134 lines
4.9 KiB
Python
Executable File
134 lines
4.9 KiB
Python
Executable File
#!/usr/bin/env python3
|
|
#
|
|
# Copyright 2019 Canonical Ltd
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
import configparser
|
|
import json
|
|
import os
|
|
import sys
|
|
|
|
sys.path.append('.')
|
|
|
|
import charmhelpers.contrib.openstack.audits as audits
|
|
from charmhelpers.contrib.openstack.audits import (
|
|
openstack_security_guide,
|
|
)
|
|
from charmhelpers.contrib.openstack.utils import (
|
|
CompareOpenStackReleases,
|
|
os_release)
|
|
|
|
|
|
# Via the openstack_security_guide above, we are running the following
|
|
# security assertions automatically:
|
|
#
|
|
# - Check-Image-01 validate-file-ownership
|
|
# - Check-Image-02 validate-file-permissions
|
|
|
|
|
|
@audits.audit(audits.is_audit_type(audits.AuditType.OpenStackSecurityGuide),
|
|
audits.before_openstack_release('glance-common', 'rocky'))
|
|
def prevent_masked_port_scans(audit_options):
|
|
"""Validate that masked port scans are disabled.
|
|
|
|
Security Guide Check Name: Check-Image-05
|
|
|
|
:param audit_options: Dictionary of options for audit configuration
|
|
:type audit_options: Dict
|
|
:raises: AssertionError if the assertion fails.
|
|
"""
|
|
try:
|
|
with open('/etc/glance/policy.json') as f:
|
|
policy = json.loads(f.read())
|
|
except json.decoder.JSONDecodeError:
|
|
assert False, "policy.json is invalid JSON"
|
|
assert policy is not None, "policy.json should restrict copy_from"
|
|
assert policy.get('copy_from') is not None, \
|
|
"policy.json should restrict copy_from"
|
|
|
|
|
|
@audits.audit(audits.is_audit_type(audits.AuditType.OpenStackSecurityGuide))
|
|
def validate_glance_uses_keystone(audit_options):
|
|
"""Validate that the service uses Keystone for authentication.
|
|
|
|
Security Guide Check Name: Check-Image-03
|
|
|
|
:param audit_options: Dictionary of options for audit configuration
|
|
:type audit_options: Dict
|
|
:raises: AssertionError if the assertion fails.
|
|
"""
|
|
conf = configparser.ConfigParser()
|
|
conf.read(os.path.join('/etc/glance/glance-api.conf'))
|
|
glance_api = dict(conf)
|
|
assert glance_api.get('DEFAULT', {}).get('auth_strategy') == "keystone", \
|
|
"Keystone should be used for auth in glance-api.conf"
|
|
cmp_release = CompareOpenStackReleases(os_release('glance-common'))
|
|
if cmp_release <= 'stein':
|
|
conf = configparser.ConfigParser()
|
|
conf.read(os.path.join('/etc/glance/glance-registry.conf'))
|
|
glance_registry = dict(conf)
|
|
assert glance_registry.get('DEFAULT', {}) \
|
|
.get('auth_strategy') == "keystone", \
|
|
"Keystone should be used for auth in glance-registry.conf"
|
|
|
|
|
|
@audits.audit(audits.is_audit_type(audits.AuditType.OpenStackSecurityGuide))
|
|
def validate_glance_uses_tls_for_keystone(audit_options):
|
|
"""Verify that TLS is used to communicate with Keystone.
|
|
|
|
Security Guide Check Name: Check-Image-04
|
|
|
|
:param audit_options: Dictionary of options for audit configuration
|
|
:type audit_options: Dict
|
|
:raises: AssertionError if the assertion fails.
|
|
"""
|
|
conf = configparser.ConfigParser()
|
|
conf.read(os.path.join('/etc/glance/glance-api.conf'))
|
|
glance_api = dict(conf)
|
|
assert not glance_api.get('keystone_authtoken', {}).get('insecure'), \
|
|
"Insecure mode should not be used with TLS"
|
|
assert glance_api.get('keystone_authtoken', {}).get('auth_uri'). \
|
|
startswith("https://"), \
|
|
"TLS should be used to authenticate with Keystone"
|
|
cmp_release = CompareOpenStackReleases(os_release('glance-common'))
|
|
if cmp_release <= 'stein':
|
|
conf = configparser.ConfigParser()
|
|
conf.read(os.path.join('/etc/glance/glance-registry.conf'))
|
|
glance_registry = dict(conf)
|
|
assert not glance_registry.get(
|
|
'keystone_authtoken', {}).get('insecure'), \
|
|
"Insecure mode should not be used with TLS"
|
|
assert glance_registry.get('keystone_authtoken', {}).get('auth_uri'). \
|
|
startswith("https://"), \
|
|
"TLS should be used to authenticate with Keystone"
|
|
|
|
|
|
def main():
|
|
config = {
|
|
'config_path': '/etc/glance',
|
|
'config_file': 'glance-api.conf',
|
|
'audit_type': audits.AuditType.OpenStackSecurityGuide,
|
|
'files': openstack_security_guide.FILE_ASSERTIONS['glance'],
|
|
'excludes': [
|
|
'validate-uses-tls-for-glance',
|
|
'validate-uses-keystone',
|
|
'validate-uses-tls-for-keystone',
|
|
],
|
|
}
|
|
return audits.action_parse_results(audits.run(config))
|
|
|
|
|
|
if __name__ == "__main__":
|
|
sys.exit(main())
|