Autarch/web/routes/container_sec.py

"""Container Security routes."""

from flask import Blueprint, request, jsonify, render_template
from web.auth import login_required

container_sec_bp = Blueprint('container_sec', __name__, url_prefix='/container-sec')


def _get_cs():
    from modules.container_sec import get_container_sec
    return get_container_sec()


# ── Pages ────────────────────────────────────────────────────────────────────

@container_sec_bp.route('/')
@login_required
def index():
    return render_template('container_sec.html')


# ── Status ───────────────────────────────────────────────────────────────────

@container_sec_bp.route('/status')
@login_required
def status():
    """Check Docker and kubectl availability."""
    cs = _get_cs()
    return jsonify({
        'docker': cs.check_docker_installed(),
        'kubectl': cs.check_kubectl_installed(),
    })


# ── Docker: Host Audit ──────────────────────────────────────────────────────

@container_sec_bp.route('/docker/audit', methods=['POST'])
@login_required
def docker_audit():
    """Audit Docker host configuration."""
    findings = _get_cs().audit_docker_host()
    return jsonify({'findings': findings, 'total': len(findings)})


# ── Docker: Containers ──────────────────────────────────────────────────────

@container_sec_bp.route('/docker/containers')
@login_required
def docker_containers():
    """List Docker containers."""
    containers = _get_cs().list_containers(all=True)
    return jsonify({'containers': containers, 'total': len(containers)})


@container_sec_bp.route('/docker/containers/<container_id>/audit', methods=['POST'])
@login_required
def docker_container_audit(container_id):
    """Audit a specific container."""
    result = _get_cs().audit_container(container_id)
    return jsonify(result)


@container_sec_bp.route('/docker/containers/<container_id>/escape', methods=['POST'])
@login_required
def docker_container_escape(container_id):
    """Check container escape vectors."""
    result = _get_cs().check_escape_vectors(container_id)
    return jsonify(result)


# ── Docker: Images ───────────────────────────────────────────────────────────

@container_sec_bp.route('/docker/images')
@login_required
def docker_images():
    """List local Docker images."""
    images = _get_cs().list_images()
    return jsonify({'images': images, 'total': len(images)})


@container_sec_bp.route('/docker/images/scan', methods=['POST'])
@login_required
def docker_image_scan():
    """Scan a Docker image for vulnerabilities."""
    data = request.get_json(silent=True) or {}
    image_name = data.get('image_name', '').strip()
    if not image_name:
        return jsonify({'error': 'No image name provided'}), 400
    result = _get_cs().scan_image(image_name)
    return jsonify(result)


# ── Dockerfile Lint ──────────────────────────────────────────────────────────

@container_sec_bp.route('/docker/lint', methods=['POST'])
@login_required
def docker_lint():
    """Lint Dockerfile content for security issues."""
    data = request.get_json(silent=True) or {}
    content = data.get('content', '')
    if not content.strip():
        return jsonify({'error': 'No Dockerfile content provided'}), 400
    findings = _get_cs().lint_dockerfile(content)
    return jsonify({'findings': findings, 'total': len(findings)})


# ── Kubernetes: Namespaces & Pods ────────────────────────────────────────────

@container_sec_bp.route('/k8s/namespaces')
@login_required
def k8s_namespaces():
    """List Kubernetes namespaces."""
    namespaces = _get_cs().k8s_get_namespaces()
    return jsonify({'namespaces': namespaces, 'total': len(namespaces)})


@container_sec_bp.route('/k8s/pods')
@login_required
def k8s_pods():
    """List pods in a namespace."""
    namespace = request.args.get('namespace', 'default')
    pods = _get_cs().k8s_get_pods(namespace=namespace)
    return jsonify({'pods': pods, 'total': len(pods)})


@container_sec_bp.route('/k8s/pods/<name>/audit', methods=['POST'])
@login_required
def k8s_pod_audit(name):
    """Audit a specific pod."""
    data = request.get_json(silent=True) or {}
    namespace = data.get('namespace', 'default')
    result = _get_cs().k8s_audit_pod(name, namespace=namespace)
    return jsonify(result)


