def testDuplicateRuleEvaluation(self):
print('Building executable bundle from default bundle')
test_tag = 'docker.io/library/ruby:latest'
multi_gate_bundle = {
'id':
'multigate1',
'name':
'Multigate test1',
'version':
'1_0',
'policies': [{
'id':
'policy1',
'name':
'Test policy1',
'version':
'1_0',
'rules': [{
'gate': 'DOCKERFILECHECK',
'trigger': 'FROMSCRATCH',
'params': [],
'action': 'GO'
}, {
'gate': 'DOCKERFILECHECK',
'trigger': 'FROMSCRATCH',
'params': [],
'action': 'STOP'
}, {
'action':
'stop',
'gate':
'DOCKERFILECHECK',
'trigger':
'DIRECTIVECHECK',
'params': [{
'name': 'DIRECTIVES',
'value': 'RUN'
}, {
'name': 'CHECK',
'value': 'exists'
}]
}, {
'action':
'STOP',
'gate':
'DOCKERFILECHECK',
'trigger':
'DIRECTIVECHECK',
'params': [{
'name': 'DIRECTIVES',
'value': 'USER'
}, {
'name': 'CHECK',
'value': 'not_exists'
}]
}, {
'action':
'STOP',
'gate':
'DOCKERFILECHECK',
'trigger':
'DIRECTIVECHECK',
'params': [{
'name': 'DIRECTIVES',
'value': 'RUN'
}, {
'name': 'CHECK',
'value': '=',
'check_value': 'yum update -y'
}]
}]
}],
'whitelists': [],
'mappings': [{
'registry': '*',
'repository': '*',
'image': {
'type': 'tag',
'value': '*'
},
'policy_id': 'policy1',
'whitelist_ids': []
}]
}
built = build_bundle(multi_gate_bundle, for_tag=test_tag)
self.assertFalse(built.init_errors)
print('Got: {}'.format(built))
db = get_session()
img_obj = db.query(Image).get((self.test_image_ids['ruby'], '0'))
if not img_obj:
self.load_images()
self.assertIsNotNone(img_obj, 'Failed to get an image object to test')
evaluation = built.execute(img_obj,
tag=test_tag,
context=ExecutionContext(db_session=db,
configuration={}))
self.assertIsNotNone(evaluation, 'Got None eval')
print(json.dumps(evaluation.json(), indent=2))
print(json.dumps(evaluation.as_table_json(), indent=2))
def check_user_image_inline(user_id, image_id, tag, bundle):
"""
Execute a policy evaluation using the info in the request body including the bundle content
:param user_id:
:param image_id:
:param tag:
:param bundle:
:return:
"""
db = get_session()
try:
# Input validation
try:
img_obj = db.query(Image).get((image_id, user_id))
except:
abort(Response(response='Image not found', status=404))
if not img_obj:
log.info(
'Request for evaluation of image that cannot be found: user_id = {}, image_id = {}'
.format(user_id, image_id))
abort(Response(response='Image not found', status=404))
# Build bundle exec.
problems = []
executable_bundle = None
try:
executable_bundle = build_bundle(bundle, for_tag=tag)
if executable_bundle.init_errors:
problems = executable_bundle.init_errors
except InitializationError as e:
log.exception(
'Bundle construction and initialization returned errors')
problems = e.causes
if not problems:
# Execute bundle
try:
eval_result = executable_bundle.execute(
img_obj, tag,
ExecutionContext(db_session=db, configuration={}))
except Exception as e:
log.exception(
'Error executing policy bundle {} against image {} w/tag {}: {}'
.format(bundle['id'], image_id, tag, e.message))
abort(
Response(
response=
'Cannot execute given policy against the image due to errors executing the policy bundle: {}'
.format(e.message),
status=500))
else:
# Construct a failure eval with details on the errors and mappings to send to client
eval_result = build_empty_error_execution(img_obj,
tag,
executable_bundle,
errors=problems,
warnings=[])
if executable_bundle and executable_bundle.mapping and len(
executable_bundle.mapping.mapping_rules) == 1:
eval_result.executed_mapping = executable_bundle.mapping.mapping_rules[
0]
resp = PolicyEvaluation()
resp.user_id = user_id
resp.image_id = image_id
resp.tag = tag
resp.bundle = bundle
resp.matched_mapping_rule = eval_result.executed_mapping.json(
) if eval_result.executed_mapping else {}
resp.last_modified = int(time.time())
resp.final_action = eval_result.policy_decision.final_decision
resp.result = eval_result.as_table_json()
resp.created_at = int(time.time())
resp.evaluation_problems = [
problem_from_exception(i) for i in eval_result.errors
]
resp.evaluation_problems += [
problem_from_exception(i) for i in eval_result.warnings
]
if resp.evaluation_problems:
for i in resp.evaluation_problems:
log.warn(
'Returning evaluation response for image {}/{} w/tag {} and bundle {} that contains error: {}'
.format(user_id, image_id, tag, bundle['id'],
json.dumps(i.to_dict())))
return resp.to_dict()
except HTTPException as e:
db.rollback()
log.exception('Caught exception in execution: {}'.format(e))
raise
except Exception as e:
db.rollback()
log.exception('Failed processing bundle evaluation: {}'.format(e))
abort(Response('Unexpected internal error', 500))
finally:
db.close()
def testWhitelists(self):
print('Building executable bundle from default bundle')
test_tag = 'docker.io/library/ruby:latest'
built = build_bundle(self.default_bundle, for_tag=test_tag)
self.assertFalse(built.init_errors)
print('Got: {}'.format(built))
db = get_session()
img_obj = db.query(Image).get((self.test_image_ids['ruby'], '0'))
if not img_obj:
self.load_images()
self.assertIsNotNone(img_obj, 'Failed to get an image object to test')
evaluation = built.execute(img_obj,
tag=test_tag,
context=ExecutionContext(db_session=db,
configuration={}))
self.assertIsNotNone(evaluation, 'Got None eval')
print(json.dumps(evaluation.json(), indent=2))
print(json.dumps(evaluation.as_table_json(), indent=2))
to_whitelist = evaluation.bundle_decision.policy_decision.decisions[0]
whitelist_bundle = copy.deepcopy(self.default_bundle)
whitelist_bundle['whitelists'].append({
'id':
'generated_whitelist1',
'name':
'test_whitelist',
'version':
'1_0',
'items': [{
'gate': to_whitelist.match.trigger.gate_cls.__gate_name__,
'trigger_id': to_whitelist.match.id,
'id': 'test_whitelistitem'
}]
})
whitelist_bundle['mappings'][0]['whitelist_ids'] = [
'generated_whitelist1'
]
built = build_bundle(whitelist_bundle, for_tag=test_tag)
print('Got updated: {}'.format(built))
db = get_session()
img_obj = db.query(Image).get((self.test_image_ids['ruby'], '0'))
if not img_obj:
self.load_images()
self.assertIsNotNone(img_obj, 'Failed to get an image object to test')
evaluation = built.execute(img_obj,
tag=test_tag,
context=ExecutionContext(db_session=db,
configuration={}))
self.assertIsNotNone(evaluation, 'Got None eval')
#print(json.dumps(evaluation.json(), indent=2))
#print(json.dumps(evaluation.as_table_json(), indent=2))
self.assertNotIn(
to_whitelist.match.id,
map(
lambda x: x.match.id
if not (hasattr(x.match, 'is_whitelisted') and x.match.
