
Add --validate options to servers so they can check their policy and …
…exit. (#74)

Useful for build validation that a package would at least start.
sfc-gh-jchacon authored Feb 11, 2022
1 parent b6fd440 commit 4b4f696
Showing 3 changed files with 31 additions and 7 deletions.
15 changes: 11 additions & 4 deletions cmd/proxy-server/main.go
Expand Up @@ -27,6 +27,7 @@ import (

"github.com/Snowflake-Labs/sansshell/auth/mtls"
mtlsFlags "github.com/Snowflake-Labs/sansshell/auth/mtls/flags"
"github.com/Snowflake-Labs/sansshell/auth/opa"
"github.com/Snowflake-Labs/sansshell/cmd/proxy-server/server"
"github.com/Snowflake-Labs/sansshell/cmd/util"
"github.com/go-logr/stdr"
Expand All @@ -41,6 +42,7 @@ var (
hostport = flag.String("hostport", "localhost:50043", "Where to listen for connections.")
credSource = flag.String("credential-source", mtlsFlags.Name(), fmt.Sprintf("Method used to obtain mTLS creds (one of [%s])", strings.Join(mtls.Loaders(), ",")))
verbosity = flag.Int("v", 0, "Verbosity level. > 0 indicates more extensive logging")
validate = flag.Bool("validate", false, "If true will evaluate the policy and then exit (non-zero on error)")
)

func main() {
Expand All @@ -50,12 +52,17 @@ func main() {
logger := stdr.New(log.New(os.Stderr, "", logOpts)).WithName("sanshell-proxy")
stdr.SetVerbosity(*verbosity)

policy := util.ChoosePolicy(logger, defaultPolicy, *policyFlag, *policyFile)
ctx := context.Background()

// TODO(jallie): implement the ability to 'hot reload' policy, since
// that could likely be done underneath the authorizer, with little
// disruption to existing connections.
policy := util.ChoosePolicy(logger, defaultPolicy, *policyFlag, *policyFile)
if *validate {
_, err := opa.NewAuthzPolicy(ctx, policy)
if err != nil {
log.Fatalf("Invalid policy: %v\n", err)
}
fmt.Println("Policy passes.")
os.Exit(0)
}

rs := server.RunState{
Logger: logger,
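Review bot: The success message `fmt.Println("Policy passes.")` after the `opa.NewAuthzPolicy` call overstates what was checked: as far as this hunk shows, only the policy constructor is run and its result discarded, so a policy that compiles but denies every request (or permits far more than intended) prints the same line; the same block is added in cmd/sansshell-server/main.go. Wording the flag help and message around what is actually verified, e.g. `fmt.Println("Policy compiled successfully.")` and `"If true, parse and compile the policy, then exit (non-zero on error)"`, keeps operators from reading a clean exit as an authorization check. Separately, `log.Fatalf("Invalid policy: %v\n", err)` carries a redundant trailing newline (the log package appends one) and bypasses the structured `logger` built a few lines above; `logger.Error(err, "invalid policy"); os.Exit(1)` keeps the two output paths consistent. Whether `policy` handed to `server.RunState` below goes through the same loader as this check cannot be confirmed from the hunk, and main continues past the hunk's end.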
14 changes: 11 additions & 3 deletions cmd/sansshell-server/main.go
Expand Up @@ -33,6 +33,7 @@ import (

"github.com/Snowflake-Labs/sansshell/auth/mtls"
mtlsFlags "github.com/Snowflake-Labs/sansshell/auth/mtls/flags"
"github.com/Snowflake-Labs/sansshell/auth/opa"
"github.com/Snowflake-Labs/sansshell/cmd/sansshell-server/server"
"github.com/Snowflake-Labs/sansshell/cmd/util"
)
Expand All @@ -46,6 +47,7 @@ var (
hostport = flag.String("hostport", "localhost:50042", "Where to listen for connections.")
credSource = flag.String("credential-source", mtlsFlags.Name(), fmt.Sprintf("Method used to obtain mTLS credentials (one of [%s])", strings.Join(mtls.Loaders(), ",")))
verbosity = flag.Int("v", 0, "Verbosity level. > 0 indicates more extensive logging")
validate = flag.Bool("validate", false, "If true will evaluate the policy and then exit (non-zero on error)")
)

func main() {
Expand All @@ -55,12 +57,18 @@ func main() {
logger := stdr.New(log.New(os.Stderr, "", logOpts)).WithName("sanshell-server")
stdr.SetVerbosity(*verbosity)

// TODO(jallie): implement the ability to 'hot reload' policy, since
// that could likely be done underneath the authorizer, with little
// disruption to existing connections.
policy := util.ChoosePolicy(logger, defaultPolicy, *policyFlag, *policyFile)
ctx := context.Background()

if *validate {
_, err := opa.NewAuthzPolicy(ctx, policy)
if err != nil {
log.Fatalf("Invalid policy: %v\n", err)
}
fmt.Println("Policy passes.")
os.Exit(0)
}

rs := server.RunState{
Logger: logger,
CredSource: *credSource,
9 changes: 9 additions & 0 deletions testing/integrate.sh
Expand Up @@ -461,6 +461,15 @@ else
echo "Skipping package setup on Github"
fi

echo
echo "Testing policy validation for proxy"
./bin/proxy-server --policy-file=${LOGS}/policy --validate
check_status $? /dev/null policy check failed for proxy
echo
echo "Testing policy validation for server"
./bin/sansshell-server --policy-file=${LOGS}/policy --validate
check_status $? /dev/null policy check failed for server

echo
echo "Starting servers. Logs in ${LOGS}"
./bin/proxy-server -v=1 --root-ca=./auth/mtls/testdata/root.pem --server-cert=./auth/mtls/testdata/leaf.pem --server-key=./auth/mtls/testdata/leaf.key --client-cert=./auth/mtls/testdata/client.pem --client-key=./auth/mtls/testdata/client.key --policy-file=${LOGS}/policy --hostport=localhost:50043 >& ${LOGS}/proxy.log &
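Review bot: The two new checks only exercise the positive path; if `--validate` regressed to always exit 0, the `check_status $?` lines after each invocation would still pass, so the non-zero exit promised by the flag help is never verified. Add a negative case with a deliberately malformed policy file, e.g. `printf 'this is not a policy\n' > ${LOGS}/bad-policy` followed by `if ./bin/proxy-server --policy-file=${LOGS}/bad-policy --validate; then echo "malformed policy accepted by proxy"; exit 1; fi`, and the same for `./bin/sansshell-server`. `${LOGS}` is unquoted in the new lines as it is in the existing proxy start line below, so a path containing whitespace would word-split; harmless for the current setup but worth quoting while this area is being edited. The enclosing script continues past both ends of the hunk.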
