create class for security config validation
This commit is contained in:
parent
744ad9e79b
commit
e86a342868
1 changed files with 52 additions and 20 deletions
|
@ -98,6 +98,54 @@ def get_priority_for_index(index):
|
|||
|
||||
return 'Unknown'
|
||||
|
||||
class SecurityConfigValidator(object):
|
||||
def __init__(self, app, config_provider):
|
||||
self._config_provider = config_provider
|
||||
|
||||
if not features.SECURITY_SCANNER:
|
||||
return
|
||||
|
||||
self._security_config = app.config['SECURITY_SCANNER']
|
||||
if self._security_config is None:
|
||||
return
|
||||
|
||||
self._certificate = self._get_filepath('CA_CERTIFICATE_FILENAME') or False
|
||||
self._public_key = self._get_filepath('PUBLIC_KEY_FILENAME')
|
||||
self._private_key = self._get_filepath('PRIVATE_KEY_FILENAME')
|
||||
|
||||
if self._public_key and self._private_key:
|
||||
self._keys = (self._public_key, self._private_key)
|
||||
else:
|
||||
self._keys = None
|
||||
|
||||
def _get_filepath(self, key):
|
||||
config = self._security_config
|
||||
|
||||
if key in config:
|
||||
with self._config_provider.get_volume_file(config[key]) as f:
|
||||
return f.name
|
||||
|
||||
return None
|
||||
|
||||
def cert(self):
|
||||
return self._certificate
|
||||
|
||||
def keypair(self):
|
||||
return self._keys
|
||||
|
||||
def valid(self):
|
||||
config = self._security_config
|
||||
|
||||
if (not features.SECURITY_SCANNER
|
||||
or not config
|
||||
or not 'ENDPOINT' in config
|
||||
or not 'ENGINE_VERSION_TARGET' in config
|
||||
or not 'DISTRIBUTED_STORAGE_PREFERENCE' in config
|
||||
or (self._certificate is False and self._keys is None)):
|
||||
return False
|
||||
|
||||
return True
|
||||
|
||||
|
||||
class SecurityScannerAPI(object):
|
||||
""" Helper class for talking to the Security Scan service (Clair). """
|
||||
|
@ -105,28 +153,12 @@ class SecurityScannerAPI(object):
|
|||
self.app = app
|
||||
self.config_provider = config_provider
|
||||
|
||||
if not features.SECURITY_SCANNER:
|
||||
config_validator = SecurityConfigValidator(app, config_provider)
|
||||
if not config_validator.valid():
|
||||
return
|
||||
|
||||
self.security_config = app.config['SECURITY_SCANNER']
|
||||
|
||||
self.certificate = self._getfilepath('CA_CERTIFICATE_FILENAME') or False
|
||||
self.public_key = self._getfilepath('PUBLIC_KEY_FILENAME')
|
||||
self.private_key = self._getfilepath('PRIVATE_KEY_FILENAME')
|
||||
|
||||
if self.public_key and self.private_key:
|
||||
self.keys = (self.public_key, self.private_key)
|
||||
else:
|
||||
self.keys = None
|
||||
|
||||
def _getfilepath(self, config_key):
|
||||
security_config = self.security_config
|
||||
|
||||
if config_key in security_config:
|
||||
with self.config_provider.get_volume_file(security_config[config_key]) as f:
|
||||
return f.name
|
||||
|
||||
return None
|
||||
self.certificate = config_validator.cert()
|
||||
self.keys = config_validator.keypair()
|
||||
|
||||
def check_layer_vulnerable(self, layer_id, cve_id):
|
||||
""" Checks with Clair whether the given layer is vulnerable to the given CVE. """
|
||||
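Review bot: `valid()` reads `self._security_config` on its first line, but `__init__` returns before assigning it when `features.SECURITY_SCANNER` is off, so the validator raises AttributeError instead of returning False in exactly the case the second hunk now relies on (`SecurityScannerAPI.__init__` appears to call `SecurityConfigValidator(...).valid()` with the old feature guard removed, as far as the lost markers let me tell). The same early return for a `None` config leaves `_certificate` and `_keys` unset, so `cert()` and `keypair()` also raise if a caller skips `valid()`. Initialising the three attributes before either early return fixes both: `self._security_config = None`, `self._certificate = False`, `self._keys = None` at the top of `__init__`. Separately, `_get_filepath` returns `f.name` after the `with` block has already closed the volume file, which is only safe if `get_volume_file` leaves the file on disk — worth a comment confirming that, since the returned paths are what the scanner later trusts as the CA certificate and client key pair. `SecurityScannerAPI.__init__` starts outside the second hunk.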
|