2020-06-29 18:59:01 +02:00
|
|
|
// Copyright Project Harbor Authors
|
|
|
|
|
//
|
|
|
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
|
// you may not use this file except in compliance with the License.
|
|
|
|
|
// You may obtain a copy of the License at
|
|
|
|
|
//
|
|
|
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
//
|
|
|
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
|
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
|
// See the License for the specific language governing permissions and
|
|
|
|
|
// limitations under the License.
|
|
|
|
|
|
|
|
|
|
package preheat
|
|
|
|
|
|
|
|
|
|
import (
|
2020-07-01 18:12:43 +02:00
|
|
|
"context"
|
|
|
|
|
"fmt"
|
|
|
|
|
"strings"
|
|
|
|
|
|
|
|
|
|
tk "github.com/docker/distribution/registry/auth/token"
|
|
|
|
|
"github.com/goharbor/harbor/src/common/models"
|
|
|
|
|
"github.com/goharbor/harbor/src/controller/artifact"
|
|
|
|
|
"github.com/goharbor/harbor/src/controller/project"
|
|
|
|
|
"github.com/goharbor/harbor/src/controller/scan"
|
|
|
|
|
"github.com/goharbor/harbor/src/controller/tag"
|
|
|
|
|
"github.com/goharbor/harbor/src/core/config"
|
|
|
|
|
"github.com/goharbor/harbor/src/core/service/token"
|
|
|
|
|
"github.com/goharbor/harbor/src/jobservice/job"
|
|
|
|
|
"github.com/goharbor/harbor/src/jobservice/logger"
|
|
|
|
|
"github.com/goharbor/harbor/src/lib/errors"
|
|
|
|
|
"github.com/goharbor/harbor/src/lib/q"
|
|
|
|
|
"github.com/goharbor/harbor/src/lib/selector"
|
|
|
|
|
"github.com/goharbor/harbor/src/pkg/p2p/preheat"
|
|
|
|
|
pol "github.com/goharbor/harbor/src/pkg/p2p/preheat/models/policy"
|
|
|
|
|
"github.com/goharbor/harbor/src/pkg/p2p/preheat/models/provider"
|
|
|
|
|
"github.com/goharbor/harbor/src/pkg/p2p/preheat/policy"
|
|
|
|
|
pr "github.com/goharbor/harbor/src/pkg/p2p/preheat/provider"
|
|
|
|
|
"github.com/goharbor/harbor/src/pkg/scan/report"
|
|
|
|
|
v1 "github.com/goharbor/harbor/src/pkg/scan/rest/v1"
|
|
|
|
|
"github.com/goharbor/harbor/src/pkg/scan/vuln"
|
|
|
|
|
"github.com/goharbor/harbor/src/pkg/task"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
const (
|
|
|
|
|
defaultSeverityCode = 99
|
|
|
|
|
extraAttrTotal = "totalCount"
|
|
|
|
|
extraAttrTrigger = "trigger"
|
|
|
|
|
extraAttrTriggerSetting = "triggerSetting"
|
|
|
|
|
extraAttrArtifact = "artifact"
|
|
|
|
|
extraAttrDigest = "digest"
|
|
|
|
|
extraAttrKind = "kind"
|
|
|
|
|
resourceActionType = "repository"
|
|
|
|
|
resourcePullAction = "pull"
|
|
|
|
|
manifestAPIPattern = "%s/v2/%s/manifests/%s"
|
|
|
|
|
accessCredHeaderKey = "Authorization"
|
2020-06-29 18:59:01 +02:00
|
|
|
)
|
|
|
|
|
|
2020-07-01 18:12:43 +02:00
|
|
|
// Enforcer defines preheat policy enforcement operations.
|
2020-06-29 18:59:01 +02:00
|
|
|
type Enforcer interface {
|
2020-07-01 18:12:43 +02:00
|
|
|
// Enforce preheating action by the given policy.
|
|
|
|
|
// For manual and scheduled preheating scenarios.
|
2020-06-29 18:59:01 +02:00
|
|
|
//
|
|
|
|
|
// Arguments:
|
2020-07-01 18:12:43 +02:00
|
|
|
// ctx context.Context : system context
|
|
|
|
|
// policyID int64 : ID of the being enforced policy
|
2020-06-29 18:59:01 +02:00
|
|
|
//
|
|
|
|
|
// Returns:
|
|
|
|
|
// - ID of the execution
|
|
|
|
|
// - non-nil error if any error occurred during the enforcement
|
2020-07-01 18:12:43 +02:00
|
|
|
EnforcePolicy(ctx context.Context, policyID int64) (int64, error)
|
|
|
|
|
|
|
|
|
|
// Enforce preheating action by the given artifact.
