Light action support (#642)

* Added light action config to helm and event_handler

* refactored authentication and enabled light action via relay

* fixing helm format

* fixing action name

* added cluster status

also added verification that both parts of the signature are present

* require private key verification if atleast one key is sent

* slight refactoring, added logs

* changed logs, removed redundant code

* added removed comment

* adding other needed light actions

* return error even if signature is signed correctly

functionally only impacts edge case where signature is correct but the request shouldnt be signed

* removing sign_action param

* updated light action helm + supported actions

* remove unneeded log changes

* remove additional signature match check

* changing default java toolkit

* Removing debugger until newer version

helm/robusta/templates/_helpers.tpl

@@ -34,6 +34,10 @@ global_config:
   {{- if .Values.globalConfig }}
 {{ toYaml .Values.globalConfig | indent 2 }}
   {{- end }}
+
+light_actions:
+{{ toYaml  .Values.lightActions | indent 2 }}
+
 active_playbooks:
 {{- if .Values.playbooks }}
   {{- fail "The `playbooks` value is deprecated. Rename `playbooks`  to `customPlaybooks` and remove builtin playbooks which are now defined separately" -}}

helm/robusta/values.yaml

@@ -22,6 +22,40 @@ globalConfig:
   account_id: ""
   signing_key: ""
 
+# safe actions to enable authenticated users to run
+lightActions:
+- related_pods
+- prometheus_enricher
+- add_silence
+- delete_pod
+- delete_silence
+- get_silences
+- logs_enricher
+- pod_events_enricher
+- deployment_events_enricher
+- job_events_enricher
+- job_pod_enricher
+- get_resource_yaml
+- incluster_ping
+- node_cpu_enricher
+- node_disk_analyzer
+- node_running_pods_enricher
+- node_allocatable_resources_enricher
+- node_status_enricher
+- node_graph_enricher
+- oomkilled_container_graph_enricher
+- pod_oom_killer_enricher
+- oom_killer_enricher
+- volume_analysis
+- python_profiler
+- pod_ps
+- python_memory
+- debugger_stack_trace
+- python_process_inspector
+- prometheus_alert
+- create_pvc_snapshot
+- http_stress_test
+
 # install prometheus, alert-manager, and grafana along with Robusta?
 enablePrometheusStack: false
 enableServiceMonitors: false

src/robusta/core/model/cluster_status.py

@@ -1,8 +1,9 @@
-from pydantic.main import BaseModel, Optional
+from pydantic.main import BaseModel, Optional, List
 
 
 class ClusterStatus(BaseModel):
     account_id: str
     cluster_id: str
     version: str
     last_alert_at: Optional[str]  # ts
+    light_actions: List[str]

src/robusta/core/model/runner_config.py

@@ -48,6 +48,7 @@ class RunnerConfig(BaseModel):
             ]
         ]
     ]
+    light_actions: Optional[List[str]]
     global_config: Optional[dict] = {}
     active_playbooks: Optional[List[PlaybookDefinition]] = []
 

src/robusta/core/playbooks/playbooks_event_handler.py

@@ -45,6 +45,13 @@ def get_global_config(
         """Return runner global config"""
         pass
 
+    @abstractmethod
+    def get_light_actions(
+        self,
+    ) -> List[str]:
+        """Returns configured light actions"""
+        pass
+
     @abstractmethod
     def get_telemetry(
         self,

src/robusta/core/playbooks/playbooks_event_handler_impl.py

@@ -311,5 +311,8 @@ def __handle_findings(self, execution_event: ExecutionBaseEvent):
     def get_global_config(self) -> dict:
         return self.registry.get_playbooks().get_global_config()
 
+    def get_light_actions(self) -> List[str]:
+        return self.registry.get_light_actions()
+
     def get_telemetry(self) -> Telemetry:
         return self.registry.get_telemetry()

src/robusta/core/sinks/robusta/robusta_sink.py

@@ -327,6 +327,7 @@ def __update_cluster_status(self):
                 version=self.registry.get_telemetry().runner_version,
                 last_alert_at=self.registry.get_telemetry().last_alert_at,
                 account_id=self.account_id,
+                light_actions=self.registry.get_light_actions(),
             )
 
             self.dal.publish_cluster_status(cluster_status)

src/robusta/integrations/kubernetes/custom_models.py

@@ -18,7 +18,7 @@
     "us-central1-docker.pkg.dev/genuine-flight-317411/devel/debug-toolkit:v5.0"
 )
 JAVA_DEBUGGER_IMAGE = (
-    "us-central1-docker.pkg.dev/genuine-flight-317411/devel/java-toolkit-11:v1.1"
+    "us-central1-docker.pkg.dev/genuine-flight-317411/devel/java-toolkit-11:jattach"
 )
 
