abide_dev_utils 0.10.1 → 0.11.0

data/lib/abide_dev_utils/cem/coverage_report.rb

@@ -0,0 +1,348 @@
+# frozen_string_literal: true
+
+require 'date'
+require 'json'
+require 'pathname'
+require 'yaml'
+require 'abide_dev_utils/ppt'
+require 'abide_dev_utils/validate'
+require 'abide_dev_utils/cem/benchmark'
+
+module AbideDevUtils
+  module CEM
+    # Methods and objects used to construct a report of what CEM enforces versus what
+    # the various compliance frameworks expect to be enforced.
+    module CoverageReport
+      # def self.generate(outfile: 'cem_coverage.yaml', **_filters)
+      #   pupmod = AbideDevUtils::Ppt::PuppetModule.new
+      #   # filter = Filter.new(pupmod, **filters)
+      #   benchmarks = AbideDevUtils::CEM::Benchmark.benchmarks_from_puppet_module(pupmod)
+      #   Report.new(benchmarks).generate(outfile: outfile)
+      # end
+
+      def self.basic_coverage(format_func: :to_yaml, ignore_benchmark_errors: false)
+        pupmod = AbideDevUtils::Ppt::PuppetModule.new
+        # filter = Filter.new(pupmod, **filters)
+        benchmarks = AbideDevUtils::CEM::Benchmark.benchmarks_from_puppet_module(pupmod,
+                                                                                 ignore_all_errors: ignore_benchmark_errors)
+        benchmarks.map do |b|
+          AbideDevUtils::CEM::CoverageReport::BenchmarkReport.new(b).basic_coverage.send(format_func)
+        end
+      end
+
+      class Filter
+        KEY_FACT_MAP = {
+          os_family: 'os.family',
+          os_name: 'os.name',
+          os_release_major: 'os.release.major',
+        }.freeze
+
+        attr_reader(*KEY_FACT_MAP.keys)
+
+        def initialize(pupmod, **filters)
+          @pupmod = pupmod
+          @benchmark = filters[:benchmark]
+          @profile = filters[:profile]
+          @level = filters[:level]
+          KEY_FACT_MAP.each_key do |k|
+            instance_variable_set "@#{k}", filters[k]
+          end
+        end
+
+        def resource_data
+          @resource_data ||= find_resource_data
+        end
+
+        def mapping_data
+          @mapping_data ||= find_mapping_data
+        end
+
+        private
+
+        def find_resource_data
+          fact_array = fact_array_for(:os_family, :os_name, :os_release_major)
+          @pupmod.hiera_conf.local_hiera_files_with_facts(*fact_array, hierarchy_name: 'Resource Data').map do |f|
+            YAML.load_file(f.path)
+          end
+        rescue NoMethodError
+          @pupmod.hiera_conf.local_hiera_files(hierarchy_name: 'Resource Data').map { |f| YAML.load_file(f.path) }
+        end
+
+        def find_mapping_data
+          fact_array = fact_array_for(:os_name, :os_release_major)
+          begin
+            data_array = @pupmod.hiera_conf.local_hiera_files_with_facts(*fact_array, hierarchy_name: 'Mapping Data').map do |f|
+              YAML.load_file(f.path)
+            end
+          rescue NoMethodError
+            data_array = @pupmod.hiera_conf.local_hiera_files(hierarchy_name: 'Mapping Data').map { |f| YAML.load_file(f.path) }
+          end
+          filter_mapping_data_array_by_benchmark!(data_array)
+          filter_mapping_data_array_by_profile!(data_array)
+          filter_mapping_data_array_by_level!(data_array)
+          data_array
+        end
+
+        def filter_mapping_data_array_by_benchmark!(data_array)
+          return unless @benchmark
+
+          data_array.select! do |d|
+            d.keys.all? do |k|
+              k == 'benchmark' || k.match?(/::#{@benchmark}::/)
+            end
+          end
+        end
+
+        def filter_mapping_data_array_by_profile!(data_array)
+          return unless @profile
+
+          data_array.reject! { |d| nested_hash_value(d, @profile).nil? }
+        end
+
+        def filter_mapping_data_array_by_level!(data_array)
+          return unless @level
