quay/util/secscan/api.py

import features
import logging
import requests

from data.database import CloseForLongOperation
from urlparse import urljoin

logger = logging.getLogger(__name__)

# NOTE: This objects are used directly in the external-notification-data and vulnerability-service
# on the frontend, so be careful with changing their existing keys.
PRIORITY_LEVELS = {
 'Unknown': {
   'title': 'Unknown',
   'index': '6',
   'level': 'info',

   'description': 'Unknown is either a security problem that has not been assigned ' +
                  'to a priority yet or a priority that our system did not recognize',
   'banner_required': False
 },

 'Negligible': {
   'title': 'Negligible',
   'index': '5',
   'level': 'info',

   'description': 'Negligible is technically a security problem, but is only theoretical ' +
                  'in nature, requires a very special situation, has almost no install base, ' +
                  'or does no real damage.',
   'banner_required': False
 },

 'Low': {
   'title': 'Low',
   'index': '4',
   'level': 'warning',

   'description': 'Low is a security problem, but is hard to exploit due to environment, ' +
                  'requires a user-assisted attack, a small install base, or does very ' +
                  'little damage.',
   'banner_required': False
 },

 'Medium': {
   'title': 'Medium',
   'value': 'Medium',
   'index': '3',
   'level': 'warning',

   'description': 'Medium is a real security problem, and is exploitable for many people. ' +
                  'Includes network daemon denial of service attacks, cross-site scripting, ' +
                  'and gaining user privileges.',
   'banner_required': False
 },

 'High': {
   'title': 'High',
   'value': 'High',
   'index': '2',
   'level': 'warning',

   'description': 'High is a real problem, exploitable for many people in a default installation. ' +
                  'Includes serious remote denial of services, local root privilege escalations, ' +
                  'or data loss.',
   'banner_required': False
 },

 'Critical': {
   'title': 'Critical',
   'value': 'Critical',
   'index': '1',
   'level': 'error',

   'description': 'Critical is a world-burning problem, exploitable for nearly all people in ' +
                  'a installation of the package. Includes remote root privilege escalations, ' +
                  'or massive data loss.',
   'banner_required': True
 },

 'Defcon1': {
   'title': 'Defcon 1',
   'value': 'Defcon1',
   'index': '0',
   'level': 'error',

   'description': 'Defcon1 is a Critical problem which has been manually highlighted ' +
                  'by the Quay team. It requires immediate attention.',
   'banner_required': True
 }
}


def get_priority_for_index(index):
 for priority in PRIORITY_LEVELS:
   if PRIORITY_LEVELS[priority]['index'] == index:
     return priority

 return 'Unknown'

class SecurityConfigValidator(object):
  def __init__(self, app, config_provider):
    self._config_provider = config_provider

    if not features.SECURITY_SCANNER:
      return

    self._security_config = app.config['SECURITY_SCANNER']
    if self._security_config is None:
      return

    self._certificate = self._get_filepath('CA_CERTIFICATE_FILENAME') or False
    self._public_key = self._get_filepath('PUBLIC_KEY_FILENAME')
    self._private_key = self._get_filepath('PRIVATE_KEY_FILENAME')

    if self._public_key and self._private_key:
      self._keys = (self._public_key, self._private_key)
    else:
      self._keys = None

  def _get_filepath(self, key):
    config = self._security_config

    if key in config:
      with self._config_provider.get_volume_file(config[key]) as f:
        return f.name

    return None

  def cert(self):
    return self._certificate

  def keypair(self):
    return self._keys

  def valid(self):
    if (not features.SECURITY_SCANNER
        or not self._security_config
        or not 'ENDPOINT' in self._security_config
        or not 'ENGINE_VERSION_TARGET' in self._security_config
        or not 'DISTRIBUTED_STORAGE_PREFERENCE' in self._security_config
        or (self._certificate is False and self._keys is None)):
      return False

    return True


class SecurityScannerAPI(object):
  """ Helper class for talking to the Security Scan service (Clair). """
  def __init__(self, app, config_provider):
    self.app = app
    self.config_provider = config_provider

