2015-11-10 00:17:15 +00:00
|
|
|
import logging
|
|
|
|
import time
|
2016-02-25 20:58:42 +00:00
|
|
|
import json
|
2015-11-10 00:17:15 +00:00
|
|
|
|
|
|
|
import features
|
|
|
|
|
2015-11-10 20:01:33 +00:00
|
|
|
from app import secscan_notification_queue, secscan_api
|
2016-02-25 20:58:42 +00:00
|
|
|
from workers.queueworker import QueueWorker, JobException
|
2016-12-19 22:15:59 +00:00
|
|
|
from util.secscan.notifier import SecurityNotificationHandler, ProcessNotificationPageResult
|
2015-11-10 00:17:15 +00:00
|
|
|
|
2016-10-28 21:11:54 +00:00
|
|
|
|
2015-11-10 00:17:15 +00:00
|
|
|
logger = logging.getLogger(__name__)
|
|
|
|
|
2016-10-28 21:11:54 +00:00
|
|
|
|
2016-08-29 17:08:38 +00:00
|
|
|
_PROCESSING_SECONDS = 60 * 60 # 1 hour
|
2016-12-04 12:39:34 +00:00
|
|
|
_LAYER_LIMIT = 1000 # The number of layers to request on each page.
|
2015-11-10 00:17:15 +00:00
|
|
|
|
2016-10-28 21:11:54 +00:00
|
|
|
|
2015-11-10 00:17:15 +00:00
|
|
|
class SecurityNotificationWorker(QueueWorker):
|
2015-11-12 22:47:19 +00:00
|
|
|
def process_queue_item(self, data):
|
2016-03-28 20:41:37 +00:00
|
|
|
self.perform_notification_work(data)
|
|
|
|
|
2016-12-14 22:11:45 +00:00
|
|
|
def perform_notification_work(self, data, layer_limit=_LAYER_LIMIT):
|
2016-03-28 20:41:37 +00:00
|
|
|
""" Performs the work for handling a security notification as referenced by the given data
|
|
|
|
object. Returns True on successful handling, False on non-retryable failure and raises
|
|
|
|
a JobException on retryable failure.
|
|
|
|
"""
|
|
|
|
|
2016-02-25 20:58:42 +00:00
|
|
|
notification_name = data['Name']
|
|
|
|
current_page = data.get('page', None)
|
2016-12-19 22:15:59 +00:00
|
|
|
handler = SecurityNotificationHandler(layer_limit)
|
2015-11-10 00:17:15 +00:00
|
|
|
|
2016-02-25 20:58:42 +00:00
|
|
|
while True:
|
2016-12-19 22:15:59 +00:00
|
|
|
# Retrieve the current page of notification data from the security scanner.
|
2016-03-19 00:28:06 +00:00
|
|
|
(response_data, should_retry) = secscan_api.get_notification(notification_name,
|
2016-12-14 22:11:45 +00:00
|
|
|
layer_limit=layer_limit,
|
2016-03-19 00:28:06 +00:00
|
|
|
page=current_page)
|
2016-12-19 22:15:59 +00:00
|
|
|
|
|
|
|
# If no response, something went wrong.
|
2016-02-25 20:58:42 +00:00
|
|
|
if response_data is None:
|
|
|
|
if should_retry:
|
|
|
|
raise JobException()
|
|
|
|
else:
|
2016-12-06 00:08:52 +00:00
|
|
|
# Remove the job from the API.
|
2016-02-25 20:58:42 +00:00
|
|
|
logger.error('Failed to handle security notification %s', notification_name)
|
2016-12-06 00:08:52 +00:00
|
|
|
secscan_api.mark_notification_read(notification_name)
|
|
|
|
|
|
|
|
# Return to mark the job as "complete", as we'll never be able to finish it.
|
2016-03-19 00:28:06 +00:00
|
|
|
return False
|
2016-02-25 20:58:42 +00:00
|
|
|
|
2016-12-19 22:15:59 +00:00
|
|
|
# Extend processing on the queue item so it doesn't expire while we're working.
|
2016-08-29 17:08:38 +00:00
|
|
|
self.extend_processing(_PROCESSING_SECONDS, json.dumps(data))
|
2016-12-19 22:15:59 +00:00
|
|
|
|
|
|
|
# Process the notification data.
|
2016-02-25 20:58:42 +00:00
|
|
|
notification_data = response_data['Notification']
|
2016-12-19 22:15:59 +00:00
|
|
|
result = handler.process_notification_page_data(notification_data)
|
|
|
|
|
|
|
|
# Possible states after processing: failed to process, finished processing entirely
|
|
|
|
# or finished processing the page.
|
|
|
|
if result == ProcessNotificationPageResult.FAILED:
|
|
|
|
# Something went wrong.
|
|
|
|
raise JobException
|
2016-02-25 20:58:42 +00:00
|
|
|
|
2016-12-19 22:15:59 +00:00
|
|
|
if result == ProcessNotificationPageResult.FINISHED_PROCESSING:
|
|
|
|
# Mark the notification as read.
|
2016-03-19 00:28:06 +00:00
|
|
|
if not secscan_api.mark_notification_read(notification_name):
|
|
|
|
# Return to mark the job as "complete", as we'll never be able to finish it.
|
|
|
|
logger.error('Failed to mark notification %s as read', notification_name)
|
|
|
|
return False
|
|
|
|
|
2016-12-19 22:15:59 +00:00
|
|
|
# Send the generated Quay notifications.
|
|
|
|
handler.send_notifications()
|
2016-03-19 00:28:06 +00:00
|
|
|
return True
|
2016-02-25 20:58:42 +00:00
|
|
|
|
2016-12-19 22:15:59 +00:00
|
|
|
if result == ProcessNotificationPageResult.FINISHED_PAGE:
|
|
|
|
# Continue onto the next page.
|
|
|
|
current_page = notification_data['NextPage']
|
|
|
|
continue
|
2015-11-10 00:17:15 +00:00
|
|
|
|
|
|
|
|
|
|
|
if __name__ == '__main__':
|
2016-03-01 20:35:00 +00:00
|
|
|
if not features.SECURITY_SCANNER or not features.SECURITY_NOTIFICATIONS:
|
2015-11-10 00:17:15 +00:00
|
|
|
logger.debug('Security scanner disabled; skipping SecurityNotificationWorker')
|
|
|
|
while True:
|
|
|
|
time.sleep(100000)
|
|
|
|
|
|
|
|
worker = SecurityNotificationWorker(secscan_notification_queue, poll_period_seconds=30,
|
|
|
|
reservation_seconds=30, retry_after_seconds=30)
|
|
|
|
worker.start()
|