Fix deleting repos when sec scan or signing is disabled
Make sure we don't invoke the APIs to non-existent endpoints
This commit is contained in:
Joseph Schorr
parent
624d8e1851
commit
c5bb9abf11
4 changed files with 181 additions and 40 deletions
|
|
@ -1,10 +1,14 @@
|
|||
import logging
|
||||
|
||||
from abc import ABCMeta, abstractmethod
|
||||
from six import add_metaclass
|
||||
from urlparse import urljoin
|
||||
from posixpath import join
|
||||
|
||||
import requests
|
||||
|
||||
from data.database import CloseForLongOperation
|
||||
from util.abchelpers import nooper
|
||||
from util.failover import failover, FailoverException
|
||||
from util.security.instancekeys import InstanceKeys
|
||||
from util.security.registry_jwt import build_context_and_subject, generate_bearer_token, QUAY_TUF_ROOT
|
||||
|
|
@ -30,7 +34,60 @@ class Non200ResponseException(Exception):
|
|||
|
||||
|
||||
class TUFMetadataAPI(object):
|
||||
""" Helper class for talking to the Security Scan service (usually Clair). """
|
||||
def __init__(self, app, config, client=None):
|
||||
feature_enabled = config.get('FEATURE_SIGNING', False)
|
||||
if feature_enabled:
|
||||
self.state = ImplementedTUFMetadataAPI(app, config, client=client)
|
||||
else:
|
||||
self.state = NoopTUFMetadataAPI()
|
||||
|
||||
def __getattr__(self, name):
|
||||
return getattr(self.state, name, None)
|
||||
|
||||
|
||||
@add_metaclass(ABCMeta)
|
||||
class TUFMetadataAPIInterface(object):
|
||||
""" Helper class for talking to the TUF Metadata service (Apostille). """
|
||||
|
||||
@abstractmethod
|
||||
def get_default_tags_with_expiration(self, namespace, repository, targets_file=None):
|
||||
"""
|
||||
Gets the tag -> sha mappings for a repo, as well as the expiration of the signatures.
|
||||
Does not verify the metadata, this is purely for display purposes.
|
||||
|
||||
Args:
|
||||
namespace: namespace containing the repository
|
||||
repository: the repo to get tags for
|
||||
targets_file: the specific delegation to read from. Default: targets/releases.json
|
||||
|
||||
Returns:
|
||||
targets, expiration or None, None
|
||||
"""
|
||||
pass
|
||||
|
||||
@abstractmethod
|
||||
def delete_metadata(self, namespace, repository):
|
||||
"""
|
||||
Deletes the TUF metadata for a repo
|
||||
|
||||
Args:
|
||||
namespace: namespace containing the repository
|
||||
repository: the repo to delete metadata for
|
||||
|
||||
Returns:
|
||||
True if successful, False otherwise
|
||||
"""
|
||||
pass
|
||||
|
||||
|
||||
@nooper
|
||||
class NoopTUFMetadataAPI(TUFMetadataAPIInterface):
|
||||
""" No-op version of the TUF API. """
|
||||
pass
|
||||
|
||||
|
||||
class ImplementedTUFMetadataAPI(TUFMetadataAPIInterface):
|
||||
def __init__(self, app, config, client=None):
|
||||
self._app = app
|
||||
self._instance_keys = InstanceKeys(app)
|
||||
|
|
@ -42,7 +99,7 @@ class TUFMetadataAPI(object):
|
|||
"""
|
||||
Gets the tag -> sha mappings for a repo, as well as the expiration of the signatures.
|
||||
Does not verify the metadata, this is purely for display purposes.
