quay/endpoints/api/secscan.py

""" List and manage repository vulnerabilities and other sec information. """

import logging
import features
import json
import requests

from app import secscan_api
from data import model
from endpoints.api import (require_repo_read, NotFound, DownstreamIssue, path_param,
                           RepositoryParamResource, resource, nickname, show_if, parse_args,
                           query_param)


logger = logging.getLogger(__name__)


class SCAN_STATUS(object):
  """ Security scan status enum """
  SCANNED = 'scanned'
  FAILED = 'failed'
  QUEUED = 'queued'


def _call_security_api(relative_url, *args, **kwargs):
  """ Issues an HTTP call to the sec API at the given relative URL. """
  try:
    response = secscan_api.call(relative_url, None, *args, **kwargs)
  except requests.exceptions.Timeout:
    raise DownstreamIssue(payload=dict(message='API call timed out'))
  except requests.exceptions.ConnectionError:
    raise DownstreamIssue(payload=dict(message='Could not connect to downstream service'))

  if response.status_code == 404:
    raise NotFound()

  try:
    response_data = json.loads(response.text)
  except ValueError:
    raise DownstreamIssue(payload=dict(message='Non-json response from downstream service'))

  if response.status_code / 100 != 2:
    logger.warning('Got %s status code to call: %s', response.status_code, response.text)
    raise DownstreamIssue(payload=dict(message=response_data['Message']))

  return response_data


def _get_status(repo_image):
  if repo_image.security_indexed_engine:
    return SCAN_STATUS.SCANNED if repo_image.security_indexed else SCAN_STATUS.FAILED

  return SCAN_STATUS.QUEUED


@show_if(features.SECURITY_SCANNER)
@resource('/v1/repository/<repopath:repository>/image/<imageid>/vulnerabilities')
@path_param('repository', 'The full path of the repository. e.g. namespace/name')
@path_param('imageid', 'The image ID')
class RepositoryImageVulnerabilities(RepositoryParamResource):
  """ Operations for managing the vulnerabilities in a repository image. """

  @require_repo_read
  @nickname('getRepoImageVulnerabilities')
  @parse_args
  @query_param('minimumPriority', 'Minimum vulnerability priority', type=str,
               default='Low')
  def get(self, args, namespace, repository, imageid):
    """ Fetches the vulnerabilities (if any) for a repository tag. """
    repo_image = model.image.get_repo_image(namespace, repository, imageid)
    if repo_image is None:
      raise NotFound()

    if not repo_image.security_indexed:
      logger.debug('Image %s under repository %s/%s not security indexed',
                   repo_image.docker_image_id, namespace, repository)
      return {
        'status': _get_status(repo_image),
      }

    layer_id = '%s.%s' % (repo_image.docker_image_id, repo_image.storage.uuid)
    data = _call_security_api('layers/%s/vulnerabilities', layer_id,
                              minimumPriority=args.minimumPriority)

    return {
      'status': _get_status(repo_image),
      'data': data,
    }


@show_if(features.SECURITY_SCANNER)
@resource('/v1/repository/<repopath:repository>/image/<imageid>/packages')
@path_param('repository', 'The full path of the repository. e.g. namespace/name')
@path_param('imageid', 'The image ID')
class RepositoryImagePackages(RepositoryParamResource):
  """ Operations for listing the packages added/removed in an image. """

  @require_repo_read
  @nickname('getRepoImagePackages')
  def get(self, namespace, repository, imageid):
    """ Fetches the packages added/removed in the given repo image. """
    repo_image = model.image.get_repo_image(namespace, repository, imageid)
    if repo_image is None:
      raise NotFound()

    if not repo_image.security_indexed:
      return {
        'status': _get_status(repo_image),
      }

    layer_id = '%s.%s' % (repo_image.docker_image_id, repo_image.storage.uuid)
    data = _call_security_api('layers/%s/packages', layer_id)

    return {
      'status': _get_status(repo_image),
      'data': data,
    }
Add vulnerabilities and packages API to Quay Fixes #564 2015-10-23 19:20:28 +00:00			`""" List and manage repository vulnerabilities and other sec information. """`

