Add inheritHookSelector to CRD and cascading scans definition

Jop Zitman · Jop Zitman · commit c6ff8f7d7077 · 2021-10-28T12:34:38.000+02:00
Signed-off-by: Jop Zitman &lt;jop.zitman@secura.com&gt;
diff --git a/hooks/cascading-scans/hook/hook.test.js b/hooks/cascading-scans/hook/hook.test.js
@@ -3,6 +3,7 @@
 // SPDX-License-Identifier: Apache-2.0
 
 const { getCascadingScans } = require("./hook");
+const {LabelSelectorRequirementOperator} = require("./kubernetes-label-selector");
 
 let parentScan = undefined;
 let sslyzeCascadingRules = undefined;
@@ -104,6 +105,7 @@ test("Should create subsequent scans for open HTTPS ports (NMAP findings)", () =
         "spec": Object {
           "cascades": Object {},
           "env": Array [],
+          "hookSelector": Object {},
           "initContainers": Array [],
           "parameters": Array [
             "--regular",
@@ -241,6 +243,7 @@ test("Should not crash when the annotations are not set", () => {
         "spec": Object {
           "cascades": Object {},
           "env": Array [],
+          "hookSelector": Object {},
           "initContainers": Array [],
           "parameters": Array [
             "--regular",
@@ -372,6 +375,7 @@ test("Should allow wildcards in cascadingRules", () => {
         "spec": Object {
           "cascades": Object {},
           "env": Array [],
+          "hookSelector": Object {},
           "initContainers": Array [],
           "parameters": Array [
             "--regular",
@@ -1128,6 +1132,7 @@ test("Templating should also apply to initContainer commands", () => {
         "spec": Object {
           "cascades": Object {},
           "env": Array [],
+          "hookSelector": Object {},
           "initContainers": Array [
             Object {
               "command": Array [
@@ -1260,6 +1265,7 @@ test("Templating should not break special encoding (http://...) when using tripl
         "spec": Object {
           "cascades": Object {},
           "env": Array [],
+          "hookSelector": Object {},
           "initContainers": Array [
             Object {
               "command": Array [
@@ -1301,6 +1307,145 @@ test("Templating should not break special encoding (http://...) when using tripl
   `);
 });
 
