feat: add cloudpi producer

smithy-security · Sep 29, 2024 · ee23c6a · ee23c6a
1 parent aa2b2b2
commit ee23c6a
Show file tree

Hide file tree

Showing 5 changed files with 361 additions and 0 deletions.
diff --git a/components/producers/cloudpi/Dockerfile b/components/producers/cloudpi/Dockerfile
@@ -0,0 +1,22 @@
+FROM python:3.12.2-slim as builder
+
+WORKDIR /app
+
+ENV PYTHONDONTWRITEBYTECODE 1
+ENV PYTHONUNBUFFERED 1
+
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends gcc
+
+COPY requirements.txt .
+RUN pip wheel --no-cache-dir --wheel-dir /app/wheels -r requirements.txt
+
+
+FROM python:3.12.2-slim
+
+WORKDIR /app
+
+COPY --from=builder /app/wheels /wheels
+COPY --from=builder /app/requirements.txt .
+
+RUN pip install --no-cache /wheels/*
diff --git a/components/producers/cloudpi/requirements.txt b/components/producers/cloudpi/requirements.txt
@@ -0,0 +1,293 @@
+#
+# This file is autogenerated by pip-compile with python 3.10
+# To update, run:
+#
+#    pip-compile
+#
+--extra-index-url https://alpine-wheels.github.io/index
+
+adal>=1.2.7
+    # via
+    #   cartography
+    #   msrestazure
+applicationinsights>=0.11.10
+    # via azure-cli-telemetry
+argcomplete>=1.12.3
+    # via
+    #   azure-cli-core
+    #   knack
+azure-cli-core>=2.37.0
+    # via cartography
+azure-cli-telemetry>=1.0.6
+    # via azure-cli-core
+azure-common>=1.1.28
+    # via
+    #   azure-mgmt-compute
+    #   azure-mgmt-cosmosdb
+    #   azure-mgmt-resource
+    #   azure-mgmt-sql
+    #   azure-mgmt-storage
+azure-core>=1.24.0
+    # via
+    #   azure-identity
+    #   azure-mgmt-core
+azure-identity>=1.10.0
+    # via cartography
+azure-mgmt-compute>=27.0.0
+    # via cartography
+azure-mgmt-core>=1.3.0
+    # via
+    #   azure-cli-core
+    #   azure-mgmt-compute
+    #   azure-mgmt-cosmosdb
+    #   azure-mgmt-resource
+    #   azure-mgmt-sql
+    #   azure-mgmt-storage
+azure-mgmt-cosmosdb>=6.4.0
+    # via cartography
+azure-mgmt-resource>=21.1.0
+    # via cartography
+azure-mgmt-sql>=1.0.0
+    # via cartography
+azure-mgmt-storage>=20.0.0
+    # via cartography
+bcrypt>=3.2.2
+    # via paramiko
+boto3>=1.23.8
+    # via cartography
+botocore>=1.26.8
+    # via
+    #   boto3
+    #   cartography
+    #   s3transfer
+cachetools>=5.1.0
+    # via google-auth
+cartography>=0.93.0
+    # via -r requirements.in
+certifi>=2022.5.18.1
+    # via
+    #   kubernetes
+    #   msrest
+    #   requests
+cffi>=1.15.0
+    # via
+    #   bcrypt
+    #   cryptography
+    #   pynacl
+charset-normalizer>=2.0.12
+    # via requests
+crowdstrike-falconpy>=1.1.2
+    # via cartography
+cryptography>=3.3.2
+    # via
+    #   adal
+    #   azure-cli-core
+    #   azure-identity
+    #   cartography
+    #   msal
+    #   paramiko
+    #   pyjwt
+    #   pyopenssl
+dnspython>=2.2.1
+    # via cartography
+google-api-core>=2.8.0
+    # via google-api-python-client
+google-api-python-client>=2.49.0
+    # via cartography
+google-auth>=2.6.6
+    # via
+    #   google-api-core
+    #   google-api-python-client
+    #   google-auth-httplib2
+    #   kubernetes
+google-auth-httplib2>=0.1.0
+    # via google-api-python-client
+googleapis-common-protos>=1.56.1
+    # via google-api-core
+httplib2>=0.20.4
+    # via
+    #   google-api-python-client
+    #   google-auth-httplib2
+    #   oauth2client
+humanfriendly>=10.0
+    # via azure-cli-core
+idna>=3.3
+    # via requests
+isodate>=0.6.1
+    # via msrest
+jmespath>=1.0.0
+    # via
+    #   azure-cli-core
+    #   boto3
+    #   botocore
+    #   knack
+jsonpickle>=2.2.0
+    # via python-digitalocean
+knack>=0.9.0
+    # via azure-cli-core
+kubernetes>=21.7.0
+    # via cartography
+marshmallow>=3.15.0
+    # via cartography
+msal>=1.18.0b1
+    # via
+    #   azure-cli-core
+    #   azure-identity
+    #   msal-extensions
+msal-extensions>=1.0.0
+    # via
+    #   azure-cli-core
+    #   azure-identity
+msrest>=0.6.21
+    # via
+    #   azure-mgmt-compute
+    #   azure-mgmt-cosmosdb
+    #   azure-mgmt-resource
+    #   azure-mgmt-sql
+    #   azure-mgmt-storage
+    #   msrestazure
+msrestazure>=0.6.4
+    # via
+    #   azure-cli-core
+    #   cartography
+neo4j>=1.7.6
+    # via cartography
+neobolt>=1.7.17
+    # via
+    #   cartography
+    #   neo4j
+neotime>=1.7.4
+    # via neo4j
+oauth2client>=4.1.3
+    # via cartography
+oauthlib>=3.2.0
+    # via requests-oauthlib
+okta>=0.0.4
+    # via cartography
+packaging>=21.3
+    # via
+    #   azure-cli-core
+    #   cartography
+    #   marshmallow
+paramiko>=2.11.0
+    # via azure-cli-core
+pdpyras>=4.5.0
+    # via cartography
+pkginfo>=1.8.2
+    # via azure-cli-core
+policyuniverse>=1.5.0.20220523
+    # via cartography
+portalocker>=1.7.1
+    # via
+    #   azure-cli-telemetry
+    #   msal-extensions
+protobuf>=3.20.1
+    # via
+    #   google-api-core
+    #   googleapis-common-protos
+psutil>=5.9.1
+    # via azure-cli-core
+pyasn1>=0.4.8
+    # via
+    #   oauth2client
+    #   pyasn1-modules
+    #   rsa
+pyasn1-modules>=0.2.8
+    # via
+    #   google-auth
+    #   oauth2client
+pycparser>=2.21
+    # via cffi
+pygments>=2.12.0
+    # via knack
+pyjwt[crypto]>=2.4.0
+    # via
+    #   adal
+    #   azure-cli-core
+    #   msal
+pynacl>=1.5.0
+    # via paramiko
+pyopenssl>=20.0.1
+    # via azure-cli-core
+pyparsing>=3.0.9
+    # via
+    #   httplib2
+    #   packaging
+pysocks>=1.7.1
+    # via requests
+python-dateutil>=2.8.2
+    # via
+    #   adal
+    #   botocore
+    #   kubernetes
+    #   okta
+python-digitalocean>=1.17.0
+    # via cartography
+pytz>=2022.1
+    # via neotime
+pyyaml>=6.0
+    # via
+    #   cartography
+    #   knack
+    #   kubernetes
+requests[socks]>=2.27.1
+    # via
+    #   adal
+    #   azure-cli-core
+    #   azure-core
+    #   cartography
+    #   crowdstrike-falconpy
+    #   google-api-core
+    #   kubernetes
+    #   msal
+    #   msrest
+    #   okta
+    #   pdpyras
+    #   python-digitalocean
+    #   requests-oauthlib
+requests-oauthlib>=1.3.1
+    # via
+    #   kubernetes
+    #   msrest
+rsa>=4.8
+    # via
+    #   google-auth
+    #   oauth2client
+s3transfer>=0.5.2
+    # via boto3
+six>=1.16.0
+    # via
+    #   azure-core
+    #   azure-identity
+    #   cryptography
+    #   google-auth
+    #   google-auth-httplib2
+    #   isodate
+    #   kubernetes
+    #   msrestazure
+    #   neotime
+    #   oauth2client
+    #   okta
+    #   paramiko
+    #   pyopenssl
+    #   python-dateutil
+statsd>=3.3.0
+    # via cartography
+tabulate>=0.8.9
+    # via knack
+typing-extensions>=4.2.0
+    # via azure-core
+uritemplate>=4.1.1
+    # via google-api-python-client
+urllib3>=1.26.9
+    # via
+    #   botocore
+    #   crowdstrike-falconpy
+    #   kubernetes
+    #   pdpyras
+    #   requests
+websocket-client>=1.3.2
+    # via kubernetes
+
+# The following packages are considered to be unsafe in a requirements file:
+# setuptools
diff --git a/components/producers/cloudpi/task.yaml b/components/producers/cloudpi/task.yaml
@@ -0,0 +1,38 @@
+---
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+  name: producer-cloudpi
+  labels:
+    v1.dracon.ocurity.com/component: producer
+    v1.dracon.ocurity.com/test-type: sca
+spec:
+  params:
+  - name: AWS_ACCESS_KEY_ID
+    type: string
+    description: "aws access key id"
+  - name: AWS_SECRET_ACCESS_KEY
+    type: string
+    description: "aws secret access key"
+  volumes:
+    - name: scratch
+      emptyDir: {}
+  # workspaces:
+  #   - name: output
+  #     description: The workspace containing the source-code to scan.
+  steps:
+  - name: run-cartography
+    image: '{{ default "ghcr.io/ocurity/dracon" .Values.image.registry }}/components/producers/docker-cloudpi:{{ .Chart.AppVersion }}'
+    env:
+      - name: AWS_ACCESS_KEY_ID
+        value: $(params.AWS_ACCESS_KEY_ID)
+      - name: AWS_SECRET_ACCESS_KEY
+        value: $(params.AWS_SECRET_ACCESS_KEY)
+    command: 
+      - cartography
+    args:
+      - --neo4j-uri
+      - bolt://dracon.dracon.svc:7687
+    volumeMounts:
+    - mountPath: /scratch
+      name: scratch
diff --git a/deploy/dracon/chart/values.yaml b/deploy/dracon/chart/values.yaml
@@ -62,6 +62,10 @@ neo4j:
   services:
     neo4j:
       enabled: false
+  # TODO: add authorization
+  dbms:
+    security:
+      auth_enabled: false
 
 # this section controls aspects of managing a database used to store deduplication enrichments
 # the database should use the Postgres dialect.

diff --git a/deploy/dracon/values/dev.yaml b/deploy/dracon/values/dev.yaml
@@ -49,6 +49,10 @@ neo4j:
   volumes:
     data:
       mode: defaultStorageClass
+  # TODO: add authorization
+  dbms:
+    security:
+      auth_enabled: false
 
 tekton:
   enabled: true