def testWhitelists(self):
print('Building executable bundle from default bundle')
test_tag = 'docker.io/library/ruby:latest'
built = build_bundle(self.default_bundle, for_tag=test_tag)
self.assertFalse(built.init_errors)
print(('Got: {}'.format(built)))
db = get_session()
img_obj = self.get_image_named(db, 'ruby')
self.assertIsNotNone(img_obj, 'Failed to get an image object to test')
evaluation = built.execute(img_obj,
tag=test_tag,
context=ExecutionContext(db_session=db,
configuration={}))
self.assertIsNotNone(evaluation, 'Got None eval')
print((json.dumps(evaluation.json(), indent=2)))
print((json.dumps(evaluation.as_table_json(), indent=2)))
to_whitelist = evaluation.bundle_decision.policy_decisions[
0].decisions[0]
whitelist_bundle = copy.deepcopy(self.default_bundle)
whitelist_bundle['whitelists'].append({
'id':
'generated_whitelist1',
'name':
'test_whitelist',
'version':
'1_0',
'items': [{
'gate': to_whitelist.match.trigger.gate_cls.__gate_name__,
'trigger_id': to_whitelist.match.id,
'id': 'test_whitelistitem'
}]
})
whitelist_bundle['mappings'][0]['whitelist_ids'] = [
'generated_whitelist1'
]
built = build_bundle(whitelist_bundle, for_tag=test_tag)
print(('Got updated: {}'.format(built)))
img_obj = self.get_image_named(db, 'ruby')
self.assertIsNotNone(img_obj, 'Failed to get an image object to test')
evaluation = built.execute(img_obj,
tag=test_tag,
context=ExecutionContext(db_session=db,
configuration={}))
self.assertIsNotNone(evaluation, 'Got None eval')
#print(json.dumps(evaluation.json(), indent=2))
#print(json.dumps(evaluation.as_table_json(), indent=2))
self.assertNotIn(to_whitelist.match.id, [
x.match.id if not (hasattr(x.match, 'is_whitelisted')
and x.match.is_whitelisted) else None
for x in evaluation.bundle_decision.policy_decisions[0].decisions
])
def testBasicLegacyEvaluation(self):
db = get_session()
print('Building executable bundle from default bundle')
test_tag = 'docker.io/library/ruby:latest'
built = build_bundle(self.default_bundle, for_tag=test_tag)
self.assertFalse(built.init_errors)
print(('Got: {}'.format(built)))
img_obj = self.get_image_named(db, 'ruby')
self.assertIsNotNone(img_obj, 'Failed to get an image object to test')
evaluation = built.execute(img_obj, tag=test_tag,
context=ExecutionContext(db_session=db, configuration={}))
self.assertIsNotNone(evaluation, 'Got None eval')
print((json.dumps(evaluation.json(), indent=2)))
print((json.dumps(evaluation.as_table_json(), indent=2)))
print('Building executable bundle from old default bundle')
test_tag = 'docker.io/library/ruby:latest'
built = build_bundle(self.old_bundle, for_tag=test_tag)
self.assertFalse(built.init_errors)
print(('Got: {}'.format(built)))
img_obj = self.get_image_named(db, 'ruby')
self.assertIsNotNone(img_obj, 'Failed to get an image object to test')
evaluation = built.execute(img_obj, tag=test_tag,
context=ExecutionContext(db_session=db, configuration={}))
self.assertIsNotNone(evaluation, 'Got None eval')
print((json.dumps(evaluation.json(), indent=2)))
print((json.dumps(evaluation.as_table_json(), indent=2)))
def test_image_whitelist(self):
bundle = {
'id': 'multigate1',
'name': 'Multigate test1',
'version': '1_0',
'policies': [
{
'id': 'policy1',
'name': 'Test policy1',
'version': '1_0',
'rules': [
{
'gate': 'always',
'trigger': 'always',
'params': [],
'action': 'STOP'
}
]
}
],
'whitelists': [],
'mappings': [
{
'registry': '*', 'repository': '*', 'image': {'type': 'tag', 'value': '*'}, 'policy_id': 'policy1', 'whitelist_ids': []
}
],
'whitelisted_images': [
{
'registry': '*',
'repository': '*',
'image': {
'type': 'tag',
'value': 'latest'
}
}
],
'blacklisted_images': []
}
db = get_session()
img_obj = self.get_image_named(db, 'ruby')
self.assertIsNotNone(img_obj, 'Failed to get an image object to test')
test_tag = 'docker.io/library/ruby:alpine'
built = build_bundle(bundle, for_tag=test_tag)
evaluation = built.execute(img_obj, tag=test_tag,
context=ExecutionContext(db_session=db, configuration={}))
self.assertIsNotNone(evaluation)
self.assertEqual(GateAction.stop, evaluation.bundle_decision.final_decision)
self.assertEqual('policy_evaluation', evaluation.bundle_decision.reason)
self.assertIsNotNone(img_obj, 'Failed to get an image object to test')
test_tag = 'docker.io/library/ruby:latest'
built = build_bundle(bundle, for_tag=test_tag)
evaluation = built.execute(img_obj, tag=test_tag,
context=ExecutionContext(db_session=db, configuration={}))
self.assertIsNotNone(evaluation)
self.assertEqual(GateAction.go, evaluation.bundle_decision.final_decision)
self.assertEqual('whitelisted', evaluation.bundle_decision.reason)
def testWhitelists(self):
print('Building executable bundle from default bundle')
test_tag = 'docker.io/library/node:latest'
[
x for x in self.default_bundle['whitelists']
if x['id'] == 'wl_jessie'
][0]['items'].append({
'gate': 'ANCHORESEC',
'trigger_id': '*binutils*',
'id': 'testinserted123'
})
built = build_bundle(self.default_bundle, for_tag=test_tag)
self.assertFalse(built.init_errors)
print(('Got: {}'.format(built)))
db = get_session()
img_obj = db.query(Image).get(
(self.test_env.get_images_named('node')[0][0], '0'))
if not img_obj:
self.load_images()
self.assertIsNotNone(img_obj, 'Failed to get an image object to test')
t = time.time()
evaluation = built.execute(img_obj,
tag=test_tag,
context=ExecutionContext(db_session=db,
configuration={}))
self.assertIsNotNone(evaluation, 'Got None eval')
print(('Evaluation: {}'.format(json.dumps(evaluation.json(),
indent=2))))
print(('Took: {}'.format(time.time() - t)))
# Run without index handlers
print('Running without optimized indexes')
ExecutableWhitelist._use_indexes = False
no_index_built = build_bundle(self.default_bundle, for_tag=test_tag)
self.assertFalse(no_index_built.init_errors)
