kbs: switch to Regorus for resource policy

[fitzthum]

1. Switch from Go-based policy engine to rust-based Regorus
2. Switch from Anyhow to thiserror for resource policy
3. Add several unit tests and test policies

This does not touch the AS policy. I will do that later although the plan may change based on whether/how we use EAR tokens.

[fitzthum]

Unfortunately when I rebase (and pick up az-snp-vtpm 0.5.2) I run into this dependency conflict. Not sure we can fix this ourselves? @mkulke @anakrish

error: failed to select a version for `once_cell`.
    ... required by package `jsonschema v0.17.1`
    ... which satisfies dependency `jsonschema = "^0.17.1"` of package `regorus v0.1.2`
    ... which satisfies dependency `regorus = "^0.1.2"` of package `api-server v0.1.0 (/home/tobin/kbs/kbs/src/api)`
    ... which satisfies path dependency `api-server` of package `kbs v0.1.0 (/home/tobin/kbs/kbs/src/kbs)`
versions that meet the requirements `^1.17` are: 1.19.0, 1.18.0, 1.17.2, 1.17.1, 1.17.0

all possible versions conflict with previously selected packages.

  previously selected package `once_cell v1.0.1`
    ... which satisfies dependency `once_cell = ">=1, <=1.14.0"` of package `mbox v0.6.1`
    ... which satisfies dependency `mbox = "^0.6.0"` of package `tss-esapi v7.4.0`
    ... which satisfies dependency `tss-esapi = "^7.4"` of package `az-cvm-vtpm v0.5.2`
    ... which satisfies dependency `az-cvm-vtpm = "^0.5.2"` of package `az-snp-vtpm v0.5.2`
    ... which satisfies dependency `az-snp-vtpm = "^0.5.2"` of package `attester v0.1.0 (https://github.com/confidential-containers/guest-components.git?rev=21b2c536b4d6c5c1442b53916c908b54dde136e8#21b2c536)`
    ... which satisfies git dependency `attester` of package `kbs_protocol v0.1.0 (https://github.com/confidential-containers/guest-components.git?rev=21b2c536b4d6c5c1442b53916c908b54dde136e8#21b2c536)`
    ... which satisfies git dependency `kbs_protocol` of package `kbs-client v0.1.0 (/home/tobin/kbs/kbs/tools/client)`

failed to select a version for `once_cell` which could resolve this conflict
make: *** [Makefile:21: background-check-kbs] Error 101

[anakrish]

Any reason for the preference for github repo over crates.io?

[fitzthum]

Whoops. That's leftover from development when I was thinking about using the new eval_rule thing.

[anakrish]

eva;_rule would be the way to go in future. It avoids having to parse a query, and also returns the value of a rule directly.

[anakrish]

We could configure regorus to support only those builtins that will be used by the policies. The way it is used currently, we might not even need the arc feature since neither the Engine instance nor the Value instances are shared between threads.

Suggested change

	regorus = { git = "https://github.com/microsoft/regorus" }
	regorus = { git = "https://github.com/microsoft/regorus", default-features=false, features=["arc"] }

[fitzthum]

This seems to work. Thanks for the advice.

[anakrish]

Unfortunately when I rebase (and pick up az-snp-vtpm 0.5.2) I run into this dependency conflict. Not sure we can fix this ourselves? @mkulke @anakrish

error: failed to select a version for `once_cell`.
    ... required by package `jsonschema v0.17.1`
    ... which satisfies dependency `jsonschema = "^0.17.1"` of package `regorus v0.1.2`
    ... which satisfies dependency `regorus = "^0.1.2"` of package `api-server v0.1.0 (/home/tobin/kbs/kbs/src/api)`
    ... which satisfies path dependency `api-server` of package `kbs v0.1.0 (/home/tobin/kbs/kbs/src/kbs)`
versions that meet the requirements `^1.17` are: 1.19.0, 1.18.0, 1.17.2, 1.17.1, 1.17.0

all possible versions conflict with previously selected packages.

  previously selected package `once_cell v1.0.1`
    ... which satisfies dependency `once_cell = ">=1, <=1.14.0"` of package `mbox v0.6.1`
    ... which satisfies dependency `mbox = "^0.6.0"` of package `tss-esapi v7.4.0`
    ... which satisfies dependency `tss-esapi = "^7.4"` of package `az-cvm-vtpm v0.5.2`
    ... which satisfies dependency `az-cvm-vtpm = "^0.5.2"` of package `az-snp-vtpm v0.5.2`
    ... which satisfies dependency `az-snp-vtpm = "^0.5.2"` of package `attester v0.1.0 (https://github.com/confidential-containers/guest-components.git?rev=21b2c536b4d6c5c1442b53916c908b54dde136e8#21b2c536)`
    ... which satisfies git dependency `attester` of package `kbs_protocol v0.1.0 (https://github.com/confidential-containers/guest-components.git?rev=21b2c536b4d6c5c1442b53916c908b54dde136e8#21b2c536)`
    ... which satisfies git dependency `kbs_protocol` of package `kbs-client v0.1.0 (/home/tobin/kbs/kbs/tools/client)`

failed to select a version for `once_cell` which could resolve this conflict
make: *** [Makefile:21: background-check-kbs] Error 101

