ECS json bug fix that corrects casing issues for entrypoint, image and environment values (#175)

Author: yashgiri

sysdig/cfn_preprocess_template.go

@@ -0,0 +1,104 @@
+/*
+This file contains definition for the following functions.
+
+terraformPreModifications is used to modify the container definitions passed to the cfn patcher such that it modifies casing issues in any ECS json content so that it can be processed by the kilt patcher.
+
+GetValueFromTemplate is used to obtain key, value information from JSON object
+*/
+
+package sysdig
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/Jeffail/gabs/v2"
+	"github.com/rs/zerolog/log"
+)
+
+// GetValueFromTemplate can be used to obtain string value from JSON object
+func GetValueFromTemplate(what *gabs.Container) (string, *gabs.Container) {
+	var result string
+	var fallback *gabs.Container
+
+	switch v := what.Data().(type) {
+	case string:
+		result = v
+		fallback = nil
+	default:
+		fallback = what
+		result = "placeholder: " + what.String()
+	}
+	return result, fallback
+}
+
+func terraformPreModifications(ctx context.Context, patchedStack []byte) ([]byte, error) {
+	l := log.Ctx(ctx)
+	template, err := gabs.ParseJSON(patchedStack)
+	if err != nil {
+		l.Error().Err(err).Msg("failed to parse input fragment")
+		return nil, err
+	}
+
+	// This code block is used when parsing ECS JSON format
+	for _, resource := range template.S("Resources").ChildrenMap() {
+		for _, container := range resource.S("Properties", "ContainerDefinitions").Children() {
+			if container.Exists("image") {
+				passthrough, _ := GetValueFromTemplate(container.S("image"))
+				_, err = container.Set(passthrough, "Image")
+				if err != nil {
+					return nil, fmt.Errorf("Could not update Image field: %v", err)
+				}
+
+				err = container.Delete("image")
+				if err != nil {
+					return nil, fmt.Errorf("could not delete image in the Container definition: %w", err)
+				}
+			}
+
+			if container.Exists("Environment") {
+				for _, env := range container.S("Environment").Children() {
+					if env.Exists("name") {
+						name, _ := env.S("name").Data().(string)
+						err = env.Delete("name")
+						if err != nil {
+							return nil, fmt.Errorf("Could not delete \"name\" key in Environment: %v", err)
+						}
+						_, err = env.Set(name, "Name")
+						if err != nil {
+							return nil, fmt.Errorf("Could not assign \"Name\" key in Environment: %v", err)
+						}
+					}
+					if env.Exists("value") {
+						value, _ := env.S("value").Data().(string)
+						err = env.Delete("value")
+						if err != nil {
+							return nil, fmt.Errorf("Could not delete \"value\" key in Environment: %v", err)
+						}
+						_, err = env.Set(value, "Value")
+						if err != nil {
+							return nil, fmt.Errorf("Could not assign \"Value\" key in Environment: %v", err)
+						}
+					}
+				}
+			}
+
+			if container.Exists("entryPoint") {
+				for _, arg := range container.S("entryPoint").Children() {
+					passthrough, _ := GetValueFromTemplate(arg)
+					err = container.ArrayAppend(passthrough, "EntryPoint")
+					if err != nil {
+						return nil, fmt.Errorf("Could not append entrypoint values to EntryPoint: %v", err)
+					}
+				}
+
+				err = container.Delete("entryPoint")
+				if err != nil {
+					return nil, fmt.Errorf("could not delete entryPoint in the Container definition: %w", err)
+				}
+			}
+		}
+	}
+
+	return template.Bytes(), err
+}

sysdig/data_source_sysdig_fargate_ECS_test.go

@@ -0,0 +1,89 @@
+package sysdig
+
+import (
+	"context"
+	"encoding/json"
+	"io/ioutil"
+	"testing"
+
+	"github.com/falcosecurity/kilt/runtimes/cloudformation/cfnpatcher"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestECStransformation(t *testing.T) {
+	inputfile, err := ioutil.ReadFile("testfiles/ECSinput.json")
+
+	if err != nil {
+		t.Fatalf("Cannot find testfiles/ECSinput.json")
+	}
+
+	recipeConfig := KiltRecipeConfig{
+		SysdigAccessKey:  "sysdig_access_key",
+		AgentImage:       "workload_agent_image",
+		OrchestratorHost: "orchestrator_host",
+		OrchestratorPort: "orchestrator_port",
+		CollectorHost:    "collector_host",
+		CollectorPort:    "collector_port",
+	}
+
+	jsonConf, err := json.Marshal(&recipeConfig)
+	if err != nil {
+		t.Fatalf("Failed to serialize configuration: %v", err.Error())
+	}
+
+	kiltConfig := &cfnpatcher.Configuration{
+		Kilt:               agentinoKiltDefinition,
+		ImageAuthSecret:    "image_auth_secret",
+		OptIn:              false,
+		UseRepositoryHints: true,
+		RecipeConfig:       string(jsonConf),
+	}
+
+	patchedOutput, err := patchFargateTaskDefinition(context.Background(), string(inputfile), kiltConfig)
+	if err != nil {
+		t.Fatalf("Cannot execute PatchFargateTaskDefinition : %v", err.Error())
+	}
+
+	expectedOutput, err := ioutil.ReadFile("testfiles/ECSInstrumented.json")
+	if err != nil {
+		t.Fatalf("Cannot find testfiles/ECSinput.json")
+	}
+
+	type cdef struct {
+		Command          []string            `json:"Command"`
+		EntryPoint       []string            `json:"EntryPoint"`
+		Environment      []map[string]string `json:"Environment"`
+		Image            string              `json:"Image"`
+		Linuxparameters  interface{}         `json:"LinuxParameters"`
+		VolumesFrom      []interface{}       `json:"VolumesFrom"`
+		LogConfiguration interface{}         `json:"LogConfiguration"`
+		Name             string              `json:"Name"`
+		Image2           string              `json:"image"`
+		EntryPoint2      string              `json:"entryPoint"`
+	}
+
+	var patchedContainerDefinitions, expectedContainerDefinitions []cdef
+	err = json.Unmarshal([]byte(*patchedOutput), &patchedContainerDefinitions)
+	if err != nil {
+		t.Fatalf("Error Unmarshaling patched Container definitions : %v", err.Error())
+	}
+
+	err = json.Unmarshal([]byte(expectedOutput), &expectedContainerDefinitions)
+	if err != nil {
+		t.Fatalf("Error Unmarshaling expected Container definitions: %v", err.Error())
+	}
+
+	assert.Equal(t, expectedContainerDefinitions[0].Name, patchedContainerDefinitions[0].Name)
+
+	// The order received from patchedOutput changes continuously hence it is important to check if the arrays of expected and actual are equal without order being correct. This check also
+	// helps with checking if key/value is named "Name" and "Value" accordingly.
+	assert.ElementsMatch(t, expectedContainerDefinitions[0].Environment, patchedContainerDefinitions[0].Environment)
+
+	// Check if Image key is correct
+	assert.Equal(t, expectedContainerDefinitions[0].Image, patchedContainerDefinitions[0].Image)
+	assert.Equal(t, patchedContainerDefinitions[0].Image2, "")
+
+	// Check if entryPoint key is correct
+	assert.Equal(t, expectedContainerDefinitions[0].EntryPoint, patchedContainerDefinitions[0].EntryPoint)
+	assert.Equal(t, patchedContainerDefinitions[0].EntryPoint2, "")
+}

