Improved handling of deeply nested repositories

djcass44 · djcass44 · commit e4baa1341549 · 2022-02-05T18:11:04.000+11:00
diff --git a/cmd/cso/main.go b/cmd/cso/main.go
@@ -46,11 +46,16 @@ func main() {
 	}).Methods(http.MethodGet)
 
 	// setup caps
-	manifest := api.NewCapabilities(adapter.NewHarborAdapter(router))
+	dst := adapter.NewHarborAdapter()
+	manifest := api.NewCapabilities(dst)
+	middleware := api.NewMiddleware(dst)
 
 	// app paths
 	router.Handle("/.well-known/app-capabilities", manifest).
 		Methods(http.MethodGet)
+	router.PathPrefix("/cso/v1/repository/").
+		Handler(middleware).
+		Methods(http.MethodGet)
 
 	serverless.NewBuilder(router).
 		WithPort(e.Port).
diff --git a/internal/adapter/harbor.go b/internal/adapter/harbor.go
@@ -23,32 +23,22 @@ import (
 	"fmt"
 	"github.com/djcass44/cso-proxy/internal/adapter/harbor"
 	"github.com/djcass44/go-utils/pkg/httputils"
-	"github.com/gorilla/mux"
 	"github.com/quay/container-security-operator/secscan"
 	"github.com/quay/container-security-operator/secscan/quay"
 	log "github.com/sirupsen/logrus"
 	"io/ioutil"
 	"net"
 	"net/http"
 	"net/url"
-	"path/filepath"
+	"strings"
 	"time"
 )
 
 type Harbor struct{}
 
-func NewHarborAdapter(router *mux.Router) *Harbor {
+func NewHarborAdapter() *Harbor {
 	h := new(Harbor)
 
-	router.HandleFunc("/cso/v1/repository/{registry}/{namespace}/{reponame}/manifest/{digest}/security", h.ManifestSecurity).
-		Methods(http.MethodGet)
-	router.HandleFunc("/cso/v1/repository/{namespace}/{reponame}/manifest/{digest}/security", h.ManifestSecurity).
-		Methods(http.MethodGet)
-	router.HandleFunc("/cso/v1/repository/{registry}/{namespace}/{reponame}/image/{imageid}/security", h.ImageSecurity).
-		Methods(http.MethodGet)
-	router.HandleFunc("/cso/v1/repository/{namespace}/{reponame}/image/{imageid}/security", h.ImageSecurity).
-		Methods(http.MethodGet)
-
 	return h
 }
 
@@ -70,56 +60,22 @@ func (*Harbor) Capabilities(uri *url.URL) *quay.AppCapabilities {
 			ImageSecurity: struct {
 				RestApiTemplate string `json:"rest-api-template"`
 			}{
-				RestApiTemplate: fmt.Sprintf("%s/cso/v1/repository/{namespace}/{reponame}/image/{imageid}/security", appURL),
+				RestApiTemplate: "",
 			},
 		},
 	}
 }
 
-func (h *Harbor) ManifestSecurity(w http.ResponseWriter, r *http.Request) {
-	features, vulnerabilities := r.URL.Query().Get("features") == "true", r.URL.Query().Get("vulnerabilities") == "true"
-	vars := mux.Vars(r)
-	registry, namespace, reponame, digest := vars["registry"], vars["namespace"], vars["reponame"], vars["digest"]
-	log.WithContext(r.Context()).WithFields(log.Fields{
-		"registry":  registry,
+func (h *Harbor) ManifestSecurity(ctx context.Context, path, digest string, opts Opts) (*secscan.Response, int, error) {
+	bits := strings.SplitN(path, "/", 2)
+	namespace, reponame := bits[0], bits[1]
+	log.WithContext(ctx).WithFields(log.Fields{
 		"namespace": namespace,
 		"reponame":  reponame,
 		"digest":    digest,
 	}).Infof("fetching manifest information")
-	uri := fmt.Sprintf("https://%s", r.Host)
-	if registry != "" {
-		reponame = url.PathEscape(filepath.Join(namespace, reponame))
-		namespace = registry
-	}
-	report, code, err := h.vulnerabilityInfo(r.Context(), uri, namespace, reponame, digest, features, vulnerabilities)
-	if err != nil {
-		http.Error(w, err.Error(), code)
-		return
-	}
-	httputils.ReturnJSON(w, code, report)
-}
-
-func (h *Harbor) ImageSecurity(w http.ResponseWriter, r *http.Request) {
-	features, vulnerabilities := r.URL.Query().Get("features") == "true", r.URL.Query().Get("vulnerabilities") == "true"
-	vars := mux.Vars(r)
-	registry, namespace, reponame, imageid := vars["registry"], vars["namespace"], vars["reponame"], vars["imageid"]
-	log.WithContext(r.Context()).WithFields(log.Fields{
-		"registry":  registry,
-		"namespace": namespace,
-		"reponame":  reponame,
-		"imageid":   imageid,
-	}).Infof("fetching image information")
-	if registry != "" {
-		reponame = url.PathEscape(filepath.Join(namespace, reponame))
-		namespace = registry
-	}
-	uri := fmt.Sprintf("https://%s", r.Host)
-	report, code, err := h.vulnerabilityInfo(r.Context(), uri, namespace, reponame, imageid, features, vulnerabilities)
-	if err != nil {
-		http.Error(w, err.Error(), code)
-		return
-	}
-	httputils.ReturnJSON(w, code, report)
+	reponame = url.PathEscape(reponame)
+	return h.vulnerabilityInfo(ctx, opts.URI, namespace, reponame, digest, opts.Features, opts.Vulnerabilities)
 }
 