You could just not use the jsonschema feature in Regorus that bring in the dependency.
https://github.com/microsoft/regorus/blob/3d98c3b12ecbdfdfabdcfd6947c2019413883a9f/Cargo.toml#L38

The following table lists various Rego builtins and which feature each one depends on.
https://github.com/microsoft/regorus/blob/main/docs/builtins.md

For OPA compatibility, all features are enabled by default. But most applications won't need or use all the OPA builtins.

[Xynnn007]

Nice PR and good unit tests.

[Xynnn007]

If we split docs and code, it would be better. But it looks good now.

[fitzthum]

Yeah I think we should refactor a few things in this repo including the docs.

[Xynnn007]

btw I like this definition of error types.

[Xynnn007]

maybe we should delete the empty lines

[fitzthum]

The GO OPA engine is very picky about the format of the policy and would often fail if there were any extra lines. This test is supposed to make sure Regorus is more resilient. I added a comment to the policy file because it does look odd.

[fitzthum]

Hmm. Looks like there is some issue with building Regorus inside of our docker container

60.32 error: failed to run custom build command for `regorus v0.1.2`
60.32 
60.32 Caused by:
60.32   process didn't exit successfully: `/usr/src/kbs/target/release/build/regorus-d111907e1736880c/build-script-build` (exit status: 101)
60.32   --- stderr
60.32   thread 'main' panicked at /usr/local/cargo/registry/src/index.crates.io-6f17d22bba15001f/regorus-0.1.2/build.rs:20:10:
60.32   called `Result::unwrap()` on an `Err` value: Os { code: 2, kind: NotFound, message: "No such file or directory" }
60.32   note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
60.32 warning: build failed, waiting for other jobs to finish...
81.04 error: failed to compile `kbs v0.1.0 (/usr/src/kbs/kbs/src/kbs)`, intermediate artifacts can be found at `/usr/src/kbs/target`.
81.04 To reuse those artifacts with a future compilation, set the environment variable `CARGO_TARGET_DIR` to that path.

I don't see a similar issue building locally. I have also tried pinning to v0.1.0 and v0.1.1 and the upstream head. Any ideas @anakrish

[anakrish]

Hmm. Looks like there is some issue with building Regorus inside of our docker container

60.32 error: failed to run custom build command for `regorus v0.1.2`
60.32 
60.32 Caused by:
60.32   process didn't exit successfully: `/usr/src/kbs/target/release/build/regorus-d111907e1736880c/build-script-build` (exit status: 101)
60.32   --- stderr
60.32   thread 'main' panicked at /usr/local/cargo/registry/src/index.crates.io-6f17d22bba15001f/regorus-0.1.2/build.rs:20:10:
60.32   called `Result::unwrap()` on an `Err` value: Os { code: 2, kind: NotFound, message: "No such file or directory" }
60.32   note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
60.32 warning: build failed, waiting for other jobs to finish...
81.04 error: failed to compile `kbs v0.1.0 (/usr/src/kbs/kbs/src/kbs)`, intermediate artifacts can be found at `/usr/src/kbs/target`.
81.04 To reuse those artifacts with a future compilation, set the environment variable `CARGO_TARGET_DIR` to that path.

I don't see a similar issue building locally. I have also tried pinning to v0.1.0 and v0.1.1 and the upstream head. Any ideas @anakrish

Hmm. I haven't seen such an issue before. The failing build command is trying to do this:
https://github.com/microsoft/regorus/blob/0ebcb568cc577602c9ac64ae491ca1e45683deaa/build.rs#L17-L21

    let output = Command::new("git")
        .args(["rev-parse", "HEAD"])
        .output()
        .unwrap();
    let git_hash = String::from_utf8(output.stdout).unwrap();

It is likely that git is not present in the container.

Can you point me to the container image so that I can try it out locally?
By renaming the git executable temporarily, I could reproduce the issue, confirming that the error is due to git not being present in the docker image.
In the Regorus repo, I have changed it so that unless opa.runtime feature is enabled (that built in function requires the commit hash for which git is needed) there is no need to have git while building.

[Xynnn007]

lgtm. cc @jialez0

[fitzthum]

Ok, thanks @anakrish. I added git to our container image so we don't have to pick up a new version.

@jialez0 I would be curious about your feedback since you've worked on the policy stuff previously.

[jialez0]

LGTM. Thanks @fitzthum

[mkulke]

I have some concerns about dropping error sources, but otherwise lg!