def __init__(self, imagename, allimages={}, tmpdirroot="/tmp", dockerfile=None, docker_cli=None, anchore_db=None, docker_images=None, usertype=None):
self._logger.debug("initializing image: " + str(imagename))
# all members
self.allimages = allimages
self.initialized = False
self.docleanup = True
self.tmpdirroot = tmpdirroot
self.tmpdir = '/'.join([self.tmpdirroot, str(random.randint(0, 9999999)) + ".anchoretmp"])
self.dockerfile = dockerfile
self.dockerfile_contents = None
self.dockerfile_mode = None
self.docker_cli = None
self.docker_data = {}
self.docker_history = {}
self.meta = {'imagename': None,
'shortname': None,
'humanname': None,
'imageId': None,
'shortId': None,
'parentId': None,
'shortparentId': None,
'usertype': usertype,
'sizebytes':0}
self.anchore_data = {}
self.anchore_allfiles = {}
self.anchore_allpkgs = {}
self.anchore_familytree = None
self.anchore_layers = None
self.anchore_current_tags = []
self.anchore_all_tags = []
self.anchore_tag_history = []
self.anchore_analyzer_meta = {}
self.anchore_analysis_report = None
self.anchore_gates_report = None
self.anchore_gates_eval_report = None
self.anchore_image_report = None
# some contexts
self.anchore_db = None
self.docker_images = None
self.anchore_config = None
# do some setup
# set up imageId
try:
result = anchore_utils.discover_imageId(imagename)
if not result:
raise Exception("could not locate image named ("+str(imagename)+") in anchore or local container system.")
except Exception as err:
raise Exception("input image name ("+str(imagename)+") is ambiguous. exception - " + str(err))
self.meta['imageId'] = result
if dockerfile and (os.stat(dockerfile).st_size <= 0 or not os.path.exists(dockerfile) or not os.path.isfile(dockerfile)):
raise Exception("input dockerfile ("+str(dockerfile)+") is invalid.")
# set up external contexts
if docker_cli:
self.docker_cli = docker_cli
elif 'docker_cli' in contexts and contexts['docker_cli']:
self.docker_cli = contexts['docker_cli']
else:
try:
self.docker_cli = docker.Client(base_url='unix://var/run/docker.sock', version='auto', timeout=300)
except Exception as err:
self._logger.warn("could not establish connection with docker, some operations (analyze) may fail: exception: " + str(err))
if anchore_db:
self.anchore_db = anchore_db
elif 'anchore_db' in contexts and contexts['anchore_db']:
self.anchore_db = contexts['anchore_db']
if not self.anchore_db:
raise Exception("could not init/connect to anchoreDB")
if docker_images:
self.docker_images = docker_images
elif 'docker_images' in contexts and contexts['docker_images']:
self.docker_images = contexts['docker_images']
else:
self.docker_images = anchore_utils.get_docker_images(self.docker_cli)
if 'anchore_config' in contexts and contexts['anchore_config']:
self.anchore_config = contexts['anchore_config']
# set up metadata about the image from anchoreDB and docker
if not self.load_image(dockerfile):
raise Exception("could not load image information from Docker or AnchoreDB")
# set up image directory structure
try:
self.anchore_db.create_image(self.meta['imageId'])
except Exception as err:
raise err
# set up any additional internal members
self.initialized = True
self.discover_layers()
self.discover_familytree()
self.discover_dockerfile_contents()
newlist = list(self.anchore_familytree)
while self.meta['imageId'] in newlist: newlist.remove(self.meta['imageId'])
anchore_utils.image_context_add(newlist, self.allimages, docker_cli=self.docker_cli, tmproot=self.tmpdirroot, anchore_db=self.anchore_db, docker_images=self.docker_images)
def run_bundle(anchore_config=None,
bundle={},
image=None,
matchtags=[],
stateless=False,
show_whitelisted=True,
show_triggerIds=True):
retecode = 0
if not anchore_config or not bundle or not image:
raise Exception("input error")
if not verify_policy_bundle(bundle=bundle):
raise Exception("input bundle does not conform to bundle schema")
imageId = anchore_utils.discover_imageId(image)
digests = []
if not matchtags:
matchtags = [image]
evalmap = {}
evalresults = {}
for matchtag in matchtags:
_logger.info("evaluating tag: " + str(matchtag))
mapping_results = get_mapping_actions(image=matchtag,
imageId=imageId,
in_digests=digests,
bundle=bundle)