+
+          data_array.reject! { |d| nested_hash_value(d, @level).nil? }
+        end
+
+        def nested_hash_value(obj, key)
+          if obj.respond_to?(:key?) && obj.key?(key)
+            obj[key]
+          elsif obj.respond_to?(:each)
+            r = nil
+            obj.find { |*a| r = nested_hash_value(a.last, key) }
+            r
+          end
+        end
+
+        def filter_stig_mapping_data(data_array); end
+
+        def fact_array_for(*keys)
+          keys.each_with_object([]) { |(k, _), a| a << fact_filter_value(k) }.compact
+        end
+
+        def fact_filter_value(key)
+          value = instance_variable_get("@#{key}")
+          return if value.nil? || value.empty?
+
+          [KEY_FACT_MAP[key], value]
+        end
+      end
+
+      class OldReport
+        def initialize(benchmarks)
+          @benchmarks = benchmarks
+        end
+
+        def self.generate
+          coverage = {}
+          coverage['classes'] = {}
+          all_cap = ClassUtils.find_all_classes_and_paths(puppet_class_dir)
+          invalid_classes = find_invalid_classes(all_cap)
+          valid_classes = find_valid_classes(all_cap, invalid_classes)
+          coverage['classes']['invalid'] = invalid_classes
+          coverage['classes']['valid'] = valid_classes
+          hiera = YAML.safe_load(File.open(hiera_path))
+          profile&.gsub!(/^profile_/, '') unless profile.nil?
+
+          matcher = profile.nil? ? /^profile_/ : /^profile_#{profile}/
+          hiera.each do |k, v|
+            key_base = k.split('::')[-1]
+            coverage['benchmark'] = v if key_base == 'title'
+            next unless key_base.match?(matcher)
+
+            coverage[key_base] = generate_uncovered_data(v, valid_classes)
+          end
+          coverage
+        end
+
+        def self.generate_uncovered_data(ctrl_list, valid_classes)
+          out_hash = {}
+          out_hash[:num_total] = ctrl_list.length
+          out_hash[:uncovered] = []
+          out_hash[:covered] = []
+          ctrl_list.each do |c|
+            if valid_classes.include?(c)
+              out_hash[:covered] << c
+            else
+              out_hash[:uncovered] << c
+            end
+          end
+          out_hash[:num_covered] = out_hash[:covered].length
+          out_hash[:num_uncovered] = out_hash[:uncovered].length
+          out_hash[:coverage] = Float(
+            (Float(out_hash[:num_covered]) / Float(out_hash[:num_total])) * 100.0
+          ).floor(3)
+          out_hash
+        end
+
+        def self.find_valid_classes(all_cap, invalid_classes)
+          all_classes = all_cap.dup.transpose[0]
+          return [] if all_classes.nil?
+
+          return all_classes - invalid_classes unless invalid_classes.nil?
+
+          all_classes
+        end
+
+        def self.find_invalid_classes(all_cap)
+          invalid_classes = []
+          all_cap.each do |cap|
+            invalid_classes << cap[0] unless class_valid?(cap[1])
+          end
+          invalid_classes
+        end
+
+        def self.class_valid?(manifest_path)
+          compiler = Puppet::Pal::Compiler.new(nil)
+          ast = compiler.parse_file(manifest_path)
+          ast.body.body.statements.each do |s|
+            next unless s.respond_to?(:arguments)
+            next unless s.arguments.respond_to?(:each)
+
+            s.arguments.each do |i|
+              return false if i.value == 'Not implemented'
+            end
+          end
+          true
+        end
+      end
+
+      # Class manages organizing report data into various output formats
+      class ReportOutput
+        attr_reader :controls_in_resource_data, :rules_in_map, :timestamp,
+                    :title
+
+        def initialize(benchmark, controls_in_resource_data, rules_in_map)
+          @benchmark = benchmark
+          @controls_in_resource_data = controls_in_resource_data
