Merge pull request #303 from rosmo/decentralized-firewall-validator
Added decentralized firewall rule validator
This commit is contained in:
commit
b86d696e17
|
@ -0,0 +1,29 @@
|
|||
# Copyright 2021 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# https://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
FROM python:3.9-slim
|
||||
|
||||
RUN mkdir /validator
|
||||
COPY requirements.txt /validator/requirements.txt
|
||||
RUN pip install -r /validator/requirements.txt
|
||||
COPY validator.py /validator/validator.py
|
||||
|
||||
RUN mkdir /schemas
|
||||
COPY firewallSchema.yaml /schemas/firewallSchema.yaml
|
||||
COPY firewallSchemaAutoApprove.yaml /schemas/firewallAutoApprove.yaml
|
||||
COPY firewallSchemaSettings.yaml /schemas/firewallSchemaSettings.yaml
|
||||
|
||||
RUN mkdir /rules
|
||||
|
||||
CMD ["/rules/**/*.yaml"]
|
||||
ENTRYPOINT ["python3", "/validator/validator.py"]
|
|
@ -0,0 +1,80 @@
|
|||
# Decentralized firewall validator
|
||||
|
||||
The decentralized firewall validator is a Python scripts that utilizes [Yamale](https://github.com/23andMe/Yamale) schema
|
||||
validation library to validate the configured firewall rules.
|
||||
|
||||
## Configuring schemas
|
||||
|
||||
There are three configuration files:
|
||||
- [firewallSchema.yaml](firewallSchema.yaml), where the basic validation schema is configured
|
||||
- [firewallSchemaAutoApprove.yaml](firewallSchemaAutoApprove.yaml), where the a different schema for auto-approval
|
||||
can be configured (in case more validation is required than what is available in the schema settings)
|
||||
- [firewallSchemaSettings.yaml](firewallSchemaSettings.yaml), configures list of allowed and approved
|
||||
source and destination ranges, ports, network tags and service accounts.
|
||||
|
||||
## Building the container
|
||||
|
||||
You can build the container like this:
|
||||
|
||||
```sh
|
||||
docker build -t eu.gcr.io/YOUR-PROJECT/firewall-validator:latest .
|
||||
docker push eu.gcr.io/YOUR-PROJECT/firewall-validator:latest
|
||||
```
|
||||
|
||||
## Running the validator
|
||||
|
||||
Example:
|
||||
|
||||
```sh
|
||||
docker run -v $(pwd)/firewall:/rules/ -t eu.gcr.io/YOUR-PROJECT/firewall-validator:latest
|
||||
```
|
||||
|
||||
Output is JSON with keys `ok` and `errors` (if any were found).
|
||||
|
||||
## Using as a GitHub action
|
||||
|
||||
An `action.yml` is provided for this validator to be used as a GitHub action.
|
||||
|
||||
Example of being used in a pipeline:
|
||||
|
||||
```yaml
|
||||
- uses: actions/checkout@v2
|
||||
|
||||
- name: Get changed files
|
||||
if: ${{ github.event_name == 'pull_request' }}
|
||||
id: changed-files
|
||||
uses: tj-actions/changed-files@v1.1.2
|
||||
|
||||
- uses: ./.github/actions/validate-firewall
|
||||
if: ${{ github.event_name == 'pull_request' }}
|
||||
id: validation
|
||||
with:
|
||||
files: ${{ steps.changed-files.outputs.all_modified_files }}
|
||||
|
||||
- uses: actions/github-script@v3
|
||||
if: ${{ github.event_name == 'pull_request' && steps.validation.outputs.ok != 'true' }}
|
||||
with:
|
||||
github-token: ${{ secrets.GITHUB_TOKEN }}
|
||||
script: |
|
||||
var comments = [];
|
||||
var errors = JSON.parse(process.env.ERRORS);
|
||||
for (const filename in errors) {
|
||||
var fn = filename.replace('/github/workspace/', '');
|
||||
comments.push({
|
||||
path: fn,
|
||||
body: "```\n" + errors[filename].join("\n") + "\n```\n",
|
||||
position: 1,
|
||||
});
|
||||
}
|
||||
github.pulls.createReview({
|
||||
owner: context.repo.owner,
|
||||
repo: context.repo.repo,
|
||||
pull_number: context.issue.number,
|
||||
event: "REQUEST_CHANGES",
|
||||
body: "Firewall rule validation failed.",
|
||||
comments: comments,
|
||||
});
|
||||
core.setFailed("Firewall validation failed");
|
||||
env:
|
||||
ERRORS: '${{ steps.validation.outputs.errors }}'
|
||||
```
|
|
@ -0,0 +1,44 @@
|
|||
# Copyright 2021 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# https://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
#
|
||||
name: 'Validate firewall rules'
|
||||
description: 'Validate firewall rule YAML files'
|
||||
inputs:
|
||||
files:
|
||||
description: 'Files to scan (supports wildcards)'
|
||||
required: false
|
||||
default: '/github/workspace/firewall/**/*.yaml'
|
||||
mode:
|
||||
description: 'Mode (validate or approve)'
|
||||
required: false
|
||||
default: 'validate'
|
||||
schema:
|
||||
description: 'Schema'
|
||||
required: false
|
||||
default: '/schemas/firewallSchema.yaml'
|
||||
outputs:
|
||||
ok:
|
||||
description: 'Validation successful'
|
||||
errors:
|
||||
description: 'Validation results'
|
||||
runs:
|
||||
using: 'docker'
|
||||
image: 'Dockerfile'
|
||||
args:
|
||||
- ${{ inputs.files }}
|
||||
- "--mode"
|
||||
- ${{ inputs.mode }}
|
||||
- "--schema"
|
||||
- ${{ inputs.schema }}
|
||||
- "--github"
|
|
@ -0,0 +1,32 @@
|
|||
# Copyright 2021 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# https://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
map(include('rule'), key=str(min=3, max=30))
|
||||
---
|
||||
rule:
|
||||
disabled: bool(required=False)
|
||||
deny: list(include('trafficSpec'), required=False)
|
||||
allow: list(include('trafficSpec'), required=False)
|
||||
direction: enum('ingress', 'INGRESS', 'egress', 'EGRESS')
|
||||
priority: int(min=1, max=65535, required=False)
|
||||
destination_ranges: list(netmask(type='destination'), max=256, required=False)
|
||||
source_ranges: list(netmask(type='source'), max=256, required=False)
|
||||
source_tags: list(networktag(), max=30, required=False)
|
||||
target_tags: list(networktag(), max=70, required=False)
|
||||
source_service_accounts: list(serviceaccount(), max=10, required=False)
|
||||
target_service_account: list(serviceaccount(), max=10, required=False)
|
||||
---
|
||||
trafficSpec:
|
||||
ports: list(networkports())
|
||||
protocol: enum('all', 'tcp', 'udp', 'icmp', 'esp', 'ah', 'ipip', 'sctp')
|
|
@ -0,0 +1,42 @@
|
|||
# Copyright 2021 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# https://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
map(include('ingress'), include('egress'), key=str(min=3, max=30))
|
||||
---
|
||||
ingress:
|
||||
disabled: bool(required=False)
|
||||
deny: list(include('trafficSpec'), required=False)
|
||||
allow: list(include('trafficSpec'), required=False)
|
||||
direction: enum('ingress', 'INGRESS')
|
||||
priority: int(min=1, max=65535, required=False)
|
||||
source_ranges: list(netmask(type='source'), max=256, required=False)
|
||||
source_tags: list(networktag(), max=30, required=False)
|
||||
target_tags: list(networktag(), max=70, required=False)
|
||||
source_service_accounts: list(serviceaccount(), max=10, required=False)
|
||||
target_service_account: list(serviceaccount(), max=10, required=False)
|
||||
---
|
||||
egress:
|
||||
disabled: bool(required=False)
|
||||
deny: list(include('trafficSpec'), required=False)
|
||||
allow: list(include('trafficSpec'), required=False)
|
||||
direction: enum('egress', 'EGRESS')
|
||||
priority: int(min=1, max=65535, required=False)
|
||||
destination_ranges: list(netmask(type='destination'), max=256, required=False)
|
||||
source_tags: list(networktag(), max=30, required=False)
|
||||
target_tags: list(networktag(), max=70, required=False)
|
||||
source_service_accounts: list(serviceaccount(), max=10, required=False)
|
||||
target_service_account: list(serviceaccount(), max=10, required=False)
|
||||
---
|
||||
trafficSpec:
|
||||
ports: list()
|
||||
protocol: enum('all', 'tcp', 'udp', 'icmp', 'esp', 'ah', 'ipip', 'sctp')
|
|
@ -0,0 +1,49 @@
|
|||
# Copyright 2021 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# https://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
allowedPorts:
|
||||
- ports: 22 # SSH
|
||||
approved: false
|
||||
- ports: 80 # HTTP
|
||||
approved: true
|
||||
- ports: 443 # HTTPS
|
||||
approved: true
|
||||
- ports: 3306 # MySQL
|
||||
approved: false
|
||||
- ports: 8000-8999
|
||||
approved: true
|
||||
|
||||
allowedSourceRanges:
|
||||
- cidr: 10.0.0.0/8 # Example on-premise range
|
||||
approved: true
|
||||
- cidr: 35.191.0.0/16 # Load balancing & health checks
|
||||
approved: true
|
||||
- cidr: 130.211.0.0/22 # Load balancing & health checks
|
||||
approved: false
|
||||
- cidr: 35.235.240.0/20 # IAP source range
|
||||
approved: true
|
||||
|
||||
allowedDestinationRanges:
|
||||
- cidr: 10.0.0.0/8
|
||||
approved: true
|
||||
- cidr: 0.0.0.0/0
|
||||
approved: false
|
||||
|
||||
allowedNetworkTags:
|
||||
- tag: '*'
|
||||
approved: true
|
||||
|
||||
allowedServiceAccounts:
|
||||
- serviceAccount: '*'
|
||||
approved: true
|
|
@ -0,0 +1,16 @@
|
|||
# Copyright 2021 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# https://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
yamale~=3.0.0
|
||||
PyYAML~=5.4.0
|
||||
click~=7.1.0
|
|
@ -0,0 +1,261 @@
|
|||
#!/usr/bin/env python3
|
||||
# Copyright 2021 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# https://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
import glob
|
||||
import ipaddress
|
||||
import json
|
||||
import sys
|
||||
|
||||
import click
|
||||
import yaml
|
||||
import yamale
|
||||
|
||||
from fnmatch import fnmatch
|
||||
from types import SimpleNamespace
|
||||
from yamale.validators import DefaultValidators, Validator
|
||||
|
||||
|
||||
class Netmask(Validator):
|
||||
""" Custom netmask validator """
|
||||
tag = 'netmask'
|
||||
settings = {}
|
||||
mode = None
|
||||
_type = None
|
||||
|
||||
def __init__(self, *args, **kwargs):
|
||||
self._type = kwargs.pop('type', 'source-or-dest')
|
||||
super().__init__(*args, **kwargs)
|
||||
|
||||
def fail(self, value):
|
||||
dir_str = 'source or destination'
|
||||
mode_str = 'allowed'
|
||||
if self._type == 'source':
|
||||
dir_str = 'source'
|
||||
elif self._type == 'destination':
|
||||
dir_str = 'destination'
|
||||
if self.mode == 'approve':
|
||||
mode_str = 'automatically approved'
|
||||
return '\'%s\' is not an %s %s network.' % (value, mode_str, dir_str)
|
||||
|
||||
def _is_valid(self, value):
|
||||
is_ok = False
|
||||
network = ipaddress.ip_network(value)
|
||||
if self._type == 'source' or self._type == 'source-or-dest':
|
||||
for ip_range in self.settings['allowedSourceRanges']:
|
||||
allowed_network = ipaddress.ip_network(ip_range['cidr'])
|
||||
if network.subnet_of(allowed_network):
|
||||
if self.mode != 'approve' or ip_range['approved']:
|
||||
is_ok = True
|
||||
break
|
||||
if self._type == 'destination' or self._type == 'source-or-dest':
|
||||
for ip_range in self.settings['allowedDestinationRanges']:
|
||||
allowed_network = ipaddress.ip_network(ip_range['cidr'])
|
||||
if network.subnet_of(allowed_network):
|
||||
if self.mode != 'approve' or ip_range['approved']:
|
||||
is_ok = True
|
||||
break
|
||||
|
||||
return is_ok
|
||||
|
||||
|
||||
class NetworkTag(Validator):
|
||||
""" Custom network tag validator """
|
||||
tag = 'networktag'
|
||||
settings = {}
|
||||
mode = None
|
||||
_type = None
|
||||
|
||||
def __init__(self, *args, **kwargs):
|
||||
super().__init__(*args, **kwargs)
|
||||
|
||||
def fail(self, value):
|
||||
mode_str = 'allowed'
|
||||
if self.mode == 'approve':
|
||||
mode_str = 'automatically approved'
|
||||
return '\'%s\' is not an %s network tag.' % (value, mode_str)
|
||||
|
||||
def _is_valid(self, value):
|
||||
is_ok = False
|
||||
for tag in self.settings['allowedNetworkTags']:
|
||||
if fnmatch(value, tag['tag']):
|
||||
if self.mode != 'approve' or tag['approved']:
|
||||
is_ok = True
|
||||
break
|
||||
return is_ok
|
||||
|
||||
|
||||
class ServiceAccount(Validator):
|
||||
""" Custom service account validator """
|
||||
tag = 'serviceaccount'
|
||||
settings = {}
|
||||
mode = None
|
||||
_type = None
|
||||
|
||||
def __init__(self, *args, **kwargs):
|
||||
super().__init__(*args, **kwargs)
|
||||
|
||||
def fail(self, value):
|
||||
mode_str = 'allowed'
|
||||
if self.mode == 'approve':
|
||||
mode_str = 'automatically approved'
|
||||
return '\'%s\' is not an %s service account.' % (value, mode_str)
|
||||
|
||||
def _is_valid(self, value):
|
||||
is_ok = False
|
||||
for sa in self.settings['allowedServiceAccounts']:
|
||||
if fnmatch(value, sa['serviceAccount']):
|
||||
if self.mode != 'approve' or sa['approved']:
|
||||
is_ok = True
|
||||
break
|
||||
return is_ok
|
||||
|
||||
|
||||
class NetworkPorts(Validator):
|
||||
""" Custom ports validator """
|
||||
tag = 'networkports'
|
||||
settings = {}
|
||||
mode = None
|
||||
_type = None
|
||||
allowed_port_map = []
|
||||
approved_port_map = []
|
||||
|
||||
def __init__(self, *args, **kwargs):
|
||||
super().__init__(*args, **kwargs)
|
||||
|
||||
for port in self.settings['allowedPorts']:
|
||||
ports = self._process_port_definition(port['ports'])
|
||||
self.allowed_port_map.extend(ports)
|
||||
if port['approved']:
|
||||
self.approved_port_map.extend(ports)
|
||||
|
||||
def _process_port_definition(self, port_definition):
|
||||
ports = []
|
||||
if not isinstance(port_definition, int) and '-' in port_definition:
|
||||
start, end = port_definition.split('-', 2)
|
||||
for port in range(int(start), int(end) + 1):
|
||||
ports.append(int(port))
|
||||
else:
|
||||
ports.append(int(port_definition))
|
||||
return ports
|
||||
|
||||
def fail(self, value):
|
||||
mode_str = 'allowed'
|
||||
if self.mode == 'approve':
|
||||
mode_str = 'automatically approved'
|
||||
return '\'%s\' is not an %s IP port.' % (value, mode_str)
|
||||
|
||||
def _is_valid(self, value):
|
||||