    config_validator = SecurityConfigValidator(app, config_provider)
    if not config_validator.valid():
      logger.warning('Invalid config provided to SecurityScannerAPI')
      return

    self._security_config = app.config.get('SECURITY_SCANNER')
    self._certificate = config_validator.cert()
    self._keys = config_validator.keypair()

  def check_layer_vulnerable(self, layer_id, cve_id):
    """ Checks with Clair whether the given layer is vulnerable to the given CVE. """
    try:
      body = {
        'LayersIDs': [layer_id]
      }
      response = self.call('vulnerabilities/%s/affected-layers', body, cve_id)
    except requests.exceptions.RequestException:
      logger.exception('Got exception when trying to call Clair endpoint')
      return False

    if response.status_code != 200:
      return False

    try:
      response_data = response.json()
    except ValueError:
      logger.exception('Got exception when trying to parse Clair response')
      return False

    if (not layer_id in response_data or
        not response_data[layer_id].get('Vulnerable', False)):
      return False

    return True

  def call(self, relative_url, body=None, *args, **kwargs):
    """ Issues an HTTP call to the sec API at the given relative URL.
        This function disconnects from the database while awaiting a response
        from the API server.
    """
    security_config = self._security_config
    api_url = urljoin(security_config['ENDPOINT'], '/' + security_config['API_VERSION']) + '/'
    url = urljoin(api_url, relative_url % args)

    client = self.app.config['HTTPCLIENT']
    timeout = security_config.get('API_TIMEOUT_SECONDS', 1)
    logger.debug('Looking up sec information: %s', url)

    with CloseForLongOperation(self.app.config):
      if body is not None:
        return client.post(url, json=body, params=kwargs, timeout=timeout, cert=self._keys,
                           verify=self._certificate)
      else:
        return client.get(url, params=kwargs, timeout=timeout, cert=self._keys,
                          verify=self._certificate)
Add a SecScanEndpoint class and move all the cert and config handling in there 2015-10-26 19:13:58 +00:00			`import features`
			`import logging`
			`import requests`

Only send vulnerability events if the minimum priority is gte to that specified Fixes #770 2015-11-10 20:08:14 +00:00			`from data.database import CloseForLongOperation`
Add a SecScanEndpoint class and move all the cert and config handling in there 2015-10-26 19:13:58 +00:00			`from urlparse import urljoin`

			`logger = logging.getLogger(__name__)`

Only send vulnerability events if the minimum priority is gte to that specified Fixes #770 2015-11-10 20:08:14 +00:00			`# NOTE: This objects are used directly in the external-notification-data and vulnerability-service`
			`# on the frontend, so be careful with changing their existing keys.`
			`PRIORITY_LEVELS = {`
			`'Unknown': {`
			`'title': 'Unknown',`
			`'index': '6',`
			`'level': 'info',`

			`'description': 'Unknown is either a security problem that has not been assigned ' +`
			`'to a priority yet or a priority that our system did not recognize',`
			`'banner_required': False`
			`},`

			`'Negligible': {`
			`'title': 'Negligible',`
			`'index': '5',`
			`'level': 'info',`

			`'description': 'Negligible is technically a security problem, but is only theoretical ' +`
			`'in nature, requires a very special situation, has almost no install base, ' +`
			`'or does no real damage.',`
			`'banner_required': False`
			`},`

			`'Low': {`
			`'title': 'Low',`
			`'index': '4',`
			`'level': 'warning',`

			`'description': 'Low is a security problem, but is hard to exploit due to environment, ' +`
			`'requires a user-assisted attack, a small install base, or does very ' +`
			`'little damage.',`
			`'banner_required': False`
			`},`

			`'Medium': {`
			`'title': 'Medium',`
			`'value': 'Medium',`
			`'index': '3',`
			`'level': 'warning',`

			`'description': 'Medium is a real security problem, and is exploitable for many people. ' +`
			`'Includes network daemon denial of service attacks, cross-site scripting, ' +`
			`'and gaining user privileges.',`
			`'banner_required': False`
			`},`

