Merge branch 'master' into feature/api-only-secure-onboarding

sysdiglabs · Oct 10, 2023 · e94290a · e94290a
2 parents e35bf0c + 8120b3e
commit e94290a
Show file tree

Hide file tree

Showing 39 changed files with 594 additions and 139 deletions.
diff --git a/CODEOWNERS b/CODEOWNERS
@@ -12,3 +12,11 @@
 
 # policies/rules
 *secure*policy* @jacklongsd @kmvachhani @ben-m-lucas @ombellare @miguelgordo @ivanlysiuk-sysdig
+
+# internal components
+/sysdig/internal/client/v2/client.go @filiptubic @mbarbieri @draraksysdig
+/sysdig/internal/client/v2/config.go @filiptubic @mbarbieri @draraksysdig
+/sysdig/internal/client/v2/ibm.go @filiptubic @mbarbieri @draraksysdig
+/main.go @filiptubic @mbarbieri @draraksysdig
+/.goreleaser.yml @filiptubic @mbarbieri @draraksysdig
+/.github/ @filiptubic @mbarbieri @draraksysdig
diff --git a/go.mod b/go.mod
@@ -8,8 +8,10 @@ require (
 	github.com/falcosecurity/kilt/runtimes/cloudformation v0.0.0-20230606123839-2e4c434d5d88
 	github.com/hashicorp/go-cty v1.4.1-0.20200414143053-d3edf31b6320
 	github.com/hashicorp/go-retryablehttp v0.7.4
+	github.com/hashicorp/terraform-plugin-log v0.8.0
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.26.1
 	github.com/jmespath/go-jmespath v0.4.0
+	github.com/pkg/errors v0.9.1
 	github.com/rs/zerolog v1.29.1
 	github.com/spf13/cast v1.5.1
 	github.com/stretchr/testify v1.8.4
@@ -45,7 +47,6 @@ require (
 	github.com/hashicorp/terraform-exec v0.18.1 // indirect
 	github.com/hashicorp/terraform-json v0.16.0 // indirect
 	github.com/hashicorp/terraform-plugin-go v0.14.3 // indirect
-	github.com/hashicorp/terraform-plugin-log v0.8.0 // indirect
 	github.com/hashicorp/terraform-registry-address v0.1.0 // indirect
 	github.com/hashicorp/terraform-svchost v0.0.0-20200729002733-f050f53b9734 // indirect
 	github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d // indirect
@@ -61,7 +62,6 @@ require (
 	github.com/oklog/run v1.0.0 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0-rc2 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/sirupsen/logrus v1.9.0 // indirect
 	github.com/vbatts/tar-split v0.11.2 // indirect

diff --git a/go.sum b/go.sum
@@ -40,8 +40,6 @@ github.com/docker/docker v20.10.24+incompatible h1:Ugvxm7a8+Gz6vqQYQQ2W7GYq5EUPa
 github.com/docker/docker v20.10.24+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A=
 github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0=
-github.com/draios/protorepo/cloudauth/go v0.0.0-20230901163632-fcbfe0cb84e0 h1:LKBglxJ55sl7NuP5IrC/SD89ZQFwN8ejh8XGJ0dj5P0=
-github.com/draios/protorepo/cloudauth/go v0.0.0-20230901163632-fcbfe0cb84e0/go.mod h1:JmBZh3AOhz4gg83qMw9p2QDCIiLSH9YCyyvDVClIynU=
 github.com/emirpasic/gods v1.12.0 h1:QAUIPSaCu4G+POclxeqb3F+WPpdKqFGlw36+yOzGlrg=
 github.com/emirpasic/gods v1.12.0/go.mod h1:YfzfFFoVP/catgzJb4IKIqXjX78Ha8FMSDh3ymbK86o=
 github.com/falcosecurity/kilt/pkg v0.0.0-20230111165949-b36cdd622de1 h1:7JOAJwPA4FEtowSP133pgicOu+nOfo0wGuXapXKhafk=

