    def __init__(self, app, instance_keys, storage):
        """Build the legacy (V2) security scanner client for *app*.

        The V2 scanner settings are checked before any client is created; a
        rejected configuration is logged and surfaced as
        ``InvalidConfigurationException`` so startup fails instead of running
        with a scanner the service cannot use.

        Args:
            app: application object whose ``config`` mapping supplies the
                scanner feature flag, endpoint, preferred URL scheme, server
                hostname and HTTP client.
            instance_keys: passed through unchanged to ``SecurityScannerAPI``.
            storage: passed through unchanged to ``SecurityScannerAPI``.

        Raises:
            InvalidConfigurationException: when ``V2SecurityConfigValidator``
                rejects the feature-flag / endpoint pair.
        """
        self.app = app
        self._legacy_secscan_api = None

        config = app.config
        settings_check = V2SecurityConfigValidator(
            config.get("FEATURE_SECURITY_SCANNER", False),
            config.get("SECURITY_SCANNER_ENDPOINT"),
        )
        if not settings_check.valid():
            failure = "Failed to validate security scanner V2 configuration"
            logger.warning(failure)
            raise InvalidConfigurationException(failure)

        hostname = config["SERVER_HOSTNAME"]
        http_client = config["HTTPCLIENT"]
        scheme_and_host = URLSchemeAndHostname(config["PREFERRED_URL_SCHEME"], hostname)
        # The URI getter is handed a request context for "/" so it can build
        # blob download URLs from the configured scheme and host.
        blob_uri_getter = get_blob_download_uri_getter(
            app.test_request_context("/"), scheme_and_host
        )
        self._legacy_secscan_api = SecurityScannerAPI(
            config,
            storage,
            hostname,
            http_client,
            uri_creator=blob_uri_getter,
            instance_keys=instance_keys,
        )
def test_validate_gitlab_enterprise_trigger(app):
    """The GitLab trigger validator must call the configured endpoint's token URL.

    A mocked ``/oauth/token`` on ``somegitlab`` answers 400 with an
    ``invalid code`` body. ``validate`` is expected to return normally on
    that reply (presumably because reaching the endpoint is all that is being
    checked); the only assertion is that the mock was actually hit.
    """
    token_endpoint_called = [False]

    @urlmatch(netloc=r"somegitlab", path="/oauth/token")
    def fake_token_endpoint(_, __):
        token_endpoint_called[0] = True
        body = json.dumps({"error": "invalid code"})
        return {"status_code": 400, "content": body}

    # Dummy OAuth client credentials; the mock never checks them.
    trigger_config = {
        "GITLAB_TRIGGER_CONFIG": {
            "GITLAB_ENDPOINT": "http://somegitlab",
            "CLIENT_ID": "foo",
            "CLIENT_SECRET": "bar",
        },
    }

    with HTTMock(fake_token_endpoint):
        context = ValidatorContext(
            trigger_config,
            http_client=build_requests_session(),
            url_scheme_and_hostname=URLSchemeAndHostname("http", "localhost:5000"),
        )
        GitLabTriggerValidator().validate(context)

    assert token_endpoint_called[0]
def test_validate_bitbucket_trigger(app):
    """Bitbucket trigger validation must call out to ``bitbucket.org``.

    Every request to ``bitbucket.org`` is answered with a canned 200 OAuth
    token response. The test checks only that the validator reached the mock
    and that ``validate`` returned without raising.
    """
    reached_bitbucket = [False]

    @urlmatch(netloc=r"bitbucket.org")
    def fake_bitbucket(url, request):
        reached_bitbucket[0] = True
        canned_reply = {"status_code": 200}
        canned_reply["content"] = "oauth_token=foo&oauth_token_secret=bar"
        return canned_reply

    # Dummy consumer key/secret; the mock never inspects them.
    trigger_config = {
        "BITBUCKET_TRIGGER_CONFIG": {
            "CONSUMER_KEY": "foo",
            "CONSUMER_SECRET": "bar",
        },
    }

    with HTTMock(fake_bitbucket):
        context = ValidatorContext(
            trigger_config,
            url_scheme_and_hostname=URLSchemeAndHostname("http", "localhost:5000"),
        )
        BitbucketTriggerValidator().validate(context)
        assert reached_bitbucket[0]
    def __init__(self, app, instance_keys, storage):
        """Set up the legacy (V2) security scanner client and its layer analyzer.

        The V2 scanner settings are checked before any client is created; a
        rejected configuration is logged and surfaced as
        ``InvalidConfigurationException``.

