2015-02-05 18:06:56 +00:00
|
|
|
import logging
|
2015-01-07 21:20:51 +00:00
|
|
|
|
2016-09-29 00:17:14 +00:00
|
|
|
from auth.auth_context import get_authenticated_user
|
|
|
|
from data.users import LDAP_CERT_FILENAME
|
2018-06-01 15:31:19 +00:00
|
|
|
from util.secscan.secscan_util import get_blob_download_uri_getter
|
2018-05-25 19:42:27 +00:00
|
|
|
from util.config import URLSchemeAndHostname
|
2017-01-31 18:47:49 +00:00
|
|
|
|
2017-02-09 23:51:28 +00:00
|
|
|
from util.config.validators.validate_database import DatabaseValidator
|
|
|
|
from util.config.validators.validate_redis import RedisValidator
|
|
|
|
from util.config.validators.validate_storage import StorageValidator
|
|
|
|
from util.config.validators.validate_email import EmailValidator
|
2017-02-10 00:09:57 +00:00
|
|
|
from util.config.validators.validate_ldap import LDAPValidator
|
2017-02-10 00:30:07 +00:00
|
|
|
from util.config.validators.validate_keystone import KeystoneValidator
|
2017-02-10 01:07:14 +00:00
|
|
|
from util.config.validators.validate_jwt import JWTAuthValidator
|
2017-02-10 01:28:39 +00:00
|
|
|
from util.config.validators.validate_secscan import SecurityScannerValidator
|
2017-02-15 16:56:19 +00:00
|
|
|
from util.config.validators.validate_signer import SignerValidator
|
2017-02-15 17:12:19 +00:00
|
|
|
from util.config.validators.validate_torrent import BittorrentValidator
|
2017-02-15 20:17:07 +00:00
|
|
|
from util.config.validators.validate_ssl import SSLValidator, SSL_FILENAMES
|
2017-02-15 20:26:15 +00:00
|
|
|
from util.config.validators.validate_google_login import GoogleLoginValidator
|
2017-02-15 20:30:46 +00:00
|
|
|
from util.config.validators.validate_bitbucket_trigger import BitbucketTriggerValidator
|
2017-02-15 20:39:03 +00:00
|
|
|
from util.config.validators.validate_gitlab_trigger import GitLabTriggerValidator
|
2017-02-15 21:07:25 +00:00
|
|
|
from util.config.validators.validate_github import GitHubLoginValidator, GitHubTriggerValidator
|
2017-02-28 21:18:19 +00:00
|
|
|
from util.config.validators.validate_oidc import OIDCLoginValidator
|
2017-04-05 18:01:55 +00:00
|
|
|
from util.config.validators.validate_timemachine import TimeMachineValidator
|
2017-05-24 16:57:55 +00:00
|
|
|
from util.config.validators.validate_access import AccessSettingsValidator
|
2017-07-10 15:35:51 +00:00
|
|
|
from util.config.validators.validate_actionlog_archiving import ActionLogArchivingValidator
|
2017-12-08 22:05:59 +00:00
|
|
|
from util.config.validators.validate_apptokenauth import AppTokenAuthValidator
|
2015-01-07 21:20:51 +00:00
|
|
|
|
2015-02-05 18:06:56 +00:00
|
|
|
logger = logging.getLogger(__name__)
|
|
|
|
|
2016-11-29 20:20:46 +00:00
|
|
|
class ConfigValidationException(Exception):
|
|
|
|
""" Exception raised when the configuration fails to validate for a known reason. """