diff --git a/main.go b/main.go
@@ -7,5 +7,9 @@ import (
 )
 
 func main() {
-	plugin.Serve(&plugin.ServeOpts{ProviderFunc: sysdig.Provider})
+	sysdigClient := sysdig.NewSysdigClients()
+	defer sysdigClient.Close()
+
+	provider := &sysdig.SysdigProvider{SysdigClient: sysdigClient}
+	plugin.Serve(&plugin.ServeOpts{ProviderFunc: provider.Provider})
 }
diff --git a/sysdig/internal/client/v2/config.go b/sysdig/internal/client/v2/config.go
@@ -1,16 +1,17 @@
 package v2
 
 type config struct {
-	url            string
-	token          string
-	insecure       bool
-	extraHeaders   map[string]string
-	ibmInstanceID  string
-	ibmAPIKey      string
-	ibmIamURL      string
-	sysdigTeamName string
-	sysdigTeamID   *int
-	product        string
+	url                   string
+	token                 string
+	insecure              bool
+	extraHeaders          map[string]string
+	ibmInstanceID         string
+	ibmAPIKey             string
+	ibmIamURL             string
+	sysdigTeamName        string
+	sysdigTeamID          *int
+	product               string
+	secureSkipPolicyV2Msg bool
 }
 
 type Product string
@@ -95,3 +96,9 @@ func configure(opts ...ClientOption) *config {
 	}
 	return cfg
 }
+
+func WithSkipPolicyV2Msg(skipPolicyV2Msg bool) ClientOption {
+	return func(c *config) {
+		c.secureSkipPolicyV2Msg = skipPolicyV2Msg
+	}
+}
diff --git a/sysdig/internal/client/v2/list.go b/sysdig/internal/client/v2/list.go
@@ -7,10 +7,10 @@ import (
 )
 
 const (
-	CreateListPath = "%s/api/secure/falco/lists"
+	CreateListPath = "%s/api/secure/falco/lists?skipPolicyV2Msg=%t"
 	GetListPath    = "%s/api/secure/falco/lists/%d"
-	UpdateListPath = "%s/api/secure/falco/lists/%d"
-	DeleteListPath = "%s/api/secure/falco/lists/%d"
+	UpdateListPath = "%s/api/secure/falco/lists/%d?skipPolicyV2Msg=%t"
+	DeleteListPath = "%s/api/secure/falco/lists/%d?skipPolicyV2Msg=%t"
 )
 
 type ListInterface interface {
@@ -97,17 +97,17 @@ func (client *Client) DeleteList(ctx context.Context, id int) error {
 }
 
 func (client *Client) CreateListURL() string {
-	return fmt.Sprintf(CreateListPath, client.config.url)
+	return fmt.Sprintf(CreateListPath, client.config.url, client.config.secureSkipPolicyV2Msg)
 }
 
 func (client *Client) GetListURL(id int) string {
 	return fmt.Sprintf(GetListPath, client.config.url, id)
 }
 
 func (client *Client) UpdateListURL(id int) string {
-	return fmt.Sprintf(UpdateListPath, client.config.url, id)
+	return fmt.Sprintf(UpdateListPath, client.config.url, id, client.config.secureSkipPolicyV2Msg)
 }
 
 func (client *Client) DeleteListURL(id int) string {
-	return fmt.Sprintf(DeleteListPath, client.config.url, id)
+	return fmt.Sprintf(DeleteListPath, client.config.url, id, client.config.secureSkipPolicyV2Msg)
 }
diff --git a/sysdig/internal/client/v2/macros.go b/sysdig/internal/client/v2/macros.go
@@ -7,10 +7,10 @@ import (
 )
 
