Add configuration option to cloud api for disabling pxl script modification

ddelnano · ddelnano · commit 034804faeec5 · 2024-12-17T16:17:07.000Z
Signed-off-by: Dom Del Nano &lt;ddelnano@gmail.com&gt;
diff --git a/src/cloud/api/api_server.go b/src/cloud/api/api_server.go
@@ -66,6 +66,7 @@ func init() {
 
 	pflag.String("auth_connector_name", "", "If any, the name of the auth connector to be used with Pixie")
 	pflag.String("auth_connector_callback_url", "", "If any, the callback URL for the auth connector")
+	pflag.Bool("disable_script_modification", false, "If script modification should be disallowed to prevent arbitrary script execution")
 }
 
 func main() {
@@ -213,17 +214,18 @@ func main() {
 	authServer := &controllers.AuthServer{AuthClient: ac}
 	cloudpb.RegisterAuthServiceServer(s.GRPCServer(), authServer)
 
-	vpt := ptproxy.NewVizierPassThroughProxy(nc, vc)
-	vizierpb.RegisterVizierServiceServer(s.GRPCServer(), vpt)
-	vizierpb.RegisterVizierDebugServiceServer(s.GRPCServer(), vpt)
-
 	sm, err := apienv.NewScriptMgrServiceClient()
 	if err != nil {
 		log.WithError(err).Fatal("Failed to init scriptmgr client.")
 	}
 	sms := &controllers.ScriptMgrServer{ScriptMgr: sm}
 	cloudpb.RegisterScriptMgrServer(s.GRPCServer(), sms)
 
+	disableScriptModification := viper.GetBool("disable_script_modification")
+	vpt := ptproxy.NewVizierPassThroughProxy(nc, vc, sm, disableScriptModification)
+	vizierpb.RegisterVizierServiceServer(s.GRPCServer(), vpt)
+	vizierpb.RegisterVizierDebugServiceServer(s.GRPCServer(), vpt)
+
 	mdIndexName := viper.GetString("md_index_name")
 	if mdIndexName == "" {
 		log.Fatal("Must specify a name for the elastic index.")
diff --git a/src/cloud/api/ptproxy/BUILD.bazel b/src/cloud/api/ptproxy/BUILD.bazel
@@ -28,12 +28,15 @@ go_library(
     deps = [
         "//src/api/proto/uuidpb:uuid_pl_go_proto",
         "//src/api/proto/vizierpb:vizier_pl_go_proto",
+        "//src/cloud/scriptmgr/scriptmgrpb:service_pl_go_proto",
         "//src/cloud/shared/vzshard",
         "//src/shared/cvmsgspb:cvmsgs_pl_go_proto",
         "//src/shared/services/authcontext",
+        "//src/shared/services/utils",
         "//src/shared/services/jwtpb:jwt_pl_go_proto",
         "//src/utils",
         "@com_github_gofrs_uuid//:uuid",
+        "@com_github_spf13_viper//:viper",
         "@com_github_gogo_protobuf//proto",
         "@com_github_gogo_protobuf//types",
         "@com_github_nats_io_nats_go//:nats_go",
@@ -53,6 +56,7 @@ pl_go_test(
         ":ptproxy",
         "//src/api/proto/uuidpb:uuid_pl_go_proto",
         "//src/api/proto/vizierpb:vizier_pl_go_proto",
+        "//src/cloud/scriptmgr/scriptmgrpb:service_pl_go_proto",
         "//src/cloud/shared/vzshard",
         "//src/shared/cvmsgspb:cvmsgs_pl_go_proto",
         "//src/shared/services/env",
diff --git a/src/cloud/api/ptproxy/vizier_pt_proxy.go b/src/cloud/api/ptproxy/vizier_pt_proxy.go
@@ -20,12 +20,21 @@ package ptproxy
 
 import (
 	"context"
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
 
 	"github.com/nats-io/nats.go"
+	"github.com/spf13/viper"
 	"google.golang.org/grpc"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/metadata"
+	"google.golang.org/grpc/status"
+	jwtutils "px.dev/pixie/src/shared/services/utils"
 