			`import logging`
			`import features`
			`import json`
Add a SecScanEndpoint class and move all the cert and config handling in there 2015-10-26 19:13:58 +00:00			`import requests`
Add vulnerabilities and packages API to Quay Fixes #564 2015-10-23 19:20:28 +00:00
rename secscan_endpoint and move db close to API 2015-11-10 20:01:33 +00:00			`from app import secscan_api`
Add vulnerabilities and packages API to Quay Fixes #564 2015-10-23 19:20:28 +00:00			`from data import model`
			`from endpoints.api import (require_repo_read, NotFound, DownstreamIssue, path_param,`
			`RepositoryParamResource, resource, nickname, show_if, parse_args,`
			`query_param)`


			`logger = logging.getLogger(__name__)`

Add a SecScanEndpoint class and move all the cert and config handling in there 2015-10-26 19:13:58 +00:00
Vulnerability UI part 2 Fixes #860 Fixes #855 2015-11-12 20:42:45 +00:00			`class SCAN_STATUS(object):`
			`""" Security scan status enum """`
			`SCANNED = 'scanned'`
			`FAILED = 'failed'`
			`QUEUED = 'queued'`


Add vulnerabilities and packages API to Quay Fixes #564 2015-10-23 19:20:28 +00:00			`def _call_security_api(relative_url, args, *kwargs):`
			`""" Issues an HTTP call to the sec API at the given relative URL. """`
			`try:`
New Quay Sec UI and fix some small bugs Fixes #855 2015-11-11 20:52:30 +00:00			`response = secscan_api.call(relative_url, None, args, *kwargs)`
Add vulnerabilities and packages API to Quay Fixes #564 2015-10-23 19:20:28 +00:00			`except requests.exceptions.Timeout:`
			`raise DownstreamIssue(payload=dict(message='API call timed out'))`
			`except requests.exceptions.ConnectionError:`
			`raise DownstreamIssue(payload=dict(message='Could not connect to downstream service'))`

			`if response.status_code == 404:`
			`raise NotFound()`

			`try:`
			`response_data = json.loads(response.text)`
			`except ValueError:`
			`raise DownstreamIssue(payload=dict(message='Non-json response from downstream service'))`

			`if response.status_code / 100 != 2:`
Add a SecScanEndpoint class and move all the cert and config handling in there 2015-10-26 19:13:58 +00:00			`logger.warning('Got %s status code to call: %s', response.status_code, response.text)`
Add vulnerabilities and packages API to Quay Fixes #564 2015-10-23 19:20:28 +00:00			`raise DownstreamIssue(payload=dict(message=response_data['Message']))`

			`return response_data`


Vulnerability UI part 2 Fixes #860 Fixes #855 2015-11-12 20:42:45 +00:00			`def _get_status(repo_image):`
			`if repo_image.security_indexed_engine:`
			`return SCAN_STATUS.SCANNED if repo_image.security_indexed else SCAN_STATUS.FAILED`

			`return SCAN_STATUS.QUEUED`


Add vulnerabilities and packages API to Quay Fixes #564 2015-10-23 19:20:28 +00:00			`@show_if(features.SECURITY_SCANNER)`
New Quay Sec UI and fix some small bugs Fixes #855 2015-11-11 20:52:30 +00:00			`@resource('/v1/repository/<repopath:repository>/image/<imageid>/vulnerabilities')`
Add vulnerabilities and packages API to Quay Fixes #564 2015-10-23 19:20:28 +00:00			`@path_param('repository', 'The full path of the repository. e.g. namespace/name')`
New Quay Sec UI and fix some small bugs Fixes #855 2015-11-11 20:52:30 +00:00			`@path_param('imageid', 'The image ID')`
			`class RepositoryImageVulnerabilities(RepositoryParamResource):`
			`""" Operations for managing the vulnerabilities in a repository image. """`
Add vulnerabilities and packages API to Quay Fixes #564 2015-10-23 19:20:28 +00:00
			`@require_repo_read`
New Quay Sec UI and fix some small bugs Fixes #855 2015-11-11 20:52:30 +00:00			`@nickname('getRepoImageVulnerabilities')`
Add vulnerabilities and packages API to Quay Fixes #564 2015-10-23 19:20:28 +00:00			`@parse_args`
			`@query_param('minimumPriority', 'Minimum vulnerability priority', type=str,`
			`default='Low')`
New Quay Sec UI and fix some small bugs Fixes #855 2015-11-11 20:52:30 +00:00			`def get(self, args, namespace, repository, imageid):`
Add vulnerabilities and packages API to Quay Fixes #564 2015-10-23 19:20:28 +00:00			`""" Fetches the vulnerabilities (if any) for a repository tag. """`
New Quay Sec UI and fix some small bugs Fixes #855 2015-11-11 20:52:30 +00:00			`repo_image = model.image.get_repo_image(namespace, repository, imageid)`
			`if repo_image is None:`
Add vulnerabilities and packages API to Quay Fixes #564 2015-10-23 19:20:28 +00:00			`raise NotFound()`

