From 0030b87465f6eef1a89e1c3390d74ad48a2520c6 Mon Sep 17 00:00:00 2001 From: Fred Heinecke Date: Wed, 5 Feb 2025 17:31:07 -0600 Subject: [PATCH] Add skeleton for approval service Signed-off-by: Fred Heinecke --- .github/workflows/approval-service-cd.yaml | 25 +++ .github/workflows/approval-service-ci.yaml | 14 ++ .../approval-service/.devcontainer/Dockerfile | 4 + .../.devcontainer/devcontainer.json | 23 ++ tools/approval-service/.gitignore | 1 + tools/approval-service/LICENSE | 201 ++++++++++++++++++ tools/approval-service/Makefile | 6 + tools/approval-service/README.md | 17 ++ .../approval-service/cmd/approval-service.go | 198 +++++++++++++++++ .../deploy/charts/approval-service/.gitkeep | 0 tools/approval-service/go.mod | 3 + tools/approval-service/go.sum | 0 tools/approval-service/workflows/cd.yaml | 1 + tools/approval-service/workflows/ci.yaml | 1 + 14 files changed, 494 insertions(+) create mode 100644 .github/workflows/approval-service-cd.yaml create mode 100644 .github/workflows/approval-service-ci.yaml create mode 100644 tools/approval-service/.devcontainer/Dockerfile create mode 100644 tools/approval-service/.devcontainer/devcontainer.json create mode 100644 tools/approval-service/.gitignore create mode 100644 tools/approval-service/LICENSE create mode 100644 tools/approval-service/Makefile create mode 100644 tools/approval-service/README.md create mode 100644 tools/approval-service/cmd/approval-service.go create mode 100644 tools/approval-service/deploy/charts/approval-service/.gitkeep create mode 100644 tools/approval-service/go.mod create mode 100644 tools/approval-service/go.sum create mode 120000 tools/approval-service/workflows/cd.yaml create mode 120000 tools/approval-service/workflows/ci.yaml diff --git a/.github/workflows/approval-service-cd.yaml b/.github/workflows/approval-service-cd.yaml new file mode 100644 index 00000000..53afa715 --- /dev/null +++ b/.github/workflows/approval-service-cd.yaml 
@@ -0,0 +1,25 @@
+---
+name: Approval service CD
+
+on:
+ push:
+ branches:
+ - main
+ paths:
+ - tools/approval-service
+ tags:
+ - "tools/approval-service/v[0-9]+.[0-9]+.[0-9]+**"
+ pull_request:
+ paths:
+ - tools/approval-service/workflows/cd.yaml
+ - .github/workflows/approval-service-cd.yaml
+ - .github/workflows/reusable-cd.yaml
+
+jobs:
+ release:
+ uses: ./.github/workflows/reusable-cd.yaml
+ permissions:
+ contents: write
+ packages: write
+ with:
+ tool-directory: ./tools/approval-service
diff --git a/.github/workflows/approval-service-ci.yaml b/.github/workflows/approval-service-ci.yaml
new file mode 100644
index 00000000..1af553c0
--- /dev/null
+++ b/.github/workflows/approval-service-ci.yaml
@@ -0,0 +1,14 @@
+---
+name: Approval service CI
+
+on:
+ pull_request:
+
+jobs:
+ release:
+ uses: ./.github/workflows/reusable-ci.yaml
+ permissions:
+ contents: write
+ packages: write
+ with:
+ tool-directory: ./tools/approval-service
diff --git a/tools/approval-service/.devcontainer/Dockerfile b/tools/approval-service/.devcontainer/Dockerfile
new file mode 100644
index 00000000..e6448d2e
--- /dev/null
+++ b/tools/approval-service/.devcontainer/Dockerfile
@@ -0,0 +1,4 @@
+FROM mcr.microsoft.com/vscode/devcontainers/go
+
+RUN go install gotest.tools/gotestsum@latest && \
+ chown -R "vscode:golang" /go/pkg # Fix ownership
diff --git a/tools/approval-service/.devcontainer/devcontainer.json b/tools/approval-service/.devcontainer/devcontainer.json
new file mode 100644
index 00000000..7c70d26a
--- /dev/null
+++ b/tools/approval-service/.devcontainer/devcontainer.json
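Review bot: Both workflow files grant `contents: write` and `packages: write` to a job that also runs on `pull_request`, which is more than a PR-triggered run should hold: in approval-service-cd.yaml the `pull_request` trigger (fired by edits to the workflow files themselves) gives the release job write access to the repository and its packages for same-repo branches, and in approval-service-ci.yaml the `release` job gets the same write scopes on every pull request, with no path filter at all. Unless reusable-cd.yaml and reusable-ci.yaml genuinely need those scopes on PR events (neither is in this patch, so I cannot tell), `contents: read` is the safer default for the PR path, either via a separate read-only `permissions:` block on the CI job or a condition on `github.event_name` in the CD workflow. The CI job being named `release` also reads oddly next to reusable-ci.yaml; `ci` or `test` would describe what it runs.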
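Review bot: The devcontainer image is not pinned: `FROM mcr.microsoft.com/vscode/devcontainers/go` carries no tag or digest and `go install gotest.tools/gotestsum@latest` resolves to whatever is current at build time, so two developers can end up with different toolchains and an upstream change propagates silently into every rebuild. Pin both and bump them deliberately, e.g. `FROM mcr.microsoft.com/vscode/devcontainers/go:<TAG>@sha256:<DIGEST>` and `go install gotest.tools/gotestsum@<VERSION>` (placeholders to be filled in from the versions you actually want).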
@@ -0,0 +1,23 @@
+// For format details, see https://aka.ms/devcontainer.json.
+{
+ "name": "approval-service",
+ "build": {
+ "dockerfile": "Dockerfile"
+ },
+ "features": {
+ "ghcr.io/devcontainers/features/github-cli:1": {},
+ "ghcr.io/devcontainers/features/docker-outside-of-docker:1": {}
+ },
+ "customizations": {
+ "vscode": {
+ "extensions": [
+ "github.vscode-github-actions",
+ "redhat.vscode-yaml",
+ "ms-azuretools.vscode-docker"
+ ]
+ }
+ },
+ "mounts": [
+ "type=bind,source=${localEnv:HOME}/.config/gh,target=/home/vscode/.config/gh,readonly"
+ ]
+}
\ No newline at end of file
diff --git a/tools/approval-service/.gitignore b/tools/approval-service/.gitignore
new file mode 100644
index 00000000..a007feab
--- /dev/null
+++ b/tools/approval-service/.gitignore
@@ -0,0 +1 @@
+build/*
diff --git a/tools/approval-service/LICENSE b/tools/approval-service/LICENSE
new file mode 100644
index 00000000..9a3e00bb
--- /dev/null
+++ b/tools/approval-service/LICENSE
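Review bot: The bind mount `source=${localEnv:HOME}/.config/gh` places the host's gh CLI credential store inside the container; `readonly` stops writes but not reads, so the listed VS Code extensions, anything installed with `go install`, and any dependency that runs code at build or test time can use that token to act as the developer on GitHub. If this is intentional so the github-cli feature works out of the box, say so with a comment above `"mounts"` such as `// Exposes the host's gh credentials to the container; code running in it can act on GitHub as you.`; otherwise prefer logging in inside the container with a token scoped to this repository. The docker-outside-of-docker feature likewise hands the container the host Docker socket, which deserves the same one-line acknowledgement.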
@@ -0,0 +1,201 @@ +Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright 2024 Gravitational, Inc. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. \ No newline at end of file diff --git a/tools/approval-service/Makefile b/tools/approval-service/Makefile new file mode 100644 index 00000000..95aa07d7 --- /dev/null +++ b/tools/approval-service/Makefile @@ -0,0 +1,6 @@ +TOOL_NAME = approval-service +PACKAGE_PATH = ./cmd/approval-service.go +VERSION = v0.0.1 + + +include ../repo-release-tooling/tooling.mk diff --git a/tools/approval-service/README.md b/tools/approval-service/README.md new file mode 100644 index 00000000..ec9f1f78 --- /dev/null +++ b/tools/approval-service/README.md 
@@ -0,0 +1,17 @@
+# approval-service
+
+This service approves or denies CI/CD pipeline jobs. Approvals/denials are
+handled by Teleport.
+
+The following CI/CD tools are currently supported:
+* GitHub Actions
+ * Provides workflow dispatch event information, and "rolls up" requests for
+ multiple workflows jobs into a single approval/denial.
+ * Supports automated denial for requests from outside the GitHub
+ organization.
+
+## Deployment information
+TODO
+
+## Security
+TODO
diff --git a/tools/approval-service/cmd/approval-service.go b/tools/approval-service/cmd/approval-service.go
new file mode 100644
index 00000000..7407bb30
--- /dev/null
+++ b/tools/approval-service/cmd/approval-service.go
@@ -0,0 +1,198 @@
+package main
+
+// Process:
+// 1. Take in events from CI/CD systems
+// 2. Extract common information
+// 3. Process information according to business rules/logic
+// 4. Callback to the event source, have it handle
+
+// One of the design goals of this is to support multiple "sources" of deployment events,
+// such as github or another CI/CD service.
+
+// Skeleton TODO:
+// * add ctx where needed
+// * err handling
+// * pass some form of "config" struct to setup funcs, which will be populated by CLI or config file
+// * maybe add some "hook" for registering CLI options?
+// * Move approval processor, event, and event source to different packages
+
+func main() {
+ // 0. Process CLI args, setup logger, etc.
+ // TODO
+
+ // 1. Setup approval processor
+ var processor ApprovalProcessor = &TeleportApprovalProcessor{}
+ _ = processor.Setup() // Error handling TODO
+
+ // 2. Setup event sources
+ eventSources := []EventSource{
+ NewGitHubEventSource(processor),
+ }
+
+ for _, eventSource := range eventSources {
+ _ = eventSource.Setup()
+ }
+
+ done := make(chan struct{}) // TODO replace with error?
+ for _, eventSource := range eventSources {
+ _ = eventSource.Run(done)
+ }
+
+ // Block until an event source has a fatal error
+ <-done
+ close(done)
+}
+
+// This contains information needed to process a request
+// If multiple underlying events/payloads/etc. roll under
+// the same "root" event that approval is for, they should
+// all set the same ID.
+type Event struct {
+ // Unique for an approval request, but may be common for
+ // multiple underlying events/payloads/etc.
+ ID string
+ Requester string
+ // Other fields TODO. Potential fields:
+ // * Source
+ // * Commit/tag/source control identifier
+ // * "Parameters" map. In the case of GHA, this would be
+ // any input provided to a workflow dispatch event
+ // See RFD for more details
+}
+
+type ApprovalProcessor interface {
+ // This should do things like setup API clients, as well as anything
+ // needed to approve/deny events.
+ Setup() error
+
+ // This should be a blocking function that takes in an event, and
+ // approves or denies it.
+ ProcessRequest(*Event) (approved bool, err error)
+}
+
+type TeleportApprovalProcessor struct {
+ // TODO
+}
+
+func (tap *TeleportApprovalProcessor) Setup() error {
+ // Setup Teleport API client
+ return nil
+}
+
+func (tap *TeleportApprovalProcessor) ProcessRequest(e *Event) (approved bool, err error) {
+ // 1. Create a new role:
+ // * Set TTL to value in RFD
+ // * Encode event information in role for recordkeeping
+
+ // 2. Request access to the role. Include the same info as the role,
+ // for reviewer visibility.
+
+ // 3. Wait for the request to be approved or denied.
+ // This may block for a long time (minutes, hours, days).
+ // Timeout if it takes too long.
+
+ return false, nil
+}
+
+type EventSource interface {
+ // This should do thinks like setup API clients and webhooks.
+ Setup() error
+
+ // Handle actual requests. This should not block.
+ Run(chan struct{}) error
+}
+
+type GitHubEventSource struct {
+ processor ApprovalProcessor
+ // TODO
+}
+
+func NewGitHubEventSource(processor ApprovalProcessor) *GitHubEventSource {
+ return &GitHubEventSource{processor: processor}
+}
+
+// Setup GH client, webhook secret, etc.
+// https://github.com/go-playground/webhooks may help here
+func (ghes *GitHubEventSource) Setup() error {
+ // TODO
+ return nil
+}
+
+// Take incoming events and respond to them
+func (ghes *GitHubEventSource) Run(done chan struct{}) error {
+ // If anything errors, deny the request. For safety, maybe `defer`
+ // the "response" function?
+ go func() {
+ // Notify the service that the listener is completely done.
+ // Normally this should only be hit if there is a fatal error
+ defer func() { done <- struct{}{} }()
+
+ // Incoming webhook payloads
+ // This should be closed by the webhook listener func
+ payloads := make(chan interface{})
+
+ // Listen for webhook calls
+ go ghes.listenForPayloads(payloads, done)
+
+ for payload := range payloads {
+ go ghes.processWebhookPayload(payload, done)
+ }
+ }()
+
+ return nil
+}
+
+// Listen for incoming webhook events. Register HTTP routes, start server, etc. Long running, blocking.
+func (ghes *GitHubEventSource) listenForPayloads(payloads chan interface{}, done chan struct{}) {
+ // Once a call is received, it should return a 200 response immediately.
+
+ // TODO
+}
+
+// Given an event, approve or deny it. This is a long running, blocking function.
+func (ghes *GitHubEventSource) processWebhookPayload(payload interface{}, done chan struct{}) {
+ // Do GitHub-specific checks. Don't approve based off ot this - just deny
+ // if one fails.
+ automatedDenial, err := ghes.performAutomatedChecks(payload)
+ if automatedDenial || err != nil {
+ ghes.respondToDeployRequest(false, payload)
+ }
+
+ // Convert it to a generic event that is common to all sources
+ event := ghes.convertWebhookPayloadToEvent(payload)
+
+ // Process the event
+ processorApproved, err := ghes.processor.ProcessRequest(event)
+
+ // Respond to the event
+ if !processorApproved || err != nil {
+ ghes.respondToDeployRequest(false, payload)
+ }
+
+ _ = ghes.respondToDeployRequest(true, payload)
+}
+
+// Turns GH-specific information into "common" information for the approver
+func (ghes *GitHubEventSource) convertWebhookPayloadToEvent(payload interface{}) *Event {
+ // This needs to perform logic to get the top-level workflow identifier. For example if
+ // workflow job A calls workflow B, events for both A and B should use A's ID as the
+ // event identifier
+
+ return &Event{}
+}
+
+// Performs approval checks that are GH-specific. This should only be used to deny requests,
+// never approve them.
+func (ghes *GitHubEventSource) performAutomatedChecks(payload interface{}) (pass bool, err error) {
+ // Verify request is from Gravitational org repo
+ // Verify request is from Gravitational org member
+ // See RFD for additional examples
+
+ return false, nil
+}
+
+func (ghes *GitHubEventSource) respondToDeployRequest(approved bool, payload interface{}) error {
+ // TODO call GH API
+
+ return nil
+}
diff --git a/tools/approval-service/deploy/charts/approval-service/.gitkeep b/tools/approval-service/deploy/charts/approval-service/.gitkeep
new file mode 100644
index 00000000..e69de29b
diff --git a/tools/approval-service/go.mod b/tools/approval-service/go.mod
new file mode 100644
index 00000000..88b616e4
--- /dev/null
+++ b/tools/approval-service/go.mod
@@ -0,0 +1,3 @@
+module github.com/gravitational/shared-workflows/tools/approval-service
+
+go 1.23.5
diff --git a/tools/approval-service/go.sum b/tools/approval-service/go.sum
new file mode 100644
index 00000000..e69de29b
diff --git a/tools/approval-service/workflows/cd.yaml b/tools/approval-service/workflows/cd.yaml
new file mode 120000
index 00000000..4fbf4de1
--- /dev/null
+++ b/tools/approval-service/workflows/cd.yaml
@@ -0,0 +1 @@
+../../../.github/workflows/approval-service-cd.yaml
\ No newline at end of file
diff --git a/tools/approval-service/workflows/ci.yaml b/tools/approval-service/workflows/ci.yaml
new file mode 120000
index 00000000..751f5a22
--- /dev/null
+++ b/tools/approval-service/workflows/ci.yaml
@@ -0,0 +1 @@
+../../../.github/workflows/approval-service-ci.yaml
\ No newline at end of file
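Review bot: processWebhookPayload fails open: after a failed automated check or a processor denial it calls `ghes.respondToDeployRequest(false, payload)` but does not return, so execution falls through to `_ = ghes.respondToDeployRequest(true, payload)` and every payload is ultimately approved. The check result is also read with inverted meaning — performAutomatedChecks returns `pass bool` while the caller binds it as `automatedDenial` and denies only when it is true, so the stub's `return false, nil` currently lets everything through; an error from either step must likewise end in a denial, matching the "only deny, never approve" contract stated in the comment above performAutomatedChecks. The rewrite below keeps the signature, adds the early returns, orders each condition so an error always denies, and marks the dropped respondToDeployRequest errors for logging once the logger from the Skeleton TODO exists; `done` stays unused here as in the original.
```go
// Given an event, approve or deny it. This is a long running, blocking function.
func (ghes *GitHubEventSource) processWebhookPayload(payload interface{}, done chan struct{}) {
	// Do GitHub-specific checks. These can only deny a request, never approve it,
	// so a check error is treated the same as a failed check.
	pass, err := ghes.performAutomatedChecks(payload)
	if err != nil || !pass {
		// TODO: log err once a logger exists; never fall through to approval
		_ = ghes.respondToDeployRequest(false, payload)
		return
	}

	// … unchanged: convert payload to the source-agnostic Event …

	processorApproved, err := ghes.processor.ProcessRequest(event)
	if err != nil || !processorApproved {
		// TODO: log err once a logger exists
		_ = ghes.respondToDeployRequest(false, payload)
		return
	}

	// Only reached when both the GH-specific checks and the processor approved.
	_ = ghes.respondToDeployRequest(true, payload)
}
```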