|
|
|
|
|
// For event-based cases.
|
|
|
|
|
// Using the given artifact to located the matched preheat policy and bound this action
|
|
|
|
|
// with the located preheat policy.
|
|
|
|
|
//
|
|
|
|
|
// Arguments:
|
|
|
|
|
// ctx context.Context : system context
|
|
|
|
|
// art *artifact.Artifact: Artifact contained in the occurred events.
|
|
|
|
|
//
|
|
|
|
|
// Returns:
|
|
|
|
|
// - IDs of the executions
|
|
|
|
|
// - non-nil error if any error occurred during the enforcement
|
|
|
|
|
//
|
|
|
|
|
// Notes:
|
|
|
|
|
// The current design is artifact central mode (identified by digest). All the tags of
|
|
|
|
|
// the artifact are kept together. However, the preheating action is based on the specified
|
|
|
|
|
// tag and we need to split the all-tags-in-one artifact to one-tag artifacts here.
|
|
|
|
|
PreheatArtifact(ctx context.Context, art *artifact.Artifact) ([]int64, error)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// extURLGetter is a func template to get the external access endpoint
|
|
|
|
|
// The purpose of defining such a func template is decoupling code
|
|
|
|
|
type extURLGetter func(c *selector.Candidate) (string, error)
|
|
|
|
|
|
|
|
|
|
// accessCredMaker is a func template to generate the required credential header value
|
|
|
|
|
// The purpose of defining such a func template is decoupling code
|
|
|
|
|
type accessCredMaker func(c *selector.Candidate) (string, error)
|
|
|
|
|
|
|
|
|
|
// defaultEnforcer is default implementation of Enforcer.
|
|
|
|
|
type defaultEnforcer struct {
|
|
|
|
|
// for policy management
|
|
|
|
|
policyMgr policy.Manager
|
|
|
|
|
// for talking to job service to launch tasks
|
|
|
|
|
executionMgr task.ExecutionManager
|
|
|
|
|
taskMgr task.Manager
|
|
|
|
|
// for retrieving the artifact candidates (including tags and labels)
|
|
|
|
|
artCtl artifact.Controller
|
|
|
|
|
// for getting vulnerability severity of the specified artifact
|
|
|
|
|
scanCtl scan.Controller
|
|
|
|
|
// for getting project related info
|
|
|
|
|
proCtl project.Controller
|
|
|
|
|
// TODO: Need preheat provider manager
|
|
|
|
|
//
|
|
|
|
|
// for getting the access endpoint of registry V2
|
|
|
|
|
fullURLGetter extURLGetter
|
|
|
|
|
// for creating the access credential
|
|
|
|
|
credMaker accessCredMaker
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// NewEnforcer creat a new enforcer
|
|
|
|
|
func NewEnforcer() Enforcer {
|
|
|
|
|
return &defaultEnforcer{
|
|
|
|
|
policyMgr: policy.New(),
|
|
|
|
|
executionMgr: task.NewExecutionManager(),
|
|
|
|
|
taskMgr: task.NewManager(),
|
|
|
|
|
artCtl: artifact.NewController(),
|
|
|
|
|
scanCtl: scan.DefaultController,
|
|
|
|
|
proCtl: project.NewController(),
|
|
|
|
|
fullURLGetter: func(c *selector.Candidate) (s string, e error) {
|
|
|
|
|
edp, err := config.ExtEndpoint()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
r := fmt.Sprintf("%s/%s", c.Namespace, c.Repository)
|
|
|
|
|
return fmt.Sprintf(manifestAPIPattern, edp, r, c.Tags[0]), nil
|
|
|
|
|
},
|
|
|
|
|
credMaker: func(c *selector.Candidate) (s string, e error) {
|
|
|
|
|
r := fmt.Sprintf("%s/%s", c.Namespace, c.Repository)
|
|
|
|
|
|
|
|
|
|
ac := []*tk.ResourceActions{
|
|
|
|
|
{
|
|
|
|
|
Type: resourceActionType,
|
|
|
|
|
Name: r,
|
|
|
|
|
// Only pull action is enough
|
|
|
|
|
Actions: []string{resourcePullAction},
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
t, err := token.MakeToken("distributor", token.Registry, ac)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return fmt.Sprintf("Bearer %s", t.Token), nil
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// EnforcePolicy enforces preheating action by the given policy
|
|
|
|
|
func (de *defaultEnforcer) EnforcePolicy(ctx context.Context, policyID int64) (int64, error) {
|
|
|
|
|
// Get the the given policy data
|
|
|
|
|
pl, err := de.policyMgr.Get(ctx, policyID)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return -1, enforceError(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Check if policy is enabled
|
|
|
|
|
if !pl.Enabled {
|
|
|
|
|
return -1, enforceError(errors.Errorf("policy %d:%s is not enabled", pl.ID, pl.Name))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Retrieve the initial candidates
|
|
|
|
|
candidates, err := de.getCandidates(ctx, pl)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return -1, enforceError(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Do filters
|
|
|
|
|
filtered, err := policy.NewFilter().