ports = self._process_port_definition(value)
|
||||
is_ok = True
|
||||
for port in ports:
|
||||
if self.mode == 'approve' and port not in self.approved_port_map:
|
||||
is_ok = False
|
||||
break
|
||||
elif port not in self.allowed_port_map:
|
||||
is_ok = False
|
||||
break
|
||||
|
||||
return is_ok
|
||||
|
||||
|
||||
class FirewallValidator:
|
||||
schema = None
|
||||
settings = None
|
||||
validators = None
|
||||
|
||||
def __init__(self, settings, mode):
|
||||
self.settings = settings
|
||||
|
||||
self.validators = DefaultValidators.copy()
|
||||
Netmask.settings = self.settings
|
||||
Netmask.mode = mode
|
||||
self.validators[Netmask.tag] = Netmask
|
||||
|
||||
NetworkTag.settings = self.settings
|
||||
NetworkTag.mode = mode
|
||||
self.validators[NetworkTag.tag] = NetworkTag
|
||||
|
||||
ServiceAccount.settings = self.settings
|
||||
ServiceAccount.mode = mode
|
||||
self.validators[ServiceAccount.tag] = ServiceAccount
|
||||
|
||||
NetworkPorts.settings = self.settings
|
||||
NetworkPorts.mode = mode
|
||||
self.validators[NetworkPorts.tag] = NetworkPorts
|
||||
|
||||
def set_schema_from_file(self, schema):
|
||||
self.schema = yamale.make_schema(path=schema, validators=self.validators)
|
||||
|
||||
def set_schema_from_string(self, schema):
|
||||
self.schema = yamale.make_schema(content=schema, validators=self.validators)
|
||||
|
||||
def validate_file(self, file):
|
||||
print('Validating %s...' % (file), file=sys.stderr)
|
||||
data = yamale.make_data(file)
|
||||
yamale.validate(self.schema, data)
|
||||
|
||||
|
||||
@click.command()
|
||||
@click.argument('files')
|
||||
@click.option('--schema',
|
||||
default='/schemas/firewallSchema.yaml',
|
||||
help='YAML schema file')
|
||||
@click.option('--settings',
|
||||
default='/schemas/firewallSchemaSettings.yaml',
|
||||
help='schema configuration file')
|
||||
@click.option('--mode',
|
||||
default='validate',
|
||||
help='select mode (validate or approve)')
|
||||
@click.option('--github',
|
||||
is_flag=True,
|
||||
default=False,
|
||||
help='output GitHub action compatible variables')
|
||||
def main(**kwargs):
|
||||
args = SimpleNamespace(**kwargs)
|
||||
files = [args.files]
|
||||
if '*' in args.files:
|
||||
files = glob.glob(args.files, recursive=True)
|
||||
|
||||
print('Arguments: %s' % (str(sys.argv)), file=sys.stderr)
|
||||
|
||||
f = open(args.settings)
|
||||
settings = yaml.load(f, Loader=yaml.SafeLoader)
|
||||
|
||||
firewall_validator = FirewallValidator(settings, args.mode)
|
||||
firewall_validator.set_schema_from_file(args.schema)
|
||||
output = {'ok': True, 'errors': {}}
|
||||
for file in files:
|
||||
try:
|
||||
firewall_validator.validate_file(file)
|
||||
except yamale.yamale_error.YamaleError as e:
|
||||
if file not in output['errors']:
|
||||
output['errors'][file] = []
|
||||
output['ok'] = False
|
||||
for result in e.results:
|
||||
for err in result.errors:
|
||||
output['errors'][file].append(err)
|
||||
|
||||
if args.github:
|
||||
print('::set-output name=ok::%s' % ('true' if output['ok'] else 'false'))
|
||||
print('::set-output name=errors::%s' % (json.dumps(output['errors'])))
|
||||
print(json.dumps(output), file=sys.stderr)
|
||||
else:
|
||||
print(json.dumps(output))
|
||||
if not output['ok'] and not args.github:
|
||||
sys.exit(1)
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
main()
|
Loading…
Reference in New Issue