From 933a6480c9e4e94d19f70f687eeb557c6c737345 Mon Sep 17 00:00:00 2001
From: BlakePatterson
Date: Mon, 28 Oct 2024 16:26:39 -0400
Subject: [PATCH] feat(os_scanner): added policy 4.5 check implementation via os processor

---
 scanner/openstack/go.mod | 7 ++-
 scanner/openstack/go.sum | 4 ++
 scanner/openstack/main.go | 26 +++++++++--
 scanner/openstack/processor/config.go | 8 ++++
 scanner/openstack/processor/processor.go | 57 ++++++++++++++++++++++++
 5 files changed, 98 insertions(+), 4 deletions(-)
 create mode 100644 scanner/openstack/processor/config.go

diff --git a/scanner/openstack/go.mod b/scanner/openstack/go.mod
index 29a35dc8..1851845b 100644
--- a/scanner/openstack/go.mod
+++ b/scanner/openstack/go.mod
@@ -8,4 +8,9 @@ require (
 github.com/sirupsen/logrus v1.9.3
 )
 
-require golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 // indirect
+require github.com/vektah/gqlparser/v2 v2.5.11 // indirect
+
+require (
+ github.com/Khan/genqlient v0.7.0
+ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 // indirect
+)
diff --git a/scanner/openstack/go.sum b/scanner/openstack/go.sum
index 9e1ea67b..7e4ac38a 100644
--- a/scanner/openstack/go.sum
+++ b/scanner/openstack/go.sum
@@ -1,3 +1,5 @@
+github.com/Khan/genqlient v0.7.0 h1:GZ1meyRnzcDTK48EjqB8t3bcfYvHArCUUvgOwpz1D4w=
+github.com/Khan/genqlient v0.7.0/go.mod h1:HNyy3wZvuYwmW3Y7mkoQLZsa/R5n5yIRajS1kPBvSFM=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -12,6 +14,8 @@ github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVs
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/vektah/gqlparser/v2 v2.5.11 h1:JJxLtXIoN7+3x6MBdtIP59TP1RANnY7pXOaDnADQSf8=
+github.com/vektah/gqlparser/v2 v2.5.11/go.mod h1:1rCcfwB2ekJofmluGWXMSEnPMZgbxzwj6FaZ/4OT8Cc=
 golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
diff --git a/scanner/openstack/main.go b/scanner/openstack/main.go
index a3835c60..8b52db4e 100644
--- a/scanner/openstack/main.go
+++ b/scanner/openstack/main.go
@@ -1,11 +1,13 @@
 // SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors
 // SPDX-License-Identifier: Apache-2.0
+
 package main
 
 import (
 "fmt"
 "os"
 
+ "github.com/cloudoperators/heureka/scanner/openstack/processor"
 "github.com/cloudoperators/heureka/scanner/openstack/scanner"
 "github.com/kelseyhightower/envconfig"
 log "github.com/sirupsen/logrus"
@@ -46,17 +48,35 @@ func main() {
 log.WithError(err).Fatal("Error while reading env config for scanner")
 }
 
- opScanner := scanner.NewScanner(scannerCfg)
+ var processorsCfg processor.Config
+ err = envconfig.Process("openstack", &processorsCfg)
+ if err != nil {
+ log.WithError(err).Fatal("Error while reading env config for processor")
+ }
+
+ osScanner := scanner.NewScanner(scannerCfg)
+ osProcessor := processor.NewProcessor(processorsCfg)
 
- service, err := opScanner.Setup()
+ service, err := osScanner.Setup()
 if err != nil {
 log.WithError(err).Fatal("Error during scanner setup")
 }
 
- results, err := opScanner.GetServers(service)
+ servers, err := osScanner.GetServers(service)
 if err != nil {
 log.WithError(err).Fatal("Error during scanner get servers")
 }
 
+ fmt.Print("Servers: \n")
+ fmt.Print(servers)
+ fmt.Print("\n\n")
+
+ results, err := osProcessor.ProcessServers(servers)
+ if err != nil {
+ log.WithError(err).Fatal("Error during processor process servers")
+ }
+
+ fmt.Print("Results: \n")
 fmt.Print(results)
+ fmt.Print("\n\n")
 }
diff --git a/scanner/openstack/processor/config.go b/scanner/openstack/processor/config.go
new file mode 100644
index 00000000..aa3b1464
--- /dev/null
+++ b/scanner/openstack/processor/config.go
@@ -0,0 +1,8 @@
+// SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors
+// SPDX-License-Identifier: Apache-2.0
+
+package processor
+
+type Config struct {
+ HeurekaUrl string `envconfig:"HEUREKA_URL" required:"true" json:"-"`
+}
diff --git a/scanner/openstack/processor/processor.go b/scanner/openstack/processor/processor.go
index cb96ad2e..0b84be47 100644
--- a/scanner/openstack/processor/processor.go
+++ b/scanner/openstack/processor/processor.go
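Review bot: `fmt.Print(servers)` writes the complete gophercloud server structs to stdout, including the per-instance Metadata map the processor later reads, so the scanner's normal output now carries tenant data the policy check does not need; a count such as `log.Debugf("retrieved %d servers", len(servers))` is enough at this layer. `fmt.Print(results)` has a similar problem in a different direction: a `[]map[string]interface{}` printed with fmt is a `map[...]` dump nobody can consume, whereas `json.NewEncoder(os.Stdout).Encode(results)` (adding `encoding/json` to the imports) yields structured output for downstream tooling. The enclosing `main` starts outside the hunk.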
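Review bot: `Config` and its `HeurekaUrl` field in config.go are exported without a doc comment, and the field name should follow Go's initialism convention as `HeurekaURL`; the `envconfig:"HEUREKA_URL"` tag keeps the environment variable name unchanged, so the rename only touches `cfg.HeurekaUrl` in processor.go. A comment along the lines of `// Config holds the processor settings read from the environment; HeurekaURL is the Heureka GraphQL endpoint handed to graphql.NewClient.` would document the type.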
@@ -2,3 +2,60 @@
 // SPDX-License-Identifier: Apache-2.0
 
 package processor
+
+import (
+ "net/http"
+ "strings"
+
+ "github.com/Khan/genqlient/graphql"
+ "github.com/gophercloud/gophercloud/openstack/compute/v2/servers"
+)
+
+type Processor struct {
+ Client *graphql.Client
+}
+
+func NewProcessor(cfg Config) *Processor {
+ httpClient := http.Client{}
+ gClient := graphql.NewClient(cfg.HeurekaUrl, &httpClient)
+ return &Processor{
+ Client: &gClient,
+ }
+}
+
+func (p *Processor) ProcessServers(serverList []servers.Server) ([]map[string]interface{}, error) {
+ // This function processes the list of servers and checks if they are compliant with policy 4.5
+
+ output := []map[string]interface{}{}
+
+ for _, server := range serverList {
+
+ imgName := server.Metadata["image_name"]
+
+ resultObj := map[string]interface{}{
+ "server_name": server.Name,
+ "server_image_name": imgName,
+ }
+
+ if policy4dot5Check(imgName) {
+ resultObj["result"] = "compliant"
+ } else {
+ resultObj["result"] = "non-compliant"
+ }
+
+ output = append(output, resultObj)
+ }
+
+ return output, nil
+}
+
+func policy4dot5Check(img_name string) bool {
+ // This is a temporary hardcoded implementation of policy 4.5 for the OpenStack scanner PoC
+ // This function will be replaced by the actual implementation of policy checks in the future
+ // Policy 4.5 checks that the image name contains either "gardenlinux" or "SAP-compliant"
+
+ if strings.Contains(img_name, "gardenlinux") || strings.Contains(img_name, "SAP-compliant") {
+ return true
+ }
+ return false
+}
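Review bot: `NewProcessor` builds `http.Client{}` with no timeout, so any request later sent through `gClient` can block the scanner indefinitely on an unresponsive Heureka endpoint; `httpClient := http.Client{Timeout: 30 * time.Second}` (adding `time` to the imports) bounds that. `graphql.NewClient` returns the `graphql.Client` interface, so `Client *graphql.Client` is a pointer to an interface; declare the field as `Client graphql.Client` and assign `gClient` directly. In `policy4dot5Check`, `strings.Contains` is a substring test and the value comes from `server.Metadata["image_name"]`, i.e. instance metadata that the instance owner can normally set, not the image record, so the result should carry a comment stating that it is indicative only until the image is resolved from `server.Image` and matched exactly. A missing key yields `""` and is silently reported as `non-compliant`; an `unknown` result for that case would keep the output honest about missing data. `img_name` should be `imgName` per Go naming.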