Ejemplo n.º 1
0
    def __init__(self, app, instance_keys, storage):
        self.app = app
        self._legacy_secscan_api = None

        validator = V2SecurityConfigValidator(
            app.config.get("FEATURE_SECURITY_SCANNER", False),
            app.config.get("SECURITY_SCANNER_ENDPOINT"),
        )

        if not validator.valid():
            msg = "Failed to validate security scanner V2 configuration"
            logger.warning(msg)
            raise InvalidConfigurationException(msg)

        url_scheme_and_hostname = URLSchemeAndHostname(
            app.config["PREFERRED_URL_SCHEME"], app.config["SERVER_HOSTNAME"])

        self._legacy_secscan_api = SecurityScannerAPI(
            app.config,
            storage,
            app.config["SERVER_HOSTNAME"],
            app.config["HTTPCLIENT"],
            uri_creator=get_blob_download_uri_getter(
                app.test_request_context("/"), url_scheme_and_hostname),
            instance_keys=instance_keys,
        )

        # NOTE: This import is in here because otherwise this class would depend upon app.
        # Its not great, but as this is intended to be legacy until its removed, its okay.
        from util.secscan.analyzer import LayerAnalyzer

        self._target_version = app.config.get(
            "SECURITY_SCANNER_ENGINE_VERSION_TARGET", 3)
        self._analyzer = LayerAnalyzer(app.config, self._legacy_secscan_api)
Ejemplo n.º 2
0
    def from_app(
        cls,
        app,
        config,
        user_password,
        ip_resolver,
        instance_keys,
        client=None,
        config_provider=None,
        init_scripts_location=None,
    ):
        """
        Creates a ValidatorContext from an app config, with a given config to validate.

        :param app: the Flask app to pull configuration information from
        :param config: the config to validate
        :param user_password: request password
        :param instance_keys: The instance keys handler
        :param ip_resolver: an App
        :param client: http client used to connect to services
        :param config_provider: config provider used to access config volume(s)
        :param init_scripts_location: location where initial load scripts are stored
        :return: ValidatorContext
        """
        url_scheme_and_hostname = URLSchemeAndHostname.from_app_config(
            app.config)

        return cls(
            config,
            user_password=user_password,
            http_client=client or app.config["HTTPCLIENT"],
            context=app.app_context,
            url_scheme_and_hostname=url_scheme_and_hostname,
            jwt_auth_max=app.config.get("JWT_AUTH_MAX_FRESH_S", 300),
            registry_title=app.config["REGISTRY_TITLE"],
            ip_resolver=ip_resolver,
            feature_sec_scanner=app.config.get("FEATURE_SECURITY_SCANNER",
                                               False),
            is_testing=app.config.get("TESTING", False),
            uri_creator=get_blob_download_uri_getter(
                app.test_request_context("/"), url_scheme_and_hostname),
            config_provider=config_provider,
            instance_keys=instance_keys,
            init_scripts_location=init_scripts_location,
        )
Ejemplo n.º 3
0
    def setUp(self):
        # Enable direct download in fake storage.
        storage.put_content(['local_us'], 'supports_direct_download', 'true')

        # Have fake storage say all files exist for the duration of the test.
        storage.put_content(['local_us'], 'all_files_exist', 'true')

        # Setup the database with fake storage.
        setup_database_for_testing(self)
        self.app = app.test_client()
        self.ctx = app.test_request_context()
        self.ctx.__enter__()

        instance_keys = InstanceKeys(app)
        self.api = SecurityScannerAPI(app.config,
                                      storage,
                                      app.config['SERVER_HOSTNAME'],
                                      app.config['HTTPCLIENT'],
                                      uri_creator=get_blob_download_uri_getter(
                                          app.test_request_context('/'),
                                          url_scheme_and_hostname),
                                      instance_keys=instance_keys)
Ejemplo n.º 4
0
def test_blob_download_uri_getter(app, url_scheme_and_hostname, repo_namespace,
                                  checksum, expected_value):
    blob_uri_getter = get_blob_download_uri_getter(
        app.test_request_context('/'), url_scheme_and_hostname)

    assert blob_uri_getter(repo_namespace, checksum) == expected_value
Ejemplo n.º 5
0
    notification_queue,
    secscan_notification_queue,
    chunk_cleanup_queue,
    namespace_gc_queue,
]

url_scheme_and_hostname = URLSchemeAndHostname(
    app.config["PREFERRED_URL_SCHEME"], app.config["SERVER_HOSTNAME"]
)
secscan_api = SecurityScannerAPI(
    app.config,
    storage,
    app.config["SERVER_HOSTNAME"],
    app.config["HTTPCLIENT"],
    uri_creator=get_blob_download_uri_getter(
        app.test_request_context("/"), url_scheme_and_hostname
    ),
    instance_keys=instance_keys,
)

repo_mirror_api = RepoMirrorAPI(
    app.config, app.config["SERVER_HOSTNAME"], app.config["HTTPCLIENT"], instance_keys=instance_keys
)

tuf_metadata_api = TUFMetadataAPI(app, app.config)

# Check for a key in config. If none found, generate a new signing key for Docker V2 manifests.
_v2_key_path = os.path.join(OVERRIDE_CONFIG_DIRECTORY, DOCKER_V2_SIGNINGKEY_FILENAME)
if os.path.exists(_v2_key_path):
    docker_v2_signing_key = RSAKey().load(_v2_key_path)
else: