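def gate(anchore_config, force, image, imagefile, include_allanchore, editpolicy, rmpolicy,
         listpolicy, updatepolicy, policy, show_gatehelp, show_policytemplate, whitelist):
    """
    Runs gate checks on the specified image(s) or edits the image's gate policy.

    The --editpolicy option is only valid for a single image.

    The --image and --imagefile options are mutually exclusive.

    Image IDs can be specified as hash ids, repo names (e.g. centos), or tags (e.g. centos:latest).
    """
    # NOTE: the docstring above is the click help text shown to users, so the
    # developer-facing notes live in this comment instead.
    #
    # Parameters (presumably bound by click option decorators outside this
    # block -- confirm against them):
    #   anchore_config      -- handed to build_image_list() and controller.Controller().
    #   force               -- forwarded to controller.Controller(force=...).
    #   image / imagefile   -- image selectors; mutually exclusive. When neither is
    #                          given, build_image_list() is asked for the default set.
    #   include_allanchore  -- forwarded to build_image_list().
    #   editpolicy, whitelist, rmpolicy, updatepolicy, listpolicy
    #                       -- policy-management modes, tried in that order; the first
    #                          truthy one wins and the gates are not run. updatepolicy
    #                          is also passed through to Controller.updatepolicy().
    #   policy              -- passed to Controller.run_gates(policy=...); cannot be
    #                          combined with the policy-management modes.
    #   show_gatehelp / show_policytemplate
    #                       -- informational modes that need no image and exit early.
    #
    # Never returns: every path ends in sys.exit(). The exit code is 0 on success,
    # 1 on any failure, or whatever Controller.result_get_highest_action() yields
    # for the gate results. Failures inside the broad `except Exception` handlers
    # are deliberately collapsed into that exit code: this is the CLI boundary.
    ecode = 0

    # Informational modes: no image input is needed and the command exits as
    # soon as the output has been printed.
    if show_gatehelp:
        try:
            gate_info = anchore_utils.discover_gates()
            anchore_print(gate_info, do_formatting=True)
        except Exception as err:
            anchore_print_err("operation failed: " + str(err))
            sys.exit(1)
        sys.exit(0)

    if show_policytemplate:
        try:
            # Leading "" yields the blank first line the original output had.
            template_lines = [""]
            gate_info = anchore_utils.discover_gates()
            for gate_name, triggers in gate_info.items():
                for trigger_name, trigger_info in triggers.items():
                    # A missing, empty or literal 'none' params spec means the
                    # trigger takes no parameters.
                    param_spec = trigger_info['params'] if 'params' in trigger_info else None
                    if param_spec and param_spec.lower() != 'none':
                        params = [p + "=<a,b,c>" for p in param_spec.split(',')]
                    else:
                        params = []
                    template_lines.append(
                        ':'.join([gate_name, trigger_name, "<STOP|WARN|GO>", ' '.join(params)]))
            anchore_print("\n".join(template_lines) + "\n", do_formatting=False)
        except Exception as err:
            anchore_print_err("operation failed: " + str(err))
            sys.exit(1)
        sys.exit(0)

    # Everything below needs image input; reject contradictory option mixes
    # before doing any work.
    if image and imagefile:
        raise click.BadOptionUsage('Can only use one of --image, --imagefile')

    policy_edit_requested = editpolicy or whitelist or listpolicy or updatepolicy or rmpolicy
    if policy and policy_edit_requested:
        raise click.BadOptionUsage('Cannot use other policy options when --policy <file> is specified.')

    try:
        imagedict = build_image_list(anchore_config, image, imagefile,
                                     not (image or imagefile), include_allanchore)
        # discover_imageIds() resolves the user-supplied names/tags to image ids.
        # Its ValueError needs no special handler: every failure here is reported
        # the same way (the old `except ValueError: raise err` was a no-op that
        # could also drop the original traceback).
        imagelist = anchore_utils.discover_imageIds(imagedict.keys())
    except Exception:
        anchore_print_err("could not load any images")
        sys.exit(1)

    try:
        con = controller.Controller(anchore_config=anchore_config, imagelist=imagelist,
                                    allimages=contexts['anchore_allimages'], force=force)
    except Exception:
        anchore_print_err("gate operation failed")
        ecode = 1
    else:
        if editpolicy:
            if not con.editpolicy():
                ecode = 1
        elif whitelist:
            if not con.editwhitelist():
                ecode = 1
        elif rmpolicy:
            if con.rmpolicy():
                anchore_print("policies successfully removed.", do_formatting=True)
            else:
                ecode = 1
        elif updatepolicy:
            if con.updatepolicy(updatepolicy):
                anchore_print("policies successfully updated.", do_formatting=True)
            else:
                ecode = 1
        elif listpolicy:
            result = con.listpolicy()
            if not result:
                ecode = 1
            else:
                try:
                    # One "gate:trigger:action[:params]" line per policy entry,
                    # grouped by image id. (Local is `gate_name`, not `gate`,
                    # so the command function itself is not shadowed.)
                    record = {}
                    for image_id, pol in result.items():
                        lines = []
                        for gate_name, triggers in pol.items():
                            for trigger_name, entry in triggers.items():
                                fields = [gate_name, trigger_name, str(entry['action'])]
                                if str(entry['params']):
                                    fields.append(str(entry['params']))
                                lines.append(":".join(fields))
                        record[image_id] = lines
                    if record:
                        anchore_print(record, do_formatting=True)
                except Exception as err:
                    anchore_print_err("failed to list policies: " + str(err))
                    ecode = 1
        else:
            try:
                # Run the gates; the exit code reflects the most severe action
                # among the results, as ranked by the controller.
                result = con.run_gates(policy=policy)
                if result:
                    anchore_utils.print_result(anchore_config, result)
                    ecode = con.result_get_highest_action(result)
            except Exception as err:
                anchore_print_err("failed to run gates: " + str(err))
                ecode = 1

    # Drop the shared image cache before exiting, whatever the outcome.
    contexts['anchore_allimages'].clear()
    sys.exit(ecode)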
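def gate(anchore_config, force, image, imagefile, include_allanchore, editpolicy, rmpolicy,
         listpolicy, updatepolicy, policy, run_bundle, bundlefile, usetag, resultsonly,
         show_gatehelp, show_policytemplate, whitelist, global_whitelist, show_triggerids,
         show_whitelisted):
    """
    Runs gate checks on the specified image(s) or edits the image's gate policy.

    The --editpolicy option is only valid for a single image.

    The --image and --imagefile options are mutually exclusive.

    Image IDs can be specified as hash ids, repo names (e.g. centos), or tags (e.g. centos:latest).
    """
    # NOTE: the docstring above is the click help text shown to users, so the
    # developer-facing notes live in this comment instead.
    #
    # Parameters (presumably bound by click option decorators outside this
    # block -- confirm against them):
    #   anchore_config      -- handed to build_image_list(), controller.Controller()
    #                          and anchore_policy.run_bundle(); `.cliargs['json']`
    #                          selects JSON output in the bundle path.
    #   force               -- forwarded to controller.Controller(force=...).
    #   image / imagefile   -- image selectors; mutually exclusive.
    #   include_allanchore  -- forwarded to build_image_list().
    #   editpolicy, whitelist, rmpolicy, updatepolicy, listpolicy
    #                       -- policy-management modes, tried in that order; the first
    #                          truthy one wins and the gates are not run.
    #   policy              -- passed to Controller.run_gates(policy=...); exclusive
    #                          with the policy-management modes and with run_bundle.
    #   run_bundle          -- evaluate a synced policy bundle instead of run_gates().
    #   bundlefile          -- passed as policymetafile= to load_policymeta();
    #                          presumably a user-supplied path -- verify in anchore_policy.
    #   usetag              -- passed as matchtag= to run_bundle().
    #   resultsonly         -- bundle path only: print one flattened result set
    #                          instead of per-evaluation output and log lines.
    #   global_whitelist, show_triggerids, show_whitelisted
    #                       -- forwarded to Controller.run_gates().
    #   show_gatehelp / show_policytemplate
    #                       -- informational modes that need no image and exit early.
    #
    # Never returns: every path ends in sys.exit(). The exit code is 0 on success,
    # 1 on any failure, or the code returned by run_bundle() /
    # Controller.result_get_highest_action(). Failures inside the broad
    # `except Exception` handlers are deliberately collapsed into that exit code:
    # this is the CLI boundary.
    ecode = 0

    # Informational modes: no image input is needed and the command exits as
    # soon as the output has been printed.
    if show_gatehelp:
        try:
            gate_info = anchore_utils.discover_gates()
            anchore_print(gate_info, do_formatting=True)
        except Exception as err:
            anchore_print_err("operation failed: " + str(err))
            sys.exit(1)
        sys.exit(0)

    if show_policytemplate:
        try:
            # Leading "" yields the blank first line the original output had.
            template_lines = [""]
            gate_info = anchore_utils.discover_gates()
            for gate_name, triggers in gate_info.items():
                for trigger_name, trigger_info in triggers.items():
                    # A missing, empty or literal 'none' params spec means the
                    # trigger takes no parameters.
                    param_spec = trigger_info['params'] if 'params' in trigger_info else None
                    if param_spec and param_spec.lower() != 'none':
                        params = [p + "=<a,b,c>" for p in param_spec.split(',')]
                    else:
                        params = []
                    template_lines.append(
                        ':'.join([gate_name, trigger_name, "<STOP|WARN|GO>", ' '.join(params)]))
            anchore_print("\n".join(template_lines) + "\n", do_formatting=False)
        except Exception as err:
            anchore_print_err("operation failed: " + str(err))
            sys.exit(1)
        sys.exit(0)

    # Everything below needs image input; reject contradictory option mixes
    # before doing any work.
    if image and imagefile:
        raise click.BadOptionUsage('Can only use one of --image, --imagefile')

    policy_edit_requested = editpolicy or whitelist or listpolicy or updatepolicy or rmpolicy
    if policy and policy_edit_requested:
        raise click.BadOptionUsage('Cannot use other policy options when --policy <file> is specified.')

    if policy and run_bundle:
        raise click.BadOptionUsage('Cannot use both --policy and --run_bundle at the same time.')

    if run_bundle and policy_edit_requested:
        raise click.BadOptionUsage('Cannot use other policy options when --run_bundle is specified.')

    try:
        imagedict = build_image_list(anchore_config, image, imagefile,
                                     not (image or imagefile), include_allanchore)
        # The bundle path wants the names as the user gave them; keep a copy
        # before they are resolved to image ids.
        inputimagelist = list(imagedict.keys())
        # discover_imageIds()'s ValueError needs no special handler: every failure
        # here is reported the same way (the old `except ValueError: raise err`
        # was a no-op that could also drop the original traceback).
        imagelist = anchore_utils.discover_imageIds(imagedict.keys())
    except Exception:
        anchore_print_err("could not load any images")
        sys.exit(1)

    try:
        con = controller.Controller(anchore_config=anchore_config, imagelist=imagelist,
                                    allimages=contexts['anchore_allimages'], force=force)
    except Exception:
        anchore_print_err("gate operation failed")
        ecode = 1
    else:
        if editpolicy:
            if not con.editpolicy():
                ecode = 1
        elif whitelist:
            if not con.editwhitelist():
                ecode = 1
        elif rmpolicy:
            if con.rmpolicy():
                anchore_print("policies successfully removed.", do_formatting=True)
            else:
                ecode = 1
        elif updatepolicy:
            if con.updatepolicy(updatepolicy):
                anchore_print("policies successfully updated.", do_formatting=True)
            else:
                ecode = 1
        elif listpolicy:
            result = con.listpolicy()
            if not result:
                ecode = 1
            else:
                try:
                    # One "gate:trigger:action[:params]" line per policy entry,
                    # grouped by image id. (Local is `gate_name`, not `gate`,
                    # so the command function itself is not shadowed.)
                    record = {}
                    for image_id, pol in result.items():
                        lines = []
                        for gate_name, triggers in pol.items():
                            for trigger_name, entry in triggers.items():
                                fields = [gate_name, trigger_name, str(entry['action'])]
                                if str(entry['params']):
                                    fields.append(str(entry['params']))
                                lines.append(":".join(fields))
                        record[image_id] = lines
                    if record:
                        anchore_print(record, do_formatting=True)
                except Exception as err:
                    anchore_print_err("failed to list policies: " + str(err))
                    ecode = 1
        elif run_bundle:
            try:
                if not anchore_policy.check():
                    anchore_print_err("run-bundle specified, but it appears as though no policy bundles have been synced yet: run 'anchore policybundle sync' to get your latest bundles from anchore.io")
                    ecode = 1
                else:
                    bundle = anchore_policy.load_policymeta(policymetafile=bundlefile)
                    if not bundle:
                        raise Exception("could not load stored bundle - run 'anchore policybundle sync' and try again")
                    # A bundle without an 'id' is treated as a failed run (KeyError
                    # lands in the handler below) rather than evaluated anonymously.
                    bundleId = bundle['id']
                    # run_bundle() supplies the exit code for this path directly.
                    result, ecode = anchore_policy.run_bundle(anchore_config=anchore_config,
                                                              imagelist=inputimagelist,
                                                              matchtag=usetag, bundle=bundle)
                    # Loop variable is `image_id`, not `image`, so the --image
                    # parameter is not clobbered.
                    if resultsonly:
                        # Flatten every evaluation into a single result set.
                        final_result = {}
                        for image_id in result:
                            for gate_result in result[image_id]['evaluations']:
                                final_result.update(gate_result['results'])
                        anchore_utils.print_result(anchore_config, final_result)
                    elif anchore_config.cliargs['json']:
                        import json
                        anchore_print(json.dumps(result))
                    else:
                        for image_id in result:
                            for gate_result in result[image_id]['evaluations']:
                                _logger.info("BundleId=" + bundleId
                                             + " Policy=" + gate_result['policy_name']
                                             + " Whitelists=" + str(gate_result['whitelist_names']))
                                anchore_utils.print_result(anchore_config, gate_result['results'])
            except Exception:
                anchore_print_err("failed to run gates")
                ecode = 1
        else:
            try:
                # Run the gates; the exit code reflects the most severe action
                # among the results, as ranked by the controller.
                result = con.run_gates(policy=policy, global_whitelist=global_whitelist,
                                       show_triggerIds=show_triggerids,
                                       show_whitelisted=show_whitelisted)
                if result:
                    anchore_utils.print_result(anchore_config, result)
                    ecode = con.result_get_highest_action(result)
            except Exception:
                anchore_print_err("failed to run gates")
                ecode = 1

    # Drop the shared image cache before exiting, whatever the outcome.
    contexts['anchore_allimages'].clear()
    sys.exit(ecode)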
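def gate(anchore_config, force, image, imagefile, include_allanchore, editpolicy, rmpolicy,
         listpolicy, updatepolicy, policy, run_bundle, bundlefile, usetag, resultsonly,
         show_gatehelp, show_policytemplate, whitelist, global_whitelist, show_triggerids,
         show_whitelisted):
    """
    Runs gate checks on the specified image(s) or edits the image's gate policy.

    The --editpolicy option is only valid for a single image.

    The --image and --imagefile options are mutually exclusive.

    Image IDs can be specified as hash ids, repo names (e.g. centos), or tags (e.g. centos:latest).
    """
    # NOTE: the docstring above is the click help text shown to users, so the
    # developer-facing notes live in this comment instead.
    #
    # Parameters (presumably bound by click option decorators outside this
    # block -- confirm against them):
    #   anchore_config      -- handed to build_image_list(), controller.Controller()
    #                          and anchore_policy.run_bundle(); `.cliargs['json']`
    #                          selects JSON output in the bundle path.
    #   force               -- forwarded to controller.Controller(force=...).
    #   image / imagefile   -- image selectors; mutually exclusive. --usetag needs
    #                          --image.
    #   include_allanchore  -- forwarded to build_image_list().
    #   editpolicy, whitelist, rmpolicy, updatepolicy, listpolicy
    #                       -- policy-management modes, tried in that order; the first
    #                          truthy one wins and the gates are not run.
    #   policy              -- passed to Controller.run_gates(policy=...); exclusive
    #                          with the policy-management modes and with run_bundle.
    #   run_bundle          -- evaluate a synced policy bundle, one image at a time.
    #   bundlefile          -- passed as policymetafile= to load_policymeta();
    #                          presumably a user-supplied path -- verify in anchore_policy.
    #   usetag              -- passed as matchtags= to run_bundle(); exclusive with
    #                          resultsonly.
    #   resultsonly         -- bundle path only: print one flattened result set
    #                          instead of per-evaluation output and log lines.
    #   global_whitelist    -- forwarded to Controller.run_gates().
    #   show_triggerids, show_whitelisted
    #                       -- forwarded to both run_gates() and run_bundle().
    #   show_gatehelp / show_policytemplate
    #                       -- informational modes that need no image and exit early.
    #
    # Never returns: every path ends in sys.exit(). The exit code is 0 on success,
    # 1 on any failure, the aggregate of the per-image run_bundle() codes, or
    # Controller.result_get_highest_action(). Failures inside the broad
    # `except Exception` handlers are deliberately collapsed into that exit code:
    # this is the CLI boundary.
    ecode = 0

    # Informational modes: no image input is needed and the command exits as
    # soon as the output has been printed.
    if show_gatehelp:
        try:
            gate_info = anchore_utils.discover_gates()
            anchore_print(gate_info, do_formatting=True)
        except Exception as err:
            anchore_print_err("operation failed: " + str(err))
            sys.exit(1)
        sys.exit(0)

    if show_policytemplate:
        try:
            # Leading "" yields the blank first line the original output had.
            template_lines = [""]
            gate_info = anchore_utils.discover_gates()
            for gate_name, triggers in gate_info.items():
                for trigger_name, trigger_info in triggers.items():
                    # A missing, empty or literal 'none' params spec means the
                    # trigger takes no parameters.
                    param_spec = trigger_info['params'] if 'params' in trigger_info else None
                    if param_spec and param_spec.lower() != 'none':
                        params = [p + "=<a,b,c>" for p in param_spec.split(',')]
                    else:
                        params = []
                    template_lines.append(
                        ':'.join([gate_name, trigger_name, "<STOP|WARN|GO>", ' '.join(params)]))
            anchore_print("\n".join(template_lines) + "\n", do_formatting=False)
        except Exception as err:
            anchore_print_err("operation failed: " + str(err))
            sys.exit(1)
        sys.exit(0)

    # Everything below needs image input; reject contradictory option mixes
    # before doing any work.
    if image and imagefile:
        raise click.BadOptionUsage('Can only use one of --image, --imagefile')

    policy_edit_requested = editpolicy or whitelist or listpolicy or updatepolicy or rmpolicy
    if policy and policy_edit_requested:
        raise click.BadOptionUsage('Cannot use other policy options when --policy <file> is specified.')

    if policy and run_bundle:
        raise click.BadOptionUsage('Cannot use both --policy and --run_bundle at the same time.')

    if run_bundle and policy_edit_requested:
        raise click.BadOptionUsage('Cannot use other policy options when --run_bundle is specified.')

    if run_bundle and usetag and resultsonly:
        raise click.BadOptionUsage('Cannot use --resultsonly if --usetag is specified.')

    if run_bundle and usetag and not image:
        raise click.BadOptionUsage('Cannot specify --usetag unless gating a single image (using --image)')

    try:
        imagedict = build_image_list(anchore_config, image, imagefile,
                                     not (image or imagefile), include_allanchore)
        # The bundle path wants the names as the user gave them; keep a copy
        # before they are resolved to image ids.
        inputimagelist = list(imagedict.keys())
        # discover_imageIds()'s ValueError needs no special handler: every failure
        # here is reported the same way (the old `except ValueError: raise err`
        # was a no-op that could also drop the original traceback).
        imagelist = anchore_utils.discover_imageIds(imagedict.keys())
    except Exception:
        anchore_print_err("could not load any images")
        sys.exit(1)

    try:
        con = controller.Controller(anchore_config=anchore_config, imagelist=imagelist,
                                    allimages=contexts['anchore_allimages'], force=force)
    except Exception:
        anchore_print_err("gate operation failed")
        ecode = 1
    else:
        if editpolicy:
            if not con.editpolicy():
                ecode = 1
        elif whitelist:
            if not con.editwhitelist():
                ecode = 1
        elif rmpolicy:
            if con.rmpolicy():
                anchore_print("policies successfully removed.", do_formatting=True)
            else:
                ecode = 1
        elif updatepolicy:
            if con.updatepolicy(updatepolicy):
                anchore_print("policies successfully updated.", do_formatting=True)
            else:
                ecode = 1
        elif listpolicy:
            result = con.listpolicy()
            if not result:
                ecode = 1
            else:
                try:
                    # One "gate:trigger:action[:params]" line per policy entry,
                    # grouped by image id. (Local is `gate_name`, not `gate`,
                    # so the command function itself is not shadowed.)
                    record = {}
                    for image_id, pol in result.items():
                        lines = []
                        for gate_name, triggers in pol.items():
                            for trigger_name, entry in triggers.items():
                                fields = [gate_name, trigger_name, str(entry['action'])]
                                if str(entry['params']):
                                    fields.append(str(entry['params']))
                                lines.append(":".join(fields))
                        record[image_id] = lines
                    if record:
                        anchore_print(record, do_formatting=True)
                except Exception as err:
                    anchore_print_err("failed to list policies: " + str(err))
                    ecode = 1
        elif run_bundle:
            try:
                if not anchore_policy.check():
                    anchore_print_err("run-bundle specified, but it appears as though no policy bundles have been synced yet: run 'anchore policybundle sync' to get your latest bundles from anchore.io")
                    ecode = 1
                else:
                    bundle = anchore_policy.load_policymeta(policymetafile=bundlefile)
                    if not bundle:
                        raise Exception("could not load stored bundle - run 'anchore policybundle sync' and try again")
                    # Explicit check instead of the old dead `inputimagelist[0]`
                    # read, which failed with an IndexError on an empty list.
                    if not inputimagelist:
                        raise Exception("no images to evaluate")
                    # A bundle without an 'id' is treated as a failed run (KeyError
                    # lands in the handler below) rather than evaluated anonymously.
                    bundleId = bundle['id']
                    allresults = {}
                    for inputimage in inputimagelist:
                        result, image_ecode = anchore_policy.run_bundle(
                            anchore_config=anchore_config, image=inputimage, matchtags=usetag,
                            bundle=bundle, show_whitelisted=show_whitelisted,
                            show_triggerIds=show_triggerids)
                        allresults.update(result)
                        # Aggregate per-image codes: a 1 (presumably the STOP action --
                        # confirm against anchore_policy) overrides everything;
                        # otherwise the first non-zero code seen is kept.
                        if image_ecode == 1:
                            ecode = 1
                        elif ecode == 0 and image_ecode > 0:
                            ecode = image_ecode
                    # Loop variable is `image_id`, not `image`, so the --image
                    # parameter is not clobbered.
                    if resultsonly:
                        # Flatten every evaluation into a single result set.
                        final_result = {}
                        for image_id in allresults:
                            for gate_result in allresults[image_id]['evaluations']:
                                final_result.update(gate_result['results'])
                        anchore_utils.print_result(anchore_config, final_result)
                    elif anchore_config.cliargs['json']:
                        anchore_print(json.dumps(allresults))
                    else:
                        for image_id in allresults:
                            for gate_result in allresults[image_id]['evaluations']:
                                _logger.info("Image=" + image_id
                                             + " BundleId=" + bundleId
                                             + " Policy=" + gate_result['policy_name']
                                             + " Whitelists=" + str(gate_result['whitelist_names']))
                                anchore_utils.print_result(anchore_config, gate_result['results'])
            except Exception:
                anchore_print_err("failed to run gates")
                ecode = 1
        else:
            try:
                # Run the gates; the exit code reflects the most severe action
                # among the results, as ranked by the controller.
                result = con.run_gates(policy=policy, global_whitelist=global_whitelist,
                                       show_triggerIds=show_triggerids,
                                       show_whitelisted=show_whitelisted)
                if result:
                    anchore_utils.print_result(anchore_config, result)
                    ecode = con.result_get_highest_action(result)
            except Exception:
                anchore_print_err("failed to run gates")
                ecode = 1

    # Drop the shared image cache before exiting, whatever the outcome.
    contexts['anchore_allimages'].clear()
    sys.exit(ecode)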