Add Regorus policy engine framework

[mgunnala]

Description

This is PR 1 for policy enforcement within the guest agent. This PR adds the test Regorus executable and initial policy engine framework to call the executable. Guest agent functionality is not yet affected.

• Regorus is utilized as the policy engine. Regorus is maintained as a separate open-source repository. Currently, static Rust MUSL-based executable is built separately and copied into the tests/data folder. The binary will eventually be added to the package via official build pipeline but for now, is kept in the test directory.
• regorus.py implements add_policy, add_data, set_input, and eval_query functions by calling the Regorus executable via subprocess.
• policy_engine.py implements a PolicyEngineConfigurator (responsible for conf checks and import) and PolicyEngine (responsible for higher level policy functions).
• new "Debug.EnableExtensionPolicy" conf flag added to enable policy enforcement. Regorus is only imported if policy is enabled via conf and the platform is supported.
• In this PR, extension installation is not affected (no policy enforcement code added to exthandlers.py). This functionality will be added in the next PR. Once functionality is complete, any errors thrown in policy enforcement code will block extension installation.
• Unit tests were added for policy_engine.py and regorus.py. There is no change to agent functionality (PolicyEngine is not instantiated anywhere) so no end-to-end tests have been added yet.

---

PR information

• The title of the PR is clear and informative.
• There are a small number of commits, each of which has an informative message. This means that previously merged commits do not appear in the history of the PR. For information on cleaning up the commits in your pull request, see this page.
• If applicable, the PR references the bug/issue that it fixes in the description.
• New Unit tests were added for the changes made

Quality of Code and Contribution Guidelines

• I have read the contribution guidelines.

[mgunnala]

In this case, we want to allow all extensions to be installed, but log that customer is trying to enable policy on unsupported distro.

[mgunnala]

Discussed offline: all extensions should be blocked. I've updated the code to return an empty query result in this case. The next PR will use the empty query result to return an empty allow list, so that no extensions will be installed (ADO task 29144116, added TODO to code).

[narrieta]

I think empty list is not the right way to represent those errors. Both of them block extension execution, but empty list should just communicate the user that no extensions are allowed to execute, while errors should be very explicit about what is happening (try to enable on unsupported distro, invalid policy file, etc) so that the user can take the appropriate action

[maddieford]

+1, the extension status message should be clear that extension processing is blocked because this is an unsupported distro (or whatever the reason is)

[mgunnala]

Updated error handling to raise exceptions

[narrieta]

Some comments on the Agent code. I did not review the tests, since I think addressing some of my comment will require changes in the implementation/behavior

[narrieta]

Minor: suggest POLICY_SUPPORTED_DISTROS_MIN_VERSIONS

[mgunnala]

Fixed

[narrieta]

let's add 'azurelinux' '3'

[mgunnala]

Added

[narrieta]

double-check this, specially for arm64. it can also be aarch64

[maddieford]

We should have more telemetry on this now. I'll share with Manu

[mgunnala]

We're not supporting arm64 until public preview. Added a TODO to update this list once we enable support.

[maddieford]

I think we should remove 'amd64' from this list. We don't have telemetry for this arch type:

cluster("azcore.centralus.kusto.windows.net").database("Fa").GuestAgentExtensionEvents
| where PreciseTimeStamp >= ago(30d)
| where OSVersion startswith "linux"
| summarize dcount(ContainerId) by KeywordName

KeywordName	dcount_ContainerId
{"CpuArchitecture": "x86_64"}	739,107,991
	639,940,276
{"CpuArchitecture": "aarch64"}	3,092,416
{"CpuArchitecture": "i686"}	280

[mgunnala]

removed amd64

[narrieta]

Minor: not sure we need the "[Policy]" prefix

[mgunnala]

I thought it made the log file a little easier to read/parse, can remove if you think it adds too much clutter.

[mgunnala]

Removed

[narrieta]

rename to is_policy_enabled

[mgunnala]

renamed to is_policy_enforcement_enabled( ), to avoid confusion with the policy_engine_enabled property.