for pol, wl, polname, wlnames, mapmatch, match_json, evalhash in mapping_results:
evalmap[matchtag] = evalhash
_logger.debug("attempting eval: " + evalhash + " : " + matchtag)
if evalhash not in evalresults:
fnames = {}
try:
if stateless:
policies = structure_policy(pol)
whitelists = structure_whitelist(wl)
rc = execute_gates(imageId, policies)
result, fullresult = evaluate_gates_results(
imageId, policies, {}, whitelists)
eval_result = structure_eval_results(
imageId,
fullresult,
show_whitelisted=show_whitelisted,
show_triggerIds=show_triggerIds,
imageName=matchtag)
gate_result = {}
gate_result[imageId] = eval_result
else:
con = controller.Controller(
anchore_config=anchore_config,
imagelist=[imageId],
allimages=contexts['anchore_allimages'],
force=True)
for (fname, data) in [('tmppol', pol), ('tmpwl', wl)]:
fh, thefile = tempfile.mkstemp(
dir=anchore_config['tmpdir'])
fnames[fname] = thefile
try:
with open(thefile, 'w') as OFH:
for l in data:
OFH.write(l + "\n")
except Exception as err:
raise err
finally:
os.close(fh)
gate_result = con.run_gates(
policy=fnames['tmppol'],
global_whitelist=fnames['tmpwl'],
show_triggerIds=show_triggerIds,
show_whitelisted=show_whitelisted)
evalel = {
'results': list(),
'policy_name': "N/A",
'whitelist_names': "N/A",
'policy_data': list(),
'whitelist_data': list(),
'mapmatch': "N/A",
'matched_mapping_rule': {}
}
evalel['results'] = gate_result
evalel['policy_name'] = polname
evalel['whitelist_names'] = wlnames
evalel['policy_data'] = pol
evalel['whitelist_data'] = wl
evalel['mapmatch'] = mapmatch
evalel['matched_mapping_rule'] = match_json
_logger.debug("caching eval result: " + evalhash + " : " +
matchtag)
evalresults[evalhash] = evalel
ecode = result_get_highest_action(gate_result)
if ecode == 1:
retecode = 1
elif retecode == 0 and ecode > retecode:
retecode = ecode
except Exception as err:
_logger.error("policy evaluation error: " + str(err))
finally:
for f in fnames.keys():
if os.path.exists(fnames[f]):
os.remove(fnames[f])
else:
_logger.debug("skipping eval, result already cached: " +
evalhash + " : " + matchtag)
ret = {}
for matchtag in matchtags:
ret[matchtag] = {}
ret[matchtag]['bundle_name'] = bundle['name']
try:
evalresult = evalresults[evalmap[matchtag]]
ret[matchtag]['evaluations'] = [evalresult]
except Exception as err:
raise err
return (ret, retecode)
def __init__(self,
imagename,
anchore_image_datadir,
allimages,
tmpdirroot="/tmp",
dockerfile=None,
docker_cli=None,
anchore_db=None,
docker_images=None,
usertype=None):
# all members
self.allimages = allimages
self.initialized = False
self.docleanup = True
self.tmpdirroot = tmpdirroot
self.tmpdir = '/'.join(
[self.tmpdirroot,
str(random.randint(0, 9999999)) + ".anchoretmp"])
self.dockerfile = dockerfile
self.dockerfile_contents = None
self.dockerfile_mode = None
self.docker_cli = None
self.docker_data = {}
self.docker_history = {}
#self.docker_data_json = ""
self.meta = {
'imagename': None,
'shortname': None,
'humanname': None,
'imageId': None,
'shortId': None,
'parentId': None,
'shortparentId': None,
'usertype': usertype,
'sizebytes': 0
}
self.anchore_image_datadir = None
self.anchore_imagedir = None
self.anchore_data = {}
self.anchore_allfiles = {}
self.anchore_allpkgs = {}
self.anchore_familytree = None
self.anchore_layers = None
self.anchore_current_tags = []
self.anchore_all_tags = []
self.anchore_tag_history = []
self.anchore_analyzer_meta = {}
self.anchore_analysis_report = None
self.anchore_gates_report = None
self.anchore_gates_eval_report = None
self.anchore_image_report = None
# some contexts
self.anchore_db = None
self.docker_images = None
# do some setup
# set up imageId
result = anchore_utils.discover_imageId(imagename)
if len(result.keys()) <= 0:
raise Exception("could not locate image named (" + str(imagename) +
") in anchore or local container system.")
elif len(result.keys()) > 1:
raise Exception("input image name (" + str(imagename) +
") is ambiguous.")
else:
self.meta['imageId'] = result.keys()[0]
if dockerfile and (os.stat(dockerfile).st_size <= 0
or not os.path.exists(dockerfile)
or not os.path.isfile(dockerfile)):
raise Exception("input dockerfile (" + str(dockerfile) +
") is invalid.")