# ── Kubernetes: RBAC, Secrets, Network Policies ──────────────────────────────

@container_sec_bp.route('/k8s/rbac', methods=['POST'])
@login_required
def k8s_rbac():
    """Audit RBAC configuration."""
    data = request.get_json(silent=True) or {}
    namespace = data.get('namespace') or None
    result = _get_cs().k8s_audit_rbac(namespace=namespace)
    return jsonify(result)


@container_sec_bp.route('/k8s/secrets', methods=['POST'])
@login_required
def k8s_secrets():
    """Check secrets exposure."""
    data = request.get_json(silent=True) or {}
    namespace = data.get('namespace', 'default')
    result = _get_cs().k8s_check_secrets(namespace=namespace)
    return jsonify(result)


@container_sec_bp.route('/k8s/network', methods=['POST'])
@login_required
def k8s_network():
    """Check network policies."""
    data = request.get_json(silent=True) or {}
    namespace = data.get('namespace', 'default')
    result = _get_cs().k8s_check_network_policies(namespace=namespace)
    return jsonify(result)


# ── Export ───────────────────────────────────────────────────────────────────

@container_sec_bp.route('/export')
@login_required
def export():
    """Export all audit results."""
    fmt = request.args.get('format', 'json')
    result = _get_cs().export_results(fmt=fmt)
    return jsonify(result)
v2.3.0 — RCS exploit v2.0, Starlink hack, SMS forge, Archon RCS module Major RCS/SMS exploitation rewrite (v2.0): - bugle_db direct extraction (plaintext messages, no decryption needed) - CVE-2024-0044 run-as privilege escalation (Android 12-13) - AOSP RCS provider queries (content://rcs/) - Archon app relay for Shizuku-elevated bugle_db access - 7-tab web UI: Extract, Database, Forge, Modify, Exploit, Backup, Monitor - SQL query interface for extracted databases - Full backup/restore/clone with SMS Backup & Restore XML support - Known CVE database (CVE-2023-24033, CVE-2024-49415, CVE-2025-48593) - IMS/RCS diagnostics, Phenotype verbose logging, Pixel tools New modules: Starlink hack, SMS forge, SDR drone detection Archon Android app: RCS messaging module with Shizuku integration Updated manuals to v2.3, 60 web blueprints confirmed Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-03 13:50:29 -08:00			`"""Container Security routes."""`

			`from flask import Blueprint, request, jsonify, render_template`
			`from web.auth import login_required`

			`container_sec_bp = Blueprint('container_sec', __name__, url_prefix='/container-sec')`


			`def _get_cs():`
			`from modules.container_sec import get_container_sec`
			`return get_container_sec()`


			`# ── Pages ────────────────────────────────────────────────────────────────────`

			`@container_sec_bp.route('/')`
			`@login_required`
			`def index():`
			`return render_template('container_sec.html')`


			`# ── Status ───────────────────────────────────────────────────────────────────`

			`@container_sec_bp.route('/status')`
			`@login_required`
			`def status():`
			`"""Check Docker and kubectl availability."""`
			`cs = _get_cs()`
			`return jsonify({`
			`'docker': cs.check_docker_installed(),`
			`'kubectl': cs.check_kubectl_installed(),`
			`})`


			`# ── Docker: Host Audit ──────────────────────────────────────────────────────`

			`@container_sec_bp.route('/docker/audit', methods=['POST'])`
			`@login_required`
			`def docker_audit():`
			`"""Audit Docker host configuration."""`
			`findings = _get_cs().audit_docker_host()`
			`return jsonify({'findings': findings, 'total': len(findings)})`


			`# ── Docker: Containers ──────────────────────────────────────────────────────`

			`@container_sec_bp.route('/docker/containers')`
			`@login_required`
			`def docker_containers():`
			`"""List Docker containers."""`
			`containers = _get_cs().list_containers(all=True)`
			`return jsonify({'containers': containers, 'total': len(containers)})`


			`@container_sec_bp.route('/docker/containers/<container_id>/audit', methods=['POST'])`
			`@login_required`
			`def docker_container_audit(container_id):`
			`"""Audit a specific container."""`
			`result = _get_cs().audit_container(container_id)`
			`return jsonify(result)`