[narrieta]

I think empty list is not the right way to represent those errors. Both of them block extension execution, but empty list should just communicate the user that no extensions are allowed to execute, while errors should be very explicit about what is happening (try to enable on unsupported distro, invalid policy file, etc) so that the user can take the appropriate action

[narrieta]

by PolicyEngine? shouldn't we move the initialization there then?

[narrieta]

I think importing here, only after checking that the feature is enabled, etc, used to make sense when the interface with regorus was going to be a set of Python bindings that may crash on some distros. Not sure what the motivation is with the current implementation.

[mgunnala]

makes sense. I've moved the initialization to policy engine.

[narrieta]

I don't think this state should be static, since we are trying to initialize only once per waagent service start.

Under some scenarios, for example the user tries to use the feature on an unsupported distro, the user should not need to restart the agent to fix the issue.

This initialization should probably be done on a per-goal state basis, unless it is very expensive.

Alternatively, some initialization could be done on a per-service-start basis, and some on a per-goal-state basis, but those should be clearly defined.

[mgunnala]

Moved initialization to PolicyEngine. Exthandlers.py will initialize the PolicyEngine on a per-goal state basis.

[narrieta]

prefer DISTRO_NAME and DISTRO_VERSION over distro_info[0], [1]. Makes the code easier to read.

they are initialized like this

__distro__ = get_distro()
DISTRO_NAME = __distro__[0]
DISTRO_VERSION = __distro__[1]

[mgunnala]

Updated

[narrieta]

I missed one file in my initial review. Additional comments.

[narrieta]

How could ImportError and NameError happen?

[mgunnala]

Removed these errors, not relevant since we're no longer using a python wrapper

[narrieta]

I think importing here, only after checking that the feature is enabled, etc, used to make sense when the interface with regorus was going to be a set of Python bindings that may crash on some distros. Not sure what the motivation is with the current implementation.

[narrieta]

This usage is weird, because get_policy_enabled() is an static method, so one does not need an instance to invoke it...

Why the call to get_instance()?

This is related to one of my comments above about all methods/properties of PolicyEngineConfigurator being static, so there is no need for a singleton instance

[mgunnala]

Removed PolicyEngineConfigurator

[narrieta]

this check seems extremely weak... seems like we accept as valid any file, no matter its contents, as long as its name ends with ".rego"

[narrieta]

i see, the actual validation would be done by regorus and then we would need to handle the error reporting here.

a TODO comment would clarify thin

[narrieta]

can you describe what is in that JSON object?

[mgunnala]

Added

[narrieta]

this is weird. callers to eval_query() need to know that they must call add_policy(), set_input() and add_data() f first. How do they know that? why if the caller invokes those 3 methods to evaluate a query and then forgets to call one of them when trying to evaluate another query?

why not

def eval_query(self, policy_path, input_json, data, query):

[mgunnala]

Discussed offline - this is how the regorus library implements it, we're keeping the functions the same in case we want to change the underlying implementation in the future (ex switch to a python library). PolicyEngine init function calls add_policy() and add_data(), PolicyEngine.evaluate_query() takes input as a parameter and calls set_input().

[narrieta]

can you describe what is in that JSON object?

[mgunnala]

Added

[narrieta]

can you describe what is in that JSON file?

[mgunnala]

Added, though I haven't included full details here, more explanation in the spec doc. Let me know if more detail is needed here specifically.

[narrieta]

use shellutil.run_command() instead of Popen()

[narrieta]

should this be under the normal Agent license instead?

[mgunnala]

updated to normal agent license since this will be packaged with agent

[maddieford]

We have an osutil function for this: osutil.get_vm_arch()

[mgunnala]

updated to use osutil

[narrieta]

Sorry, what I meant was to use the distro name and version already defined in azurelinuxagent.common.version

[mgunnala]

Ah, that makes sense. Updated.

[narrieta]

is this left-over code?

[mgunnala]

I changed this function implementation based on the other comments, removed this block too.

[narrieta]

can we use a better name than "input_dict"?

[mgunnala]

"input_to_query" or "input_to_check" maybe?

[narrieta]

what does "data.agent_extension_policy.extensions_to_download"? an extension name?