|
|
|
|
pass
|
|
|
|
|
2015-07-15 21:49:07 +00:00
|
|
|
# Note: Only add files required for HTTPS to the SSL_FILESNAMES list.
|
|
|
|
DB_SSL_FILENAMES = ['database.pem']
|
2015-06-02 22:19:22 +00:00
|
|
|
JWT_FILENAMES = ['jwt-authn.cert']
|
2016-02-16 20:31:23 +00:00
|
|
|
ACI_CERT_FILENAMES = ['signing-public.gpg', 'signing-private.gpg']
|
2016-05-03 19:02:39 +00:00
|
|
|
LDAP_FILENAMES = [LDAP_CERT_FILENAME]
|
|
|
|
CONFIG_FILENAMES = (SSL_FILENAMES + DB_SSL_FILENAMES + JWT_FILENAMES + ACI_CERT_FILENAMES +
|
|
|
|
LDAP_FILENAMES)
|
2018-01-10 19:46:36 +00:00
|
|
|
CONFIG_FILE_SUFFIXES = ['-cloudfront-signing-key.pem']
|
2017-01-11 23:45:46 +00:00
|
|
|
EXTRA_CA_DIRECTORY = 'extra_ca_certs'
|
2015-01-07 21:20:51 +00:00
|
|
|
|
2017-02-15 21:07:25 +00:00
|
|
|
VALIDATORS = {
|
|
|
|
DatabaseValidator.name: DatabaseValidator.validate,
|
|
|
|
RedisValidator.name: RedisValidator.validate,
|
|
|
|
StorageValidator.name: StorageValidator.validate,
|
|
|
|
EmailValidator.name: EmailValidator.validate,
|
|
|
|
GitHubLoginValidator.name: GitHubLoginValidator.validate,
|
|
|
|
GitHubTriggerValidator.name: GitHubTriggerValidator.validate,
|
|
|
|
GitLabTriggerValidator.name: GitLabTriggerValidator.validate,
|
2017-02-15 21:21:45 +00:00
|
|
|
BitbucketTriggerValidator.name: BitbucketTriggerValidator.validate,
|
2017-02-15 21:07:25 +00:00
|
|
|
GoogleLoginValidator.name: GoogleLoginValidator.validate,
|
|
|
|
SSLValidator.name: SSLValidator.validate,
|
|
|
|
LDAPValidator.name: LDAPValidator.validate,
|
|
|
|
JWTAuthValidator.name: JWTAuthValidator.validate,
|
|
|
|
KeystoneValidator.name: KeystoneValidator.validate,
|
|
|
|
SignerValidator.name: SignerValidator.validate,
|
|
|
|
SecurityScannerValidator.name: SecurityScannerValidator.validate,
|
|
|
|
BittorrentValidator.name: BittorrentValidator.validate,
|
2017-02-28 21:18:19 +00:00
|
|
|
OIDCLoginValidator.name: OIDCLoginValidator.validate,
|
2017-04-05 18:01:55 +00:00
|
|
|
TimeMachineValidator.name: TimeMachineValidator.validate,
|
2017-05-24 16:57:55 +00:00
|
|
|
AccessSettingsValidator.name: AccessSettingsValidator.validate,
|
2017-07-10 15:35:51 +00:00
|
|
|
ActionLogArchivingValidator.name: ActionLogArchivingValidator.validate,
|
2017-12-08 22:05:59 +00:00
|
|
|
AppTokenAuthValidator.name: AppTokenAuthValidator.validate,
|
2017-02-15 21:07:25 +00:00
|
|
|
}
|
2015-01-16 21:10:40 +00:00
|
|
|
|
2018-05-25 19:42:27 +00:00
|
|
|
def validate_service_for_config(service, validator_context):
|
2015-01-07 21:20:51 +00:00
|
|
|
""" Attempts to validate the configuration for the given service. """
|
2016-11-29 20:20:46 +00:00
|
|
|
if not service in VALIDATORS:
|
2015-01-07 21:20:51 +00:00
|
|
|
return {
|
|
|
|
'status': False
|
|
|
|
}
|
|
|
|
|
|
|
|
try:
|
2018-05-25 19:42:27 +00:00
|
|
|
VALIDATORS[service](validator_context)
|
2015-01-07 21:20:51 +00:00
|
|
|
return {
|
|
|
|
'status': True
|
|
|
|
}
|
|
|
|
except Exception as ex:
|
2015-02-05 18:06:56 +00:00
|
|
|
logger.exception('Validation exception')
|
2015-01-07 21:20:51 +00:00
|
|
|
return {
|
|
|
|
'status': False,
|
|
|
|
'reason': str(ex)
|
|
|
|
}
|
2018-01-10 19:46:36 +00:00
|
|
|
|
|
|
|
|
|
|
|
def is_valid_config_upload_filename(filename):
|
|
|
|
""" Returns true if and only if the given filename is one which is supported for upload
|
|
|
|
from the configuration UI tool.
