From d5deb34f9da6e7f2479c6df2fe68bbe41a15b1d9 Mon Sep 17 00:00:00 2001 From: PT-ATA No One Date: Thu, 25 Apr 2024 12:00:20 +0200 Subject: [PATCH] Implement values for enabling the allowlist- and hashLookup and add corresponding documentation --- README.md | 18 +++++++++++++++++- charts/vaas/Chart.yaml | 2 +- charts/vaas/templates/gateway/statefulset.yaml | 4 ++++ charts/vaas/values.yaml | 8 +++++++- 4 files changed, 29 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 227ba6d..7b35526 100644 --- a/README.md +++ b/README.md @@ -85,7 +85,21 @@ export TOKEN_URL=http://vaas/auth/protocol/openid-connect/token # URL of the tok ## Configuring Verdict-as-a-Service -If you want to scan larger files, you have to adjust the deployments body size limit in ```vaas.gateway.ingress.annotations```. Should looks like this: +The default configurations are set to provide the best verdict. When you have the need to run this helm-chart without sending the file hashes to our cloud, you can deactivate the cloud lookups with these options: + +```yaml +cloud: + hashLookup: + enabled: false + allowlistLookup: + enabled: false +``` + +With the `hashLookup`, VaaS uses the G DATA Cloud to obtain additional information about a file and thus enrich the quality of the verdict. Without the hashLookup, this additional information is omitted and files that would ONLY be recognized via the cloud are therefore not recognized. + +The `allowlistLookup` is a request of the hash to the G DATA Cloud, against a list of files that we know for sure are not malicious, to prevent false positives. Some clean files are still detected by the scanners signatures and the `allowlistLookup` will prevent these files to be detected as `malicious` or `pup`. + +If you want to scan larger files, you have to adjust the deployments body size limit in `vaas.gateway.ingress.annotations`. Should looks like this: ```yaml nginx.ingress.kubernetes.io/proxy-body-size: 
@@ -96,6 +110,8 @@ nginx.ingress.kubernetes.io/proxy-request-buffering: "off" | ------------------------------------------ | ----------------------------------------------------------------------------------------------------------- | -------------------------------- | | `global.imagePullSecrets` | List of image pull secrets | `- name: registry` | | `global.secret.dockerconfigjson` | Docker authentication configuration | `""` | +| `cloud.hashLookup.enabled` | Enable/Disable the cloud hash lookup | `true` | +| `cloud.allowlistLookup.enabled` | Enable/Disable the cloud allowlist lookup | `true` | | `gateway.ingress.enabled` | Enable/Disable the Ingress resource | `false` | | `gateway.ingress.annotations` | Additional annotations for Ingress | `{}` | | `gateway.ingress.hosts` | Hostnames and paths for Ingress | `[]` | diff --git a/charts/vaas/Chart.yaml b/charts/vaas/Chart.yaml index 7b2296e..25855ae 100644 --- a/charts/vaas/Chart.yaml +++ b/charts/vaas/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: vaas -version: 1.3.0 +version: 1.4.0 description: Deployment of a Verdict-as-a-Service on-premise instance maintainers: - name: G DATA CyberDefense AG diff --git a/charts/vaas/templates/gateway/statefulset.yaml b/charts/vaas/templates/gateway/statefulset.yaml index 96e4d3e..8bd2a10 100644 --- a/charts/vaas/templates/gateway/statefulset.yaml +++ b/charts/vaas/templates/gateway/statefulset.yaml @@ -60,6 +60,10 @@ spec: value: {{ .Release.Name }} - name: MaxAnalysisDuration value: {{ include "common.secondsToHHMMSS" .Values.gateway.terminationGracePeriodSeconds | quote }} + - name: FileCloudVerdictSource__Enable + value: {{ .Values.cloud.hashLookup.enabled | quote }} + - name: FileAllowlistCloudVerdictSource__Enable + value: {{ .Values.cloud.allowlistLookup.enabled | quote }} ports: - name: http containerPort: {{ .Values.gateway.service.http.port }} diff --git a/charts/vaas/values.yaml b/charts/vaas/values.yaml index 180c9db..b5e03a4 100644 --- a/charts/vaas/values.yaml 
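Review bot: The two added env entries pass `.Values.cloud.hashLookup.enabled` and `.Values.cloud.allowlistLookup.enabled` through `quote` with no type check, so a non-boolean override such as `enabled: "False"`, or a `cloud: null` override that nils the key and renders `""`, reaches the gateway as an arbitrary string, and what `FileCloudVerdictSource__Enable` does with such a value is not visible here. Since these two flags decide whether file hashes leave the cluster for the G DATA Cloud, a malformed value that silently falls back to the enabled path would be a privacy regression; consider guarding each entry with `{{- if not (kindIs "bool" .Values.cloud.hashLookup.enabled) }}{{ fail "cloud.hashLookup.enabled must be true or false" }}{{- end }}` immediately before it. Do not reach for `default` or `required` for this, because Go templates treat `false` as empty and both would mangle an explicit `false`. The enclosing `env:` list and container spec begin and end outside the hunk.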
+++ b/charts/vaas/values.yaml
@@ -39,6 +39,12 @@ mini-identity-provider:
 tolerations: []
 affinity: {}
+cloud:
+ hashLookup:
+ enabled: true
+ allowlistLookup:
+ enabled: true
+
 gateway:
 ingress:
 enabled: true
@@ -136,7 +142,7 @@ gateway:
 extraEnvVars: []
 # This block is only for G DATA's internal usage.
- hashlookup:
+ hashLookup:
 enabled: false
 apikey:
 value: ""
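Review bot: The second hunk renames the `gateway.hashlookup` key to `gateway.hashLookup`, which is a breaking change for any override file or template that still reads `.Values.gateway.hashlookup`: Helm does not reject unknown keys, so a stale override is silently ignored and a stale `{{ .Values.gateway.hashlookup.apikey.value }}` renders empty instead of failing. No template in this patch updates that reference, so either the template already used `hashLookup` or it now diverges from values.yaml; that is worth confirming, and the rename deserves a mention in the README next to the 1.4.0 bump. Separately, the new `cloud:` block in the first hunk carries no comment on what its `true` defaults imply; a line such as `# Both lookups send file hashes to the G DATA Cloud; set to false for air-gapped or privacy-sensitive deployments (see README).` above `cloud:` would make the egress implication visible where operators actually edit it.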