feat: add windows releases

SimonGurney commented 1 year ago

Description

Ask GoReleaser to make a windows build on a new release

Motivation and Context

I'm a Windows user and currently have to clone the repo and build from source

How Has This Been Tested?

Yes, with releases on my fork

Screenshots (if appropriate)

See comments

Types of changes

New feature (non-breaking change which adds functionality)

Checklist

[x] I have updated the documentation accordingly.
[x] I have read the CONTRIBUTING document.
[x] I have added tests to cover my changes if appropriate.
[x] All new and existing tests passed.

welcome-to-palo-alto-networks[bot] commented 1 year ago

:tada: Thanks for opening this pull request! We really appreciate contributors like you! :raised_hands:

SimonGurney commented 1 year ago

Testing a quick change on my fork, which allows me to do releases based on tags, but the GoReleaser action is currently broken. I've raised issue #16

SimonGurney commented 1 year ago

Tested this on my fork and the windows release is generated ...and it works

SimonGurney commented 1 year ago

Fixed the Tt issue

yuvalavra commented 1 year ago

Thanks for the contribution! Releasing windows builds would be awesome :)

Before this can be merged though I believe that some places in the code would need to be updated to be agnostic to the underlying filesystem. I think rbac-police eval for example uses a hard coded unix-style path for builtins.rego.

You’ll need to search for occurrences of unix-style slashes and update the code to consider the underlying fs when accessing a path.

Haven’t tested this, so maybe I’m off and rbac-police just works on windows because of some Golang magic, let me know what you think

SimonGurney commented 1 year ago

Ah ok, that's interesting. I'm a windows user predominantly (don't judge!) and I had to go build and run it on windows...

It didn't explode on either the collect or eval, and it found a load of really useful findings both around k8s itself and aws specific issues (aws-auth configmap perms).

Would you expect it to explode in an obvious way (because it didn't) or just silently omit some signatures?

If you have a test suite I'd be happy to run it on windows?

yuvalavra commented 1 year ago

Glad to hear you found rbac-police helpful!

No test suite at the moment, but if eval works than Golang probably does the work for us. I’d still appreciate if you run a few simple sanity tests before this is merged to make sure things work as expected under windows:

Create a new directory at custom_lib\first_dir\second_dir and copy the entire default policy library (the lib directory) under second_dir. Then see that rbac-police eval custom_lib\first_dir\second_dir , rbac-police eval custom_lib\first_dir , rbac-police eval custom_lib\first_dir\second_dir\ , and rbac-police eval custom_lib\ all work.
Create new directories at test\nested_dir, then run rbac-police collect -o test\nested_dir\rbac.json , followed by rbac-police eval lib test\nested_dir\rbac.json and see that it works as expected.
Run eval in offline mode with —local-dir

Thanks!

(Btw util scripts will stay unix only)

smarticu5 commented 1 year ago

I tried this against a couple of test clusters and everything seems to work fine on Windows. While I haven't performed extensive testing, I have run your commands above and they seem to behave as expected. This was using rbac-police built using go build on Windows 11.

Output from each command is attached in a zip file and my command log is below.

PS C:\Users\iain\temp\rbac-police> mkdir custom_lib\first_dir\second_dir

    Directory: C:\Users\iain\temp\rbac-police\custom_lib\first_dir

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----        08/02/2023     19:09                second_dir

PS C:\Users\iain\temp\rbac-police> copy lib\* .\custom_lib\first_dir\second_dir\
PS C:\Users\iain\temp\rbac-police> dir .\custom_lib\first_dir\second_dir\

    Directory: C:\Users\iain\temp\rbac-police\custom_lib\first_dir\second_dir

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----        08/02/2023     19:09                utils
-a----        08/02/2023     11:56           4090 approve_csrs.rego
-a----        08/02/2023     11:56            637 assign_sa.rego
-a----        08/02/2023     11:56            867 bind_roles.rego
-a----        08/02/2023     11:56            547 cluster_admin.rego
-a----        08/02/2023     11:56            853 control_webhooks.rego
-a----        08/02/2023     11:56            862 eks_modify_aws_auth.rego
-a----        08/02/2023     11:56            795 escalate_roles.rego
-a----        08/02/2023     11:56            966 impersonate.rego
-a----        08/02/2023     11:56           1320 issue_token_secrets.rego
-a----        08/02/2023     11:56            598 list_secrets.rego
-a----        08/02/2023     11:56            601 modify_node_status.rego
-a----        08/02/2023     11:56            745 modify_pods.rego
-a----        08/02/2023     11:56            619 modify_pod_status.rego
-a----        08/02/2023     11:56            918 modify_service_status_cve_2020_8554.rego
-a----        08/02/2023     11:56            560 nodes_proxy.rego
-a----        08/02/2023     11:56           1701 obtain_token_weak_ns.rego
-a----        08/02/2023     11:56            685 pods_ephemeral_ctrs.rego
-a----        08/02/2023     11:56            762 pods_exec.rego
-a----        08/02/2023     11:56            860 providerIAM.rego
-a----        08/02/2023     11:56            901 rce_weak_ns.rego
-a----        08/02/2023     11:56            752 retrieve_token_secrets.rego
-a----        08/02/2023     11:56           4299 steal_pods.rego
-a----        08/02/2023     11:56            736 token_request.rego

PS C:\Users\iain\temp\rbac-police> .\rbac-police.exe eval .\custom_lib\first_dir\second_dir\ > second_dir_output.json
PS C:\Users\iain\temp\rbac-police> .\rbac-police.exe eval .\custom_lib\first_dir\ > first_dir_output.json
PS C:\Users\iain\temp\rbac-police> .\rbac-police.exe eval .\custom_lib\ > custom_lib_output.json
PS C:\Users\iain\temp\rbac-police> mkdir test

    Directory: C:\Users\iain\temp\rbac-police

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----        08/02/2023     19:11                test

PS C:\Users\iain\temp\rbac-police> mkdir test\nested_dir

    Directory: C:\Users\iain\temp\rbac-police\test

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----        08/02/2023     19:11                nested_dir

PS C:\Users\iain\temp\rbac-police> .\rbac-police.exe collect -o .\test\nested_dir\rbac.json
PS C:\Users\iain\temp\rbac-police> .\rbac-police.exe eval lib test\nested_dir\rbac.json > nested_dir_rbac.json

Testing was performed against a Kind cluster with these versions, and no modifications:

/mnt/c/Users/iain/Documents/moderncv master !1 ?29 ❯                                                                    ❯ kind version
kind v0.13.0 go1.18 linux/amd64
❯ kubectl version
Client Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.5", GitCommit:"c285e781331a3785a7f436042c65c5641ce8a9e9", GitTreeState:"clean", BuildDate:"2022-03-16T15:58:47Z", GoVersion:"go1.17.8", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.0", GitCommit:"4ce5a8954017644c5420bae81d72b09b735c21f0", GitTreeState:"clean", BuildDate:"2022-05-10T01:37:08Z", GoVersion:"go1.18.1", Compiler:"gc", Platform:"linux/amd64"}

rbac-police-windows-output.zip

yuvalavra commented 1 year ago

Thanks for testing this @smarticu5 :) Looks good to me

I no longer have access, @sbenhai @sharonbz can you merge?

PaloAltoNetworks / rbac-police