print(('Got: {}'.format(no_index_built)))
t = time.time()
no_index_evaluation = no_index_built.execute(img_obj,
tag=test_tag,
context=ExecutionContext(
db_session=db,
configuration={}))
ExecutableWhitelist._use_indexes = True
self.assertDictEqual(
evaluation.json(), no_index_evaluation.json(),
'Index vs non-indexed returned different results')
self.assertIsNotNone(no_index_evaluation, 'Got None eval')
print(('Non-indexed Evaluation: {}'.format(
json.dumps(evaluation.json(), indent=2))))
print(('Non-indexed Evaluation Took: {}'.format(time.time() - t)))
def test_basic_evaluation(test_data_env_with_images_loaded):
db = get_thread_scoped_session()
logger.info("Session state: {}".format(db.__dict__))
logger.info("Building executable bundle from default bundle")
test_tag = "docker.io/library/ruby:latest"
test_bundle = test_data_env_with_images_loaded.get_bundle("multitest")
built = build_bundle(test_bundle, for_tag=test_tag)
assert not built.init_errors
logger.info("Got: {}".format(built))
img_obj = get_image_named(db, test_data_env_with_images_loaded, "ruby")
assert img_obj is not None
assert img_obj is not None, "Failed to get an image object to test"
evaluation = built.execute(img_obj,
tag=test_tag,
context=ExecutionContext(db_session=db,
configuration={}))
assert evaluation is not None, "Got None eval"
logger.info("Native json: {}\n".format(
json.dumps(evaluation.json(), indent=2)))
logger.info("Table json: {}\n".format(
json.dumps(evaluation.as_table_json(), indent=2)))
# Diff old an new defaults
multi_bundle = test_data_env_with_images_loaded.get_bundle("multi_default")
multi_default = build_bundle(multi_bundle, for_tag=test_tag)
assert not built.init_errors
logger.info("Got: {}".format(multi_default))
assert img_obj is not None, "Failed to get an image object to test"
multi_default_evaluation = multi_default.execute(img_obj,
tag=test_tag,
context=ExecutionContext(
db_session=db,
configuration={}))
default_built = build_bundle(
test_data_env_with_images_loaded.get_bundle("default"),
for_tag=test_tag)
assert not built.init_errors
logger.info("Got: {}".format(default_built))
assert img_obj is not None, "Failed to get an image object to test"
default_evaluation = default_built.execute(img_obj,
tag=test_tag,
context=ExecutionContext(
db_session=db,
configuration={}))
assert (multi_default_evaluation.as_table_json() ==
default_evaluation.as_table_json())
def test_basic_evaluation(test_data_env_with_images_loaded):
db = get_thread_scoped_session()
logger.info('Session state: {}'.format(db.__dict__))
logger.info('Building executable bundle from default bundle')
test_tag = 'docker.io/library/ruby:latest'
test_bundle = test_data_env_with_images_loaded.get_bundle('multitest')
built = build_bundle(test_bundle, for_tag=test_tag)
assert not built.init_errors
logger.info('Got: {}'.format(built))
img_obj = get_image_named(db, test_data_env_with_images_loaded, 'ruby')
assert img_obj is not None
assert img_obj is not None, 'Failed to get an image object to test'
evaluation = built.execute(img_obj,
tag=test_tag,
context=ExecutionContext(db_session=db,
configuration={}))
assert evaluation is not None, 'Got None eval'
logger.info('Native json: {}\n'.format(
json.dumps(evaluation.json(), indent=2)))
logger.info('Table json: {}\n'.format(
json.dumps(evaluation.as_table_json(), indent=2)))
# Diff old an new defaults
multi_bundle = test_data_env_with_images_loaded.get_bundle('multi_default')
multi_default = build_bundle(multi_bundle, for_tag=test_tag)
assert not built.init_errors
logger.info('Got: {}'.format(multi_default))
assert img_obj is not None, 'Failed to get an image object to test'
multi_default_evaluation = multi_default.execute(img_obj,
tag=test_tag,
context=ExecutionContext(
db_session=db,
configuration={}))
default_built = build_bundle(
test_data_env_with_images_loaded.get_bundle('default'),
for_tag=test_tag)
assert not built.init_errors
logger.info('Got: {}'.format(default_built))
assert img_obj is not None, 'Failed to get an image object to test'
default_evaluation = default_built.execute(img_obj,
tag=test_tag,
context=ExecutionContext(
db_session=db,
configuration={}))
assert multi_default_evaluation.as_table_json(
) == default_evaluation.as_table_json()
def test_whitelists(large_whitelist, test_data_env_with_images_loaded):
logger.info('Building executable bundle from default bundle')
test_tag = 'docker.io/library/node:latest'
[x for x in default_bundle['whitelists']
if x['id'] == 'wl_jessie'][0]['items'].append({
'gate': 'vulnerabilities',
'trigger_id': '*binutils*',
'id': 'testinserted123'
})
built = build_bundle(default_bundle, for_tag=test_tag)
assert not built.init_errors
logger.info(('Got: {}'.format(built)))
db = get_session()
img_obj = db.query(Image).get(
(test_data_env_with_images_loaded.get_images_named('node')[0][0], '0'))
assert img_obj is not None
t = time.time()
evaluation = built.execute(img_obj,
tag=test_tag,
context=ExecutionContext(db_session=db,
configuration={}))
assert evaluation is not None
logger.info(
('Evaluation: {}'.format(json.dumps(evaluation.json(), indent=2))))
logger.info(('Took: {}'.format(time.time() - t)))
# Run without index handlers
logger.info('Running without optimized indexes')
ExecutableWhitelist._use_indexes = False
no_index_built = build_bundle(default_bundle, for_tag=test_tag)
assert not no_index_built.init_errors
logger.info(('Got: {}'.format(no_index_built)))
t = time.time()
no_index_evaluation = no_index_built.execute(img_obj,
tag=test_tag,
context=ExecutionContext(
db_session=db,
configuration={}))
ExecutableWhitelist._use_indexes = True
assert evaluation.json() == no_index_evaluation.json(
), 'Index vs non-indexed returned different results'
assert no_index_evaluation is not None, 'Got None eval'
