Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Azure] Checking allow rules for GetPermitList #494

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

[Azure] Checking allow rules for GetPermitList #494

wants to merge 4 commits into from

Conversation

J-467
Copy link
Contributor

@J-467 J-467 commented Nov 3, 2024
edited
Loading

  • GetPermitList checks if a rule is an allow rule before converting to Permit List
  • However, it did this by checking if the prefix of the name is "paraglider...".
  • For attached resources, the name of the rule may not conform to paraglider naming requirement
  • Changing this to use the rule's access property

@J-467 J-467 requested a review from a team as a code owner November 3, 2024 21:30
@J-467 J-467 changed the title Allow rules for GetPermitList [Azure] Allow rules for GetPermitList Nov 3, 2024
@J-467 J-467 changed the title [Azure] Allow rules for GetPermitList [Azure] Checking allow rules for GetPermitList Nov 3, 2024
@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 3, 2024
edited
Loading

Unit Test Results

323 tests  ±0   323 ✅ ±0   3s ⏱️ ±0s
 50 suites ±0     0 💤 ±0 
  1 files   ±0     0 ❌ ±0 

Results for commit 61f2a96. ± Comparison against base commit a05976c.

♻️ This comment has been updated with latest results.

@J-467 J-467 force-pushed the juliantk/nsg-rule-fix branch from 1696a70 to 2cf6856 Compare November 4, 2024 04:30
@J-467 J-467 temporarily deployed to functional-tests November 4, 2024 04:30 — with GitHub Actions Inactive
@J-467
Adding deny rule; fixing test
c6c5abe 
Signed-off-by: J-467 <[email protected]>

Signed-off-by: J-467 <[email protected]>

Signed-off-by: J-467 <[email protected]>
@J-467 J-467 force-pushed the juliantk/nsg-rule-fix branch from 2cf6856 to c6c5abe Compare November 4, 2024 04:40
@J-467 J-467 temporarily deployed to functional-tests November 4, 2024 04:40 — with GitHub Actions Inactive
@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 4, 2024

54.9

For the detailed report, please go to Checks tab, click Build and Test, and then download unit_test_coverage artifact at the bottom of build page.

  • Your PR branch coverage: 54.9 %
  • main branch coverage: 0 %
  • diff coverage: 54.9 %

The coverage result does not include the functional test results.

@J-467
Copy link
Contributor Author

J-467 commented Nov 4, 2024

@smcclure20 If you could check this out, that'll be great

@J-467 J-467 temporarily deployed to functional-tests November 12, 2024 18:07 — with GitHub Actions Inactive
@github-actions GitHub Actions
Copy link

54.9

For the detailed report, please go to Checks tab, click Build and Test, and then download unit_test_coverage artifact at the bottom of build page.

  • Your PR branch coverage: 54.9 %
  • main branch coverage: 0 %
  • diff coverage: 54.9 %

The coverage result does not include the functional test results.

smcclure20
smcclure20 reviewed Nov 19, 2024
View reviewed changes
pkg/azure/plugin.go Outdated
@@ -90,7 +89,8 @@ func (s *azurePluginServer) GetPermitList(ctx context.Context, req *paragliderpb

// get the NSG rules
for _, rule := range nsg.Properties.SecurityRules {
if !strings.HasPrefix(*rule.Name, denyAllNsgRulePrefix) && strings.HasPrefix(*rule.Name, paragliderPrefix) {
// Ignore default Azure rules with priority above maxPriority
if *rule.Properties.Access == allowRule && *rule.Properties.Priority <= maxPriority {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There shouldn't be any deny rules, right? So is the first part of this check even necessary?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's the deny-all rule for inbound and outbound rules

Copy link
Contributor Author

@J-467 J-467 Nov 19, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removing the <= maxPriority because Rules doesn't contain the default Azure rules, so no need for that

@J-467
NSG security rules does not contain defaults
61f2a96 
Signed-off-by: Julian Tweneboa Kodua <[email protected]>

Signed-off-by: Julian Tweneboa Kodua <[email protected]>
@J-467 J-467 force-pushed the juliantk/nsg-rule-fix branch from 9fc418e to 61f2a96 Compare November 19, 2024 05:35
@J-467 J-467 temporarily deployed to functional-tests November 19, 2024 05:35 — with GitHub Actions Inactive
@github-actions GitHub Actions
Copy link

54.9

For the detailed report, please go to Checks tab, click Build and Test, and then download unit_test_coverage artifact at the bottom of build page.

  • Your PR branch coverage: 54.9 %
  • main branch coverage: 0 %
  • diff coverage: 54.9 %

The coverage result does not include the functional test results.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@smcclure20 smcclure20 smcclure20 left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@J-467 @smcclure20