is_whitelisted) else None,
evaluation.bundle_decision.policy_decision.decisions))
def testDeprecatedGateEvaluation(self):
bundle = {
'id':
'someid',
'version':
'1_0',
'whitelists': [],
'policies': [{
'id':
'abc',
'name':
'Deprecated Policy',
'version':
'1_0',
'rules': [{
'gate': 'PKGDIFF',
'trigger': 'pkgadd',
'params': [],
'action': 'stop'
}, {
'gate': 'always',
'trigger': 'always',
'action': 'go',
'params': []
}, {
'gate': 'ANCHORESEC',
'trigger': 'VULNLOW',
'action': 'warn',
'params': []
}]
}],
'mappings': [{
'registry': '*',
'repository': '*',
'image': {
'type': 'tag',
'value': '*'
},
'name': 'Default',
'policy_id': 'abc',
'whitelist_ids': []
}]
}
print('Building executable bundle from default bundle')
test_tag = 'docker.io/library/ruby:latest'
with self.assertRaises(InitializationError) as ex:
built = build_bundle(bundle,
for_tag=test_tag,
allow_deprecated=False)
print('Got: {}'.format(built))
db = get_session()
img_obj = db.query(Image).get((self.test_image_ids['ruby'], '0'))
if not img_obj:
self.load_images()
self.assertIsNotNone(img_obj,
'Failed to get an image object to test')
evaluation = built.execute(img_obj,
tag=test_tag,
context=ExecutionContext(
db_session=db, configuration={}))
built = build_bundle(bundle, for_tag=test_tag, allow_deprecated=True)
print('Got: {}'.format(built))
db = get_session()
img_obj = db.query(Image).get((self.test_image_ids['ruby'], '0'))
if not img_obj:
self.load_images()
self.assertIsNotNone(img_obj, 'Failed to get an image object to test')
evaluation = built.execute(img_obj,
tag=test_tag,
context=ExecutionContext(db_session=db,
configuration={}))
self.assertIsNotNone(evaluation, 'Got None eval')
print('Result: {}'.format(json.dumps(evaluation.json(), indent=2)))
self.assertIsNotNone(evaluation.warnings)
def get_initialized_trigger(self, name, config=None, **kwargs):
clazz = self.gate_clazz.get_trigger_named(name)
trigger = clazz(self.gate_clazz, **kwargs)
context = ExecutionContext(db_session=None, configuration=config)
gate = trigger.gate_cls()
return trigger, gate, context
def test_whitelists(test_data_env_with_images_loaded):
logger.info('Building executable bundle from default bundle')
test_tag = 'docker.io/library/ruby:latest'
built = build_bundle(
test_data_env_with_images_loaded.get_bundle('default'),
for_tag=test_tag)
assert not built.init_errors
logger.info('Got: {}'.format(built))
db = get_thread_scoped_session()
img_obj = get_image_named(db, test_data_env_with_images_loaded, 'ruby')
assert img_obj is not None
assert img_obj is not None, 'Failed to get an image object to test'
evaluation = built.execute(img_obj,
tag=test_tag,
context=ExecutionContext(db_session=db,
configuration={}))
assert evaluation is not None, 'Got None eval'
logger.info(json.dumps(evaluation.json(), indent=2))
logger.info(json.dumps(evaluation.as_table_json(), indent=2))
to_whitelist = evaluation.bundle_decision.policy_decisions[0].decisions[0]
whitelist_bundle = copy.deepcopy(
test_data_env_with_images_loaded.get_bundle('default'))
whitelist_bundle['whitelists'].append({
'id':
'generated_whitelist1',
'name':
'test_whitelist',
'version':
'1_0',
'items': [{
'gate': to_whitelist.match.trigger.gate_cls.__gate_name__,
'trigger_id': to_whitelist.match.id,
'id': 'test_whitelistitem'
}]
})
whitelist_bundle['mappings'][0]['whitelist_ids'] = ['generated_whitelist1']
built = build_bundle(whitelist_bundle, for_tag=test_tag)
logger.info('Got updated: {}'.format(built))
img_obj = get_image_named(db, test_data_env_with_images_loaded, 'ruby')
assert img_obj is not None
assert img_obj is not None
evaluation = built.execute(img_obj,
tag=test_tag,
context=ExecutionContext(db_session=db,
configuration={}))
assert evaluation is not None
#logger.info(json.dumps(evaluation.json(), indent=2))
#logger.info(json.dumps(evaluation.as_table_json(), indent=2))
assert to_whitelist.match.id not in [
x.match.id
if not (hasattr(x.match, 'is_whitelisted') and x.match.is_whitelisted)
else None
for x in evaluation.bundle_decision.policy_decisions[0].decisions
]
def testDeprecatedGateEvaluationOk(test_data_env_with_images_loaded):
"""
Test the policy build with deprecated explicitly allowed.
