#!/usr/bin/env python3 # # Copyright 2019 Canonical Ltd # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. import configparser import json import os import sys sys.path.append('.') import charmhelpers.contrib.openstack.audits as audits from charmhelpers.contrib.openstack.audits import ( openstack_security_guide, ) # Via the openstack_security_guide above, we are running the following # security assertions automatically: # # - Check-Image-01 validate-file-ownership # - Check-Image-02 validate-file-permissions @audits.audit(audits.is_audit_type(audits.AuditType.OpenStackSecurityGuide), audits.before_openstack_release('glance-common', 'rocky')) def prevent_masked_port_scans(audit_options): """Validate that masked port scans are disabled. Security Guide Check Name: Check-Image-05 :param audit_options: Dictionary of options for audit configuration :type audit_options: Dict :raises: AssertionError if the assertion fails. """ try: with open('/etc/glance/policy.json') as f: policy = json.loads(f.read()) except json.decoder.JSONDecodeError: assert False, "policy.json is invalid JSON" assert policy is not None, "policy.json should restrict copy_from" assert policy.get('copy_from') is not None, \ "policy.json should restrict copy_from" @audits.audit(audits.is_audit_type(audits.AuditType.OpenStackSecurityGuide)) def validate_glance_uses_keystone(audit_options): """Validate that the service uses Keystone for authentication. Security Guide Check Name: Check-Image-03 :param audit_options: Dictionary of options for audit configuration :type audit_options: Dict :raises: AssertionError if the assertion fails. """ conf = configparser.ConfigParser() conf.read(os.path.join('/etc/glance/glance-api.conf')) glance_api = dict(conf) assert glance_api.get('DEFAULT', {}).get('auth_strategy') == "keystone", \ "Keystone should be used for auth in glance-api.conf" conf = configparser.ConfigParser() conf.read(os.path.join('/etc/glance/glance-registry.conf')) glance_registry = dict(conf) assert glance_registry.get('DEFAULT', {}) \ .get('auth_strategy') == "keystone", \ "Keystone should be used for auth in glance-api.conf" @audits.audit(audits.is_audit_type(audits.AuditType.OpenStackSecurityGuide)) def validate_glance_uses_tls_for_keystone(audit_options): """Verify that TLS is used to communicate with Keystone. Security Guide Check Name: Check-Image-04 :param audit_options: Dictionary of options for audit configuration :type audit_options: Dict :raises: AssertionError if the assertion fails. """ conf = configparser.ConfigParser() conf.read(os.path.join('/etc/glance/glance-api.conf')) glance_api = dict(conf) assert not glance_api.get('keystone_authtoken', {}).get('insecure'), \ "Insecure mode should not be used with TLS" assert glance_api.get('keystone_authtoken', {}).get('auth_uri'). \ startswith("https://"), \ "TLS should be used to authenticate with Keystone" conf = configparser.ConfigParser() conf.read(os.path.join('/etc/glance/glance-registry.conf')) glance_registry = dict(conf) assert not glance_registry.get('keystone_authtoken', {}).get('insecure'), \ "Insecure mode should not be used with TLS" assert glance_registry.get('keystone_authtoken', {}).get('auth_uri'). \ startswith("https://"), \ "TLS should be used to authenticate with Keystone" def main(): config = { 'config_path': '/etc/glance', 'config_file': 'glance-api.conf', 'audit_type': audits.AuditType.OpenStackSecurityGuide, 'files': openstack_security_guide.FILE_ASSERTIONS['glance'], 'excludes': [ 'validate-uses-tls-for-glance', 'validate-uses-keystone', 'validate-uses-tls-for-keystone', ], } return audits.action_parse_results(audits.run(config)) if __name__ == "__main__": sys.exit(main())