 # TODO: import these from the python-tools project

src/robusta/integrations/receiver.py

@@ -226,25 +226,41 @@ def __validate_request(self, action_request: ExternalActionRequest, validate_tim
                                       error_msg="Illegal timestamp")
 
         signing_key = self.event_handler.get_global_config().get("signing_key")
-        body = action_request.body
         if not signing_key:
-            logging.error(f"Signing key not available. Cannot verify request {body}")
+            logging.error(f"Signing key not available. Cannot verify request {action_request.body}")
             return ValidationResponse(http_code=500,
                                       error_code=ErrorCodes.NO_SIGNING_KEY.value,
                                       error_msg="No signing key")
 
-        # First auth protocol option, based on signature only
-        signature = action_request.signature
-        if signature:
-            generated_signature = sign_action_request(body, signing_key)
-            if hmac.compare_digest(generated_signature, signature):
-                return ValidationResponse()
-            else:
-                return ValidationResponse(http_code=500,
-                                          error_code=ErrorCodes.SIGNATURE_MISMATCH.value,
-                                          error_msg="Signature mismatch")
-
-        # Second auth protocol option, based on public key
+        if action_request.signature:
+            # First auth protocol option, based on signature only
+            return self.validate_action_request_signature(action_request, signing_key)
+        elif action_request.partial_auth_a or action_request.partial_auth_b:
+            # Second auth protocol option, based on public key
+            return self.validate_with_private_key(action_request, signing_key)
+        else: # Light action protocol option, authenticated in relay
+            return self.validate_light_action(action_request)
+
+    def validate_light_action(self, action_request: ExternalActionRequest) -> ValidationResponse:
+        light_actions = self.event_handler.get_light_actions()
+        if action_request.body.action_name not in light_actions:
+            return ValidationResponse(http_code=500,
+                                      error_code=ErrorCodes.UNAUTHORIZED_LIGHT_ACTION.value,
+                                      error_msg="Unauthorized action requested")
+        return ValidationResponse()
+
+    @staticmethod
+    def validate_action_request_signature(action_request: ExternalActionRequest, signing_key: str) -> ValidationResponse:
+        generated_signature = sign_action_request(action_request.body, signing_key)
+        if hmac.compare_digest(generated_signature, action_request.signature):
+            return ValidationResponse()
+        else:
+            return ValidationResponse(http_code=500,
+                                      error_code=ErrorCodes.SIGNATURE_MISMATCH.value,
+                                      error_msg="Signature mismatch")
+
+    def validate_with_private_key(self, action_request: ExternalActionRequest, signing_key: str) -> ValidationResponse:
+        body = action_request.body
         partial_auth_a = action_request.partial_auth_a
         partial_auth_b = action_request.partial_auth_b
         if not partial_auth_a or not partial_auth_b:

src/robusta/model/config.py

@@ -174,6 +174,7 @@ def get_global_config(self) -> dict:
 
 class Registry:
     _actions: ActionsRegistry = ActionsRegistry()
+    _light_actions: List[str] = []
     _playbooks: PlaybooksRegistry = PlaybooksRegistry()
     _sinks: SinksRegistry = None
     _scheduler = None
@@ -184,6 +185,12 @@ class Registry:
         prometheus_enabled=PROMETHEUS_ENABLED, 
     )
 
+    def set_light_actions(self, light_actions: List[str]):
+        self._light_actions = light_actions
+
+    def get_light_actions(self) -> List[str]:
+        return self._light_actions
+
     def set_actions(self, actions: ActionsRegistry):
         self._actions = actions
 

src/robusta/runner/config_loader.py

@@ -248,7 +248,7 @@ def __reload_playbook_packages(self, change_name):
                 GitRepoManager.clear_git_repos()
 
                 self.__reload_scheduler(playbooks_registry)
-
+                self.registry.set_light_actions(runner_config.light_actions)
                 self.registry.set_actions(action_registry)
                 self.registry.set_playbooks(playbooks_registry)
                 self.registry.set_sinks(sinks_registry)

src/robusta/utils/error_codes.py

@@ -20,6 +20,7 @@ class ErrorCodes(Enum):
     NOT_EXTERNAL_ACTION = 4604
     EVENT_PARAMS_INSTANTIATION_FAILED = 4605
     EVENT_INSTANTIATION_FAILED = 4606
+    UNAUTHORIZED_LIGHT_ACTION = 4607
 
     ACTION_UNEXPECTED_ERROR = 4700
     RESOURCE_NOT_SUPPORTED = 4701