:return:
"""
bundle = {
"id":
"someid",
"version":
"1_0",
"whitelists": [],
"policies": [{
"id":
"abc",
"name":
"Deprecated Policy",
"version":
"1_0",
"rules": [
{
"gate": "PKGDIFF",
"trigger": "pkgadd",
"params": [],
"action": "stop",
},
{
"gate": "always",
"trigger": "always",
"action": "go",
"params": [],
},
{
"gate": "ANCHORESEC",
"trigger": "VULNLOW",
"action": "warn",
"params": [],
},
],
}],
"mappings": [{
"registry": "*",
"repository": "*",
"image": {
"type": "tag",
"value": "*"
},
"name": "Default",
"policy_id": "abc",
"whitelist_ids": [],
}],
}
logger.info("Building executable bundle from default bundle")
test_tag = "docker.io/library/ruby:latest"
db = get_thread_scoped_session()
built = build_bundle(bundle, for_tag=test_tag, allow_deprecated=True)
logger.info("Got: {}".format(built))
img_obj = get_image_named(db, test_data_env_with_images_loaded, "ruby")
assert img_obj is not None, "Failed to get an image object to test"
evaluation = built.execute(img_obj,
tag=test_tag,
context=ExecutionContext(db_session=db,
configuration={}))
assert evaluation is not None, "Got None eval"
logger.info("Result: {}".format(json.dumps(evaluation.json(), indent=2)))
assert evaluation.warnings is not None
def exec_context():
mock_db = Mock()
mock_db.query().filter().all = npm_metadata
return ExecutionContext(db_session=mock_db, configuration={})
def test_whitelists(test_data_env_with_images_loaded):
logger.info("Building executable bundle from default bundle")
test_tag = "docker.io/library/ruby:latest"
built = build_bundle(
test_data_env_with_images_loaded.get_bundle("default"),
for_tag=test_tag)
assert not built.init_errors
logger.info("Got: {}".format(built))
db = get_thread_scoped_session()
img_obj = get_image_named(db, test_data_env_with_images_loaded, "ruby")
assert img_obj is not None
assert img_obj is not None, "Failed to get an image object to test"
evaluation = built.execute(img_obj,
tag=test_tag,
context=ExecutionContext(db_session=db,
configuration={}))
assert evaluation is not None, "Got None eval"
logger.info(json.dumps(evaluation.json(), indent=2))
logger.info(json.dumps(evaluation.as_table_json(), indent=2))
to_whitelist = evaluation.bundle_decision.policy_decisions[0].decisions[0]
whitelist_bundle = copy.deepcopy(
test_data_env_with_images_loaded.get_bundle("default"))
whitelist_bundle["whitelists"].append({
"id":
"generated_whitelist1",
"name":
"test_whitelist",
"version":
"1_0",
"items": [{
"gate": to_whitelist.match.trigger.gate_cls.__gate_name__,
"trigger_id": to_whitelist.match.id,
"id": "test_whitelistitem",
}],
})
whitelist_bundle["mappings"][0]["whitelist_ids"] = ["generated_whitelist1"]
built = build_bundle(whitelist_bundle, for_tag=test_tag)
logger.info("Got updated: {}".format(built))
img_obj = get_image_named(db, test_data_env_with_images_loaded, "ruby")
assert img_obj is not None
assert img_obj is not None
evaluation = built.execute(img_obj,
tag=test_tag,
context=ExecutionContext(db_session=db,
configuration={}))
assert evaluation is not None
# logger.info(json.dumps(evaluation.json(), indent=2))
# logger.info(json.dumps(evaluation.as_table_json(), indent=2))
assert to_whitelist.match.id not in [
x.match.id
if not (hasattr(x.match, "is_whitelisted") and x.match.is_whitelisted)
else None
for x in evaluation.bundle_decision.policy_decisions[0].decisions
]
def test_deprecated_gate_evaluation_error(test_data_env_with_images_loaded):
"""
Test the policy build of deprecated gates with deprecated explicitly disallowed
:return:
"""
bundle = {
"id":
"someid",
"version":
"1_0",
"whitelists": [],
"policies": [{
"id":
"abc",
"name":
"Deprecated Policy",
"version":
"1_0",
"rules": [
{
"gate": "PKGDIFF",
"trigger": "pkgadd",
"params": [],
"action": "stop",
},
{
"gate": "always",
"trigger": "always",
"action": "go",
"params": [],
},
{
"gate": "ANCHORESEC",
"trigger": "VULNLOW",
"action": "warn",
"params": [],
},
],
}],
"mappings": [{
"registry": "*",
"repository": "*",
"image": {
"type": "tag",
"value": "*"
},
"name": "Default",
"policy_id": "abc",
"whitelist_ids": [],
}],
}
logger.info("Building executable bundle from default bundle")
test_tag = "docker.io/library/ruby:latest"
db = get_thread_scoped_session()
with pytest.raises(InitializationError) as ex:
built = build_bundle(bundle, for_tag=test_tag, allow_deprecated=False)
logger.info("Got: {}".format(built))
img_obj = get_image_named(db, test_data_env_with_images_loaded, "ruby")
assert img_obj is not None, "Failed to get an image object to test"
evaluation = built.execute(
img_obj,
tag=test_tag,
context=ExecutionContext(db_session=db, configuration={}),
)
def test_image_blacklist(test_data_env_with_images_loaded):
bundle = {
"id":
"multigate1",
"name":
"Multigate test1",
"version":
"1_0",
"policies": [{
"id":
"policy1",
"name":
"Test policy1",
"version":
"1_0",
"rules": [{
"gate": "always",
"trigger": "always",
"params": [],
"action": "STOP",
}],
}],
"whitelists": [],
"mappings": [{
"registry": "*",
"repository": "*",
"image": {
"type": "tag",
"value": "*"
},
"policy_id": "policy1",
"whitelist_ids": [],
}],
"blacklisted_images": [{
"registry": "*",
"repository": "*",
"image": {
"type": "tag",
"value": "latest"
},
}],
"whitelisted_images": [],
}
db = get_thread_scoped_session()
img_obj = get_image_named(db, test_data_env_with_images_loaded, "ruby")
assert img_obj is not None
assert img_obj is not None, "Failed to get an image object to test"
test_tag = "docker.io/library/ruby:alpine"
built = build_bundle(bundle, for_tag=test_tag)
evaluation = built.execute(img_obj,
tag=test_tag,
context=ExecutionContext(db_session=db,
configuration={}))
assert evaluation is not None
