create class for security config validation
This commit is contained in:
parent
744ad9e79b
commit
e86a342868
1 changed files with 52 additions and 20 deletions
|
@ -98,6 +98,54 @@ def get_priority_for_index(index):
|
||||||
|
|
||||||
return 'Unknown'
|
return 'Unknown'
|
||||||
|
|
||||||
|
class SecurityConfigValidator(object):
|
||||||
|
def __init__(self, app, config_provider):
|
||||||
|
self._config_provider = config_provider
|
||||||
|
|
||||||
|
if not features.SECURITY_SCANNER:
|
||||||
|
return
|
||||||
|
|
||||||
|
self._security_config = app.config['SECURITY_SCANNER']
|
||||||
|
if self._security_config is None:
|
||||||
|
return
|
||||||
|
|
||||||
|
self._certificate = self._get_filepath('CA_CERTIFICATE_FILENAME') or False
|
||||||
|
self._public_key = self._get_filepath('PUBLIC_KEY_FILENAME')
|
||||||
|
self._private_key = self._get_filepath('PRIVATE_KEY_FILENAME')
|
||||||
|
|
||||||
|
if self._public_key and self._private_key:
|
||||||
|
self._keys = (self._public_key, self._private_key)
|
||||||
|
else:
|
||||||
|
self._keys = None
|
||||||
|
|
||||||
|
def _get_filepath(self, key):
|
||||||
|
config = self._security_config
|
||||||
|
|
||||||
|
if key in config:
|
||||||
|
with self._config_provider.get_volume_file(config[key]) as f:
|
||||||
|
return f.name
|
||||||
|
|
||||||
|
return None
|
||||||
|
|
||||||
|
def cert(self):
|
||||||
|
return self._certificate
|
||||||
|
|
||||||
|
def keypair(self):
|
||||||
|
return self._keys
|
||||||
|
|
||||||
|
def valid(self):
|
||||||
|
config = self._security_config
|
||||||
|
|
||||||
|
if (not features.SECURITY_SCANNER
|
||||||
|
or not config
|
||||||
|
or not 'ENDPOINT' in config
|
||||||
|
or not 'ENGINE_VERSION_TARGET' in config
|
||||||
|
or not 'DISTRIBUTED_STORAGE_PREFERENCE' in config
|
||||||
|
or (self._certificate is False and self._keys is None)):
|
||||||
|
return False
|
||||||
|
|
||||||
|
return True
|
||||||
|
|
||||||
|
|
||||||
class SecurityScannerAPI(object):
|
class SecurityScannerAPI(object):
|
||||||
""" Helper class for talking to the Security Scan service (Clair). """
|
""" Helper class for talking to the Security Scan service (Clair). """
|
||||||
|
@ -105,28 +153,12 @@ class SecurityScannerAPI(object):
|
||||||
self.app = app
|
self.app = app
|
||||||
self.config_provider = config_provider
|
self.config_provider = config_provider
|
||||||
|
|
||||||
if not features.SECURITY_SCANNER:
|
config_validator = SecurityConfigValidator(app, config_provider)
|
||||||
|
if not config_validator.valid():
|
||||||
return
|
return
|
||||||
|
|
||||||
self.security_config = app.config['SECURITY_SCANNER']
|
self.certificate = config_validator.cert()
|
||||||
|
self.keys = config_validator.keypair()
|
||||||
self.certificate = self._getfilepath('CA_CERTIFICATE_FILENAME') or False
|
|
||||||
self.public_key = self._getfilepath('PUBLIC_KEY_FILENAME')
|
|
||||||
self.private_key = self._getfilepath('PRIVATE_KEY_FILENAME')
|
|
||||||
|
|
||||||
if self.public_key and self.private_key:
|
|
||||||
self.keys = (self.public_key, self.private_key)
|
|
||||||
else:
|
|
||||||
self.keys = None
|
|
||||||
|
|
||||||
def _getfilepath(self, config_key):
|
|
||||||
security_config = self.security_config
|
|
||||||
|
|
||||||
if config_key in security_config:
|
|
||||||
with self.config_provider.get_volume_file(security_config[config_key]) as f:
|
|
||||||
return f.name
|
|
||||||
|
|
||||||
return None
|
|
||||||
|
|
||||||
def check_layer_vulnerable(self, layer_id, cve_id):
|
def check_layer_vulnerable(self, layer_id, cve_id):
|
||||||
""" Checks with Clair whether the given layer is vulnerable to the given CVE. """
|
""" Checks with Clair whether the given layer is vulnerable to the given CVE. """
|
||||||
|
|
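Review bot: `valid()` reads `self._security_config` on its first line, but `__init__` returns before assigning it when `features.SECURITY_SCANNER` is off, so the new `config_validator.valid()` call in `SecurityScannerAPI.__init__` raises AttributeError in exactly the case the old code handled with a plain `return`; the same early exits leave `cert()`/`keypair()` undefined when `app.config['SECURITY_SCANNER']` is None. Initialising the fields before the early returns closes both gaps: `self._security_config = None`, `self._certificate = False`, `self._keys = None` as the first lines of `__init__`. Separately, `self._certificate = self._get_filepath('CA_CERTIFICATE_FILENAME') or False` turns a missing CA file into `False`, which is the `requests` sentinel for disabling certificate verification, and `valid()` still accepts that configuration whenever a keypair is present — if `cert()` ends up as a `verify=` argument (the call site is not in this diff), a scanner endpoint configured without `CA_CERTIFICATE_FILENAME` is contacted with TLS verification off, which should be either a hard validation failure or at least a logged, commented decision rather than silent acceptance. `_get_filepath` also returns `f.name` only after the `with` block has closed the file; if `get_volume_file` yields a temporary, the path may no longer exist when it is used — worth confirming against the provider. The `def __init__` of `SecurityScannerAPI` lies above the second hunk.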