Armour v1.0.4

.github/workflows/int.yml

@@ -37,14 +37,22 @@ jobs:
           go mod vendor
 
       - run: sudo go test -v
-      - run: go build -ldflags="-s -w" -o ./agent
+
+      - uses: goreleaser/goreleaser-action@5df302e5e9e4c66310a6b6493a8865b12c555af2
+        with:
+          distribution: goreleaser
+          version: latest
+          args: release --snapshot --clean --config releasers/int.yml
+
       - name: Configure aws credentials
         uses: aws-actions/configure-aws-credentials@ea7b857d8a33dc2fb4ef5a724500044281b49a5e
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           aws-region: us-west-2
-      - run: aws s3 cp ./agent s3://step-security-agent/refs/heads/int/agent --acl public-read
+
+
+      - run: aws s3 cp ./dist/agent_linux_amd64_v1/agent s3://step-security-agent/refs/heads/int/agent --acl public-read
       - name: Integration test
         uses: docker://ghcr.io/step-security/integration-test/int:latest
         env:

.goreleaser.yml

@@ -18,7 +18,7 @@ builds:
     flags:
       - -trimpath
     ldflags:
-      - -s -w -X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date=123
+      - -s -w -X main.ReleaseTag={{.Tag}} -X main.ReleaseBranch={{.Branch}} -X main.ReleaseCommit={{.FullCommit}}
 
 
     # Optionally override the matrix generation and specify only the final list of targets.

agent_test.go

@@ -159,6 +159,9 @@ func TestRun(t *testing.T) {
 	httpmock.RegisterResponder("GET", "https://apiurl/v1/github/owner/repo/actions/subscription",
 		httpmock.NewStringResponder(403, ""))
 
+	httpmock.RegisterResponder("GET", "https://apiurl/v1/global-feature-flags?agent_type=agent-oss&version=",
+		httpmock.NewStringResponder(200, `{"agent_type":"agent-oss","enable_armour":false}`))
+
 	tests := []struct {
 		name    string
 		args    args

apiclient.go

@@ -6,6 +6,8 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"net/url"
+	"path"
 	"time"
 )
 
@@ -107,28 +109,43 @@ func (apiclient *ApiClient) getSubscriptionStatus(repo string) bool {
 
 func (apiclient *ApiClient) getGlobalFeatureFlags() GlobalFeatureFlags {
 
-	url := fmt.Sprintf("%s/global-feature-flags?agent_type=%s", apiclient.APIURL, AgentTypeGitHubHosted)
+	u, err := url.Parse(apiclient.APIURL)
+	if err != nil {
+		return GlobalFeatureFlags{}
+	}
+
+	u.Path = path.Join(u.Path, "global-feature-flags")
+
+	// Add query parameters
+	values := url.Values{}
+	values.Add("agent_type", AgentTypeOSS)
+	values.Add("version", ReleaseTag) // v1.3.6
+	u.RawQuery = values.Encode()
 
-	req, err := http.NewRequest(http.MethodGet, url, nil)
+	req, err := http.NewRequest(http.MethodGet, u.String(), nil)
 
 	if err != nil {
+		fmt.Println("Error creating request:", err)
 		return GlobalFeatureFlags{}
 	}
 
 	resp, err := apiclient.Client.Do(req)
 
 	if err != nil {
+		fmt.Println("Error sending request:", err)
 		return GlobalFeatureFlags{}
 	}
 
 	body, err := io.ReadAll(resp.Body)
 	if err != nil {
+		fmt.Println("Error reading response body:", err)
 		return GlobalFeatureFlags{}
 	}
 
 	var globalFeatureFlags GlobalFeatureFlags
 	err = json.Unmarshal(body, &globalFeatureFlags)
 	if err != nil {
+		fmt.Println("Error unmarshalling response body:", err)
 		return GlobalFeatureFlags{}
 	}
 

buildinfo.go

@@ -0,0 +1,14 @@
+package main
+
+import "fmt"
+
+// filled through ldflags
+var (
+	ReleaseTag    = ""
+	ReleaseBranch = ""
+	ReleaseCommit = ""
+)
+
+func LogBuildInfo() {
+	WriteLog(fmt.Sprintf("[buildInfo] tag=%s commit=%s branch=%s \n", ReleaseTag, ReleaseCommit, ReleaseBranch))
+}

common.go

@@ -18,11 +18,6 @@ func getPidsOfInterest() []uint32 {
 	// our process
 	out = append(out, uint32(os.Getpid()))
 
-	// systemd-resolved
-	systemdResolvePid, _ := pidOf("systemd-resolved")
-
-	out = append(out, uint32(systemdResolvePid))
-
 	return out
 }
 
@@ -47,9 +42,6 @@ func getFilesOfInterest() []string {
 func getProcFilesOfInterest() []string {
 	out := []string{}
 
