Merge branch 'avoid_import_unknown_external_library' into 'master'

Added whitelisted cloud provider names See merge request !572

Merge branch 'avoid_import_unknown_external_library' into 'master'
dd4d195d · Shane Hutchins · 4a64c083 · 03b9c97e · dd4d195d · dd4d195d
Commit dd4d195d authored 1 week ago by Shane Hutchins
--- a/app/README.md
+++ b/app/README.md
@@ -39,11 +39,18 @@ Recently policy service was migrated from Flask to FastAPI, this was done in par
    * baremetal
    * aws
    * azure
-    * gcp
+    * gc
    * ibm
    * LOCAL
    * MOCK or undefined
-
+  
+    Libraries for working with storage can only be imported for the following providers:
+    * baremetal
+    * aws
+    * azure
+    * gc
+    * ibm
+    
    Related Settings/Environmental variables:
    - `POLICY_BUCKET` - used by AWS, Google Cloud and IBM to determine which bucket is used for providing bundle files. Service identity running policy service needs to have write permission to contents in this bucket. Note us-east-1 is only region supported at this time for AWS.
    - `CONTAINER_NAME` - used by Azure to determine which container is used for providing bundle files. Service principal running policy service needs to have write permission to contents in this bucket.

--- a/app/bundles/storage.py
+++ b/app/bundles/storage.py
@@ -22,6 +22,8 @@ from typing import Tuple

 from osdu_api.providers.types import FileLikeObject

+import conf
+
 logger = logging.getLogger(__name__)


@@ -56,11 +58,16 @@ def get_storage() -> BundleStorageClient:
        sys.exit(1)

    cloud_env = os.environ.get("CLOUD_PROVIDER")
-    try:
-        provider_module = _import_provider_specific_module(cloud_env)
-    except ModuleNotFoundError as exc:
-        logger.critical(f"Error occurred while importing module for {cloud_env}")
-        logger.critical(f"Exception: {exc}")
+
+    if cloud_env in conf.ALLOWED_CLOUD_PROVIDERS:
+        try:
+            provider_module = _import_provider_specific_module(cloud_env)
+        except ModuleNotFoundError as exc:
+            logger.critical(f"Error occurred while importing module for {cloud_env}")
+            logger.critical(f"Exception: {exc}")
+    else:
+        logger.critical("Error: specified CLOUD_PROVIDER wasn't in allowed list")
+        sys.exit(1)

    logger.info(f"get_storage provider for cloud_env {cloud_env}")
    return provider_module.storage_client()
--- a/app/conf.py
+++ b/app/conf.py
@@ -546,4 +546,8 @@ ALLOW_CORRELATION_ID_PATTERN = "^[A-Za-z0-9_-]*$"
 # OCI Registry not supported
 OPA_SUPPORTED_SERVICES = ["s3", "gcs", "gcp", "blob", "nginx"]

+# whitelisted cloud providers to import libraries
+ALLOWED_CLOUD_PROVIDERS = {"aws", "azure", "baremetal", "gc", "ibm"}
+
+
 CLOUD_PROVIDER = os.getenv("CLOUD_PROVIDER", "LOCAL")