drop scanner_image_prefix

dev/box_setup.sh

@@ -22,9 +22,9 @@ EOF
 # create images for sample scanners
 cat <<EOF | dexec -T surface ./manage.py shell
 from scanners import models
-models.ScannerImage.objects.get_or_create(name='example')
-models.ScannerImage.objects.get_or_create(name='httpx')
-models.ScannerImage.objects.get_or_create(name='nmap')
+models.ScannerImage.objects.update_or_create(name='example', defaults={'image': 'ghcr.io/surface-security/scanner-example'})
+models.ScannerImage.objects.update_or_create(name='httpx', defaults={'image': 'ghcr.io/surface-security/scanner-httpx'})
+models.ScannerImage.objects.update_or_create(name='nmap', defaults={'image': 'ghcr.io/surface-security/scanner-nmap'})
 EOF
 
 echo done

surface/scanners/apps.py

@@ -4,8 +4,7 @@
 APP_SETTINGS = dict(
     PUBLIC_KEY_PATH=None,
     PRIVATE_KEY_PATH=None,
-    REGISTRY_TOKEN=None,
-    IMAGE_PREFIX=None,
+    REGISTRY_AUTH={},
     DOCKER_CA_CERT=None,
     DOCKER_CA_CERT_PATH=None,
     DOCKER_CLIENT_KEY=None,
@@ -14,6 +13,10 @@
     DOCKER_CLIENT_CERT_PATH=None,
     PROXY_USERNAME=None,
     PROXY_PASSWORD=None,
+    HELPER_IMAGE='ghcr.io/surface-security/scanner-helper',
+    HELPER_IMAGE_TAG='1',
+    PROXY_IMAGE='ghcr.io/surface-security/scanner-proxy',
+    PROXY_IMAGE_TAG='latest',
 )
 
 

surface/scanners/management/commands/resync_rootbox.py

@@ -22,7 +22,7 @@ class Command(LogBaseCommand):
     def __init__(self, *a, **b):
         super().__init__(*a, **b)
         self.__run_match = re.compile(rf'scanner-{settings.AVZONE}-(\d+)-(.*)')
-        self._helper = f'{settings.SCANNERS_IMAGE_PREFIX}helper:85'
+        self._helper = f'{settings.SCANNERS_HELPER_IMAGE}:{settings.SCANNERS_HELPER_IMAGE_TAG}'
 
     def add_arguments(self, parser):
         parser.add_argument('-1', '--run-once', action='store_true', default=False, help='Run only one check')

surface/scanners/management/commands/run_scanner.py

@@ -118,17 +118,16 @@ def handle(self, *args, **options):
                 # no input
                 return
 
-            image_name = f'{settings.SCANNERS_IMAGE_PREFIX}{ scanner.image.name }'
             try:
-                docker.images.pull(image_name, scanner.docker_tag)
+                docker.images.pull(scanner.image.image, scanner.docker_tag)
             except APIError as e:
                 # log warning only, this is optional tag "refresh"
                 # registry might be down from time to time (maintenance, etc)
                 self.log_warning('failed to pull image: %s', str(e))
 
             scanner_timestamp = int(time.time())
             c = docker.containers.create(
-                f'{image_name}:{scanner.docker_tag}',
+                f'{scanner.image.image}:{scanner.docker_tag}',
                 name=f'{cont_name}{ scanner_timestamp }',
                 command=' '.join(scanner_args),
                 privileged=True,

surface/scanners/management/commands/run_squid_proxy.py

@@ -24,11 +24,10 @@ def handle(self, *args, **options):
         # validate that all rootboxes exist before processing
         boxes = [models.Rootbox.objects.get(name=rootbox) for rootbox in set(options['rootbox'])]
         container_name = f'squid-{settings.AVZONE}'
-        image_name = f'{settings.SCANNERS_IMAGE_PREFIX}squid'
 
         def _doit(docker, rootbox):
             c = docker.containers.create(
-                f'{image_name}:latest',
+                f'{settings.SCANNERS_PROXY_IMAGE}:{settings.SCANNERS_PROXY_IMAGE_TAG}',
                 name=container_name,
                 environment={
                     'SCANNER_USERNAME': settings.SCANNERS_PROXY_USERNAME,
@@ -43,7 +42,7 @@ def _doit(docker, rootbox):
         for rootbox in boxes:
             docker = utils.get_docker_client(rootbox.ip, rootbox.dockerd_port, use_tls=rootbox.dockerd_tls)
             try:
-                docker.images.pull(image_name, 'latest')
+                docker.images.pull(settings.SCANNERS_PROXY_IMAGE, settings.SCANNERS_PROXY_IMAGE_TAG)
             except APIError as e:
                 # log warning only, this is optional tag "refresh"
                 # registry might be down from time to time (maintenance, etc)

surface/scanners/migrations/0002_scannerimage_image.py

@@ -0,0 +1,19 @@
+# Generated by Django 3.2.12 on 2022-02-19 01:48
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('scanners', '0001_initial_20211102'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='scannerimage',
+            name='image',
+            field=models.CharField(default='', help_text='Full path to image, including registry', max_length=255),
+            preserve_default=False,
+        ),
+    ]

surface/scanners/models.py

@@ -35,6 +35,9 @@ class Meta:
 
 class ScannerImage(models.Model):
     name = models.CharField(max_length=255, primary_key=True)
+    image = models.CharField(
+        max_length=255, null=False, blank=False, help_text='Full path to image, including registry'
+    )
     description = models.TextField(null=True, blank=True)
     vault_secrets = models.BooleanField(default=False)
 

surface/scanners/utils/__init__.py

@@ -38,16 +38,7 @@ def get_docker_client(ip, port=80, use_tls=True):
         tls=tlsconfig,
     )
     # set _auth_configs to avoid need of config.json on disk or passing the info on every method
-    client.api._auth_configs = docker.auth.AuthConfig(
-        {
-            'auths': {
-                docker.auth.resolve_repository_name(settings.SCANNERS_IMAGE_PREFIX)[0]: {
-                    'username': 'ignored',
-                    'password': settings.SCANNERS_REGISTRY_TOKEN,
-                }
-            }
-        }
-    )
+    client.api._auth_configs = docker.auth.AuthConfig({'auths': settings.SCANNERS_REGISTRY_AUTH})
     return client
 
 

surface/surface/settings.py

@@ -138,8 +138,7 @@
 DEBUG = ENV_VAR.bool('SURF_DEBUG', default=True)
 ALLOWED_HOSTS = ENV_VAR.list('SURF_ALLOWED_HOSTS', default=['127.0.0.1', 'localhost'])
 
-SCANNERS_REGISTRY_TOKEN = ENV_VAR('SURF_SCANNERS_REGISTRY_TOKEN', default='NOT_THIS_ONE')
-SCANNERS_IMAGE_PREFIX = ENV_VAR.str('SURF_SCANNERS_IMAGE_PREFIX', default='ghcr.io/surface-security', must_end_with='/')
+SCANNERS_REGISTRY_AUTH = ENV_VAR.json('SURF_SCANNERS_REGISTRY_AUTH', default={})
 SCANNERS_DOCKER_CA_CERT = ENV_VAR('SURF_SCANNERS_DOCKER_CA_CERT', default=None)
 SCANNERS_DOCKER_CA_CERT_PATH = ENV_VAR('SURF_SCANNERS_DOCKER_CA_CERT_PATH', default=None)
 SCANNERS_DOCKER_CLIENT_KEY = ENV_VAR('SURF_SCANNERS_DOCKER_CLIENT_KEY', default='')

surface/surface/settings_test.py

@@ -7,5 +7,5 @@
 from .settings import *
 
 AVZONE = 'test'
-SCANNERS_IMAGE_PREFIX = 'registry.com/test/'
 LOGBASECOMMAND_PREFIX = 'surface.command'
+SCANNERS_PROXY_IMAGE = 'registry.com/test/squid'