logger.info(('Non-indexed Evaluation: {}'.format(
json.dumps(evaluation.json(), indent=2))))
logger.info(('Non-indexed Evaluation Took: {}'.format(time.time() - t)))
def test_whitelists(bundle, test_data_env_with_images_loaded):
default_bundle = bundle()
logger.info("Building executable bundle from default bundle")
test_tag = "docker.io/library/node:latest"
[x for x in default_bundle["whitelists"] if x["id"] == "wl_jessie"][0][
"items"
].append(
{"gate": "vulnerabilities", "trigger_id": "*binutils*", "id": "testinserted123"}
)
built = build_bundle(default_bundle, for_tag=test_tag)
assert not built.init_errors
logger.info(("Got: {}".format(built)))
db = get_session()
img_obj = db.query(Image).get(
(test_data_env_with_images_loaded.get_images_named("node")[0][0], "0")
)
assert img_obj is not None
t = time.time()
evaluation = built.execute(
img_obj, tag=test_tag, context=ExecutionContext(db_session=db, configuration={})
)
assert evaluation is not None
logger.info(("Evaluation: {}".format(json.dumps(evaluation.json(), indent=2))))
logger.info(("Took: {}".format(time.time() - t)))
# Run without index handlers
logger.info("Running without optimized indexes")
ExecutableWhitelist._use_indexes = False
no_index_built = build_bundle(default_bundle, for_tag=test_tag)
assert not no_index_built.init_errors
logger.info(("Got: {}".format(no_index_built)))
t = time.time()
no_index_evaluation = no_index_built.execute(
img_obj, tag=test_tag, context=ExecutionContext(db_session=db, configuration={})
)
ExecutableWhitelist._use_indexes = True
assert (
evaluation.json() == no_index_evaluation.json()
), "Index vs non-indexed returned different results"
assert no_index_evaluation is not None, "Got None eval"
logger.info(
("Non-indexed Evaluation: {}".format(json.dumps(evaluation.json(), indent=2)))
)
logger.info(("Non-indexed Evaluation Took: {}".format(time.time() - t)))
def test_error_evaluation(test_data_env_with_images_loaded):
bundle = {
'id': 'someid',
'version': '1_0',
'whitelists': [],
'policies': [],
'mappings': []
}
logger.info('Building executable bundle from default bundle')
test_tag = 'docker.io/library/ruby:latest'
built = build_bundle(bundle, for_tag=test_tag)
logger.info('Got: {}'.format(built))
db = get_thread_scoped_session()
img_obj = get_image_named(db, test_data_env_with_images_loaded, 'ruby')
assert img_obj is not None
evaluation = built.execute(img_obj,
tag=test_tag,
context=ExecutionContext(db_session=db,
configuration={}))
assert evaluation is not None
logger.info('Result: {}'.format(
json.dumps(evaluation.as_table_json(), indent=2)))
with pytest.raises(BundleTargetTagMismatchError) as f:
evaluation = built.execute(img_obj,
tag='docker.io/library/ubuntu:vivid-2015',
context=ExecutionContext(db_session=db,
configuration={}))
def testErrorEvaluation(self):
bundle = {
'id': 'someid',
'version': '1_0',
'whitelists': [],
'policies': [],
'mappings': []
}
print('Building executable bundle from default bundle')
test_tag = 'docker.io/library/ruby:latest'
built = build_bundle(bundle, for_tag=test_tag)
print(('Got: {}'.format(built)))
db = get_session()
img_obj = self.get_image_named(db, 'ruby')
self.assertIsNotNone(img_obj, 'Failed to get an image object to test')
evaluation = built.execute(img_obj, tag=test_tag,
context=ExecutionContext(db_session=db, configuration={}))
self.assertIsNotNone(evaluation, 'Got None eval')
print(('Result: {}'.format(json.dumps(evaluation.as_table_json(), indent=2))))
with self.assertRaises(BundleTargetTagMismatchError) as f:
evaluation = built.execute(img_obj, tag='docker.io/library/ubuntu:vivid-2015',
context=ExecutionContext(db_session=db, configuration={}))
def test_error_evaluation(test_data_env_with_images_loaded):
bundle = {
"id": "someid",
"version": "1_0",
"whitelists": [],
"policies": [],
"mappings": [],
}
logger.info("Building executable bundle from default bundle")
test_tag = "docker.io/library/ruby:latest"
built = build_bundle(bundle, for_tag=test_tag)
logger.info("Got: {}".format(built))
db = get_thread_scoped_session()
img_obj = get_image_named(db, test_data_env_with_images_loaded, "ruby")
assert img_obj is not None
evaluation = built.execute(img_obj,
tag=test_tag,
context=ExecutionContext(db_session=db,
configuration={}))
assert evaluation is not None
logger.info("Result: {}".format(
json.dumps(evaluation.as_table_json(), indent=2)))
with pytest.raises(BundleTargetTagMismatchError) as f:
evaluation = built.execute(
img_obj,
tag="docker.io/library/ubuntu:vivid-2015",
context=ExecutionContext(db_session=db, configuration={}),
)
def validate_bundle(policy_bundle):
"""
Performs a validation of the given policy bundle and either returns 200 OK with a status message in the response indicating pass/fail and any validation errors.
:param policy_bundle:
:return: 200 OK with policy validation response
"""
try:
resp = PolicyValidationResponse()
problems = []
try:
executable_bundle = build_bundle(policy_bundle,
allow_deprecated=False)
if executable_bundle.init_errors:
problems = executable_bundle.init_errors
except ValidationError as e:
problems.append(e)
except InitializationError as e:
# Expand any validation issues
problems = e.causes
resp.valid = len(problems) == 0
resp.validation_details = [
problem_from_exception(i, severity="error") for i in problems
]
return resp.to_json()
except HTTPException as e:
log.exception("Caught exception in execution: {}".format(e))
raise
except Exception as e:
log.exception("Failed processing bundle evaluation: {}".format(e))
return make_response_error(e, in_httpcode=500), 500
def validate_bundle(policy_bundle):
"""
Performs a validation of the given policy bundle and either returns 200 OK with a status message in the response indicating pass/fail and any validation errors.
