Merge pull request #203 from owncloud/d7_issue_188

Added policies service

charts/ocis/docs/values-desc-table.adoc

@@ -420,6 +420,24 @@ a| [subs=-attributes]
 a| [subs=-attributes]
 `"web"`
 | Specify the client ID which the web frontend will use
+| features.policies.enabled
+a| [subs=-attributes]
++bool+
+a| [subs=-attributes]
+`false`
+| Enables policies
+| features.policies.engineTimeout
+a| [subs=-attributes]
++string+
+a| [subs=-attributes]
+`"10s"`
+| Sets the timeout the rego expression evaluation can take. The timeout can be set as number followed by a unit identifier  like ms, s, etc. Rules default to deny if the timeout was reached.
+| features.policies.policies
+a| [subs=-attributes]
++list+
+a| [subs=-attributes]
+`[]`
+| Sets the policies. Each policy is defined by a `fileName` and a `content`. The content takes the rego script as text, see  https://doc.owncloud.com/ocis/next/deployment/services/s-list/policies.html#example-policies Attention: All scripts provided here will end up in a ConfigMap. The data stored in a ConfigMap cannot exceed 1 MiB. see  https://kubernetes.io/docs/concepts/configuration/configmap/#:~:text=The%20data%20stored%20in%20a,separate%20database%20or%20file%20service.
 | features.quotas.default
 a| [subs=-attributes]
 +string+
@@ -455,7 +473,7 @@ a| [subs=-attributes]
 +bool+
 a| [subs=-attributes]
 `false`
-| Enabled virus scanning
+| Enables virus scanning
 | features.virusscan.icap
 a| [subs=-attributes]
 +object+

charts/ocis/docs/values.adoc.yaml

@@ -290,7 +290,7 @@ features:
     #   2aadd357-682c-406b-8874-293091995fdd: 100000000000
   # Define virus scanning
   virusscan:
-    # -- Enabled virus scanning
+    # -- Enables virus scanning
     enabled: false
     # -- Define what should happen with infected files. Supported options are: 'delete', 'continue' and 'abort '.
     # Delete will delete the file.
@@ -308,7 +308,104 @@ features:
       url: icap://127.0.0.1:1344
       # -- Sets the service to be used in icap
       service: avscan
-
+  # Define policies
+  policies:
+    # -- Enables policies
+    enabled: false
+    # -- Sets the timeout the rego expression evaluation can take. The timeout can be set as number followed by a unit identifier 
+    # like ms, s, etc. Rules default to deny if the timeout was reached.
+    engineTimeout: 10s
+    # -- Sets the policies. Each policy is defined by a `fileName` and a `content`. The content takes the rego script as text, see 
+    # https://doc.owncloud.com/ocis/next/deployment/services/s-list/policies.html#example-policies
+    # Attention: All scripts provided here will end up in a ConfigMap. The data stored in a ConfigMap cannot exceed 1 MiB. see 
+    # https://kubernetes.io/docs/concepts/configuration/configmap/#:~:text=The%20data%20stored%20in%20a,separate%20database%20or%20file%20service.
+    policies: []
+    # - fileName: proxy.rego
+    #   content: |-
+    #     package proxy
+    #
+    #     import future.keywords.if
+    #     import data.utils
+    #
+    #     default granted := true
+    #
+    #     granted = false if {
+    #         utils.is_request_type_put
+    #         not input.request.path == "/data"
+    #         not utils.collection_contains(utils.ALLOWED_FILE_EXTENSIONS, input.request.path)
+    #     }
+    #
+    #     granted = false if {
+    #         utils.is_request_type_post
+    #         startswith(input.request.path, "/remote.php")
+    #         not utils.collection_contains(utils.ALLOWED_FILE_EXTENSIONS, input.resource.name)
+    #     }
+    # - fileName: postprocessing.rego
+    #   content: |-
+    #     package postprocessing
+    #
+    #     import future.keywords.if
+    #     import data.utils
+    #
+    #     default granted := true
+    #
+    #     granted = false if {
+    #         not utils.collection_contains(utils.ALLOWED_FILE_EXTENSIONS, input.resource.name)
+    #     }
+    # - fileName: util.rego
+    #   content: |-
+    #     package utils
+    #
+    #     import future.keywords.if
+    #
+    #     ALLOWED_FILE_EXTENSIONS := [
+    #         ".apk", ".avi", ".bat", ".bmp", ".css", ".csv", ".doc", ".docm", ".docx",
+    #         ".docxf", ".dotx", ".eml", ".epub", ".htm", ".html", ".ipa", ".jar", ".java",
+    #         ".jpg", ".js", ".json", ".mp3", ".mp4", ".msg", ".odp", ".ods", ".odt", ".oform",
+    #         ".ots", ".ott", ".pdf", ".php", ".png", ".potm", ".potx", ".ppsm", ".ppsx", ".ppt",
+    #         ".pptm", ".pptx", ".py", ".rtf", ".sb3", ".sprite3", ".sql", ".svg", ".tif", ".tiff",
+    #         ".txt", ".xls", ".xlsm", ".xlsx", ".xltm", ".xltx", ".xml", ".zip", ".md"
+    #     ]
+    #
+    #     ##
+    #
+    #     is_stage_http {
+    #         input.stage == "http"
+    #     }
+    #
+    #     is_stage_pp {
+    #         input.stage == "pp"
+    #     }
+    #
+    #     ##
+    #
+    #     is_user_admin {
+    #         input.user.username == "admin"
+    #     }
+    #
+    #     ##
+    #
+    #     is_request_type_put {
+    #         is_stage_http
+    #         input.request.method == "PUT"
+    #     }
+    #
+    #     is_request_type_post {
+    #         is_stage_http
+    #         input.request.method == "POST"
+    #     }
+    #
+    #     is_request_type_mkcol {
+    #         is_stage_http
+    #         input.request.method == "MKCOL"
+    #     }
+    #
+    #     ##
+    #
+    #     collection_contains(collection, source) {
+    #         current := collection[_]
+    #         endswith(source, current)
+    #     }
 # Ingress for oCIS.
 ingress:
   # -- Enables the Ingress.