 const (
-	CreateMacroPath  = "%s/api/secure/falco/macros"
+	CreateMacroPath  = "%s/api/secure/falco/macros?skipPolicyV2Msg=%t"
 	GetMacroByIDPath = "%s/api/secure/falco/macros/%d"
-	UpdateMacroPath  = "%s/api/secure/falco/macros/%d"
-	DeleteMacroPath  = "%s/api/secure/falco/macros/%d"
+	UpdateMacroPath  = "%s/api/secure/falco/macros/%d?skipPolicyV2Msg=%t"
+	DeleteMacroPath  = "%s/api/secure/falco/macros/%d?skipPolicyV2Msg=%t"
 )
 
 type MacroInterface interface {
@@ -96,17 +96,17 @@ func (client *Client) DeleteMacro(ctx context.Context, id int) error {
 }
 
 func (client *Client) CreateMacroURL() string {
-	return fmt.Sprintf(CreateMacroPath, client.config.url)
+	return fmt.Sprintf(CreateMacroPath, client.config.url, client.config.secureSkipPolicyV2Msg)
 }
 
 func (client *Client) GetMacroByIDURL(id int) string {
 	return fmt.Sprintf(GetMacroByIDPath, client.config.url, id)
 }
 
 func (client *Client) UpdateMacroURL(id int) string {
-	return fmt.Sprintf(UpdateMacroPath, client.config.url, id)
+	return fmt.Sprintf(UpdateMacroPath, client.config.url, id, client.config.secureSkipPolicyV2Msg)
 }
 
 func (client *Client) DeleteMacroURL(id int) string {
-	return fmt.Sprintf(DeleteMacroPath, client.config.url, id)
+	return fmt.Sprintf(DeleteMacroPath, client.config.url, id, client.config.secureSkipPolicyV2Msg)
 }
diff --git a/sysdig/internal/client/v2/model.go b/sysdig/internal/client/v2/model.go
@@ -606,8 +606,9 @@ type AlertV2ConfigMetric struct {
 
 type AlertV2Metric struct {
 	AlertV2Common
-	DurationSec int                 `json:"durationSec"`
-	Config      AlertV2ConfigMetric `json:"config"`
+	DurationSec                              int                 `json:"durationSec"`
+	Config                                   AlertV2ConfigMetric `json:"config"`
+	UnreportedAlertNotificationsRetentionSec *int                `json:"unreportedAlertNotificationsRetentionSec"`
 }
 
 type alertV2MetricWrapper struct {
@@ -628,8 +629,9 @@ type AlertV2ConfigDowntime struct {
 
 type AlertV2Downtime struct {
 	AlertV2Common
-	DurationSec int                   `json:"durationSec"`
-	Config      AlertV2ConfigDowntime `json:"config"`
+	DurationSec                              int                   `json:"durationSec"`
+	Config                                   AlertV2ConfigDowntime `json:"config"`
+	UnreportedAlertNotificationsRetentionSec *int                  `json:"unreportedAlertNotificationsRetentionSec"`
 }
 
 type alertV2DowntimeWrapper struct {
@@ -665,8 +667,9 @@ type AlertV2ConfigFormBasedPrometheus struct {
 
 type AlertV2FormBasedPrometheus struct {
 	AlertV2Common
-	DurationSec int                              `json:"durationSec"` // not really used but the api wants it set to 0 in POST/PUT
-	Config      AlertV2ConfigFormBasedPrometheus `json:"config"`
+	DurationSec                              int                              `json:"durationSec"` // not really used but the api wants it set to 0 in POST/PUT
+	Config                                   AlertV2ConfigFormBasedPrometheus `json:"config"`
+	UnreportedAlertNotificationsRetentionSec *int                             `json:"unreportedAlertNotificationsRetentionSec"`
 }
 
 type alertV2FormBasedPrometheusWrapper struct {
@@ -675,8 +678,9 @@ type alertV2FormBasedPrometheusWrapper struct {
 
 type AlertV2Change struct {
 	AlertV2Common
-	DurationSec int                 `json:"durationSec"` // not really used but the api wants it set to 0 in POST/PUT
-	Config      AlertV2ConfigChange `json:"config"`
+	DurationSec                              int                 `json:"durationSec"` // not really used but the api wants it set to 0 in POST/PUT
+	Config                                   AlertV2ConfigChange `json:"config"`
+	UnreportedAlertNotificationsRetentionSec *int                `json:"unreportedAlertNotificationsRetentionSec"`
 }
 