+          @rules_in_map = rules_in_map
+          @timestamp = DateTime.now.iso8601
+          @title = "Coverage Report for #{@benchmark.title_key}"
+        end
+
+        def uncovered
+          @uncovered ||= rules_in_map - controls_in_resource_data
+        end
+
+        def uncovered_count
+          @uncovered_count ||= uncovered.length
+        end
+
+        def covered
+          @covered ||= rules_in_map - uncovered
+        end
+
+        def covered_count
+          @covered_count ||= covered.length
+        end
+
+        def total_count
+          @total_count ||= rules_in_map.length
+        end
+
+        def percentage
+          @percentage ||= covered_count.to_f / total_count
+        end
+
+        def to_h
+          {
+            title: title,
+            timestamp: timestamp,
+            benchmark: benchmark_hash,
+            coverage: coverage_hash,
+          }
+        end
+
+        def to_json(opts = nil)
+          JSON.generate(to_h, opts)
+        end
+
+        def to_yaml
+          to_h.to_yaml
+        end
+
+        def benchmark_hash
+          {
+            title: @benchmark.title,
+            version: @benchmark.version,
+            framework: @benchmark.framework,
+          }
+        end
+
+        def coverage_hash
+          {
+            total_count: total_count,
+            uncovered_count: uncovered_count,
+            uncovered: uncovered,
+            covered_count: covered_count,
+            covered: covered,
+            percentage: percentage,
+            controls_in_resource_data: controls_in_resource_data,
+            rules_in_map: rules_in_map,
+          }
+        end
+      end
+
+      # Creates ReportOutput objects based on the given Benchmark
+      class BenchmarkReport
+        def initialize(benchmark)
+          @benchmark = benchmark
+        end
+
+        def controls_in_resource_data
+          @controls_in_resource_data ||= find_controls_in_resource_data
+        end
+
+        def controls_in_mapping_data
+          @controls_in_mapping_data ||= find_controls_in_mapping_data
+        end
+
+        def basic_coverage(level: nil, profile: nil)
+          map_type = @benchmark.map_type(controls_in_resource_data[0])
+          rules_in_map = @benchmark.rules_in_map(map_type, level: level, profile: profile)
+          AbideDevUtils::CEM::CoverageReport::ReportOutput.new(@benchmark, controls_in_resource_data, rules_in_map)
+        end
+
+        private
+
+        def find_controls_in_resource_data
+          controls = @benchmark.resource_data["#{@benchmark.module_name}::resources"].each_with_object([]) do |(rname, rval), arr|
+            arr << case rval['controls'].class.to_s
+                   when 'Hash'
+                     rval['controls'].keys
+                   when 'Array'
+                     rval['controls']
+                   else
+                     raise "Invalid controls type: #{rval['controls'].class}"
+                   end
+          end
+          controls.flatten.uniq.select do |c|
+            case @benchmark.framework
+            when 'cis'
+              @benchmark.map_type(c) != 'vulnid'
+            when 'stig'
+              @benchmark.map_type(c) == 'vulnid'
+            else
+              raise "Cannot find controls for framework #{@benchmark.framework}"
+            end
+          end
+        end
+
+        def find_controls_in_mapping_data
+          controls = @benchmark.map_data[0].each_with_object([]) do |(_, mapping), arr|
+            mapping.each do |level, profs|
+              next if level == 'benchmark'
+
+              profs.each do |_, ctrls|
+                arr << ctrls.keys
+                arr << ctrls.values
+              end
+            end
+          end
+          controls.flatten.uniq
+        end
+      end
+    end
+  end
+end

