Apply autoprettier

2024-11-13 19:08:56 +00:00 · 2020-11-25 07:52:57 +00:00 · 2020-11-25 07:52:57 +00:00 · 0206be67e5
commit 0206be67e5
parent 7bd86a5425
3 changed files with 80 additions and 87 deletions
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@ -32,12 +32,12 @@ jobs:
      - name: Install python
        uses: actions/setup-python@v1
        with:
-          python-version: '3.9'
+          python-version: "3.9"
      - name: Generate cache key CACHE
        run:
-          echo "CACHE=${{ secrets.CACHE_DATE }} ${{ runner.os }}
-          $(python -VV | sha256sum | cut -d' ' -f1) ${{ hashFiles('pyproject.toml') }}
-          ${{ hashFiles('poetry.lock') }}" >> $GITHUB_ENV
+          echo "CACHE=${{ secrets.CACHE_DATE }} ${{ runner.os }} $(python -VV |
+          sha256sum | cut -d' ' -f1) ${{ hashFiles('pyproject.toml') }} ${{
+          hashFiles('poetry.lock') }}" >> $GITHUB_ENV
      - uses: actions/cache@v2
        with:
          path: |
--- a/README.md
+++ b/README.md
@ -11,36 +11,36 @@ This is a security-enhanced proxy for the Docker Socket.

 ## Why?

-Giving access to your Docker socket could mean giving root access to your host,
-or even to your whole swarm, but some services require hooking into that socket
-to react to events, etc. Using this proxy lets you block anything you consider
-those services should not do.
+Giving access to your Docker socket could mean giving root access to your host, or even
+to your whole swarm, but some services require hooking into that socket to react to
+events, etc. Using this proxy lets you block anything you consider those services should
+not do.

 ## How?

-We use the official [Alpine][]-based [HAProxy][] image with a small
-configuration file.
+We use the official [Alpine][]-based [HAProxy][] image with a small configuration file.

-It blocks access to the Docker socket API according to the environment
-variables you set. It returns a `HTTP 403 Forbidden` status for those dangerous
-requests that should never happen.
+It blocks access to the Docker socket API according to the environment variables you
+set. It returns a `HTTP 403 Forbidden` status for those dangerous requests that should
+never happen.

 ## Security recommendations

- Never expose this container's port to a public network. Only to a Docker
-  networks where only reside the proxy itself and the service that uses it.
- Revoke access to any API section that you consider your service should not
-  need.
- This image does not include TLS support, just plain HTTP proxy to the host
-  Docker Unix socket (which is not TLS protected even if you configured your
-  host for TLS protection). This is by design because you are supposed to
-  restrict access to it through Docker's built-in firewall.
- [Read the docs](#suppported-api-versions) for the API version you are using,
-  and **know what you are doing**.
+-   Never expose this container's port to a public network. Only to a Docker networks
+    where only reside the proxy itself and the service that uses it.
+-   Revoke access to any API section that you consider your service should not need.
+-   This image does not include TLS support, just plain HTTP proxy to the host Docker
+    Unix socket (which is not TLS protected even if you configured your host for TLS
+    protection). This is by design because you are supposed to restrict access to it
+    through Docker's built-in firewall.
+-   [Read the docs](#suppported-api-versions) for the API version you are using, and
+    **know what you are doing**.

 ## Usage

-1.  Run the API proxy (`--privileged` flag is required here because it connects with the docker socket, which is a privileged connection in some SELinux/AppArmor contexts and would get locked otherwise):
+1.  Run the API proxy (`--privileged` flag is required here because it connects with the
+    docker socket, which is a privileged connection in some SELinux/AppArmor contexts
+    and would get locked otherwise):

        $ docker container run \
            -d --privileged \
@ -80,85 +80,84 @@ requests that should never happen.
        Request forbidden by administrative rules.
        </body></html>

-The same will happen to any containers that use this proxy's `2375` port to
-access the Docker socket API.
+The same will happen to any containers that use this proxy's `2375` port to access the
+Docker socket API.

 ## Grant or revoke access to certain API sections

-You grant and revoke access to certain features of the Docker API through
-environment variables.
+You grant and revoke access to certain features of the Docker API through environment
+variables.

-Normally the variables match the URL prefix (i.e. `AUTH` blocks access to
-`/auth/*` parts of the API, etc.).
+Normally the variables match the URL prefix (i.e. `AUTH` blocks access to `/auth/*`
+parts of the API, etc.).

 Possible values for these variables:

- `0` to **revoke** access.
- `1` to **grant** access.
+-   `0` to **revoke** access.
+-   `1` to **grant** access.

 ### Access granted by default

-These API sections are mostly harmless and almost required for any service that
-uses the API, so they are granted by default.
+These API sections are mostly harmless and almost required for any service that uses the
+API, so they are granted by default.

- `EVENTS`
- `PING`
- `VERSION`
+-   `EVENTS`
+-   `PING`
+-   `VERSION`

 ### Access revoked by default

 #### Security-critical

-These API sections are considered security-critical, and thus access is revoked
-by default. Maximum caution when enabling these.
+These API sections are considered security-critical, and thus access is revoked by
+default. Maximum caution when enabling these.

