From 8f96c0a44eaf07288010fd423ff96fc79de65ce3 Mon Sep 17 00:00:00 2001 From: Rohan Prabhu Date: Fri, 2 May 2025 12:31:49 +0530 Subject: [PATCH 01/13] feat: update armour version update global feature flags API add ReleaseTag build flag --- .goreleaser.yml | 2 +- apiclient.go | 21 +++++++++++++++++++-- buildinfo.go | 6 ++++++ common.go | 9 --------- global_feature_flags.go | 2 +- go.mod | 2 +- go.sum | 2 ++ release-monitor.yml | 2 +- 8 files changed, 31 insertions(+), 15 deletions(-) create mode 100644 buildinfo.go diff --git a/.goreleaser.yml b/.goreleaser.yml index 6d533e3..5d9aa26 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -18,7 +18,7 @@ builds: flags: - -trimpath ldflags: - - -s -w -X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date=123 + - -s -w -X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date=123 -X main.ReleaseTag={{.Tag}} # Optionally override the matrix generation and specify only the final list of targets. diff --git a/apiclient.go b/apiclient.go index 3d04c2b..6bc62e3 100644 --- a/apiclient.go +++ b/apiclient.go @@ -6,6 +6,8 @@ import ( "fmt" "io" "net/http" + "net/url" + "path" "time" ) 
@@ -107,28 +109,43 @@ func (apiclient *ApiClient) getSubscriptionStatus(repo string) bool { func (apiclient *ApiClient) getGlobalFeatureFlags() GlobalFeatureFlags { - url := fmt.Sprintf("%s/global-feature-flags?agent_type=%s", apiclient.APIURL, AgentTypeGitHubHosted) + u, err := url.Parse(apiclient.APIURL) + if err != nil { + return GlobalFeatureFlags{} + } + + u.Path = path.Join(u.Path, "global-feature-flags") + + // Add query parameters + values := url.Values{} + values.Add("agent_type", AgentTypeOSS) + values.Add("version", ReleaseTag) // v1.3.6 + u.RawQuery = values.Encode() - req, err := http.NewRequest(http.MethodGet, url, nil) + req, err := http.NewRequest(http.MethodGet, u.String(), nil) if err != nil { + fmt.Println("Error creating request:", err) return GlobalFeatureFlags{} } resp, err := apiclient.Client.Do(req) if err != nil { + fmt.Println("Error sending request:", err) return GlobalFeatureFlags{} } body, err := io.ReadAll(resp.Body) if err != nil { + fmt.Println("Error reading response body:", err) return GlobalFeatureFlags{} } var globalFeatureFlags GlobalFeatureFlags err = json.Unmarshal(body, &globalFeatureFlags) if err != nil { + fmt.Println("Error unmarshalling response body:", err) return GlobalFeatureFlags{} } diff --git a/buildinfo.go b/buildinfo.go new file mode 100644 index 0000000..c409833 --- /dev/null +++ b/buildinfo.go @@ -0,0 +1,6 @@ +package main + +// filled through ldflags +var ( + ReleaseTag = "" +) diff --git a/common.go b/common.go index 6ac81fd..9b44739 100644 --- a/common.go +++ b/common.go @@ -18,11 +18,6 @@ func getPidsOfInterest() []uint32 { // our process out = append(out, uint32(os.Getpid())) - // systemd-resolved - systemdResolvePid, _ := pidOf("systemd-resolved") - - out = append(out, uint32(systemdResolvePid)) - return out } 
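Review bot: `resp.Body` is never closed in the new `getGlobalFeatureFlags` body: after `resp, err := apiclient.Client.Do(req)` the code goes straight to `io.ReadAll(resp.Body)` with no `defer resp.Body.Close()`, so every periodic refresh leaks a connection. Add the `defer` right after the `Do` error check and test `resp.StatusCode` before unmarshalling, because a 4xx/5xx body is currently parsed (or fails to parse) and silently becomes a zero-valued `GlobalFeatureFlags` indistinguishable from a genuine all-false response. The four new `fmt.Println` calls write to stdout while the rest of the agent logs through `WriteLog` (used in the `refresh` hunk later in this series); use `WriteLog` here too, and also log the `url.Parse` failure, which is the one error branch that stays silent. The `// v1.3.6` comment on `values.Add("version", ReleaseTag)` is misleading since `ReleaseTag` is injected via ldflags and is empty in plain `go build`/`go test` builds; `// ReleaseTag is set via -ldflags -X; empty in local builds` would be accurate. The function's final return is outside the hunk.
```go
resp, err := apiclient.Client.Do(req)
if err != nil {
	WriteLog(fmt.Sprintf("global feature flags: sending request: %v", err))
	return GlobalFeatureFlags{}
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
	WriteLog(fmt.Sprintf("global feature flags: unexpected status %d", resp.StatusCode))
	return GlobalFeatureFlags{}
}
// … unchanged: read and unmarshal body …
```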
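Review bot: Removing `systemd-resolved` from `getPidsOfInterest` narrows what the agent watches, and neither the hunk nor the commit message (which mentions only the armour bump, the feature-flags API and `ReleaseTag`) says why. If the intent is to stop self-inflicted alerts, or because the newer armour dependency covers it, record that where the list is built, e.g. `// systemd-resolved is intentionally not tracked here: <reason>`, so the narrowing is not mistaken for an accidental deletion later. A detection-scope change like this also deserves its own commit so it can be reverted independently of the API work. `getPidsOfInterest` begins outside the hunk.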
@@ -47,9 +42,6 @@ func getFilesOfInterest() []string { func getProcFilesOfInterest() []string { out := []string{} - // our memory files - out = append(out, getProcMemFiles(uint64(os.Getpid()))...) - // runner worker memory files runnerWorker, _ := pidOf("Runner.Worker") out = append(out, getProcMemFiles(runnerWorker)...) @@ -94,7 +86,6 @@ func getProcMemFiles(pid uint64) []string { } out = []string{ - fmt.Sprintf("/proc/%d/maps", pid), fmt.Sprintf("/proc/%d/mem", pid), } diff --git a/global_feature_flags.go b/global_feature_flags.go index 50f4de5..63969e1 100644 --- a/global_feature_flags.go +++ b/global_feature_flags.go @@ -7,7 +7,7 @@ import ( ) const ( - AgentTypeGitHubHosted = "githubhosted" + AgentTypeOSS = "agent-oss" ) type GlobalFeatureFlags struct { diff --git a/go.mod b/go.mod index 88503bf..ea6834d 100644 --- a/go.mod +++ b/go.mod @@ -10,7 +10,7 @@ require ( github.com/jarcoal/httpmock v1.3.0 github.com/miekg/dns v1.1.53 github.com/pkg/errors v0.9.1 - github.com/step-security/armour v1.0.1 + github.com/step-security/armour v1.0.4 ) require ( diff --git a/go.sum b/go.sum index 30a380d..5746f70 100644 --- a/go.sum +++ b/go.sum @@ -102,6 +102,8 @@ github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDN github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA= github.com/step-security/armour v1.0.1 h1:+Lae8o/cbSV0HFD4wKhx4mHnQCTEJ8ndRN0gfmu1t3I= github.com/step-security/armour v1.0.1/go.mod h1:I6pTEysb5fd3Cc79tvCMVp70RqhvMYbawfoq5Gz0cPI= +github.com/step-security/armour v1.0.4 h1:bTtvS4A9TTG83sSXW/+nno9cQOgqaueAedGdunE1eaY= +github.com/step-security/armour v1.0.4/go.mod h1:I6pTEysb5fd3Cc79tvCMVp70RqhvMYbawfoq5Gz0cPI= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= 
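Review bot: Dropping `/proc/<pid>/maps` from `getProcMemFiles` (and the agent's own memory files from `getProcFilesOfInterest` in the previous hunk) reduces what the file monitor reports, with no in-code explanation and no mention in the commit message. Reading `maps` is typically the step that precedes reading `mem` of the runner worker, so if it was removed to cut noise from benign readers, say so next to the remaining entry, e.g. `// maps intentionally excluded: too noisy; access to mem is the signal we alert on`; if it was removed for another reason a comment is still needed so reviewers can tell intent from accident. If the narrowing is not intentional, both removed lines should come back. `getProcMemFiles` starts outside the hunk.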
diff --git a/release-monitor.yml b/release-monitor.yml index d15b62b..dbaaf08 100644 --- a/release-monitor.yml +++ b/release-monitor.yml @@ -6,7 +6,7 @@ release-process: reproducible-build: - artifact: agent_{{.Version}}_linux_amd64.tar.gz binary: agent - build-command: go build -trimpath -ldflags="-s -w -X main.version={{.Version}} -X main.commit={{.FullCommit}} -X main.date=123" + build-command: go build -trimpath -ldflags="-s -w -X main.version={{.Version}} -X main.commit={{.FullCommit}} -X main.date=123 -X main.ReleaseTag={{.Tag}}" go-version: 1.19.8 pipeline: github-action: From dea1b2356b0047ee0208c17d120921efd745e2b5 Mon Sep 17 00:00:00 2001 From: Rohan Prabhu Date: Fri, 2 May 2025 12:47:07 +0530 Subject: [PATCH 02/13] fix: handle sudoers --- sudo.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sudo.go b/sudo.go index 5a4c226..80ca83b 100644 --- a/sudo.go +++ b/sudo.go @@ -25,7 +25,7 @@ func (s *Sudo) disableSudo(tempDir string) error { if err != nil { return fmt.Errorf("error backing up sudoers file: %v", err) } - err = os.Remove(sudoersFile) + err = os.Truncate(sudoersFile, 0) if err != nil { return fmt.Errorf("unable to delete sudoers file at %s: %v", sudoersFile, err) } From e2b800f7537754368e1c396ef369b0205871f6fe Mon Sep 17 00:00:00 2001 From: Rohan Prabhu Date: Fri, 2 May 2025 13:23:13 +0530 Subject: [PATCH 03/13] fix: add test responder --- agent_test.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/agent_test.go b/agent_test.go index f23895d..0daf7ff 100644 --- a/agent_test.go +++ b/agent_test.go @@ -159,6 +159,9 @@ func TestRun(t *testing.T) { httpmock.RegisterResponder("GET", "https://apiurl/v1/github/owner/repo/actions/subscription", httpmock.NewStringResponder(403, "")) + httpmock.RegisterResponder("GET", "https://apiurl/v1/global-feature-flags?agent_type=agent-oss&version=", + httpmock.NewStringResponder(200, `{"agent_type":"agent-oss","enable_armour":false}`)) + tests := []struct { name string args args 
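Review bot: The error message on the line after the changed call still says `unable to delete sudoers file at %s`, but the code now truncates rather than deletes; change it to `unable to truncate sudoers file at %s: %v` so an operator reading the log is not told a removal failed. Truncating keeps the inode and its mode, which is presumably why this replaced `os.Remove` (a recreated file would need its restrictive mode re-applied) — if so, a one-line comment such as `// truncate rather than remove so mode and inode survive for the restore path` saves the next reader from guessing. Worth stating in that comment too that an empty `/etc/sudoers` also drops any `@includedir /etc/sudoers.d` line, which is what makes truncation effective against drop-in rules; otherwise readers may assume `sudoers.d` needs separate handling. `disableSudo` continues outside the hunk, including the backup and restore logic this relies on.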
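Review bot: The new responder in `TestRun` matches the exact string `…/global-feature-flags?agent_type=agent-oss&version=`, which silently depends on `ReleaseTag` being empty under `go test` and on `url.Values.Encode()` sorting keys alphabetically. That holds today, but a test run built with `-X main.ReleaseTag=…` (the int workflow sets it for the binary it builds) would make the mock miss and the test fail on an unrelated httpmock no-responder error. If the pinned httpmock supports it, `httpmock.RegisterResponderWithQuery("GET", "https://apiurl/v1/global-feature-flags", map[string]string{"agent_type": "agent-oss", "version": ReleaseTag}, …)` states the assumption explicitly; otherwise a comment `// ReleaseTag is unset under go test, hence version=` on the responder line is the minimum.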
From 7e6662523098c0fb2d4ab852949c9d4bfa7e9ad9 Mon Sep 17 00:00:00 2001 From: Rohan Prabhu Date: Fri, 2 May 2025 19:30:07 +0530 Subject: [PATCH 04/13] chore: print global flags --- global_feature_flags.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/global_feature_flags.go b/global_feature_flags.go index 63969e1..21e0b69 100644 --- a/global_feature_flags.go +++ b/global_feature_flags.go @@ -51,7 +51,7 @@ func (manager *GlobalFeatureFlagManager) refresh() error { defer manager.mutex.Unlock() flags := manager.apiClient.getGlobalFeatureFlags() - + WriteLog(fmt.Sprintf("Global feature flags: %+v", flags)) manager.flags = flags return nil } From 16de40de28d186ae843c17a65f6c83530da0a0f9 Mon Sep 17 00:00:00 2001 From: Rohan Prabhu Date: Fri, 2 May 2025 19:39:02 +0530 Subject: [PATCH 05/13] chore: print buildinfo --- buildinfo.go | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/buildinfo.go b/buildinfo.go index c409833..2529809 100644 --- a/buildinfo.go +++ b/buildinfo.go @@ -1,6 +1,13 @@ package main +import "fmt" + // filled through ldflags var ( ReleaseTag = "" + commit = "" ) + +func LogBuildInfo() { + WriteLog(fmt.Sprintf("[buildInfo] tag=%s commit=%s \n", ReleaseTag, commit)) +} From e8bf9711a9e325198fa65ae8a5bfa42821109942 Mon Sep 17 00:00:00 2001 From: Rohan Prabhu Date: Fri, 2 May 2025 19:47:05 +0530 Subject: [PATCH 06/13] chore: print buildinfo --- main.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/main.go b/main.go index 999c56a..920fddc 100644 --- a/main.go +++ b/main.go @@ -13,6 +13,9 @@ import ( const agentConfigFilePath = "agent.json" func main() { + + LogBuildInfo() + ctx := context.Background() ctx, cancel := context.WithCancel(ctx) From 47da2f7bcd63ae1913ef542511bf01c67a8261bf Mon Sep 17 00:00:00 2001 From: Rohan Prabhu Date: Fri, 2 May 2025 19:52:21 +0530 Subject: [PATCH 07/13] chore: add buildflags to integration-test --- .github/workflows/int.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
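Review bot: `refresh` still assigns `manager.flags = flags` unconditionally and returns `nil`, while `getGlobalFeatureFlags` returns a zero-valued `GlobalFeatureFlags{}` on every failure (URL parse, request, read, unmarshal), so a transient API error overwrites the last good flags with all-false values and the caller is told the refresh succeeded. If a false `enable_armour` (the field the test fixture in this series shows) means protection is switched off, a network hiccup — or anything on the path able to make the request fail — silently degrades the agent. Have `getGlobalFeatureFlags` return `(GlobalFeatureFlags, error)`, keep the previous `manager.flags` and propagate the error when it is non-nil, and log the new values only on success. The `%+v` dump added here is fine as long as the struct never carries anything sensitive. The rest of `refresh` and the manager type are outside the hunk.
```go
flags, err := manager.apiClient.getGlobalFeatureFlags()
if err != nil {
	// keep the last known-good flags rather than clobbering them with zero values
	return fmt.Errorf("refreshing global feature flags: %w", err)
}
WriteLog(fmt.Sprintf("Global feature flags: %+v", flags))
manager.flags = flags
return nil
```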
diff --git a/.github/workflows/int.yml b/.github/workflows/int.yml index 3a05f81..7a584fc 100644 --- a/.github/workflows/int.yml +++ b/.github/workflows/int.yml @@ -37,7 +37,7 @@ jobs: go mod vendor - run: sudo go test -v - - run: go build -ldflags="-s -w" -o ./agent + - run: go build -ldflags="-s -w -X main.commit=latest -X main.ReleaseTag=rc" -o ./agent - name: Configure aws credentials uses: aws-actions/configure-aws-credentials@ea7b857d8a33dc2fb4ef5a724500044281b49a5e with: From ae7e6eceabfa744aba521077b42e8cca1baace02 Mon Sep 17 00:00:00 2001 From: Rohan Prabhu Date: Fri, 2 May 2025 20:07:22 +0530 Subject: [PATCH 08/13] feat: update releasers --- .github/workflows/int.yml | 12 +++++++++++- .goreleaser.yml | 2 +- buildinfo.go | 7 ++++--- releasers/int.yml | 28 ++++++++++++++++++++++++++++ 4 files changed, 44 insertions(+), 5 deletions(-) create mode 100644 releasers/int.yml diff --git a/.github/workflows/int.yml b/.github/workflows/int.yml index 7a584fc..eed8aee 100644 --- a/.github/workflows/int.yml +++ b/.github/workflows/int.yml @@ -37,13 +37,23 @@ jobs: go mod vendor - run: sudo go test -v - - run: go build -ldflags="-s -w -X main.commit=latest -X main.ReleaseTag=rc" -o ./agent + + - uses: goreleaser/goreleaser-action@5df302e5e9e4c66310a6b6493a8865b12c555af2 + with: + distribution: goreleaser + version: latest + args: release --snapshot --clean --config releasers/int.yml + - name: Configure aws credentials uses: aws-actions/configure-aws-credentials@ea7b857d8a33dc2fb4ef5a724500044281b49a5e with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} aws-region: us-west-2 + + - run: | + ls -lahR + - run: aws s3 cp ./agent s3://step-security-agent/refs/heads/int/agent --acl public-read - name: Integration test uses: docker://ghcr.io/step-security/integration-test/int:latest diff --git a/.goreleaser.yml b/.goreleaser.yml index 5d9aa26..9c6ead2 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml 
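Review bot: `version: latest` in the new `goreleaser/goreleaser-action` step pulls whichever GoReleaser release is current at run time, so the integration binary is built by an unpinned tool even though the action itself is SHA-pinned. Pin it to a specific release, e.g. `version: v2.x.y` matching what the release workflow uses, so the int build is reproducible and a breaking or compromised GoReleaser release cannot change what gets uploaded to S3 with `--acl public-read`. The `releasers/int.yml` path passed via `--config` is fine; the pin is the missing piece.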
@@ -18,7 +18,7 @@ builds: flags: - -trimpath ldflags: - - -s -w -X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date=123 -X main.ReleaseTag={{.Tag}} + - -s -w -X main.version={{.Version}} -X main.ReleaseCommit={{.FullCommit}} -X main.date=123 -X main.ReleaseTag={{.Tag}} -X ain.ReleaseBranch={{.Branch}} # Optionally override the matrix generation and specify only the final list of targets. diff --git a/buildinfo.go b/buildinfo.go index 2529809..b36b5b8 100644 --- a/buildinfo.go +++ b/buildinfo.go @@ -4,10 +4,11 @@ import "fmt" // filled through ldflags var ( - ReleaseTag = "" - commit = "" + ReleaseTag = "" + ReleaseBranch = "" + ReleaseCommit = "" ) func LogBuildInfo() { - WriteLog(fmt.Sprintf("[buildInfo] tag=%s commit=%s \n", ReleaseTag, commit)) + WriteLog(fmt.Sprintf("[buildInfo] tag=%s commit=%s branch=%s \n", ReleaseTag, ReleaseCommit, ReleaseBranch)) } diff --git a/releasers/int.yml b/releasers/int.yml new file mode 100644 index 0000000..7fe503b --- /dev/null +++ b/releasers/int.yml @@ -0,0 +1,28 @@ +# .goreleaser.yml +builds: + # You can have multiple builds defined as a yaml list + - + # GOOS list to build for. + # For more info refer to: https://golang.org/doc/install/source#environment + # Defaults are darwin and linux. + goos: + - linux + + # GOARCH to build for. + # For more info refer to: https://golang.org/doc/install/source#environment + # Defaults are 386, amd64 and arm64. + goarch: + - amd64 + + mod_timestamp: '123' + flags: + - -trimpath + ldflags: + - -s -w -X main.version={{.Version}} -X main.commit={{.FullCommit}} -X main.date=123 -X main.ReleaseTag=int -X main.ReleaseBranch=int -X main.ReleaseCommit={{.FullCommit}} + + + # Optionally override the matrix generation and specify only the final list of targets. + # Format is `{goos}_{goarch}` with optionally a suffix with `_{goarm}` or `_{gomips}`. + # This overrides `goos`, `goarch`, `goarm`, `gomips` and `ignores`. + targets: + - linux_amd64 \ No newline at end of file 
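Review bot: `LogBuildInfo` formats its line with a trailing `" \n"`, leaving a stray space plus a newline that `WriteLog` most likely emits itself (the other `WriteLog` call sites in this series pass none); drop it: `WriteLog(fmt.Sprintf("[buildInfo] tag=%s commit=%s branch=%s", ReleaseTag, ReleaseCommit, ReleaseBranch))`. The var block also deserves a warning comment: the Go linker silently ignores `-X` for a symbol that does not exist, so a misspelt flag (the `ain.ReleaseBranch` typo in the `.goreleaser.yml` hunk above, corrected later in the series) builds cleanly and just leaves the variable empty. Something like `// Set via -ldflags "-X main.ReleaseTag=..."; stays "" if the flag is missing or misspelt — release builds should assert these are non-empty` makes that failure mode visible to the next person editing the ldflags.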
From 37dd86ca8e8c90414de214e4583c7a2ba6fcf7fc Mon Sep 17 00:00:00 2001 From: Rohan Prabhu Date: Fri, 2 May 2025 20:13:19 +0530 Subject: [PATCH 09/13] feat: fix path --- .github/workflows/int.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/int.yml b/.github/workflows/int.yml index eed8aee..7da6a5c 100644 --- a/.github/workflows/int.yml +++ b/.github/workflows/int.yml @@ -54,7 +54,7 @@ jobs: - run: | ls -lahR - - run: aws s3 cp ./agent s3://step-security-agent/refs/heads/int/agent --acl public-read + - run: aws s3 cp ./dist/agent_linux_amd64_v1/agent s3://step-security-agent/refs/heads/int/agent --acl public-read - name: Integration test uses: docker://ghcr.io/step-security/integration-test/int:latest env: From 7a0f6a4f4d6192f2ad77c781ecbcbc2cfaa7cc46 Mon Sep 17 00:00:00 2001 From: Rohan Prabhu Date: Fri, 2 May 2025 20:13:33 +0530 Subject: [PATCH 10/13] feat: fix path --- .github/workflows/int.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/int.yml b/.github/workflows/int.yml index 7da6a5c..e7f7cc8 100644 --- a/.github/workflows/int.yml +++ b/.github/workflows/int.yml @@ -51,8 +51,6 @@ jobs: aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} aws-region: us-west-2 - - run: | - ls -lahR - run: aws s3 cp ./dist/agent_linux_amd64_v1/agent s3://step-security-agent/refs/heads/int/agent --acl public-read - name: Integration test From 4c3f6f301677eea91636c57511addebb9825c31e Mon Sep 17 00:00:00 2001 From: Rohan Prabhu Date: Fri, 2 May 2025 21:29:39 +0530 Subject: [PATCH 11/13] feat: fix --- releasers/int.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/releasers/int.yml b/releasers/int.yml index 7fe503b..125acde 100644 --- a/releasers/int.yml +++ b/releasers/int.yml 
@@ -18,7 +18,7 @@ builds: flags: - -trimpath ldflags: - - -s -w -X main.version={{.Version}} -X main.commit={{.FullCommit}} -X main.date=123 -X main.ReleaseTag=int -X main.ReleaseBranch=int -X main.ReleaseCommit={{.FullCommit}} + - -s -w -X main.ReleaseTag=int -X main.ReleaseBranch=int -X main.ReleaseCommit={{.FullCommit}} # Optionally override the matrix generation and specify only the final list of targets. From 3ad13c1591497a9522cb0ee3eec4bfb5ab6430ff Mon Sep 17 00:00:00 2001 From: Rohan Prabhu Date: Mon, 5 May 2025 12:44:22 +0530 Subject: [PATCH 12/13] feat: fix gorelaser --- .goreleaser.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.goreleaser.yml b/.goreleaser.yml index 9c6ead2..c6e41fc 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -18,7 +18,7 @@ builds: flags: - -trimpath ldflags: - - -s -w -X main.version={{.Version}} -X main.ReleaseCommit={{.FullCommit}} -X main.date=123 -X main.ReleaseTag={{.Tag}} -X ain.ReleaseBranch={{.Branch}} + - -s -w -X main.ReleaseTag={{.Tag}} -X main.ReleaseBranch={{.Branch}} -X main.ReleaseCommit={{.FullCommit}} # Optionally override the matrix generation and specify only the final list of targets. From 219806bd003214afcf75f5695c8f7621d41ad0f5 Mon Sep 17 00:00:00 2001 From: Rohan Prabhu Date: Thu, 8 May 2025 14:57:47 +0530 Subject: [PATCH 13/13] bump armour version --- go.mod | 2 +- go.sum | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/go.mod b/go.mod index ea6834d..e45f326 100644 --- a/go.mod +++ b/go.mod @@ -10,7 +10,7 @@ require ( github.com/jarcoal/httpmock v1.3.0 github.com/miekg/dns v1.1.53 github.com/pkg/errors v0.9.1 - github.com/step-security/armour v1.0.4 + github.com/step-security/armour v1.1.0 ) require ( diff --git a/go.sum b/go.sum index 5746f70..ae1771d 100644 --- a/go.sum +++ b/go.sum 
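Review bot: After this hunk `.goreleaser.yml` embeds `ReleaseTag`, `ReleaseBranch` and `ReleaseCommit` and no longer sets `main.version`/`main.commit`/`main.date`, but `release-monitor.yml`'s reproducible-build `build-command` (changed in patch 01 of this series) still uses `-X main.version={{.Version}} -X main.commit={{.FullCommit}} -X main.date=123 -X main.ReleaseTag={{.Tag}}`; the two ldflags sets now differ, so a rebuild by the monitor will not be byte-identical to the released binary and any reproducibility check comparing them should fail. Update the monitor to the same `-s -w -X main.ReleaseTag={{.Tag}} -X main.ReleaseBranch={{.Branch}} -X main.ReleaseCommit={{.FullCommit}}` and keep the two in lockstep, ideally by deriving one from the other. Separately, embedding `{{.Branch}}` ties the binary to the checkout's branch name, which a verifier building from a detached tag checkout may not reproduce; consider dropping `ReleaseBranch` from release builds or documenting that verifiers must check out the branch. If `version` and `date` variables still exist in package main they are now left empty — remove them or restore the flags, and note that the linker will not complain either way.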
@@ -104,6 +104,8 @@ github.com/step-security/armour v1.0.1 h1:+Lae8o/cbSV0HFD4wKhx4mHnQCTEJ8ndRN0gfm github.com/step-security/armour v1.0.1/go.mod h1:I6pTEysb5fd3Cc79tvCMVp70RqhvMYbawfoq5Gz0cPI= github.com/step-security/armour v1.0.4 h1:bTtvS4A9TTG83sSXW/+nno9cQOgqaueAedGdunE1eaY= github.com/step-security/armour v1.0.4/go.mod h1:I6pTEysb5fd3Cc79tvCMVp70RqhvMYbawfoq5Gz0cPI= +github.com/step-security/armour v1.1.0 h1:oxJfxIOouf+KME4SzmZwukGsJSGlKmRR3ysExIeFAcY= +github.com/step-security/armour v1.1.0/go.mod h1:I6pTEysb5fd3Cc79tvCMVp70RqhvMYbawfoq5Gz0cPI= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=