charts/ocis/templates/_common/_tplvalues.tpl

@@ -72,6 +72,7 @@ Adds the app names to the scope and set the name of the app based on the input p
   {{- $_ := set .scope "appNameNotifications" "notifications" -}}
   {{- $_ := set .scope "appNameOcdav" "ocdav" -}}
   {{- $_ := set .scope "appNameOcs" "ocs" -}}
+  {{- $_ := set .scope "appNamePolicies" "policies" -}}
   {{- $_ := set .scope "appNamePostprocessing" "postprocessing" -}}
   {{- $_ := set .scope "appNameProxy" "proxy" -}}
   {{- $_ := set .scope "appNameSearch" "search" -}}

charts/ocis/templates/policies/config.yaml

@@ -0,0 +1,26 @@
+{{ if .Values.features.policies.enabled }}
+{{- include "ocis.appNames" (dict "scope" . "appName" "appNamePolicies" "appNameSuffix" "") -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .appName }}-config
+  namespace: {{ template "ocis.namespace" . }}
+  labels:
+    {{- include "ocis.labels" . | nindent 4 }}
+data:
+  policies.yaml: |
+    ---
+    {{- with $.Values.features.policies.policies }}
+    engine:
+      policies:
+    {{- range . }}
+          - /etc/ocis/{{- .fileName }}
+    {{- end }}
+    {{- end }}
+  {{- with $.Values.features.policies.policies -}}
+  {{- range . -}}
+  {{- .fileName | nindent 2 }}: |
+  {{- .content | nindent 4 -}}  
+  {{- end -}}
+  {{- end -}}
+{{ end }}