|
|
|
|
|
BuildFrom(pl).
|
|
|
|
|
Filter(candidates)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return -1, enforceError(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Launch execution
|
|
|
|
|
eid, err := de.launchExecutions(ctx, filtered, pl)
|
|
|
|
|
if err != nil {
|
|
|
|
|
// NOTES: Please pay attention here, even the non-nil error returned, it does not mean
|
|
|
|
|
// the relevant execution is not available. The execution ID should also be checked(>0)
|
|
|
|
|
// at any time.
|
|
|
|
|
return eid, enforceError(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return eid, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// PreheatArtifact enforces preheating action by the given artifact.
|
|
|
|
|
func (de *defaultEnforcer) PreheatArtifact(ctx context.Context, art *artifact.Artifact) ([]int64, error) {
|
|
|
|
|
if art == nil {
|
|
|
|
|
return nil, errors.New("nil artifact")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Get project info
|
|
|
|
|
p, err := de.proCtl.Get(ctx, art.ProjectID, project.CVEAllowlist(true))
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, enforceErrorExt(err, art)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Convert to candidates
|
|
|
|
|
candidates, err := de.toCandidates(ctx, p, []*artifact.Artifact{art})
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, enforceErrorExt(err, art)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Find all the policies that match the given artifact
|
2020-07-03 05:59:32 +02:00
|
|
|
l, err := de.policyMgr.ListPoliciesByProject(ctx, art.ProjectID, nil)
|
2020-07-01 18:12:43 +02:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, enforceErrorExt(err, art)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
matched := 0
|
|
|
|
|
ids := make([]int64, 0)
|
|
|
|
|
for _, pl := range l {
|
|
|
|
|
// Skip disabled policies
|
|
|
|
|
if !pl.Enabled {
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Only look for the event-based policies
|
|
|
|
|
if pl.Trigger == nil ||
|
|
|
|
|
pl.Trigger.Type != pol.TriggerTypeEventBased {
|
|
|
|
|
// Skip
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
filtered, err := policy.NewFilter().BuildFrom(pl).Filter(candidates)
|
|
|
|
|
if err != nil {
|
|
|
|
|
// Log error and continue
|
|
|
|
|
logger.Errorf("Failed to do filter for policy %d:%s with error: %s", pl.ID, pl.Name, err.Error())
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
matched++
|
|
|
|
|
|
|
|
|
|
if len(filtered) > 0 {
|
|
|
|
|
// Matched
|
|
|
|
|
eid, err := de.launchExecutions(ctx, filtered, pl)
|
|
|
|
|
if err != nil {
|
|
|
|
|
// Log error and continue
|
|
|
|
|
logger.Errorf("Failed to launch execution for policy %d:%s with error: %s", pl.ID, pl.Name, err.Error())
|
|
|
|
|
} else {
|
|
|
|
|
// Success and then append the execution id to list
|
|
|
|
|
ids = append(ids, eid)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if matched != len(ids) {
|
|
|
|
|
// Some policy enforcement are failed
|
|
|
|
|
// Treat it as an error case
|
|
|
|
|
return ids, enforceErrorExt(errors.Errorf("%d policies matched but only %d successfully enforced", matched, len(ids)), art)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return ids, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// getCandidates get the initial candidates by evaluating the policy
|
|
|
|
|
func (de *defaultEnforcer) getCandidates(ctx context.Context, ps *pol.Schema) ([]*selector.Candidate, error) {
|
|
|
|
|
// Get project info
|
|
|
|
|
p, err := de.proCtl.Get(ctx, ps.ProjectID, project.CVEAllowlist(true))
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Get the initial candidates
|
|
|
|
|
// Here we have a hidden filter, the artifact type filter.