			`@container_sec_bp.route('/docker/containers/<container_id>/escape', methods=['POST'])`
			`@login_required`
			`def docker_container_escape(container_id):`
			`"""Check container escape vectors."""`
			`result = _get_cs().check_escape_vectors(container_id)`
			`return jsonify(result)`


			`# ── Docker: Images ───────────────────────────────────────────────────────────`

			`@container_sec_bp.route('/docker/images')`
			`@login_required`
			`def docker_images():`
			`"""List local Docker images."""`
			`images = _get_cs().list_images()`
			`return jsonify({'images': images, 'total': len(images)})`


			`@container_sec_bp.route('/docker/images/scan', methods=['POST'])`
			`@login_required`
			`def docker_image_scan():`
			`"""Scan a Docker image for vulnerabilities."""`
			`data = request.get_json(silent=True) or {}`
			`image_name = data.get('image_name', '').strip()`
			`if not image_name:`
			`return jsonify({'error': 'No image name provided'}), 400`
			`result = _get_cs().scan_image(image_name)`
			`return jsonify(result)`


			`# ── Dockerfile Lint ──────────────────────────────────────────────────────────`

			`@container_sec_bp.route('/docker/lint', methods=['POST'])`
			`@login_required`
			`def docker_lint():`
			`"""Lint Dockerfile content for security issues."""`
			`data = request.get_json(silent=True) or {}`
			`content = data.get('content', '')`
			`if not content.strip():`
			`return jsonify({'error': 'No Dockerfile content provided'}), 400`
			`findings = _get_cs().lint_dockerfile(content)`
			`return jsonify({'findings': findings, 'total': len(findings)})`


			`# ── Kubernetes: Namespaces & Pods ────────────────────────────────────────────`

			`@container_sec_bp.route('/k8s/namespaces')`
			`@login_required`
			`def k8s_namespaces():`
			`"""List Kubernetes namespaces."""`
			`namespaces = _get_cs().k8s_get_namespaces()`
			`return jsonify({'namespaces': namespaces, 'total': len(namespaces)})`


			`@container_sec_bp.route('/k8s/pods')`
			`@login_required`
			`def k8s_pods():`
			`"""List pods in a namespace."""`
			`namespace = request.args.get('namespace', 'default')`
			`pods = _get_cs().k8s_get_pods(namespace=namespace)`
			`return jsonify({'pods': pods, 'total': len(pods)})`


			`@container_sec_bp.route('/k8s/pods/<name>/audit', methods=['POST'])`
			`@login_required`
			`def k8s_pod_audit(name):`
			`"""Audit a specific pod."""`
			`data = request.get_json(silent=True) or {}`
			`namespace = data.get('namespace', 'default')`
			`result = _get_cs().k8s_audit_pod(name, namespace=namespace)`
			`return jsonify(result)`


			`# ── Kubernetes: RBAC, Secrets, Network Policies ──────────────────────────────`

			`@container_sec_bp.route('/k8s/rbac', methods=['POST'])`
			`@login_required`
			`def k8s_rbac():`
			`"""Audit RBAC configuration."""`
			`data = request.get_json(silent=True) or {}`
			`namespace = data.get('namespace') or None`
			`result = _get_cs().k8s_audit_rbac(namespace=namespace)`
			`return jsonify(result)`


			`@container_sec_bp.route('/k8s/secrets', methods=['POST'])`
			`@login_required`
			`def k8s_secrets():`
			`"""Check secrets exposure."""`
			`data = request.get_json(silent=True) or {}`
			`namespace = data.get('namespace', 'default')`
			`result = _get_cs().k8s_check_secrets(namespace=namespace)`
			`return jsonify(result)`


			`@container_sec_bp.route('/k8s/network', methods=['POST'])`
			`@login_required`
			`def k8s_network():`
			`"""Check network policies."""`
			`data = request.get_json(silent=True) or {}`
			`namespace = data.get('namespace', 'default')`
			`result = _get_cs().k8s_check_network_policies(namespace=namespace)`
			`return jsonify(result)`


			`# ── Export ───────────────────────────────────────────────────────────────────`

			`@container_sec_bp.route('/export')`
			`@login_required`
			`def export():`
			`"""Export all audit results."""`
			`fmt = request.args.get('format', 'json')`
			`result = _get_cs().export_results(fmt=fmt)`
			`return jsonify(result)`