abide_dev_utils 0.10.1 → 0.11.2

data/lib/abide_dev_utils/cem/hiera_data/resource_data.rb

@@ -0,0 +1,310 @@
+# frozen_string_literal: true
+
+require 'abide_dev_utils/errors'
+require 'abide_dev_utils/ppt/facter_utils'
+require 'abide_dev_utils/cem/hiera_data/resource_data/control'
+require 'abide_dev_utils/cem/hiera_data/resource_data/resource'
+
+module AbideDevUtils
+  module CEM
+    module HieraData
+      module ResourceData
+        # Creates Benchmark objects from a Puppet module
+        # @param pupmod [AbideDevUtils::Ppt::PuppetModule] A PuppetModule instance
+        # @param skip_errors [Boolean] True skips errors and loads non-erroring benchmarks, false raises the error.
+        # @return [Array<AbideDevUtils::CEM::Benchmark>] Array of Benchmark instances
+        def self.benchmarks_from_puppet_module(pupmod, ignore_all_errors: false, ignore_framework_mismatch: true)
+          frameworks = pupmod.hiera_conf.local_hiera_files(hierarchy_name: 'Mapping Data').each_with_object([]) do |hf, ary|
+            parts = hf.path.split(pupmod.hiera_conf.default_datadir)[-1].split('/')
+            ary << parts[2] unless ary.include?(parts[2])
+          end
+          pupmod.supported_os.each_with_object([]) do |supp_os, ary|
+            osname, majver = supp_os.split('::')
+            if majver.is_a?(Array)
+              majver.sort.each do |v|
+                frameworks.each do |fw|
+                  benchmark = Benchmark.new(osname,
+                                            v,
+                                            pupmod.hiera_conf,
+                                            pupmod.name(strip_namespace: true),
+                                            framework: fw)
+                  benchmark.controls
+                  ary << benchmark
+                rescue AbideDevUtils::Errors::MappingDataFrameworkMismatchError => e
+                  raise e unless ignore_all_errors || ignore_framework_mismatch
+                rescue StandardError => e
+                  raise e unless ignore_all_errors
+                end
+              end
+            else
+              frameworks.each do |fw|
+                benchmark = Benchmark.new(osname,
+                                          majver,
+                                          pupmod.hiera_conf,
+                                          pupmod.name(strip_namespace: true),
+                                          framework: fw)
+                benchmark.controls
+                ary << benchmark
+              rescue AbideDevUtils::Errors::MappingDataFrameworkMismatchError => e
+                raise e unless ignore_all_errors || ignore_framework_mismatch
+              rescue StandardError => e
+                raise e unless ignore_all_errors
+              end
+            end
+          end
+        end
+
+        # Repesents a benchmark based on resource and mapping data
+        class Benchmark
+          attr_reader :osname, :major_version, :os_facts, :osfamily, :hiera_conf, :module_name, :framework
+
+          def initialize(osname, major_version, hiera_conf, module_name, framework: 'cis')
+            @osname = osname
+            @major_version = major_version
+            @os_facts = AbideDevUtils::Ppt::FacterUtils.recursive_facts_for_os(@osname, @major_version)
+            @osfamily = @os_facts['os']['family']
+            @hiera_conf = hiera_conf
+            @module_name = module_name
+            @framework = framework
+            @map_cache = {}
+            @rules_in_map = {}
+          end
+
+          def resources
+            @resources ||= resource_data["#{module_name}::resources"].each_with_object([]) do |(rtitle, rdata), arr|
+              arr << Resource.new(rtitle, rdata, framework, mapper)
+            end
+          end
+
+          def controls
+            @controls ||= resources.map(&:controls).flatten.sort
+          end
+
+          def mapper
+            @mapper ||= AbideDevUtils::CEM::HieraData::MappingData::Mapper.new(module_name, framework, load_mapping_data)
+          end
+
+          def map_data
+            mapper.map_data
+          end
+
+          def resource_data
+            @resource_data ||= load_resource_data
+          end
+
+          def title
+            mapper.title
+          end
+
+          def version
+            mapper.version
+          end
+
+          def title_key
+            @title_key ||= "#{title} #{version}"
+          end
+
+          def add_rule(rule_hash)
+            @rules << rule_hash
+          end
+
+          def rules_in_map(mtype, level: nil, profile: nil)
+            real_mtype = map_type(mtype)
+            cache_key = [real_mtype, level, profile].compact.join('-')
+            return @rules_in_map[cache_key] if @rules_in_map.key?(cache_key)
+
+            all_rim = mapper.each_with_array_like(real_mtype) do |(lvl, profs), arr|
+              next if lvl == 'benchmark' || (!level.nil? && lvl != level)
+
+              profs.each do |prof, maps|
+                next if !profile.nil? && prof != profile
