removed hyper settings, now using tmpfiles/tmpdirs

parent ac8581e1
......@@ -2,6 +2,7 @@ import logging
import random
import re
import subprocess
import tempfile
import time
import traceback
from base64 import b64decode
......@@ -184,11 +185,11 @@ class Credential(models.Model):
return {'what': what, 'running': running, 'max': max, 'available': available}
def hyper_cmd_run(self, label, cmd):
self.update_hyper_config_file()
hyper_config_dir = self.create_tmp_hyper_config()
log.info(label)
# add the standard hyper command:
stdcmd = ["hyper", "--config="+self.config_dirname()]
stdcmd = ["hyper", "--config="+hyper_config_dir]
cmd = stdcmd + cmd
......@@ -198,7 +199,12 @@ class Credential(models.Model):
log.info(pretty)
return pretty
def update_hyper_config_file(self):
def create_tmp_hyper_config(self):
# you need a serparate dir per config file...
# you need to manually delete this... which we currently wont.
tmp_dir = tempfile.mkdtemp()
"""Writes credentials file for this Credential"""
full_config = """
......@@ -214,17 +220,10 @@ class Credential(models.Model):
}
""" % {'accesskey': self.access_key, 'secretkey': self.secret_key, 'region': self.region}
with open(self.config_dirname() + '/config.json', 'w') as file:
with open(tmp_dir + '/config.json', 'w') as file:
file.write(full_config)
def config_dirname(self):
import os
directory = "%s/%s" % (settings.HYPER_CREDENTIALS_DIR, self.pk)
if not os.path.exists(directory):
os.makedirs(directory)
return directory
return tmp_dir
@app.task
def task_validate(self):
......@@ -237,18 +236,6 @@ class Credential(models.Model):
if not is_validation_save:
self.task_validate.apply_async(args=(self,))
self.update_certificate()
# Certificate is needed to communicate between failmap and it's workers. This cert is stored as base64 in the
# configuration and stored as a file on save. Configure HYPER_CERTIFICATE_DIR on the server to give these files
# a special location.
def update_certificate(self):
with open(self.certificate_path(), 'wb') as file:
file.write(b64decode(self.communication_certificate))
def certificate_path(self):
return settings.HYPER_CERTIFICATE_DIR + "/hyper_certificate_%s.p12" % self.pk
class ContainerEnvironment(models.Model):
"""Single environment variable for docker container."""
......@@ -462,9 +449,16 @@ class ContainerGroup(models.Model):
conf = self.configuration.as_dict
# create a temporary file with certificate information. Will be deleted asap.
# will leak the certificate if temporaryfile can be accessed by others etc.
# you really need to save it... can't unlink it manually as exceptions below will make sure it remains.
# starting containers can be really slow.
with tempfile.NamedTemporaryFile(delete=False) as tmp_certfile:
tmp_certfile.write(b64decode(self.credential.communication_certificate))
tmp_certfile.flush() # make sure it's actually written.
# Give $certificate the correct name and id:
conf['volumes'] = [volume.replace("$certificate",
self.credential.certificate_path()) for volume in conf['volumes']]
conf['volumes'] = [volume.replace("$certificate", tmp_certfile.name) for volume in conf['volumes']]
"""
You'll see that we use commands to perform certain hyper operations. This is due to the mismatch with the
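Review bot: The credentials written by `create_tmp_hyper_config` (the `config.json` under `tempfile.mkdtemp()`, containing `access_key` and `secret_key`) and the certificate written via `tempfile.NamedTemporaryFile(delete=False)` in the ContainerGroup hunk are never removed, as the comments themselves admit, so every `hyper_cmd_run` call and every container start leaves another copy of a secret in the system temp directory. `mkdtemp()` and `NamedTemporaryFile` both create with owner-only permissions, which covers the "accessed by others" worry in the comment, but the accumulated files stay readable to anyone who later gains that user's access or a backup of the temp directory. Since the hyper subprocess runs after the file is written, the cleanup belongs in a `try`/`finally` around that call (`shutil.rmtree(hyper_config_dir, ignore_errors=True)` in `hyper_cmd_run`, `os.unlink(tmp_certfile.name)` after the container start, with `shutil`/`os` imported at module level); the "exceptions below will make sure it remains" concern is exactly what `finally` addresses. The bodies of `hyper_cmd_run` and the ContainerGroup method continue outside their hunks, so the exact placement of the `finally` is not visible here.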
......@@ -853,7 +853,10 @@ MEDIA_ROOT = os.environ.get('MEDIA_ROOT', os.path.abspath(os.path.dirname(__file
# core.site (we only have one site)
# scanners.state, will be deprecated and removed (if not already)
# See: http://jet.readthedocs.io/en/latest/config_file.html#custom-menu
# Permissions are AND-ed together.
# admin (a nonsense permission) has been added everywhere to avoid "empty arrows" when signing in with a role with
# limited permissions.
# For the default labels, see: https://docs.djangoproject.com/en/2.1/topics/auth/default/#topic-authorization
JET_SIDE_MENU_ITEMS = [ # A list of application or custom item dicts
{'label': _('🔧 configuration'), 'items': [
......@@ -862,7 +865,7 @@ JET_SIDE_MENU_ITEMS = [ # A list of application or custom item dicts
{'name': 'constance.config', 'label': _('configuration')},
{'name': 'map.configuration', 'label': _('map configuration')},
{'name': 'map.administrativeregion', 'label': _('import regions')},
]},
], 'permissions': ['admin']},
{'app_label': 'organizations', 'label': _('🏢 organizations'), 'items': [
{'name': 'organization'},
......@@ -870,24 +873,25 @@ JET_SIDE_MENU_ITEMS = [ # A list of application or custom item dicts
{'name': 'promise'},
{'name': 'coordinate'},
{'name': 'organizationtype'},
]},
], 'permissions': ['admin']},
# todo: sort scan moment to show latest first.
{'app_label': 'scanners', 'label': _('🔬 scanners'), 'items': [
{'name': 'endpoint'},
{'name': 'endpointgenericscan'},
{'name': 'tlsscan'},
{'name': 'tlsqualysscan'},
{'name': 'urlgenericscan'},
{'name': 'screenshot'},
{'name': 'urlip'},
{'name': 'tlsqualysscratchpad'},
{'name': 'endpointgenericscanscratchpad'},
{'name': 'endpoint', 'permissions': ['admin']},
{'name': 'endpointgenericscan', 'permissions': ['scanners.change_endpointgenericscan']},
{'name': 'tlsscan', 'permissions': ['scanners.change_tlsscan']},
{'name': 'tlsqualysscan', 'permissions': ['scanners.change_tlsqualysscan']},
{'name': 'urlgenericscan', 'permissions': ['scanners.change_urlgenericscan']},
{'name': 'screenshot', 'permissions': ['admin']},
{'name': 'urlip', 'permissions': ['admin']},
{'name': 'tlsqualysscratchpad', 'permissions': ['admin']},
{'name': 'endpointgenericscanscratchpad', 'permissions': ['admin']},
]},
{'label': _('🗺️ map (autogenerated)'), 'items': [
{'name': 'map.organizationrating'},
{'name': 'map.urlrating'},
]},
], 'permissions': ['admin']},
{'label': _('🕒 periodic tasks'), 'items': [
{'name': 'app.job'},
......@@ -895,7 +899,7 @@ JET_SIDE_MENU_ITEMS = [ # A list of application or custom item dicts
{'name': 'django_celery_beat.crontabschedule'},
{'name': 'django_celery_beat.intervalschedule'},
{'name': 'django_celery_beat.solarschedule'},
]},
], 'permissions': ['admin']},
{'app_label': 'helpdesk', 'label': _('ℹ️ helpdesk'), 'items': [
{'name': 'queue'},
......@@ -908,14 +912,14 @@ JET_SIDE_MENU_ITEMS = [ # A list of application or custom item dicts
{'name': 'ignoreemail'},
{'name': 'kbcategory'},
{'name': 'kbitem'},
]},
], 'permissions': ['admin']},
{'app_label': 'hypersh', 'label': _('☁️ hypersh cloud scans'), 'items': [
{'name': 'containerenvironment'},
{'name': 'containerconfiguration'},
{'name': 'containergroup'},
{'name': 'credential'},
]},
], 'permissions': ['admin']},
{'app_label': 'game', 'label': _('👾️ the game'), 'items': [
{'name': 'contest'},
......@@ -928,7 +932,7 @@ JET_SIDE_MENU_ITEMS = [ # A list of application or custom item dicts
{'label': _('New urls'),
'url': '/admin/game/urlsubmission/?has_been_accepted__exact=0&has_been_rejected__exact=0&o=-6.2.3',
'url_blank': False},
]},
], 'permissions': ['admin']},
]
# end django jet menu configuration
########
......@@ -970,13 +974,3 @@ JET_SIDE_MENU_ITEMS = [ # A list of application or custom item dicts
# }
# End cacheops
########
# Hyper Cloud Scanning
# This is where certificates are stored from the credentials table when they are uploaded to Hyper.
# the name of the certificate name is the number of the credentials record + .p12
# Thus: HYPER_CERTIFICATE_DIR + '/hyper_certificate_1.p12' for the first configuration.
# Make sure it has NO trailing slash.
HYPER_CERTIFICATE_DIR = os.environ.get('HYPER_CERTIFICATE_DIR', BASE_DIR + '/..')
# Hyper credential files will be written here in a separate dir per config. So config /1/, /2/ etc...
HYPER_CREDENTIALS_DIR = os.environ.get('HYPER_CREDENTIALS_DIR', BASE_DIR + '/..')
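Review bot: The new `'permissions'` entries on the JET menu items only decide which entries are rendered in the sidebar; they do not restrict access to the underlying admin URLs, which remains governed by each ModelAdmin's permission checks. The comment block above `JET_SIDE_MENU_ITEMS` should say so, so that nobody later treats this list as an authorization control, e.g. `# NOTE: 'permissions' only hides menu entries; access to the admin views is still enforced by the ModelAdmin permissions.` As far as I can tell, the "nonsense" `admin` permission means those entries are shown only to superusers (who pass every `has_perm` check), which is worth stating explicitly next to the "empty arrows" remark as well.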