feat: Vulnerability Scanning via Clair

Signed-off-by: jay-dee7 <[email protected]>
containerish · Dec 21, 2023 · 124cf89 · 124cf89
1 parent 71b188f
commit 124cf89
Show file tree

Hide file tree

Showing 14 changed files with 1,337 additions and 487 deletions.
diff --git a/protos/services/yor/clair/v1/clair.proto b/protos/services/yor/clair/v1/clair.proto
@@ -4,10 +4,20 @@ package services.yor.clair.v1;
 option go_package = "github.com/containerish/OpenRegistry/services/yor/clair/v1;clair";
 import "google/protobuf/struct.proto";
 import "google/protobuf/timestamp.proto";
+import "common/v1/id.proto";
 
 service ClairService {
   rpc SubmitManifestToScan(SubmitManifestToScanRequest) returns (SubmitManifestToScanResponse) {}
   rpc GetVulnerabilityReport(GetVulnerabilityReportRequest) returns (GetVulnerabilityReportResponse) {}
+  rpc EnableVulnerabilityScanning(EnableVulnerabilityScanningRequest) returns (EnableVulnerabilityScanningResponse) {}
+}
+
+message EnableVulnerabilityScanningRequest {
+	common.v1.UUID repository_id = 1;
+}
+
+message EnableVulnerabilityScanningResponse {
+	string message = 1;
 }
 
 message ClairReportPackage {
@@ -16,6 +26,7 @@ message ClairReportPackage {
 	string version = 3;
 	string kind = 4;
 	string arch = 5;
+	ClairPackageSource source = 6;
 }
 
 message SubmitManifestToScanResponse  {
@@ -37,13 +48,17 @@ message ClairDescriptor {
 
 message SubmitManifestToScanRequest {
 	string hash = 1;
-	repeated ClairDescriptor layers = 2;
 }
 
 message GetVulnerabilityReportRequest {
 	string manifest_id = 1;
 }
 
+message ClairIndexManifestRequest {
+	string hash = 1;
+	repeated ClairDescriptor layers = 2;
+}
+
 message ClairPackageSource {
 	string id = 1;
 	string name = 2;

diff --git a/registry/v2/extensions/private_images.go b/registry/v2/extensions/private_images.go
@@ -1,7 +1,6 @@
 package extensions
 
 import (
-	"encoding/json"
 	"net/http"
 	"time"
 
@@ -14,21 +13,28 @@ func (ext *extension) ChangeContainerImageVisibility(ctx echo.Context) error {
 
 	var body types.ContainerImageVisibilityChangeRequest
 
-	if err := json.NewDecoder(ctx.Request().Body).Decode(&body); err != nil {
-		return ctx.JSON(http.StatusBadRequest, echo.Map{
+	if err := ctx.Bind(&body); err != nil {
+		echoErr := ctx.JSON(http.StatusBadRequest, echo.Map{
 			"error": "invalid request body",
 		})
+
+		ext.logger.Log(ctx, err).Send()
+		return echoErr
 	}
 	defer ctx.Request().Body.Close()
 
-	err := ext.store.SetContainerImageVisibility(ctx.Request().Context(), body.ImageManifestUUID, body.Visibility)
+	err := ext.store.SetContainerImageVisibility(ctx.Request().Context(), body.RepositoryID, body.Visibility)
 	if err != nil {
-		return ctx.JSON(http.StatusBadRequest, echo.Map{
+		echoErr := ctx.JSON(http.StatusBadRequest, echo.Map{
 			"error": err.Error(),
 		})
+		ext.logger.Log(ctx, err).Send()
+		return echoErr
 	}
 
-	return ctx.JSON(http.StatusOK, echo.Map{
+	echoErr := ctx.JSON(http.StatusOK, echo.Map{
 		"message": "container image visibility mode changed successfully",
 	})
+	ext.logger.Log(ctx, nil).Send()
+	return echoErr
 }
diff --git a/router/helpers.go b/router/helpers.go
@@ -19,7 +19,7 @@ func RegisterAuthRoutes(authRouter *echo.Group, authSvc auth.Authentication) {
 	authRouter.Add(http.MethodGet, "/sessions/me", authSvc.ReadUserWithSession)
 	authRouter.Add(http.MethodDelete, "/sessions", authSvc.ExpireSessions)
 	authRouter.Add(http.MethodGet, "/renew", authSvc.RenewAccessToken)
-	authRouter.Add(http.MethodPost, "/reset-password", authSvc.ResetPassword, authSvc.JWT())
+	authRouter.Add(http.MethodPost, "/reset-password", authSvc.ResetPassword, authSvc.JWTRest())
 	authRouter.Add(http.MethodPost, "/reset-forgotten-password", authSvc.ResetForgottenPassword, authSvc.JWT())
 	authRouter.Add(http.MethodGet, "/forgot-password", authSvc.ForgotPassword)
 }
diff --git a/router/middlewares.go b/router/middlewares.go
@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"net/http"
 	"regexp"
+	"strings"
 