assert GateAction.stop == evaluation.bundle_decision.final_decision
assert "policy_evaluation" == evaluation.bundle_decision.reason
assert img_obj is not None, "Failed to get an image object to test"
test_tag = "docker.io/library/ruby:latest"
built = build_bundle(bundle, for_tag=test_tag)
evaluation = built.execute(img_obj,
tag=test_tag,
context=ExecutionContext(db_session=db,
configuration={}))
assert evaluation is not None
assert GateAction.stop == evaluation.bundle_decision.final_decision
assert "blacklisted" == evaluation.bundle_decision.reason
bundle = {
"id":
"emptytest1",
"name":
"Empty mapping test1",
"version":
"1_0",
"policies": [],
"whitelists": [],
"mappings": [],
"blacklisted_images": [{
"registry": "*",
"repository": "*",
"image": {
"type": "tag",
"value": "*"
}
}],
"whitelisted_images": [],
}
built = build_bundle(bundle, for_tag=test_tag)
evaluation = built.execute(img_obj,
tag=test_tag,
context=ExecutionContext(db_session=db,
configuration={}))
assert evaluation is not None
assert GateAction.stop == evaluation.bundle_decision.final_decision
assert "blacklisted" == evaluation.bundle_decision.reason
bundle = {
"id":
"emptytest1",
"name":
"Empty mapping test1",
"version":
"1_0",
"policies": [],
"whitelists": [],
"mappings": [],
"whitelisted_images": [{
"registry": "*",
"repository": "*",
"image": {
"type": "tag",
"value": "*"
}
}],
"blacklisted_images": [],
}
built = build_bundle(bundle, for_tag=test_tag)
evaluation = built.execute(img_obj,
tag=test_tag,
context=ExecutionContext(db_session=db,
configuration={}))
assert evaluation is not None
assert GateAction.go == evaluation.bundle_decision.final_decision
assert "whitelisted" == evaluation.bundle_decision.reason
def test_duplicate_rule_evaluation(test_data_env_with_images_loaded):
logger.info("Building executable bundle from default bundle")
test_tag = "docker.io/library/ruby:latest"
multi_gate_bundle = {
"id":
"multigate1",
"name":
"Multigate test1",
"version":
"1_0",
"policies": [{
"id":
"policy1",
"name":
"Test policy1",
"version":
"1_0",
"rules": [
{
"gate": "always",
"trigger": "always",
"params": [],
"action": "GO",
},
{
"gate": "always",
"trigger": "always",
"params": [],
"action": "STOP",
},
{
"action":
"stop",
"gate":
"dockerfile",
"trigger":
"instruction",
"params": [
{
"name": "instruction",
"value": "RUN"
},
{
"name": "check",
"value": "exists"
},
],
},
{
"action":
"STOP",
"gate":
"dockerfile",
"trigger":
"instruction",
"params": [
{
"name": "instruction",
"value": "USER"
},
{
"name": "CHECK",
"value": "not_exists"
},
],
},
{
"action":
"STOP",
"gate":
"dockerfile",
"trigger":
"instruction",
"params": [
{
"name": "instruction",
"value": "RUN"
},
{
"name": "CHECK",
"value": "=",
"check_value": "yum update -y",
},
],
},
],
}],
"whitelists": [],
"mappings": [{
"registry": "*",
"repository": "*",
"image": {
"type": "tag",
"value": "*"
},
"policy_id": "policy1",
"whitelist_ids": [],
}],
}
built = build_bundle(multi_gate_bundle, for_tag=test_tag)
assert not built.init_errors
logger.info("Got: {}".format(built))
db = get_thread_scoped_session()
img_obj = get_image_named(db, test_data_env_with_images_loaded, "ruby")
assert img_obj is not None
assert img_obj is not None, "Failed to get an image object to test"
evaluation = built.execute(img_obj,
tag=test_tag,
context=ExecutionContext(db_session=db,
configuration={}))
assert evaluation is not None, "Got None eval"
logger.info(json.dumps(evaluation.json(), indent=2))
logger.info(json.dumps(evaluation.as_table_json(), indent=2))
def testDeprecatedGateEvaluationOk(test_data_env_with_images_loaded):
"""
Test the policy build with deprecated explicitly allowed.
:return:
"""
bundle = {
'id':
'someid',
'version':
'1_0',
'whitelists': [],
'policies': [{
'id':
'abc',
'name':
'Deprecated Policy',
'version':
'1_0',
'rules': [{
'gate': 'PKGDIFF',
'trigger': 'pkgadd',
'params': [],
'action': 'stop'
}, {
'gate': 'always',
'trigger': 'always',
'action': 'go',
'params': []
}, {
'gate': 'ANCHORESEC',
'trigger': 'VULNLOW',
'action': 'warn',
'params': []
}]
}],
'mappings': [{
'registry': '*',
'repository': '*',
'image': {
'type': 'tag',
'value': '*'
},
'name': 'Default',
'policy_id': 'abc',
'whitelist_ids': []
}]
}
logger.info('Building executable bundle from default bundle')
test_tag = 'docker.io/library/ruby:latest'
db = get_thread_scoped_session()
built = build_bundle(bundle, for_tag=test_tag, allow_deprecated=True)
logger.info('Got: {}'.format(built))
img_obj = get_image_named(db, test_data_env_with_images_loaded, 'ruby')
assert img_obj is not None, 'Failed to get an image object to test'
evaluation = built.execute(img_obj,
tag=test_tag,
context=ExecutionContext(db_session=db,
configuration={}))
assert evaluation is not None, 'Got None eval'
logger.info('Result: {}'.format(json.dumps(evaluation.json(), indent=2)))
assert evaluation.warnings is not None
def check_user_image_inline(user_id, image_id, tag, bundle):
"""
Execute a policy evaluation using the info in the request body including the bundle content
:param user_id:
:param image_id:
:param tag:
:param bundle:
:return:
"""
timer = time.time()
db = get_session()
try:
# Input validation
if tag is None:
# set tag value to a value that only matches wildcards
tag = '*/*:*'
try:
img_obj = db.query(Image).get((image_id, user_id))
except:
abort(Response(response='Image not found', status=404))
if not img_obj:
log.info(
'Request for evaluation of image that cannot be found: user_id = {}, image_id = {}'
.format(user_id, image_id))
abort(Response(response='Image not found', status=404))
# Build bundle exec.
problems = []
executable_bundle = None
try:
