Add API endpoint for retrieving security status by *manifest*, rather than Docker V1 image ID
This commit is contained in:
Joseph Schorr
parent
0150abc488
commit
cf539487a1
4 changed files with 107 additions and 33 deletions
|
|
@ -9,6 +9,7 @@ from endpoints.api import (require_repo_read, path_param,
|
|||
RepositoryParamResource, resource, nickname, show_if, parse_args,
|
||||
query_param, truthy_bool)
|
||||
from endpoints.exception import NotFound, DownstreamIssue
|
||||
from endpoints.api.manifest import MANIFEST_DIGEST_ROUTE
|
||||
from util.secscan.api import APIRequestFailure
|
||||
|
||||
|
||||
|
|
@ -23,11 +24,39 @@ class SCAN_STATUS(object):
|
|||
|
||||
|
||||
def _get_status(repo_image):
|
||||
""" Returns the SCAN_STATUS value for the given image. """
|
||||
if repo_image.security_indexed_engine is not None and repo_image.security_indexed_engine >= 0:
|
||||
return SCAN_STATUS.SCANNED if repo_image.security_indexed else SCAN_STATUS.FAILED
|
||||
|
||||
return SCAN_STATUS.QUEUED
|
||||
|
||||
def _security_status_for_image(namespace, repository, repo_image, include_vulnerabilities=True):
|
||||
""" Returns a dict representing the result of a call to the security status API for the given
|
||||
image.
|
||||
"""
|
||||
if not repo_image.security_indexed:
|
||||
logger.debug('Image %s under repository %s/%s not security indexed',
|
||||
repo_image.docker_image_id, namespace, repository)
|
||||
return {
|
||||
'status': _get_status(repo_image),
|
||||
}
|
||||
|
||||
try:
|
||||
if include_vulnerabilities:
|
||||
data = secscan_api.get_layer_data(repo_image, include_vulnerabilities=True)
|
||||
else:
|
||||
data = secscan_api.get_layer_data(repo_image, include_features=True)
|
||||
except APIRequestFailure as arf:
|
||||
raise DownstreamIssue({'message': arf.message})
|
||||
|
||||
if data is None:
|
||||
raise NotFound()
|
||||
|
||||
return {
|
||||
'status': _get_status(repo_image),
|
||||
'data': data,
|
||||
}
|
||||
|
||||
|
||||
@show_if(features.SECURITY_SCANNER)
|
||||
@resource('/v1/repository/<apirepopath:repository>/image/<imageid>/security')
|
||||
|
|
@ -47,25 +76,28 @@ class RepositoryImageSecurity(RepositoryParamResource):
|
|||
if repo_image is None:
|
||||
raise NotFound()
|
||||
|
||||
if not repo_image.security_indexed:
|
||||
logger.debug('Image %s under repository %s/%s not security indexed',
|
||||
repo_image.docker_image_id, namespace, repository)
|
||||
return {
|
||||
'status': _get_status(repo_image),
|
||||
}
|
||||
return _security_status_for_image(namespace, repository, repo_image,
|
||||
parsed_args.vulnerabilities)
|
||||
|
||||
@show_if(features.SECURITY_SCANNER)
|
||||
@resource(MANIFEST_DIGEST_ROUTE + '/security')
|
||||
@path_param('repository', 'The full path of the repository. e.g. namespace/name')
|
||||
@path_param('manifestref', 'The digest of the manifest')
|
||||
class RepositoryManifestSecurity(RepositoryParamResource):
|
||||
""" Operations for managing the vulnerabilities in a repository manifest. """
|
||||
|
||||
@require_repo_read
|
||||
@nickname('getRepoManifestSecurity')
|
||||
@parse_args()
|
||||
@query_param('vulnerabilities', 'Include vulnerabilities informations', type=truthy_bool,
|
||||
default=False)
|
||||
def get(self, namespace, repository, manifestref, parsed_args):
|
||||
try:
|
||||
if parsed_args.vulnerabilities:
|
||||
data = secscan_api.get_layer_data(repo_image, include_vulnerabilities=True)
|
||||
else:
|
||||
data = secscan_api.get_layer_data(repo_image, include_features=True)
|
||||
except APIRequestFailure as arf:
|
||||
raise DownstreamIssue({'message': arf.message})
|
||||
|
||||
if data is None:
|
||||
tag_manifest = model.tag.load_manifest_by_digest(namespace, repository, manifestref)
|
||||
except model.DataModelException:
|
||||
raise NotFound()
|
||||
|
||||
return {
|
||||
'status': _get_status(repo_image),
|
||||
'data': data,
|
||||
}
|
||||
repo_image = tag_manifest.tag.image
|
||||
|
||||
return _security_status_for_image(namespace, repository, repo_image,
|
||||
parsed_args.vulnerabilities)
|
||||
|
|
|
|||
|
|
@ -10,8 +10,12 @@ wellknown = Blueprint('wellknown', __name__)
|
|||
@wellknown.route('/app-capabilities', methods=['GET'])
|
||||
def app_capabilities():
|
||||
view_image_tmpl = '%s/{namespace}/{reponame}:{tag}' % get_app_url()
|
||||
image_security_tmpl = ('%s/api/v1/repository/{namespace}/{reponame}/image/{imageid}/security' %
|
||||
get_app_url())
|
||||
|
||||
image_security = '%s/api/v1/repository/{namespace}/{reponame}/image/{imageid}/security'
|
||||
image_security_tmpl = image_security % get_app_url()
|
||||
|
||||
manifest_security = '%s/api/v1/repository/{namespace}/{reponame}/manifest/{digest}/security'
|
||||
manifest_security_tmpl = manifest_security % get_app_url()
|
||||
|
||||
metadata = {
|
||||
'appName': 'io.quay',
|
||||
|
|
@ -23,6 +27,10 @@ def app_capabilities():
|
|||
'io.quay.image-security': {
|
||||
'rest-api-template': image_security_tmpl,
|
||||
},
|
||||
|
||||
'io.quay.manifest-security': {
|
||||
'rest-api-template': manifest_security_tmpl,
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
|
|
|
|||
Reference in a new issue