vbatts/quay
Archived
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Add a SecEndpoint class and move all the cert and config handling in there

Browse source
This commit is contained in:
Joseph Schorr 2015-10-26 15:13:58 -04:00 committed by Jimmy Zelinskie
parent 87c56d1caa
commit fb3d0fa27d
3 changed files with 58 additions and 15 deletions
Download patch file Download diff file Expand all files Collapse all files

22
endpoints/api/sec.py
View file

@ -2,11 +2,10 @@
import logging import logging
import features import features
import requests
import json import json
import requests
from urlparse import urljoin from app import sec_endpoint
from app import app
from data import model from data import model
from endpoints.api import (require_repo_read, NotFound, DownstreamIssue, path_param, from endpoints.api import (require_repo_read, NotFound, DownstreamIssue, path_param,
RepositoryParamResource, resource, nickname, show_if, parse_args, RepositoryParamResource, resource, nickname, show_if, parse_args,
@ -15,17 +14,11 @@ from endpoints.api import (require_repo_read, NotFound, DownstreamIssue, path_pa
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
def _call_security_api(relative_url, *args, **kwargs): def _call_security_api(relative_url, *args, **kwargs):
""" Issues an HTTP call to the sec API at the given relative URL. """ """ Issues an HTTP call to the sec API at the given relative URL. """
url = urljoin(app.config['SECURITY_SCANNER']['ENDPOINT'], relative_url % args)
client = app.config['HTTPCLIENT']
timeout = app.config['SECURITY_SCANNER'].get('API_CALL_TIMEOUT', 1)
logger.debug('Looking up sec information: %s', url)
try: try:
response = client.get(url, params=kwargs, timeout=timeout) response = sec_endpoint.call_api(relative_url, *args, **kwargs)
except requests.exceptions.Timeout: except requests.exceptions.Timeout:
raise DownstreamIssue(payload=dict(message='API call timed out')) raise DownstreamIssue(payload=dict(message='API call timed out'))
except requests.exceptions.ConnectionError: except requests.exceptions.ConnectionError:
@ -40,8 +33,7 @@ def _call_security_api(relative_url, *args, **kwargs):
raise DownstreamIssue(payload=dict(message='Non-json response from downstream service')) raise DownstreamIssue(payload=dict(message='Non-json response from downstream service'))
if response.status_code / 100 != 2: if response.status_code / 100 != 2:
logger.warning('Got %s status code to call %s: %s', response.status_code, url, logger.warning('Got %s status code to call: %s', response.status_code, response.text)
response.text)
raise DownstreamIssue(payload=dict(message=response_data['Message'])) raise DownstreamIssue(payload=dict(message=response_data['Message']))
return response_data return response_data
@ -73,7 +65,7 @@ class RepositoryTagVulnerabilities(RepositoryParamResource):
'security_indexed': False 'security_indexed': False
} }
data = _call_security_api('/layers/%s/vulnerabilities', tag_image.docker_image_id, data = _call_security_api('layers/%s/vulnerabilities', tag_image.docker_image_id,
minimumPriority=args.minimumPriority) minimumPriority=args.minimumPriority)
return { return {
@ -102,7 +94,7 @@ class RepositoryImagePackages(RepositoryParamResource):
'security_indexed': False 'security_indexed': False
} }
data = _call_security_api('/layers/%s/packages', repo_image.docker_image_id) data = _call_security_api('layers/%s/packages/diff', repo_image.docker_image_id)
return { return {
'security_indexed': True, 'security_indexed': True,

0
util/sec/__init__.py Normal file
View file

51
util/sec/secendpoint.py Normal file
View file

@ -0,0 +1,51 @@
import features
import logging
import requests
import json
from urlparse import urljoin
logger = logging.getLogger(__name__)
class SecEndpoint(object):
""" Helper class for talking to the Sec API. """
def __init__(self, app, config_provider):
self.app = app
self.config_provider = config_provider
if not features.SECURITY_SCANNER:
return
self.security_config = app.config['SECURITY_SCANNER']
self.certificate = self._getfilepath('CA_CERTIFICATE_FILENAME') or False
self.public_key = self._getfilepath('PUBLIC_KEY_FILENAME')
self.private_key = self._getfilepath('PRIVATE_KEY_FILENAME')
if self.public_key and self.private_key:
self.keys = (self.public_key, self.private_key)
else:
self.keys = None
def _getfilepath(self, config_key):
security_config = self.security_config
if config_key in security_config:
with self.config_provider.get_volume_file(security_config[config_key]) as f:
return f.name
return None
def call_api(self, relative_url, *args, **kwargs):
""" Issues an HTTP call to the sec API at the given relative URL. """
security_config = self.security_config
api_url = urljoin(security_config['ENDPOINT'], '/' + security_config['API_VERSION']) + '/'
url = urljoin(api_url, relative_url % args)
client = self.app.config['HTTPCLIENT']
timeout = security_config.get('API_CALL_TIMEOUT', 1)
logger.debug('Looking up sec information: %s', url)
return client.get(url, params=kwargs, timeout=timeout, cert=self.keys,
verify=self.certificate)