def requestAvatarId_db(self, credentials): try: username = credentials.username with session_scope() as dbsession: user_record = db_users.get(username, session=dbsession) if not user_record: return defer.fail(credError.UnauthorizedLogin("Invalid user")) elif not user_record['active']: return defer.fail(credError.UnauthorizedLogin("Inactive user")) else: #from passlib.hash import pbkdf2_sha256 #hashpw = user_record['password'] #if pbkdf2_sha256.verify(credentials.password, hashpw): if user_record['password'] == credentials.password: return (defer.succeed(username)) return defer.fail(credError.UnauthorizedLogin("Bad password")) except Exception as err: return defer.fail( credError.UnauthorizedLogin("Auth check exception - " + str(err))) return defer.fail(credError.UnauthorizedLogin("Unknown auth failure"))
def _get_content(self, url): """ This can be *big*, as in hundreds of MB of data. Supported url formats: file:// http(s):// catalog://<userId>/<bucket>/<name> :param url: :return: """ split_url = urllib.splittype(url) if split_url[0] == 'file': return self._get_file(split_url[1]) elif split_url[0] == 'catalog': userId, bucket, name = split_url[1][2:].split('/') # Add auth if necessary try: with session_scope() as dbsession: usr_record = db_users.get(userId, session=dbsession) if not usr_record: raise Exception( 'User {} not found, cannot fetch analysis data'.format( userId)) except: log.exception( 'Cannot get credentials for user {} fetching the analysis content to load' .format(userId)) raise try: doc = catalog.get_document( (usr_record['userId'], usr_record['password']), bucket, name) return doc except: log.exception( 'Error retrieving analysis json from the catalog service') raise elif split_url[0].startswith('http'): retry = 3 while retry > 0: try: data_response = requests.get(url=url) content = data_response.json() return content except requests.HTTPError as ex: log.exception('HTTP exception: {}. Retrying'.format(ex)) retry = retry - 1 time.sleep(retry * 3) # Backoff and retry except: log.exception('Non HTTP exception. Retrying') retry = retry - 1 else: raise Exception('Cannot get content from url: {}'.format(url))
def get_system_user_auth(session=None): localconfig = anchore_engine.configuration.localconfig.get_config() if 'system_user_auth' in localconfig and localconfig[ 'system_user_auth'] != (None, None): return (localconfig['system_user_auth']) if session: system_user = db_users.get('anchore-system', session=session) if system_user: return ((system_user['userId'], system_user['password'])) return ((None, None))
def do_db_bootstrap(localconfig=None): with upgrade_context(my_module_upgrade_id) as ctx: from anchore_engine.db import db_users, session_scope with session_scope() as dbsession: # system user try: system_user_record = db_users.get('anchore-system', session=dbsession) if not system_user_record: rc = db_users.add('anchore-system', str(uuid.uuid4()), {'active': True}, session=dbsession) else: db_users.update(system_user_record['userId'], system_user_record['password'], {'active': True}, session=dbsession) except Exception as err: raise Exception("Initialization failed: could not fetch/add anchore-system user from/to DB - exception: " + str(err))
def do_db_bootstrap(localconfig=None): with upgrade_context(my_module_upgrade_id) as ctx: from anchore_engine.db import db_users, session_scope with session_scope() as dbsession: # system user try: system_user_record = db_users.get('anchore-system', session=dbsession) if not system_user_record: rc = db_users.add('anchore-system', str(uuid.uuid4()), {'active': True}, session=dbsession) else: db_users.update(system_user_record['userId'], system_user_record['password'], {'active': True}, session=dbsession) except Exception as err: raise Exception("Initialization failed: could not fetch/add anchore-system user from/to DB - exception: " + str(err)) if False and localconfig: try: for userId in localconfig['credentials']['users']: if not localconfig['credentials']['users'][userId]: localconfig['credentials']['users'][userId] = {} cuser = localconfig['credentials']['users'][userId] password = cuser.pop('password', None) email = cuser.pop('email', None) if password and email: db_users.add(userId, password, {'email': email, 'active': True}, session=dbsession) else: raise Exception("user defined but has empty password/email: " + str(userId)) user_records = db_users.get_all(session=dbsession) for user_record in user_records: if user_record['userId'] == 'anchore-system': continue if user_record['userId'] not in localconfig['credentials']['users']: logger.info("flagging user '"+str(user_record['userId']) + "' as inactive (in DB, not in configuration)") db_users.update(user_record['userId'], user_record['password'], {'active': False}, session=dbsession) except Exception as err: raise Exception("Initialization failed: could not add users from config into DB - exception: " + str(err))
