Merge pull request CactuseSecurity#4227 from tpurschke/fix/docker-pull

tpurschke · web-flow · commit 6f72b577a57a · 2026-02-03T10:08:52.000+01:00
Fix/docker pull
diff --git a/agents b/agents
@@ -1 +1 @@
-Subproject commit 808e0fed7e41b9d5296ea42d5c4e3436a8a57c54
+Subproject commit a5ed1716a99d6f4d31be3f3889f6b2e4916b417c
diff --git a/documentation/installer/install-advanced.md b/documentation/installer/install-advanced.md
@@ -83,7 +83,7 @@ Note that the following domains (and their sub-domains) must be reachable throug
     github.com, api.github.com
     githubusercontent.com
     docker.com (and subdomains)
-    docker.io, auth.docker.io
+    docker.io (and subdomains)
     hasura.io, releases.hasura.io
     postgresql.org
     microsoft.com
diff --git a/roles/api/tasks/hasura-install.yml b/roles/api/tasks/hasura-install.yml
@@ -177,6 +177,37 @@
     var: hasura_env
   when: debug_level > '1'
 
+- name: request Docker Hub token for hasura/graphql-engine
+  uri:
+    url: "https://auth.docker.io/token?service=registry.docker.io&scope=repository:hasura/graphql-engine:pull"
+    method: GET
+    return_content: true
+  register: dockerhub_token
+  environment: "{{ proxy_env }}"
+  failed_when: dockerhub_token.status | default(-1) != 200
+
+- name: check Docker Hub manifest access for hasura/graphql-engine:{{ api_hasura_version }}
+  uri:
+    url: "https://registry-1.docker.io/v2/hasura/graphql-engine/manifests/{{ api_hasura_version }}"
+    method: HEAD
+    headers:
+      Authorization: "Bearer {{ dockerhub_token.json.token }}"
+      Accept: "application/vnd.docker.distribution.manifest.v2+json"
+    status_code:
+      - 200
+  register: dockerhub_manifest_check
+  environment: "{{ proxy_env }}"
+  failed_when: false
+
+- name: fail if Docker Hub manifest access is blocked
+  fail:
+    msg: >-
+      Cannot access Docker Hub manifest for hasura/graphql-engine:{{ api_hasura_version }}
+      (HTTP {{ dockerhub_manifest_check.status | default('unknown') }}). This typically indicates
+      blocked registry access or proxy restrictions. Ensure the host can reach registry-1.docker.io
+      or configure a registry mirror.
+  when: dockerhub_manifest_check.status | default(0) != 200
+
 - name: start hasura container
   docker_container:
     name: "{{ api_container_name }}"
@@ -194,7 +225,7 @@
     env: "{{ hasura_env }}"
     container_default_behavior: no_defaults
     user: "1001:1001" # hasura user and group id
-    pull: no
+    pull: false
   register: docker_return
   become: true
   become_user: "{{ fworch_user }}"
diff --git a/roles/lib/files/FWO.Report/ReportRules.cs b/roles/lib/files/FWO.Report/ReportRules.cs
@@ -366,21 +366,6 @@ private string ExportSingleRulebaseToCsv(StringBuilder report, RuleDisplayCsv ru
             if (rbLink == null)
             {
                 return report.ToString();
-                //NOSONAR
-                // from develop:
-                // foreach (var dev in mgt.Devices.Where(d => d.Rules != null && d.Rules.Length > 0))
-                // {
-                //     if (dev.Rules != null)
-                //     {
-                //         foreach (Rule rule in dev.Rules)
-                //         {
-                //             rule.ManagementName = mgt.Name ?? "";
-                //             rule.DeviceName = dev.Name ?? "";
-                //             mgt.ReportedRuleIds.Add(rule.Id);
-                //         }
-                //     }
-                // }
-                // mgt.ReportedRuleIds = mgt.ReportedRuleIds.Distinct().ToList();
             }
             foreach (var rule in GetRulesByRulebaseId(rbLink.NextRulebaseId, managementReport)) // just dealing with the first rb for starters
             {