sysdig/data_source_sysdig_fargate_workload_agent.go

@@ -100,6 +100,7 @@ type cfnStack struct {
 	Resources map[string]cfnResource `json:"Resources"`
 }
 
+// PatchFargateTaskDefinition modifies the container definitions
 func patchFargateTaskDefinition(ctx context.Context, containerDefinitions string, kiltConfig *cfnpatcher.Configuration) (patched *string, err error) {
 	var cdefs []map[string]interface{}
 	err = json.Unmarshal([]byte(containerDefinitions), &cdefs)
@@ -139,6 +140,9 @@ func patchFargateTaskDefinition(ctx context.Context, containerDefinitions string
 		}
 	}()
 
+	// ECS JSON modifications
+	patchedStack, _ = terraformPreModifications(ctx, patchedStack)
+
 	patchedBytes, err := cfnpatcher.Patch(ctx, kiltConfig, patchedStack)
 	if err != nil {
 		return nil, err

sysdig/testfiles/ECSInstrumented.json

@@ -0,0 +1,81 @@
+[
+  {
+    "Command": [
+      "watch",
+      "-n60",
+      "cat",
+      "/etc/shadow",
+      "/bin/sh"
+    ],
+    "EntryPoint": [
+      "/opt/draios/bin/instrument"
+    ],
+    "Environment": [
+      {
+        "Name": "SYSDIG_ACCESS_KEY",
+        "Value": "sysdig_access_key"
+      },
+      {
+        "Name": "SYSDIG_LOGGING",
+        "Value": ""
+      },
+      {
+        "Name": "SYSDIG_ENDPOINT",
+        "Value": "value"
+      },
+      {
+        "Name": "pmet",
+        "Value": "temp"
+      },
+      {
+        "Name": "SYSDIG_ORCHESTRATOR",
+        "Value": "orchestrator_host"
+      },
+      {
+        "Name": "SYSDIG_ORCHESTRATOR_PORT",
+        "Value": "orchestrator_port"
+      },
+      {
+        "Name": "SYSDIG_COLLECTOR",
+        "Value": "collector_host"
+      },
+      {
+        "Name": "SYSDIG_COLLECTOR_PORT",
+        "Value": "collector_port"
+      }
+    ],
+    "Image": "quay.io/rehman0288/busyboxplus:latest",
+    "LinuxParameters": {
+      "Capabilities": {
+        "Add": [
+          "SYS_PTRACE"
+        ]
+      }
+    },
+    "VolumesFrom": [
+      {
+        "ReadOnly": true,
+        "SourceContainer": "SysdigInstrumentation"
+      }
+    ],
+    "logConfiguration": {
+      "logDriver": "awslogs",
+      "options": {
+        "awslogs-group": "test-log-group",
+        "awslogs-region": "us-east-1",
+        "awslogs-stream-prefix": "ecs"
+      }
+    },
+    "name": "busybox"
+  },
+  {
+    "EntryPoint": [
+      "/opt/draios/bin/logwriter"
+    ],
+    "Image": "workload_agent_image",
+    "Name": "SysdigInstrumentation",
+    "RepositoryCredentials": {
+      "CredentialsParameter": "image_auth_secret"
+    }
+  }
+]

sysdig/testfiles/ECSinput.json

@@ -0,0 +1,30 @@
+[
+    {
+      "Environment": [
+        {
+          "name": "pmet",
+          "value": "temp"
+        },
+        {
+          "Name": "SYSDIG_ENDPOINT",
+          "Value": "value"
+        }
+      ],
+      "entryPoint": [
+        "watch",
+        "-n60",
+        "cat",
+        "/etc/shadow"
+      ],
+      "image": "quay.io/rehman0288/busyboxplus:latest",
+      "logConfiguration": {
+        "logDriver": "awslogs",
+        "options": {
+          "awslogs-group": "test-log-group",
+          "awslogs-region": "us-east-1",
+          "awslogs-stream-prefix": "ecs"
+        }
+      },
+      "name": "busybox"
+    }
+]