initial commit for adding confcom

.github/CODEOWNERS

@@ -269,3 +269,5 @@
 /src/mobile-network/ @jsntcy
 
 /src/automanage/ @calvinhzy
+
+/src/confcom/ @BryceDFisher @SethHollandsworth @hgarvison @stevendongatmsft

src/confcom/.gitignore

@@ -0,0 +1,32 @@
+.vscode/settings.json
+.vscode/*.log
+
+# python cache files and directories
+**/*.egg-info/
+**/*.egg-info/*
+**/dist/
+**/dist/*
+**/build/
+**/build/*
+**/__pycache__/
+**/__pycache__/*
+**/*.pyc
+
+# virtual environments
+env/*
+accdevops_env/*
+acclibpy_env/*
+ext_env/*
+
+# memeory leak check footage
+**/memleak-check.log
+
+# temporary shared libraries
+tests/outputs/**
+azext_confcom/bin/
+azext_confcom/bin/*
+**/dmverity-vhd.exe
+**/dmverity-vhd
+# metadata file for coverage reports
+**/.coverage
+**/htmlcov

src/confcom/HISTORY.rst

@@ -0,0 +1,54 @@
+.. :changelog:
+
+Release History
+===============
+0.2.8
+* adding secureValue as a valid input for environment variables
+
+0.2.7
+* adding default mounts field for sidecars
+
+0.2.6
+* updating secretSource mount source to "plan9://" and adding vkMetrics and scKubeProxy to sidecar list
+
+0.2.5
+* removing default mounts and updating mount type to "bind"
+
+0.2.4
+* updating sidecar package name and svn
+
+0.2.3
+* added ability to use tarball as input for layer hashes and container manifests
+* added initContainers as container source in ARM Template
+* update dealing with liveness and readiness probes
+* update
+
+0.2.2
+* added pause container to customer container groups
+* added caching for dm-verity calculation when using the same image multiple times in a container group
+* added new rego variables
+* made injecting security policies into ARM template the default behavior
+
+0.2.1
+* update rego format
+* allow users to update the infrastructure fragment minimum svn value from command line arguments
+* add check for arm64 architecture
+* add policy diff feature
+* add ability to generate policy based on image name
+* add debug mode for rego policy
+* add ability to inject policy into ARM template
+
+0.2.0
+* update to remove hardcoded side-cars
+* update to create CCE Policy with ARM Template
+* update to make rego the default output format
+
+0.1.2
+* update for enable restart field
+
+0.1.1
+* update for private preview
+
+0.1.0
+++++++
+* Initial release.

src/confcom/README.md

@@ -0,0 +1,80 @@
+# Microsoft Azure CLI 'confcom' Extension
+
+- [Microsoft Azure CLI 'confcom' Extension](#microsoft-azure-cli-confcom-extension)
+  - [Repository](#repository)
+  - [Prerequisites](#prerequisites)
+  - [Installation Instructions (End User)](#installation-instructions-end-user)
+  - [Generating a confidential execution enforcement (cce) policy](#generating-a-confidential-execution-enforcement-cce-policy)
+  - [Setup and Instructions for Developers](#setup-and-instructions-for-developers)
+    - [Setup Development Environment](#setup-development-environment)
+    - [Build Extension Binary(Wheel) and Run Extension Tests](#build-extension-binarywheel-and-run-extension-tests)
+    - [Miscellaneous](#miscellaneous)
+  - [Azure Container Registration authentication](#azure-container-registration-authentication)
+    - [Authentication with service principals](#authentication-with-service-principals)
+    - [Authenticate with Azure managed identity](#authenticate-with-azure-managed-identity)
+  - [Trademarks](#trademarks)
+
+## Repository
+
+- <https://github.com/Azure/ACC-CLI/tree/main/az_extensions/confcom>
+
+## Prerequisites
+
+**MacOS** is **NOT** supported yet
+
+- **64-bit** `Python 3.6+` and `pip`
+  - **64-bit** **Windows 10** or later
+    - Install python3 version 3.6+ through [official download](https://www.python.org/downloads/)
+    - or chocolatey: `choco install python`
+  - Or **64-bit** Linux Distribution System, **Ubuntu 18.04** or later is recommended
+    - Ubuntu 18.04 or later comes with python 3.6+ by default
+- Docker Daemon
+  - Linux(Ubuntu):
+
+    ```bash
+    sudo apt install docker.io
+    ```
+
+  - Windows: [Docker Desktop](https://www.docker.com/products/docker-desktop) and [WSL2](https://docs.microsoft.com/en-us/windows/wsl/install)
+
+## Docker Standalone Instructions (End User)
+
+### TODO: change this image when it goes to a public registry
+
+1. Download the docker container: `fishersnpregistry.azurecr.io/confcom-cli:clean-room`
+2. Run:
+
+  ```bash
+    docker run -v "$(pwd):/temp" -v /var/run/docker.sock:/var/run/docker.sock fishersnpregistry.azurecr.io/confcom-cli:clean-room az confcom acipolicygen -a temp/template.json
+  ```
+
+Notes:
+
+- The first `-v` flag can be changed to go wherever in the local machine that has the input files for generating policies. For example, the ARM Template that is going to be used.
+- The second `-v` is for mounting the Docker socket into the container, so Docker must be running on the host machine in order to generate policies from images that are contained within the Docker daemon. This includes images that need to be pulled from a remote registry.
+- The path to the input file in the `az confcom acipolicygen` snippet must line up with where the local folder is getting mounted in the first `-v` flag. For example, above we are mounting to `/temp` in the container so the CLI command will be `az confcom acipolicygen -a /temp/template.json` because `template.json` is in the current local directory.
+
+## Installation Instructions (End User)
+
+1. Install Azure CLI through following ways:
+   1. Option 1: (Windows and Linux) use `PyPI/pip(comes with 64-bit python)` to install `azure-cli`
+
+      ```bash
+      python3 -m pip install azure-cli
+      ```
+
+      - **Notes for Windows user ONLY**:  even you have 64-bit python3 installed already, windows version **Azure CLI** installation package comes with a 32-bit python, which is not supported for now. So please use the `PyPI/pip` solution to install `azure-cli`.
+
+   2. Option 2:(Linux Only) [Install through Linux Package Tools](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-linux?pivots=apt).
+
+## Generating a confidential execution enforcement (cce) policy
+
+Please see [ACIConfidentialSecurityPolicySpec](https://microsoft-my.sharepoint.com/:w:/p/sewong/EV7PkPR5kWJMnmqm9TtWt0QBhmpYg1HqKwknw07DleugKQ?e=zLQZOl)
+
+## Trademarks
+
+This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft
+trademarks or logos is subject to and must follow
+[Microsoft's Trademark & Brand Guidelines](https://www.microsoft.com/en-us/legal/intellectualproperty/trademarks/usage/general).
+Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship.
+Any use of third-party trademarks or logos are subject to those third-party's policies.

