def __init__(self, app, instance_keys, storage): self.app = app self._legacy_secscan_api = None validator = V2SecurityConfigValidator( app.config.get("FEATURE_SECURITY_SCANNER", False), app.config.get("SECURITY_SCANNER_ENDPOINT"), ) if not validator.valid(): msg = "Failed to validate security scanner V2 configuration" logger.warning(msg) raise InvalidConfigurationException(msg) url_scheme_and_hostname = URLSchemeAndHostname( app.config["PREFERRED_URL_SCHEME"], app.config["SERVER_HOSTNAME"]) self._legacy_secscan_api = SecurityScannerAPI( app.config, storage, app.config["SERVER_HOSTNAME"], app.config["HTTPCLIENT"], uri_creator=get_blob_download_uri_getter( app.test_request_context("/"), url_scheme_and_hostname), instance_keys=instance_keys, ) # NOTE: This import is in here because otherwise this class would depend upon app. # Its not great, but as this is intended to be legacy until its removed, its okay. from util.secscan.analyzer import LayerAnalyzer self._target_version = app.config.get( "SECURITY_SCANNER_ENGINE_VERSION_TARGET", 3) self._analyzer = LayerAnalyzer(app.config, self._legacy_secscan_api)
def from_app( cls, app, config, user_password, ip_resolver, instance_keys, client=None, config_provider=None, init_scripts_location=None, ): """ Creates a ValidatorContext from an app config, with a given config to validate. :param app: the Flask app to pull configuration information from :param config: the config to validate :param user_password: request password :param instance_keys: The instance keys handler :param ip_resolver: an App :param client: http client used to connect to services :param config_provider: config provider used to access config volume(s) :param init_scripts_location: location where initial load scripts are stored :return: ValidatorContext """ url_scheme_and_hostname = URLSchemeAndHostname.from_app_config( app.config) return cls( config, user_password=user_password, http_client=client or app.config["HTTPCLIENT"], context=app.app_context, url_scheme_and_hostname=url_scheme_and_hostname, jwt_auth_max=app.config.get("JWT_AUTH_MAX_FRESH_S", 300), registry_title=app.config["REGISTRY_TITLE"], ip_resolver=ip_resolver, feature_sec_scanner=app.config.get("FEATURE_SECURITY_SCANNER", False), is_testing=app.config.get("TESTING", False), uri_creator=get_blob_download_uri_getter( app.test_request_context("/"), url_scheme_and_hostname), config_provider=config_provider, instance_keys=instance_keys, init_scripts_location=init_scripts_location, )
def setUp(self): # Enable direct download in fake storage. storage.put_content(['local_us'], 'supports_direct_download', 'true') # Have fake storage say all files exist for the duration of the test. storage.put_content(['local_us'], 'all_files_exist', 'true') # Setup the database with fake storage. setup_database_for_testing(self) self.app = app.test_client() self.ctx = app.test_request_context() self.ctx.__enter__() instance_keys = InstanceKeys(app) self.api = SecurityScannerAPI(app.config, storage, app.config['SERVER_HOSTNAME'], app.config['HTTPCLIENT'], uri_creator=get_blob_download_uri_getter( app.test_request_context('/'), url_scheme_and_hostname), instance_keys=instance_keys)
def test_blob_download_uri_getter(app, url_scheme_and_hostname, repo_namespace, checksum, expected_value): blob_uri_getter = get_blob_download_uri_getter( app.test_request_context('/'), url_scheme_and_hostname) assert blob_uri_getter(repo_namespace, checksum) == expected_value
notification_queue, secscan_notification_queue, chunk_cleanup_queue, namespace_gc_queue, ] url_scheme_and_hostname = URLSchemeAndHostname( app.config["PREFERRED_URL_SCHEME"], app.config["SERVER_HOSTNAME"] ) secscan_api = SecurityScannerAPI( app.config, storage, app.config["SERVER_HOSTNAME"], app.config["HTTPCLIENT"], uri_creator=get_blob_download_uri_getter( app.test_request_context("/"), url_scheme_and_hostname ), instance_keys=instance_keys, ) repo_mirror_api = RepoMirrorAPI( app.config, app.config["SERVER_HOSTNAME"], app.config["HTTPCLIENT"], instance_keys=instance_keys ) tuf_metadata_api = TUFMetadataAPI(app, app.config) # Check for a key in config. If none found, generate a new signing key for Docker V2 manifests. _v2_key_path = os.path.join(OVERRIDE_CONFIG_DIRECTORY, DOCKER_V2_SIGNINGKEY_FILENAME) if os.path.exists(_v2_key_path): docker_v2_signing_key = RSAKey().load(_v2_key_path) else: