chaitin · huzai9527 · Aug 4, 2022
diff --git a/veinmind-runner/cmd/cli.go b/veinmind-runner/cmd/cli.go
@@ -164,6 +164,38 @@ var authCmd = &cmd.Command{
 		return runner.Run()
 	},
 }
+
+var webhookCmd = &cmd.Command{
+	Use:   "webhook",
+	Short: "webhook for harbor",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		path, err := cmd.Flags().GetString("config")
+		if err != nil {
+			return err
+		}
+
+		config, err := authz.NewHarborWebhookConfig(path)
+		if err != nil {
+			return err
+		}
+
+		options := []authz.HarborWebhookOption{
+			authz.WithHarborPolicy(config.Policies...),
+			authz.WithHarborAuthLog(config.Log.AuthZLogPath),
+			authz.WithHarborPluginLog(config.Log.PluginLogPath),
+			authz.WithWebhookServer(config.WebhookServer),
+			authz.WithAuthInfo(config.DockerAuth),
+			authz.WithMailServer(config.MailConf),
+		}
+
+		server, err := authz.NewHarborWebhookServer(options...)
+		if err != nil {
+			return err
+		}
+		runner := authz.NewDefaultRunner(&server)
+		return runner.Run()
+	},
+}
 var listCmd = &cmd.Command{
 	Use:   "list",
 	Short: "list relevant information",
@@ -230,7 +262,7 @@ var scanRegistryCmd = &cmd.Command{
 			if config == "" {
 				c, err = commonRuntime.NewDockerClient()
 			} else {
-				c, err = commonRuntime.NewDockerClient(commonRuntime.WithAuth(config))
+				c, err = commonRuntime.NewDockerClient(commonRuntime.WithAuthFromPath(config))
 			}
 			if err != nil {
 				return err
@@ -471,6 +503,8 @@ func init() {
 	rootCmd.AddCommand(scanRegistryCmd)
 	rootCmd.AddCommand(authCmd)
 	authCmd.Flags().StringP("config", "c", "", "authz config path")
+	rootCmd.AddCommand(webhookCmd)
+	webhookCmd.Flags().StringP("config", "c", "", "webhook config path")
 	rootCmd.AddCommand(listCmd)
 	rootCmd.PersistentFlags().IntP("exit-code", "e", 0, "exit-code when veinmind-runner find security issues")
 	listCmd.AddCommand(listPluginCmd)

diff --git a/veinmind-runner/go.mod b/veinmind-runner/go.mod
@@ -5,13 +5,15 @@ go 1.16
 require (
 	github.com/BurntSushi/toml v0.4.1
 	github.com/chaitin/libveinmind v1.1.1
-	github.com/chaitin/veinmind-common-go v1.0.5
+	github.com/chaitin/veinmind-common-go v1.1.0
 	github.com/distribution/distribution v2.8.1+incompatible
 	github.com/docker/docker v20.10.17+incompatible
 	github.com/gin-gonic/gin v1.8.1
 	github.com/pkg/errors v0.9.1
 	github.com/sirupsen/logrus v1.8.1
 	github.com/spf13/cobra v1.4.0
+	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
+	gopkg.in/mail.v2 v2.3.1
 	gotest.tools/v3 v3.1.0 // indirect
 )
 

diff --git a/veinmind-runner/go.sum b/veinmind-runner/go.sum
@@ -203,8 +203,8 @@ github.com/cespare/xxhash/v2 v2.1.2 h1:YRXhKfTDauu4ajMg1TPgFO5jnlC2HCbmLXMcTG5cb
 github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/chaitin/libveinmind v1.1.1 h1:DoMJXAjw3xzOHcrAiBBQpbqudsumw5pGfRQko6f6USc=
 github.com/chaitin/libveinmind v1.1.1/go.mod h1:bUUjhkyZyZ9sTetpm5rOfj5TU3hr5moE3VQM+IgHrbw=
-github.com/chaitin/veinmind-common-go v1.0.5 h1:OA8c9IDMPGXUBQksiFck6tx5eEtfDz9LB1+FcmaSMDY=
-github.com/chaitin/veinmind-common-go v1.0.5/go.mod h1:pmtVj6duS6B3spaBPhMMXOZOzDyyABtcEIQEF4KpZaI=
+github.com/chaitin/veinmind-common-go v1.1.0 h1:YKE+KBVyP48IBKFf4dH5Ve8ayHz8rQ8S07iFPF8z60U=
+github.com/chaitin/veinmind-common-go v1.1.0/go.mod h1:Ap6KTM2qqKv+8tLeb38pX9DFWt/P8/1gmCO2b9tjNZo=
 github.com/charithe/durationcheck v0.0.9/go.mod h1:SSbRIBVfMjCi/kEB6K65XEA83D6prSM8ap1UCpNKtgg=
 github.com/chavacava/garif v0.0.0-20210405164556-e8a0a408d6af/go.mod h1:Qjyv4H3//PWVzTeCezG2b9IRn6myJxJSr4TD/xo6ojU=
 github.com/checkpoint-restore/go-criu/v4 v4.1.0/go.mod h1:xUQBLp4RLc5zJtWY++yjOoMoB5lihDt7fai+75m+rGw=
@@ -2047,6 +2047,8 @@ google.golang.org/protobuf v1.28.0 h1:w43yiav+6bVFTBQFZX0r7ipe9JQ1QsbMgHwbBziscL
 google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/airbrake/gobrake.v2 v2.0.9/go.mod h1:/h5ZAUhDkGaJfjzjKLSjv6zCL6O0LLBxU4K+aSYdM/U=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
+gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc h1:2gGKlE2+asNV9m7xrywl36YYNnBG5ZQ0r/BOOxqPpmk=
+gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc/go.mod h1:m7x9LTH6d71AHyAX77c9yqWCCa3UKHcVEj9y7hAtKDk=
 gopkg.in/cenkalti/backoff.v2 v2.2.1 h1:eJ9UAg01/HIHG987TwxvnzK2MgxXq97YY6rYDpY9aII=
 gopkg.in/cenkalti/backoff.v2 v2.2.1/go.mod h1:S0QdOvT2AlerfSBkp0O+dk+bbIMaNbEmVk876gPCthU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -2069,6 +2071,8 @@ gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/ini.v1 v1.63.2/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/ini.v1 v1.66.2 h1:XfR1dOYubytKy4Shzc2LHrrGhU0lDCfDGG1yLPmpgsI=
 gopkg.in/ini.v1 v1.66.2/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
+gopkg.in/mail.v2 v2.3.1 h1:WYFn/oANrAGP2C0dcV6/pbkPzv8yGzqTjPmTeO7qoXk=
+gopkg.in/mail.v2 v2.3.1/go.mod h1:htwXN1Qh09vZJ1NVKxQqHPBaCBbzKhp5GzuJEA4VJWw=
 gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k=
 gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
 gopkg.in/rethinkdb/rethinkdb-go.v6 v6.2.1 h1:d4KQkxAaAiRY2h5Zqis161Pv91A37uZyJOx73duwUwM=

diff --git a/veinmind-runner/pkg/authz/action/harbor_webhook.go b/veinmind-runner/pkg/authz/action/harbor_webhook.go
@@ -0,0 +1,29 @@
+package action
+
+var (
+	PULL_ARTIFACT   string = "PULL_ARTIFACT"
+	PUSH_ARTIFACT   string = "PUSH_ARTIFACT"
+	DELETE_ARTIFACT string = "DELETE_ARTIFACT"
+)
+
+// only for push and pull api
+// TODO: parse scan/helm/etc. api post data
+type PullandPushData struct {
+	Type      string `json:"type"`
+	OccurAt   int    `json:"occur_at"`
+	Operator  string `json:"operator"`
+	EventData struct {
+		Resources []struct {
+			Digest      string `json:"digest"`
+			Tag         string `json:"tag"`
+			ResourceURL string `json:"resource_url"`
+		} `json:"resources"`
+		Repository struct {
+			DateCreated  int    `json:"date_created"`
+			Name         string `json:"name"`
+			Namespace    string `json:"namespace"`
+			RepoFullName string `json:"repo_full_name"`
+			RepoType     string `json:"repo_type"`
+		} `json:"repository"`
+	} `json:"event_data"`
+}
diff --git a/veinmind-runner/pkg/authz/authz_config.go b/veinmind-runner/pkg/authz/authz_config.go
@@ -14,6 +14,8 @@ const (
 	defaultSockListenAddr = "/run/docker/plugins/veinmind-broker.sock"
 )
 
+
+
 type Policy struct {
 	Action          string   `toml:"action"`
 	EnabledPlugins  []string `toml:"enabled_plugins"`

diff --git a/veinmind-runner/pkg/authz/authz_report.go b/veinmind-runner/pkg/authz/authz_report.go
@@ -4,6 +4,8 @@ import (
 	"fmt"
 	"io"
 
+	gomail "gopkg.in/mail.v2"
+
 	"github.com/chaitin/libveinmind/go/plugin/log"
 	"github.com/chaitin/veinmind-common-go/service/report"
 	"github.com/chaitin/veinmind-tools/veinmind-runner/pkg/reporter"
@@ -54,3 +56,34 @@ func handleDockerPluginReportEvents(eventListCh <-chan []reporter.ReportEvent, b
 		log.Warn(err)
 	}
 }
+
+func handleHarborWebhookReportEvents(eventListCh <-chan []reporter.ReportEvent, hpolicy HarborPolicy,
+	pluginLog io.Writer, mailconf MailConf) {
+	filter, events := processReportEvents(eventListCh, hpolicy.Policy, pluginLog)
+	if filter {
+		if hpolicy.Alert {
+			log.Warn(fmt.Sprintf("Action %s has risks!", hpolicy.Action))
+		}
+		if hpolicy.SendMail {
+			err := sendReport2Mail(events, mailconf)
+			if err != nil {
+				log.Error(err)
+			}
+		}
+	}
+	if err := reporter.WriteEvents2Log(events, pluginLog); err != nil {
+		log.Warn(err)
+	}
+}
+func sendReport2Mail(events []reporter.ReportEvent, mailconf MailConf) error {
+	d := gomail.NewDialer(mailconf.Host, mailconf.Port, mailconf.Name, mailconf.Password)
+	m := gomail.NewMessage()
+	m.SetHeader("From", mailconf.Name)
+	m.SetHeader("To", mailconf.Subscriber...)
+	m.SetHeader("Subject", "Harbor webhook Report")
+	m.SetBody("text/plain", fmt.Sprintf("%#v", events))
+	if err := d.DialAndSend(m); err != nil {
+		return err
+	}
+	return nil
+}