Replace Regorus with Python-based policy engine

[mgunnala]

Description

Issue #

---

Add Python-based policy handing logic to replace Regorus.
Extension handling code is not changed in this PR, so agent functionality is not affected. No e2e tests were added.

PR information

• The title of the PR is clear and informative.
• There are a small number of commits, each of which has an informative message. This means that previously merged commits do not appear in the history of the PR. For information on cleaning up the commits in your pull request, see this page.
• If applicable, the PR references the bug/issue that it fixes in the description.
• New Unit tests were added for the changes made

Quality of Code and Contribution Guidelines

• I have read the contribution guidelines.

[narrieta]

Did not go thru the implementation details, but approach looks good to me

[narrieta]

let's do the same we do for waagent.conf

class DefaultOSUtil(object):
    def __init__(self):
        self.agent_conf_file_path = '/etc/waagent.conf'

[mgunnala]

Added get_custom_policy_file_path() to DefaultOSUtil and called it here

[narrieta]

should be private

[mgunnala]

updated

[narrieta]

add TODO for validation

[mgunnala]

added

[narrieta]

Suggested change

	def should_enforce_signature(self):
	def should_enforce_signature_validation(self):

[mgunnala]

Updated

[narrieta]

isn't this deleting the data file from the source code?

[narrieta]

or maybe you meant to use self.tmp_dir

[mgunnala]

We don't actually store a test policy file in the source code, each test creates its own file and cleans it up. But I was looking for a better place to create this file, so I've changed it to use self.tmp_dir.

[narrieta]

tearDown cleans up self.tmp_dir, no need for explicit deletion

[mgunnala]

Removed

[narrieta]

        with open(self.custom_policy_path, mode='w') as policy_file:
            json.dump(policy, policy_file, indent=4)
            policy_file.flush()

should probably be refactored into a helper method

[mgunnala]

good point, I added this helper

[maddieford]

Custom_policy_path may exist, but have no contents. In that case this function would return an empty dict as well. If we return default policy in the else condition, I think we should also return defaults for any prop the customer did not include in their custom policy path

[maddieford]

I would suggest _log_policy_info or something similar.
_log_policy() sounds like we're logging the policy attribute

[mgunnala]

how about _log_policy_event()? _log_policy_info might make it seem like we're just writing to logger.info, but we're also writing to logger.error

[maddieford]

Ah I see, _log_policy_message? event is also ok with me

[mgunnala]

changed to _log_policy_event

[maddieford]

Yes we should remove this parameter since we're initializing on a goal state basis.

[maddieford]

This check already happens in base class init

[mgunnala]

Originally, we needed this check because policy is None if the feature isn't enabled - but since we've removed the extension_to_check parameter, we don't need this constructor at all. I've removed it.

[maddieford]

Will this function will be called for every ext, in every goal state? Even if policy is not enabled?

[mgunnala]

This function will be called any time we try to enable an extension (right before the handle_enable call in handle_ext_handler()). It will be called even if policy isn't enabled, but if policy is not enabled, it will just return True.

[narrieta]

private

[mgunnala]

Updated

[narrieta]

how are we planning to use 'code'?

should probably not have a default value

[mgunnala]

I set the code here to eventually use in create_status_file_if_not_exist(), when we block the extension. But I've removed it for now, I can add in the next PR if needed.

[maddieford]

I think we should separate these unit tests into separate classes.
TestPolicyEngine
TestExtensionPolicyEngine

policy enabled/parsing logic should be in TestPolicyEngine

[mgunnala]

I didn't initially split it this way because PolicyEngine is a private class and functionality is actually tested through ExtensionPolicyEngine. But I'm neutral on the change so went ahead and refactored it - let me know if the new split makes sense to you.

[maddieford]

Changes in the agent look good. I reviewed the tests in more detail with this review

[maddieford]

Do we still need this None check?

[mgunnala]

Removed it - validation will now raise an error if ext_policy is None.