+test("should merge hookSelector into cascaded scan", () => {
+  parentScan.spec.cascades.inheritHookSelector = true
+  const findings = [
+    {
+      name: "Port 443 is open",
+      category: "Open Port",
+      attributes: {
+        state: "open",
+        hostname: "foobar.com",
+        port: 443,
+        service: "https"
+      }
+    }
+  ];
+
+  parentScan.spec.hookSelector = {}
+  parentScan.spec.hookSelector.matchLabels = {
+    "securecodebox.io/internal": "true",
+  }
+  parentScan.spec.hookSelector.matchExpressions = [
+    {
+      key: "securecodebox.io/name",
+      operator: LabelSelectorRequirementOperator.In,
+      values: ["cascading-scans"]
+    }
+  ]
+
+  sslyzeCascadingRules[0].spec.scanSpec.hookSelector = {};
+  sslyzeCascadingRules[0].spec.scanSpec.hookSelector.matchExpressions = [
+    {
+      key: "securecodebox.io/name",
+      operator: LabelSelectorRequirementOperator.NotIn,
+      values: ["cascading-scans"]
+    }
+  ]
+
+  sslyzeCascadingRules[0].spec.scanSpec.hookSelector.matchLabels = {
+    "securecodebox.io/internal": "false",
+  }
+
+  const cascadedScans = getCascadingScans(
+    parentScan,
+    findings,
+    sslyzeCascadingRules
+  );
+
+  const cascadedScan = cascadedScans[0];
+
+  expect(cascadedScan.spec.hookSelector).toMatchInlineSnapshot(`
+  Object {
+    "matchExpressions": Array [
+      Object {
+        "key": "securecodebox.io/name",
+        "operator": "In",
+        "values": Array [
+          "cascading-scans",
+        ],
+      },
+      Object {
+        "key": "securecodebox.io/name",
+        "operator": "NotIn",
+        "values": Array [
+          "cascading-scans",
+        ],
+      },
+    ],
+    "matchLabels": Object {
+      "securecodebox.io/internal": "false",
+    },
+  }
+  `);
+});
+
+
+test("should not merge hookSelector into cascaded scan if inheritHookSelector is disabled", () => {
+  parentScan.spec.cascades.inheritHookSelector = false
+  const findings = [
+    {
+      name: "Port 443 is open",
+      category: "Open Port",
+      attributes: {
+        state: "open",
+        hostname: "foobar.com",
+        port: 443,
+        service: "https"
+      }
+    }
+  ];
+
+  parentScan.spec.hookSelector = {}
+  parentScan.spec.hookSelector.matchLabels = {
+    "securecodebox.io/internal": "true",
+  }
+  parentScan.spec.hookSelector.matchExpressions = [
+    {
+      key: "securecodebox.io/name",
+      operator: LabelSelectorRequirementOperator.In,
+      values: ["cascading-scans"]
+    }
+  ]
+
+  sslyzeCascadingRules[0].spec.scanSpec.hookSelector = {};
+  sslyzeCascadingRules[0].spec.scanSpec.hookSelector.matchExpressions = [
+    {
+      key: "securecodebox.io/name",
+      operator: LabelSelectorRequirementOperator.NotIn,
+      values: ["cascading-scans"]
+    }
+  ]
+
+  sslyzeCascadingRules[0].spec.scanSpec.hookSelector.matchLabels = {
+    "securecodebox.io/internal": "false",
+  }
+
+  const cascadedScans = getCascadingScans(
+    parentScan,
+    findings,
+    sslyzeCascadingRules
+  );
+
+  const cascadedScan = cascadedScans[0];
+
+  expect(cascadedScan.spec.hookSelector).toMatchInlineSnapshot(`
+  Object {
+    "matchExpressions": Array [
+      Object {
+        "key": "securecodebox.io/name",
+        "operator": "NotIn",
+        "values": Array [
+          "cascading-scans",
+        ],
+      },
+    ],
+    "matchLabels": Object {
+      "securecodebox.io/internal": "false",
+    },
+  }
+  `);
+});
 
 test("should purge cascaded scan spec from parent scan", () => {
   parentScan.spec.cascades.inheritEnv = true
diff --git a/hooks/cascading-scans/hook/hook.ts b/hooks/cascading-scans/hook/hook.ts
@@ -16,7 +16,8 @@ import {
   getCascadedRuleForScan,
   purgeCascadedRuleFromScan,
   mergeInheritedMap,
-  mergeInheritedArray
+  mergeInheritedArray,
+  mergeInheritedSelector,
 } from "./scan-helpers";
 
 interface HandleArgs {
@@ -110,7 +111,7 @@ function getCascadingScan(
 
   let { scanType, parameters } = cascadingRule.spec.scanSpec;
 
-  let { annotations, labels, env, volumes, volumeMounts, initContainers } = mergeCascadingRuleWithScan(parentScan, cascadingRule);
+  let { annotations, labels, env, volumes, volumeMounts, initContainers, hookSelector } = mergeCascadingRuleWithScan(parentScan, cascadingRule);
 
   let cascadingChain = getScanChain(parentScan);
 
@@ -142,6 +143,7 @@ function getCascadingScan(
       ]
     },
     spec: {
+      hookSelector,
       scanType,
       parameters,
       cascades: parentScan.spec.cascades,
@@ -158,8 +160,8 @@ function mergeCascadingRuleWithScan(
   cascadingRule: CascadingRule
 ) {
   const { scanAnnotations, scanLabels } = cascadingRule.spec;
-  let { env = [], volumes = [], volumeMounts = [], initContainers = [] } = cascadingRule.spec.scanSpec;
-  let { inheritAnnotations, inheritLabels, inheritEnv, inheritVolumes, inheritInitContainers } = scan.spec.cascades;
+  let { env = [], volumes = [], volumeMounts = [], initContainers = [], hookSelector = {} } = cascadingRule.spec.scanSpec;
+  let { inheritAnnotations, inheritLabels, inheritEnv, inheritVolumes, inheritInitContainers, inheritHookSelector } = scan.spec.cascades;
 