New Quay Sec UI and fix some small bugs Fixes #855 2015-11-11 20:52:30 +00:00			`if not repo_image.security_indexed:`
			`logger.debug('Image %s under repository %s/%s not security indexed',`
			`repo_image.docker_image_id, namespace, repository)`
Add vulnerabilities and packages API to Quay Fixes #564 2015-10-23 19:20:28 +00:00			`return {`
Vulnerability UI part 2 Fixes #860 Fixes #855 2015-11-12 20:42:45 +00:00			`'status': _get_status(repo_image),`
Add vulnerabilities and packages API to Quay Fixes #564 2015-10-23 19:20:28 +00:00			`}`

New Quay Sec UI and fix some small bugs Fixes #855 2015-11-11 20:52:30 +00:00			`layer_id = '%s.%s' % (repo_image.docker_image_id, repo_image.storage.uuid)`
			`data = _call_security_api('layers/%s/vulnerabilities', layer_id,`
Add vulnerabilities and packages API to Quay Fixes #564 2015-10-23 19:20:28 +00:00			`minimumPriority=args.minimumPriority)`

			`return {`
Vulnerability UI part 2 Fixes #860 Fixes #855 2015-11-12 20:42:45 +00:00			`'status': _get_status(repo_image),`
Add vulnerabilities and packages API to Quay Fixes #564 2015-10-23 19:20:28 +00:00			`'data': data,`
			`}`


			`@show_if(features.SECURITY_SCANNER)`
			`@resource('/v1/repository/<repopath:repository>/image/<imageid>/packages')`
			`@path_param('repository', 'The full path of the repository. e.g. namespace/name')`
			`@path_param('imageid', 'The image ID')`
			`class RepositoryImagePackages(RepositoryParamResource):`
			`""" Operations for listing the packages added/removed in an image. """`

			`@require_repo_read`
			`@nickname('getRepoImagePackages')`
			`def get(self, namespace, repository, imageid):`
			`""" Fetches the packages added/removed in the given repo image. """`
			`repo_image = model.image.get_repo_image(namespace, repository, imageid)`
			`if repo_image is None:`
			`raise NotFound()`

			`if not repo_image.security_indexed:`
			`return {`
Vulnerability UI part 2 Fixes #860 Fixes #855 2015-11-12 20:42:45 +00:00			`'status': _get_status(repo_image),`
Add vulnerabilities and packages API to Quay Fixes #564 2015-10-23 19:20:28 +00:00			`}`

New Quay Sec UI and fix some small bugs Fixes #855 2015-11-11 20:52:30 +00:00			`layer_id = '%s.%s' % (repo_image.docker_image_id, repo_image.storage.uuid)`
			`data = _call_security_api('layers/%s/packages', layer_id)`
Add vulnerabilities and packages API to Quay Fixes #564 2015-10-23 19:20:28 +00:00
			`return {`
Vulnerability UI part 2 Fixes #860 Fixes #855 2015-11-12 20:42:45 +00:00			`'status': _get_status(repo_image),`
Add vulnerabilities and packages API to Quay Fixes #564 2015-10-23 19:20:28 +00:00			`'data': data,`
			`}`