 	"px.dev/pixie/src/api/proto/uuidpb"
 	"px.dev/pixie/src/api/proto/vizierpb"
+	"px.dev/pixie/src/cloud/scriptmgr/scriptmgrpb"
 	"px.dev/pixie/src/shared/cvmsgspb"
 	"px.dev/pixie/src/shared/services/authcontext"
 	"px.dev/pixie/src/shared/services/jwtpb"
@@ -36,16 +45,46 @@ type vzmgrClient interface {
 	GetVizierConnectionInfo(ctx context.Context, in *uuidpb.UUID, opts ...grpc.CallOption) (*cvmsgspb.VizierConnectionInfo, error)
 }
 
+type scriptmgrClient interface {
+	GetScriptByHash(ctx context.Context, req *scriptmgrpb.GetScriptByHashReq, opts ...grpc.CallOption) (*scriptmgrpb.GetScriptByHashResp, error)
+}
+
 // VizierPassThroughProxy implements the VizierAPI and allows proxying the data to the actual
 // vizier cluster.
 type VizierPassThroughProxy struct {
-	nc *nats.Conn
-	vc vzmgrClient
+	nc                       *nats.Conn
+	vc                       vzmgrClient
+	sm                       scriptmgrClient
+	disableScriptModifiation bool
+}
+
+// getServiceCredentials returns JWT credentials for inter-service requests.
+func getServiceCredentials(signingKey string) (string, error) {
+	claims := jwtutils.GenerateJWTForService("cloud api", viper.GetString("domain_name"))
+	return jwtutils.SignJWTClaims(claims, signingKey)
 }
 
 // NewVizierPassThroughProxy creates a new passthrough proxy.
-func NewVizierPassThroughProxy(nc *nats.Conn, vc vzmgrClient) *VizierPassThroughProxy {
-	return &VizierPassThroughProxy{nc: nc, vc: vc}
+func NewVizierPassThroughProxy(nc *nats.Conn, vc vzmgrClient, sm scriptmgrClient, disableScriptModifiation bool) *VizierPassThroughProxy {
+	return &VizierPassThroughProxy{nc: nc, vc: vc, sm: sm, disableScriptModifiation: disableScriptModifiation}
+}
+
+func (v *VizierPassThroughProxy) isScriptModified(ctx context.Context, script string) (bool, error) {
+	hash := sha256.New()
+	hash.Write([]byte(script))
+	hashStr := hex.EncodeToString(hash.Sum(nil))
+	req := &scriptmgrpb.GetScriptByHashReq{Sha256Hash: hashStr}
+
+	serviceAuthToken, err := getServiceCredentials(viper.GetString("jwt_signing_key"))
+	ctx = metadata.AppendToOutgoingContext(ctx, "authorization",
+		fmt.Sprintf("bearer %s", serviceAuthToken))
+
+	resp, err := v.sm.GetScriptByHash(ctx, req)
+
+	if err != nil {
+		return false, err
+	}
+	return !resp.Exists, nil
 }
 
 // ExecuteScript is the GRPC stream method.
@@ -55,6 +94,17 @@ func (v *VizierPassThroughProxy) ExecuteScript(req *vizierpb.ExecuteScriptReques
 		return err
 	}
 	defer rp.Finish()
+	if v.disableScriptModifiation {
+		modified, err := v.isScriptModified(srv.Context(), req.QueryStr)
+		if err != nil {
+			return err
+		}
+
+		if modified {
+			return status.Error(codes.InvalidArgument, "Script modification has been disabled")
+		}
+	}
+
 	vizReq := rp.prepareVizierRequest()
 	vizReq.Msg = &cvmsgspb.C2VAPIStreamRequest_ExecReq{ExecReq: req}
 	if err := rp.sendMessageToVizier(vizReq); err != nil {
diff --git a/src/cloud/api/ptproxy/vizier_pt_proxy_test.go b/src/cloud/api/ptproxy/vizier_pt_proxy_test.go
@@ -44,6 +44,7 @@ import (
 	"px.dev/pixie/src/api/proto/uuidpb"
 	"px.dev/pixie/src/api/proto/vizierpb"
 	"px.dev/pixie/src/cloud/api/ptproxy"
+	"px.dev/pixie/src/cloud/scriptmgr/scriptmgrpb"
 	"px.dev/pixie/src/cloud/shared/vzshard"
 	"px.dev/pixie/src/shared/cvmsgspb"
 	"px.dev/pixie/src/shared/services/env"
@@ -65,15 +66,15 @@ type testState struct {
 	conn *grpc.ClientConn
 }
 