   return {
     annotations: mergeInheritedMap(scan.metadata.annotations, scanAnnotations, inheritAnnotations),
@@ -168,6 +170,7 @@ function mergeCascadingRuleWithScan(
     volumes: mergeInheritedArray(scan.spec.volumes, volumes, inheritVolumes),
     volumeMounts: mergeInheritedArray(scan.spec.volumeMounts, volumeMounts, inheritVolumes),
     initContainers: mergeInheritedArray(scan.spec.initContainers, initContainers, inheritInitContainers),
+    hookSelector: mergeInheritedSelector(scan.spec.hookSelector, hookSelector, inheritHookSelector),
   }
 }
 
diff --git a/hooks/cascading-scans/hook/kubernetes-label-selector.ts b/hooks/cascading-scans/hook/kubernetes-label-selector.ts
@@ -19,8 +19,8 @@ export interface LabelSelectorRequirement {
 }
 
 export interface LabelSelector {
-  matchExpressions: Array<LabelSelectorRequirement>;
-  matchLabels: Map<string, string>;
+  matchExpressions?: Array<LabelSelectorRequirement>;
+  matchLabels?: Map<string, string>;
 }
 
 // generateSelectorString transforms a kubernetes labelSelector object in to the string representation
diff --git a/hooks/cascading-scans/hook/scan-helpers.ts b/hooks/cascading-scans/hook/scan-helpers.ts
@@ -62,6 +62,7 @@ export interface ScanSpec {
   volumes?: Array<k8s.V1Volume>;
   volumeMounts?: Array<k8s.V1VolumeMount>;
   initContainers?: Array<k8s.V1Container>;
+  hookSelector?: LabelSelector;
 }
 
 export interface CascadingInheritance {
@@ -70,6 +71,7 @@ export interface CascadingInheritance {
   inheritEnv: boolean,
   inheritVolumes: boolean,
   inheritInitContainers: boolean,
+  inheritHookSelector: boolean,
 }
 
 export function mergeInheritedMap(parentProps, ruleProps, inherit: boolean = true) {
@@ -89,6 +91,17 @@ export function mergeInheritedArray(parentArray, ruleArray, inherit: boolean = f
   return (parentArray || []).concat(ruleArray)  // CascadingRule's env overwrites scan's env
 }
 
+export function mergeInheritedSelector(parentSelector: LabelSelector = {}, ruleSelector: LabelSelector = {}, inherit: boolean = true): LabelSelector {
+  let labelSelector: LabelSelector = {};
+  if (parentSelector.matchExpressions || ruleSelector.matchExpressions) {
+    labelSelector.matchExpressions = mergeInheritedArray(parentSelector.matchExpressions, ruleSelector.matchExpressions, inherit);
+  }
+  if (parentSelector.matchLabels || ruleSelector.matchLabels) {
+    labelSelector.matchLabels = mergeInheritedMap(parentSelector.matchLabels, ruleSelector.matchLabels, inherit);
+  }
+  return labelSelector
+}
+
 export async function startSubsequentSecureCodeBoxScan(scan: Scan) {
   console.log(`Starting Scan ${scan.metadata.name}`);
 
diff --git a/operator/apis/execution/v1/scan_types.go b/operator/apis/execution/v1/scan_types.go
@@ -39,6 +39,11 @@ type CascadeSpec struct {
 	// +kubebuilder:default=false
 	InheritInitContainers bool `json:"inheritInitContainers"`
 
