manageiq-api-client-python's Introduction

ManageIQ Python API Client

This Python package provides the ManageIQ API Client library.

Getting Started

Preparing your Python virtual environment:

$ virtualenv venv
$ source venv/bin/activate
$ pip install -e .  # To create an editable install of this package

If you want to install it directly from GitHub:

$ pip install git+https://github.com/ManageIQ/manageiq-api-client-python.git

To run the example in this repository, you will probably need to set the following environment variables (if your values differ from the defaults shown here):

$ export MIQURL=http://localhost:3000/api
$ export MIQUSERNAME=admin
$ export MIQPASSWORD=smartvm

$ python example.py

To run the example with an API token, use these settings:

$ export MIQURL=http://localhost:3000/api
$ export MIQTOKEN=< place real token here >

$ python example.py

Legal

Copyright 2013 Red Hat, Inc. and/or its affiliates.

License: GPL version 2 or any later version (see COPYING or http://www.gnu.org/licenses/old-licenses/gpl-2.0-standalone.html for details).

manageiq-api-client-python's People

Contributors

abellotti, ashcrow, cben, chessbyte, dkorn, fryguy, mend-bolt-for-github[bot], mkoura, nmaludy, psav, ryankwilliams, simon3z, syncrou, valaparthvi

manageiq-api-client-python's Issues

Recursion depth exceeded when getting an invalid action attribute from a collection

When attempting to get an action attribute value from the collection object, a RecursionError is raised if an invalid action is given. The expected behavior would be to raise an AttributeError which does happen in Python 2.7 but not in Python 3.6.

Python 2.7.14

from manageiq_client.api import ManageIQClient as MiqApi
client = MiqApi(url, dict(user=username, password=password))
# get the provision requests collection object
collection = getattr(client.collections, 'provision_requests')
# attempt to get an invalid provision requests action
action = getattr(collection.action, 'invalid_action')

# output
Traceback (most recent call last):
  File "example.py", line 21, in <module>
    action = getattr(collection.action, 'invalid_action')
  File "/home/rywillia/github/manageiq-api-client-python/src/manageiq_client/api.py", line 592, in __getattr__
    raise AttributeError("No such action {}".format(attr))
AttributeError: No such action invalid_action

Python 3.6.4

from manageiq_client.api import ManageIQClient as MiqApi
client = MiqApi(url, dict(user=username, password=password))
# get the provision requests collection object
collection = getattr(client.collections, 'provision_requests')
# attempt to get an invalid provision requests action
action = getattr(collection.action, 'invalid_action')

Traceback (most recent call last):
  File "example.py", line 21, in <module>
    action = getattr(collection.action, 'invalid_action')
  File "/home/rywillia/github/manageiq-api-client-python/src/manageiq_client/api.py", line 591, in __getattr__
    if not hasattr(self, attr):
  File "/home/rywillia/github/manageiq-api-client-python/src/manageiq_client/api.py", line 591, in __getattr__
    if not hasattr(self, attr):
  File "/home/rywillia/github/manageiq-api-client-python/src/manageiq_client/api.py", line 591, in __getattr__
    if not hasattr(self, attr):
  [Previous line repeated 327 more times]
  File "/home/rywillia/github/manageiq-api-client-python/src/manageiq_client/api.py", line 589, in __getattr__
    self.reload()
  File "/home/rywillia/github/manageiq-api-client-python/src/manageiq_client/api.py", line 555, in reload
    action_obj = Action(self, action["name"], action["method"], action["href"])
RecursionError: maximum recursion depth exceeded while calling a Python object

The bug is within the ActionContainer __getattr__ method.

    def __getattr__(self, attr):
        self.reload()
        if not hasattr(self, attr):
            raise AttributeError("No such action {}".format(attr))
        return getattr(self, attr)

When getattr is called on the action object, it first calls the reload method, then attempts to see if the action object has the attribute using the built-in hasattr. hasattr actually calls getattr, which recursively calls itself again. This causes it to continue in this loop and eventually throw the recursion error.

A simple change here is needed to eliminate calling itself again.
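An added example, not part of the original issue or the project's code: a network-free reproduction of the `__getattr__`/`hasattr` loop described above, next to one way to break it. The class names, the `lookup_outcome` helper and the in-memory action list are assumptions made for illustration.

```python
# Added illustration: stand-in classes, not the manageiq_client source.
# Python 2's hasattr() swallowed every exception, including the recursion
# error, so 2.7 surfaced AttributeError. Since Python 3.2 hasattr() only
# catches AttributeError, so the RecursionError escapes to the caller.


class BuggyActionContainer(object):
    """Uses the same __getattr__ body that the issue quotes."""

    def __init__(self, server_actions):
        # Constructed stand-in for the action list the API would return.
        self._server_actions = list(server_actions)

    def reload(self):
        # The real client fetches actions over HTTP; here they are local.
        for name in self._server_actions:
            setattr(self, name, "<Action {}>".format(name))

    def __getattr__(self, attr):
        self.reload()
        if not hasattr(self, attr):  # re-enters __getattr__ for a missing name
            raise AttributeError("No such action {}".format(attr))
        return getattr(self, attr)


class FixedActionContainer(BuggyActionContainer):
    """One possible fix: consult the instance dict, never hasattr(self, ...)."""

    def __getattr__(self, attr):
        # Private names never trigger a reload. This also protects copy and
        # pickle, which probe attributes before __init__ has run.
        if attr.startswith("_"):
            raise AttributeError(attr)
        self.reload()
        try:
            # A direct dict lookup cannot call back into __getattr__.
            return self.__dict__[attr]
        except KeyError:
            raise AttributeError("No such action {}".format(attr)) from None


def lookup_outcome(container_cls, name):
    """Return the attribute value, or the name of the exception raised."""
    container = container_cls(["edit", "delete"])  # constructed sample actions
    try:
        return getattr(container, name)
    except (AttributeError, RecursionError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    for cls in (BuggyActionContainer, FixedActionContainer):
        print(cls.__name__, "edit ->", lookup_outcome(cls, "edit"))
        print(cls.__name__, "invalid_action ->",
              lookup_outcome(cls, "invalid_action"))
```

With the fixed container, `hasattr(container, "invalid_action")` returns `False` instead of exhausting the stack, which matters to any caller that probes for an action before invoking it.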

manageiq-client is incompatible with python 2.7

All manageiq ansible modules in combination with Python 2.7 fail with the error "AttributeError: 'module' object has no attribute 'monotonic'". This is caused by the required manageiq-client module, which can no longer be created in Python 2.x. https://pypi.org/project/manageiq-client/ states manageiq-client is compatible with 2.7.

==================================== ERRORS ====================================
_ ERROR collecting test/units/modules/remote_management/manageiq/test_create_tenant.py _
test/units/modules/remote_management/manageiq/test_create_tenant.py:7: in <module>
    from ansible.modules.remote_management.manageiq import manageiq_tenant
lib/ansible/modules/remote_management/manageiq/manageiq_tenant.py:172: in <module>
    from ansible.module_utils.manageiq import ManageIQ, manageiq_argument_spec
lib/ansible/module_utils/manageiq.py:37: in <module>
    from manageiq_client.api import ManageIQClient
venv2/local/lib/python2.7/site-packages/manageiq_client/api.py:14: in <module>
    from wait_for import wait_for
venv2/local/lib/python2.7/site-packages/wait_for/__init__.py:22: in <module>
    get_time = time.monotonic
E   AttributeError: 'module' object has no attribute 'monotonic'

The wait_for module used (https://pypi.org/project/wait-for/) is Python 3 only.

Adding instruction for pytest

Hi

I would like to suggest adding a section to readme.rst on how to run the test cases.

I had to do the following to be able to run all the test cases.

# as root on miq appliance.
 yum install -y python-pip  pytest python2-mock
pip install  httmock # needed by test_miqapi.py
# pytest command is /usr/bin/py.test
cd /root/manageiq-api-client-python/testing
py.test conftest.py
py.test test_filter.py
py.test test_process_result.py
py.test test_miqapi.py

CVE-2023-37920 (Critical) detected in certifi-2021.10.8-py2.py3-none-any.whl

CVE-2023-37920 - Critical Severity Vulnerability

Vulnerable Library - certifi-2021.10.8-py2.py3-none-any.whl

Python package for providing Mozilla's CA Bundle.

Library home page: https://files.pythonhosted.org/packages/37/45/946c02767aabb873146011e665728b680884cd8fe70dde973c640e45b775/certifi-2021.10.8-py2.py3-none-any.whl

Path to dependency file: /tmp/ws-scm/manageiq-api-client-python

Path to vulnerable library: /tmp/ws-scm/manageiq-api-client-python,/requirements.txt

Dependency Hierarchy:

  • requests-2.27.1-py2.py3-none-any.whl (Root Library)
    • certifi-2021.10.8-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store.

Publish Date: 2023-07-25

URL: CVE-2023-37920

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-xqr8-7jwr-rhp7

Release Date: 2023-07-25

Fix Resolution (certifi): 2023.7.22

Direct dependency fix Resolution (requests): 2.28.0


Step up your Open Source Security Game with Mend here

CVE-2022-42969 (High) detected in py-1.11.0-py2.py3-none-any.whl

CVE-2022-42969 - High Severity Vulnerability

Vulnerable Library - py-1.11.0-py2.py3-none-any.whl

library with cross-python path, ini-parsing, io, code, log facilities

Library home page: https://files.pythonhosted.org/packages/f6/f0/10642828a8dfb741e5f3fbaac830550a518a775c7fff6f04a007259b0548/py-1.11.0-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • tox-3.24.5-py2.py3-none-any.whl (Root Library)
    • py-1.11.0-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.

Publish Date: 2022-10-16

URL: CVE-2022-42969

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Docker manageIQ

Good day!

I am trying to use the API client together with a docker container. For some reason, the container starts SSL-enabled and the client can't connect.

I am getting an error:
manageiq_client.api.APIException: JSONDecodeError:

<title>400 Bad Request</title>

Bad Request

Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.

Have you tried your client with the manageiq docker container?
Do you know how it can be solved?

best,
Oleksii

CVE-2023-43804 (High) detected in urllib3-1.26.8-py2.py3-none-any.whl

CVE-2023-43804 - High Severity Vulnerability

Vulnerable Library - urllib3-1.26.8-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/4e/b8/f5a25b22e803f0578e668daa33ba3701bb37858ec80e08a150bd7d2cf1b1/urllib3-1.26.8-py2.py3-none-any.whl

Path to dependency file: /tmp/ws-scm/manageiq-api-client-python

Path to vulnerable library: /tmp/ws-scm/manageiq-api-client-python,/requirements.txt

Dependency Hierarchy:

  • requests-2.27.1-py2.py3-none-any.whl (Root Library)
    • urllib3-1.26.8-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the Cookie HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a Cookie header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.

Publish Date: 2023-10-04

URL: CVE-2023-43804

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-43804

Release Date: 2023-10-04

Fix Resolution (urllib3): 1.26.17

Direct dependency fix Resolution (requests): 2.28.0


Create new release

There have been lots of improvements since the last release v0.3.0. Would it be possible if you cut a new release so we can realize these changes when installing from pip?

Thanks!

For better py3 compatibility, `map` objects should not be returned.

I found our calls returning map objects. Users will face problems like
TypeError: 'map' object is not subscriptable when they go for indexing.

In my opinion it should return a list or tuple. The return type should not be a map object.

In py2 the map object allows indexing, but not in py3. As a workaround, users need a list comprehension, which is not good.

Let me know the maintainers' thoughts on it.

CVE-2023-32681 (Medium) detected in requests-2.27.1-py2.py3-none-any.whl

CVE-2023-32681 - Medium Severity Vulnerability

Vulnerable Library - requests-2.27.1-py2.py3-none-any.whl

Python HTTP for Humans.

Library home page: https://files.pythonhosted.org/packages/2d/61/08076519c80041bc0ffa1a8af0cbd3bf3e2b62af10435d269a9d0f40564d/requests-2.27.1-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/tmp/ws-scm/manageiq-api-client-python

Dependency Hierarchy:

  • requests-2.27.1-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use rebuild_proxies to reattach the Proxy-Authorization header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the Proxy-Authorization header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.

Publish Date: 2023-05-26

URL: CVE-2023-32681

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-j8r2-6x86-q33q

Release Date: 2023-05-26

Fix Resolution: requests -2.31.0


Can not differentiate DELETE and POST (delete) requests on Action objects

In [1]: appliance.rest_api.collections.transformation_mappings.all
Out[1]: [<Entity u'https://10.8.198.48/api/transformation_mappings/1'>]
 
In [2]: map1 = appliance.rest_api.collections.transformation_mappings.all[0]
 
In [3]: map1.action.all
Out[3]: [u'edit', u'validate_vms', u'delete', u'delete']
 
In [4]: map1.action.delete.POST
Out[4]: <Action post https://10.8.198.48/api/transformation_mappings/1#delete>

This is correct ^^, now comes the buggy part:

In [5]: map1.action.delete.DELETE
Out[5]: <Action post https://10.8.198.48/api/transformation_mappings/1#delete>

Have you noticed the post after Action?

Use a different arg name in place of ``url``

While automating a manageiq test case for adding AnsibleTower via the REST API, I encountered an issue.
Payload to add AnsibleTower:

{
  "type": "ManageIQ::Providers::AnsibleTower::Provider",
  "url": ":url",
  "name": "API test",
  "verify_ssl": "false",
  "credentials": {
    "userid": ":userid",
    "password": ":password"
  }
}

API endpoint: https://<ip_address>/api/providers?provider_class=provider

I used appliance.rest_api.post(endpoint_href, **payload) to add the provider.
But I encountered the error TypeError: post() got multiple values for keyword argument 'url'. The reason is that the post method expects a keyword argument called url, but since there is a keyword named url present in the payload, it throws an error on unpacking.

There might be other API endpoints that may expect url in the payload, in which case, actions such as post would fail.

To avoid such conflicts, it might be a good idea to change the name of url to something like endpoint_url or endpoint_href. I don't think this change will affect any other part of the framework.
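An added example, not part of the original issue or the project's code: the keyword collision reproduced with stand-in functions, showing that the proposed rename moves the clash to the new name, while a positional-only endpoint parameter (Python 3.8+, a technique that goes beyond the rename suggested above) removes it. The function names, the `_send` stub and the sample endpoint and payload values are assumptions.

```python
import json

# Constructed sample values modelled on the payload shown in the issue.
ENDPOINT = "https://appliance.example.test/api/providers?provider_class=provider"
PAYLOAD = {
    "type": "ManageIQ::Providers::AnsibleTower::Provider",
    "url": "https://tower.example.test/api/v1",
    "name": "API test",
    "verify_ssl": "false",
    "credentials": {"userid": "placeholder-user", "password": "placeholder"},
}


def _send(endpoint, payload):
    # Stand-in for the HTTP call: returns what would be put on the wire.
    return {"endpoint": endpoint, "body": json.dumps(payload, sort_keys=True)}


def post_named_url(url, **payload):
    """Shape described in the issue: 'url' is an ordinary parameter."""
    return _send(url, payload)


def post_renamed(endpoint_href, **payload):
    """The rename proposed in the issue; 'endpoint_href' is now reserved."""
    return _send(endpoint_href, payload)


def post_positional_only(url, /, **payload):
    """Positional-only endpoint: no payload key can collide with it."""
    return _send(url, payload)


def try_post(post_fn, payload):
    """Call post_fn as the issue does and report a TypeError as a string."""
    try:
        return post_fn(ENDPOINT, **payload)
    except TypeError as exc:
        return "TypeError: {}".format(exc)


if __name__ == "__main__":
    both_keys = dict(PAYLOAD, endpoint_href="/api/other")
    for fn in (post_named_url, post_renamed, post_positional_only):
        for label, body in (("url key", PAYLOAD), ("both keys", both_keys)):
            result = try_post(fn, body)
            status = result if isinstance(result, str) else "sent"
            print("{:22} {:10} {}".format(fn.__name__, label, status))
```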

requests.exceptions.ConnectionError: ('Connection aborted.', error(97, 'Address family not supported by protocol'))

  • miq test server running fine-4:
hostname = miq01.test.com

commit a5e507b055d7bbd623d8994e5139b2d53dd77f45
Author: Satoe Imaishi <[email protected]>
Date:   Tue Oct 24 16:16:44 2017 -0400

    Release fine-4

  • example.py

All the following manageiq_client.api tests are run from the same host, miq01.test.com.

[me@manageiq-client]$ cat  ./example.py
import os
from manageiq_client.api import ManageIQClient as MiqApi

url = os.environ.get('MIQURL') or 'http://localhost:3000/api'
username = os.environ.get('MIQUSERNAME') or 'admin'
password = os.environ.get('MIQPASSWORD') or 'smartvm'
token = os.environ.get('MIQTOKEN')

client = None

if token:
    print("\nAuthenticating with the API token")
    client = MiqApi(url, dict(token=token))
else:
    print("\nAuthenticating with the user credentials: "+username+" / "+password)
    client = MiqApi(url, dict(user=username, password=password))

print("\nManageIQ version: {0}".format(client.version))
print("\nVirtual Machines Collection\n")

for vm in client.collections.vms.all:
    print(vm.name)
[me@manageiq-client]$

  • Error message
[me@manageiq-client]$python ./example.py

Authenticating with the user credentials: admin / smartvm

ManageIQ version: 2.4.0

Virtual Machines Collection

Traceback (most recent call last):
  File "./example.py", line 21, in <module>
    for vm in client.collections.vms.all:
  File "/usr/lib/python2.7/site-packages/manageiq_client/api.py", line 350, in all
    self.reload(expand=True)
  File "/usr/lib/python2.7/site-packages/manageiq_client/api.py", line 280, in reload
    self._data = self._api.get(self._href, **kwargs)
  File "/usr/lib/python2.7/site-packages/manageiq_client/api.py", line 111, in get
    partial(self._session.get, url, params=get_params))
  File "/usr/lib/python2.7/site-packages/manageiq_client/api.py", line 106, in _sending_request
    raise last_connection_exception
requests.exceptions.ConnectionError: ('Connection aborted.', error(97, 'Address family not supported by protocol'))
[me@manageiq-client]$
<snipped>
<script>
  miqGetTZO();
  miqGetBrowserInfo();
  miqTreeClearState();
</script>

<script>
  API.logout();
  delete localStorage['patternfly-navigation-secondary'];
  delete localStorage['patternfly-navigation-tertiary'];
  miqFlashClearSaved();
</script>
</body>
</html>
<snipped>

miq01 doesn't have IPv6 enabled.

[me@miq01 manageiq-client]$  curl -6 http://localhost:3000
curl: (6) Couldn't resolve host 'localhost'
[me@miq01 manageiq-client]$ grep  localhost /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
[me@miq01 manageiq-client]$
# switch to root
[root@miq01 ~]# ping ::1
ping: ::1: Address family for hostname not supported
[root@miq01 ~]# ping -c 1 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.025 ms

--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.025/0.025/0.025/0.000 ms
[root@miq01 ~]#

[me@miq01 manageiq-client]$ python  example-127.0.0.1.py

Authenticating with the user credentials: admin / smartvm

ManageIQ version: 2.4.0

Virtual Machines Collection

Traceback (most recent call last):
  File "example-127.0.0.1.py", line 21, in <module>
    for vm in client.collections.vms.all:
  File "/usr/lib/python2.7/site-packages/manageiq_client/api.py", line 350, in all
    self.reload(expand=True)
  File "/usr/lib/python2.7/site-packages/manageiq_client/api.py", line 280, in reload
    self._data = self._api.get(self._href, **kwargs)
  File "/usr/lib/python2.7/site-packages/manageiq_client/api.py", line 111, in get
    partial(self._session.get, url, params=get_params))
  File "/usr/lib/python2.7/site-packages/manageiq_client/api.py", line 106, in _sending_request
    raise last_connection_exception
requests.exceptions.ConnectionError: ('Connection aborted.', error(111, 'Connection refused'))
[me@miq01 manageiq-client]$ grep 127.0.0.1  example-127.0.0.1.py
url = os.environ.get('MIQURL') or 'http://127.0.0.1:3000/api'
[me@miq01 manageiq-client]$

CVE-2023-45803 (Medium) detected in urllib3-1.26.8-py2.py3-none-any.whl

CVE-2023-45803 - Medium Severity Vulnerability

Vulnerable Library - urllib3-1.26.8-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/4e/b8/f5a25b22e803f0578e668daa33ba3701bb37858ec80e08a150bd7d2cf1b1/urllib3-1.26.8-py2.py3-none-any.whl

Path to dependency file: /tmp/ws-scm/manageiq-api-client-python

Path to vulnerable library: /tmp/ws-scm/manageiq-api-client-python,/requirements.txt

Dependency Hierarchy:

  • requests-2.27.1-py2.py3-none-any.whl (Root Library)
    • urllib3-1.26.8-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like POST) to GET as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren't expecting to respond with redirects with redirects=False and disable automatic redirects with redirects=False and handle 301, 302, and 303 redirects manually by stripping the HTTP request body.

Publish Date: 2023-10-17

URL: CVE-2023-45803

CVSS 3 Score Details (4.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Adjacent
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-g4mx-q9vg-27p4

Release Date: 2023-10-17

Fix Resolution (urllib3): 1.26.18

Direct dependency fix Resolution (requests): 2.28.0


CVE-2022-23491 (High) detected in certifi-2021.10.8-py2.py3-none-any.whl

CVE-2022-23491 - High Severity Vulnerability

Vulnerable Library - certifi-2021.10.8-py2.py3-none-any.whl

Python package for providing Mozilla's CA Bundle.

Library home page: https://files.pythonhosted.org/packages/37/45/946c02767aabb873146011e665728b680884cd8fe70dde973c640e45b775/certifi-2021.10.8-py2.py3-none-any.whl

Path to dependency file: /tmp/ws-scm/manageiq-api-client-python

Path to vulnerable library: /tmp/ws-scm/manageiq-api-client-python,/requirements.txt

Dependency Hierarchy:

  • requests-2.27.1-py2.py3-none-any.whl (Root Library)
    • certifi-2021.10.8-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion.

Publish Date: 2022-12-07

URL: CVE-2022-23491

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-23491

Release Date: 2022-12-07

Fix Resolution (certifi): 2022.12.7

Direct dependency fix Resolution (requests): 2.28.0


Parse_date raise ParseError("Expecting a string %r" % datestring)

  • As root, install the manageiq-client-api library.
yum install -y python-pip
pip install git+https://github.com/ManageIQ/manageiq-api-client-python.git
  • miq server version tested.
    • Master branch using API
commit 74e132dab2284a5d0fe3ab252b80ee6c54e94a66
Merge: 83a24ce 5dc0375
Author: Brandon Dunne <[email protected]>
Date:   Fri Feb 2 16:38:11 2018 -0500

    Merge pull request #16944 from bmclaughlin/add-missing-flavor-string

    Fix filename when downloading pdf from Flavor summary

  • example.py
[me@miqwk02 manageiq-client]$ python ./example.py

import os
from manageiq_client.api import ManageIQClient as MiqApi

url = os.environ.get('MIQURL') or 'http://localhost:3000/api'
username = os.environ.get('MIQUSERNAME') or 'admin'
password = os.environ.get('MIQPASSWORD') or 'smartvm'
token = os.environ.get('MIQTOKEN')

client = None

if token:
    print("\nAuthenticating with the API token")
    client = MiqApi(url, dict(token=token))
else:
    print("\nAuthenticating with the user credentials: "+username+" / "+password)
    client = MiqApi(url, dict(user=username, password=password))

print("\nManageIQ version: {0}".format(client.version))
print("\nVirtual Machines Collection\n")

for vm in client.collections.vms.all:
    print(vm.name)

  • Error message
[me@miqwk02 manageiq-client]$ python ./example.py

Authenticating with the user credentials: admin / smartvm

ManageIQ version: 4.0.0-pre

Virtual Machines Collection

Traceback (most recent call last):
  File "./example.py", line 21, in <module>
    for vm in client.collections.vms.all:
  File "/usr/lib/python2.7/site-packages/manageiq_client/api.py", line 351, in all
    return [Entity(self, r) for r in self._resources]
  File "/usr/lib/python2.7/site-packages/manageiq_client/api.py", line 408, in __init__
    self._load_data()
  File "/usr/lib/python2.7/site-packages/manageiq_client/api.py", line 412, in _load_data
    self.reload(get=False)
  File "/usr/lib/python2.7/site-packages/manageiq_client/api.py", line 442, in reload
    setattr(self, key, iso8601.parse_date(value))
  File "/usr/lib/python2.7/site-packages/iso8601/iso8601.py", line 192, in parse_date
    raise ParseError("Expecting a string %r" % datestring)
iso8601.iso8601.ParseError: Expecting a string None
[me@miqwk02 manageiq-client]$

How do I disable CERTIFICATE_VERIFY ?

Hi,

I am thinking of using this Python API client.
Is there support for disabling "CERTIFICATE_VERIFY", since I am using an http connection?


[me@miq01t manageiq-api-client-python]$ python example.py

Authenticating with the user credentials: admin / smartvm
Traceback (most recent call last):
  File "example.py", line 16, in <module>
    client = MiqApi(url, dict(user=username, password=password))
  File "/usr/lib/python2.7/site-packages/manageiq_client/api.py", line 39, in __init__
    self._load_data()
  File "/usr/lib/python2.7/site-packages/manageiq_client/api.py", line 58, in _load_data
    data = self.get(self._entry_point)
  File "/usr/lib/python2.7/site-packages/manageiq_client/api.py", line 111, in get
    partial(self._session.get, url, params=get_params))
  File "/usr/lib/python2.7/site-packages/manageiq_client/api.py", line 106, in _sending_request
    raise last_connection_exception
requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)
[me@miq01t manageiq-api-client-python]$


Example Code Errors On Python 3

I followed the docker ManageIQ documentation. When trying out the python client I ended up getting an AttributeError due to the use of iteritems.

Python Version

$ python --version
Python 3.5.2

Python 3 dict.iteritems

In [1]: {'a': 'b'}.iteritems()
---------------------------------------------------------------------------
AttributeError                            Traceback (most recent call last)
<ipython-input-1-2f0a6e5203dd> in <module>()
----> 1 {'a': 'b'}.iteritems()

AttributeError: 'dict' object has no attribute 'iteritems'

Stack Trace

In [7]: client = MiqApi(url, (username, password), verify_ssl=False)
../Tech/Envs/py3env/lib/python3.5/site-packages/requests/packages/urllib3/connectionpool.py:843: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning)
---------------------------------------------------------------------------
AttributeError                            Traceback (most recent call last)
<ipython-input-7-c1feb22db785> in <module>()
----> 1 client = MiqApi(url, (username, password), verify_ssl=False)
../Tech/Envs/py3env/lib/python3.5/site-packages/miqclient/api.py in __init__(self, entry_point, auth, logger, verify_ssl, ca_bundle_path)
     39         self._session.headers.update({'Content-Type': 'application/json; charset=utf-8'})
     40         self.logger = logger or logging.getLogger(__name__)
---> 41         self._load_data()
     42 
     43     def _load_data(self):

../Tech/Envs/py3env/lib/python3.5/site-packages/miqclient/api.py in _load_data(self)
     48         for version in data.pop("versions", []):
     49             self._versions[version["name"]] = version["href"]
---> 50         for key, value in data.iteritems():
     51             setattr(self, key, value)
     52 

AttributeError: 'dict' object has no attribute 'iteritems'

Possible Solution

Both Python 2 and 3 dictionaries have items methods which can be looped over in the same way.

$ python2.7 -c "print({'a': 'b'}.items().__iter__)"
<method-wrapper '__iter__' of list object at 0x7f779ee5c680>
$ python3.5 -c "print({'a': 'b'}.items().__iter__)"
<method-wrapper '__iter__' of dict_items object at 0x7f0500e9b738>
