StyraOSS
diff --git a/‎core/src/main/java/com/styra/opa/wasm/OpaWasm.java‎
Lines changed: 17 additions & 5 deletions b/‎core/src/main/java/com/styra/opa/wasm/OpaWasm.java‎
Lines changed: 17 additions & 5 deletions
diff --git a/‎core/src/main/java/com/styra/opa/wasm/builtins/String.java‎
Lines changed: 5 additions & 0 deletions b/‎core/src/main/java/com/styra/opa/wasm/builtins/String.java‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎core/src/test/java/com/styra/opa/wasm/OpaTest.java‎
Lines changed: 82 additions & 0 deletions b/‎core/src/test/java/com/styra/opa/wasm/OpaTest.java‎
Lines changed: 82 additions & 0 deletions
diff --git a/‎core/src/test/resources/fixtures/issue78-sprintf/policy.rego‎
Lines changed: 150 additions & 0 deletions b/‎core/src/test/resources/fixtures/issue78-sprintf/policy.rego‎
Lines changed: 150 additions & 0 deletions
@@ -12,6 +12,7 @@
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
+import java.util.Map;
 
 // Low level bindings to OPA
 @WasmModuleInterface("demo-policy.wasm")
@@ -71,26 +72,37 @@ public OpaBuiltin.Builtin[] initializeBuiltins(
  throw new RuntimeException(e);
  }
 
- var result = new OpaBuiltin.Builtin[mappings.size()];
+ Map<Integer, OpaBuiltin.Builtin> result = new HashMap<>();
  // Default initialization to have proper error messages
  for (var m : mappings.entrySet()) {
- result[m.getValue()] = () -> m.getKey();
+ result.put(m.getValue(), () -> m.getKey());
  }
  for (var builtin : builtins) {
  if (mappings.containsKey(builtin.name())) {
- result[mappings.get(builtin.name())] = builtin;
+ result.put(mappings.get(builtin.name()), builtin);
  }
  }
  if (defaultBuiltins) {
  // provided builtins override anything with clashing name
  var all = Provided.all();
  for (var builtin : all) {
  if (mappings.containsKey(builtin.name())) {
- result[mappings.get(builtin.name())] = builtin;
+ result.put(mappings.get(builtin.name()), builtin);
  }
  }
  }
- return result;
+
+ int size = result.keySet().stream().mapToInt(i -> i + 1).max().orElse(0);
+ var finalResult = new OpaBuiltin.Builtin[size];
+ for (int i = 0; i < size; i++) {
+ if (result.containsKey(i)) {
+ finalResult[i] = result.get(i);
+ } else {
+ finalResult[i] = null;
+ }
+ }
+
+ return finalResult;
  }
 
  public static class Builder {
 
@@ -60,6 +60,11 @@ private static JsonNode sprintfImpl(OpaWasm instance, JsonNode operand0, JsonNod
 
  // Apply formatting using String.format
  try {
+ // %v partial support
+ if (format.contains("%v")) {
+ format = format.replaceAll("%v", "%s");
+ }
+
  var result = java.lang.String.format(format, args.toArray());
  return TextNode.valueOf(result);
  } catch (IllegalArgumentException e) {
 