 	"github.com/containerish/OpenRegistry/common"
 	"github.com/containerish/OpenRegistry/registry/v2"
@@ -20,12 +21,12 @@ func registryNamespaceValidator(logger telemetry.Logger) echo.MiddlewareFunc {
 	return func(handler echo.HandlerFunc) echo.HandlerFunc {
 		return func(ctx echo.Context) error {
 			// we skip the /v2/ path since it isn't a namespaced path
-			if ctx.Request().URL.Path == "/v2/" {
+			if ctx.Request().URL.Path == "/v2/" || strings.HasPrefix(ctx.Request().URL.Path, "/v2/ext/") {
 				return handler(ctx)
 			}
 
 			namespace := ctx.Param("username") + "/" + ctx.Param("imagename")
-			if namespace != "/" && !nsRegex.MatchString(namespace) {
+			if !nsRegex.MatchString(namespace) {
 				registryErr := common.RegistryErrorResponse(
 					registry.RegistryErrorCodeNameInvalid,
 					"invalid user namespace",

diff --git a/router/router.go b/router/router.go
@@ -9,6 +9,7 @@ import (
 	"github.com/containerish/OpenRegistry/auth"
 	auth_server "github.com/containerish/OpenRegistry/auth/server"
 	"github.com/containerish/OpenRegistry/config"
+	"github.com/containerish/OpenRegistry/dfs"
 	"github.com/containerish/OpenRegistry/orgmode"
 	"github.com/containerish/OpenRegistry/registry/v2"
 	"github.com/containerish/OpenRegistry/registry/v2/extensions"
@@ -37,6 +38,7 @@ func Register(
 	registryStore registry_store.RegistryStore,
 	usersStore users_store.UserStore,
 	automationStore automation.BuildAutomationStore,
+	dfs dfs.DFS,
 ) *echo.Echo {
 	e := setDefaultEchoOptions(cfg.WebAppConfig, healthCheckApi)
 
@@ -58,10 +60,17 @@ func Register(
 	RegisterUserRoutes(userApiRouter, usersApi)
 	RegisterNSRoutes(nsRouter, registryApi, registryStore, logger)
 	RegisterAuthRoutes(authRouter, authApi)
-	RegisterExtensionsRoutes(ociRouter, registryApi, extensionsApi)
+	RegisterExtensionsRoutes(ociRouter, registryApi, extensionsApi, authApi.JWTRest())
 	RegisterWebauthnRoutes(webauthnRouter, webauthnApi)
 	RegisterOrgModeRoutes(orgModeRouter, orgModeApi)
-	RegisterVulnScaningRoutes(cfg.Integrations.GetClairConfig(), logger)
+	RegisterVulnScaningRoutes(
+		usersStore,
+		cfg.Integrations.GetClairConfig(),
+		&cfg.Registry.Auth,
+		logger,
+		registryStore.GetLayersLinksForManifest,
+		dfs.GeneratePresignedURL,
+	)
 
 	if cfg.Integrations.GetGithubConfig() != nil && cfg.Integrations.GetGithubConfig().Enabled {
 		RegisterGitHubRoutes(

diff --git a/router/vuln_scanning_routes.go b/router/vuln_scanning_routes.go
@@ -7,20 +7,32 @@ import (
 
 	"github.com/containerish/OpenRegistry/config"
 	"github.com/containerish/OpenRegistry/services/yor/clair/v1/server"
+	"github.com/containerish/OpenRegistry/store/v1/users"
 	"github.com/containerish/OpenRegistry/telemetry"
 	"github.com/fatih/color"
 	"golang.org/x/net/http2"
 	"golang.org/x/net/http2/h2c"
 )
 
 func RegisterVulnScaningRoutes(
-	config *config.ClairIntegration,
+	userStore users.UserStore,
+	clairConfig *config.ClairIntegration,
+	authConfig *config.Auth,
 	logger telemetry.Logger,
+	layerLinkReader server.LayerLinkReader,
+	prePresignedURLGenerator server.PresignedURLGenerator,
 ) {
-	if config != nil && config.Enabled {
-		clairApi := server.NewClairClient(config, logger)
+	if clairConfig != nil && clairConfig.Enabled {
+		clairApi := server.NewClairClient(
+			userStore,
+			clairConfig,
+			authConfig,
+			logger,
+			layerLinkReader,
+			prePresignedURLGenerator,
+		)
 		go func() {
-			addr := net.JoinHostPort(config.Host, fmt.Sprintf("%d", config.Port))
+			addr := net.JoinHostPort(clairConfig.Host, fmt.Sprintf("%d", clairConfig.Port))
 			color.Green("connect-go Clair gRPC service running on: %s", addr)
 			if err := http.ListenAndServe(addr, h2c.NewHandler(clairApi, &http2.Server{})); err != nil {
 				color.Red("connect-go listen error: %s", err)

diff --git a/services/kon/github_actions/v1/server/build_logs.go b/services/kon/github_actions/v1/server/build_logs.go
@@ -316,7 +316,11 @@ func (ghs *GitHubActionsServer) waitForJobToFinish(
 	stream *connect_go.ServerStream[github_actions_v1.StreamWorkflowRunLogsResponse],
 ) error {
 	now := time.Now()
-	logEvent := ghs.logger.Debug().Str("method", "waitForJobToFinish").Int64("run_id", req.Msg.GetRunId()).Str("repo_name", req.Msg.GetRepoName()).Str("repo_owner", req.Msg.GetRepoOwner())
+	logEvent := ghs.logger.Debug().
+		Str("method", "waitForJobToFinish").
+		Int64("run_id", req.Msg.GetRunId()).
+		Str("repo_name", req.Msg.GetRepoName()).
+		Str("repo_owner", req.Msg.GetRepoOwner())
 
 	workflowRun, _, err := githubClient.Actions.GetWorkflowRunByID(
 		ctx,