[mgunnala]

This is the value we're querying for in the regorus engine. We can query for "data", "data.agent_extension_policy", "data.agent_extension_policy.extensions_to_download", etc.

"data.agent_extension_policy.extensions_to_download" will return output in the format:

"extensions_to_download": { 
        "Microsoft.Azure.ActiveDirectory.AADSSHLoginForLinux": { 
            "downloadAllowed": true 
        }, 
        "Microsoft.Azure.Extensions.CustomScript": { 
            "downloadAllowed": false 
        } 
    }

...
I've put a full example in the spec.

[narrieta]

could you add the full_result to the message? it would be needed for debugging.

while doing that, adding the path to the rule file would also be helpful (it was mentioned before that there may be multiple fules files)

[narrieta]

similar comment for other messages

[mgunnala]

Added!

[narrieta]

why mocking all of osutil instead of just mocking get_vm_arch? (if the code ends up doing other calls to utilities in osutil, the test may break)

[mgunnala]

Good catch, thanks. I've fixed it.

[maddieford]

Is this comment still true?

add_policy, add_data, and set_input will be no-ops, eval_query will return an empty dict

Seems like we updated to raise exc instead of no-op

[maddieford]

Suggested change

	if not self.policy_engine_enabled:
	if not self._policy_engine_enabled:

or

Suggested change

	if not self.policy_engine_enabled:
	if not self.policy_engine_enabled():

[narrieta]

Whoa! great catch @maddieford!

pylint disappoints me more often than I'd like. But if the linter fails, the next step would be unit tests, I guess

[mgunnala]

@maddieford not sure I'm understanding the issue - this came from a previous comment to make policy_engine_enabled( ) into a @Property method. My understanding is we can just access "self.policy_engine_enabled" since it's acting as a property. Is this not the case?

[narrieta]

@mgunnala - the parenthesis are missing from the function call. As written currently, that condition is always True

maddieford points out that you should add the parenthesis or use the private property

[narrieta]

This is a bad bug, easy to miss. The linter (or the unit tests) didn't point it out.

[narrieta]

ah, it's a property!

[mgunnala]

I thought @Property methods in python didn't require the parentheses.

I have a unit test looking for exactly this scenario - "test_eval_query_should_throw_error_when_disabled()". It passes, and when I step through it, the function is being called as expected.

[narrieta]

yes, i think we misread the code

[narrieta]

but, related to this property.. is this needed at all? see my other comment. looks like a left-over

[mgunnala]

Replied to your other comment

[maddieford]

not full_result.get('result')
Are we checking for None here? Looks like 'result' value type is list so we should probably do explicit check for None here instead of 'not full_result...'

Suggested change

	if not full_result.get('result') or not isinstance(full_result['result'], list):
	if full_result.get('result') is None or not isinstance(full_result['result'], list):

[narrieta]

+1

@mgunnala We avoid those implicit comparisons. We check "if foo/if not foo" only for actual bools. Comparisons against None, empty list, empty string, etc, should be explicit

[mgunnala]

Added explicit None checks for full_result, result, expression and value

[maddieford]

same comment here, check if expressions is None explicitly

[maddieford]

same here

[mgunnala]

done

[narrieta]

nit: missed this one before: "If true, Regorus will be installed on the VM". Regorus is always installed on the VM, no matter the value of the flag

[narrieta]

left-over comment; we removed the try/except of ImportError in a previous iteration

[narrieta]

left-over comment -- i think those methods are now gone

[narrieta]

there are some related left-over comments in the unit tests as well

[narrieta]

is this try/catch a leftover of a previous iteration? at this point the initialization is just

        self._engine = None
        self._rule_file = rule_file
        self._policy_file = policy_file

[narrieta]

Whoa! great catch @maddieford!

pylint disappoints me more often than I'd like. But if the linter fails, the next step would be unit tests, I guess

[narrieta]

+1

@mgunnala We avoid those implicit comparisons. We check "if foo/if not foo" only for actual bools. Comparisons against None, empty list, empty string, etc, should be explicit

[narrieta]

left-over comment: "and Regorus engine has been successfully initialized""

[mgunnala]

removed this property

[narrieta]

should be private

[mgunnala]

made private