quay/endpoints/api/secscan.py

""" List and manage repository vulnerabilities and other security information. """

import logging
import features

from app import secscan_api
from auth.decorators import process_basic_auth_no_pass
from data.registry_model import registry_model
from data.registry_model.datatypes import SecurityScanStatus
from endpoints.api import (require_repo_read, path_param,
                           RepositoryParamResource, resource, nickname, show_if, parse_args,
                           query_param, truthy_bool, disallow_for_app_repositories)
from endpoints.exception import NotFound, DownstreamIssue
from endpoints.api.manifest import MANIFEST_DIGEST_ROUTE
from util.secscan.api import APIRequestFailure


logger = logging.getLogger(__name__)

def _security_info(manifest_or_legacy_image, include_vulnerabilities=True):
  """ Returns a dict representing the result of a call to the security status API for the given
      manifest or image.
  """
  status = registry_model.get_security_status(manifest_or_legacy_image)
  if status is None:
    raise NotFound()

  if status != SecurityScanStatus.SCANNED:
    return {
      'status': status.value,
    }

  try:
    if include_vulnerabilities:
      data = secscan_api.get_layer_data(manifest_or_legacy_image, include_vulnerabilities=True)
    else:
      data = secscan_api.get_layer_data(manifest_or_legacy_image, include_features=True)
  except APIRequestFailure as arf:
    raise DownstreamIssue(arf.message)

  if data is None:
    raise NotFound()

  return {
    'status': status.value,
    'data': data,
  }


@resource('/v1/repository/<apirepopath:repository>/image/<imageid>/security')
@show_if(features.SECURITY_SCANNER)
@path_param('repository', 'The full path of the repository. e.g. namespace/name')
@path_param('imageid', 'The image ID')
class RepositoryImageSecurity(RepositoryParamResource):
  """ Operations for managing the vulnerabilities in a repository image. """

  @process_basic_auth_no_pass
  @require_repo_read
  @nickname('getRepoImageSecurity')
  @disallow_for_app_repositories
  @parse_args()
  @query_param('vulnerabilities', 'Include vulnerabilities informations', type=truthy_bool,
               default=False)
  def get(self, namespace, repository, imageid, parsed_args):
    """ Fetches the features and vulnerabilities (if any) for a repository image. """
    repo_ref = registry_model.lookup_repository(namespace, repository)
    if repo_ref is None:
      raise NotFound()

    legacy_image = registry_model.get_legacy_image(repo_ref, imageid)
    if legacy_image is None:
      raise NotFound()

    return _security_info(legacy_image, parsed_args.vulnerabilities)


@resource(MANIFEST_DIGEST_ROUTE + '/security')
@show_if(features.SECURITY_SCANNER)
@path_param('repository', 'The full path of the repository. e.g. namespace/name')
@path_param('manifestref', 'The digest of the manifest')
class RepositoryManifestSecurity(RepositoryParamResource):
  """ Operations for managing the vulnerabilities in a repository manifest. """

  @process_basic_auth_no_pass
  @require_repo_read
  @nickname('getRepoManifestSecurity')
  @disallow_for_app_repositories
  @parse_args()
  @query_param('vulnerabilities', 'Include vulnerabilities informations', type=truthy_bool,
               default=False)
  def get(self, namespace, repository, manifestref, parsed_args):
    repo_ref = registry_model.lookup_repository(namespace, repository)
    if repo_ref is None:
      raise NotFound()

    manifest = registry_model.lookup_manifest_by_digest(repo_ref, manifestref, allow_dead=True)
    if manifest is None:
      raise NotFound()

    return _security_info(manifest, parsed_args.vulnerabilities)
Adapt secscan API for Clair v1.0 Squash /vulnerabilities and /packages as it basically does the same action on Clair and we don't need both for Quay 2016-02-17 14:48:50 -05:00			`""" List and manage repository vulnerabilities and other security information. """`
Add vulnerabilities and packages API to Quay Fixes #564 2015-10-23 15:20:28 -04:00
			`import logging`
			`import features`

rename secscan_endpoint and move db close to API 2015-11-10 15:01:33 -05:00			`from app import secscan_api`
Allow use of basic auth for security scan endpoints This will allow the security labeler to send a pull secret to retrieve security information for a manifest Fixes https://jira.coreos.com/browse/QUAY-1087 2018-09-21 13:54:33 -04:00			`from auth.decorators import process_basic_auth_no_pass`
Change secscan API endpoints to use new registry model interface 2018-08-23 16:36:04 -04:00			`from data.registry_model import registry_model`
			`from data.registry_model.datatypes import SecurityScanStatus`
Use new error format for auth errors (factor exceptions into module) 2016-04-11 16:20:11 -04:00			`from endpoints.api import (require_repo_read, path_param,`
Add vulnerabilities and packages API to Quay Fixes #564 2015-10-23 15:20:28 -04:00			`RepositoryParamResource, resource, nickname, show_if, parse_args,`
Disallow non-apps-supported APIs for application repositories 2017-03-22 14:30:13 -04:00			`query_param, truthy_bool, disallow_for_app_repositories)`
Use new error format for auth errors (factor exceptions into module) 2016-04-11 16:20:11 -04:00			`from endpoints.exception import NotFound, DownstreamIssue`
Add API endpoint for retrieving security status by manifest, rather than Docker V1 image ID 2017-02-02 17:51:18 -05:00			`from endpoints.api.manifest import MANIFEST_DIGEST_ROUTE`
Refactor the security worker and API calls and add a bunch of tests 2016-02-24 16:01:27 -05:00			`from util.secscan.api import APIRequestFailure`
Add vulnerabilities and packages API to Quay Fixes #564 2015-10-23 15:20:28 -04:00