# Allow deprecated gates here to support upgrade cases from old policy bundles.
executable_bundle = build_bundle(bundle,
for_tag=tag,
allow_deprecated=True)
if executable_bundle.init_errors:
problems = executable_bundle.init_errors
except InitializationError as e:
log.exception(
'Bundle construction and initialization returned errors')
problems = e.causes
eval_result = None
if not problems:
# Execute bundle
try:
eval_result = executable_bundle.execute(
img_obj, tag,
ExecutionContext(db_session=db, configuration={}))
except Exception as e:
log.exception(
'Error executing policy bundle {} against image {} w/tag {}: {}'
.format(bundle['id'], image_id, tag, e.message))
abort(
Response(
response=
'Cannot execute given policy against the image due to errors executing the policy bundle: {}'
.format(e.message),
status=500))
else:
# Construct a failure eval with details on the errors and mappings to send to client
eval_result = build_empty_error_execution(img_obj,
tag,
executable_bundle,
errors=problems,
warnings=[])
if executable_bundle and executable_bundle.mapping and len(
executable_bundle.mapping.mapping_rules) == 1:
eval_result.executed_mapping = executable_bundle.mapping.mapping_rules[
0]
resp = PolicyEvaluation()
resp.user_id = user_id
resp.image_id = image_id
resp.tag = tag
resp.bundle = bundle
resp.matched_mapping_rule = eval_result.executed_mapping.json(
) if eval_result.executed_mapping else False
resp.last_modified = int(time.time())
resp.final_action = eval_result.bundle_decision.final_decision.name
resp.final_action_reason = eval_result.bundle_decision.reason
resp.matched_whitelisted_images_rule = eval_result.bundle_decision.whitelisted_image.json(
) if eval_result.bundle_decision.whitelisted_image else False
resp.matched_blacklisted_images_rule = eval_result.bundle_decision.blacklisted_image.json(
) if eval_result.bundle_decision.blacklisted_image else False
resp.result = eval_result.as_table_json()
resp.created_at = int(time.time())
resp.evaluation_problems = [
problem_from_exception(i) for i in eval_result.errors
]
resp.evaluation_problems += [
problem_from_exception(i) for i in eval_result.warnings
]
if resp.evaluation_problems:
for i in resp.evaluation_problems:
log.warn(
'Returning evaluation response for image {}/{} w/tag {} and bundle {} that contains error: {}'
.format(user_id, image_id, tag, bundle['id'],
json.dumps(i.to_dict())))
anchore_engine.subsys.metrics.histogram_observe(
'anchore_policy_evaluation_time_seconds',
time.time() - timer,
status="fail")
else:
anchore_engine.subsys.metrics.histogram_observe(
'anchore_policy_evaluation_time_seconds',
time.time() - timer,
status="success")
return resp.to_dict()
except HTTPException as e:
db.rollback()
log.exception('Caught exception in execution: {}'.format(e))
raise
except Exception as e:
db.rollback()
log.exception('Failed processing bundle evaluation: {}'.format(e))
abort(Response('Unexpected internal error', 500))
finally:
db.close()
def check_user_image_inline(user_id, image_id, tag, bundle):
"""
Execute a policy evaluation using the info in the request body including the bundle content
:param user_id:
:param image_id:
:param tag:
:param bundle:
:return:
"""
timer = time.time()
db = get_session()
cache_mgr = None
try:
# Input validation
if tag is None:
# set tag value to a value that only matches wildcards
tag = "*/*:*"
try:
img_obj = db.query(Image).get((image_id, user_id))
except:
return make_response_error("Image not found", in_httpcode=404), 404
if not img_obj:
log.info(
"Request for evaluation of image that cannot be found: user_id = {}, image_id = {}"
.format(user_id, image_id))
return make_response_error("Image not found", in_httpcode=404), 404
if evaluation_cache_enabled:
timer2 = time.time()
try:
try:
conn_timeout = (
ApiRequestContextProxy.get_service().configuration.get(
"catalog_client_conn_timeout",
DEFAULT_CACHE_CONN_TIMEOUT))
read_timeout = (
ApiRequestContextProxy.get_service().configuration.get(
"catalog_client_read_timeout",
DEFAULT_CACHE_READ_TIMEOUT))
cache_mgr = EvaluationCacheManager(img_obj, tag, bundle,
conn_timeout,
read_timeout)
except ValueError as err:
log.warn(
"Could not leverage cache due to error in bundle data: {}"
.format(err))
cache_mgr = None
if cache_mgr is None:
log.info(
"Could not initialize cache manager for policy evaluation, skipping cache usage"
)
else:
cached_result = cache_mgr.refresh()
if cached_result:
metrics.counter_inc(
name="anchore_policy_evaluation_cache_hits")
metrics.histogram_observe(
"anchore_policy_evaluation_cache_access_latency",
time.time() - timer2,
status="hit",
)
log.info(
"Returning cached result of policy evaluation for {}/{}, with tag {} and bundle {} with digest {}. Last evaluation: {}"
.format(
user_id,
image_id,
tag,
cache_mgr.bundle_id,
cache_mgr.bundle_digest,
cached_result.get("last_modified"),
))
return cached_result
else:
metrics.counter_inc(
name="anchore_policy_evaluation_cache_misses")
metrics.histogram_observe(
"anchore_policy_evaluation_cache_access_latency",
time.time() - timer2,
status="miss",
)
log.info(
"Policy evaluation not cached, or invalid, executing evaluation for {}/{} with tag {} and bundle {} with digest {}"
.format(
user_id,
image_id,
tag,
cache_mgr.bundle_id,
cache_mgr.bundle_digest,
))
except Exception as ex:
log.exception(
"Unexpected error operating on policy evaluation cache. Skipping use of cache."