:param policy_bundle:
:return: 200 OK with policy validation response
"""
try:
resp = PolicyValidationResponse()
problems = []
try:
executable_bundle = build_bundle(policy_bundle,
allow_deprecated=False)
if executable_bundle.init_errors:
problems = executable_bundle.init_errors
except InitializationError as e:
# Expand any validation issues
problems = e.causes
resp.valid = (len(problems) == 0)
resp.validation_details = [
problem_from_exception(i, severity='error') for i in problems
]
return resp.to_dict()
except HTTPException as e:
log.exception('Caught exception in execution: {}'.format(e))
raise
except Exception as e:
log.exception('Failed processing bundle evaluation: {}'.format(e))
abort(Response('Unexpected internal error', 500))
def testBasicEvaluation(self):
db = get_session()
print('Building executable bundle from default bundle')
test_tag = 'docker.io/library/ruby:latest'
test_bundle = self.test_env.get_bundle('multitest')
built = build_bundle(test_bundle, for_tag=test_tag)
self.assertFalse(built.init_errors)
print(('Got: {}'.format(built)))
img_obj = self.get_image_named(db, 'ruby')
self.assertIsNotNone(img_obj, 'Failed to get an image object to test')
evaluation = built.execute(img_obj,
tag=test_tag,
context=ExecutionContext(db_session=db,
configuration={}))
self.assertIsNotNone(evaluation, 'Got None eval')
print(
('Native json: {}\n'.format(json.dumps(evaluation.json(),
indent=2))))
print(('Table json: {}\n'.format(
json.dumps(evaluation.as_table_json(), indent=2))))
# Diff old an new defaults
multi_bundle = self.test_env.get_bundle('multi_default')
multi_default = build_bundle(multi_bundle, for_tag=test_tag)
self.assertFalse(built.init_errors)
print(('Got: {}'.format(multi_default)))
self.assertIsNotNone(img_obj, 'Failed to get an image object to test')
multi_default_evaluation = multi_default.execute(
img_obj,
tag=test_tag,
context=ExecutionContext(db_session=db, configuration={}))
default_built = build_bundle(self.default_bundle, for_tag=test_tag)
self.assertFalse(built.init_errors)
print(('Got: {}'.format(default_built)))
self.assertIsNotNone(img_obj, 'Failed to get an image object to test')
default_evaluation = default_built.execute(img_obj,
tag=test_tag,
context=ExecutionContext(
db_session=db,
configuration={}))
self.assertDictEqual(multi_default_evaluation.as_table_json(),
default_evaluation.as_table_json())
def testPolicyNotFound(self):
db = get_session()
img_obj = self.get_image_named(db, 'ruby')
with self.assertRaises(InitializationError) as f:
built = build_bundle(self.test_env.get_bundle('bad_policy_id'))
built.execute(image_object=img_obj, context=None, tag='dockerhub/library/ruby:latest')
print(('Expected Initialization error: {}'.format(f.exception)))
def test_bundle_failure(self):
b = build_bundle(test_bundle)
image_obj = Image(id='fakeid1')
r = b.execute(image_object=image_obj,
tag='dockerhub/library/alpine:latest',
context=object())
logger.info((json.dumps((r.json()), indent=2)))
def test_basic_legacy_evaluation(test_data_env_with_images_loaded):
db = get_thread_scoped_session()
logger.info('Building executable bundle from default bundle')
test_tag = 'docker.io/library/ruby:latest'
built = build_bundle(
test_data_env_with_images_loaded.get_bundle('default'),
for_tag=test_tag)
assert not built.init_errors
logger.info('Got: {}'.format(built))
img_obj = get_image_named(db, test_data_env_with_images_loaded, 'ruby')
assert img_obj is not None
assert img_obj is not None, 'Failed to get an image object to test'
evaluation = built.execute(img_obj,
tag=test_tag,
context=ExecutionContext(db_session=db,
configuration={}))
assert evaluation is not None, 'Got None eval'
logger.info(json.dumps(evaluation.json(), indent=2))
logger.info(json.dumps(evaluation.as_table_json(), indent=2))
logger.info('Building executable bundle from old default bundle')
test_tag = 'docker.io/library/ruby:latest'
built = build_bundle(
test_data_env_with_images_loaded.get_bundle('old_default'),
for_tag=test_tag)
assert not built.init_errors
logger.info('Got: {}'.format(built))
img_obj = get_image_named(db, test_data_env_with_images_loaded, 'ruby')
assert img_obj is not None
assert img_obj is not None, 'Failed to get an image object to test'
evaluation = built.execute(img_obj,
tag=test_tag,
context=ExecutionContext(db_session=db,
configuration={}))
assert evaluation is not None, 'Got None eval'
logger.info(json.dumps(evaluation.json(), indent=2))
logger.info(json.dumps(evaluation.as_table_json(), indent=2))
def testBasicEvaluation(self):
print('Building executable bundle from default bundle')
test_tag = 'docker.io/library/ruby:latest'
built = build_bundle(self.default_bundle, for_tag=test_tag)
self.assertFalse(built.init_errors)
print('Got: {}'.format(built))
db = get_session()
img_obj = db.query(Image).get((self.test_image_ids['ruby'], '0'))
if not img_obj:
self.load_images()
self.assertIsNotNone(img_obj, 'Failed to get an image object to test')
evaluation = built.execute(img_obj,
tag=test_tag,
context=ExecutionContext(db_session=db,
configuration={}))
self.assertIsNotNone(evaluation, 'Got None eval')
print(json.dumps(evaluation.json(), indent=2))
print(json.dumps(evaluation.as_table_json(), indent=2))
print('Building executable bundle from old default bundle')
test_tag = 'docker.io/library/ruby:latest'
built = build_bundle(self.old_bundle, for_tag=test_tag)
self.assertFalse(built.init_errors)
print('Got: {}'.format(built))
db = get_session()
img_obj = db.query(Image).get((self.test_image_ids['ruby'], '0'))
if not img_obj:
self.load_images()
self.assertIsNotNone(img_obj, 'Failed to get an image object to test')
evaluation = built.execute(img_obj,
tag=test_tag,
context=ExecutionContext(db_session=db,
configuration={}))
self.assertIsNotNone(evaluation, 'Got None eval')
print(json.dumps(evaluation.json(), indent=2))
print(json.dumps(evaluation.as_table_json(), indent=2))