 type alertV2ChangeWrapper struct {

diff --git a/sysdig/internal/client/v2/policies.go b/sysdig/internal/client/v2/policies.go
@@ -4,14 +4,17 @@ import (
 	"context"
 	"fmt"
 	"net/http"
+
+	"github.com/pkg/errors"
 )
 
 const (
-	CreatePolicyPath = "%s/api/v2/policies"
-	DeletePolicyPath = "%s/api/v2/policies/%d"
-	UpdatePolicyPath = "%s/api/v2/policies/%d"
-	GetPolicyPath    = "%s/api/v2/policies/%d"
-	GetPoliciesPath  = "%s/api/v2/policies"
+	CreatePolicyPath         = "%s/api/v2/policies?skipPolicyV2Msg=%t"
+	DeletePolicyPath         = "%s/api/v2/policies/%d?skipPolicyV2Msg=%t"
+	UpdatePolicyPath         = "%s/api/v2/policies/%d?skipPolicyV2Msg=%t"
+	GetPolicyPath            = "%s/api/v2/policies/%d"
+	GetPoliciesPath          = "%s/api/v2/policies"
+	SendPoliciesToAgentsPath = "%s/api/v2/policies/actions?action=forwardPolicyV2Msg"
 )
 
 type PolicyInterface interface {
@@ -21,6 +24,7 @@ type PolicyInterface interface {
 	UpdatePolicy(ctx context.Context, policy Policy) (Policy, error)
 	GetPolicyByID(ctx context.Context, policyID int) (Policy, int, error)
 	GetPolicies(ctx context.Context) ([]Policy, int, error)
+	SendPoliciesToAgents(ctx context.Context) error
 }
 
 func (client *Client) CreatePolicy(ctx context.Context, policy Policy) (Policy, error) {
@@ -113,16 +117,32 @@ func (client *Client) GetPolicies(ctx context.Context) ([]Policy, int, error) {
 	return policies, http.StatusOK, nil
 }
 
+func (client *Client) SendPoliciesToAgents(ctx context.Context) error {
+	if client.config.secureSkipPolicyV2Msg {
+		// We only need to send policies if we've been configured to skip sending them during updates
+		response, err := client.requester.Request(ctx, http.MethodPost, client.SendPoliciesToAgentsURL(), nil)
+		if err != nil {
+			return err
+		}
+		defer response.Body.Close()
+
+		if response.StatusCode != http.StatusOK {
+			return errors.Errorf("Unexpected response when sending policies to agents: %s", response.Status)
+		}
+	}
+	return nil
+}
+
 func (client *Client) CreatePolicyURL() string {
-	return fmt.Sprintf(CreatePolicyPath, client.config.url)
+	return fmt.Sprintf(CreatePolicyPath, client.config.url, client.config.secureSkipPolicyV2Msg)
 }
 
 func (client *Client) DeletePolicyURL(policyID int) string {
-	return fmt.Sprintf(DeletePolicyPath, client.config.url, policyID)
+	return fmt.Sprintf(DeletePolicyPath, client.config.url, policyID, client.config.secureSkipPolicyV2Msg)
 }
 
 func (client *Client) UpdatePolicyURL(policyID int) string {
-	return fmt.Sprintf(UpdatePolicyPath, client.config.url, policyID)
+	return fmt.Sprintf(UpdatePolicyPath, client.config.url, policyID, client.config.secureSkipPolicyV2Msg)
 }
 