|
|
|
|
|
// Only get the image type at this moment.
|
|
|
|
|
arts, err := de.artCtl.List(ctx, &q.Query{
|
|
|
|
|
Keywords: map[string]interface{}{
|
|
|
|
|
"project_id": ps.ProjectID,
|
|
|
|
|
"type": pr.SupportedType,
|
|
|
|
|
},
|
|
|
|
|
}, &artifact.Option{
|
|
|
|
|
WithLabel: true,
|
|
|
|
|
WithTag: true,
|
|
|
|
|
TagOption: &tag.Option{
|
|
|
|
|
WithSignature: true,
|
|
|
|
|
},
|
|
|
|
|
})
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return de.toCandidates(ctx, p, arts)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// launchExecutions create execution record and launch tasks to preheat the filtered artifacts.
|
|
|
|
|
func (de *defaultEnforcer) launchExecutions(ctx context.Context, candidates []*selector.Candidate, pl *pol.Schema) (int64, error) {
|
|
|
|
|
// Create execution first anyway
|
|
|
|
|
attrs := map[string]interface{}{
|
|
|
|
|
extraAttrTotal: len(candidates),
|
|
|
|
|
extraAttrTrigger: pl.Trigger.Type,
|
|
|
|
|
extraAttrTriggerSetting: pl.Trigger.Settings.Cron,
|
|
|
|
|
}
|
|
|
|
|
if pl.Trigger.Type != pol.TriggerTypeScheduled {
|
|
|
|
|
attrs[extraAttrTriggerSetting] = "-"
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
eid, err := de.executionMgr.Create(ctx, job.P2PPreheat, pl.ID, pl.Trigger.Type, attrs)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return -1, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Handle empty candidate list case
|
|
|
|
|
if len(candidates) == 0 {
|
|
|
|
|
// Return earlier
|
|
|
|
|
if err := de.executionMgr.MarkDone(ctx, eid, "no artifacts to preheat"); err != nil {
|
|
|
|
|
return eid, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return eid, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// TODO: Get provider instance by the provider ID
|
|
|
|
|
// Placeholder
|
|
|
|
|
ins := &provider.Instance{}
|
|
|
|
|
insData, err := ins.ToJSON()
|
|
|
|
|
if err != nil {
|
|
|
|
|
// In case
|
|
|
|
|
if er := de.executionMgr.MarkError(ctx, eid, err.Error()); er != nil {
|
|
|
|
|
return eid, errors.Wrap(er, err.Error())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return eid, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Start tasks
|
|
|
|
|
count := 0
|
|
|
|
|
for _, c := range candidates {
|
|
|
|
|
if _, err = de.startTask(ctx, eid, c, insData); err != nil {
|
|
|
|
|
// Just log the error and skip
|
|
|
|
|
logger.Errorf("start task error for preheating image: %s/%s:%s@%s", c.Namespace, c.Repository, c.Tags[0], c.Digest)
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
count++
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if count != len(candidates) {
|
|
|
|
|
// Obviously, failed to start some tasks
|
|
|
|
|
// Return as an error but the execution can still be queried.
|
|
|
|
|
return eid, errors.Errorf("some errors occurred when enforcing policy '%s(%d)' but execution '%d' is still available", pl.Name, pl.ID, eid)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return eid, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// startTask starts the preheat task(job) for the given candidate
|
|
|
|
|
func (de *defaultEnforcer) startTask(ctx context.Context, executionID int64, candidate *selector.Candidate, instance string) (int64, error) {
|
|
|
|
|
u, err := de.fullURLGetter(candidate)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return -1, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
cred, err := de.credMaker(candidate)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return -1, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pi := &pr.PreheatImage{
|
|
|
|
|
Type: pr.SupportedType,
|
|
|
|
|
URL: u,
|
|
|
|
|
Headers: map[string]interface{}{
|
|
|
|
|
accessCredHeaderKey: cred,
|
|
|
|
|
},
|
|
|
|
|
ImageName: fmt.Sprintf("%s/%s", candidate.Namespace, candidate.Repository),
|
|
|
|
|
Tag: candidate.Tags[0],
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
piData, err := pi.ToJSON()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return -1, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
j := &task.Job{
|
|
|
|
|
Name: job.P2PPreheat,
|
|
|
|
|
Parameters: job.Parameters{
|
|
|
|
|
preheat.PreheatParamProvider: instance,
|
