[podman_wrapper] simplify gather UID/GID mapping (RedHatProductSecuri…

…ty#131)

Originally, the method was a strict rewrite from
https://github.com/containers/podman/blob/main/troubleshooting.md#39-podman-run-fails-with-error-unrecognized-namespace-mode-keep-iduid1000gid1000-passed
Which contained a terrible eval() call

We modified it in commit 3c7e1c8, creating a "safe_eval".

However, this does not work well on MacOS

Rewriting the methodology from scratch: retreive the JSON output, and
make the calculations from there.

Added pytest for it

scanners/podman_wrapper.py

@@ -1,11 +1,10 @@
+import json
 import logging
 import random
 import shutil
 import string
 import subprocess
 
-from utils import safe_add
-
 
 class PodmanWrapper:
     ###############################################################
@@ -98,38 +97,30 @@ def change_user_id(self, runas_uid, runas_gid):
         https://github.com/containers/podman/blob/main/troubleshooting.md#39-podman-run-fails-with-error-unrecognized-namespace-mode-keep-iduid1000gid1000-passed
         """
 
-        sizes = (
-            subprocess.run(
-                [
-                    "podman",
-                    "info",
-                    "--format",
-                    "{{ range .Host.IDMappings.UIDMap }}+{{ .Size }}{{ end }}",
-                ],
-                stdout=subprocess.PIPE,
-                check=True,
+        try:
+            info = json.loads(
+                subprocess.run(
+                    ["podman", "info", "--format", "json"],
+                    stdout=subprocess.PIPE,
+                    check=True,
+                ).stdout.decode("utf-8")
             )
-            .stdout.decode("utf-8")
-            .strip("\n")
-        )
-        logging.debug(f"UIDmapping sizes: {sizes}")
-        subuid_size = safe_add(f"{sizes} - 1")
-        sizes = (
-            subprocess.run(
-                [
-                    "podman",
-                    "info",
-                    "--format",
-                    "{{ range .Host.IDMappings.GIDMap }}+{{ .Size }}{{ end }}",
-                ],
-                stdout=subprocess.PIPE,
-                check=True,
+            logging.debug(f"podman UID mapping: {info['host']['idMappings']['uidmap']}")
+            subuid_size = (
+                sum(i["size"] for i in info["host"]["idMappings"]["uidmap"]) - 1
             )
-            .stdout.decode("utf-8")
-            .strip("\n")
-        )
-        logging.debug(f"UIDmapping sizes: {sizes}")
-        subgid_size = safe_add(f"{sizes} - 1")
+            subgid_size = (
+                sum(i["size"] for i in info["host"]["idMappings"]["gidmap"]) - 1
+            )
+        except json.JSONDecodeError as exc:
+            raise RuntimeError(f"Unable to parse `podman info` output: {exc}") from exc
+        except (KeyError, AttributeError) as exc:
+            raise RuntimeError(
+                f"Unexpected podman info output: entry not found: {exc}"
+            ) from exc
+        except Exception as exc:
+            logging.error(f"change_user_id unexpected error: {exc}")
+            raise RuntimeError(f"Unable to retrieve podman UID mapping: {exc}") from exc
 
         # UID mapping
         self.add_option("--uidmap", f"0:1:{runas_uid}")

tests/scanners/test_podman_wrapper.py

@@ -0,0 +1,18 @@
+import shutil
+
+import pytest
+
+from scanners.podman_wrapper import PodmanWrapper
+
+
+@pytest.mark.skipif(
+    shutil.which("podman") == False, reason="podman is required for this test"
+)
+def test_podman_mappings():
+    wrap = PodmanWrapper(app_name="pytest", scan_name="pytest", image="nothing")
+
+    wrap.change_user_id(1000, 1000)
+
+    assert "--uidmap" in wrap.opts
+    assert "0:1:1000" in wrap.opts
+    assert "--gidmap" in wrap.opts

utils/__init__.py

@@ -1,2 +1 @@
 from .add_logging_level import add_logging_level
-from .safe_add import safe_add