 func (client *Client) GetPolicyURL(policyID int) string {
@@ -132,3 +152,7 @@ func (client *Client) GetPolicyURL(policyID int) string {
 func (client *Client) GetPoliciesURL() string {
 	return fmt.Sprintf(GetPoliciesPath, client.config.url)
 }
+
+func (client *Client) SendPoliciesToAgentsURL() string {
+	return fmt.Sprintf(SendPoliciesToAgentsPath, client.config.url)
+}
diff --git a/sysdig/internal/client/v2/rules.go b/sysdig/internal/client/v2/rules.go
@@ -8,17 +8,17 @@ import (
 )
 
 const (
-	CreateRulePath   = "%s/api/secure/rules"
+	CreateRulePath   = "%s/api/secure/rules?skipPolicyV2Msg=%t"
 	GetRuleByIDPath  = "%s/api/secure/rules/%d"
-	UpdateRulePath   = "%s/api/secure/rules/%d"
-	DeleteURLPath    = "%s/api/secure/rules/%d"
+	UpdateRulePath   = "%s/api/secure/rules/%d?skipPolicyV2Msg=%t"
+	DeleteURLPath    = "%s/api/secure/rules/%d?skipPolicyV2Msg=%t"
 	GetRuleGroupPath = "%s/api/secure/rules/groups?name=%s&type=%s"
 )
 
 type RuleInterface interface {
 	Base
 	CreateRule(ctx context.Context, rule Rule) (Rule, error)
-	GetRuleByID(ctx context.Context, ruleID int) (Rule, error)
+	GetRuleByID(ctx context.Context, ruleID int) (Rule, int, error)
 	UpdateRule(ctx context.Context, rule Rule) (Rule, error)
 	DeleteRule(ctx context.Context, ruleID int) error
 	GetRuleGroup(ctx context.Context, ruleName string, ruleType string) ([]Rule, error)
@@ -43,18 +43,19 @@ func (client *Client) CreateRule(ctx context.Context, rule Rule) (Rule, error) {
 	return Unmarshal[Rule](response.Body)
 }
 
-func (client *Client) GetRuleByID(ctx context.Context, ruleID int) (Rule, error) {
+func (client *Client) GetRuleByID(ctx context.Context, ruleID int) (Rule, int, error) {
 	response, err := client.requester.Request(ctx, http.MethodGet, client.GetRuleByIDURL(ruleID), nil)
 	if err != nil {
-		return Rule{}, err
+		return Rule{}, 0, err
 	}
 	defer response.Body.Close()
 
 	if response.StatusCode != http.StatusOK {
-		return Rule{}, client.ErrorFromResponse(response)
+		return Rule{}, response.StatusCode, client.ErrorFromResponse(response)
 	}
 
-	return Unmarshal[Rule](response.Body)
+	rule, err := Unmarshal[Rule](response.Body)
+	return rule, 0, err
 }
 
 func (client *Client) UpdateRule(ctx context.Context, rule Rule) (Rule, error) {
@@ -106,19 +107,19 @@ func (client *Client) GetRuleGroup(ctx context.Context, ruleName string, ruleTyp
 }
 
 func (client *Client) CreateRuleURL() string {
-	return fmt.Sprintf(CreateRulePath, client.config.url)
+	return fmt.Sprintf(CreateRulePath, client.config.url, client.config.secureSkipPolicyV2Msg)
 }
 
 func (client *Client) GetRuleByIDURL(ruleID int) string {
 	return fmt.Sprintf(GetRuleByIDPath, client.config.url, ruleID)
 }
 
 func (client *Client) UpdateRuleURL(ruleID int) string {
-	return fmt.Sprintf(UpdateRulePath, client.config.url, ruleID)
+	return fmt.Sprintf(UpdateRulePath, client.config.url, ruleID, client.config.secureSkipPolicyV2Msg)
 }
 
 func (client *Client) DeleteRuleURL(ruleID int) string {
-	return fmt.Sprintf(DeleteURLPath, client.config.url, ruleID)
+	return fmt.Sprintf(DeleteURLPath, client.config.url, ruleID, client.config.secureSkipPolicyV2Msg)
 }
 
 func (client *Client) GetRuleGroupURL(ruleName string, ruleType string) string {