)
else:
log.info("Policy evaluation cache disabled. Executing evaluation")
# Build bundle exec.
problems = []
executable_bundle = None
try:
# Allow deprecated gates here to support upgrade cases from old policy bundles.
executable_bundle = build_bundle(bundle,
for_tag=tag,
allow_deprecated=True)
if executable_bundle.init_errors:
problems = executable_bundle.init_errors
except InitializationError as e:
log.exception(
"Bundle construction and initialization returned errors")
problems = e.causes
eval_result = None
if not problems:
# Execute bundle
try:
eval_result = executable_bundle.execute(
img_obj, tag,
ExecutionContext(db_session=db, configuration={}))
except Exception as e:
log.exception(
"Error executing policy bundle {} against image {} w/tag {}: {}"
.format(bundle["id"], image_id, tag, e))
return (
make_response_error(
"Internal bundle evaluation error",
details={
"message":
"Cannot execute given policy against the image due to errors executing the policy bundle: {}"
.format(e)
},
in_httpcode=500,
),
500,
)
else:
# Construct a failure eval with details on the errors and mappings to send to client
eval_result = build_empty_error_execution(img_obj,
tag,
executable_bundle,
errors=problems,
warnings=[])
if (executable_bundle and executable_bundle.mapping
and len(executable_bundle.mapping.mapping_rules) == 1):
eval_result.executed_mapping = executable_bundle.mapping.mapping_rules[
0]
resp = PolicyEvaluation()
resp.user_id = user_id
resp.image_id = image_id
resp.tag = tag
resp.bundle = bundle
resp.matched_mapping_rule = (eval_result.executed_mapping.json() if
eval_result.executed_mapping else False)
resp.last_modified = int(time.time())
resp.final_action = eval_result.bundle_decision.final_decision.name
resp.final_action_reason = eval_result.bundle_decision.reason
resp.matched_whitelisted_images_rule = (
eval_result.bundle_decision.whitelisted_image.json()
if eval_result.bundle_decision.whitelisted_image else False)
resp.matched_blacklisted_images_rule = (
eval_result.bundle_decision.blacklisted_image.json()
if eval_result.bundle_decision.blacklisted_image else False)
resp.result = eval_result.as_table_json()
resp.created_at = int(time.time())
resp.evaluation_problems = [
problem_from_exception(i) for i in eval_result.errors
]
resp.evaluation_problems += [
problem_from_exception(i) for i in eval_result.warnings
]
if resp.evaluation_problems:
for i in resp.evaluation_problems:
log.warn(
"Returning evaluation response for image {}/{} w/tag {} and bundle {} that contains error: {}"
.format(user_id, image_id, tag, bundle["id"],
json.dumps(i.to_json())))
metrics.histogram_observe(
"anchore_policy_evaluation_time_seconds",
time.time() - timer,
status="fail",
)
else:
metrics.histogram_observe(
"anchore_policy_evaluation_time_seconds",
time.time() - timer,
status="success",
)
result = resp.to_json()
# Never let the cache block returning results
try:
if evaluation_cache_enabled and cache_mgr is not None:
cache_mgr.save(result)
except Exception as ex:
log.exception(
"Failed saving policy result in cache. Skipping and continuing."
)
db.commit()
return result
except HTTPException as e:
db.rollback()
log.exception("Caught exception in execution: {}".format(e))
raise
except Exception as e:
db.rollback()
log.exception("Failed processing bundle evaluation: {}".format(e))
return (
make_response_error(
"Unexpected internal error",
details={"message": str(e)},
in_httpcode=500,
),
500,
)
finally:
db.close()
def testRegexes(self):
"""
Test regular expressions in the trigger_id part of the WL rule
:return:
"""
print('Building executable bundle from default bundle')
test_tag = 'docker.io/library/node:latest'
bundle = copy.deepcopy(self.default_bundle)
node_whitelist = [
x for x in bundle['whitelists'] if x['id'] == 'wl_jessie'
][0]
node_whitelist['items'] = [
x for x in node_whitelist['items'] if 'binutils' in x['trigger_id']
]
node_whitelist['items'].append({
'gate': 'ANCHORESEC',
'trigger_id': 'CVE-2016-6515+openssh-client',
'id': 'testinserted3'
})
node_whitelist['items'].append({
'gate': 'ANCHORESEC',
'trigger_id': 'CVE-2016-6515+*',
'id': 'test-cve-2016-6515'
})
node_whitelist['items'].append({
'gate': 'ANCHORESEC',
'trigger_id': 'CVE-2017*',
'id': 'testinserted2'
})
node_whitelist['items'].append({
'gate': 'ANCHORESEC',
'trigger_id': '*binutils*',
'id': 'testinserted1'
})
db = get_session()
img_obj = db.query(Image).get(
(self.test_env.get_images_named('node')[0][0], '0'))
if not img_obj:
self.load_images()
self.assertIsNotNone(img_obj, 'Failed to get an image object to test')
ExecutableWhitelist._use_indexes = True
built = build_bundle(bundle, for_tag=test_tag)
self.assertFalse(built.init_errors)
print('Executing with indexes')
t = time.time()
evaluation = built.execute(img_obj,
tag=test_tag,
context=ExecutionContext(db_session=db,
configuration={}))
t1 = time.time() - t
print(('Took: {}'.format(t1)))
self.assertIsNotNone(evaluation, 'Got None eval')
ExecutableWhitelist._use_indexes = False
non_index_built = build_bundle(bundle, for_tag=test_tag)
self.assertFalse(non_index_built.init_errors)
print('Executing without indexes')
t2 = time.time()
evaluation2 = non_index_built.execute(img_obj,
tag=test_tag,
context=ExecutionContext(
db_session=db,
configuration={}))
t2 = time.time() - t2
print(('Took: {}'.format(t2)))
self.assertIsNotNone(evaluation2, 'Got None eval')
ExecutableWhitelist._use_indexes = True
self.assertListEqual(
evaluation.json()['bundle_decision']['policy_decisions'][0]
['decisions'],
evaluation2.json()['bundle_decision']['policy_decisions'][0]
['decisions'])
print(('Evaluation: {}'.format(json.dumps(evaluation.json(),