			`'High': {`
			`'title': 'High',`
			`'value': 'High',`
			`'index': '2',`
			`'level': 'warning',`

			`'description': 'High is a real problem, exploitable for many people in a default installation. ' +`
			`'Includes serious remote denial of services, local root privilege escalations, ' +`
			`'or data loss.',`
			`'banner_required': False`
			`},`

			`'Critical': {`
			`'title': 'Critical',`
			`'value': 'Critical',`
			`'index': '1',`
			`'level': 'error',`

			`'description': 'Critical is a world-burning problem, exploitable for nearly all people in ' +`
			`'a installation of the package. Includes remote root privilege escalations, ' +`
			`'or massive data loss.',`
			`'banner_required': True`
			`},`

			`'Defcon1': {`
			`'title': 'Defcon 1',`
			`'value': 'Defcon1',`
			`'index': '0',`
			`'level': 'error',`

			`'description': 'Defcon1 is a Critical problem which has been manually highlighted ' +`
			`'by the Quay team. It requires immediate attention.',`
			`'banner_required': True`
			`}`
			`}`


			`def get_priority_for_index(index):`
			`for priority in PRIORITY_LEVELS:`
			`if PRIORITY_LEVELS[priority]['index'] == index:`
			`return priority`

			`return 'Unknown'`

create class for security config validation 2015-11-12 20:46:31 +00:00			`class SecurityConfigValidator(object):`
Add a SecScanEndpoint class and move all the cert and config handling in there 2015-10-26 19:13:58 +00:00			`def __init__(self, app, config_provider):`
create class for security config validation 2015-11-12 20:46:31 +00:00			`self._config_provider = config_provider`
Add a SecScanEndpoint class and move all the cert and config handling in there 2015-10-26 19:13:58 +00:00
			`if not features.SECURITY_SCANNER:`
			`return`

create class for security config validation 2015-11-12 20:46:31 +00:00			`self._security_config = app.config['SECURITY_SCANNER']`
			`if self._security_config is None:`
			`return`
Add a SecScanEndpoint class and move all the cert and config handling in there 2015-10-26 19:13:58 +00:00
create class for security config validation 2015-11-12 20:46:31 +00:00			`self._certificate = self._get_filepath('CA_CERTIFICATE_FILENAME') or False`
			`self._public_key = self._get_filepath('PUBLIC_KEY_FILENAME')`
			`self._private_key = self._get_filepath('PRIVATE_KEY_FILENAME')`
Add a SecScanEndpoint class and move all the cert and config handling in there 2015-10-26 19:13:58 +00:00
create class for security config validation 2015-11-12 20:46:31 +00:00			`if self._public_key and self._private_key:`
			`self._keys = (self._public_key, self._private_key)`
Add a SecScanEndpoint class and move all the cert and config handling in there 2015-10-26 19:13:58 +00:00			`else:`
create class for security config validation 2015-11-12 20:46:31 +00:00			`self._keys = None`
Add a SecScanEndpoint class and move all the cert and config handling in there 2015-10-26 19:13:58 +00:00
create class for security config validation 2015-11-12 20:46:31 +00:00			`def _get_filepath(self, key):`
			`config = self._security_config`
Add a SecScanEndpoint class and move all the cert and config handling in there 2015-10-26 19:13:58 +00:00
create class for security config validation 2015-11-12 20:46:31 +00:00			`if key in config:`
			`with self._config_provider.get_volume_file(config[key]) as f:`
Add a SecScanEndpoint class and move all the cert and config handling in there 2015-10-26 19:13:58 +00:00			`return f.name`

			`return None`

create class for security config validation 2015-11-12 20:46:31 +00:00			`def cert(self):`
			`return self._certificate`

			`def keypair(self):`
			`return self._keys`

			`def valid(self):`
			`if (not features.SECURITY_SCANNER`
tiny fixes to securityworker 2015-11-12 22:02:18 +00:00			`or not self._security_config`
			`or not 'ENDPOINT' in self._security_config`
			`or not 'ENGINE_VERSION_TARGET' in self._security_config`
			`or not 'DISTRIBUTED_STORAGE_PREFERENCE' in self._security_config`
create class for security config validation 2015-11-12 20:46:31 +00:00			`or (self._certificate is False and self._keys is None)):`
			`return False`