-func createTestState(t *testing.T) (*testState, func(t *testing.T)) {
+func createTestState(t *testing.T, disableScriptModification bool) (*testState, func(t *testing.T)) {
 	lis := bufconn.Listen(bufSize)
 	env := env.New("withpixie.ai")
 	s := server.CreateGRPCServer(env, &server.GRPCServerOptions{})
 
 	nc, natsCleanup := testingutils.MustStartTestNATS(t)
 
-	vizierpb.RegisterVizierServiceServer(s, ptproxy.NewVizierPassThroughProxy(nc, &fakeVzMgr{}))
-	vizierpb.RegisterVizierDebugServiceServer(s, ptproxy.NewVizierPassThroughProxy(nc, &fakeVzMgr{}))
+	vizierpb.RegisterVizierServiceServer(s, ptproxy.NewVizierPassThroughProxy(nc, &fakeVzMgr{}, &fakeScriptMgr{}, disableScriptModification))
+	vizierpb.RegisterVizierDebugServiceServer(s, ptproxy.NewVizierPassThroughProxy(nc, &fakeVzMgr{}, &fakeScriptMgr{}, disableScriptModification))
 
 	eg := errgroup.Group{}
 	eg.Go(func() error { return s.Serve(lis) })
@@ -112,7 +113,7 @@ func createDialer(lis *bufconn.Listener) func(ctx context.Context, url string) (
 func TestVizierPassThroughProxy_ExecuteScript(t *testing.T) {
 	viper.Set("jwt_signing_key", "the-key")
 
-	ts, cleanup := createTestState(t)
+	ts, cleanup := createTestState(t, false)
 	defer cleanup(t)
 
 	client := vizierpb.NewVizierServiceClient(ts.conn)
@@ -283,10 +284,141 @@ func TestVizierPassThroughProxy_ExecuteScript(t *testing.T) {
 	}
 }
 
+func TestVizierPassThroughProxy_ExecuteScriptWithScriptModificationEnabled(t *testing.T) {
+	viper.Set("jwt_signing_key", "the-key")
+
+	ts, cleanup := createTestState(t, true)
+	defer cleanup(t)
+
+	client := vizierpb.NewVizierServiceClient(ts.conn)
+	validTestToken := testingutils.GenerateTestJWTToken(t, viper.GetString("jwt_signing_key"))
+
+	testCases := []struct {
+		name string
+
+		clusterID      string
+		authToken      string
+		pxlString      string
+		respFromVizier []*cvmsgspb.V2CAPIStreamResponse
+
+		expGRPCError     error
+		expGRPCResponses []*vizierpb.ExecuteScriptResponse
+	}{
+		{
+			name: "Request with modified pxl script",
+
+			clusterID:        "00000000-1111-2222-2222-333333333333",
+			pxlString:        "import pxl",
+			authToken:        validTestToken,
+			expGRPCError:     status.Error(codes.InvalidArgument, "Script modification has been disabled"),
+			expGRPCResponses: nil,
+		},
+		{
+			name: "Request with not modified pxl script",
+
+			clusterID:    "00000000-1111-2222-2222-333333333333",
+			pxlString:    "liveview1 pxl",
+			authToken:    validTestToken,
+			expGRPCError: nil,
+			expGRPCResponses: []*vizierpb.ExecuteScriptResponse{
+				{
+					QueryID: "abc",
+				},
+				{
+					QueryID: "abc",
+				},
+			},
+			respFromVizier: []*cvmsgspb.V2CAPIStreamResponse{
+				{
+					Msg: &cvmsgspb.V2CAPIStreamResponse_ExecResp{ExecResp: &vizierpb.ExecuteScriptResponse{QueryID: "abc"}},
+				},
+				{
+					Msg: &cvmsgspb.V2CAPIStreamResponse_ExecResp{ExecResp: &vizierpb.ExecuteScriptResponse{QueryID: "abc"}},
+				},
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			ctx := context.Background()
+			if len(tc.authToken) > 0 {
+				ctx = metadata.AppendToOutgoingContext(ctx, "authorization",
+					fmt.Sprintf("bearer %s", tc.authToken))
+			}
+
+			ctx, cancel := context.WithCancel(ctx)
+			defer cancel()
+			resp, err := client.ExecuteScript(ctx,
+				&vizierpb.ExecuteScriptRequest{ClusterID: tc.clusterID, QueryStr: tc.pxlString})
+			require.NoError(t, err)
+			fv := newFakeVizier(t, uuid.FromStringOrNil(tc.clusterID), ts.nc)
+			fv.Run(t, tc.respFromVizier)
+			defer fv.Stop()
+
+			grpcDataCh := make(chan *vizierpb.ExecuteScriptResponse)
+			var gotReadErr error
+			var eg errgroup.Group
+			eg.Go(func() error {
+				defer close(grpcDataCh)
+				for {
+					d, err := resp.Recv()
+					if err != nil && err != io.EOF {
+						gotReadErr = err
+					}
+					if err == io.EOF {
+						return nil
+					}
+					if d == nil {
+						return nil
+					}
+					grpcDataCh <- d
+				}
+			})
+
+			var responses []*vizierpb.ExecuteScriptResponse
+			eg.Go(func() error {
+				timeout := time.NewTimer(defaultTimeout)
+				defer timeout.Stop()
+
+				for {
+					select {
+					case <-resp.Context().Done():
+						return nil
+					case <-timeout.C:
+						return fmt.Errorf("timeout waiting for data on grpc channel")
+					case msg := <-grpcDataCh:
+
+						if msg == nil {
+							return nil
+						}
+						responses = append(responses, msg)
+					}
+				}
+			})
+
+			err = eg.Wait()
+			if tc.expGRPCError != nil {
+				if gotReadErr == nil {
+					t.Fatal("Expected to get GRPC error")
+				}
+				assert.Equal(t, status.Code(tc.expGRPCError), status.Code(gotReadErr))
+			}
+			if tc.expGRPCResponses == nil {
+				if len(responses) != 0 {
+					t.Fatal("Expected to get no responses")
+				}
+			} else {
+				assert.Equal(t, tc.expGRPCResponses, responses)
+			}
+		})
+	}
+}
+
 func TestVizierPassThroughProxy_HealthCheck(t *testing.T) {
 	viper.Set("jwt_signing_key", "the-key")
 