data/lib/abide_dev_utils/cem/generate/reference.rb

@@ -0,0 +1,116 @@
+# frozen_string_literal: true
+
+require 'json'
+require 'yaml'
+require 'abide_dev_utils/markdown'
+require 'abide_dev_utils/ppt'
+require 'abide_dev_utils/cem/benchmark'
+
+module AbideDevUtils
+  module CEM
+    module Generate
+      # Holds objects and methods for generating a reference doc
+      module Reference
+        MAPPING_PATH_KEY = 'Mapping Data'
+        RESOURCE_DATA_PATH_KEY = 'Resource Data'
+
+        def self.generate(data = {})
+          pupmod = AbideDevUtils::Ppt::PuppetModule.new
+          doc_title = case pupmod.name
+                      when 'puppetlabs-cem_linux'
+                        'CEM Linux Reference'
+                      when 'puppetlabs-cem_windows'
+                        'CEM Windows Reference'
+                      else
+                        'Reference'
+                      end
+          benchmarks = AbideDevUtils::CEM::Benchmark.benchmarks_from_puppet_module(pupmod)
+          case data.fetch(:format, 'markdown')
+          when 'markdown'
+            MarkdownGenerator.new(benchmarks).generate(doc_title)
+          else
+            raise "Format #{data[:format]} is unsupported! Only `markdown` format supported"
+          end
+        end
+
+        def self.generate_markdown
+          AbideDevUtils::Markdown.new('REFERENCE.md').generate
+        end
+
+        def self.config_example(control, params_array)
+          out_str = ['cem_windows::config:', '  control_configs:', "    \"#{control}\":"]
+          indent = '      '
+          params_array.each do |param_hash|
+            val = case param_hash[:type]
+                  when 'String'
+                    "'#{param_hash[:default]}'"
+                  else
+                    param_hash[:default]
+                  end
+
+            out_str << "#{indent}#{param_hash[:name]}: #{val}"
+          end
+          out_str.join("\n")
+        end
+
+        # Generates a markdown reference doc
+        class MarkdownGenerator
+          def initialize(benchmarks)
+            @benchmarks = benchmarks
+            @md = AbideDevUtils::Markdown.new('REFERENCE.md')
+          end
+
+          def generate(doc_title = 'Reference')
+            md.add_title(doc_title)
+            benchmarks.each do |benchmark|
+              md.add_h1(benchmark.title_key)
+              benchmark.rules.each do |title, rule|
+                md.add_h2("#{rule['number']} #{title}")
+                md.add_ul('Parameters:')
+                rule['params'].each do |p|
+                  md.add_ul("#{md.code(p[:name])} - [ #{md.code(p[:type])} ] - #{md.italic('Default:')} #{md.code(p[:default])}", indent: 1)
+                end
+                md.add_ul('Config Example:')
+                example = config_example(benchmark.module_name, title, rule['params'])
+                md.add_code_block(example, language: 'yaml')
+                md.add_ul('Supported Levels:')
+                rule['level'].each do |l|
+                  md.add_ul(md.code(l), indent: 1)
+                end
+                md.add_ul('Supported Profiles:')
+                rule['profile'].each do |l|
+                  md.add_ul(md.code(l), indent: 1)
+                end
+                md.add_ul('Alternate Config IDs:')
+                rule['alternate_ids'].each do |l|
+                  md.add_ul(md.code(l), indent: 1)
+                end
+                md.add_ul("Resource: #{md.code(rule['resource'].capitalize)}")
+              end
+            end
+            md.to_file
+          end
+
+          private
+
+          attr_reader :benchmarks, :md
+
+          def config_example(module_name, control, params_array)
+            out_str = ["#{module_name}::config:", '  control_configs:', "    \"#{control}\":"]
+            indent = '      '
+            params_array.each do |param_hash|
+              val = case param_hash[:type]
+                    when 'String'
+                      "'#{param_hash[:default]}'"
+                    else
+                      param_hash[:default]
+                    end
+              out_str << "#{indent}#{param_hash[:name]}: #{val}"
+            end
+            out_str.join("\n")
+          end
+        end
+      end
+    end
+  end
+end

data/lib/abide_dev_utils/cem/generate.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+module AbideDevUtils
+  module CEM
+    # Holds objects and methods for `abide cem generate` subcommands
+    module Generate
+      require 'abide_dev_utils/cem/generate/reference'
+    end
+  end
+end