			`return True`


			`class SecurityScannerAPI(object):`
			`""" Helper class for talking to the Security Scan service (Clair). """`
			`def __init__(self, app, config_provider):`
			`self.app = app`
			`self.config_provider = config_provider`

			`config_validator = SecurityConfigValidator(app, config_provider)`
			`if not config_validator.valid():`
tiny fixes to securityworker 2015-11-12 22:02:18 +00:00			`logger.warning('Invalid config provided to SecurityScannerAPI')`
create class for security config validation 2015-11-12 20:46:31 +00:00			`return`

tiny fixes to securityworker 2015-11-12 22:02:18 +00:00			`self._security_config = app.config.get('SECURITY_SCANNER')`
			`self._certificate = config_validator.cert()`
			`self._keys = config_validator.keypair()`
create class for security config validation 2015-11-12 20:46:31 +00:00
Update quay sec code to fix problems identified in previous review - Change get_repository_images_recursive to operate over a single docker image and storage uuid - Move endpoints/sec to endpoints/secscan - Change notification system to work with new Quay-sec format Fixes #768 2015-11-09 22:12:22 +00:00			`def check_layer_vulnerable(self, layer_id, cve_id):`
			`""" Checks with Clair whether the given layer is vulnerable to the given CVE. """`
			`try:`
			`body = {`
			`'LayersIDs': [layer_id]`
			`}`
rename secscan_endpoint and move db close to API 2015-11-10 20:01:33 +00:00			`response = self.call('vulnerabilities/%s/affected-layers', body, cve_id)`
Update quay sec code to fix problems identified in previous review - Change get_repository_images_recursive to operate over a single docker image and storage uuid - Move endpoints/sec to endpoints/secscan - Change notification system to work with new Quay-sec format Fixes #768 2015-11-09 22:12:22 +00:00			`except requests.exceptions.RequestException:`
			`logger.exception('Got exception when trying to call Clair endpoint')`
			`return False`

			`if response.status_code != 200:`
			`return False`

			`try:`
			`response_data = response.json()`
			`except ValueError:`
			`logger.exception('Got exception when trying to parse Clair response')`
			`return False`

			`if (not layer_id in response_data or`
			`not response_data[layer_id].get('Vulnerable', False)):`
			`return False`

			`return True`

rename secscan_endpoint and move db close to API 2015-11-10 20:01:33 +00:00			`def call(self, relative_url, body=None, args, *kwargs):`
			`""" Issues an HTTP call to the sec API at the given relative URL.`
			`This function disconnects from the database while awaiting a response`
			`from the API server.`
			`"""`
tiny fixes to securityworker 2015-11-12 22:02:18 +00:00			`security_config = self._security_config`
Add a SecScanEndpoint class and move all the cert and config handling in there 2015-10-26 19:13:58 +00:00			`api_url = urljoin(security_config['ENDPOINT'], '/' + security_config['API_VERSION']) + '/'`
			`url = urljoin(api_url, relative_url % args)`

			`client = self.app.config['HTTPCLIENT']`
			`timeout = security_config.get('API_TIMEOUT_SECONDS', 1)`
			`logger.debug('Looking up sec information: %s', url)`

Only send vulnerability events if the minimum priority is gte to that specified Fixes #770 2015-11-10 20:08:14 +00:00			`with CloseForLongOperation(self.app.config):`
rename secscan_endpoint and move db close to API 2015-11-10 20:01:33 +00:00			`if body is not None:`
tiny fixes to securityworker 2015-11-12 22:02:18 +00:00			`return client.post(url, json=body, params=kwargs, timeout=timeout, cert=self._keys,`
			`verify=self._certificate)`
rename secscan_endpoint and move db close to API 2015-11-10 20:01:33 +00:00			`else:`
tiny fixes to securityworker 2015-11-12 22:02:18 +00:00			`return client.get(url, params=kwargs, timeout=timeout, cert=self._keys,`
			`verify=self._certificate)`