			`logger = logging.getLogger(__name__)`

Change secscan API endpoints to use new registry model interface 2018-08-23 16:36:04 -04:00			`def _security_info(manifest_or_legacy_image, include_vulnerabilities=True):`
Add API endpoint for retrieving security status by manifest, rather than Docker V1 image ID 2017-02-02 17:51:18 -05:00			`""" Returns a dict representing the result of a call to the security status API for the given`
Change secscan API endpoints to use new registry model interface 2018-08-23 16:36:04 -04:00			`manifest or image.`
Add API endpoint for retrieving security status by manifest, rather than Docker V1 image ID 2017-02-02 17:51:18 -05:00			`"""`
Change secscan API endpoints to use new registry model interface 2018-08-23 16:36:04 -04:00			`status = registry_model.get_security_status(manifest_or_legacy_image)`
			`if status is None:`
			`raise NotFound()`

			`if status != SecurityScanStatus.SCANNED:`
Add API endpoint for retrieving security status by manifest, rather than Docker V1 image ID 2017-02-02 17:51:18 -05:00			`return {`
Change secscan API endpoints to use new registry model interface 2018-08-23 16:36:04 -04:00			`'status': status.value,`
Add API endpoint for retrieving security status by manifest, rather than Docker V1 image ID 2017-02-02 17:51:18 -05:00			`}`

			`try:`
			`if include_vulnerabilities:`
Change secscan API endpoints to use new registry model interface 2018-08-23 16:36:04 -04:00			`data = secscan_api.get_layer_data(manifest_or_legacy_image, include_vulnerabilities=True)`
Add API endpoint for retrieving security status by manifest, rather than Docker V1 image ID 2017-02-02 17:51:18 -05:00			`else:`
Change secscan API endpoints to use new registry model interface 2018-08-23 16:36:04 -04:00			`data = secscan_api.get_layer_data(manifest_or_legacy_image, include_features=True)`
Add API endpoint for retrieving security status by manifest, rather than Docker V1 image ID 2017-02-02 17:51:18 -05:00			`except APIRequestFailure as arf:`
Make downstream issues show their error in the UI 2017-07-21 13:20:31 -04:00			`raise DownstreamIssue(arf.message)`
Add API endpoint for retrieving security status by manifest, rather than Docker V1 image ID 2017-02-02 17:51:18 -05:00
			`if data is None:`
			`raise NotFound()`

			`return {`
Change secscan API endpoints to use new registry model interface 2018-08-23 16:36:04 -04:00			`'status': status.value,`
Add API endpoint for retrieving security status by manifest, rather than Docker V1 image ID 2017-02-02 17:51:18 -05:00			`'data': data,`
			`}`