- `AUTH`
- `SECRETS`
- `POST`: When disabled, only `GET` and `HEAD` operations are allowed, meaning
-  any section of the API is read-only.
+-   `AUTH`
+-   `SECRETS`
+-   `POST`: When disabled, only `GET` and `HEAD` operations are allowed, meaning any
+    section of the API is read-only.

 #### Not always needed

-You will possibly need to grant access to some of these API sections, which are
-not so extremely critical but can expose some information that your service
-does not need.
+You will possibly need to grant access to some of these API sections, which are not so
+extremely critical but can expose some information that your service does not need.

- `BUILD`
- `COMMIT`
- `CONFIGS`
- `CONTAINERS`
- `DISTRIBUTION`
- `EXEC`
- `IMAGES`
- `INFO`
- `NETWORKS`
- `NODES`
- `PLUGINS`
- `SERVICES`
- `SESSION`
- `SWARM`
- `SYSTEM`
- `TASKS`
- `VOLUMES`
+-   `BUILD`
+-   `COMMIT`
+-   `CONFIGS`
+-   `CONTAINERS`
+-   `DISTRIBUTION`
+-   `EXEC`
+-   `IMAGES`
+-   `INFO`
+-   `NETWORKS`
+-   `NODES`
+-   `PLUGINS`
+-   `SERVICES`
+-   `SESSION`
+-   `SWARM`
+-   `SYSTEM`
+-   `TASKS`
+-   `VOLUMES`

 ## Logging

 You can set the logging level or severity level of the messages to be logged with the
- environment variable `LOG_LEVEL`. Defaul value is info. Possible values are: debug, 
- info, notice, warning, err, crit, alert and emerg.
+environment variable `LOG_LEVEL`. Defaul value is info. Possible values are: debug,
+info, notice, warning, err, crit, alert and emerg.

 ## Supported API versions

- [1.27](https://docs.docker.com/engine/api/v1.27/)
- [1.28](https://docs.docker.com/engine/api/v1.28/)
- [1.29](https://docs.docker.com/engine/api/v1.29/)
- [1.30](https://docs.docker.com/engine/api/v1.30/)
- [1.37](https://docs.docker.com/engine/api/v1.37/)
+-   [1.27](https://docs.docker.com/engine/api/v1.27/)
+-   [1.28](https://docs.docker.com/engine/api/v1.28/)
+-   [1.29](https://docs.docker.com/engine/api/v1.29/)
+-   [1.30](https://docs.docker.com/engine/api/v1.30/)
+-   [1.37](https://docs.docker.com/engine/api/v1.37/)

 ## Feedback

 Please send any feedback (issues, questions) to the [issue tracker][].

-[Alpine]: https://alpinelinux.org/
-[HAProxy]: http://www.haproxy.org/
+[alpine]: https://alpinelinux.org/
+[haproxy]: http://www.haproxy.org/
 [issue tracker]: https://github.com/Tecnativa/docker-socket-proxy/issues
--- a/tests/test_service.py
+++ b/tests/test_service.py
@ -1,10 +1,7 @@
-
-import pytest
 import logging

-from plumbum import ProcessExecutionError, local
+from plumbum import ProcessExecutionError
 from plumbum.cmd import docker
-from plumbum.machines.local import LocalCommand

 logger = logging.getLogger()

@ -13,18 +10,19 @@ SOCKET_PROXY = "127.0.0.1:2375"


 def _start_proxy(
-    container_name=CONTAINER_NAME,
-    socket_proxy=SOCKET_PROXY,
-    extra_args=None
+    container_name=CONTAINER_NAME, socket_proxy=SOCKET_PROXY, extra_args=None
 ):
    logger.info(f"Starting {container_name} with args: {extra_args}...")
    docker(
        "run",
        "-d",
-        "--name", container_name,
+        "--name",
+        container_name,
        "--privileged",
-        "-v", "/var/run/docker.sock:/var/run/docker.sock",
-        "-p", f"{socket_proxy}:2375",
+        "-v",
+        "/var/run/docker.sock:/var/run/docker.sock",
+        "-p",
+        f"{socket_proxy}:2375",
        extra_args,
        "tecnativa/docker-socket-proxy",
    )
@ -86,7 +84,6 @@ def test_default_permissions():
        _check_permission("forbidden", ["build", "."])
        _check_permission("forbidden", ["swarm", "init"])
    finally:
-        pass
        _stop_and_delete_proxy()


@ -100,7 +97,6 @@ def test_container_permissions():
        _check_permission("forbidden", ["rm", "-f", CONTAINER_NAME])
        _check_permission("forbidden", ["restart", CONTAINER_NAME])
    finally:
-        pass
        _stop_and_delete_proxy()


@ -112,7 +108,6 @@ def test_post_permissions():
        _check_permission("forbidden", ["run", "--rm", "alpine"])
        _check_permission("forbidden", ["network", "create", "foobar"])
    finally:
-        pass
        _stop_and_delete_proxy()


@ -123,5 +118,4 @@ def test_network_post_permissions():
        _check_permission("allowed", ["network", "create", "foo"])
        _check_permission("allowed", ["network", "rm", "foo"])
    finally:
-        pass
-        _stop_and_delete_proxy()
+        _stop_and_delete_proxy()