|
|
|
|
preheat.PreheatParamImage: piData,
|
|
|
|
|
},
|
|
|
|
|
Metadata: &job.Metadata{
|
|
|
|
|
JobKind: job.KindGeneric,
|
|
|
|
|
IsUnique: true,
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
tid, err := de.taskMgr.Create(ctx, executionID, j, map[string]interface{}{
|
|
|
|
|
extraAttrArtifact: fmt.Sprintf("%s:%s", pi.ImageName, pi.Tag),
|
|
|
|
|
extraAttrDigest: candidate.Digest,
|
|
|
|
|
extraAttrKind: pi.Type,
|
|
|
|
|
})
|
|
|
|
|
if err != nil {
|
|
|
|
|
return -1, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return tid, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// getVulnerabilitySev gets the severity code value for the given artifact with allowlist option set
|
|
|
|
|
func (de *defaultEnforcer) getVulnerabilitySev(ctx context.Context, p *models.Project, art *artifact.Artifact) (uint, error) {
|
|
|
|
|
al := report.CVESet(p.CVEAllowlist.CVESet())
|
|
|
|
|
r, err := de.scanCtl.GetSummary(ctx, art, []string{v1.MimeTypeNativeReport}, report.WithCVEAllowlist(&al))
|
|
|
|
|
if err != nil {
|
|
|
|
|
if errors.IsNotFoundErr(err) {
|
|
|
|
|
// no vulnerability report
|
|
|
|
|
return defaultSeverityCode, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return defaultSeverityCode, errors.Wrap(err, "get vulnerability severity")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Severity is based on the native report format.
|
|
|
|
|
// In case no supported report format, treat as same to the no report scenario
|
|
|
|
|
sum, ok := r[v1.MimeTypeNativeReport]
|
|
|
|
|
if !ok {
|
|
|
|
|
return defaultSeverityCode, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
sm, ok := sum.(*vuln.NativeReportSummary)
|
|
|
|
|
if !ok {
|
|
|
|
|
return defaultSeverityCode, errors.New("malformed native summary report")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return (uint)(sm.Severity.Code()), nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// toCandidates converts the artifacts to filtering candidates
|
|
|
|
|
func (de *defaultEnforcer) toCandidates(ctx context.Context, p *models.Project, arts []*artifact.Artifact) ([]*selector.Candidate, error) {
|
|
|
|
|
// Convert to filtering candidates first
|
|
|
|
|
candidates := make([]*selector.Candidate, 0)
|
|
|
|
|
|
|
|
|
|
for _, a := range arts {
|
|
|
|
|
// Vulnerability severity is property of artifact
|
|
|
|
|
sev, err := de.getVulnerabilitySev(ctx, p, a)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// If artifact has more than one tag, then split them into separate candidate for easy filtering.
|
|
|
|
|
for _, t := range a.Tags {
|
|
|
|
|
candidates = append(candidates, &selector.Candidate{
|
|
|
|
|
NamespaceID: p.ProjectID,
|
|
|
|
|
Namespace: p.Name,
|
|
|
|
|
Repository: pureRepository(p.Name, a.RepositoryName),
|
|
|
|
|
Kind: pr.SupportedType,
|
|
|
|
|
Digest: a.Digest,
|
|
|
|
|
Tags: []string{t.Name},
|
|
|
|
|
Labels: getLabels(a.Labels),
|
|
|
|
|
Signatures: map[string]bool{
|
|
|
|
|
t.Name: t.Signed,
|
|
|
|
|
},
|
|
|
|
|
VulnerabilitySeverity: sev,
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return candidates, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// enforceError is a wrap error
|
|
|
|
|
func enforceError(e error) error {
|
|
|
|
|
return errors.Wrap(e, "enforce policy error")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// enforceErrorExt is an enhanced wrap error
|
|
|
|
|
func enforceErrorExt(e error, art *artifact.Artifact) error {
|
|
|
|
|
return errors.Wrap(e, fmt.Sprintf("enforce policy for given artifact error: %s@%s", art.RepositoryName, art.Digest))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// pureRepository removes project name from the repository
|
|
|
|
|
func pureRepository(ns, r string) string {
|
|
|
|
|
return strings.TrimPrefix(r, fmt.Sprintf("%s/", ns))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// getLabels gets label texts from the label objects
|
|
|
|
|
func getLabels(labels []*models.Label) []string {
|
|
|
|
|
lt := make([]string, 0)
|
|
|
|
|
for _, l := range labels {
|
|
|
|
|
lt = append(lt, l.Name)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return lt
|
2020-06-29 18:59:01 +02:00
|
|
|
}
|