+
+                # CIS and STIG differ in that STIG does not have profiles
+                control_ids = maps.respond_to?(:keys) ? maps.keys : prof
+                arr << control_ids
+              end
+            end
+            @rules_in_map[cache_key] = all_rim.flatten.uniq
+            @rules_in_map[cache_key]
+          end
+
+          def map(control_id, level: nil, profile: nil)
+            mapper.get(control_id, level: level, profile: profile)
+          end
+
+          def map_type(control_id)
+            mapper.map_type(control_id)
+          end
+
+          private
+
+          # def load_rules
+          #   @rules ||= resources.map(&:controls).flatten
+          #   rule_hash = resource_data["#{module_name}::resources"].each_with_object({}) do |(_, rdata), rhsh|
+          #     unless rdata.key?('controls')
+          #       puts "Controls key not found in #{rdata}"
+          #       next
+          #     end
+          #     rdata['controls'].each do |control, control_data|
+          #       rule = Rule.new(control, data, framework, mapper)
+          #       rhsh[rule.display_title] = {} unless rhsh.key?(rule.display_title)
+          #       rhsh[rule.display_title]['number'] = rule.number
+          #       rhsh[rule.display_title]['alternate_ids'] = alternate_ids
+          #       rhsh[rule.display_title]['params'] = [] unless rhsh[rule.display_title].key?('params')
+          #       rhsh[rule.display_title]['level'] = [] unless rhsh[rule.display_title].key?('level')
+          #       rhsh[rule.display_title]['profile'] = [] unless rhsh[rule.display_title].key?('profile')
+          #       param_hashes(control_data).each do |param_hash|
+          #         next if rhsh[rule_title]['params'].include?(param_hash[:name])
+
+          #         rhsh[rule_title]['params'] << param_hash
+          #       end
+          #       levels, profiles = find_levels_and_profiles(control)
+          #       unless rhsh[rule_title]['level'] == levels
+          #         rhsh[rule_title]['level'] = rhsh[rule_title]['level'] || levels
+          #       end
+          #       unless rhsh[rule_title]['profile'] == profiles
+          #         rhsh[rule_title]['profile'] = rhsh[rule_title]['profile'] || profiles
+          #       end
+          #       rhsh[rule_title]['resource'] = rdata['type']
+          #     end
+          #   end
+          #   sort_rules(rule_hash)
+          # end
+
+          # def param_hashes(control_data)
+          #   return [] if control_data.nil? || control_data.empty?
+
+          #   p_hashes = []
+          #   if !control_data.respond_to?(:each) && control_data == 'no_params'
+          #     p_hashes << no_params
+          #   else
+          #     control_data.each do |param, param_val|
+          #       p_hashes << {
+          #         name: param,
+          #         type: ruby_class_to_puppet_type(param_val.class.to_s),
+          #         default: param_val,
+          #       }
+          #     end
+          #   end
+          #   p_hashes
+          # end
+
+          # def no_params
+          #   { name: 'No parameters', type: nil, default: nil }
+          # end
+
+          # # We sort the rules by their control number so they
+          # # appear in the REFERENCE in benchmark order
+          # def sort_rules(rule_hash)
+          #   sorted = rule_hash.dup.sort_by do |_, v|
+          #     control_num_to_int(v['number'])
+          #   end
+          #   sorted.to_h
+          # end
+
+          # In order to sort the rules by their control number,
+          # we need to convert the control number to an integer.
+          # This is a rough conversion, but should be sufficient
+          # for the purposes of sorting. The multipliers are
+          # the 20th, 15th, 10th, and 5th numbers in the Fibonacci
+          # sequence, then 1 after that. The reason for this is to
+          # ensure a "spiraled" wieghting of the sections in the control
+          # number, with 1st section having the most sorting weight, 2nd
+          # having second most, etc. However, the differences in the multipliers
+          # are such that it would be difficult for the product of a lesser-weighted
+          # section to be greater than a greater-weighted section.
+          # def control_num_to_int(control_num)
+          #   multipliers = [6765, 610, 55, 5, 1]
+          #   nsum = 0
+          #   midx = 0
+          #   control_num.split('.').each do |num|
+          #     multiplier = midx >= multipliers.length ? 1 : multipliers[midx]
+          #     nsum += num.to_i * multiplier
+          #     midx += 1
+          #   end
+          #   nsum
+          # end
+
+          # def find_levels_and_profiles(control_id)
+          #   levels = []
+          #   profiles = []
+          #   mapper.each_like(control_id) do |lvl, profile_hash|
+          #     next if lvl == 'benchmark'
+
+          #     profile_hash.each do |prof, _|
+          #       unless map(control_id, level: lvl, profile: prof).nil?