indent=2))))
open_ssl_wl_match = {
"action": "go",
"rule": {
"action": "stop",
"gate": "ANCHORESEC",
"trigger": "VULNHIGH",
"params": {}
},
"match": {
"message":
"HIGH Vulnerability found in package - openssh-client (CVE-2016-6515 - https://security-tracker.debian.org/tracker/CVE-2016-6515)",
"trigger": "VULNHIGH",
"whitelisted": {
"whitelist_id": "wl_jessie",
"matched_rule_id": "testinserted3",
"whitelist_name": "CVE whitelist for jessie - 12092017"
},
"trigger_id": "CVE-2016-6515+openssh-client"
}
}
self.assertIn(
open_ssl_wl_match,
evaluation.json()['bundle_decision']['policy_decisions'][0]
['decisions'])
self.assertGreaterEqual(
len([
x for x in evaluation.json()['bundle_decision']
['policy_decisions'][0]['decisions']
if x['match'].get('whitelisted', {}).get(
'matched_rule_id',
'') in ['testinserted1', 'testinserted2', 'testinserted3']
]), 1)
def test_regexes(large_whitelist, test_data_env_with_images_loaded):
"""
Test regular expressions in the trigger_id part of the WL rule
:return:
"""
logger.info('Building executable bundle from default bundle')
test_tag = 'docker.io/library/node:latest'
bundle = copy.deepcopy(default_bundle)
node_whitelist = [
x for x in bundle['whitelists'] if x['id'] == 'wl_jessie'
][0]
node_whitelist['items'] = [
x for x in node_whitelist['items'] if 'binutils' in x['trigger_id']
]
node_whitelist['items'].append({
'gate': 'vulnerabilities',
'trigger_id': 'CVE-2016-6515+openssh-client',
'id': 'testinserted3'
})
node_whitelist['items'].append({
'gate': 'vulnerabilities',
'trigger_id': 'CVE-2016-6515+*',
'id': 'test-cve-2016-6515'
})
node_whitelist['items'].append({
'gate': 'vulnerabilities',
'trigger_id': 'CVE-2017*',
'id': 'testinserted2'
})
node_whitelist['items'].append({
'gate': 'vulnerabilities',
'trigger_id': '*binutils*',
'id': 'testinserted1'
})
db = get_session()
img_obj = db.query(Image).get(
(test_data_env_with_images_loaded.get_images_named('node')[0][0], '0'))
assert img_obj is not None
ExecutableWhitelist._use_indexes = True
built = build_bundle(bundle, for_tag=test_tag)
assert not built.init_errors
logger.info('Executing with indexes')
t = time.time()
evaluation = built.execute(img_obj,
tag=test_tag,
context=ExecutionContext(db_session=db,
configuration={}))
t1 = time.time() - t
logger.info(('Took: {}'.format(t1)))
assert evaluation is not None
ExecutableWhitelist._use_indexes = False
non_index_built = build_bundle(bundle, for_tag=test_tag)
assert not non_index_built.init_errors
logger.info('Executing without indexes')
t2 = time.time()
evaluation2 = non_index_built.execute(img_obj,
tag=test_tag,
context=ExecutionContext(
db_session=db, configuration={}))
t2 = time.time() - t2
logger.info(('Took: {}'.format(t2)))
assert evaluation2 is not None
ExecutableWhitelist._use_indexes = True
assert evaluation.json()['bundle_decision']['policy_decisions'][0][
'decisions'] == evaluation2.json(
)['bundle_decision']['policy_decisions'][0]['decisions']
logger.info(
('Evaluation: {}'.format(json.dumps(evaluation.json(), indent=2))))
open_ssl_wl_match = {
"action": "go",
"rule": {
"action": "stop",
"gate": "vulnerabilities",
"trigger": "package",
"params": {}
},
"match": {
"message":
"HIGH Vulnerability found in package - openssh-client (CVE-2016-6515 - https://security-tracker.debian.org/tracker/CVE-2016-6515)",
"trigger": "package",
"whitelisted": {
"whitelist_id": "wl_jessie",
"matched_rule_id": "testinserted3",
"whitelist_name": "CVE whitelist for jessie - 12092017"
},
"trigger_id": "CVE-2016-6515+openssh-client"
}
}
assert open_ssl_wl_match in evaluation.json(
)['bundle_decision']['policy_decisions'][0]['decisions']
assert len([
x for x in evaluation.json()['bundle_decision']['policy_decisions'][0]
['decisions']
if x['match'].get('whitelisted', {}).get('matched_rule_id', '') in
['testinserted1', 'testinserted2', 'testinserted3']
]) >= 1
def exec_context():
return ExecutionContext(db_session=None, configuration={})
def test_image_blacklist(self):
bundle = {
'id':
'multigate1',
'name':
'Multigate test1',
'version':
'1_0',
'policies': [{
'id':
'policy1',
'name':
'Test policy1',
'version':
'1_0',
'rules': [{
'gate': 'always',
'trigger': 'always',
'params': [],
'action': 'STOP'
}]
}],
'whitelists': [],
'mappings': [{
'registry': '*',
'repository': '*',
'image': {
'type': 'tag',
'value': '*'
},
'policy_id': 'policy1',
'whitelist_ids': []
}],
'blacklisted_images': [{
'registry': '*',
'repository': '*',
'image': {
'type': 'tag',
'value': 'latest'
}
}],
'whitelisted_images': []
}
db = get_session()
img_obj = db.query(Image).get((self.test_image_ids['ruby'], '0'))
if not img_obj:
self.load_images()
self.assertIsNotNone(img_obj, 'Failed to get an image object to test')
test_tag = 'docker.io/library/ruby:alpine'
built = build_bundle(bundle, for_tag=test_tag)
evaluation = built.execute(img_obj,
tag=test_tag,
context=ExecutionContext(db_session=db,
configuration={}))
self.assertIsNotNone(evaluation)
self.assertEqual(GateAction.stop,
evaluation.bundle_decision.final_decision)
self.assertEqual('policy_evaluation',
evaluation.bundle_decision.reason)
self.assertIsNotNone(img_obj, 'Failed to get an image object to test')
test_tag = 'docker.io/library/ruby:latest'
built = build_bundle(bundle, for_tag=test_tag)
evaluation = built.execute(img_obj,
tag=test_tag,
context=ExecutionContext(db_session=db,
configuration={}))
self.assertIsNotNone(evaluation)
self.assertEqual(GateAction.stop,
evaluation.bundle_decision.final_decision)
self.assertEqual('blacklisted', evaluation.bundle_decision.reason)
bundle = {
'id':
'emptytest1',
'name':
'Empty mapping test1',
'version':
'1_0',
'policies': [],
