Merge pull request #83 from secureCodeBox/result-download-links

Add Presigned URLs to download Scan Results to Scan Status

Author: J12934

operator/PROJECT

@@ -17,9 +17,6 @@ resources:
 - group: execution
   kind: ScheduledScan
   version: v1
-- group: targets
-  kind: Host
-  version: v1
 - group: cascading
   kind: CascadingRule
   version: v1

operator/apis/execution/v1/scan_types.go

@@ -52,6 +52,11 @@ type ScanStatus struct {
 	// RawResultFile Filename of the result file of the scanner. e.g. `nmap-result.xml`
 	RawResultFile string `json:"rawResultFile,omitempty"`
 
+	// FindingDownloadLink link to download the finding json file from. Valid for 7 days
+	FindingDownloadLink string `json:"findingDownloadLink,omitempty"`
+	// RawResultDownloadLink link to download the raw result file from. Valid for 7 days
+	RawResultDownloadLink string `json:"rawResultDownloadLink,omitempty"`
+
 	Findings FindingStats `json:"findings,omitempty"`
 
 	ReadAndWriteHookStatus []HookStatus `json:"readAndWriteHookStatus,omitempty"`

operator/config/crd/bases/execution.experimental.securecodebox.io_scans.yaml

@@ -218,6 +218,10 @@ spec:
           properties:
             errorDescription:
               type: string
+            findingDownloadLink:
+              description: FindingDownloadLink link to download the finding json file
+                from. Valid for 7 days
+              type: string
             findings:
               description: FindingStats contains the general stats about the results
                 of the scan
@@ -257,6 +261,10 @@ spec:
                 parser & hooks) has been marked as "Done"
               format: date-time
               type: string
+            rawResultDownloadLink:
+              description: RawResultDownloadLink link to download the raw result file
+                from. Valid for 7 days
+              type: string
             rawResultFile:
               description: RawResultFile Filename of the result file of the scanner.
                 e.g. `nmap-result.xml`

operator/config/crd/kustomization.yaml

@@ -2,13 +2,12 @@
 # since it depends on service name and namespace that are out of this kustomize package.
 # It should be run by config/default
 resources:
-- bases/execution.experimental.securecodebox.io_scans.yaml
-- bases/execution.experimental.securecodebox.io_scantypes.yaml
-- bases/execution.experimental.securecodebox.io_scancompletionhooks.yaml
-- bases/execution.experimental.securecodebox.io_parsedefinitions.yaml
-- bases/execution.experimental.securecodebox.io_scheduledscans.yaml
-- bases/targets.experimental.securecodebox.io_hosts.yaml
-- bases/cascading.experimental.securecodebox.io_cascadingrules.yaml
+  - bases/execution.experimental.securecodebox.io_scans.yaml
+  - bases/execution.experimental.securecodebox.io_scantypes.yaml
+  - bases/execution.experimental.securecodebox.io_scancompletionhooks.yaml
+  - bases/execution.experimental.securecodebox.io_parsedefinitions.yaml
+  - bases/execution.experimental.securecodebox.io_scheduledscans.yaml
+  - bases/cascading.experimental.securecodebox.io_cascadingrules.yaml
 # +kubebuilder:scaffold:crdkustomizeresource
 
 patchesStrategicMerge:
@@ -36,4 +35,4 @@ patchesStrategicMerge:
 
 # the following config is for teaching kustomize how to do kustomization for CRDs.
 configurations:
-- kustomizeconfig.yaml
+  - kustomizeconfig.yaml

operator/config/rbac/host_editor_role.yaml

@@ -82,20 +82,20 @@ func (r *ScanReconciler) executeReadAndWriteHooks(scan *executionv1.Scan) error
 
 	switch nonCompletedHook.State {
 	case executionv1.Pending:
-		rawFileURL, err := r.PresignedGetURL(scan.UID, scan.Status.RawResultFile)
+		rawFileURL, err := r.PresignedGetURL(scan.UID, scan.Status.RawResultFile, defaultPresignDuration)
 		if err != nil {
 			return err
 		}
-		findingsFileURL, err := r.PresignedGetURL(scan.UID, "findings.json")
+		findingsFileURL, err := r.PresignedGetURL(scan.UID, "findings.json", defaultPresignDuration)
 		if err != nil {
 			return err
 		}
 
-		rawFileUploadURL, err := r.PresignedPutURL(scan.UID, scan.Status.RawResultFile)
+		rawFileUploadURL, err := r.PresignedPutURL(scan.UID, scan.Status.RawResultFile, defaultPresignDuration)
 		if err != nil {
 			return err
 		}
-		findingsUploadURL, err := r.PresignedPutURL(scan.UID, "findings.json")
+		findingsUploadURL, err := r.PresignedPutURL(scan.UID, "findings.json", defaultPresignDuration)
 		if err != nil {
 			return err
 		}
@@ -242,11 +242,11 @@ func (r *ScanReconciler) startReadOnlyHooks(scan *executionv1.Scan) error {
 			continue
 		}
 
-		rawFileURL, err := r.PresignedGetURL(scan.UID, scan.Status.RawResultFile)
+		rawFileURL, err := r.PresignedGetURL(scan.UID, scan.Status.RawResultFile, defaultPresignDuration)
 		if err != nil {
 			return err
 		}
-		findingsFileURL, err := r.PresignedGetURL(scan.UID, "findings.json")
+		findingsFileURL, err := r.PresignedGetURL(scan.UID, "findings.json", defaultPresignDuration)
 		if err != nil {
 			return err
 		}

operator/config/rbac/host_viewer_role.yaml

@@ -49,12 +49,12 @@ func (r *ScanReconciler) startParser(scan *executionv1.Scan) error {
 	}
 	log.Info("Matching ParseDefinition Found", "ParseDefinition", parseType)
 
-	findingsUploadURL, err := r.PresignedPutURL(scan.UID, "findings.json")
+	findingsUploadURL, err := r.PresignedPutURL(scan.UID, "findings.json", defaultPresignDuration)
 	if err != nil {
 		r.Log.Error(err, "Could not get presigned url from s3 or compatible storage provider")
 		return err
 	}
-	rawResultDownloadURL, err := r.PresignedGetURL(scan.UID, scan.Status.RawResultFile)
+	rawResultDownloadURL, err := r.PresignedGetURL(scan.UID, scan.Status.RawResultFile, defaultPresignDuration)
 	if err != nil {
 		return err
 	}

operator/controllers/execution/scans/hook_reconciler.go

@@ -52,6 +52,8 @@ var (
 // https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions/#finalizers
 var s3StorageFinalizer = "s3.storage.experimental.securecodebox.io"
 
+const defaultPresignDuration = 12 * time.Hour
+
 // +kubebuilder:rbac:groups=execution.experimental.securecodebox.io,resources=scans,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=execution.experimental.securecodebox.io,resources=scans/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=execution.experimental.securecodebox.io,resources=scantypes,verbs=get;list;watch
@@ -147,11 +149,11 @@ func (r *ScanReconciler) handleFinalizer(scan *executionv1.Scan) error {
 }
 
 // PresignedGetURL returns a presigned URL from the s3 (or compatible) serice.
-func (r *ScanReconciler) PresignedGetURL(scanID types.UID, filename string) (string, error) {
+func (r *ScanReconciler) PresignedGetURL(scanID types.UID, filename string, duration time.Duration) (string, error) {
 	bucketName := os.Getenv("S3_BUCKET")
 
 	reqParams := make(url.Values)
-	rawResultDownloadURL, err := r.MinioClient.PresignedGetObject(bucketName, fmt.Sprintf("scan-%s/%s", string(scanID), filename), 12*time.Hour, reqParams)
+	rawResultDownloadURL, err := r.MinioClient.PresignedGetObject(bucketName, fmt.Sprintf("scan-%s/%s", string(scanID), filename), duration, reqParams)
 	if err != nil {
 		r.Log.Error(err, "Could not get presigned url from s3 or compatible storage provider")
 		return "", err
@@ -160,10 +162,10 @@ func (r *ScanReconciler) PresignedGetURL(scanID types.UID, filename string) (str
 }
 
 // PresignedPutURL returns a presigned URL from the s3 (or compatible) serice.
-func (r *ScanReconciler) PresignedPutURL(scanID types.UID, filename string) (string, error) {
+func (r *ScanReconciler) PresignedPutURL(scanID types.UID, filename string, duration time.Duration) (string, error) {
 	bucketName := os.Getenv("S3_BUCKET")
 
-	rawResultDownloadURL, err := r.MinioClient.PresignedPutObject(bucketName, fmt.Sprintf("scan-%s/%s", string(scanID), filename), 12*time.Hour)
+	rawResultDownloadURL, err := r.MinioClient.PresignedPutObject(bucketName, fmt.Sprintf("scan-%s/%s", string(scanID), filename), duration)
 	if err != nil {
 		r.Log.Error(err, "Could not get presigned url from s3 or compatible storage provider")
 		return "", err

operator/controllers/execution/scans/parse_reconciler.go

@@ -7,6 +7,7 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
+	"time"
 
 	executionv1 "github.com/secureCodeBox/secureCodeBox-v2/operator/apis/execution/v1"
 	util "github.com/secureCodeBox/secureCodeBox-v2/operator/utils"
@@ -89,6 +90,19 @@ func (r *ScanReconciler) startScan(scan *executionv1.Scan) error {
 	scan.Status.State = "Scanning"
 	scan.Status.RawResultType = scanType.Spec.ExtractResults.Type
 	scan.Status.RawResultFile = filepath.Base(scanType.Spec.ExtractResults.Location)
+
+	findingsDownloadURL, err := r.PresignedGetURL(scan.UID, "findings.json", 7*24*time.Hour)
+	if err != nil {
+		r.Log.Error(err, "Could not get presigned url from s3 or compatible storage provider")
+		return err
+	}
+	scan.Status.FindingDownloadLink = findingsDownloadURL
+	rawResultDownloadURL, err := r.PresignedGetURL(scan.UID, scan.Status.RawResultFile, 7*24*time.Hour)
+	if err != nil {
+		return err
+	}
+	scan.Status.RawResultDownloadLink = rawResultDownloadURL
+
 	if err := r.Status().Update(ctx, scan); err != nil {
 		log.Error(err, "unable to update Scan status")
 		return err
@@ -129,7 +143,7 @@ func (r *ScanReconciler) checkIfScanIsCompleted(scan *executionv1.Scan) error {
 
 func (r *ScanReconciler) constructJobForScan(scan *executionv1.Scan, scanType *executionv1.ScanType) (*batch.Job, error) {
 	filename := filepath.Base(scanType.Spec.ExtractResults.Location)
-	resultUploadURL, err := r.PresignedPutURL(scan.UID, filename)
+	resultUploadURL, err := r.PresignedPutURL(scan.UID, filename, defaultPresignDuration)
 	if err != nil {
 		r.Log.Error(err, "Could not get presigned url from s3 or compatible storage provider")
 		return nil, err