def requestAvatarId_db(self, credentials): try: username = str(credentials.username, 'utf-8') with session_scope() as dbsession: user_record = db_users.get(username, session=dbsession) if not user_record: return defer.fail(credError.UnauthorizedLogin("Invalid user")) elif not user_record['active']: return defer.fail(credError.UnauthorizedLogin("Inactive user")) else: if user_record['password'] == str(credentials.password, 'utf-8'): return defer.succeed(username.encode('utf8')) return defer.fail(credError.UnauthorizedLogin("Bad password")) except Exception as err: logger.exception('Error during auth') return defer.fail( credError.UnauthorizedLogin("Auth check exception - " + str(err))) return defer.fail(credError.UnauthorizedLogin("Unknown auth failure"))
def initialize(localconfig=None, versions=None, bootstrap_db=False, specific_tables=None, bootstrap_users=False): """ Initialize the db for use. Optionally bootstrap it and optionally only for specific entities. :param versions: :param bootstrap_db: :param specific_entities: a list of entity classes to initialize if a subset is desired. Expects a list of classes. :return: """ global engine, Session if versions is None: versions = {} #localconfig = anchore_engine.configuration.localconfig.get_config() ret = True try: db_auth = localconfig['credentials']['database'] # connect to DB using db_connect from configuration db_connect = None db_connect_args = {} db_pool_size = 10 db_pool_max_overflow = 20 if 'db_connect' in db_auth and db_auth['db_connect']: db_connect = db_auth['db_connect'] if 'db_connect_args' in db_auth and db_auth['db_connect_args']: db_connect_args = db_auth['db_connect_args'] if 'db_pool_size' in db_auth: db_pool_size = int(db_auth['db_pool_size']) if 'db_pool_max_overflow' in db_auth: db_pool_max_overflow = int(db_auth['db_pool_max_overflow']) except: raise Exception( "could not locate credentials->database entry from configuration: add 'database' section to 'credentials' section in configuration file" ) db_connect_retry_max = 3 for count in range(0, db_connect_retry_max): try: if db_connect: try: if db_connect.startswith('sqlite://'): # Special case for testing with sqlite. Not for production use, unit tests only engine = sqlalchemy.create_engine(db_connect, echo=False) else: engine = sqlalchemy.create_engine( db_connect, connect_args=db_connect_args, echo=False, pool_size=db_pool_size, max_overflow=db_pool_max_overflow) except Exception as err: raise Exception("could not connect to DB - exception: " + str(err)) else: raise Exception( "could not locate db_connect string from configuration: add db_connect parameter to configuration file" ) # set up the global session try: Session = sessionmaker(bind=engine) except Exception as err: raise Exception("could not create DB session - exception: " + str(err)) # set up thread-local session factory init_thread_session() # create try: if specific_tables: logger.info( 'Initializing only a subset of tables as requested: {}' .format(specific_tables)) Base.metadata.create_all(engine, tables=specific_tables) else: Base.metadata.create_all(engine) except Exception as err: raise Exception( "could not create/re-create DB tables - exception: " + str(err)) break except Exception as err: if count > db_connect_retry_max: raise Exception( "could not establish connection to DB after retry - last exception: " + str(err)) else: log.err( "could not connect to db, retrying in 10 seconds - exception: " + str(err)) time.sleep(10) if bootstrap_db: from anchore_engine.db import db_anchore, db_users with session_scope() as dbsession: # version check version_record = db_anchore.get(session=dbsession) if not version_record: db_anchore.add(versions['service_version'], versions['db_version'], versions, session=dbsession) version_record = db_anchore.get(session=dbsession) if bootstrap_users: # system user try: system_user_record = db_users.get('anchore-system', session=dbsession) if not system_user_record: rc = db_users.add('anchore-system', str(uuid.uuid4()), {'active': True}, session=dbsession) else: db_users.update(system_user_record['userId'], system_user_record['password'], {'active': True}, session=dbsession) except Exception as err: raise Exception( "Initialization failed: could not fetch/add anchore-system user from/to