
feat: Add policy types support (#186)
* feat: Add policy types support

* ci: Ignore assert order
tembleking authored Mar 17, 2021
1 parent 6259d00 commit 818f7d2
Showing 5 changed files with 370 additions and 293 deletions.
280 changes: 2 additions & 278 deletions sdcclient/_secure.py
Expand Up @@ -2,12 +2,13 @@
import time

from sdcclient._common import _SdcCommon
from sdcclient.secure import FalcoRulesFilesClientOld, PolicyEventsClientV1, PolicyEventsClientOld
from sdcclient.secure import FalcoRulesFilesClientOld, PolicyEventsClientV1, PolicyEventsClientOld, PolicyClientV2


class SdSecureClient(FalcoRulesFilesClientOld,
PolicyEventsClientV1,
PolicyEventsClientOld,
PolicyClientV2,
_SdcCommon):
def __init__(self, token="", sdc_url='https://secure.sysdig.com', ssl_verify=True, custom_headers=None):
super(SdSecureClient, self).__init__(token, sdc_url, ssl_verify, custom_headers)
Expand All @@ -25,283 +26,6 @@ def policy_v2(self):
self._policy_v2 = res.status_code != 404
return self._policy_v2

def create_default_policies(self):
'''**Description**
Create new policies based on the currently available set of rules. For now, this only covers Falco rules, but we might extend
the endpoint later. The backend should use the defaultPolicies property of a previously provided FalcoRulesFiles model as
guidance on the set of policies to create. The backend should only create new policies (not delete or modify), and should only
create new policies if there is not an existing policy with the same name.
**Arguments**
- None
**Success Return Value**
JSON containing details on any new policies that were added.
**Example**
`examples/create_default_policies.py <https://github.com/draios/python-sdc-client/blob/master/examples/create_default_policies.py>`_
'''
res = self.http.post(self.url + '/api/v2/policies/default', headers=self.hdrs, verify=self.ssl_verify)
return self._request_result(res)

def delete_all_policies(self):
'''**Description**
Delete all existing policies. The falco rules file is unchanged.
**Arguments**
- None
**Success Return Value**
The string "Policies Deleted"
**Example**
`examples/delete_all_policies.py <https://github.com/draios/python-sdc-client/blob/master/examples/delete_all_policies.py>`_
'''
ok, res = self.list_policies()
if not ok:
return False, res

for policy in res:
ok, res = self.delete_policy_id(policy["id"])
if not ok:
return False, res

return True, "Policies Deleted"

def list_policies(self):
'''**Description**
List the current set of policies.
**Arguments**
- None
**Success Return Value**
A JSON object containing the number and details of each policy.
**Example**
`examples/list_policies.py <https://github.com/draios/python-sdc-client/blob/master/examples/list_policies.py>`_
'''
res = self.http.get(self.url + '/api/v2/policies', headers=self.hdrs, verify=self.ssl_verify)
return self._request_result(res)

def get_policy(self, name):
'''**Description**
Find the policy with name <name> and return its json description.
**Arguments**
- name: the name of the policy to fetch
**Success Return Value**
A JSON object containing the description of the policy. If there is no policy with
the given name, returns False.
**Example**
`examples/get_policy.py <https://github.com/draios/python-sdc-client/blob/master/examples/get_policy.py>`_
'''
ok, res = self.list_policies()
if not ok:
return [False, res]
policies = res

# Find the policy with the given name and return it.
for policy in policies:
if policy["name"] == name:
return [True, policy]

return [False, "No policy with name {}".format(name)]

def get_policy_id(self, id):
'''**Description**
Find the policy with id <id> and return its json description.
**Arguments**
- id: the id of the policy to fetch
**Success Return Value**
A JSON object containing the description of the policy. If there is no policy with
the given name, returns False.
'''
res = self.http.get(self.url + '/api/v2/policies/{}'.format(id), headers=self.hdrs, verify=self.ssl_verify)
return self._request_result(res)

def add_policy(self, name, description, rule_names=[], actions=[], scope=None, severity=0, enabled=True,
notification_channels=[]):
'''**Description**
Add a new policy.
**Arguments**
- name: A short name for the policy
- description: Description of policy
- rule_names: Array of rule names. (They must be names instead of ids, as the rules list view is by name, to account for multiple rules having the same name).
- actions: It can be a stop, pause and/or capture action
- scope: Where the policy is being applied- Container, Host etc.. (example: "container.image.repository = sysdig/agent")
- enabled: True if the policy should be considered
- severity: How severe is this policy when violated. Range from 0 to 7 included.
- notification_channels: ids of the notification channels to subscribe to the policy
**Success Return Value**
The string "OK"
'''
policy = {
"name": name,
"description": description,
"ruleNames": rule_names,
"actions": actions,
"scope": scope,
"severity": severity,
"enabled": enabled,
"notificationChannelIds": notification_channels
}
res = self.http.post(self.url + '/api/v2/policies', headers=self.hdrs, data=json.dumps(policy),
verify=self.ssl_verify)
return self._request_result(res)

def add_policy_json(self, policy_json):
'''**Description**
Add a new policy using the provided json.
**Arguments**
- policy_json: a description of the new policy
**Success Return Value**
The string "OK"
**Example**
`examples/add_policy.py <https://github.com/draios/python-sdc-client/blob/master/examples/add_policy.py>`_
'''

try:
policy_obj = json.loads(policy_json)
if "origin" in policy_obj:
del policy_obj["origin"]
except Exception as e:
return [False, "policy json is not valid json: {}".format(str(e))]

res = self.http.post(self.url + '/api/v2/policies', headers=self.hdrs, data=json.dumps(policy_obj),
verify=self.ssl_verify)
return self._request_result(res)

def update_policy(self, id, name=None, description=None, rule_names=None, actions=None, scope=None,
severity=None, enabled=None, notification_channels=None):
'''**Description**
Update policy with the provided values.
**Arguments**
- id: the id of the policy to update
- name: A short name for the policy
- description: Description of policy
- rule_names: Array of rule names. (They must be names instead of ids, as the rules list view is by name, to account for multiple rules having the same name).
- actions: It can be a stop, pause and/or capture action
- scope: Where the policy is being applied- Container, Host etc.. (example: "container.image.repository = sysdig/agent")
- enabled: True if the policy should be considered
- severity: How severe is this policy when violated. Range from 0 to 7 included.
- notification_channels: ids of the notification channels to subscribe to the policy
**Success Return Value**
The string "OK"
'''
ok, res = self.get_policy_id(id)
if not ok:
return [False, res]
policy = res

if name is not None:
policy["name"] = name
if description is not None:
policy["description"] = description
if rule_names is not None:
policy["ruleNames"] = rule_names
if actions is not None:
policy["actions"] = actions
if scope is not None:
policy["scope"] = scope
if severity is not None:
policy["severity"] = severity
if enabled is not None:
policy["enabled"] = enabled
if notification_channels is not None:
policy["notificationChannelIds"] = notification_channels

res = self.http.put(self.url + '/api/v2/policies/{}'.format(id), headers=self.hdrs, data=json.dumps(policy),
verify=self.ssl_verify)
return self._request_result(res)

def update_policy_json(self, policy_json):
'''**Description**
Update an existing policy using the provided json. The 'id' field from the policy is
used to determine which policy to update.
**Arguments**
- policy_json: a description of the new policy
**Success Return Value**
The string "OK"
**Example**
`examples/update_policy.py <https://github.com/draios/python-sdc-client/blob/master/examples/update_policy.py>`_
'''
try:
policy_obj = json.loads(policy_json)
if "origin" in policy_obj:
del policy_obj["origin"]
except Exception as e:
return [False, "policy json is not valid json: {}".format(str(e))]

if "id" not in policy_obj:
return [False, "Policy Json does not have an 'id' field"]

res = self.http.put(self.url + '/api/v2/policies/{}'.format(policy_obj["id"]), headers=self.hdrs,
data=json.dumps(policy_obj), verify=self.ssl_verify)
return self._request_result(res)

def delete_policy_name(self, name):
'''**Description**
Delete the policy with the given name.
**Arguments**
- name: the name of the policy to delete
**Success Return Value**
The JSON object representing the now-deleted policy.
**Example**
`examples/delete_policy.py <https://github.com/draios/python-sdc-client/blob/master/examples/delete_policy.py>`_
'''
ok, res = self.list_policies()
if not ok:
return [False, res]

# Find the policy with the given name and delete it
for policy in res:
if policy["name"] == name:
return self.delete_policy_id(policy["id"])

return [False, "No policy with name {}".format(name)]

def delete_policy_id(self, id):
'''**Description**
Delete the policy with the given id
**Arguments**
- id: the id of the policy to delete
**Success Return Value**
The JSON object representing the now-deleted policy.
**Example**
`examples/delete_policy.py <https://github.com/draios/python-sdc-client/blob/master/examples/delete_policy.py>`_
'''
res = self.http.delete(self.url + '/api/v2/policies/{}'.format(id), headers=self.hdrs, verify=self.ssl_verify)
return self._request_result(res)

def list_rules(self):
'''**Description**
Returns the list of rules in the system. These are grouped by name
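Review bot: The `policy_v2` capability probe (`self._policy_v2 = res.status_code != 404`) stays on `SdSecureClient` while every `/api/v2/policies` method it was meant to gate moves out of this class into the `PolicyClientV2` mixin, so nothing in this diff shows whether those methods still consult the probe or how they behave against a backend that 404s on v2. The enclosing `policy_v2` property begins above the hunk. The deleted `add_policy_json` and `update_policy_json` also did two checks worth preserving: they stripped a caller-supplied `origin` key before POST/PUT and refused an update without an `id`; if the mixin drops them, user JSON is forwarded to the API unfiltered, so please confirm `_policy_v2.py` keeps both. I would leave a pointer on the surviving property so the coupling is visible: `# NOTE: v2 policy CRUD now lives in PolicyClientV2 (sdcclient/secure/_policy_v2.py); keep this probe in sync with that mixin`.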
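--- a/sdcclient/secure/__init__.py
+++ b/sdcclient/secure/__init__.py
@@ -1,5 +1,8 @@
 from ._falco_rules_files_old import FalcoRulesFilesClientOld
 from ._policy_events_old import PolicyEventsClientOld
 from ._policy_events_v1 import PolicyEventsClientV1
+from ._policy_v2 import PolicyClientV2, policy_action_pause, policy_action_stop, policy_action_kill, \
+policy_action_capture
 
-__all__ = ["PolicyEventsClientOld", "PolicyEventsClientV1", "FalcoRulesFilesClientOld"]
+__all__ = ["PolicyEventsClientOld", "PolicyEventsClientV1", "FalcoRulesFilesClientOld",
+"PolicyClientV2", "policy_action_pause", "policy_action_stop", "policy_action_kill", "policy_action_capture"]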