self.anchore_image_datadir = anchore_image_datadir
self.anchore_imagedir = os.path.join(anchore_image_datadir,
self.meta['imageId'])
# set up external contexts
if docker_cli:
self.docker_cli = docker_cli
else:
self.docker_cli = docker.Client(
base_url='unix://var/run/docker.sock', timeout=300)
if anchore_db:
self.anchore_db = anchore_db
else:
self.anchore_db = anchore_image_db.AnchoreImageDB(
imagerootdir=self.anchore_image_datadir)
if docker_images:
self.docker_images = docker_images
else:
self.docker_images = self.docker_cli.images(all=True)
# set up metadata about the image from anchoreDB and docker
if not self.load_image(dockerfile):
raise Exception(
"could not load image information from Docker or AnchoreDB")
# set up image directory structure
try:
self.anchore_db.create_image(self.meta['imageId'])
except Exception as err:
raise err
# set up any additional internal members
self.initialized = True
self.discover_layers()
self.discover_familytree()
self.discover_dockerfile_contents()
newlist = list(self.anchore_familytree)
while self.meta['imageId'] in newlist:
newlist.remove(self.meta['imageId'])
anchore_utils.image_context_add(
newlist,
self.allimages,
docker_cli=self.docker_cli,
anchore_datadir=self.anchore_image_datadir,
tmproot=self.tmpdirroot,
anchore_db=self.anchore_db,
docker_images=self.docker_images)
def run_bundle(anchore_config=None, bundle={}, image=None, matchtags=[], stateless=False, show_whitelisted=True, show_triggerIds=True):
retecode = 0
if not anchore_config or not bundle or not image:
raise Exception("input error")
if not verify_policy_bundle(bundle=bundle):
raise Exception("input bundle does not conform to bundle schema")
imageId = anchore_utils.discover_imageId(image)
digests = []
if not matchtags:
matchtags = [image]
evalmap = {}
evalresults = {}
for matchtag in matchtags:
_logger.info("evaluating tag: " + str(matchtag))
mapping_results = get_mapping_actions(image=matchtag, imageId=imageId, in_digests=digests, bundle=bundle)
for pol,wl,polname,wlnames,mapmatch,match_json,evalhash in mapping_results:
evalmap[matchtag] = evalhash
_logger.debug("attempting eval: " + evalhash + " : " + matchtag)
if evalhash not in evalresults:
fnames = {}
try:
if stateless:
policies = structure_policy(pol)
whitelists = structure_whitelist(wl)
rc = execute_gates(imageId, policies)
result, fullresult = evaluate_gates_results(imageId, policies, {}, whitelists)
eval_result = structure_eval_results(imageId, fullresult, show_whitelisted=show_whitelisted, show_triggerIds=show_triggerIds, imageName=matchtag)
gate_result = {}
gate_result[imageId] = eval_result
else:
con = controller.Controller(anchore_config=anchore_config, imagelist=[imageId], allimages=contexts['anchore_allimages'], force=True)
for (fname, data) in [('tmppol', pol), ('tmpwl', wl)]:
fh, thefile = tempfile.mkstemp(dir=anchore_config['tmpdir'])
fnames[fname] = thefile
try:
with open(thefile, 'w') as OFH:
for l in data:
OFH.write(l + "\n")
except Exception as err:
raise err
finally:
os.close(fh)
gate_result = con.run_gates(policy=fnames['tmppol'], global_whitelist=fnames['tmpwl'], show_triggerIds=show_triggerIds, show_whitelisted=show_whitelisted)
evalel = {
'results': list(),
'policy_name':"N/A",
'whitelist_names':"N/A",
'policy_data':list(),
'whitelist_data':list(),
'mapmatch':"N/A",
'matched_mapping_rule': {}
}
evalel['results'] = gate_result
evalel['policy_name'] = polname
evalel['whitelist_names'] = wlnames
evalel['policy_data'] = pol
evalel['whitelist_data'] = wl
evalel['mapmatch'] = mapmatch
evalel['matched_mapping_rule'] = match_json
_logger.debug("caching eval result: " + evalhash + " : " + matchtag)
evalresults[evalhash] = evalel
ecode = result_get_highest_action(gate_result)
if ecode == 1:
retecode = 1
elif retecode == 0 and ecode > retecode:
retecode = ecode
except Exception as err:
_logger.error("policy evaluation error: " + str(err))
finally:
for f in fnames.keys():
if os.path.exists(fnames[f]):
os.remove(fnames[f])
else:
_logger.debug("skipping eval, result already cached: " + evalhash + " : " + matchtag)
ret = {}
for matchtag in matchtags:
ret[matchtag] = {}
ret[matchtag]['bundle_name'] = bundle['name']
try:
evalresult = evalresults[evalmap[matchtag]]
ret[matchtag]['evaluations'] = [evalresult]
except Exception as err:
raise err
return(ret, retecode)