DB - exception: " + str(err)) try: for userId in localconfig['credentials']['users']: if not localconfig['credentials']['users'][userId]: localconfig['credentials']['users'][userId] = {} cuser = localconfig['credentials']['users'][userId] password = cuser.pop('password', None) email = cuser.pop('email', None) if password and email: # try: # from passlib.hash import pbkdf2_sha256 # hashpw = pbkdf2_sha256.encrypt(password, rounds=200000, salt_size=16) # password = hashpw # except: # pass db_users.add(userId, password, { 'email': email, 'active': True }, session=dbsession) else: raise Exception( "user defined but has empty password/email: " + str(userId)) user_records = db_users.get_all(session=dbsession) for user_record in user_records: if user_record['userId'] == 'anchore-system': continue if user_record['userId'] not in localconfig[ 'credentials']['users']: logger.info( "flagging user '" + str(user_record['userId']) + "' as inactive (in DB, not in configuration)") db_users.update(user_record['userId'], user_record['password'], {'active': False}, session=dbsession) except Exception as err: raise Exception( "Initialization failed: could not add users from config into DB - exception: " + str(err)) print("Starting up version: " + json.dumps(versions)) print("\tDB version: " + json.dumps(version_record)) try: rc = do_upgrade(version_record, versions) if rc: # if successful upgrade, set the DB values to the incode values with session_scope() as dbsession: db_anchore.add(versions['service_version'], versions['db_version'], versions, session=dbsession) except Exception as err: raise Exception( "Initialization failed: upgrade failed - exception: " + str(err)) return (ret)
def makeService(snames, options, bootstrap_db=False, bootstrap_users=False): try: # config and init configfile = configdir = None if options['config']: configdir = options['config'] configfile = os.path.join(options['config'], 'config.yaml') anchore_engine.configuration.localconfig.load_config( configdir=configdir, configfile=configfile) localconfig = anchore_engine.configuration.localconfig.get_config() localconfig['myservices'] = [] logger.spew("localconfig=" + json.dumps(localconfig, indent=4, sort_keys=True)) except Exception as err: log.err("cannot load configuration: exception - " + str(err)) raise err # get versions of things try: versions = anchore_engine.configuration.localconfig.get_versions() except Exception as err: log.err("cannot detect versions of service: exception - " + str(err)) raise err logger.info("initializing database") # connect to DB try: db.initialize(versions=versions, bootstrap_db=bootstrap_db, bootstrap_users=bootstrap_users) except Exception as err: log.err("cannot connect to configured DB: exception - " + str(err)) raise err #credential bootstrap with session_scope() as dbsession: system_user = db_users.get('anchore-system', session=dbsession) localconfig['system_user_auth'] = (system_user['userId'], system_user['password']) # application object application = service.Application("multi-service-" + '-'.join(snames)) #from twisted.python.log import ILogObserver, FileLogObserver #from twisted.python.logfile import DailyLogFile #logfile = DailyLogFile("ghgh.log", "/tmp/") #multi-service retservice = service.MultiService() retservice.setServiceParent(application) success = False try: scount = 0 for sname in snames: if sname in localconfig['services'] and localconfig['services'][ sname]['enabled']: smodule = importlib.import_module("anchore_engine.services." + sname) s = smodule.createService(sname, localconfig) s.setServiceParent(retservice) rc = smodule.initializeService(sname, localconfig) if not rc: raise Exception("failed to initialize service") rc = smodule.registerService(sname, localconfig) if not rc: raise Exception("failed to register service") logger.debug("starting service: " + sname) success = True scount += 1 localconfig['myservices'].append(sname) else: log.err( "service not enabled in config, not starting service: " + sname) if scount == 0: log.err( "no services/subservices were enabled/started on this host") success = False except Exception as err: log.err("cannot create/init/register service: " + sname + " - exception: " + str(err)) success = False if not success: log.err("cannot start service (see above for information)") traceback.print_exc('Service init failure') raise Exception("cannot start service (see above for information)") return (retservice)
def _get_catalog_creds(self, session): if not self._catalog_creds: self._catalog_creds = db_users.get(userId='admin', session=session) return self._catalog_creds