|
||||
|
||||
|
||||
Args:
|
||||
namespace: namespace containing the repository
|
||||
repository: the repo to get tags for
|
||||
|
|
@ -51,11 +108,11 @@ class TUFMetadataAPI(object):
|
|||
Returns:
|
||||
targets, expiration or None, None
|
||||
"""
|
||||
|
||||
|
||||
if not targets_file:
|
||||
targets_file = 'targets/releases.json'
|
||||
gun = self._gun(namespace, repository)
|
||||
|
||||
|
||||
try:
|
||||
response = self._get(gun, targets_file)
|
||||
signed = self._parse_signed(response.json())
|
||||
|
|
@ -63,26 +120,26 @@ class TUFMetadataAPI(object):
|
|||
expiration = signed.get('expires')
|
||||
except requests.exceptions.Timeout:
|
||||
logger.exception('Timeout when trying to get metadata for %s', gun)
|
||||
return None, None
|
||||
return None, None
|
||||
except requests.exceptions.ConnectionError:
|
||||
logger.exception('Connection error when trying to get metadata for %s', gun)
|
||||
return None, None
|
||||
return None, None
|
||||
except (requests.exceptions.RequestException, ValueError):
|
||||
logger.exception('Failed to get metadata for %s', gun)
|
||||
return None, None
|
||||
return None, None
|
||||
except Non200ResponseException as ex:
|
||||
logger.exception('Failed request for %s: %s', gun, str(ex))
|
||||
return None, None
|
||||
return None, None
|
||||
except InvalidMetadataException as ex:
|
||||
logger.exception('Failed to parse targets from metadata', str(ex))
|
||||
return None, None
|
||||
|
||||
return None, None
|
||||
|
||||
return targets, expiration
|
||||
|
||||
|
||||
def delete_metadata(self, namespace, repository):
|
||||
"""
|
||||
Deletes the TUF metadata for a repo
|
||||
|
||||
|
||||
Args:
|
||||
namespace: namespace containing the repository
|
||||
repository: the repo to delete metadata for
|
||||
|
|
@ -92,7 +149,7 @@ class TUFMetadataAPI(object):
|
|||
"""
|
||||
gun = self._gun(namespace, repository)
|
||||
try:
|
||||
self._delete(gun)
|
||||
self._delete(gun)
|
||||
except requests.exceptions.Timeout:
|
||||
logger.exception('Timeout when trying to delete metadata for %s', gun)
|
||||
return False
|
||||
|
|
@ -106,17 +163,17 @@ class TUFMetadataAPI(object):
|
|||
logger.exception('Failed request for %s: %s', gun, str(ex))
|
||||
return False
|
||||
return True
|
||||
|
||||
|
||||
def _gun(self, namespace, repository):
|
||||
return join(self._gun_prefix, namespace, repository)
|
||||
|
||||
|
||||
def _parse_signed(self, json_response):
|
||||
""" Attempts to parse the targets from a metadata response """
|
||||
signed = json_response.get('signed')
|
||||
if not signed:
|
||||
raise InvalidMetadataException("Could not find `signed` in metadata: %s" % json_response)
|
||||
return signed
|
||||
|
||||
return signed
|
||||
|
||||
def _auth_header(self, gun, actions):
|
||||
""" Generate a registry auth token for apostille"""
|
||||
access = [{
|
||||
|
|
@ -128,19 +185,19 @@ class TUFMetadataAPI(object):
|
|||
token = generate_bearer_token(self._config["SERVER_HOSTNAME"], subject, context, access,
|
||||
TOKEN_VALIDITY_LIFETIME_S, self._instance_keys)
|
||||
return {'Authorization': 'Bearer %s' % token}
|
||||
|
||||
|
||||
def _get(self, gun, metadata_file):
|
||||
return self._call('GET', '/v2/%s/_trust/tuf/%s' % (gun, metadata_file), headers=self._auth_header(gun, ['pull']))
|
||||
|
||||
def _delete(self, gun):
|
||||
return self._call('DELETE', '/v2/%s/_trust/tuf/' % (gun), headers=self._auth_header(gun, ['*']))
|
||||
|
||||
|
||||
def _request(self, method, endpoint, path, body, headers, params, timeout):
|
||||
""" Issues an HTTP request to the signing endpoint. """
|
||||
url = urljoin(endpoint, path)
|
||||
logger.debug('%sing signing URL %s', method.upper(), url)
|
||||
|
||||
headers.update(DEFAULT_HTTP_HEADERS)
|
||||
headers.update(DEFAULT_HTTP_HEADERS)
|
||||
resp = self._client.request(method, url, json=body, params=params, timeout=timeout,
|
||||
verify=MITM_CERT_PATH, headers=headers)
|
||||
if resp.status_code // 100 != 2:
|
||||
|
|
@ -150,9 +207,6 @@ class TUFMetadataAPI(object):
|
|||
def _call(self, method, path, params=None, body=None, headers=None):
|
||||
""" Issues an HTTP request to signing service and handles failover for GET requests.
|
||||
"""
|
||||
if self._config is None:
|
||||
raise Exception('Cannot call unconfigured signing service')
|
||||
|
||||
timeout = self._config.get('TUF_API_TIMEOUT_SECONDS', 1)
|
||||
endpoint = self._config['TUF_SERVER']
|
||||
|
||||
|
|
|
|||
Reference in a new issue