        Args:
            app: application object whose ``config`` mapping supplies the
                scanner feature flag, endpoint, preferred URL scheme, server
                hostname, HTTP client and target engine version.
            instance_keys: passed through unchanged to ``SecurityScannerAPI``.
            storage: passed through unchanged to ``SecurityScannerAPI``.

        Raises:
            InvalidConfigurationException: when ``V2SecurityConfigValidator``
                rejects the feature-flag / endpoint pair.
        """
        self.app = app
        self._legacy_secscan_api = None

        config = app.config
        settings_check = V2SecurityConfigValidator(
            config.get("FEATURE_SECURITY_SCANNER", False),
            config.get("SECURITY_SCANNER_ENDPOINT"),
        )
        if not settings_check.valid():
            failure = "Failed to validate security scanner V2 configuration"
            logger.warning(failure)
            raise InvalidConfigurationException(failure)

        hostname = config["SERVER_HOSTNAME"]
        http_client = config["HTTPCLIENT"]
        scheme_and_host = URLSchemeAndHostname(config["PREFERRED_URL_SCHEME"], hostname)
        # The URI getter is handed a request context for "/" so it can build
        # blob download URLs from the configured scheme and host.
        blob_uri_getter = get_blob_download_uri_getter(
            app.test_request_context("/"), scheme_and_host
        )
        self._legacy_secscan_api = SecurityScannerAPI(
            config,
            storage,
            hostname,
            http_client,
            uri_creator=blob_uri_getter,
            instance_keys=instance_keys,
        )

        # Imported lazily: a module-level import would make this class depend
        # on `app`. Tolerated only because this code path is legacy and is
        # intended to be removed.
        from util.secscan.analyzer import LayerAnalyzer

        # Engine version the analyzer should target; 3 when the key is unset.
        self._target_version = config.get("SECURITY_SCANNER_ENGINE_VERSION_TARGET", 3)
        self._analyzer = LayerAnalyzer(config, self._legacy_secscan_api)
def test_validate_bitbucket_trigger(app):
    """Bitbucket trigger validation must call out to ``bitbucket.org``.

    Every request to ``bitbucket.org`` gets a canned 200 OAuth token reply;
    the test asserts only that the mock was reached and that ``validate``
    returned without raising.
    """
    reached_bitbucket = [False]

    @urlmatch(netloc=r'bitbucket.org')
    def fake_bitbucket(url, request):
        reached_bitbucket[0] = True
        canned_reply = {'status_code': 200}
        canned_reply['content'] = 'oauth_token=foo&oauth_token_secret=bar'
        return canned_reply

    # Dummy consumer key/secret; the mock never inspects them.
    trigger_config = {
        'BITBUCKET_TRIGGER_CONFIG': {
            'CONSUMER_KEY': 'foo',
            'CONSUMER_SECRET': 'bar',
        },
    }

    with HTTMock(fake_bitbucket):
        scheme_and_host = URLSchemeAndHostname('http', 'localhost:5000')
        context = ValidatorContext(trigger_config,
                                   url_scheme_and_hostname=scheme_and_host)
        BitbucketTriggerValidator().validate(context)
        assert reached_bitbucket[0]
def test_validate_gitlab_enterprise_trigger(app):
    """The GitLab trigger validator must call the configured endpoint's token URL.

    A mocked ``/oauth/token`` on ``somegitlab`` answers 400 with an
    ``invalid code`` body. ``validate`` is expected to return normally on
    that reply (presumably because reaching the endpoint is all that is being
    checked); the only assertion is that the mock was actually hit.
    """
    token_endpoint_called = [False]

    @urlmatch(netloc=r'somegitlab', path='/oauth/token')
    def fake_token_endpoint(_, __):
        token_endpoint_called[0] = True
        body = json.dumps({'error': 'invalid code'})
        return {'status_code': 400, 'content': body}

    # Dummy OAuth client credentials; the mock never checks them.
    trigger_config = {
        'GITLAB_TRIGGER_CONFIG': {
            'GITLAB_ENDPOINT': 'http://somegitlab',
            'CLIENT_ID': 'foo',
            'CLIENT_SECRET': 'bar',
        },
    }

    with HTTMock(fake_token_endpoint):
        scheme_and_host = URLSchemeAndHostname('http', 'localhost:5000')
        context = ValidatorContext(trigger_config,
                                   http_client=build_requests_session(),
                                   url_scheme_and_hostname=scheme_and_host)
        GitLabTriggerValidator().validate(context)

    assert token_endpoint_called[0]
def test_validate_noop(unvalidated_config, app):
    """With the scanner feature disabled, validation must return without raising.

