Implement against new Clair paginated notification system

2016-02-25 15:58:42 -05:00 · 2016-02-25 15:58:42 -05:00 · f498e92d58
commit f498e92d58
parent b34314a584
10 changed files with 447 additions and 101 deletions
--- a/util/secscan/api.py
+++ b/util/secscan/api.py
@ -19,8 +19,8 @@ class APIRequestFailure(Exception):

 _API_METHOD_INSERT = 'layers'
 _API_METHOD_GET_LAYER = 'layers/%s'
-_API_METHOD_GET_WITH_VULNERABILITIES_FLAG = '?vulnerabilities'
-_API_METHOD_GET_WITH_FEATURES_FLAG = '?features'
+_API_METHOD_MARK_NOTIFICATION_READ = 'notifications/%s'
+_API_METHOD_GET_NOTIFICATION = 'notifications/%s'


 class SecurityScannerAPI(object):
@ -113,7 +113,7 @@ class SecurityScannerAPI(object):

    logger.info('Analyzing layer %s', request['Layer']['Name'])
    try:
-      response = self._call(_API_METHOD_INSERT, request)
+      response = self._call('POST', _API_METHOD_INSERT, request)
      json_response = response.json()
    except requests.exceptions.Timeout:
      logger.exception('Timeout when trying to post layer data response for %s', layer.id)
@ -146,35 +146,94 @@ class SecurityScannerAPI(object):
    return api_version, False


+  def check_layer_vulnerable(self, layer_id, cve_name):
+    """ Checks to see if the layer with the given ID is vulnerable to the specified CVE. """
+    layer_data = self._get_layer_data(layer_id, include_vulnerabilities=True)
+    if layer_data is None or 'Layer' not in layer_data or 'Features' not in layer_data['Layer']:
+      return False
+
+    for feature in layer_data['Layer']['Features']:
+      for vuln in feature.get('Vulnerabilities', []):
+        if vuln['Name'] == cve_name:
+          return True
+
+    return False
+
+
+  def get_notification(self, notification_name, layer_limit=10, page=None):
+    """ Gets the data for a specific notification, with optional page token.
+        Returns a tuple of the data (None on failure) and whether to retry.
+    """
+    try:
+      params = {
+        'limit': layer_limit
+      }
+
+      if page is not None:
+        params['page'] = page
+
+      response = self._call('GET', _API_METHOD_GET_NOTIFICATION % notification_name, params=params)
+      json_response = response.json()
+    except requests.exceptions.Timeout:
+      logger.exception('Timeout when trying to get notification for %s', notification_name)
+      return None, True
+    except requests.exceptions.ConnectionError:
+      logger.exception('Connection error when trying to get notification for %s', notification_name)
+      return None, True
+    except (requests.exceptions.RequestException, ValueError):
+      logger.exception('Failed to get notification for %s', notification_name)
+      return None, False
+
+    if response.status_code != 200:
+      return None, response.status_code != 404 and response.status_code != 400
+
+    return json_response, False
+
+
+  def mark_notification_read(self, notification_name):
+    """ Marks a security scanner notification as read. """
+    try:
+      response = self._call('DELETE', _API_METHOD_MARK_NOTIFICATION_READ % notification_name)
+      return response.status_code == 200
+    except requests.exceptions.RequestException:
+      logger.exception('Failed to mark notification as read: %s', notification_name)
+      return False
+
+
  def get_layer_data(self, layer, include_features=False, include_vulnerabilities=False):
    """ Returns the layer data for the specified layer. On error, returns None. """
    layer_id = '%s.%s' % (layer.docker_image_id, layer.storage.uuid)
+    return self._get_layer_data(layer_id, include_features, include_vulnerabilities)
+
+
+  def _get_layer_data(self, layer_id, include_features=False, include_vulnerabilities=False):
    try:
-      flag = ''
+      params = {}
      if include_features:
-        flag = _API_METHOD_GET_WITH_FEATURES_FLAG
+        params = {'features': True}

      if include_vulnerabilities:
-        flag = _API_METHOD_GET_WITH_VULNERABILITIES_FLAG
+        params = {'vulnerabilities': True}

-      response = self._call(_API_METHOD_GET_LAYER + flag, None, layer_id)
+      response = self._call('GET', _API_METHOD_GET_LAYER % layer_id, params=params)
      logger.debug('Got response %s for vulnerabilities for layer %s',
                   response.status_code, layer_id)
+      json_response = response.json()
    except requests.exceptions.Timeout:
      raise APIRequestFailure('API call timed out')
    except requests.exceptions.ConnectionError:
      raise APIRequestFailure('Could not connect to security service')
    except (requests.exceptions.RequestException, ValueError):
-      logger.exception('Failed to get layer data response for %s', layer.id)
+      logger.exception('Failed to get layer data response for %s', layer_id)
      raise APIRequestFailure()

    if response.status_code == 404:
      return None

-    return response.json()
+    return json_response


-  def _call(self, relative_url, body=None, *args, **kwargs):
+  def _call(self, method, relative_url, params=None, body=None):
    """ Issues an HTTP call to the sec API at the given relative URL.
        This function disconnects from the database while awaiting a response
        from the API server.
@ -184,18 +243,21 @@ class SecurityScannerAPI(object):
      raise Exception('Cannot call unconfigured security system')

    api_url = urljoin(security_config['ENDPOINT'], '/' + security_config['API_VERSION']) + '/'
-    url = urljoin(api_url, relative_url % args)
+    url = urljoin(api_url, relative_url)

    client = self.config['HTTPCLIENT']
    timeout = security_config.get('API_TIMEOUT_SECONDS', 1)
-    logger.debug('Looking up sec information: %s', url)

    with CloseForLongOperation(self.config):
-      if body is not None:
+      if method == 'POST':
        logger.debug('POSTing security URL %s', url)
-        return client.post(url, json=body, params=kwargs, timeout=timeout, cert=self._keys,
+        return client.post(url, json=body, params=params, timeout=timeout, cert=self._keys,
                           verify=self._certificate)
+      elif method == 'DELETE':
+        logger.debug('DELETEing security URL %s', url)
+        return client.delete(url, params=params, timeout=timeout, cert=self._keys,
+                             verify=self._certificate)
      else:
        logger.debug('GETing security URL %s', url)
-        return client.get(url, params=kwargs, timeout=timeout, cert=self._keys,
+        return client.get(url, params=params, timeout=timeout, cert=self._keys,
                          verify=self._certificate)