 func (*Harbor) vulnerabilityInfo(ctx context.Context, uri, namespace, repository, reference string, showFeatures, showVulnerabilities bool) (*secscan.Response, int, error) {
diff --git a/internal/adapter/types.go b/internal/adapter/types.go
@@ -18,16 +18,22 @@
 package adapter
 
 import (
+	"context"
 	"github.com/djcass44/cso-proxy/internal/adapter/harbor"
+	"github.com/quay/container-security-operator/secscan"
 	"github.com/quay/container-security-operator/secscan/quay"
-	"net/http"
 	"net/url"
 )
 
 type Adapter interface {
 	Capabilities(uri *url.URL) *quay.AppCapabilities
-	ManifestSecurity(w http.ResponseWriter, r *http.Request)
-	ImageSecurity(w http.ResponseWriter, r *http.Request)
+	ManifestSecurity(ctx context.Context, path, digest string, opts Opts) (*secscan.Response, int, error)
+}
+
+type Opts struct {
+	URI             string
+	Features        bool
+	Vulnerabilities bool
 }
 
 type HarborScan map[string]harbor.Report
diff --git a/internal/api/middleware.go b/internal/api/middleware.go
@@ -0,0 +1,59 @@
+/*
+ *    Copyright 2022 Django Cass
+ *
+ *    Licensed under the Apache License, Version 2.0 (the "License");
+ *    you may not use this file except in compliance with the License.
+ *    You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS,
+ *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *    See the License for the specific language governing permissions and
+ *    limitations under the License.
+ *
+ */
+
+package api
+
+import (
+	"fmt"
+	"github.com/djcass44/cso-proxy/internal/adapter"
+	"github.com/djcass44/go-utils/pkg/httputils"
+	"net/http"
+	"regexp"
+	"strings"
+)
+
+var ManifestRegex = regexp.MustCompile(`^/cso/v1/repository/([^/]+/){2,}manifest/([^/]+)/security$`)
+
+type Middleware struct {
+	dst adapter.Adapter
+}
+
+func NewMiddleware(dst adapter.Adapter) *Middleware {
+	return &Middleware{
+		dst: dst,
+	}
+}
+
+func (m *Middleware) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	if !ManifestRegex.MatchString(r.URL.Path) {
+		http.NotFound(w, r)
+		return
+	}
+	features, vulnerabilities := r.URL.Query().Get("features") == "true", r.URL.Query().Get("vulnerabilities") == "true"
+	path := strings.SplitN(strings.TrimPrefix(r.URL.Path, "/cso/v1/repository/"), "/manifest/", 2)[0]
+	digest := ManifestRegex.FindStringSubmatch(r.URL.Path)[2]
+	resp, code, err := m.dst.ManifestSecurity(r.Context(), path, digest, adapter.Opts{
+		URI:             fmt.Sprintf("https://%s", r.Host),
+		Features:        features,
+		Vulnerabilities: vulnerabilities,
+	})
+	if err != nil {
+		http.Error(w, err.Error(), code)
+		return
+	}
+	httputils.ReturnJSON(w, code, resp)
+}
diff --git a/internal/api/middleware_test.go b/internal/api/middleware_test.go
@@ -0,0 +1,72 @@
+/*
+ *    Copyright 2022 Django Cass
+ *
+ *    Licensed under the Apache License, Version 2.0 (the "License");
+ *    you may not use this file except in compliance with the License.
+ *    You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS,
+ *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *    See the License for the specific language governing permissions and
+ *    limitations under the License.
+ *
+ */
+
+package api
+
+import (
+	"context"
+	"fmt"
+	"github.com/djcass44/cso-proxy/internal/adapter"
+	"github.com/quay/container-security-operator/secscan"
+	"github.com/quay/container-security-operator/secscan/quay"
+	"github.com/stretchr/testify/assert"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"testing"
+)
+
+type testAdapter struct{}
+
+func (t testAdapter) Capabilities(*url.URL) *quay.AppCapabilities {
+	return &quay.AppCapabilities{}
+}
+
+func (t testAdapter) ManifestSecurity(context.Context, string, string, adapter.Opts) (*secscan.Response, int, error) {
+	return &secscan.Response{
+		Status: "",
+		Data:   secscan.Data{},
+	}, http.StatusOK, nil
+}
+
+func TestMiddleware_ServeHTTP(t *testing.T) {
+	var cases = []struct {
+		path string
+		code int
+	}{
+		{
+			"/cso/v1/repository/registry.gitlab.com/av1o/base-images/alpine/manifest/sha256:f42e1d4f05bfd2911c7a205588348d06c7af7ec9bb46e2cb4846e733fb0399da/security",
+			http.StatusOK,
+		},
+		{
+			"/cso/v1/repository/bitnami/postgresql/manifest/foobar/security",
+			http.StatusOK,
+		},
+		{
+			"/cso/v1/repository/bitnami/postgresql/image/foobar/security",
+			http.StatusNotFound,
+		},
+	}
+	m := NewMiddleware(&testAdapter{})
+	for _, tt := range cases {
+		t.Run(tt.path, func(t *testing.T) {
+			w := httptest.NewRecorder()
+			m.ServeHTTP(w, httptest.NewRequest(http.MethodGet, fmt.Sprintf("https://example.org%s", tt.path), nil))
+			assert.EqualValues(t, tt.code, w.Code)
+		})
+	}
+}