def test_multi_policy_missing_errors(test_data_env_with_images_loaded):
"""
Test entries in policy_ids that are not found in bundle
:return:
"""
ruby_tag = "dockerhub/library/ruby:latest"
with pytest.raises(InitializationError) as f:
built = build_bundle({
"id":
"someid",
"version":
"1_0",
"name":
"testbundle",
"whitelists": [{
"id": "whitelist1",
"version": "1_0",
"name": "ok whitelist",
"items": [],
}],
"policies": [
{
"id": "okpolicy",
"version": "1_0",
"name": "ok policy",
"rules": [],
},
{
"id": "okpolicy",
"version": "1_0",
"name": "ok policy",
"rules": [],
},
],
"mappings": [{
"id":
"invalid_mapping",
"policy_ids": ["okpolicy", "okpolicy2", "notrealpolicy"],
"whitelist_ids": ["whitelist1"],
"registry":
"*",
"repository":
"*",
"image": {
"type": "tag",
"value": "*"
},
}],
})
built.execute(image_object=Image(), context=None, tag=ruby_tag)
def test_policy_not_found(test_data_env_with_images_loaded):
db = get_thread_scoped_session()
img_obj = get_image_named(db, test_data_env_with_images_loaded, 'ruby')
assert img_obj is not None
with pytest.raises(InitializationError) as f:
built = build_bundle(
test_data_env_with_images_loaded.get_bundle('bad_policy_id'))
built.execute(image_object=img_obj,
context=None,
tag='dockerhub/library/ruby:latest')
logger.info('Expected Initialization error: {}'.format(f.exception))
def test_multi_policy_missing_errors(self):
"""
Test entries in policy_ids that are not found in bundle
:return:
"""
ruby_tag = 'dockerhub/library/ruby:latest'
with self.assertRaises(InitializationError) as f:
built = build_bundle({
'id': 'someid',
'version': '1_0',
'name': 'testbundle',
'whitelists': [
{'id': 'whitelist1',
'version': '1_0',
'name': 'ok whitelist',
'items': []
}
],
'policies': [
{
'id': 'okpolicy',
'version': '1_0',
'name': 'ok policy',
'rules': []
},
{
'id': 'okpolicy',
'version': '1_0',
'name': 'ok policy',
'rules': []
}
],
'mappings': [
{
'id': 'invalid_mapping',
'policy_ids': ['okpolicy', 'okpolicy2', 'notrealpolicy'],
'whitelist_ids': ['whitelist1'],
'registry': '*',
'repository': '*',
'image': {
'type': 'tag',
'value': '*'
}
}
]
})
built.execute(image_object=Image(), context=None, tag=ruby_tag)
def test_multi_policy_invalid_errors(test_data_env_with_images_loaded):
"""
Test validation of policies in multi-policy mapping
:return:
"""
ruby_tag = 'dockerhub/library/ruby:latest'
with pytest.raises(InitializationError) as f:
built = build_bundle({
'id':
'someid',
'version':
'1_0',
'name':
'invalid_version',
'whitelists': [{
'id': 'whitelist1',
'version': '1_0',
'name': 'ok whitelist',
'items': []
}],
'policies': [{
'id': 'okpolicy',
'version': '1_0',
'name': 'ok policy',
'rules': []
}, {
'id': 'okpolicy',
'version': '2_0',
'name': 'ok policy',
'rules': []
}],
'mappings': [{
'id': 'ok_mapping',
'policy_ids': ['okpolicy', 'okpolicy2'],
'whitelist_ids': ['whitelist1'],
'registry': '*',
'repository': '*',
'image': {
'type': 'tag',
'value': '*'
}
}]
})
built.execute(image_object=Image(), context=None, tag=ruby_tag)
def test_basic_whitelist_evaluation(bundle, test_data_env_with_images_loaded):
default_bundle = bundle()
logger.info('Building executable bundle from default bundle')
test_tag = 'docker.io/library/node:latest'
built = build_bundle(default_bundle, for_tag=test_tag)
assert not built.init_errors
logger.info(('Got: {}'.format(built)))
db = get_session()
img_obj = db.query(Image).get((test_data_env_with_images_loaded.get_images_named('node')[0][0], '0'))
assert img_obj is not None, 'Failed to get an image object to test'
evaluation = built.execute(img_obj, tag=test_tag,
context=ExecutionContext(db_session=db, configuration={}))
assert evaluation is not None, 'Got None eval'
logger.info((json.dumps(evaluation.json(), indent=2)))
logger.info((json.dumps(evaluation.as_table_json(), indent=2)))
def check_user_image_inline(user_id, image_id, tag, bundle):
"""
Execute a policy evaluation using the info in the request body including the bundle content
:param user_id:
:param image_id:
:param tag:
:param bundle:
:return:
"""
db = get_session()
try:
# Input validation
try:
img_obj = db.query(Image).get((image_id, user_id))
except:
abort(Response(response='Image not found', status=404))
if not img_obj:
log.info('Request for evaluation of image that cannot be found: user_id = {}, image_id = {}'.format(user_id, image_id))
abort(Response(response='Image not found', status=404))
# Build bundle exec.
problems = []
executable_bundle = None
try:
executable_bundle = build_bundle(bundle, for_tag=tag)
if executable_bundle.init_errors:
problems = executable_bundle.init_errors
except InitializationError as e:
log.exception('Bundle construction and initialization returned errors')
problems = e.causes
if not problems:
# Execute bundle
try:
eval_result = executable_bundle.execute(img_obj, tag, ExecutionContext(db_session=db, configuration={}))
except Exception as e:
log.exception('Error executing policy bundle {} against image {} w/tag {}: {}'.format(bundle['id'], image_id, tag, e.message))
abort(Response(response='Cannot execute given policy against the image due to errors executing the policy bundle: {}'.format(e.message), status=500))
else:
# Construct a failure eval with details on the errors and mappings to send to client
eval_result = build_empty_error_execution(img_obj, tag, executable_bundle, errors=problems, warnings=[])
if executable_bundle and executable_bundle.mapping and len(executable_bundle.mapping.mapping_rules) == 1:
eval_result.executed_mapping = executable_bundle.mapping.mapping_rules[0]
resp = PolicyEvaluation()
resp.user_id = user_id
resp.image_id = image_id
resp.tag = tag
resp.bundle = bundle
resp.matched_mapping_rule = eval_result.executed_mapping.json() if eval_result.executed_mapping else {}
resp.last_modified = int(time.time())
resp.final_action = eval_result.policy_decision.final_decision
resp.result = eval_result.as_table_json()