Vulnerability UI part 2 Fixes #860 Fixes #855 2015-11-12 15:42:45 -05:00
Adapt secscan API for Clair v1.0 Squash /vulnerabilities and /packages as it basically does the same action on Clair and we don't need both for Quay 2016-02-17 14:48:50 -05:00			`@resource('/v1/repository/<apirepopath:repository>/image/<imageid>/security')`
Fix show_if ordering and add a check that fails if misordered Before this change, these endpoints still existed even if the flag was off 2017-05-01 13:14:20 -04:00			`@show_if(features.SECURITY_SCANNER)`
Add vulnerabilities and packages API to Quay Fixes #564 2015-10-23 15:20:28 -04:00			`@path_param('repository', 'The full path of the repository. e.g. namespace/name')`
New Quay Sec UI and fix some small bugs Fixes #855 2015-11-11 15:52:30 -05:00			`@path_param('imageid', 'The image ID')`
Adapt secscan API for Clair v1.0 Squash /vulnerabilities and /packages as it basically does the same action on Clair and we don't need both for Quay 2016-02-17 14:48:50 -05:00			`class RepositoryImageSecurity(RepositoryParamResource):`
New Quay Sec UI and fix some small bugs Fixes #855 2015-11-11 15:52:30 -05:00			`""" Operations for managing the vulnerabilities in a repository image. """`
Add vulnerabilities and packages API to Quay Fixes #564 2015-10-23 15:20:28 -04:00
Allow use of basic auth for security scan endpoints This will allow the security labeler to send a pull secret to retrieve security information for a manifest Fixes https://jira.coreos.com/browse/QUAY-1087 2018-09-21 13:54:33 -04:00			`@process_basic_auth_no_pass`
Add vulnerabilities and packages API to Quay Fixes #564 2015-10-23 15:20:28 -04:00			`@require_repo_read`
Adapt secscan API for Clair v1.0 Squash /vulnerabilities and /packages as it basically does the same action on Clair and we don't need both for Quay 2016-02-17 14:48:50 -05:00			`@nickname('getRepoImageSecurity')`
Disallow non-apps-supported APIs for application repositories 2017-03-22 14:30:13 -04:00			`@disallow_for_app_repositories`
Refactor how parsed_args are passed to methods 2016-01-26 16:27:36 -05:00			`@parse_args()`
Adapt secscan API for Clair v1.0 Squash /vulnerabilities and /packages as it basically does the same action on Clair and we don't need both for Quay 2016-02-17 14:48:50 -05:00			`@query_param('vulnerabilities', 'Include vulnerabilities informations', type=truthy_bool,`
			`default=False)`
Refactor how parsed_args are passed to methods 2016-01-26 16:27:36 -05:00			`def get(self, namespace, repository, imageid, parsed_args):`
Fix doc comment on security scan API endpoint Fixes #2216 2016-12-07 11:50:22 -05:00			`""" Fetches the features and vulnerabilities (if any) for a repository image. """`
Change secscan API endpoints to use new registry model interface 2018-08-23 16:36:04 -04:00			`repo_ref = registry_model.lookup_repository(namespace, repository)`
			`if repo_ref is None:`
			`raise NotFound()`

			`legacy_image = registry_model.get_legacy_image(repo_ref, imageid)`
			`if legacy_image is None:`
Add vulnerabilities and packages API to Quay Fixes #564 2015-10-23 15:20:28 -04:00			`raise NotFound()`

Change secscan API endpoints to use new registry model interface 2018-08-23 16:36:04 -04:00			`return _security_info(legacy_image, parsed_args.vulnerabilities)`

Add API endpoint for retrieving security status by manifest, rather than Docker V1 image ID 2017-02-02 17:51:18 -05:00
			`@resource(MANIFEST_DIGEST_ROUTE + '/security')`
Fix show_if ordering and add a check that fails if misordered Before this change, these endpoints still existed even if the flag was off 2017-05-01 13:14:20 -04:00			`@show_if(features.SECURITY_SCANNER)`
Add API endpoint for retrieving security status by manifest, rather than Docker V1 image ID 2017-02-02 17:51:18 -05:00			`@path_param('repository', 'The full path of the repository. e.g. namespace/name')`
			`@path_param('manifestref', 'The digest of the manifest')`
			`class RepositoryManifestSecurity(RepositoryParamResource):`
			`""" Operations for managing the vulnerabilities in a repository manifest. """`
Add vulnerabilities and packages API to Quay Fixes #564 2015-10-23 15:20:28 -04:00
Allow use of basic auth for security scan endpoints This will allow the security labeler to send a pull secret to retrieve security information for a manifest Fixes https://jira.coreos.com/browse/QUAY-1087 2018-09-21 13:54:33 -04:00			`@process_basic_auth_no_pass`
Add API endpoint for retrieving security status by manifest, rather than Docker V1 image ID 2017-02-02 17:51:18 -05:00			`@require_repo_read`
			`@nickname('getRepoManifestSecurity')`
Disallow non-apps-supported APIs for application repositories 2017-03-22 14:30:13 -04:00			`@disallow_for_app_repositories`
Add API endpoint for retrieving security status by manifest, rather than Docker V1 image ID 2017-02-02 17:51:18 -05:00			`@parse_args()`
			`@query_param('vulnerabilities', 'Include vulnerabilities informations', type=truthy_bool,`
			`default=False)`
			`def get(self, namespace, repository, manifestref, parsed_args):`
Change secscan API endpoints to use new registry model interface 2018-08-23 16:36:04 -04:00			`repo_ref = registry_model.lookup_repository(namespace, repository)`
			`if repo_ref is None:`
Refactor the security worker and API calls and add a bunch of tests 2016-02-24 16:01:27 -05:00			`raise NotFound()`
Add vulnerabilities and packages API to Quay Fixes #564 2015-10-23 15:20:28 -04:00
Change secscan API endpoints to use new registry model interface 2018-08-23 16:36:04 -04:00			`manifest = registry_model.lookup_manifest_by_digest(repo_ref, manifestref, allow_dead=True)`
			`if manifest is None:`
			`raise NotFound()`
Add API endpoint for retrieving security status by manifest, rather than Docker V1 image ID 2017-02-02 17:51:18 -05:00
Change secscan API endpoints to use new registry model interface 2018-08-23 16:36:04 -04:00			`return _security_info(manifest, parsed_args.vulnerabilities)`