From 763c60027e58946f484d88d07526a2a214f8731b Mon Sep 17 00:00:00 2001
From: Ray Cromwell
Date: Mon, 26 Sep 2022 11:28:46 -0700
Subject: [PATCH 1/3] More GCP deployment work
---
 .bazelrc-docker | 34 +++++++++++++++++++++++++++++++++
 .dockerignore | 2 ++
 Dockerfile | 21 ++++++++++++++++++++
 cloudbuild.yaml | 51 +++++++++++++++++++++++++++++++++++++++++++++++++
 index.js | 40 ++++++++++++++++++++++++++++++++++++++
 package.json | 5 ++++-
 server.js | 2 +-
 7 files changed, 153 insertions(+), 2 deletions(-)
 create mode 100644 .bazelrc-docker
 create mode 100644 .dockerignore
 create mode 100644 Dockerfile
 create mode 100644 cloudbuild.yaml
 create mode 100644 index.js
diff --git a/.bazelrc-docker b/.bazelrc-docker
new file mode 100644
index 0000000..36260bb
--- /dev/null
+++ b/.bazelrc-docker
@@ -0,0 +1,34 @@
+try-import %workspace%/gcb/rbe/remote.bazelrc
+
+# TODO(#167): Remove `-Wno-deprecated-declarations` when glog is updated.
+
+build --cxxopt='-std=c++17'
+build --cxxopt='-Wall'
+build --cxxopt='-Wno-deprecated-declarations'
+# Why are we doing this when Souffle-generated C++ clearly uses exceptions?
+# Well, Google famously does not like C++ exceptions in its internal codebase,
+# so we will need to explicitly override that in Raksha files everywhere we
+# build Souffle C++ code to have Raksha build when imported into Google. This
+# default acts as a simulation of that property of Google's internal codebase.
+#build --cxxopt='-fno-exceptions'
+build --host_cxxopt='-std=c++17'
+# Note: We usually try to keep the cxxopt and host_cxxopt consistent. That is
+# not a good idea for this line. It appears that adding -Werror to host_cxxopt
+# causes the compiler to use this flag when building dependencies that we build
+# from source. This causes the build to fail if our source dependencies are not
+# warning-clean. We also comment out -Wall so that we do not receive extra
+# warnings from our third party packages.
+# build --host_cxxopt='-Werror' --host_cxxopt='-Wall'
+build --host_cxxopt='-Wno-deprecated-declarations'
+# Similarly, we should not set this flag that we're using as a debugging
+# assistant when compiling third party libraries.
+# build --host_cxxopt='-fno-exceptions'
+
+# ASAN config for exposing memory errors.
+build:asan --strip=never
+build:asan --copt -fsanitize=address
+build:asan --copt -DADDRESS_SANITIZER
+build:asan --copt -O1
+build:asan --copt -g
+build:asan --copt -fno-omit-frame-pointer
+build:asan --linkopt -fsanitize=address
diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..93f1361
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,2 @@
+node_modules
+npm-debug.log
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..29cbc22
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,21 @@
+FROM node:16
+
+# Create app directory
+WORKDIR /usr/src/app
+
+# Install app dependencies
+# A wildcard is used to ensure both package.json AND package-lock.json are copied
+# where available (npm@5+)
+COPY package*.json ./
+
+# If you are building your code for production
+# RUN npm ci --only=production
+
+# Bundle app source
+COPY . .
+
+RUN npm install
+
+EXPOSE 3000
+CMD [ "node", "index.js" ]
+#CMD [ "bash" ]
diff --git a/cloudbuild.yaml b/cloudbuild.yaml
new file mode 100644
index 0000000..58142b2
--- /dev/null
+++ b/cloudbuild.yaml
@@ -0,0 +1,51 @@
+steps:
+ - name: gcr.io/cloud-builders/git
+ args:
+ - clone
+ - 'https://github.com/google-research/raksha.git'
+ - name: ubuntu
+ script: cp .bazelrc-docker raksha/.bazelrc
+ - name: gcr.io/cloud-builders/bazel
+ args:
+ - build
+ - '--remote_cache=https://storage.googleapis.com/arcsjs-bazel-cache'
+ - '--google_default_credentials'
+ - //src/...
+ dir: raksha
+ - name: node
+ args:
+ - install
+ entrypoint: npm
+ - name: gcr.io/cloud-builders/docker
+ args:
+ - build
+ - '--network=cloudbuild'
+ - '--cache-from=${_DOCKER_IMAGE}'
+ - '--tag=${_DOCKER_IMAGE}'
+ - .
+ id: build-image
+ - name: gcr.io/cloud-builders/docker
+ args:
+ - push
+ - '${_DOCKER_IMAGE}'
+ id: push-image
+ waitFor:
+ - build-image
+ - name: gcr.io/google.com/cloudsdktool/cloud-sdk
+ args:
+ - run
+ - deploy
+ - arcsjs-chromium
+ - '--image'
+ - '${_DOCKER_IMAGE}'
+ - '--region'
+ - us-central1
+ - '--platform'
+ - managed
+ entrypoint: gcloud
+images:
+ - '${_DOCKER_IMAGE}'
+options:
+ machineType: E2_HIGHCPU_8
+substitutions:
+ _DOCKER_IMAGE: 'gcr.io/arcsjs/arcsjs-chromium:latest'
diff --git a/index.js b/index.js
new file mode 100644
index 0000000..37f51cb
--- /dev/null
+++ b/index.js
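Review bot: The image has no `USER` instruction, so `node index.js` runs as root inside the container; index.js in this same patch accepts request bodies and spawns an external binary, so dropping privileges limits what a compromise of that process can touch. The `node:16` base image ships an unprivileged `node` account, so `USER node` before the `CMD` line is enough. Separately, `RUN npm install` resolves versions at build time; with the `package-lock.json` that `COPY package*.json ./` already brings in, `RUN npm ci` would give reproducible dependency versions.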
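Review bot: The `clone` step takes whatever is at the head of the raksha repository's default branch, and the `check_policy_compliance` binary built from it is what decides whether a recipe passes policy, so an upstream change silently alters the deployed verdicts. Pinning the checkout to a reviewed commit makes the build reproducible, e.g. an extra step running `git -C raksha checkout <PINNED_COMMIT_SHA>` (placeholder value) right after the clone. The same concern applies to the builder images referenced by bare name (`ubuntu`, `node`) and to the mutable `:latest` tag in `_DOCKER_IMAGE`, which `--cache-from` then trusts as a layer source.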
@@ -0,0 +1,40 @@
+import express from "express";
+import bodyParser from "body-parser";
+import fs from "fs";
+import tmp from "tmp";
+import { exec } from "child_process";
+
+const app = express();
+
+app.use(express.static("pkg"));
+app.use(bodyParser.text({ type: 'text/plain' }));
+
+app.get("/", function (req, res) {
+ res.redirect("/demo/quill/index.html");
+});
+
+const RAKSHA_BINARY = '/usr/src/app/raksha/bazel-bin/src/backends/policy_engine/souffle/check_policy_compliance';
+const RAKSHA_POLICY = '/usr/src/app/raksha/src/backends/policy_engine/souffle/testdata/arcsjs_policy_rules.txt';
+
+app.post("/raksha", async function (req, res) {
+ const data = req.body;
+ tmp.file(function (err, path, fd, cleanup) {
+ if (err) throw err;
+ fs.appendFile(path, new Buffer(data), function (err) {
+ if (err) {
+ res.send("2");
+ }
+ });
+ exec(`${RAKSHA_BINARY} --ir ${path} --sql_policy_rules=${RAKSHA_POLICY} --policy_engine=`,
+ async (err, stdout, stderr) => {
+ if (err) { console.error(err); res.send("1"); } else {
+ res.send("0");
+ }
+ console.log(stdout);
+ });
+ });
+});
+
+app.listen(3000, function () {
+ console.log("Starting server at port 3000...");
+});
diff --git a/package.json b/package.json
index 6677323..fe562cf 100644
--- a/package.json
+++ b/package.json
@@ -1,10 +1,10 @@
 {
 "name": "chromium-arcsjs",
 "author": "cromwellian@google.com",
- "type": "module",
 "license": "ISC",
 "version": "0.0.0",
 "description": "",
+ "type": "module",
 "main": "server.js",
 "engines": {
 "node": ">=14.0.0"
@@ -13,6 +13,9 @@
 "local-web-server": "^4.2.1"
 },
 "dependencies": {
+ "body-parser": "^1.20.0",
+ "express": "^4.18.1",
+ "tmp": "^0.2.1",
 "fastify": "^3.27.4",
 "fastify-static": "^4.6.1"
 },
diff --git a/server.js b/server.js
index 2390fc0..5aaa998 100644
--- a/server.js
+++ b/server.js
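Review bot: In the `/raksha` handler of index.js, `exec` is started right after `fs.appendFile` is called rather than in its callback, so the checker can read the temp file before the IR has been written and the verdict may not correspond to the submitted policy. Two more paths take the process down or answer twice: `if (err) throw err;` and `new Buffer(data)` both throw inside a callback (body-parser leaves `req.body` as an object when the request is not `text/plain`, which `new Buffer` would reject), and a write error sends "2" while the `exec` callback later sends again. `cleanup` is never called, so every request leaves a temp file behind. The version below writes first, replies once, removes the file, and uses `execFile` with an argument array (it needs `import { execFile } from "child_process";`), so no shell parses the command line; nothing request-controlled reaches that string today, but the array form keeps it that way.

```javascript
app.post("/raksha", function (req, res) {
  const data = req.body;
  // body-parser leaves req.body as {} when the request is not text/plain
  if (typeof data !== "string") {
    res.send("2");
    return;
  }
  tmp.file(function (err, path, fd, cleanup) {
    if (err) {
      console.error(err);
      res.send("2");
      return;
    }
    fs.writeFile(path, data, function (err) {
      if (err) {
        cleanup();
        res.send("2");
        return;
      }
      // Run the checker only once the IR is on disk; arguments go in as an array, no shell.
      execFile(RAKSHA_BINARY,
        ["--ir", path, `--sql_policy_rules=${RAKSHA_POLICY}`, "--policy_engine="],
        (err, stdout, stderr) => {
          cleanup();
          if (err) { console.error(err); res.send("1"); } else {
            res.send("0");
          }
          console.log(stdout);
        });
    });
  });
});
```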
@@ -21,7 +21,7 @@ fastify.get("/", function(request, reply) { }); // Run the server and report out to the logs -fastify.listen(process.env.PORT, '0.0.0.0', function(err, address) { +fastify.listen(8090, '0.0.0.0', function(err, address) { if (err) { fastify.log.error(err); process.exit(1); From 79ca4531fe7a4a2a15cc58c4523f8cb403701cad Mon Sep 17 00:00:00 2001 From: Ray Cromwell Date: Tue, 27 Sep 2022 20:39:18 -0700 Subject: [PATCH 2/3] Policy/DevTools Integration, Raksha Integration, TPAC Demo --- pkg/Chooser/ChooserApp.js | 20 ++++- pkg/Library/DevToolsEx/PolicyRenderer.js | 12 ++- .../policy/Library/SimplePassingRecipe.js | 7 +- pkg/demo/policy/index.js | 12 ++- pkg/demo/quill/Library/QuillFontPicker.js | 22 +++-- .../quill/Library/QuillFontPickerRecipe.js | 16 ++-- pkg/policy/ir_test.js | 1 + pkg/policy/recipe2policy.js | 88 ++++++++++++++++--- pkg/policy/simple_recipe.js | 21 ++--- pkg/policy/simplerecipe_test_ir.js | 11 +-- 10 files changed, 161 insertions(+), 49 deletions(-) diff --git a/pkg/Chooser/ChooserApp.js b/pkg/Chooser/ChooserApp.js index db15dda..4a0f06d 100644 --- a/pkg/Chooser/ChooserApp.js +++ b/pkg/Chooser/ChooserApp.js @@ -22,13 +22,25 @@ export const ChooserApp = class extends App { await App.Arcs.addAssembly(assembly, 'user'); } - onservice(user, host, {msg, data}) { + async onservice(user, host, {msg, data}) { switch (msg) { case 'currentPolicy': return new PolicyGenerator(this.userAssembly[0], "Chooser").recipeToPolicy(); - case 'currentPolicyIr': - return new PolicyGenerator(this.userAssembly[0], "Chooser").recipeToIr(); + case 'currentPolicyIr': { + const ir = new PolicyGenerator(this.userAssembly[0], "Chooser").recipeToIr(); + const result = await fetch('/raksha', { + method: "POST", + headers: { + "Content-Type": "text/plain" + }, + body: ir + }); + const code = await result.text(); + return { + ir: ir, + valid: code.trim() == "0" + } + } } - ; } } \ No newline at end of file 
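Review bot: The `fastify.listen` call in server.js now hard-codes port 8090 while still binding `0.0.0.0`, so the port can no longer be set by the environment the process runs in. Keeping the variable with a fallback preserves both uses: `fastify.listen(process.env.PORT ?? 8090, '0.0.0.0', function(err, address) {`. If this server is only meant for local development, binding `127.0.0.1` would keep it off the network. The callback body continues past the end of the hunk.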
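Review bot: The `currentPolicyIr` case in ChooserApp.js has no handling for a failed `/raksha` call: a network error rejects out of `onservice`, and the HTTP status is never inspected. Because the result gates what the UI allows, the verdict should fail closed explicitly, e.g. wrap the `fetch` in `try`/`catch` returning `{ir, valid: false}` and compute `valid: result.ok && code.trim() === "0"`. `onservice` is now `async`, so the `currentPolicy` case returns a promise as well; any caller that used its return value synchronously would need to await it.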
diff --git a/pkg/Library/DevToolsEx/PolicyRenderer.js b/pkg/Library/DevToolsEx/PolicyRenderer.js index 397dcae..31e963d 100644 --- a/pkg/Library/DevToolsEx/PolicyRenderer.js +++ b/pkg/Library/DevToolsEx/PolicyRenderer.js @@ -13,15 +13,23 @@ }, render(inputs, state) { + log("Invalid " + !state.policy.valid + " valid " + state.policy.valid); return { - policy: state.policy, - jsonPolicy: {foo: 42, bar: 20} + policy: state.policy.ir, + jsonPolicy: {foo: 42, bar: 20}, + invalid: ""+!state.policy.valid, + valid: ""+state.policy.valid } }, get template() { return html` +
+
Policy is Invalid
+
Policy is Valid
{{policy}}
`; } diff --git a/pkg/demo/policy/Library/SimplePassingRecipe.js b/pkg/demo/policy/Library/SimplePassingRecipe.js index ca5c84d..0da79c3 100644 --- a/pkg/demo/policy/Library/SimplePassingRecipe.js +++ b/pkg/demo/policy/Library/SimplePassingRecipe.js @@ -20,17 +20,22 @@ export const SimplePassingRecipe = { }, public: { $tags: ['public'], + $type: 'String', $value: 'PublicData' }, output: { $type: 'String', + }, + intent: { + $type: 'String' } }, main: { $kind: '$local/SimplePassingParticle', $inputs: ['private', 'public'], - $outputs: ['output'], + $outputs: ['output', 'intent'], // handler_name -> [tag -> downgraded-tag] + // arcsjs.user_consent_to_downgrade[from: 'private', to: 'public'] $events: {'onClick': ['private', 'public']} } }; diff --git a/pkg/demo/policy/index.js b/pkg/demo/policy/index.js index 3430821..fd1d829 100644 --- a/pkg/demo/policy/index.js +++ b/pkg/demo/policy/index.js @@ -44,8 +44,16 @@ class SimplePassingApp extends App { onservice(user, host, {msg, data}) { switch (msg) { - case 'currentPolicy': - return new PolicyGenerator(this.userAssembly[0], "Chooser").recipeToPolicy(); + case 'currentPolicyIr': + const ir = new PolicyGenerator(this.userAssembly[0], "Chooser").recipeToIr(); + fetch('/raksha', { + method: "POST", + headers: { + "Content-Type": "text/plain" + }, + body: ir + }); + return ir; } ; } diff --git a/pkg/demo/quill/Library/QuillFontPicker.js b/pkg/demo/quill/Library/QuillFontPicker.js index 8503d39..34caf7c 100644 --- a/pkg/demo/quill/Library/QuillFontPicker.js +++ b/pkg/demo/quill/Library/QuillFontPicker.js @@ -15,7 +15,12 @@ }); }, - render({fonts, suggested}) { + async update({show}, state, {service}) { + const policy = await service({msg: 'currentPolicyIr'}); + assign(state, {policy}); + }, + + render({fonts, suggested}, {policy}) { return { styles: { models: fonts, @@ -26,6 +31,7 @@ models: fonts, decorator: 'decorator', suggested, + policy, filter: 'suggestedfilter', }, families: { 
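Review bot: `render` in PolicyRenderer.js dereferences `state.policy.valid` and `state.policy.ir` without a guard, so it throws if it runs before `state.policy` has been assigned (the old code only passed `state.policy` through); where the state is populated is outside this hunk. A fail-closed default avoids both the crash and an accidental "valid" display: `const {ir, valid = false} = state.policy ?? {};`. The added `log(...)` call runs on every render and looks like leftover debugging. The template lines of this hunk appear to have lost their markup in this copy, so how `valid` and `invalid` are bound could not be checked.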
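Review bot: In the `currentPolicyIr` case of pkg/demo/policy/index.js the `fetch('/raksha', ...)` promise is dropped, so the checker's verdict is never read and a rejected request becomes an unhandled rejection. The case returns the bare `ir` string, whereas the ChooserApp.js handler in this patch returns `{ir, valid}` and PolicyRenderer.js reads `state.policy.ir` and `state.policy.valid`; if the same renderer is used here, `valid` would be undefined. Making `onservice` `async`, awaiting the response and ending with `return {ir, valid: (await result.text()).trim() === "0"};` would align the two apps. The `const ir` declaration is also better wrapped in a `{ ... }` case block, as ChooserApp.js does.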
@@ -34,6 +40,7 @@ fonts: { collateBy: 'family' }, + policy, filter: 'filter' } }; @@ -47,7 +54,7 @@ return suggested?.indexOf(name) != -1 && name?.toLowerCase().includes(myFilter?.toLowerCase()); }, - decorator({family, fullName, weight, style, postscriptName}, {suggested}, {searchFilter}) { + decorator({family, fullName, weight, style, postscriptName}, {suggested}, {searchFilter, policy}) { const fweight = style.includes('Bold') ? 'bold' : weight; const fstyle = style.includes('Italic') ? 'italic' : style.includes('Oblique') ? 'oblique' : ''; const fontFace = `@font-face { @@ -63,12 +70,15 @@ suggested, postscriptName, fontFace, - displayStyle: `font-family: "${family}"; font-weight: ${fweight}; font-style: ${fstyle};` + displayStyle: `font-family: "${family}"; font-weight: ${fweight}; font-style: ${fstyle};`, + valid: policy?.valid || false }; }, - onFontClick({eventlet: {key}}) { - return {pickedFont: key}; + onFontClick({eventlet: {key, value}}) { + if (value) { + return {pickedFont: key}; + } }, onBadFontClick({eventlet: {key}}) { @@ -153,7 +163,7 @@ diff --git a/pkg/demo/quill/Library/QuillFontPickerRecipe.js b/pkg/demo/quill/Library/QuillFontPickerRecipe.js index e6ec4bd..6ca6304 100644 --- a/pkg/demo/quill/Library/QuillFontPickerRecipe.js +++ b/pkg/demo/quill/Library/QuillFontPickerRecipe.js @@ -16,23 +16,27 @@ export const QuillFontPickerRecipe = { $stores: { fonts: { $type: `[Key]`, - $tags: ['simple'] + $tags: ['private'] }, pickedFont: { - $type: `FontKey` + $type: `FontKey`, + $tags: ['public'] }, suggested: { $type: `[Key]`, + $tags: ['public'] }, - baz: { - $type: '[String]', - value: 10 + downgrade_intent: { + $type: 'Intent', + $tags: [], + $value: [], } }, main: { $kind: "$local/../../quill/Library/QuillFontPicker", $inputs: ['fonts', 'suggested'], - $outputs: ['pickedFont'], + $outputs: ['pickedFont', 'downgrade_intent'], + $events: {'onFontClick': ['private', 'public']} }, }; 
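Review bot: `onFontClick` in QuillFontPicker.js now returns `pickedFont` only when the eventlet carries a truthy `value`, but nothing in the visible lines says what `value` is; presumably it is the item's `valid` flag set in `decorator`, bound in template markup that is not readable in this copy. A comment such as `// value mirrors decorator's 'valid': ignore picks until the policy check has passed` would make the gate's intent clear. This is a gate in the particle's own code on data that arrives with the UI event, so it complements rather than replaces the Raksha check. The `update` hunk earlier in this file awaits `service({msg: 'currentPolicyIr'})` on every update with no `catch`; a rejection leaves `policy` unset, which `policy?.valid || false` does treat as invalid.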
diff --git a/pkg/policy/ir_test.js b/pkg/policy/ir_test.js index 9acd077..ae84c6c 100644 --- a/pkg/policy/ir_test.js +++ b/pkg/policy/ir_test.js @@ -13,5 +13,6 @@ import {SimpleRecipe} from './simple_recipe.js'; const policyGen = new PolicyGenerator(SimpleRecipe, "SimpleRecipe"); const ir = policyGen.recipeToIr(); +console.log(ir); console.assert(ir.trim() == SimpleRecipeIr.trim(), "IR don't match"); diff --git a/pkg/policy/recipe2policy.js b/pkg/policy/recipe2policy.js index 1fcddaa..ed49d5f 100644 --- a/pkg/policy/recipe2policy.js +++ b/pkg/policy/recipe2policy.js @@ -57,7 +57,8 @@ class Operation { } ir() { - return `%${this.id} = ${this.name}[${this.attributes.map(x => x.ir()).join(',')}](${this.inputs.map(i => i.ir()).join(',')})`; + return `%${this.id} = ${this.name}[${this.attributes.map(x => x.ir()).join( + ', ')}](${this.inputs.map(i => i.ir()).join(', ')})`; } json() { @@ -81,7 +82,7 @@ class Store extends Operation { constructor(generator, storeName, $store) { super(generator, 'arcsjs.create_store', [], [ new Attribute("name", STRING, `${generator.recipeName}.${storeName}`), - new Attribute("type", STRING, $store.$type) + new Attribute("type", STRING, $store.$type.replace('[', 'List_').replace(']', '')) ]); this.generator = generator; this.storeName = storeName; @@ -91,6 +92,10 @@ class Store extends Operation { isPublicStore() { return this.$store.$tags && this.$store.$tags.includes('public'); } + + isPrivateStore() { + return this.$store.$tags && this.$store.$tags.includes('private'); + } } class PublicOp extends Operation { 
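Review bot: In the `Store` constructor of recipe2policy.js, `$store.$type.replace('[', 'List_').replace(']', '')` rewrites only the first `[` and the first `]`, so a nested type such as `[[Text]]` yields `List_[Text]`, and a store declared without `$type` throws a TypeError here. Global patterns plus an explicit check would make the generated IR predictable: `.replace(/\[/g, 'List_').replace(/\]/g, '')`, preceded by a guard that throws an error naming the store when `$type` is not a string. Store names and types are interpolated into the IR text; whether `Attribute.ir()` escapes quotes is not visible in this diff and is worth confirming.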
@@ -102,11 +107,39 @@ class PublicOp extends Operation { } } -class OutputOp extends Operation { +class PrivateOp extends Operation { + constructor(generator, inputId) { + super(generator, 'sql.tag_transform', [new Input(inputId)], [ + new Attribute('rule_name', STRING, "set_private") + ] + ); + } +} + +class SelectFieldOp extends Operation { constructor(generator, handleName, inputId) { - super(generator, 'sql.sql_output', [new Input(inputId)], + super(generator, 'arcsjs.select_field', [new Input(inputId)], [ - new Attribute('handle_name', STRING, handleName) + new Attribute('name', STRING, handleName) + ]); + } +} + +class OutputOp extends Operation { + constructor(generator, handleName, inputIds) { + super(generator, 'arcsjs.arcsjs_output', + inputIds.map(inputId => new Input(inputId)), + [ + ]); + } +} + +class UserAction extends Operation { + constructor(generator, from, to, inputIds) { + super(generator, "arcsjs.user_consent_to_downgrade", + inputIds.map(inputId => new Input(inputId)), [ + new Attribute("downgrade_from", STRING, from), + new Attribute("downgrade_to", STRING, to) ]); } } @@ -115,7 +148,8 @@ class Binding { constructor(generator, bindingName, store, isOutput) { this.bindingName = bindingName; this.store = store; - this.op = this.isPublic() ? new PublicOp(generator, store.id) : store; + this.op = this.isPublic() ? store + : this.isPrivate() ? new PrivateOp(generator, store.id) : store; this.isOutput = isOutput; } @@ -127,6 +161,10 @@ class Binding { return this.store.isPublicStore(); } + isPrivate() { + return this.store.isPrivateStore(); + } + ir() { return this.op.ir(); } @@ -154,7 +192,7 @@ class Particle extends Operation { const inputBindings = [...bindingMap.values()].filter(x => !x.isOutput); const inputs = inputBindings.map(binding => new Input(binding.id)); - const inputAttributes = inputBindings.map( + const inputAttributes = inputBindings.map( (binding, index) => new Attribute("input_" + index, STRING, binding.bindingName)); 
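Review bot: In the `Binding` constructor the new expression `this.isPublic() ? store : this.isPrivate() ? new PrivateOp(generator, store.id) : store` checks the public tag first, so a store tagged both `public` and `private` is emitted without the `set_private` transform. Testing the private tag first fails closed and is simpler: `this.op = this.isPrivate() ? new PrivateOp(generator, store.id) : store;`. After this change `PublicOp` has no remaining users in the visible hunks, and `OutputOp` accepts a `handleName` argument it never uses; both could be removed or given a comment saying why they stay.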
@@ -168,7 +206,16 @@ class Particle extends Operation { this.storeMap = stores; this.bindingMap = bindingMap; this.output = this.outputBindings().map( - binding => new OutputOp(generator, binding.bindingName, this.id)); + binding => new SelectFieldOp(generator, binding.bindingName, this.id)); + this.downgrades = Object.entries($particle.$events || {}).map( + ([eventName, downgradeConfig]) => new UserAction(generator, + downgradeConfig[0], downgradeConfig[1], + // hack for demo + [this.output[0].id, (this.output.length > 1 ? this.output[1] : this.output[0]).id])); + } + + hasDowngrades() { + return this.downgrades.length > 0; } bindings() { @@ -179,13 +226,18 @@ class Particle extends Operation { return this.bindings().filter(binding => binding.isPublic()); } - nonPublicBindings() { - return this.bindings().filter(binding => !binding.isPublic()); + privateBindings() { + return this.bindings().filter(binding => binding.isPrivate()); } outputBindings() { return this.bindings().filter(binding => binding.isOutput); } + + downgradeOps() { + return this.downgrades; + } + } export class PolicyGenerator { 
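Review bot: The `downgrades` mapping marked `// hack for demo` passes only `this.output[0]` and `this.output[1]` to every `UserAction`, ignores `eventName`, and throws on `this.output[0].id` when a particle declares `$events` but has no outputs. Together with the `recipeToIr` hunk further down, which feeds `arcsjs.arcsjs_output` only from the downgrade ops for such particles, any third or later output of a particle with `$events` never reaches the output op, so the checker presumably does not evaluate it. Until the event-to-output mapping is modelled, the remaining `select_field` ids should at least be added to the `OutputOp` inputs without a downgrade, and `downgradeConfig` should be validated as a two-element array. The `Particle` constructor starts above this hunk.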
@@ -222,10 +274,20 @@ export class PolicyGenerator { // Collect all-public bindings which need set_public tag const allPublicOps = particles.flatMap( particle => particle.publicBindings()).map(binding => binding.op); - const allOutputOps = particles.flatMap(particle => particle.output); + const allPrivateOps = particles.flatMap( + particle => particle.privateBindings()).map(binding => binding.op); + + const allSelectFieldOps = particles.flatMap(particle => particle.output); + + const downgradeOps = particles.flatMap(particle => particle.downgradeOps()); + const outputOp = new OutputOp(this, "out", + downgradeOps.map(op => op.id).concat( + particles.filter(particle => !particle.hasDowngrades()).flatMap( + p => p.output).map(p => p.id))); - const allOps = allReferencedStores.concat(allPublicOps).concat( - particles).concat(allOutputOps).map(op => output(op)); + const allOps = allReferencedStores.concat(allPrivateOps).concat( + particles).concat(allSelectFieldOps).concat(downgradeOps).concat( + outputOp).map(op => output(op)); return allOps; } diff --git a/pkg/policy/simple_recipe.js b/pkg/policy/simple_recipe.js index 4293b76..2dd5003 100644 --- a/pkg/policy/simple_recipe.js +++ b/pkg/policy/simple_recipe.js @@ -11,14 +11,14 @@ export const SimpleRecipe = { description: 'A very simple recipe', }, $stores: { - public_texts: { + private_texts: { $type: '[Text]', - $tags: ['public'], + $tags: ['private'], $value: [], }, - ignored_data: { - $type: '[Text]', - // $tags: ['public'], + downgrade_intent: { + $type: 'Intent', + $tags: [], $value: [], }, output: { 
@@ -28,13 +28,14 @@ export const SimpleRecipe = { } }, exfil_particle: { - $kind: './Library/ExfilParticle', + $kind: './Library/ExfilWithConsentParticle', $inputs: [ - {bar: 'public_texts'}, - {foo: 'ignored_data'}, + {secrets: 'private_texts'} ], $outputs: [ - {baz: 'output'}, + {share: 'output'}, + {intent: 'downgrade_intent'}, ], - } + $events: {'onClick': ['private', 'public']} + }, }; \ No newline at end of file diff --git a/pkg/policy/simplerecipe_test_ir.js b/pkg/policy/simplerecipe_test_ir.js index 21927e5..2272177 100644 --- a/pkg/policy/simplerecipe_test_ir.js +++ b/pkg/policy/simplerecipe_test_ir.js @@ -10,13 +10,14 @@ export const SimpleRecipeIr = ` module m0 { block b0 { - %0 = arcsjs.create_store[name: "SimpleRecipe.public_texts",type: "[Text]"]() - %1 = arcsjs.create_store[name: "SimpleRecipe.ignored_data",type: "[Text]"]() + %0 = arcsjs.create_store[name: "SimpleRecipe.public",type: "[Text]"]() + %1 = arcsjs.create_store[name: "SimpleRecipe.private",type: "[Text]"]() %2 = arcsjs.create_store[name: "SimpleRecipe.output",type: "[Text]"]() %3 = sql.tag_transform[rule_name: "set_public"](%0) - %4 = sql.tag_transform[rule_name: "set_public"](%2) - %5 = arcsjs.particle[name: "SimpleRecipe.exfil_particle",input_0: "bar",input_1: "foo"](%3,%1) - %6 = sql.sql_output[handle_name: "baz"](%5) + %4 = sql.tag_transform[rule_name: "set_restricted"](%2) + %5 = arcsjs.particle[name: "SimpleRecipe.exfil_particle",input_0: "bar",input_1: "foo"](%3,%4) + %6 = arcsjs.user_consent_to_downgrade[downgrade_from: "private", downgrade_to: "public"](%5) + %7 = sql.sql_output[handle_name: "baz"](%6) } } `; \ No newline at end of file From 8f0bcc94430af7cc63ffded3097cc55d6a54866d Mon Sep 17 00:00:00 2001 
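Review bot: The updated expected IR in simplerecipe_test_ir.js does not look like what the generator in this patch emits: it uses `sql.sql_output` and `set_public`/`set_restricted`, bracketed types (`"[Text]"`) and store names `SimpleRecipe.public`/`SimpleRecipe.private`, while recipe2policy.js now emits `arcsjs.select_field`, `arcsjs.arcsjs_output`, `set_private`, `List_`-prefixed types and `', '` separators. ir_test.js compares the two with `console.assert`, which in Node only prints a message, so the mismatch would not fail a test run. Regenerating the fixture from the `console.log(ir)` output after reviewing it, and switching to a throwing check such as `assert.strictEqual(ir.trim(), SimpleRecipeIr.trim())` from `node:assert`, would make this a working regression test for the policy encoding.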
From: Ray Cromwell Date: Tue, 27 Sep 2022 20:56:04 -0700 Subject: [PATCH 3/3] GCP build work --- .bazelrc-docker | 2 ++ .dockerignore | 3 +++ Dockerfile | 13 +++++++------ cloudbuild.yaml | 20 +++++++++++++------- index.js | 2 +- 5 files changed, 26 insertions(+), 14 deletions(-) diff --git a/.bazelrc-docker b/.bazelrc-docker index 36260bb..5854127 100644 --- a/.bazelrc-docker +++ b/.bazelrc-docker @@ -32,3 +32,5 @@ build:asan --copt -O1 build:asan --copt -g build:asan --copt -fno-omit-frame-pointer build:asan --linkopt -fsanitize=address +startup --output_base=/workspace/.bazel + diff --git a/.dockerignore b/.dockerignore index 93f1361..9a7fa21 100644 --- a/.dockerignore +++ b/.dockerignore @@ -1,2 +1,5 @@ +.git node_modules npm-debug.log +raksha +Dockerfile diff --git a/Dockerfile b/Dockerfile index 29cbc22..fb8f5a3 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,8 @@ -FROM node:16 +FROM gcr.io/gcp-runtimes/ubuntu_20_0_4 + +RUN apt-get update && apt-get install -y curl +RUN curl -s https://deb.nodesource.com/setup_16.x | bash +RUN apt-get install nodejs -y # Create app directory WORKDIR /usr/src/app @@ -7,15 +11,12 @@ WORKDIR /usr/src/app # A wildcard is used to ensure both package.json AND package-lock.json are copied # where available (npm@5+) COPY package*.json ./ - -# If you are building your code for production -# RUN npm ci --only=production +RUN npm install # Bundle app source COPY . . -RUN npm install EXPOSE 3000 CMD [ "node", "index.js" ] -#CMD [ "bash" ] + diff --git a/cloudbuild.yaml b/cloudbuild.yaml index 58142b2..5e6ee69 100644 --- a/cloudbuild.yaml +++ b/cloudbuild.yaml 
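Review bot: `RUN curl -s https://deb.nodesource.com/setup_16.x | bash` in the Dockerfile executes a downloaded script as root at build time with no integrity check, and because `-s` is used without `-f`, an HTTP error page would be piped to `bash` as well. Download it to a file with `curl -fsSL ... -o`, compare it with a checksum kept in the repository (`<EXPECTED_SHA256>`, placeholder value), and only then run it; alternatively keep an official Node base image and copy the checker binary in. The new base `gcr.io/gcp-runtimes/ubuntu_20_0_4` is referenced without a tag or digest, and the image still has no `USER` line, so the server runs as root.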
@@ -10,12 +10,18 @@ steps: - build - '--remote_cache=https://storage.googleapis.com/arcsjs-bazel-cache' - '--google_default_credentials' - - //src/... + - '//src/backends/policy_engine/souffle:check_policy_compliance' dir: raksha - - name: node - args: - - install - entrypoint: npm + - name: ubuntu + script: >- + cp -pr + raksha/bazel-bin/src/backends/policy_engine/souffle/check_policy_compliance + raksha/ + # Pull most recent Docker image. + - id: 'pull-image' + name: 'gcr.io/cloud-builders/docker' + args: ['pull', '${_DOCKER_IMAGE}'] + - name: gcr.io/cloud-builders/docker args: - build @@ -36,6 +42,8 @@ steps: - run - deploy - arcsjs-chromium + - '--project' + - arcsjs - '--image' - '${_DOCKER_IMAGE}' - '--region' @@ -45,7 +53,5 @@ steps: entrypoint: gcloud images: - '${_DOCKER_IMAGE}' -options: - machineType: E2_HIGHCPU_8 substitutions: _DOCKER_IMAGE: 'gcr.io/arcsjs/arcsjs-chromium:latest' diff --git a/index.js b/index.js index 37f51cb..8ce6295 100644 --- a/index.js +++ b/index.js @@ -13,7 +13,7 @@ app.get("/", function (req, res) { res.redirect("/demo/quill/index.html"); }); -const RAKSHA_BINARY = '/usr/src/app/raksha/bazel-bin/src/backends/policy_engine/souffle/check_policy_compliance'; +const RAKSHA_BINARY = '/usr/src/app/raksha/check_policy_compliance'; const RAKSHA_POLICY = '/usr/src/app/raksha/src/backends/policy_engine/souffle/testdata/arcsjs_policy_rules.txt'; app.post("/raksha", async function (req, res) {
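Review bot: `RAKSHA_BINARY` in index.js now points at `/usr/src/app/raksha/check_policy_compliance`, but this same patch adds `raksha` to `.dockerignore`, so `COPY . .` would leave out the directory that cloudbuild.yaml copies the binary into; `RAKSHA_POLICY` lives under `raksha/` too. Unless those files reach the image some other way, every `/raksha` request would take the `exec` error path and answer "1". A startup check such as `fs.accessSync(RAKSHA_BINARY, fs.constants.X_OK)` would surface a missing binary at deploy time instead of as a policy failure.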