Merge pull request #102 from carlosmmatos/minor-updates

redhatrises · web-flow · commit 552f7ca12ea7 · 2025-02-10T15:28:42.000-07:00
fix: update auth for podman login + minor fixes
diff --git a/README.md b/README.md
@@ -27,31 +27,44 @@ A CrowdStrike [OAuth2 API keys](https://falcon.crowdstrike.com/support/api-clien
 
 ## Installation
 
-### For Docker Only
+Choose ONE of the following installation methods based on your container runtime:
+
+### Option 1: Docker Installation
+
+If you're using Docker:
 
 ```shell
 pip3 install docker crowdstrike-falconpy retry
 ```
 
-### For Podman Only
+### Option 2: Podman Installation
+
+If you're using Podman:
 
 ```shell
 pip3 install podman crowdstrike-falconpy retry
 ```
 
-> [!WARNING]
->
-> The following command only needs to be executed if running podman as root:
->
-> ```shell
-> export CONTAINER_HOST="unix:///var/run/podman/podman.sock"
-> ```
+#### Important Podman Configuration Notes
+
+1. For ***rootless*** Podman, ensure the podman socket is running:
+
+   ```shell
+   systemctl --user start podman.socket
+   ```
+
+2. For ***rootful*** Podman, Set the container host environment variable:
+
+   ```shell
+   export CONTAINER_HOST="unix:///var/run/podman/podman.sock"
+   ```
+
+### Option 3: Complete Installation
 
-### Complete Installation (requirements.txt)
+To install support for both Docker and Podman:
 
 > [!NOTE]
-> Using the requirements.txt file will install both Docker and Podman python packages along with
-> any other dependency.
+> If using Podman, follow the [Podman Configuration Notes](#important-podman-configuration-notes) above after installing the requirements.
 
 ```shell
 pip3 install -r requirements.txt
@@ -94,11 +107,11 @@ required arguments:
 >
 > `FALCON_CLIENT_ID`, `FALCON_CLIENT_SECRET`, and `FALCON_CLOUD_REGION`.
 >
-> Establishing and retrieving API credentials can be performed at https://falcon.crowdstrike.com/support/api-clients-and-keys.
+> Establishing and retrieving API credentials can be performed at <https://falcon.crowdstrike.com/support/api-clients-and-keys>.
 
 ## Example Scans
 
-### Example 1:
+### Example 1
 