resp.created_at = int(time.time())
resp.evaluation_problems = [problem_from_exception(i) for i in eval_result.errors]
resp.evaluation_problems += [problem_from_exception(i) for i in eval_result.warnings]
if resp.evaluation_problems:
for i in resp.evaluation_problems:
log.warn('Returning evaluation response for image {}/{} w/tag {} and bundle {} that contains error: {}'.format(user_id, image_id, tag, bundle['id'], json.dumps(i.to_dict())))
return resp.to_dict()
except HTTPException as e:
db.rollback()
log.exception('Caught exception in execution: {}'.format(e))
raise
except Exception as e:
db.rollback()
log.exception('Failed processing bundle evaluation: {}'.format(e))
abort(Response('Unexpected internal error', 500))
finally:
db.close()
def testInvalidActions(self):
db = get_session()
img_obj = self.get_image_named(db, 'ruby')
with self.assertRaises(InitializationError) as f:
built = build_bundle(self.test_env.get_bundle('bad_bundle1'))
built.execute(image_object=img_obj, context=None, tag='dockerhub/library/ruby:latest')
built.execute(image_object=img_obj, context=None, tag='test')
with self.assertRaises(InitializationError) as f:
built = build_bundle({
'id': 'someid',
'version': '1_0',
'name': 'invalid_actions',
'whitelists': [
{'id': 'whitelist1',
'version': '1_0',
'name': 'ok whitelist',
'items': []
}
],
'policies': [
{
'id': 'okpolicy',
'version': '1_0',
'name': 'ok policy',
'rules': [
{
'gate': 'ANCHORESEC',
'trigger': 'UNSUPPPORTEDDISTRO',
'action': 'HELLO',
'params': []
}
]
}
],
'mappings': [
{
'policy_id': 'okpolicy',
'whitelist_ids': ['whitelist1'],
'registry': '*',
'repository': '*',
'image': {
'type': 'tag',
'value': '*'
}
}
]
})
built.execute(image_object=img_obj, context=None, tag=None)
with self.assertRaises(InitializationError) as f:
bad_param1 = build_bundle({
'id': 'someid',
'version': '1_0',
'name': 'invalid_params',
'whitelists': [
{'id': 'whitelist1',
'version': '1_0',
'name': 'ok whitelist',
'items': []
}
],
'policies': [
{
'id': 'okpolicy',
'version': '1_0',
'name': 'ok policy',
'rules': [
{
'gate': 'ANCHORESEC',
'trigger': 'FEEDOUTOFDATE',
'action': 'GO',
'params': [
{
'name': 'MAXAGE',
'value': 0.1
}
]
}
]
}
],
'mappings': [
{
'policy_id': 'okpolicy',
'whitelist_ids': ['whitelist1'],
'registry': '*',
'repository': '*',
'image': {
'type': 'tag',
'value': '*'
}
}
]
})
built.execute(image_object=img_obj, context=None, tag=None)
with self.assertRaises(InitializationError) as f:
bad_param2 = build_bundle({
'id': 'someid',
'version': '1_0',
'name': 'invalid_params',
'whitelists': [
{'id': 'whitelist1',
'version': '1_0',
'name': 'ok whitelist',
'items': []
}
],
'policies': [
{
'id': 'okpolicy',
'version': '1_0',
'name': 'ok policy',
'rules': [
{
'gate': 'ANCHORESEC',
'trigger': 'FEEDOUTOFDATE',
'action': 'GO',
'params': [
{
'name': 'MAXIMUS_AGIMUS',
'value': 10
}
]
}
]
}
],
'mappings': [
{
'policy_id': 'okpolicy',
'whitelist_ids': ['whitelist1'],
'registry': '*',
'repository': '*',
'image': {
'type': 'tag',
'value': '*'
}
}
]
})
built.execute(image_object=img_obj, context=None, tag=None)
def testPolicyInitError(self):
db = get_session()
img_obj = self.get_image_named(db, 'ruby')
ruby_tag = 'dockerhub/library/ruby:latest'
with self.assertRaises(UnsupportedVersionError) as f:
built = build_bundle({
'id':'someid',
'version': 'invalid_version',
'name': 'invalid_version',
'whitelists': [],
'policies': [],
'mappings': []
})
built.execute(image_object=img_obj, context=None, tag=ruby_tag)
with self.assertRaises(InitializationError) as f:
built = build_bundle({
'id':'someid',
'version': '1_0',
'name': 'invalid_version',
'whitelists': [
{'id': 'whitelist1',
'version': 'invalid_version',
'name': 'bad whitelist',
'rules': []
}
],
'policies': [
{
'id': 'ok_policy',
'version': 'v1.0',
'name': 'bad policy',
'rules': []
}
],
'mappings': [
{'registry': '*',
'repository': '*',
'image': {'type': 'tag', 'value':'*'},
'policy_id': 'ok_policy',
'whitelist_ids': ['whitelist1']
}
]
}, for_tag='dockerhub/library/centos:latest')
built.execute(image_object=img_obj, context=None, tag='dockerhub/library/centos:latest')
self.assertEqual(type(f.exception.causes[0]), UnsupportedVersionError)
with self.assertRaises(InitializationError) as f:
built = build_bundle({
'id':'someid',
'version': '1_0',
'name': 'invalid_version',
'whitelists': [
{'id': 'whitelist1',
'version': '1_0',
'name': 'okwhitelist',
'items': []
}
],
'policies': [
{
'id': 'invalid_policy',
'version': 'invalid_version',
'name': 'bad policy',
'rules': []
}
],
'mappings': [
{'registry': '*',
'repository': '*',
'image': {'type': 'tag', 'value':'*'},
'policy_id': 'invalid_policy',
'whitelist_ids': ['whitelist1']
}
]
}, for_tag='dockerhub/library/centos:latest')
built.execute(image_object=img_obj, context=None, tag='dockerhub/library/centos:latest')
self.assertEqual(type(f.exception.causes[0]), UnsupportedVersionError)
with self.assertRaises(InitializationError) as f:
built = build_bundle({
'id':'someid',
'version': '1_0',
'name': 'invalid_version',
'whitelists': [
{'id': 'whitelist1',
'version': '1_0',
'name': 'ok whitelist',
'items': []
}
],
'policies': [
{
'id': 'okpolicy',
'version': '2_0',
'name': 'ok policy',
'rules': []
}
],
'mappings': [
{
'id': 'invalid_mapping',
'policy_id': 'okpolicy',
'whitelist_ids': ['whitelist1'],
'registry': '*',
'repository': '*',
'image': {
'type': 'tag',
'value': '*'
}
}
]
})
built.execute(image_object=img_obj, context=None, tag=ruby_tag)
self.assertEqual(type(f.exception.causes[0]), UnsupportedVersionError)
def testDeprecatedGateEvaluation(self):
bundle = {
'id': 'someid',
'version': '1_0',
'whitelists': [],
'policies': [
{'id': 'abc',
'name': 'Deprecated Policy',
'version': '1_0',
'rules': [
{
'gate': 'PKGDIFF',
'trigger': 'pkgadd',
'params': [],
'action': 'stop'
},
{
'gate': 'always',
'trigger': 'always',
'action': 'go',
'params': []
},
{
'gate': 'ANCHORESEC',
'trigger': 'VULNLOW',