@@ -105,4 +105,86 @@ public void issue69() throws Exception {
  policy.input("{\"method\":\"POST\"}");
  Assertions.assertFalse(Utils.getResult(policy.evaluate()).asBoolean());
  }
+
+ @Test
+ public void issue78Sprintf() throws Exception {
+ var policyWasm =
+ OpaCli.compile("issue78-sprintf", "armo_builtins/deny").resolve("policy.wasm");
+ var policy = OpaPolicy.builder().withPolicy(policyWasm).build();
+ var pod =
+ "apiVersion: v1\n"
+ + "kind: Pod\n"
+ + "metadata:\n"
+ + " name: static-web\n"
+ + " labels:\n"
+ + " role: myrole\n"
+ + "spec:\n"
+ + " securityContext:\n"
+ + " runAsNonRoot: false\n"
+ + " containers:\n"
+ + " - name: web\n"
+ + " image: nginx\n"
+ + " ports:\n"
+ + " - name: web\n"
+ + " containerPort: 80\n"
+ + " protocol: TCP\n"
+ + " securityContext:\n"
+ + " runAsGroup: 1000\n";
+
+ // should be an array of Pods
+ var rawInput = DefaultMappers.jsonMapper.createArrayNode();
+ rawInput.add(DefaultMappers.yamlMapper.readTree(pod));
+
+ var input = DefaultMappers.jsonMapper.writeValueAsString(rawInput);
+
+ var result = policy.evaluate(input);
+
+ var resultNode = Utils.getResult(result).get(0);
+ var alertMessage = resultNode.get("alertMessage").asText();
+ var alertScore = resultNode.get("alertScore").asInt();
+
+ assertEquals("container: web in pod: static-web may run as root", alertMessage);
+ assertEquals(7, alertScore);
+ }
+
+ @Test
+ public void issue78Updated() throws Exception {
+ var policyWasm =
+ OpaCli.compile("issue78-updated", "armo_builtins/deny").resolve("policy.wasm");
+ var policy = OpaPolicy.builder().withPolicy(policyWasm).build();
+ var pod =
+ "apiVersion: v1\n"
+ + "kind: Pod\n"
+ + "metadata:\n"
+ + " name: static-web\n"
+ + " labels:\n"
+ + " role: myrole\n"
+ + "spec:\n"
+ + " securityContext:\n"
+ + " runAsNonRoot: false\n"
+ + " containers:\n"
+ + " - name: web\n"
+ + " image: nginx\n"
+ + " ports:\n"
+ + " - name: web\n"
+ + " containerPort: 80\n"
+ + " protocol: TCP\n"
+ + " securityContext:\n"
+ + " runAsGroup: 1000";
+
+ // should be an array of Pods
+ var rawInput = DefaultMappers.jsonMapper.createArrayNode();
+ rawInput.add(DefaultMappers.yamlMapper.readTree(pod));
+
+ var input = DefaultMappers.jsonMapper.writeValueAsString(rawInput);
+
+ var result = policy.evaluate(input);
+
+ var resultNode = Utils.getResult(result).get(0);
+ var alertMessage = resultNode.get("alertMessage").asText();
+ var alertScore = resultNode.get("alertScore").asInt();
+
+ assertEquals("container: web in pod: static-web may run as root", alertMessage);
+ assertEquals(7, alertScore);
+ }
 }
@@ -0,0 +1,150 @@
+package armo_builtins
+
+
+################################################################################
+# Rules
+deny[msga] {
+ pod := input[_]
+ pod.kind == "Pod"
+container := pod.spec.containers[i]
+
+start_of_path := "spec"
+run_as_user_fixpath := evaluate_workload_run_as_user(container, pod, start_of_path)
+run_as_group_fixpath := evaluate_workload_run_as_group(container, pod, start_of_path)
+all_fixpaths := array.concat(run_as_user_fixpath, run_as_group_fixpath)
+count(all_fixpaths) > 0
+fixPaths := get_fixed_paths(all_fixpaths, i)
+
+ msga := {
+"alertMessage": sprintf("container: %v in pod: %v may run as root", [container.name, pod.metadata.name]),
+"packagename": "armo_builtins",
+"alertScore": 7,
+"reviewPaths": [],
+"failedPaths": [],
+ "fixPaths": fixPaths,
+"alertObject": {
+"k8sApiObjects": [pod]
+}
+}
+}
+
+
+deny[msga] {
+ wl := input[_]
+spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"}
+spec_template_spec_patterns[wl.kind]
+ container := wl.spec.template.spec.containers[i]
+
+start_of_path := "spec.template.spec"
+run_as_user_fixpath := evaluate_workload_run_as_user(container, wl.spec.template, start_of_path)
+run_as_group_fixpath := evaluate_workload_run_as_group(container, wl.spec.template, start_of_path)
+all_fixpaths := array.concat(run_as_user_fixpath, run_as_group_fixpath)
+count(all_fixpaths) > 0
+fixPaths := get_fixed_paths(all_fixpaths, i)
+
+ msga := {
+"alertMessage": sprintf("container: %v in %v: %v may run as root", [container.name, wl.kind, wl.metadata.name]),
+"packagename": "armo_builtins",
+"alertScore": 7,
+"reviewPaths": [],
+"failedPaths": [],
+ "fixPaths": fixPaths,
+"alertObject": {
+"k8sApiObjects": [wl]
+}
+}
+}
+
+# Fails if cronjob has a container configured to run as root
+deny[msga] {
+wl := input[_]