charts/ocis/templates/policies/deployment.yaml

@@ -0,0 +1,116 @@
+{{ if .Values.features.policies.enabled }}
+{{- include "ocis.appNames" (dict "scope" . "appName" "appNamePolicies" "appNameSuffix" "") -}}
+{{- $_ := set . "resources" (default (default (dict) .Values.resources) .Values.services.audit.resources) -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .appName }}
+  namespace: {{ template "ocis.namespace" . }}
+  labels:
+    {{- include "ocis.labels" . | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      app: {{ .appName }}
+  {{- if and (not .Values.autoscaling.enabled) (.Values.replicas) }}
+  replicas: {{ .Values.replicas }}
+  {{- end }}
+  {{- if .Values.deploymentStrategy }}
+  strategy: {{ toYaml .Values.deploymentStrategy | nindent 4 }}
+  {{ end }}
+  template:
+    metadata:
+      labels:
+        app: {{ .appName }}
+        {{- include "ocis.labels" . | nindent 8 }}
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/policies/config.yaml") . | sha256sum }}
+    spec:
+      securityContext:
+          fsGroup: {{ .Values.securityContext.fsGroup }}
+          fsGroupChangePolicy: {{ .Values.securityContext.fsGroupChangePolicy }}
+      {{- with .Values.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- tpl . $ | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: {{ .appName }}
+          image: {{ template "ocis.image" $ }}
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          command: ["ocis"]
+          args: ["policies", "server"]
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: {{ .Values.securityContext.runAsUser }}
+            runAsGroup: {{ .Values.securityContext.runAsGroup }}
+            readOnlyRootFilesystem: true
+          env:
+            - name: MICRO_REGISTRY
+              value: kubernetes
+            - name: POLICIES_LOG_COLOR
+              value: {{ .Values.logging.color | quote }}
+            - name: POLICIES_LOG_LEVEL
+              value: {{ .Values.logging.level | quote }}
+            - name: POLICIES_LOG_PRETTY
+              value: {{ .Values.logging.pretty | quote }}
+            - name: POLICIES_GRPC_ADDR
+              value: 0.0.0.0:9125
+            - name: POLICIES_ENGINE_TIMEOUT
+              value: {{ .Values.features.policies.engineTimeout | quote }}
+            - name: POLICIES_POSTPROCESSING_QUERY
+              value: "data.postprocessing.granted"
+            - name: POLICIES_EVENTS_ENDPOINT
+            {{- if not .Values.messagingSystem.external.enabled }}
+              value: {{ .appNameNats }}:9233
+            {{- else }}
+              value: {{ .Values.messagingSystem.external.endpoint | quote }}
+            - name: POLICIES_EVENTS_CLUSTER
+              value: {{ .Values.messagingSystem.external.cluster | quote }}
+            - name: POLICIES_EVENTS_ENABLE_TLS
+              value: {{ .Values.messagingSystem.external.tls.enabled | quote }}
+            - name: POLICIES_EVENTS_TLS_INSECURE
+              value: {{ .Values.messagingSystem.external.tls.insecure | quote }}
+            - name: POLICIES_EVENTS_TLS_ROOT_CA_CERTIFICATE
+              {{- if not .Values.messagingSystem.external.tls.certTrusted }}
+              value: /etc/ocis/messaging-system-ca/messaging-system-ca.crt
+              {{- else }}
+              value: "" # no cert needed
+              {{- end }}
+            {{- end }}
+            - name: OCIS_REVA_GATEWAY
+              value: {{ .appNameGateway }}:9142
+            - name: POLICIES_JWT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $.Values.secretRefs.jwtSecretRef }}
+                  key: jwt-secret
+            - name: POLICIES_MACHINE_AUTH_API_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.secretRefs.machineAuthApiKeySecretRef }}
+                  key: machine-auth-api-key
+
+
+          resources: {{ toYaml .resources | nindent 12 }}
+
+          volumeMounts:
+            - name: messaging-system-ca
+              mountPath: /etc/ocis/messaging-system-ca
+              readOnly: true
+            - name: configs
+              mountPath: /etc/ocis
+
+
+      {{- include "ocis.imagePullSecrets" $ | nindent 6 }}
+      volumes:
+        - name: messaging-system-ca
+          {{ if and (.Values.messagingSystem.external.enabled) (not .Values.messagingSystem.external.tls.certTrusted) }}
+          secret:
+            secretName: {{ .Values.secretRefs.messagingSystemCaRef }}
+          {{ else }}
+          emptyDir: {}
+          {{ end }}
+        - name: configs
+          configMap:
+            name: {{ .appName }}-config
+{{ end }}

charts/ocis/templates/policies/hpa.yaml

@@ -0,0 +1,4 @@
+{{ if .Values.features.policies.enabled }}
+{{- include "ocis.appNames" (dict "scope" . "appName" "appNamePolicies" "appNameSuffix" "") -}}
+{{ include "ocis.hpa" . }}
+{{ end }}

charts/ocis/templates/policies/pdb.yaml

@@ -0,0 +1,4 @@
+{{ if .Values.features.policies.enabled }}
+{{- include "ocis.appNames" (dict "scope" . "appName" "appNamePolicies" "appNameSuffix" "") -}}
+{{ include "ocis.pdb" . }}
+{{ end }}

charts/ocis/templates/postprocessing/deployment.yaml

@@ -53,9 +53,16 @@ spec:
             # - name: POSTPROCESSING_DEBUG_ADDR
             #   value: 0.0.0.0:TODO
 
+            {{- $_ := set . "postprocessingSteps" list -}}
+            {{- if .Values.features.policies.enabled }}
+            {{- $_ := set . "postprocessingSteps" (append .postprocessingSteps "policies") -}}
+            {{- end }}
             {{- if .Values.features.virusscan.enabled }}
+            {{- $_ := set . "postprocessingSteps" (append .postprocessingSteps "virusscan") -}}
+            {{- end }}
+            {{- if .postprocessingSteps }}
             - name: POSTPROCESSING_STEPS
-              value: "virusscan"
+              value: {{ join "," .postprocessingSteps | quote }}
             {{- end }}
 
             - name: POSTPROCESSING_EVENTS_ENDPOINT

charts/ocis/templates/proxy/deployment.yaml

@@ -103,6 +103,11 @@ spec:
                   name: {{ .Values.secretRefs.machineAuthApiKeySecretRef }}
                   key: machine-auth-api-key
 
+            {{- if .Values.features.policies.enabled }}
+            - name: PROXY_POLICIES_QUERY
+              value: data.proxy.granted
+            {{- end }}
+
           livenessProbe:
             httpGet:
               path: /healthz