Add API endpoint for retrieving security status by *manifest*, rather than Docker V1 image ID

2017-02-02 17:51:18 -05:00 · 2017-02-02 17:51:18 -05:00 · cf539487a1
commit cf539487a1
parent 0150abc488
4 changed files with 107 additions and 33 deletions
--- a/test/test_api_security.py
+++ b/test/test_api_security.py
@ -56,7 +56,7 @@ from endpoints.api.superuser import (SuperUserLogs, SuperUserList, SuperUserMana
                                     SuperUserCustomCertificate, SuperUserRepositoryBuildLogs,
                                     SuperUserRepositoryBuildResource, SuperUserRepositoryBuildStatus)
 from endpoints.api.globalmessages import GlobalUserMessage, GlobalUserMessages
-from endpoints.api.secscan import RepositoryImageSecurity
+from endpoints.api.secscan import RepositoryImageSecurity, RepositoryManifestSecurity
 from endpoints.api.manifest import RepositoryManifestLabels, ManageRepositoryManifestLabel


@ -4522,6 +4522,23 @@ class TestRepositoryImageSecurity(ApiTestCase):
    self._run_test('GET', 404, 'devtable', None)


+class TestRepositoryManifestSecurity(ApiTestCase):
+  def setUp(self):
+    ApiTestCase.setUp(self)
+    self._set_url(RepositoryManifestSecurity, repository='devtable/simple', manifestref='sha256:abcd')
+
+  def test_get_anonymous(self):
+    self._run_test('GET', 401, None, None)
+
+  def test_get_freshuser(self):
+    self._run_test('GET', 403, 'freshuser', None)
+
+  def test_get_reader(self):
+    self._run_test('GET', 403, 'reader', None)
+
+  def test_get_devtable(self):
+    self._run_test('GET', 404, 'devtable', None)
+
 class TestRepositoryManifestLabels(ApiTestCase):
  def setUp(self):
    ApiTestCase.setUp(self)
--- a/test/test_api_usage.py
+++ b/test/test_api_usage.py
@ -70,7 +70,7 @@ from endpoints.api.superuser import (SuperUserLogs, SuperUserList, SuperUserMana
                                     SuperUserServiceKeyApproval, SuperUserTakeOwnership,
                                     SuperUserCustomCertificates, SuperUserCustomCertificate)
 from endpoints.api.globalmessages import (GlobalUserMessage, GlobalUserMessages,)
-from endpoints.api.secscan import RepositoryImageSecurity
+from endpoints.api.secscan import RepositoryImageSecurity, RepositoryManifestSecurity
 from endpoints.api.suconfig import (SuperUserRegistryStatus, SuperUserConfig, SuperUserConfigFile,
                                    SuperUserCreateInitialSuperUser)
 from endpoints.api.manifest import RepositoryManifestLabels, ManageRepositoryManifestLabel
@ -4257,14 +4257,24 @@ class TestRepositoryImageSecurity(ApiTestCase):
  def test_get_vulnerabilities(self):
    self.login(ADMIN_ACCESS_USER)

+    tag = model.tag.get_active_tag(ADMIN_ACCESS_USER, 'simple', 'latest')
    layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, 'simple', 'latest')

+    tag_manifest = database.TagManifest.get(tag=tag)
+
    # Grab the security info for the tag. It should be queued.
-    response = self.getJsonResponse(RepositoryImageSecurity,
-                                    params=dict(repository=ADMIN_ACCESS_USER + '/simple',
-                                                imageid=layer.docker_image_id,
-                                                vulnerabilities='true'))
-    self.assertEquals('queued', response['status'])
+    manifest_response = self.getJsonResponse(RepositoryManifestSecurity,
+                                             params=dict(repository=ADMIN_ACCESS_USER + '/simple',
+                                                         manifestref=tag_manifest.digest,
+                                                         vulnerabilities='true'))
+
+    image_response = self.getJsonResponse(RepositoryImageSecurity,
+                                          params=dict(repository=ADMIN_ACCESS_USER + '/simple',
+                                                      imageid=layer.docker_image_id,
+                                                      vulnerabilities='true'))
+
+    self.assertEquals(manifest_response, image_response)
+    self.assertEquals('queued', image_response['status'])

    # Mark the layer as indexed.
    layer.security_indexed = True
@ -4275,12 +4285,19 @@ class TestRepositoryImageSecurity(ApiTestCase):
    with fake_security_scanner() as security_scanner:
      security_scanner.add_layer(security_scanner.layer_id(layer))

-      response = self.getJsonResponse(RepositoryImageSecurity,
-                                      params=dict(repository=ADMIN_ACCESS_USER + '/simple',
-                                                  imageid=layer.docker_image_id,
-                                                  vulnerabilities='true'))
-      self.assertEquals('scanned', response['status'])
-      self.assertEquals(1, response['data']['Layer']['IndexedByVersion'])
+      manifest_response = self.getJsonResponse(RepositoryManifestSecurity,
+                                               params=dict(repository=ADMIN_ACCESS_USER + '/simple',
+                                                           manifestref=tag_manifest.digest,
+                                                           vulnerabilities='true'))
+
+      image_response = self.getJsonResponse(RepositoryImageSecurity,
+                                            params=dict(repository=ADMIN_ACCESS_USER + '/simple',
+                                                        imageid=layer.docker_image_id,
+                                                        vulnerabilities='true'))
+
+      self.assertEquals(manifest_response, image_response)
+      self.assertEquals('scanned', image_response['status'])
+      self.assertEquals(1, image_response['data']['Layer']['IndexedByVersion'])


 class TestSuperUserCustomCertificates(ApiTestCase):