+	// InheritHookSelector defines whether cascading scans should inherit hookSelector from the parent scan.
+	// +optional
+	// +kubebuilder:default=true
+	InheritHookSelector bool `json:"inheritHookSelector"`
+
 	// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
 	// map is equivalent to an element of matchExpressions, whose key field is "key", the
 	// operator is "In", and the values array contains only "value". The requirements are ANDed.
diff --git a/operator/config/crd/bases/cascading.securecodebox.io_cascadingrules.yaml b/operator/config/crd/bases/cascading.securecodebox.io_cascadingrules.yaml
@@ -114,6 +114,11 @@ spec:
                         description: InheritEnv defines whether cascading scans should
                           inherit environment variables from the parent scan
                         type: boolean
+                      inheritHookSelector:
+                        default: true
+                        description: InheritHookSelector defines whether cascading
+                          scans should inherit hookSelector from the parent scan.
+                        type: boolean
                       inheritInitContainers:
                         default: false
                         description: InheritInitContainers defines whether cascading
diff --git a/operator/config/crd/bases/execution.securecodebox.io_scans.yaml b/operator/config/crd/bases/execution.securecodebox.io_scans.yaml
@@ -76,6 +76,11 @@ spec:
                     description: InheritEnv defines whether cascading scans should
                       inherit environment variables from the parent scan
                     type: boolean
+                  inheritHookSelector:
+                    default: true
+                    description: InheritHookSelector defines whether cascading scans
+                      should inherit hookSelector from the parent scan.
+                    type: boolean
                   inheritInitContainers:
                     default: false
                     description: InheritInitContainers defines whether cascading scans
diff --git a/operator/config/crd/bases/execution.securecodebox.io_scheduledscans.yaml b/operator/config/crd/bases/execution.securecodebox.io_scheduledscans.yaml
@@ -96,6 +96,11 @@ spec:
                         description: InheritEnv defines whether cascading scans should
                           inherit environment variables from the parent scan
                         type: boolean
+                      inheritHookSelector:
+                        default: true
+                        description: InheritHookSelector defines whether cascading
+                          scans should inherit hookSelector from the parent scan.
+                        type: boolean
                       inheritInitContainers:
                         default: false
                         description: InheritInitContainers defines whether cascading
diff --git a/operator/crds/cascading.securecodebox.io_cascadingrules.yaml b/operator/crds/cascading.securecodebox.io_cascadingrules.yaml
@@ -114,6 +114,11 @@ spec:
                         description: InheritEnv defines whether cascading scans should
                           inherit environment variables from the parent scan
                         type: boolean
+                      inheritHookSelector:
+                        default: true
+                        description: InheritHookSelector defines whether cascading
+                          scans should inherit hookSelector from the parent scan.
+                        type: boolean
                       inheritInitContainers:
                         default: false
                         description: InheritInitContainers defines whether cascading
diff --git a/operator/crds/execution.securecodebox.io_scans.yaml b/operator/crds/execution.securecodebox.io_scans.yaml
@@ -76,6 +76,11 @@ spec:
                     description: InheritEnv defines whether cascading scans should
                       inherit environment variables from the parent scan
                     type: boolean
+                  inheritHookSelector:
+                    default: true
+                    description: InheritHookSelector defines whether cascading scans
+                      should inherit hookSelector from the parent scan.
+                    type: boolean
                   inheritInitContainers:
                     default: false
                     description: InheritInitContainers defines whether cascading scans
diff --git a/operator/crds/execution.securecodebox.io_scheduledscans.yaml b/operator/crds/execution.securecodebox.io_scheduledscans.yaml
@@ -96,6 +96,11 @@ spec:
                         description: InheritEnv defines whether cascading scans should
                           inherit environment variables from the parent scan
                         type: boolean
+                      inheritHookSelector:
+                        default: true
+                        description: InheritHookSelector defines whether cascading
+                          scans should inherit hookSelector from the parent scan.
+                        type: boolean
                       inheritInitContainers:
                         default: false
                         description: InheritInitContainers defines whether cascading

Original file line number	Diff line number	Diff line change
`@@ -19,8 +19,8 @@ export interface LabelSelectorRequirement {`
`19`	`19`	`}`
`20`	`20`
`21`	`21`	`export interface LabelSelector {`
`22`		`- matchExpressions: Array<LabelSelectorRequirement>;`
`23`		`- matchLabels: Map<string, string>;`
	`22`	`+ matchExpressions?: Array<LabelSelectorRequirement>;`
	`23`	`+ matchLabels?: Map<string, string>;`
`24`	`24`	`}`
`25`	`25`
`26`	`26`	`// generateSelectorString transforms a kubernetes labelSelector object in to the string representation`