'whitelists': [],
'mappings': [],
'blacklisted_images': [{
'registry': '*',
'repository': '*',
'image': {
'type': 'tag',
'value': '*'
}
}],
'whitelisted_images': []
}
built = build_bundle(bundle, for_tag=test_tag)
evaluation = built.execute(img_obj,
tag=test_tag,
context=ExecutionContext(db_session=db,
configuration={}))
self.assertIsNotNone(evaluation)
self.assertEqual(GateAction.stop,
evaluation.bundle_decision.final_decision)
self.assertEqual('blacklisted', evaluation.bundle_decision.reason)
bundle = {
'id':
'emptytest1',
'name':
'Empty mapping test1',
'version':
'1_0',
'policies': [],
'whitelists': [],
'mappings': [],
'whitelisted_images': [{
'registry': '*',
'repository': '*',
'image': {
'type': 'tag',
'value': '*'
}
}],
'blacklisted_images': []
}
built = build_bundle(bundle, for_tag=test_tag)
evaluation = built.execute(img_obj,
tag=test_tag,
context=ExecutionContext(db_session=db,
configuration={}))
self.assertIsNotNone(evaluation)
self.assertEqual(GateAction.go,
evaluation.bundle_decision.final_decision)
self.assertEqual('whitelisted', evaluation.bundle_decision.reason)
def test_image_blacklist(test_data_env_with_images_loaded):
bundle = {
'id':
'multigate1',
'name':
'Multigate test1',
'version':
'1_0',
'policies': [{
'id':
'policy1',
'name':
'Test policy1',
'version':
'1_0',
'rules': [{
'gate': 'always',
'trigger': 'always',
'params': [],
'action': 'STOP'
}]
}],
'whitelists': [],
'mappings': [{
'registry': '*',
'repository': '*',
'image': {
'type': 'tag',
'value': '*'
},
'policy_id': 'policy1',
'whitelist_ids': []
}],
'blacklisted_images': [{
'registry': '*',
'repository': '*',
'image': {
'type': 'tag',
'value': 'latest'
}
}],
'whitelisted_images': []
}
db = get_thread_scoped_session()
img_obj = get_image_named(db, test_data_env_with_images_loaded, 'ruby')
assert img_obj is not None
assert img_obj is not None, 'Failed to get an image object to test'
test_tag = 'docker.io/library/ruby:alpine'
built = build_bundle(bundle, for_tag=test_tag)
evaluation = built.execute(img_obj,
tag=test_tag,
context=ExecutionContext(db_session=db,
configuration={}))
assert evaluation is not None
assert GateAction.stop == evaluation.bundle_decision.final_decision
assert 'policy_evaluation' == evaluation.bundle_decision.reason
assert img_obj is not None, 'Failed to get an image object to test'
test_tag = 'docker.io/library/ruby:latest'
built = build_bundle(bundle, for_tag=test_tag)
evaluation = built.execute(img_obj,
tag=test_tag,
context=ExecutionContext(db_session=db,
configuration={}))
assert evaluation is not None
assert GateAction.stop == evaluation.bundle_decision.final_decision
assert 'blacklisted' == evaluation.bundle_decision.reason
bundle = {
'id':
'emptytest1',
'name':
'Empty mapping test1',
'version':
'1_0',
'policies': [],
'whitelists': [],
'mappings': [],
'blacklisted_images': [{
'registry': '*',
'repository': '*',
'image': {
'type': 'tag',
'value': '*'
}
}],
'whitelisted_images': []
}
built = build_bundle(bundle, for_tag=test_tag)
evaluation = built.execute(img_obj,
tag=test_tag,
context=ExecutionContext(db_session=db,
configuration={}))
assert evaluation is not None
assert GateAction.stop == evaluation.bundle_decision.final_decision
assert 'blacklisted' == evaluation.bundle_decision.reason
bundle = {
'id':
'emptytest1',
'name':
'Empty mapping test1',
'version':
'1_0',
'policies': [],
'whitelists': [],
'mappings': [],
'whitelisted_images': [{
'registry': '*',
'repository': '*',
'image': {
'type': 'tag',
'value': '*'
}
}],
'blacklisted_images': []
}
built = build_bundle(bundle, for_tag=test_tag)
evaluation = built.execute(img_obj,
tag=test_tag,
context=ExecutionContext(db_session=db,
configuration={}))
assert evaluation is not None
assert GateAction.go == evaluation.bundle_decision.final_decision
assert 'whitelisted' == evaluation.bundle_decision.reason
def test_duplicate_rule_evaluation(test_data_env_with_images_loaded):
logger.info('Building executable bundle from default bundle')
test_tag = 'docker.io/library/ruby:latest'
multi_gate_bundle = {
'id':
'multigate1',
'name':
'Multigate test1',
'version':
'1_0',
'policies': [{
'id':
'policy1',
'name':
'Test policy1',
'version':
'1_0',
'rules': [{
'gate': 'always',
'trigger': 'always',
'params': [],
'action': 'GO'
}, {
'gate': 'always',
'trigger': 'always',
'params': [],
'action': 'STOP'
}, {
'action':
'stop',
'gate':
'dockerfile',
'trigger':
'instruction',
'params': [{
'name': 'instruction',
'value': 'RUN'
}, {
'name': 'check',
'value': 'exists'
}]
}, {
'action':
'STOP',
'gate':
'dockerfile',
'trigger':
'instruction',
'params': [{
'name': 'instruction',
'value': 'USER'
}, {
'name': 'CHECK',
'value': 'not_exists'
}]
}, {
'action':
'STOP',
'gate':
'dockerfile',
'trigger':
'instruction',
'params': [{
'name': 'instruction',
'value': 'RUN'
}, {
'name': 'CHECK',
'value': '=',
'check_value': 'yum update -y'
}]
}]
}],
'whitelists': [],
'mappings': [{
'registry': '*',
'repository': '*',
'image': {
'type': 'tag',
'value': '*'
},
'policy_id': 'policy1',
'whitelist_ids': []
}]
}
built = build_bundle(multi_gate_bundle, for_tag=test_tag)
assert not built.init_errors
logger.info('Got: {}'.format(built))
db = get_thread_scoped_session()
img_obj = get_image_named(db, test_data_env_with_images_loaded, 'ruby')
assert img_obj is not None
assert img_obj is not None, 'Failed to get an image object to test'
evaluation = built.execute(img_obj,
tag=test_tag,
context=ExecutionContext(db_session=db,
configuration={}))
assert evaluation is not None, 'Got None eval'
logger.info(json.dumps(evaluation.json(), indent=2))
logger.info(json.dumps(evaluation.as_table_json(), indent=2))