+wl.kind == "CronJob"
+container = wl.spec.jobTemplate.spec.template.spec.containers[i]
+
+start_of_path := "spec.jobTemplate.spec.template.spec"
+run_as_user_fixpath := evaluate_workload_run_as_user(container, wl.spec.jobTemplate.spec.template, start_of_path)
+run_as_group_fixpath := evaluate_workload_run_as_group(container, wl.spec.jobTemplate.spec.template, start_of_path)
+all_fixpaths := array.concat(run_as_user_fixpath, run_as_group_fixpath)
+count(all_fixpaths) > 0
+fixPaths := get_fixed_paths(all_fixpaths, i)
+
+
+ msga := {
+"alertMessage": sprintf("container: %v in %v: %v may run as root", [container.name, wl.kind, wl.metadata.name]),
+"packagename": "armo_builtins",
+"alertScore": 7,
+"reviewPaths": [],
+"failedPaths": [],
+ "fixPaths": fixPaths,
+"alertObject": {
+"k8sApiObjects": [wl]
+}
+}
+}
+
+
+get_fixed_paths(all_fixpaths, i) = [{"path":replace(all_fixpaths[0].path,"container_ndx",format_int(i,10)), "value":all_fixpaths[0].value}, {"path":replace(all_fixpaths[1].path,"container_ndx",format_int(i,10)), "value":all_fixpaths[1].value}]{
+count(all_fixpaths) == 2
+} else = [{"path":replace(all_fixpaths[0].path,"container_ndx",format_int(i,10)), "value":all_fixpaths[0].value}]
+
+#################################################################################
+# Workload evaluation
+
+# if runAsUser is set to 0 and runAsNonRoot is set to false/ not set - suggest to set runAsUser to 1000
+# if runAsUser is not set and runAsNonRoot is set to false/ not set - suggest to set runAsNonRoot to true
+# all checks are both on the pod and the container level
+evaluate_workload_run_as_user(container, pod, start_of_path) = fixPath {
+runAsNonRootValue := get_run_as_non_root_value(container, pod, start_of_path)
+runAsNonRootValue.value == false
+
+runAsUserValue := get_run_as_user_value(container, pod, start_of_path)
+runAsUserValue.value == 0
+
+alertInfo := choose_first_if_defined(runAsUserValue, runAsNonRootValue)
+fixPath := alertInfo.fixPath
+} else = []
+
+
+# if runAsGroup is set to 0/ not set - suggest to set runAsGroup to 1000
+# all checks are both on the pod and the container level
+evaluate_workload_run_as_group(container, pod, start_of_path) = fixPath {
+runAsGroupValue := get_run_as_group_value(container, pod, start_of_path)
+runAsGroupValue.value == 0
+
+fixPath := runAsGroupValue.fixPath
+} else = []
+
+
+#################################################################################
+# Value resolution functions
+
+
+get_run_as_non_root_value(container, pod, start_of_path) = runAsNonRoot {
+ runAsNonRoot := {"value" : container.securityContext.runAsNonRoot, "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]), "value":"true"}], "defined" : true}
+} else = runAsNonRoot {
+ runAsNonRoot := {"value" : pod.spec.securityContext.runAsNonRoot, "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]), "value":"true"}], "defined" : true}
+} else = {"value" : false, "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]) , "value":"true"}], "defined" : false}
+
+get_run_as_user_value(container, pod, start_of_path) = runAsUser {
+path := sprintf("%v.containers[container_ndx].securityContext.runAsUser", [start_of_path])
+ runAsUser := {"value" : container.securityContext.runAsUser, "fixPath": [{"path": path, "value": "1000"}], "defined" : true}
+} else = runAsUser {
+path := sprintf("%v.securityContext.runAsUser", [start_of_path])
+ runAsUser := {"value" : pod.spec.securityContext.runAsUser, "fixPath": [{"path": path, "value": "1000"}],"defined" : true}
+} else = {"value" : 0, "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]), "value":"true"}],
+"defined" : false}
+
+get_run_as_group_value(container, pod, start_of_path) = runAsGroup {
+path := sprintf("%v.containers[container_ndx].securityContext.runAsGroup", [start_of_path])
+ runAsGroup := {"value" : container.securityContext.runAsGroup, "fixPath": [{"path": path, "value": "1000"}],"defined" : true}
+} else = runAsGroup {
+path := sprintf("%v.securityContext.runAsGroup", [start_of_path])
+ runAsGroup := {"value" : pod.spec.securityContext.runAsGroup, "fixPath":[{"path": path, "value": "1000"}], "defined" : true}
+} else = {"value" : 0, "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsGroup", [start_of_path]), "value":"1000"}],
+ "defined" : false
+}
+
+choose_first_if_defined(l1, l2) = c {
+ l1.defined
+ c := l1
+} else = l2