walking hierarchy to build allows

Cargo.toml

@@ -4,8 +4,11 @@ version = "0.1.0"
 edition = "2018"
 
 [dependencies]
-git2 = "0.13"
 clap = "3.0.0-beta.2"
+git2 = "0.13"
+glob = "0.3.0"
+serde = { version = "1.0", features = ["derive"] }
+serde_json = "1.0"
 
 [lib]
 name = "whitelists"

src/allow.rs

@@ -0,0 +1,133 @@
+use std::fs::File;
+use std::io::BufReader;
+use std::path::Path;
+
+use glob::glob;
+use serde_json::from_reader;
+
+use serde::Deserialize;
+use std::collections::HashMap;
+
+#[derive(Deserialize, Debug)]
+struct Greylist {
+    image_name: String,
+    image_tag: String,
+    image_parent_name: String,
+    image_parent_tag: String,
+    whitelisted_vulnerabilities: Vec<Vuln>,
+}
+
+#[derive(Deserialize, Debug)]
+pub struct Vuln {
+    #[serde(rename = "vulnerability")]
+    id: String,
+}
+
+pub struct Allowed {
+    pub id: String,
+    pub by: String,
+}
+
+impl Greylist {
+    fn image(&self) -> String {
+        format!("{}:{}", self.image_name, self.image_tag)
+    }
+    fn image_parent(&self) -> Option<String> {
+        match (&self.image_parent_name, &self.image_parent_tag) {
+            (i, t) if !i.is_empty() && !t.is_empty() => Some(i.to_string()),
+            _ => None,
+        }
+    }
+}
+
+fn vuln_to_allow(v: &Vuln, g: &Greylist) -> Allowed {
+    Allowed {
+        id: v.id.clone(),
+        by: g.image(),
+    }
+}
+
+pub fn greylisted(name: &str, repo: &str) -> Result<Vec<Allowed>, String> {
+    match glob(format!("{}/{}/*.greylist", repo, name).as_str()) {
+        Ok(mut e) => {
+            let path = e.next().expect("image not found").unwrap();
+
+            let file = File::open(&path).unwrap();
+            let reader = BufReader::new(file);
+            let r: serde_json::error::Result<Greylist> = serde_json::from_reader(reader);
+            match r {
+                Ok(mut gl) => match gl.image_parent() {
+                    Some(p) => {
+                        let mut x = vec![];
+                        x.append(&mut greylisted(&p, repo).unwrap());
+                        x.append(
+                            &mut gl
+                                .whitelisted_vulnerabilities
+                                .iter()
+                                .map(|v| vuln_to_allow(v, &gl))
+                                .collect(),
+                        );
+                        Ok(x)
+                    }
+                    None => Ok(gl
+                        .whitelisted_vulnerabilities
+                        .iter()
+                        .map(|v| vuln_to_allow(v, &gl))
+                        .collect()),
+                },
+                Err(e) => Err(format!("ERROR: {}", e)),
+            }
+        }
+        _ => Err(String::from("Error _")),
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    const VULN_STR: &str = r#"{
+        "vulnerability": "CCE-12345-6",
+        "vuln_description": "description-text",
+        "vuln_source": "OpenSCAP",
+        "status": "approved",
+        "approved_date": "1/1/2020",
+        "approved_by": "[email protected]",
+        "justification": "justification-text"
+      }"#;
+
+    const GL_STR: &str = r#"{
+        "image_name": "image/name",
+        "image_tag": "1.0",
+        "image_parent_name": "redhat/ubi/ubi8",
+        "image_parent_tag": "8.3",
+        "container_owner": "[email protected]",
+        "approval_status": "notapproved",
+        "authorized_approvers": [
+            "[email protected]"
+        ],
+        "whitelisted_vulnerabilities": [
+              {
+                "vulnerability": "CCE-12345-6",
+                "vuln_description": "description-text",
+                "vuln_source": "OpenSCAP",
+                "status": "approved",
+                "approved_date": "1/1/2020",
+                "approved_by": "[email protected]",
+                "justification": "justification-text"
+              }
+        ]
+    }"#;
+
+    #[test]
+    fn deserilize_list() {
+        let gl: Greylist = serde_json::from_str(GL_STR).unwrap();
+        println!("{}", gl.whitelisted_vulnerabilities.first().unwrap().id);
+    }
+
+    #[test]
+    fn deserilize_vuln() {
+        let v: Vuln = serde_json::from_str(VULN_STR).unwrap();
+        println!("{}", v.id);
+    }
+}

src/lib.rs

@@ -1 +1,2 @@
+pub mod allow;
 pub mod repo;

src/main.rs

@@ -1,19 +1,36 @@
 use clap::Clap;
 
+use whitelists::allow;
 use whitelists::repo;
 
 #[derive(Clap)]
 #[clap(version = "v0.1.0")]
 /// DCCSCR Whitelist Tool
 struct Opts {
     /// url of whiltelist repository
-    #[clap(short, long, default_value = "https://repo1.dso.mil/dsop/dccscr-whitelists")]
+    #[clap(
+        short,
+        long,
+        default_value = "https://repo1.dso.mil/dsop/dccscr-whitelists"
+    )]
     url: String,
+
+    /// image name excluding tag
+    image: String,
 }
 
 fn main() {
     let opts: Opts = Opts::parse();
 
     let (repo, sha) = repo::latest(&opts.url).unwrap();
-    println!("{}", sha)
+    match allow::greylisted(&opts.image, repo.as_str()) {
+        Ok(list) => {
+            for i in list {
+                println!("{}", i.id);
+                eprintln!("{} ({})", i.id, i.by);
+            }
+        }
+        Err(e) => println!("Failure {}", e),
+    }
+    eprintln!("sha: {}", sha)
 }

src/repo.rs

@@ -6,8 +6,7 @@ const REPODIR: &str = "/tmp/dccscr";
 pub fn latest(url: &str) -> Result<(String, String), String> {
     if !Path::new(REPODIR).join(".git").exists() {
         clone(url)
-    }
-    else {
+    } else {
         pull()
     }
 }
@@ -18,7 +17,7 @@ fn clone(url: &str) -> Result<(String, String), String> {
         Ok(r) => {
             let sha = r.revparse_single("HEAD").unwrap().id().to_string();
             Ok((String::from(REPODIR), sha))
-        },
+        }
         Err(e) => Err(format!("failed to clone: {}", e)),
     }
 }
@@ -29,7 +28,7 @@ fn pull() -> Result<(String, String), String> {
         Ok(r) => {
             let sha = r.revparse_single("HEAD").unwrap().id().to_string();
             Ok((String::from(REPODIR), sha))
-        },
+        }
         Err(e) => Err(format!("failed to pull: {}", e)),
     }
 }
@@ -42,7 +41,7 @@ mod tests {
     fn it_works() {
         match latest("https://repo1.dso.mil/dsop/dccscr-whitelists") {
             Ok((path, sha)) => println!("{}", sha),
-            Err(e) => println!("error: {}", e)
+            Err(e) => println!("error: {}", e),
         }
     }
 }

tests/data/test-repo/redhat/python/python/python.greylist

@@ -0,0 +1,9 @@
+{
+    "image_name": "redhat/python/python",
+    "image_tag": "3.6",
+    "image_parent_name": "redhat/ubi/ubi8",
+    "image_parent_tag": "8.1",
+    "authorized_approvers": [
+    ],
+    "whitelisted_vulnerabilities": []
+}