[maddieford]

This test name sounds like its testing default policy:

# Default policy values to be used when no custom policy is present.
_DEFAULT_ALLOW_LISTED_EXTENSIONS_ONLY = False
_DEFAULT_SIGNATURE_REQUIRED = False

but its actual testing the case where no policy exists/is in use

[mgunnala]

I realized there are a few overlapping tests for testing default policy / custom policy empty / no custom policy exists. I've refactored them into:
test_should_allow_and_should_not_enforce_signature_if_no_custom_policy_file
test_should_allow_and_should_not_enforce_signature_if_conf_flag_false
test_should_use_default_policy_if_no_custom_extension_policy_specified

[maddieford]

Can we add a case to test that we don't enforce signature if extension policy section is missing

[mgunnala]

Added

[maddieford]

__get_policy_enforcement_enabled() checks if the policy file exists first. Since policy file doesn't exist, the function is returning false without checking the conf flag. Consider creating a policy file for this test and test_should_not_enforce_signature_if_policy_disabled

[mgunnala]

Refactored these into two different tests:
test_should_allow_and_should_not_enforce_signature_if_no_custom_policy_file
test_should_allow_and_should_not_enforce_signature_if_conf_flag_false

[codecov]

Codecov Report

Attention: Patch coverage is 94.89796% with 5 lines in your changes missing coverage. Please review.

Project coverage is 72.40%. Comparing base (3aebcdd) to head (e038560).
Report is 314 commits behind head on develop.

Files with missing lines	Patch %	Lines
azurelinuxagent/ga/policy/policy_engine.py	94.68%	3 Missing and 2 partials ⚠️

Additional details and impacted files

@@             Coverage Diff             @@
##           develop    #3234      +/-   ##
===========================================
+ Coverage    71.97%   72.40%   +0.42%     
===========================================
  Files          103      113      +10     
  Lines        15692    16956    +1264     
  Branches      2486     2452      -34     
===========================================
+ Hits         11295    12277     +982     
- Misses        3881     4121     +240     
- Partials       516      558      +42     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[maddieford]

Added two very minor comments

[maddieford]

I think 227 is a duplicate of 226

[mgunnala]

Fixed!

[nagworld9]

Today, some distros place the waagent.conf in different path, do we want to take that responsibility and update those distros policy path based on waagent.conf path in respective osutils?

[mgunnala]

I think we should leave it up to individual distros if they want to update the policy path, but will defer to you on this. PolicyEngine just uses get_osutil().get_custom_policy_file_path().

[narrieta]

@mgunnala - @nagworld9 is right. Initially I asked you to add it here, and then I realized it actually needed to be in waagent.conf, but did not have time to post my message. Thanks for pointing this out, Nag.

[mgunnala]

To make sure I'm understanding correctly, is this the change we would want to make?

• remove custom_policy_file_path instance variable from DefaultOSUtil
• get_custom_policy_file_path() should return <conf_file_directory>/waagent_policy.json
• policy_engine.py calls get_osutil().get_custom_policy_file_path() (as currently implemented)

[narrieta]

Almost. Move the path from osutil to conf (we already define other paths there)

def get_lib_dir(conf=__conf__):
    return conf.get("Lib.Dir", "/var/lib/waagent")

def get_ext_log_dir(conf=__conf__):
    return conf.get("Extension.LogDir", "/var/log/azure")

BTW, let's remove "custom" from it. Maybe Policy.PolicyFile?

[mgunnala]

Updated.

[nagworld9]

customer can change json file while we read, so we may get jsondecode error. Do we want to add few retries for json load?

[mgunnala]

We read the policy on a per goal state basis. If the customer does change the file during goal state processing, we don't necessarily want to support that so it would make sense to raise an error.

[maddieford]

If user is modifying policy file while the agent is processing extensions, what message will be surfaced to the user? Will it be useful/clear?

[mgunnala]

The policy file is only read once during extension processing. If the user successfully modifies the file to a valid JSON before json.load is called, no error message is raised and we apply the modified version of the policy.

If the file is actively being modified and incomplete/invalid when json.load is called, JSONDecodeError will be thrown, we catch and re-raise it as an InvalidPolicyError with an error message like "policy file does not conform to valid json syntax". This might be a case where it makes sense to dump the policy file in the error message.

[narrieta]

left-over

[mgunnala]

removed

[narrieta]

Suggested change

	class PolicyInvalidError(AgentError):
	class InvalidPolicyError(AgentError):

[mgunnala]

Updated this

[narrieta]

do we still need this module-global variable?