-	// our memory files
-	out = append(out, getProcMemFiles(uint64(os.Getpid()))...)
-
 	// runner worker memory files
 	runnerWorker, _ := pidOf("Runner.Worker")
 	out = append(out, getProcMemFiles(runnerWorker)...)
@@ -94,7 +86,6 @@ func getProcMemFiles(pid uint64) []string {
 	}
 
 	out = []string{
-		fmt.Sprintf("/proc/%d/maps", pid),
 		fmt.Sprintf("/proc/%d/mem", pid),
 	}
 

global_feature_flags.go

@@ -7,7 +7,7 @@ import (
 )
 
 const (
-	AgentTypeGitHubHosted = "githubhosted"
+	AgentTypeOSS = "agent-oss"
 )
 
 type GlobalFeatureFlags struct {
@@ -51,7 +51,7 @@ func (manager *GlobalFeatureFlagManager) refresh() error {
 	defer manager.mutex.Unlock()
 
 	flags := manager.apiClient.getGlobalFeatureFlags()
-
+	WriteLog(fmt.Sprintf("Global feature flags: %+v", flags))
 	manager.flags = flags
 	return nil
 }

go.mod

@@ -10,7 +10,7 @@ require (
 	github.com/jarcoal/httpmock v1.3.0
 	github.com/miekg/dns v1.1.53
 	github.com/pkg/errors v0.9.1
-	github.com/step-security/armour v1.0.1
+	github.com/step-security/armour v1.1.0
 )
 
 require (

go.sum

@@ -102,6 +102,10 @@ github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDN
 github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
 github.com/step-security/armour v1.0.1 h1:+Lae8o/cbSV0HFD4wKhx4mHnQCTEJ8ndRN0gfmu1t3I=
 github.com/step-security/armour v1.0.1/go.mod h1:I6pTEysb5fd3Cc79tvCMVp70RqhvMYbawfoq5Gz0cPI=
+github.com/step-security/armour v1.0.4 h1:bTtvS4A9TTG83sSXW/+nno9cQOgqaueAedGdunE1eaY=
+github.com/step-security/armour v1.0.4/go.mod h1:I6pTEysb5fd3Cc79tvCMVp70RqhvMYbawfoq5Gz0cPI=
+github.com/step-security/armour v1.1.0 h1:oxJfxIOouf+KME4SzmZwukGsJSGlKmRR3ysExIeFAcY=
+github.com/step-security/armour v1.1.0/go.mod h1:I6pTEysb5fd3Cc79tvCMVp70RqhvMYbawfoq5Gz0cPI=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=

main.go

@@ -13,6 +13,9 @@ import (
 const agentConfigFilePath = "agent.json"
 
 func main() {
+
+	LogBuildInfo()
+
 	ctx := context.Background()
 	ctx, cancel := context.WithCancel(ctx)
 

release-monitor.yml

@@ -6,7 +6,7 @@ release-process:
   reproducible-build:
     - artifact: agent_{{.Version}}_linux_amd64.tar.gz
       binary: agent
-      build-command: go build -trimpath -ldflags="-s -w -X main.version={{.Version}} -X main.commit={{.FullCommit}} -X main.date=123"
+      build-command: go build -trimpath -ldflags="-s -w -X main.version={{.Version}} -X main.commit={{.FullCommit}} -X main.date=123 -X main.ReleaseTag={{.Tag}}"
       go-version: 1.19.8      
   pipeline:
     github-action:

releasers/int.yml

@@ -0,0 +1,28 @@
+# .goreleaser.yml
+builds:
+  # You can have multiple builds defined as a yaml list
+  -
+    # GOOS list to build for.
+    # For more info refer to: https://golang.org/doc/install/source#environment
+    # Defaults are darwin and linux.
+    goos:
+      - linux
+
+    # GOARCH to build for.
+    # For more info refer to: https://golang.org/doc/install/source#environment
+    # Defaults are 386, amd64 and arm64.
+    goarch:
+      - amd64
+
+    mod_timestamp: '123'
+    flags:
+      - -trimpath
+    ldflags:
+      - -s -w -X main.ReleaseTag=int -X main.ReleaseBranch=int -X main.ReleaseCommit={{.FullCommit}}
+
+
+    # Optionally override the matrix generation and specify only the final list of targets.
+    # Format is `{goos}_{goarch}` with optionally a suffix with `_{goarm}` or `_{gomips}`.
+    # This overrides `goos`, `goarch`, `goarm`, `gomips` and `ignores`.
+    targets:
+      - linux_amd64

sudo.go

@@ -25,7 +25,7 @@ func (s *Sudo) disableSudo(tempDir string) error {
 	if err != nil {
 		return fmt.Errorf("error backing up sudoers file: %v", err)
 	}
-	err = os.Remove(sudoersFile)
+	err = os.Truncate(sudoersFile, 0)
 	if err != nil {
 		return fmt.Errorf("unable to delete sudoers file at %s: %v", sudoersFile, err)
 	}