 ```shell
 python cs_scanimage.py --clientid FALCON_CLIENT_ID --repo <repo> --tag <tag> --cloud-region <cloud_region>
@@ -119,7 +132,7 @@ WARNING Alert: Misconfiguration found
 INFO    Vulnerability score threshold not met: '0' out of '500'
 ```
 
-### Example 2:
+### Example 2
 
 The script provided was built to score vulnerabilities on a scale show below.
 
diff --git a/cs_scanimage.py b/cs_scanimage.py
@@ -42,7 +42,6 @@
 import sys
 from os import environ as env
 from enum import Enum
-import subprocess  # nosec
 import time
 import getpass
 from falconpy import FalconContainer, ContainerBaseURL
@@ -58,16 +57,18 @@
 class ScanImage(Exception):
     """Scanning Image Tasks"""
 
+    # pylint:disable=too-many-instance-attributes
     def __init__(
         self, client_id, client_secret, repo, tag, client, runtime, cloud
-    ):  # pylint: disable=too-many-positional-arguments
+    ):  # pylint:disable=too-many-positional-arguments
         self.client_id = client_id
         self.client_secret = client_secret
         self.repo = repo
         self.tag = tag
         self.client = client
         self.runtime = runtime
         self.server_domain = ContainerBaseURL[cloud.replace("-", "").upper()].value
+        self.auth_config = None
 
     # Step 1: perform container tag to the registry corresponding to the cloud entered
     def container_tag(self):
@@ -104,23 +105,18 @@ def container_login(self):
                 log.error("Docker login failed: %s", str(e))
                 raise
         else:  # podman
-            command = ["podman", "login"]
-            command.extend(["--username", self.client_id])
-            command.extend(["--password", self.client_secret])
-            command.append(self.server_domain)
             try:
-                result = subprocess.run(
-                    command,
-                    shell=False,  # nosec
-                    encoding="utf-8",
-                    stdout=subprocess.PIPE,
-                    stderr=subprocess.PIPE,
-                    check=True,
-                )
-                log.info(result.stdout.strip())
-            except subprocess.CalledProcessError as e:
-                log.error("Podman login failed: %s", e.stderr)
-                raise RuntimeError(e.stderr.strip()) from None
+                auth_config = {
+                    "username": self.client_id,
+                    "password": self.client_secret,
+                }
+                response = self.client.login(registry=self.server_domain, **auth_config)
+                # Store auth config for subsequent operations
+                self.auth_config = auth_config
+                log.info(response["Status"])
+            except Exception as e:
+                log.error("Podman login failed: %s", str(e))
+                raise
 
     # Step 3: perform container push using the repo and tag supplied
     @retry(TimeoutError, tries=5, delay=5)
@@ -133,8 +129,12 @@ def container_push(self):
                 image_push = self.client.images.push(
                     image_str, stream=True, decode=True
                 )
-            else:
-                image_push = self.client.images.push(image_str, stream=True)
+            else:  # podman
+                image_push = self.client.images.push(
+                    image_str,
+                    stream=True,
+                    auth_config=getattr(self, "auth_config", None),
+                )
 
             for line in image_push:
                 if isinstance(line, str):
@@ -162,7 +162,7 @@ def container_push(self):
 # Step 4: poll and get scanreport for specified amount of retries
 def get_scanreport(
     client_id, client_secret, cloud, user_agent, repo, tag, retry_count
-):  # pylint: disable=too-many-positional-arguments
+):  # pylint:disable=too-many-positional-arguments
     log.info("Downloading Image Scan Report")
     falcon = FalconContainer(
         client_id=client_id,
@@ -474,33 +474,39 @@ def parse_args():
 def detect_container_runtime():
     """Detect whether Docker or Podman is available and return the appropriate client"""
     try:
-        import docker  # pylint: disable=C0415
+        import docker  # pylint:disable=C0415
 
         try:
             client = docker.from_env()
             client.ping()
             return client, "docker"
         except (docker.errors.APIError, docker.errors.DockerException):
-            import podman  # pylint: disable=C0415
+            import podman  # pylint:disable=C0415
 
             client = podman.from_env()
             try:
                 client.ping()
             except (ConnectionRefusedError, podman.errors.exceptions.APIError) as exc:
                 raise RuntimeError(
-                    "Could not connect to Podman socket, double check the CONTAINER_HOST environment variable."
+                    "Could not connect to Podman socket. "
+                    "If running rootless, ensure your podman.socket is running (systemctl --user start podman.socket). "
+                    "If running as root, ensure the CONTAINER_HOST environment variable is set correctly "
+                    "(e.g. unix:///var/run/podman/podman.sock)."
                 ) from exc
             return client, "podman"
     except ImportError:
         try:
-            import podman  # pylint: disable=C0415
+            import podman  # pylint:disable=C0415
 
             client = podman.from_env()
             try:
                 client.ping()
             except (ConnectionRefusedError, podman.errors.exceptions.APIError) as exc:
                 raise RuntimeError(
-                    "Could not connect to Podman socket, double check the CONTAINER_HOST environment variable."
+                    "Could not connect to Podman socket. "
+                    "If running rootless, ensure your podman.socket is running (systemctl --user start podman.socket). "
+                    "If running as root, ensure the CONTAINER_HOST environment variable is set correctly "
+                    "(e.g. unix:///var/run/podman/podman.sock)."
                 ) from exc
             return client, "podman"
         except ImportError as exc:
@@ -509,7 +515,7 @@ def detect_container_runtime():
             ) from exc
 
 
-def main():  # pylint: disable=R0915
+def main():  # pylint:disable=R0915
 
     try:
         (
