[confcom] updating docs to include new genpolicy info #7093

Merged
merged 6 commits into from
Dec 20, 2023
4 changes: 4 additions & 0 deletions src/confcom/HISTORY.rst
Expand Up @@ -2,6 +2,10 @@

Release History
===============
0.3.2
++++++
* updating genpolicy version to allow for topologySpreadConstraints, version genpolicy-0.6.2-2

0.3.1
++++++
* removing unneeded print statement
4 changes: 2 additions & 2 deletions src/confcom/azext_confcom/data/internal_config.json
@@ -1,5 +1,5 @@
{
"version": "0.3.1",
"version": "0.3.2",
"hcsshim_config": {
"maxVersion": "1.0.0",
"minVersion": "0.0.1"
Expand All @@ -18,7 +18,7 @@
"fabric": {
"environmentVariables": [
{
"name": "((?i)FABRIC)_.+",
"name": "(?i)(FABRIC)_.+",
"value": ".+",
"strategy": "re2",
"required": false
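Review bot: Neither the new name pattern `(?i)(FABRIC)_.+` nor the `.+` value pattern is anchored, so if the engine that evaluates these `re2`-strategy rules matches unanchored (Go/RE2 `MatchString` semantics), any variable whose name merely contains a case-insensitive `FABRIC_` substring is accepted, which is broader than a wildcard allow-rule in a confidential-container policy should be; if that is confirmed against the consuming Rego, `(?i)^FABRIC_.+$` with a correspondingly anchored value is the tighter rule. Moving `(?i)` to the head of the pattern only widens the flag's scope, and the parentheses left around `FABRIC` no longer do anything, so `(?i)FABRIC_.+` says the same thing with less to misread. It would also help to record in HISTORY or a nearby comment why the inline-flag placement was changed, since `((?i)FABRIC)` is valid RE2 but is rejected by newer Python `re`; I am inferring that motivation, it is not stated on the page.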
6 changes: 4 additions & 2 deletions src/confcom/azext_confcom/security_policy.py
Expand Up @@ -438,8 +438,10 @@ def populate_policy_content_for_all_images(
if signals:
image.set_signals(signals)

if (deepdiff.DeepDiff(image.get_user(), config.DEFAULT_USER, ignore_order=True) == {}
and image_info.get("User") != ""):
if (
not deepdiff.DeepDiff(image.get_user(), config.DEFAULT_USER, ignore_order=True)
and image_info.get("User") != ""
):
# valid values are in the form "user", "user:group", "uid", "uid:gid", "user:gid", "uid:group"
# where each entry is either a string or an unsigned integer
# "" means any user (use default)
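Review bot: The guard `image_info.get("User") != ""` on the new side also lets `None` through, because `.get` returns `None` when the image config carries no `User` key, so the user-parsing branch that follows the comment block (outside this hunk) would run on a non-string value. The comment just below says `""` means "use the default user", and an absent key means the same thing, so `and image_info.get("User")` covers both cases and keeps the default for each. The change from `== {}` to `not deepdiff.DeepDiff(...)` reads as equivalent provided the DeepDiff result compares like a dict, which I am assuming rather than seeing here. populate_policy_content_for_all_images begins before and continues past this hunk.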
32 changes: 14 additions & 18 deletions src/confcom/azext_confcom/tests/latest/test_confcom_arm.py
Expand Up @@ -22,7 +22,6 @@
TEST_DIR = os.path.abspath(os.path.join(os.path.abspath(__file__), ".."))



class PolicyGeneratingArm(unittest.TestCase):
custom_json = """
{
Expand Down Expand Up @@ -1988,7 +1987,7 @@ def test_multiple_policies(self):
is_valid, diff = self.aci_policy.validate_cce_policy()
self.assertFalse(is_valid)
# just check to make sure the containers in both policies are different
expected_diff = {"alpine:3.16":"alpine:3.16 not found in policy"}
expected_diff = {"alpine:3.16": "alpine:3.16 not found in policy"}
self.assertEqual(diff, expected_diff)


Expand Down Expand Up @@ -2472,9 +2471,7 @@ def test_arm_template_allow_elevated_false(self):
self.assertFalse(allow_elevated)



class PrintExistingPolicy(unittest.TestCase):

def test_printing_existing_policy(self):
template = """
{
Expand Down Expand Up @@ -3372,7 +3369,7 @@ def test_arm_template_policy_regex(self):

normalized_aci_arm_policy = json.loads(
self.aci_arm_policy.get_serialized_output(
output_type=OutputType.RAW,rego_boilerplate=False
output_type=OutputType.RAW, rego_boilerplate=False
)
)

Expand All @@ -3395,15 +3392,17 @@ def test_wildcard_env_var(self):
)

self.assertEqual(
normalized_aci_arm_policy[0][config.POLICY_FIELD_CONTAINERS_ELEMENTS_ENVS
][1][config.POLICY_FIELD_CONTAINERS_ELEMENTS_ENVS_STRATEGY],
"re2"
normalized_aci_arm_policy[0][config.POLICY_FIELD_CONTAINERS_ELEMENTS_ENVS][1][
config.POLICY_FIELD_CONTAINERS_ELEMENTS_ENVS_STRATEGY
],
"re2",
)

self.assertEqual(
normalized_aci_arm_policy[0][config.POLICY_FIELD_CONTAINERS_ELEMENTS_ENVS
][1][config.POLICY_FIELD_CONTAINERS_ELEMENTS_ENVS_RULE],
"TEST_WILDCARD_ENV=.*"
normalized_aci_arm_policy[0][config.POLICY_FIELD_CONTAINERS_ELEMENTS_ENVS][1][
config.POLICY_FIELD_CONTAINERS_ELEMENTS_ENVS_RULE
],
"TEST_WILDCARD_ENV=.*",
)

normalized_aci_arm_policy2 = json.loads(
Expand All @@ -3417,9 +3416,10 @@ def test_wildcard_env_var(self):
)

self.assertEqual(
normalized_aci_arm_policy2[0][config.POLICY_FIELD_CONTAINERS_ELEMENTS_ENVS
][1][config.POLICY_FIELD_CONTAINERS_ELEMENTS_ENVS_RULE],
"TEST_WILDCARD_ENV=.*"
normalized_aci_arm_policy2[0][config.POLICY_FIELD_CONTAINERS_ELEMENTS_ENVS][1][
config.POLICY_FIELD_CONTAINERS_ELEMENTS_ENVS_RULE
],
"TEST_WILDCARD_ENV=.*",
)

def test_wildcard_env_var_invalid(self):
Expand Down Expand Up @@ -3875,7 +3875,6 @@ class PolicyGeneratingSecurityContext(unittest.TestCase):
}
"""


custom_arm_json3 = """
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
Expand Down Expand Up @@ -4196,7 +4195,6 @@ def setUpClass(cls):
]
cls.aci_arm_policy4.populate_policy_content_for_all_images()


def test_arm_template_security_context_defaults(self):
expected_user_json = json.loads("""{
"user_idname":
Expand Down Expand Up @@ -4761,7 +4759,6 @@ class PolicyGeneratingSecurityContextUserEdgeCases(unittest.TestCase):
}
"""


@classmethod
def setUpClass(cls):
cls.aci_arm_policy = load_policy_from_arm_template_str(cls.custom_arm_json, "")[
Expand Down Expand Up @@ -5287,7 +5284,6 @@ def test_arm_template_security_context_seccomp_profile_missing_syscalls(self):
self.assertEqual(regular_image_json[0][config.POLICY_FIELD_CONTAINERS_ELEMENTS_SECCOMP_PROFILE_SHA256], expected_seccomp_profile_sha256)



class PolicyStopSignal(unittest.TestCase):
custom_arm_json = """
{
5 changes: 5 additions & 0 deletions src/confcom/azext_confcom/tests/latest/test_confcom_image.py
Expand Up @@ -18,6 +18,7 @@

TEST_DIR = os.path.abspath(os.path.join(os.path.abspath(__file__), ".."))


class PolicyGeneratingImage(unittest.TestCase):
custom_json = """
{
Expand All @@ -36,6 +37,7 @@ class PolicyGeneratingImage(unittest.TestCase):
]
}
"""

@classmethod
def setUpClass(cls):
with load_policy_from_image_name("python:3.6.14-slim-buster") as aci_policy:
Expand All @@ -49,6 +51,7 @@ def test_image_policy(self):
# deep diff the output policies from the regular policy.json and the single image
self.assertEqual(self.aci_policy.get_serialized_output(), self.custom_policy.get_serialized_output())


class PolicyGeneratingImageSidecar(unittest.TestCase):
custom_json = """
{
Expand Down Expand Up @@ -82,6 +85,7 @@ def setUpClass(cls):
def test_sidecar_image_policy(self):
self.assertEqual(self.aci_policy.get_serialized_output(), self.custom_policy.get_serialized_output())


class PolicyGeneratingImageInvalid(unittest.TestCase):
def test_invalid_image_policy(self):

Expand All @@ -92,6 +96,7 @@ def test_invalid_image_policy(self):
policy.populate_policy_content_for_all_images(individual_image=True)
self.assertEqual(exc_info.exception.code, 1)


class PolicyGeneratingImageCleanRoom(unittest.TestCase):
def test_clean_room_policy(self):
client = docker.from_env()