[mgunnala]

I kept it to easily accommodate changes to where we keep the policy path (for example, moving from osutil to conf). Can remove if you think it's not needed.

[narrieta]

I thought it was a left-over from a previous iteration, when we defining the value here.

Seems odd that we define this global for this conf parameter, while we don't for conf.get_extension_policy_enabled (and other parameters in the rest of the code)

[mgunnala]

removed

[narrieta]

     policy_file_exists = os.path.exists(_CUSTOM_POLICY_PATH)
     return conf.get_extension_policy_enabled() and policy_file_exists

The enabled flag should be checked first:

return conf.get_extension_policy_enabled() and os.path.exists(conf.get_policy_file_path())

[mgunnala]

updated

[narrieta]

On most VMs, the policy file will not exist and this message won't make much sense. Maybe log when enforcing, rather than when not enforcing? (and include the path to the policy file in the message)

[narrieta]

Should be static. It is called from init and, as the code evolves, it may end up referencing an uninitialized instance member

[mgunnala]

not sure I understand - what's an example of when this could happen, and would it not be caught by unit tests? I've changed the code in __parse_policy to directly update self._policy, trying to understand if this implementation is problematic.

[narrieta]

"object", rather than "JSON"

[mgunnala]

added a __parse_dict method and changed the error message to "object"

[mgunnala]

Do we want this to be "0.1.0" to accommodate any changes we might make before GA? Or set to "1.0.0" now?

[mgunnala]

is something like "1" or "1.0" acceptable? or should this be a strict major.minor.patch format?

[maddieford]

Suggested change

	"Policy.PolicyFile": "/etc/waagent_policy.json"
	"Policy.PolicyFilePath": "/etc/waagent_policy.json"

[maddieford]

Is it worth logging/sending telemetry with the provided policy (either before or after parsing)?

We don't want to flood the log, but we only check policy when there's a new extensions goal state to process, so I think it may be useful to add this logging/telemetry to aid in debugging. Right now, if a customer raises an incident that their policy was incorrectly applied, we won't know what the state of the policy file was at the time of the issue.

@narrieta, @mgunnala what do you think?

[mgunnala]

I think it could be worth logging the policy immediately after reading it (before parsing), it would be helpful especially in cases where the customer unexpectedly changes the file during goal state processing.

I was also thinking if we should include it in InvalidPolicyError messages, so the user knows exactly what policy file contents caused that error. But this seems like potentially overkill and might make error messages quite difficult to read.

[maddieford]

If user is modifying policy file while the agent is processing extensions, what message will be surfaced to the user? Will it be useful/clear?

[maddieford]

please change to object

should this be str?

[mgunnala]

Yes, thanks.

I was thinking about merging __parse_bool, __parse_dict, __parse_string into a single function, so we have a common error message between all of them. I ended up keeping them separate because I thought it made the code more readable but let me know if you have a preference.

[maddieford]

I think it would make sense to merge them.
I also think the type validation could instead be done in __validate_schema by using the value of the attribute in _POLICY_SCHEMA as the expected type

[maddieford]

As is, if we add a new attribute to the extensionPolicies section, we would need to add it to POLICY_SCHEMA, and add a separate call to _parse_bool for the new attribute.

[maddieford]

Is this a repeat of the type check that happens in __parse_dict on line 212

[maddieford]

I think this type check should happen before __validate_schema on line 225. Validate schema iterates over keys in the individual_policy, before validating the type of the individual_policy

[mgunnala]

I changed the order, also added a unit test to check the case where individual_policy is not iterable.

[maddieford]

Doesn't look like this return is necessary currently

[mgunnala]

removed

[maddieford]

__parse_policy may update self._policy with a partially parsed policy in the case that an exception is raised during parsing.

I don't think self._policy should be in a 'partially parsed' state. For now, I understand why this may be ok, but it could be risky in future iterations of the code.

I think self._policy should either be -> default policy, or fully parsed custom policy

[mgunnala]

what if the policy file specifies a null value (like { "signatureRequired": None }) - what is the expected behavior? with this implementation, we don't raise an error and use the default value