    The context is built with ``feature_sec_scanner=False``; whatever
    ``unvalidated_config`` holds, ``SecurityScannerValidator.validate`` is
    expected to complete normally.
    """
    scheme_and_host = URLSchemeAndHostname('http', 'localhost:5000')
    context = ValidatorContext(unvalidated_config,
                               feature_sec_scanner=False,
                               is_testing=True,
                               http_client=build_requests_session(),
                               url_scheme_and_hostname=scheme_and_host)
    SecurityScannerValidator.validate(context)
def test_validate(unvalidated_config, expected_error, app):
    """Scanner validation against a fake scanner raises exactly ``expected_error``.

    With ``feature_sec_scanner=True`` the validator runs against
    ``fake_security_scanner`` at hostname ``fakesecurityscanner``. When
    ``expected_error`` is ``None`` the call must succeed; otherwise it must
    raise that exception type.
    """
    scheme_and_host = URLSchemeAndHostname('http', 'localhost:5000')
    context = ValidatorContext(unvalidated_config,
                               feature_sec_scanner=True,
                               is_testing=True,
                               http_client=build_requests_session(),
                               url_scheme_and_hostname=scheme_and_host)

    with fake_security_scanner(hostname='fakesecurityscanner'):
        if expected_error is None:
            SecurityScannerValidator.validate(context)
            return
        with pytest.raises(expected_error):
            SecurityScannerValidator.validate(context)
import pytest

from app import app
from util.config import URLSchemeAndHostname
from util.secscan.secscan_util import get_blob_download_uri_getter

from test.fixtures import *


@pytest.mark.parametrize(
    'url_scheme_and_hostname, repo_namespace, checksum, expected_value,',
    [
        pytest.param(
            URLSchemeAndHostname('http', 'localhost:5000'),
            'devtable/simple',
            'tarsum+sha256:123',
            'http://localhost:5000/v2/devtable/simple/blobs/tarsum%2Bsha256:123',
        ),
    ],
)
def test_blob_download_uri_getter(app, url_scheme_and_hostname, repo_namespace,
                                  checksum, expected_value):
    """The blob URI getter builds an absolute V2 blob URL for a namespace/checksum.

    The expected value pins the scheme and host from ``url_scheme_and_hostname``
    and shows the ``+`` in ``tarsum+sha256`` percent-encoded as ``%2B`` in the
    path, so the checksum cannot be misread as a space-separated segment.
    """
    uri_for = get_blob_download_uri_getter(app.test_request_context('/'),
                                           url_scheme_and_hostname)
    actual = uri_for(repo_namespace, checksum)
    assert actual == expected_value
# Note: We set `has_namespace` to `False` here, as we explicitly want this queue to not be emptied
# when a namespace is marked for deletion.
namespace_gc_queue = WorkQueue(app.config["NAMESPACE_GC_QUEUE_NAME"], tf, has_namespace=False)

# Every work queue defined in this module, in one list. NOTE(review): the
# consumers of this list are not visible here — presumably bulk management
# or health reporting; confirm before changing its order or contents.
all_queues = [
    image_replication_queue,
    dockerfile_build_queue,
    notification_queue,
    secscan_notification_queue,
    chunk_cleanup_queue,
    repository_gc_queue,
    namespace_gc_queue,
]

# The scheme and hostname this deployment is reached under, taken verbatim
# from configuration.
url_scheme_and_hostname = URLSchemeAndHostname(
    app.config["PREFERRED_URL_SCHEME"], app.config["SERVER_HOSTNAME"]
)

# Client for the repository mirror API; uses the configured server hostname,
# the shared HTTP client from config, and this module's `instance_keys`.
repo_mirror_api = RepoMirrorAPI(
    app.config,
    app.config["SERVER_HOSTNAME"],
    app.config["HTTPCLIENT"],
    instance_keys=instance_keys,
)

# TUF metadata client; receives the app object as well as its config mapping.
tuf_metadata_api = TUFMetadataAPI(app, app.config)

# Check for a key in config. If none found, generate a new signing key for Docker V2 manifests.
_v2_key_path = os.path.join(OVERRIDE_CONFIG_DIRECTORY, DOCKER_V2_SIGNINGKEY_FILENAME)
if os.path.exists(_v2_key_path):
    docker_v2_signing_key = RSAKey().load(_v2_key_path)