Block extensions disallowed by policy #3259

Open
wants to merge 4 commits into
base: develop
mgunnala

Description

Issue #


PR #2 for the policy engine allowlist feature:

  • invoke policy engine from exthandlers.py
  • block all extensions and report status if any errors are thrown during engine initialization
  • block any extensions that are disallowed by policy
  • add unit and e2e tests

PR information

  • The title of the PR is clear and informative.
  • There are a small number of commits, each of which has an informative message. This means that previously merged commits do not appear in the history of the PR. For information on cleaning up the commits in your pull request, see this page.
  • If applicable, the PR references the bug/issue that it fixes in the description.
  • New Unit tests were added for the changes made

Quality of Code and Contribution Guidelines
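
The fail-closed behaviour the description lists (block every extension when the policy engine cannot initialize, otherwise block only what the policy disallows), as an added example that is not code from this PR or from the agent. The policy schema, the class and function names and the extension names are hypothetical, constructed for illustration.

```python
import json

class PolicyLoadError(Exception):
    """Policy text could not be parsed or validated (hypothetical name)."""

class PolicyEngine:
    # Hypothetical schema, constructed for this example:
    #   {"allowListedExtensionsOnly": <bool>, "extensions": {<name>: {}}}
    def __init__(self, policy_text):
        try:
            policy = json.loads(policy_text)
            self.allowlist_only = policy["allowListedExtensionsOnly"]
            self.allowed = set(policy["extensions"])
        except (ValueError, KeyError, TypeError) as e:
            raise PolicyLoadError("invalid policy: {0!r}".format(e))
        # Reject "true"/"false" strings rather than trusting their truthiness.
        if not isinstance(self.allowlist_only, bool):
            raise PolicyLoadError("allowListedExtensionsOnly must be a boolean")

    def is_allowed(self, name):
        return (not self.allowlist_only) or name in self.allowed

def evaluate_extensions(policy_text, requested):
    """Return {name: (allowed, reason)}; fail closed if the policy cannot load."""
    try:
        engine = PolicyEngine(policy_text)
    except PolicyLoadError as e:
        # Engine initialization failed: block everything, and say why, so the
        # status does not claim the policy itself disallowed the extension.
        reason = "policy could not be loaded: {0}".format(e)
        return {name: (False, reason) for name in requested}
    results = {}
    for name in requested:
        if engine.is_allowed(name):
            results[name] = (True, "allowed")
        else:
            results[name] = (False, "disallowed by policy")
    return results

# Constructed sample inputs.
SAMPLE_POLICY = ('{"allowListedExtensionsOnly": true, '
                 '"extensions": {"Contoso.Monitoring.Agent": {}}}')
REQUESTED = ["Contoso.Monitoring.Agent", "Contoso.Unlisted.Script"]

if __name__ == "__main__":
    for name, verdict in evaluate_extensions(SAMPLE_POLICY, REQUESTED).items():
        print(name, verdict)
```
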

Error raised during agent extension policy enforcement.
"""
# TODO: when CRP adds terminal error code for policy-related extension failures, set that as the default code.
def __init__(self, msg, inner=None, code=-1):
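
Review bot: the default `code=-1` on `__init__` lets a call site omit the code and report -1, which the TODO above it describes only as a stand-in until CRP defines a terminal code for policy-related failures. Consider making `code` a required argument so every caller states the error code it wants reported, and keep the TODO for adding a default later.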
Author

Should this default code be 1009 (terminal enable failure) for now? Or just remove the default?

Contributor

I think you can remove the default


codecov bot commented Nov 13, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 72.77%. Comparing base (3aebcdd) to head (a37508f).
Report is 328 commits behind head on develop.

Additional details and impacted files
@@             Coverage Diff             @@
##           develop    #3259      +/-   ##
===========================================
+ Coverage    71.97%   72.77%   +0.79%     
===========================================
  Files          103      114      +11     
  Lines        15692    17081    +1389     
  Branches      2486     2277     -209     
===========================================
+ Hits         11295    12431    +1136     
- Misses        3881     4107     +226     
- Partials       516      543      +27     


Contributor

@maddieford maddieford left a comment

Did an initial review not including tests

"""
# TODO: when CRP adds terminal error code for policy-related extension failures, set that as the default code.
def __init__(self, msg, inner=None, code=-1):
msg = "Extension is disallowed by agent policy and will not be processed: {0}".format(msg)
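
Review bot: the fixed prefix applied to `msg` in `__init__` means a caller cannot produce an ExtensionPolicyError with any other summary, since every instance starts with "Extension is disallowed by agent policy and will not be processed:" whatever the reason it was raised. Consider leaving `msg` as passed and building the full text at each call site, or state in the docstring that the prefix is always added.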
Contributor

In the case where the agent failed to parse the policy, I'm not sure we should say 'Extension is disallowed by policy'. In this case, the extension is disallowed because there's some issue reading or parsing the policy.

I also am hesitant about 'agent policy' since the policy is provided by the customer.

policy_op, policy_err_code = policy_err_map.get(ext_handler.state)
if policy_error is not None:
err = ExtensionPolicyError(msg="", inner=policy_error, code=policy_err_code)
self.__handle_and_report_ext_handler_errors(handler_i, err,
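
Review bot: `policy_op, policy_err_code = policy_err_map.get(ext_handler.state)` raises TypeError when `ext_handler.state` has no entry in `policy_err_map`, because `.get()` then returns None and None cannot be unpacked into two names. Index the map directly and handle KeyError, or pass a two-element default to `.get()`. Separately, `msg=""` is passed to ExtensionPolicyError two lines later; if the constructor formats `msg` into its text, the reported message ends with an empty detail, so pass a short description of the failure instead.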
Contributor

Does this create .status files for single config extensions?

ext_handler.name,
conf.get_policy_file_path())
err = ExtensionPolicyError(msg, code=policy_err_code)
self.__handle_and_report_ext_handler_errors(handler_i, err,
Contributor

Same question here about .status file for single config extensions.
