Scan templated python files with bandit
This change adds a zuul check job to export any templated python contained in the helm charts and scan it with bandit for any potential security flaws. This also adds two nosec comments on the instances of subprocess used as they currently do not appear to be malicious, as well as changing the endpoint_update python code to prevent sql injection, which satisfies bandit code B608. Change-Id: I2212d26514c3510353d16a4592893dd2e85cb369
This commit is contained in:
parent
cc4c9cdc9d
commit
482dbcac29
@ -73,9 +73,8 @@ except:
|
|||||||
# Set Internal Endpoint
|
# Set Internal Endpoint
|
||||||
try:
|
try:
|
||||||
endpoint_url = os.environ['OS_BOOTSTRAP_INTERNAL_URL']
|
endpoint_url = os.environ['OS_BOOTSTRAP_INTERNAL_URL']
|
||||||
user_engine.execute(
|
cmd = "update endpoint set url = %s where interface ='internal' and service_id = (select id from service where service.type = 'identity')"
|
||||||
"update endpoint set url = '{0}' where interface ='internal' and service_id = (select id from service where service.type = 'identity')".
|
user_engine.execute(cmd, (endpoint_url,))
|
||||||
format(endpoint_url))
|
|
||||||
except:
|
except:
|
||||||
logger.critical("Could not update internal endpoint")
|
logger.critical("Could not update internal endpoint")
|
||||||
raise
|
raise
|
||||||
@ -83,9 +82,8 @@ except:
|
|||||||
# Set Admin Endpoint
|
# Set Admin Endpoint
|
||||||
try:
|
try:
|
||||||
endpoint_url = os.environ['OS_BOOTSTRAP_ADMIN_URL']
|
endpoint_url = os.environ['OS_BOOTSTRAP_ADMIN_URL']
|
||||||
user_engine.execute(
|
cmd = "update endpoint set url = %s where interface ='admin' and service_id = (select id from service where service.type = 'identity')"
|
||||||
"update endpoint set url = '{0}' where interface ='admin' and service_id = (select id from service where service.type = 'identity')".
|
user_engine.execute(cmd, (endpoint_url,))
|
||||||
format(endpoint_url))
|
|
||||||
except:
|
except:
|
||||||
logger.critical("Could not update admin endpoint")
|
logger.critical("Could not update admin endpoint")
|
||||||
raise
|
raise
|
||||||
@ -93,9 +91,8 @@ except:
|
|||||||
# Set Public Endpoint
|
# Set Public Endpoint
|
||||||
try:
|
try:
|
||||||
endpoint_url = os.environ['OS_BOOTSTRAP_PUBLIC_URL']
|
endpoint_url = os.environ['OS_BOOTSTRAP_PUBLIC_URL']
|
||||||
user_engine.execute(
|
cmd = "update endpoint set url = %s where interface ='public' and service_id = (select id from service where service.type = 'identity')"
|
||||||
"update endpoint set url = '{0}' where interface ='public' and service_id = (select id from service where service.type = 'identity')".
|
user_engine.execute(cmd, (endpoint_url,))
|
||||||
format(endpoint_url))
|
|
||||||
except:
|
except:
|
||||||
logger.critical("Could not update public endpoint")
|
logger.critical("Could not update public endpoint")
|
||||||
raise
|
raise
|
||||||
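Review bot: The `%s` placeholder in the new `cmd` strings ties the statement to DB-API drivers that use the format/pyformat paramstyle (MySQL and PostgreSQL drivers); a driver using qmark style such as sqlite3 would reject it, so the fix is correct but dialect-specific. If `user_engine` is a SQLAlchemy engine, a dialect-neutral form is `from sqlalchemy import text` and `user_engine.execute(text("update endpoint set url = :url where interface ='internal' and service_id = (select id from service where service.type = 'identity')"), url=endpoint_url)`, which still binds the value instead of interpolating it. The same applies to the admin and public hunks below, which are otherwise identical. A one-line comment above each `cmd` such as `# endpoint_url is bound as a query parameter, never formatted into the SQL (bandit B608)` would record why the value is passed separately.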
|
@ -25,7 +25,7 @@ import os
|
|||||||
import pwd
|
import pwd
|
||||||
import re
|
import re
|
||||||
import six
|
import six
|
||||||
import subprocess
|
import subprocess #nosec
|
||||||
import sys
|
import sys
|
||||||
import time
|
import time
|
||||||
|
|
||||||
@ -127,7 +127,7 @@ def execute_command(cmd):
|
|||||||
LOG.info("Executing 'keystone-manage %s --keystone-user=%s "
|
LOG.info("Executing 'keystone-manage %s --keystone-user=%s "
|
||||||
"--keystone-group=%s' command.",
|
"--keystone-group=%s' command.",
|
||||||
cmd, KEYSTONE_USER, KEYSTONE_GROUP)
|
cmd, KEYSTONE_USER, KEYSTONE_GROUP)
|
||||||
subprocess.call(['keystone-manage', cmd,
|
subprocess.call(['keystone-manage', cmd, #nosec
|
||||||
'--keystone-user=%s' % KEYSTONE_USER,
|
'--keystone-user=%s' % KEYSTONE_USER,
|
||||||
'--keystone-group=%s' % KEYSTONE_GROUP])
|
'--keystone-group=%s' % KEYSTONE_GROUP])
|
||||||
|
|
||||||
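Review bot: The bare `#nosec` markers added on the `import subprocess` line and on the `subprocess.call([...` line suppress every bandit test on those lines, not only the one being accepted; the call line carries both B603 (subprocess without a shell) and B607 (the executable is given as the bare name `keystone-manage`), and any future finding on the same line would be hidden as well. With a bandit release that supports test-qualified markers, narrow them to `import subprocess  # nosec B404` and `subprocess.call(['keystone-manage', cmd,  # nosec B603 B607`, and add a short comment stating why the call is accepted (argument list, no shell, fixed program name). The `execute_command` body starts and ends outside the hunk, so whether `cmd` is constrained before it reaches the call cannot be seen here.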
|
16
tools/gate/files/template-python.sh
Executable file
16
tools/gate/files/template-python.sh
Executable file
@ -0,0 +1,16 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
EXCLUDES="helm-toolkit doc tests tools logs tmp roles playbooks releasenotes zuul.d python-files"
|
||||||
|
DIRS=`ls -d */ | cut -f1 -d'/'`
|
||||||
|
|
||||||
|
for EX in $EXCLUDES; do
|
||||||
|
DIRS=`echo $DIRS | sed "s/\b$EX\b//g"`
|
||||||
|
done
|
||||||
|
|
||||||
|
for DIR in $DIRS; do
|
||||||
|
PYFILES=$(helm template $DIR | yq 'select(.data != null) | .data | to_entries | map(select(.key | test(".*\\.py"))) | select(length > 0) | values[] | {(.key) : (.value)}' | jq -s add)
|
||||||
|
PYKEYS=$(echo "$PYFILES" | jq -r 'select(. != null) | keys[]')
|
||||||
|
for KEY in $PYKEYS; do
|
||||||
|
echo "$PYFILES" | jq -r --arg KEY "$KEY" '.[$KEY]' > ./python-files/"$DIR-$KEY"
|
||||||
|
done
|
||||||
|
done
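Review bot: The script sets no `-e`/`pipefail`, so when `helm template $DIR` fails for a chart the pipeline yields an empty `PYFILES`, the inner loop is skipped, and the job passes having exported nothing from that chart; adding `set -eo pipefail` after the shebang turns that into a job failure instead of a silent coverage gap. The key filter `test(".*\\.py")` also matches any key that merely contains `.py` (for example `foo.pyc` or `foo.py.bak`); if no chart relies on such keys, anchoring it as `test("\\.py$")` limits the export to the `.py` files the bandit scan is meant to cover. The script also writes into `./python-files/` but relies on the playbook to create it; a `mkdir -p python-files` at the top would make it usable on its own.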
|
28
tools/gate/playbooks/osh-bandit.yaml
Normal file
28
tools/gate/playbooks/osh-bandit.yaml
Normal file
@ -0,0 +1,28 @@
|
|||||||
|
- hosts: all
|
||||||
|
name: openstack-helm-bandit
|
||||||
|
tasks:
|
||||||
|
|
||||||
|
- name: Install Required Packages and Setup Host
|
||||||
|
shell: |
|
||||||
|
set -xe;
|
||||||
|
./tools/deployment/common/install-packages.sh
|
||||||
|
./tools/deployment/common/deploy-k8s.sh
|
||||||
|
sudo -H pip install yq bandit
|
||||||
|
environment:
|
||||||
|
zuul_site_mirror_fqdn: "{{ zuul_site_mirror_fqdn }}"
|
||||||
|
args:
|
||||||
|
chdir: "{{ zuul.project.src_dir }}"
|
||||||
|
|
||||||
|
- name: Template out python files
|
||||||
|
shell: |
|
||||||
|
set -xe;
|
||||||
|
make all
|
||||||
|
mkdir -p python-files
|
||||||
|
./tools/gate/files/template-python.sh
|
||||||
|
args:
|
||||||
|
chdir: "{{ zuul.project.src_dir }}"
|
||||||
|
|
||||||
|
- name: Run bandit against python files
|
||||||
|
shell: bandit -r ./python-files
|
||||||
|
args:
|
||||||
|
chdir: "{{ zuul.project.src_dir }}"
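Review bot: `sudo -H pip install yq bandit` installs whatever versions the index serves at job time, with no pin or hash, so the scanner's rule set (and therefore pass/fail for the same commit) can change between runs, and the gate trusts an unpinned package install executed as root. Pin both, for example `sudo -H pip install 'yq==<pinned version>' 'bandit==<pinned version>'` (placeholders), or move them into a requirements file with hashes. The `# nosec` markers added in the keystone hunk also depend on which bandit release is installed, which is one more reason to fix the version.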
|
@ -24,6 +24,20 @@
|
|||||||
- ^doc/.*$
|
- ^doc/.*$
|
||||||
- ^releasenotes/.*$
|
- ^releasenotes/.*$
|
||||||
|
|
||||||
|
- job:
|
||||||
|
name: openstack-helm-bandit
|
||||||
|
timeout: 3600
|
||||||
|
run: tools/gate/playbooks/osh-bandit.yaml
|
||||||
|
required-projects:
|
||||||
|
- openstack/openstack-helm-infra
|
||||||
|
# NOTE(gagehugo): Look into only running this for py.tpl file changes
|
||||||
|
# files:
|
||||||
|
# - ^.*\.py\.tpl$
|
||||||
|
irrelevant-files:
|
||||||
|
- ^.*\.rst$
|
||||||
|
- ^doc/.*$
|
||||||
|
- ^releasenotes/.*$
|
||||||
|
|
||||||
- job:
|
- job:
|
||||||
name: openstack-helm-chart-deploy
|
name: openstack-helm-chart-deploy
|
||||||
parent: openstack-helm-functional-temp
|
parent: openstack-helm-functional-temp
|
||||||
|
@ -24,6 +24,7 @@
|
|||||||
check:
|
check:
|
||||||
jobs:
|
jobs:
|
||||||
- openstack-helm-lint
|
- openstack-helm-lint
|
||||||
|
- openstack-helm-bandit
|
||||||
- openstack-helm-keystone
|
- openstack-helm-keystone
|
||||||
- openstack-helm-keystone-ldap
|
- openstack-helm-keystone-ldap
|
||||||
- openstack-helm-glance
|
- openstack-helm-glance
|
||||||
|