data/lib/abide_dev_utils/cem/mapping/mapper.rb

@@ -0,0 +1,155 @@
+# frozen_string_literal: true
+
+module AbideDevUtils
+  module CEM
+    module Mapping
+      # Handles interacting with mapping data
+      class Mapper
+        MAP_TYPES = %w[hiera_title_num number hiera_title vulnid title].freeze
+
+        attr_reader :module_name, :framework, :map_data
+
+        def initialize(module_name, framework, map_data)
+          @module_name = module_name
+          @framework = framework
+          load_framework(@framework)
+          @map_data = map_data
+          @cache = {}
+          @rule_cache = {}
+        end
+
+        def title
+          @title ||= benchmark_data['title']
+        end
+
+        def version
+          @version ||= benchmark_data['version']
+        end
+
+        def each_like(identifier)
+          mtype, mtop = map_type_and_top_key(identifier)
+          map_data[mtype][mtop].each { |key, val| yield key, val }
+        end
+
+        def each_with_array_like(identifier)
+          mtype, mtop = map_type_and_top_key(identifier)
+          map_data[mtype][mtop].each_with_object([]) { |(key, val), ary| yield [key, val], ary }
+        end
+
+        def get(control_id, level: nil, profile: nil)
+          return cache_get(control_id, level, profile) if cached?(control_id, level, profile)
+
+          value = get_map(control_id, level: level, profile: profile)
+          return if value.nil? || value.empty?
+
+          cache_set(value, control_id, level, profile)
+          value
+        end
+
+        def map_type(control_id)
+          return control_id if MAP_TYPES.include?(control_id)
+
+          case control_id
+          when %r{^c[0-9_]+$}
+            'hiera_title_num'
+          when %r{^[0-9][0-9.]*$}
+            'number'
+          when %r{^[a-z][a-z0-9_]+$}
+            'hiera_title'
+          when %r{^V-[0-9]{6}$}
+            'vulnid'
+          else
+            'title'
+          end
+        end
+
+        private
+
+        def load_framework(framework)
+          case framework.downcase
+          when 'cis'
+            self.class.include AbideDevUtils::CEM::Mapping::MixinCIS
+            extend AbideDevUtils::CEM::Mapping::MixinCIS
+          when 'stig'
+            self.class.include AbideDevUtils::CEM::Mapping::MixinSTIG
+            extend AbideDevUtils::CEM::Mapping::MixinSTIG
+          else
+            raise "Invalid framework: #{framework}"
+          end
+        end
+
+        def map_type_and_top_key(identifier)
+          mtype = MAP_TYPES.include?(identifier) ? identifier : map_type(identifier)
+          [mtype, map_top_key(mtype)]
+        end
+
+        def cached?(control_id, *args)
+          @cache.key?(cache_key(control_id, *args))
+        end
+
+        def cache_get(control_id, *args)
+          ckey = cache_key(control_id, *args)
+          @cache[ckey] if cached?(control_id, *args)
+        end
+
+        def cache_set(value, control_id, *args)
+          @cache[cache_key(control_id, *args)] = value unless value.nil?
+        end
+
+        def default_map_type
+          @default_map_type ||= (framework == 'stig' ? 'vulnid' : map_data.keys.first)
+        end
+
+        def benchmark_data
+          @benchmark_data ||= map_data[default_map_type][map_top_key(default_map_type)]['benchmark']
+        end
+
+        def cache_key(control_id, *args)
+          args.unshift(control_id).compact.join('-')
+        end
+
+        def map_top_key(mtype)
+          [module_name, 'mappings', framework, mtype].join('::')
+        end
+      end
+
+      # Mixin module used by Mapper to implement CIS-specific mapping behavior
+      module MixinCIS
+        def get_map(control_id, level: nil, profile: nil, **_)
+          mtype, mtop = map_type_and_top_key(control_id)
+          return if mtype == 'vulnid'
+
+          return map_data[mtype][mtop][level][profile][control_id] unless level.nil? || profile.nil?
+
+          map_data[mtype][mtop].each do |lvl, profile_hash|
+            next if lvl == 'benchmark'
+
+            profile_hash.each do |prof, control_hash|
+              return map_data[mtype][mtop][lvl][prof][control_id] if control_hash.key?(control_id)
+            end
+          end
+        end
+      end
+
+      # Mixin module used by Mapper to implement STIG-specific mapping behavior
+      module MixinSTIG
+        def get_map(control_id, level: nil, **_)
+          mtype, mtop = map_type_and_top_key(control_id)
+          return map_data[mtype][mtop][level][control_id] unless level.nil?
+
+          begin
+            map_data[mtype][mtop].each do |lvl, control_hash|
+              next if lvl == 'benchmark'
+
+              return control_hash[control_id] if control_hash.key?(control_id)
+            end
+          rescue NoMethodError => e
+            require 'pry'
+            binding.pry
+            #raise "Control ID: #{control_id}, Level: #{level}, #{e.message}"
+          end
+        end
+      end
+    end
+  end
+end

data/lib/abide_dev_utils/cem.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 require 'abide_dev_utils/xccdf'
+require 'abide_dev_utils/cem/coverage_report'
+require 'abide_dev_utils/cem/generate'
 
 module AbideDevUtils
   # Methods for working with Compliance Enforcement Modules (CEM)