src/confcom/azext_confcom/__init__.py

@@ -0,0 +1,30 @@
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# --------------------------------------------------------------------------------------------
+
+from azure.cli.core import AzCommandsLoader
+
+from azext_confcom._help import helps  # pylint: disable=unused-import
+
+
+class ConfcomCommandsLoader(AzCommandsLoader):
+    def __init__(self, cli_ctx=None):
+        from azure.cli.core.commands import CliCommandType
+
+        confcom_custom = CliCommandType(operations_tmpl="azext_confcom.custom#{}")
+        super().__init__(cli_ctx=cli_ctx, custom_command_type=confcom_custom)
+
+    def load_command_table(self, args):
+        from azext_confcom.commands import load_command_table
+
+        load_command_table(self, args)
+        return self.command_table
+
+    def load_arguments(self, command):
+        from azext_confcom._params import load_arguments
+
+        load_arguments(self, command)
+
+
+COMMAND_LOADER_CLS = ConfcomCommandsLoader

src/confcom/azext_confcom/_help.py

@@ -0,0 +1,91 @@
+# coding=utf-8
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# --------------------------------------------------------------------------------------------
+
+from knack.help_files import helps  # pylint: disable=unused-import
+
+
+helps[
+    "confcom"
+] = """
+    type: group
+    short-summary: Commands to generate security policies for confidential containers in Azure.
+"""
+
+helps[
+    "confcom acipolicygen"
+] = """
+    type: command
+    short-summary: Create a Confidential Container Security Policy.
+
+    parameters:
+        - name: --input -i
+          type: string
+          short-summary: 'Input JSON config file'
+
+        - name: --template-file -a
+          type: string
+          short-summary: 'Input ARM Template file'
+
+        - name: --parameters -p
+          type: string
+          short-summary: 'Input parameters file to optionally accompany an ARM Template'
+
+        - name: --image
+          type: string
+          short-summary: 'Input image name'
+
+        - name: --tar
+          type: string
+          short-summary: 'Path to either a tarball containing image layers or a JSON file containing paths to tarballs of image layers'
+
+        - name: --infrastructure-svn
+          type: string
+          short-summary: 'Minimum Allowed Software Version Number for Infrastructure Fragment'
+
+        - name: --debug-mode
+          type: boolean
+          short-summary: 'When enabled, the generated security policy adds the ability to use /bin/sh or /bin/bash to debug the container. It also enabled stdio access, ability to dump stack traces, and enables runtime logging. It is recommended to only use this option for debugging purposes.'
+
+        - name: --disable-stdio
+          type: boolean
+          short-summary: 'When enabled, the containers in the container group do not have access to stdio.'
+
+        - name: --print-existing-policy
+          type: boolean
+          short-summary: 'When enabled, the existing security policy that is present in the ARM Template is printed to the command line, and no new security policy is generated.'
+
+        - name: --diff -d
+          type: boolean
+          short-summary: 'When combined with an input ARM Template, verifies the policy present in the ARM Template under "ccePolicy" and the containers within the ARM Template are compatible. If they are incompatible, a list of reasons is given and the exit status code will be 2.'
+
+        - name: --json -j
+          type: string
+          short-summary: 'Outputs in JSON format instead of Rego'
+
+        - name: --outraw
+          type: boolean
+          short-summary: 'Output policy in clear text compact JSON instead of default base64 format'
+
+        - name: --outraw-pretty-print
+          type: boolean
+          short-summary: 'Output policy in clear text and pretty print format'
+
+        - name: --save-to-file -s
+          type: string
+          short-summary: 'Save output policy to given file path.'
+
+        - name: --print-policy
+          type: boolean
+          short-summary: 'When enabled, the generated security policy is printed to the command line instead of injected into the input ARM Template'
+
+    examples:
+        - name: Input a policy.json file to create a base64 encoded Confidential Container Security Policy
+          text: az confcom acipolicygen --input "./policy.json"
+        - name: Input a policy.json file to create a human-readable Confidential Container Security Policy
+          text: az confcom acipolicygen --input "./policy.json" --outraw-pretty-print
+        - name: Input a policy.json file to save a Confidential Container Security Policy to a file
+          text: az confcom acipolicygen --input "./policy.json" -s "./output-file.txt"
+"""