'action': 'warn',
'params': []
}
]
}
],
'mappings': [
{'registry': '*', 'repository': '*', 'image': {'type': 'tag', 'value': '*'}, 'name': 'Default', 'policy_id': 'abc', 'whitelist_ids': []}
]
}
print('Building executable bundle from default bundle')
test_tag = 'docker.io/library/ruby:latest'
db = get_session()
with self.assertRaises(InitializationError) as ex:
built = build_bundle(bundle, for_tag=test_tag, allow_deprecated=False)
print(('Got: {}'.format(built)))
img_obj = self.get_image_named(db, 'ruby')
self.assertIsNotNone(img_obj, 'Failed to get an image object to test')
evaluation = built.execute(img_obj, tag=test_tag,
context=ExecutionContext(db_session=db, configuration={}))
built = build_bundle(bundle, for_tag=test_tag, allow_deprecated=True)
print(('Got: {}'.format(built)))
img_obj = self.get_image_named(db, 'ruby')
self.assertIsNotNone(img_obj, 'Failed to get an image object to test')
evaluation = built.execute(img_obj, tag=test_tag,
context=ExecutionContext(db_session=db, configuration={}))
self.assertIsNotNone(evaluation, 'Got None eval')
print(('Result: {}'.format(json.dumps(evaluation.json(), indent=2))))
self.assertIsNotNone(evaluation.warnings)
def testDuplicateRuleEvaluation(self):
print('Building executable bundle from default bundle')
test_tag = 'docker.io/library/ruby:latest'
multi_gate_bundle = {
'id': 'multigate1',
'name': 'Multigate test1',
'version': '1_0',
'policies': [
{
'id': 'policy1',
'name': 'Test policy1',
'version': '1_0',
'rules': [
{
'gate': 'DOCKERFILECHECK',
'trigger': 'FROMSCRATCH',
'params': [],
'action': 'GO'
},
{
'gate': 'DOCKERFILECHECK',
'trigger': 'FROMSCRATCH',
'params': [],
'action': 'STOP'
},
{
'action': 'stop',
'gate': 'DOCKERFILECHECK',
'trigger': 'DIRECTIVECHECK',
'params': [
{
'name': 'DIRECTIVES',
'value': 'RUN'
},
{
'name': 'CHECK',
'value': 'exists'
}
]
},
{
'action': 'STOP',
'gate': 'DOCKERFILECHECK',
'trigger': 'DIRECTIVECHECK',
'params': [
{
'name': 'DIRECTIVES',
'value': 'USER'
},
{
'name': 'CHECK',
'value': 'not_exists'
}
]
},
{
'action': 'STOP',
'gate': 'DOCKERFILECHECK',
'trigger': 'DIRECTIVECHECK',
'params': [
{
'name': 'DIRECTIVES',
'value': 'RUN'
},
{
'name': 'CHECK',
'value': '=',
'check_value': 'yum update -y'
}
]
}
]
}
],
'whitelists': [],
'mappings': [
{
'registry': '*', 'repository': '*', 'image': {'type': 'tag', 'value': '*'}, 'policy_id': 'policy1', 'whitelist_ids': []
}
]
}
built = build_bundle(multi_gate_bundle, for_tag=test_tag)
self.assertFalse(built.init_errors)
print(('Got: {}'.format(built)))
db = get_session()
img_obj = self.get_image_named(db, 'ruby')
self.assertIsNotNone(img_obj, 'Failed to get an image object to test')
evaluation = built.execute(img_obj, tag=test_tag,
context=ExecutionContext(db_session=db, configuration={}))
self.assertIsNotNone(evaluation, 'Got None eval')
print((json.dumps(evaluation.json(), indent=2)))
print((json.dumps(evaluation.as_table_json(), indent=2)))
def test_regexes(bundle, test_data_env_with_images_loaded):
"""
Test regular expressions in the trigger_id part of the WL rule
:return:
"""
bundle = bundle()
logger.info("Building executable bundle from default bundle")
test_tag = "docker.io/library/node:latest"
node_whitelist = [x for x in bundle["whitelists"] if x["id"] == "wl_jessie"][0]
node_whitelist["items"] = [
x for x in node_whitelist["items"] if "binutils" in x["trigger_id"]
]
node_whitelist["items"].append(
{
"gate": "vulnerabilities",
"trigger_id": "CVE-2016-6515+openssh-client",
"id": "testinserted3",
}
)
node_whitelist["items"].append(
{
"gate": "vulnerabilities",
"trigger_id": "CVE-2016-6515+*",
"id": "test-cve-2016-6515",
}
)
node_whitelist["items"].append(
{"gate": "vulnerabilities", "trigger_id": "CVE-2017*", "id": "testinserted2"}
)
node_whitelist["items"].append(
{"gate": "vulnerabilities", "trigger_id": "*binutils*", "id": "testinserted1"}
)
db = get_session()
img_obj = db.query(Image).get(
(test_data_env_with_images_loaded.get_images_named("node")[0][0], "0")
)
assert img_obj is not None
ExecutableWhitelist._use_indexes = True
built = build_bundle(bundle, for_tag=test_tag)
assert not built.init_errors
logger.info("Executing with indexes")
t = time.time()
evaluation = built.execute(
img_obj, tag=test_tag, context=ExecutionContext(db_session=db, configuration={})
)
t1 = time.time() - t
logger.info(("Took: {}".format(t1)))
assert evaluation is not None
ExecutableWhitelist._use_indexes = False
non_index_built = build_bundle(bundle, for_tag=test_tag)
assert not non_index_built.init_errors
logger.info("Executing without indexes")
t2 = time.time()
evaluation2 = non_index_built.execute(
img_obj, tag=test_tag, context=ExecutionContext(db_session=db, configuration={})
)
t2 = time.time() - t2
logger.info(("Took: {}".format(t2)))
assert evaluation2 is not None
ExecutableWhitelist._use_indexes = True
assert (
evaluation.json()["bundle_decision"]["policy_decisions"][0]["decisions"]
== evaluation2.json()["bundle_decision"]["policy_decisions"][0]["decisions"]
)
logger.info(("Evaluation: {}".format(json.dumps(evaluation.json(), indent=2))))
open_ssl_wl_match = {
"action": "go",
"rule": {
"action": "stop",
"gate": "vulnerabilities",
"trigger": "package",
"params": {},
},
"match": {
"message": "HIGH Vulnerability found in package - openssh-client (CVE-2016-6515 - https://security-tracker.debian.org/tracker/CVE-2016-6515)",
"trigger": "package",
"whitelisted": {
"whitelist_id": "wl_jessie",
"matched_rule_id": "testinserted3",
"whitelist_name": "CVE whitelist for jessie - 12092017",
},
"trigger_id": "CVE-2016-6515+openssh-client",
},
}
assert (
open_ssl_wl_match
in evaluation.json()["bundle_decision"]["policy_decisions"][0]["decisions"]
)
assert (
len(
[
x
for x in evaluation.json()["bundle_decision"]["policy_decisions"][0][
"decisions"
]
if x["match"].get("whitelisted", {}).get("matched_rule_id", "")
in ["testinserted1", "testinserted2", "testinserted3"]