-	ts, cleanup := createTestState(t)
+	ts, cleanup := createTestState(t, false)
 	defer cleanup(t)
 
 	client := vizierpb.NewVizierServiceClient(ts.conn)
@@ -463,7 +595,7 @@ func TestVizierPassThroughProxy_HealthCheck(t *testing.T) {
 func TestVizierPassThroughProxy_DebugLog(t *testing.T) {
 	viper.Set("jwt_signing_key", "the-key")
 
-	ts, cleanup := createTestState(t)
+	ts, cleanup := createTestState(t, false)
 	defer cleanup(t)
 
 	client := vizierpb.NewVizierDebugServiceClient(ts.conn)
@@ -582,7 +714,7 @@ func TestVizierPassThroughProxy_DebugLog(t *testing.T) {
 func TestVizierPassThroughProxy_DebugPods(t *testing.T) {
 	viper.Set("jwt_signing_key", "the-key")
 
-	ts, cleanup := createTestState(t)
+	ts, cleanup := createTestState(t, false)
 	defer cleanup(t)
 
 	client := vizierpb.NewVizierDebugServiceClient(ts.conn)
@@ -719,6 +851,20 @@ func TestVizierPassThroughProxy_DebugPods(t *testing.T) {
 	}
 }
 
+type fakeScriptMgr struct{}
+
+func (s *fakeScriptMgr) GetScriptByHash(ctx context.Context, req *scriptmgrpb.GetScriptByHashReq, opts ...grpc.CallOption) (*scriptmgrpb.GetScriptByHashResp, error) {
+	hash := "488f131003f415a61090901c544e0ace731e8a85b12ce0aea770273d656f08e0" // sha256 of "liveview1 pxl"
+
+	scripts := map[string]bool{
+		hash: true,
+	}
+	_, ok := scripts[req.Sha256Hash]
+	return &scriptmgrpb.GetScriptByHashResp{
+		Exists: ok,
+	}, nil
+}
+
 type fakeVzMgr struct{}
 
 func (v *fakeVzMgr) GetVizierInfo(ctx context.Context, in *uuidpb.UUID, opts ...grpc.CallOption) (*cvmsgspb.VizierInfo, error) {