|
|
|
|
"""
|
|
|
|
if filename in CONFIG_FILENAMES:
|
|
|
|
return True
|
|
|
|
|
|
|
|
return any([filename.endswith(suffix) for suffix in CONFIG_FILE_SUFFIXES])
|
2018-05-25 19:42:27 +00:00
|
|
|
|
|
|
|
|
|
|
|
class ValidatorContext(object):
|
|
|
|
""" Context to run validators in, with any additional runtime configuration they need
|
|
|
|
"""
|
|
|
|
def __init__(self, config, user_password=None, http_client=None, context=None,
|
2018-05-29 17:50:51 +00:00
|
|
|
url_scheme_and_hostname=None, jwt_auth_max=None, registry_title=None,
|
|
|
|
ip_resolver=None, feature_sec_scanner=False, is_testing=False,
|
|
|
|
uri_creator=None, config_provider=None):
|
2018-05-25 19:42:27 +00:00
|
|
|
self.config = config
|
|
|
|
self.user = get_authenticated_user()
|
|
|
|
self.user_password = user_password
|
|
|
|
self.http_client = http_client
|
|
|
|
self.context = context
|
2018-05-29 17:50:51 +00:00
|
|
|
self.url_scheme_and_hostname = url_scheme_and_hostname
|
2018-05-25 19:42:27 +00:00
|
|
|
self.jwt_auth_max = jwt_auth_max
|
|
|
|
self.registry_title = registry_title
|
|
|
|
self.ip_resolver = ip_resolver
|
2018-05-29 17:50:51 +00:00
|
|
|
self.feature_sec_scanner = feature_sec_scanner
|
|
|
|
self.is_testing = is_testing
|
|
|
|
self.uri_creator = uri_creator
|
|
|
|
self.config_provider = config_provider
|
2018-05-25 19:42:27 +00:00
|
|
|
|
|
|
|
@classmethod
|
2018-06-01 15:31:19 +00:00
|
|
|
def from_app(cls, app, config, user_password, ip_resolver, client=None, config_provider=None):
|
|
|
|
"""
|
|
|
|
Creates a ValidatorContext from an app config, with a given config to validate
|
|
|
|
:param app: the Flask app to pull configuration information from
|
|
|
|
:param config: the config to validate
|
|
|
|
:param user_password: request password
|
|
|
|
:param ip_resolver: an App
|
|
|
|
:param client:
|
|
|
|
:param config_provider:
|
|
|
|
:return:
|
|
|
|
"""
|
|
|
|
url_scheme_and_hostname = URLSchemeAndHostname.from_app_config(app.config)
|
2018-05-29 17:50:51 +00:00
|
|
|
|
2018-06-05 15:41:35 +00:00
|
|
|
return cls(config,
|
|
|
|
user_password,
|
|
|
|
client or app.config['HTTPCLIENT'],
|
|
|
|
app.app_context,
|
|
|
|
url_scheme_and_hostname,
|
|
|
|
app.config.get('JWT_AUTH_MAX_FRESH_S', 300),
|
|
|
|
app.config['REGISTRY_TITLE'],
|
|
|
|
ip_resolver,
|
|
|
|
app.config.get('FEATURE_SECURITY_SCANNER', False),
|
|
|
|
app.config.get('TESTING', False),
|
|
|
|
get_blob_download_uri_getter(app.test_request_context('/'), url_scheme_and_hostname),
|
|
|
|
config_provider)
|
2018-05-29 17:50:51 +00:00
|
|
|
|
2018-05-25 19:42:27 +00:00
|
|
|
|
|
|
|
|
|
|
|
|