]
)
>= 1
)
def check_user_image_inline(user_id, image_id, tag, bundle):
"""
Execute a policy evaluation using the info in the request body including the bundle content
:param user_id:
:param image_id:
:param tag:
:param bundle:
:return:
"""
timer = time.time()
db = get_session()
cache_mgr = None
try:
# Input validation
if tag is None:
# set tag value to a value that only matches wildcards
tag = "*/*:*"
try:
img_obj = db.query(Image).get((image_id, user_id))
except:
return make_response_error("Image not found", in_httpcode=404), 404
if not img_obj:
log.info(
"Request for evaluation of image that cannot be found: user_id = {}, image_id = {}"
.format(user_id, image_id))
return make_response_error("Image not found", in_httpcode=404), 404
if evaluation_cache_enabled:
timer2 = time.time()
try:
try:
conn_timeout = (
ApiRequestContextProxy.get_service().configuration.get(
"catalog_client_conn_timeout",
DEFAULT_CACHE_CONN_TIMEOUT))
read_timeout = (
ApiRequestContextProxy.get_service().configuration.get(
"catalog_client_read_timeout",
DEFAULT_CACHE_READ_TIMEOUT))
cache_mgr = EvaluationCacheManager(img_obj, tag, bundle,
conn_timeout,
read_timeout)
except ValueError as err:
log.warn(
"Could not leverage cache due to error in bundle data: {}"
.format(err))
cache_mgr = None
if cache_mgr is None:
log.info(
"Could not initialize cache manager for policy evaluation, skipping cache usage"
)
else:
cached_result = cache_mgr.refresh()
if cached_result:
metrics.counter_inc(
name="anchore_policy_evaluation_cache_hits")
metrics.histogram_observe(
"anchore_policy_evaluation_cache_access_latency",
time.time() - timer2,
status="hit",
)
log.info(
"Returning cached result of policy evaluation for {}/{}, with tag {} and bundle {} with digest {}. Last evaluation: {}"
.format(
user_id,
image_id,
tag,
cache_mgr.bundle_id,
cache_mgr.bundle_digest,
cached_result.get("last_modified"),
))
return cached_result
else:
metrics.counter_inc(
name="anchore_policy_evaluation_cache_misses")
metrics.histogram_observe(
"anchore_policy_evaluation_cache_access_latency",
time.time() - timer2,
status="miss",
)
log.info(
"Policy evaluation not cached, or invalid, executing evaluation for {}/{} with tag {} and bundle {} with digest {}"
.format(
user_id,
image_id,
tag,
cache_mgr.bundle_id,
cache_mgr.bundle_digest,
))
except Exception as ex:
log.exception(
"Unexpected error operating on policy evaluation cache. Skipping use of cache."
)
else:
log.info("Policy evaluation cache disabled. Executing evaluation")
# Build bundle exec.
problems = []
executable_bundle = None
try:
# Allow deprecated gates here to support upgrade cases from old policy bundles.
executable_bundle = build_bundle(bundle,
for_tag=tag,
allow_deprecated=True)
if executable_bundle.init_errors:
problems = executable_bundle.init_errors
except InitializationError as e:
log.exception(
"Bundle construction and initialization returned errors")
problems = e.causes
eval_result = None
if not problems:
# Execute bundle
try:
eval_result = executable_bundle.execute(
img_obj, tag,
ExecutionContext(db_session=db, configuration={}))
except Exception as e:
log.exception(
"Error executing policy bundle {} against image {} w/tag {}: {}"
.format(bundle["id"], image_id, tag, e))
return (
make_response_error(
"Internal bundle evaluation error",
details={
"message":
"Cannot execute given policy against the image due to errors executing the policy bundle: {}"
.format(e)
},
in_httpcode=500,
),
500,
)
else:
# Construct a failure eval with details on the errors and mappings to send to client
eval_result = build_empty_error_execution(img_obj,
tag,
executable_bundle,
errors=problems,
warnings=[])
if (executable_bundle and executable_bundle.mapping
and len(executable_bundle.mapping.mapping_rules) == 1):
eval_result.executed_mapping = executable_bundle.mapping.mapping_rules[
0]
resp = PolicyEvaluation()
resp.user_id = user_id
resp.image_id = image_id
resp.tag = tag
resp.bundle = bundle
resp.matched_mapping_rule = (eval_result.executed_mapping.json() if
eval_result.executed_mapping else False)
resp.last_modified = int(time.time())
resp.final_action = eval_result.bundle_decision.final_decision.name
resp.final_action_reason = eval_result.bundle_decision.reason
resp.matched_whitelisted_images_rule = (
eval_result.bundle_decision.whitelisted_image.json()
if eval_result.bundle_decision.whitelisted_image else False)
resp.matched_blacklisted_images_rule = (
eval_result.bundle_decision.blacklisted_image.json()
if eval_result.bundle_decision.blacklisted_image else False)
resp.result = eval_result.as_table_json()
resp.created_at = int(time.time())
resp.evaluation_problems = [
problem_from_exception(i) for i in eval_result.errors
]
resp.evaluation_problems += [
problem_from_exception(i) for i in eval_result.warnings
]
if resp.evaluation_problems:
for i in resp.evaluation_problems:
log.warn(
"Returning evaluation response for image {}/{} w/tag {} and bundle {} that contains error: {}"
.format(user_id, image_id, tag, bundle["id"],
json.dumps(i.to_json())))
metrics.histogram_observe(
"anchore_policy_evaluation_time_seconds",
time.time() - timer,
status="fail",
)
else:
metrics.histogram_observe(
"anchore_policy_evaluation_time_seconds",
time.time() - timer,
status="success",
)
result = resp.to_json()
# Never let the cache block returning results
try:
if evaluation_cache_enabled and cache_mgr is not None:
cache_mgr.save(result)
except Exception as ex:
log.exception(
"Failed saving policy result in cache. Skipping and continuing."
)
db.commit()
return result
except HTTPException as e:
db.rollback()
log.exception("Caught exception in execution: {}".format(e))
raise
except Exception as e:
db.rollback()
log.exception("Failed processing bundle evaluation: {}".format(e))
return (
make_response_error(
"Unexpected internal error",
details={"message": str(e)},
in_httpcode=500,
),
500,
)
finally:
db.close()