+          #         levels << lvl
+          #         profiles << prof
+          #       end
+          #     end
+          #   end
+          #   [levels, profiles]
+          # end
+
+          # def ruby_class_to_puppet_type(class_name)
+          #   pup_type = class_name.split('::').last.capitalize
+          #   case pup_type
+          #   when %r{(Trueclass|Falseclass)}
+          #     'Boolean'
+          #   when %r{(String|Pathname)}
+          #     'String'
+          #   when %r{(Integer|Fixnum)}
+          #     'Integer'
+          #   when %r{(Float|Double)}
+          #     'Float'
+          #   else
+          #     pup_type
+          #   end
+          # end
+
+          def load_mapping_data
+            files = case module_name
+                    when /_windows$/
+                      cem_windows_mapping_files
+                    when /_linux$/
+                      cem_linux_mapping_files
+                    else
+                      raise "Module name '#{module_name}' is not a CEM module"
+                    end
+            validate_mapping_files_framework(files).each_with_object({}) do |f, h|
+              h[File.basename(f.path, '.yaml')] = YAML.load_file(f.path)
+            end
+          end
+
+          def cem_linux_mapping_files
+            facts = [['os.name', osname], ['os.release.major', major_version]]
+            mapping_files = hiera_conf.local_hiera_files_with_facts(*facts, hierarchy_name: 'Mapping Data')
+            raise AbideDevUtils::Errors::MappingFilesNotFoundError, facts if mapping_files.nil? || mapping_files.empty?
+
+            mapping_files
+          end
+
+          def cem_windows_mapping_files
+            facts = ['os.release.major', major_version]
+            mapping_files = hiera_conf.local_hiera_files_with_fact(facts[0], facts[1], hierarchy_name: 'Mapping Data')
+            raise AbideDevUtils::Errors::MappingFilesNotFoundError, facts if mapping_files.nil? || mapping_files.empty?
+
+            mapping_files
+          end
+
+          def validate_mapping_files_framework(files)
+            validated_files = files.select { |f| f.path_parts.include?(framework) }
+            if validated_files.nil? || validated_files.empty?
+              raise AbideDevUtils::Errors::MappingDataFrameworkMismatchError, framework
+            end
+
+            validated_files
+          end
+
+          def load_resource_data
+            facts = [['os.family', osfamily], ['os.name', osname], ['os.release.major', major_version]]
+            rdata_files = hiera_conf.local_hiera_files_with_facts(*facts, hierarchy_name: 'Resource Data')
+            raise AbideDevUtils::Errors::ResourceDataNotFoundError, facts if rdata_files.nil? || rdata_files.empty?
+
+            YAML.load_file(rdata_files[0].path)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/abide_dev_utils/cem/hiera_data.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module AbideDevUtils
+  module CEM
+    module HieraData; end
+  end
+end

data/lib/abide_dev_utils/cem/mapping/mapper.rb

@@ -0,0 +1,282 @@
+# frozen_string_literal: true
+
+require 'abide_dev_utils/cem/hiera_data/mapping_data/map_data'
+require 'abide_dev_utils/cem/hiera_data/mapping_data/mixins'
+
+module AbideDevUtils
+  module CEM
+    module Mapping
+      ALL_TYPES = %w[hiera_title_num number hiera_title vulnid title].freeze
+      FRAMEWORK_TYPES = {
+        'cis' => %w[hiera_title_num number hiera_title title],
+        'stig' => %w[hiera_title_num number hiera_title vulnid title],
+      }.freeze
+      CIS_TYPES = %w[hiera_title_num number hiera_title title].freeze
+      STIG_TYPES = %w[hiera_title_num number hiera_title vulnid title].freeze
+
+      # Represents a single map data file
+      class MapData
+        def initialize(data)
+          @raw_data = data
+        end
+
+        def method_missing(meth, *args, &block)
+          if data.respond_to?(meth)
+            data.send(meth, *args, &block)
+          else
+            super
+          end
+        end
+
+        def respond_to_missing?(meth, include_private = false)
+          data.respond_to?(meth) || super
+        end
+
+        def find(identifier, level: nil, profile: nil)
+          levels.each do |lvl|
+            next unless level.nil? || lvl != level
+
+            data[lvl].each do |prof, prof_data|
+              if prof_data.respond_to?(:keys)
+                next unless profile.nil? || prof != profile
+
+                return prof_data[identifier] if prof_data.key?(identifier)
+              elsif prof == identifier
+                return prof_data
+              end
+            end
+          end
+        end
+
+        def get(identifier, level: nil, profile: nil)
+          raise "Invalid level: #{level}" unless profile.nil? || levels.include?(level)
+          raise "Invalid profile: #{profile}" unless profile.nil? || profiles.include?(profile)
+          return find(identifier, level: level, profile: profile) if level.nil? || profile.nil?
+
+          begin
+            data.dig(level, profile, identifier)
+          rescue TypeError
+            data.dig(level, identifier)
+          end
+        end
+
+        def module_name
+          top_key_parts[0]
+        end
+
+        def framework
+          top_key_parts[2]
+        end
+
+        def type
+          top_key_parts[3]
+        end
+
+        def benchmark
+          @raw_data[top_key]['benchmark']
+        end
+
+        def levels_and_profiles
+          @levels_and_profiles ||= find_levels_and_profiles
+        end
+
+        def levels
+          levels_and_profiles[0]
+        end
+
+        def profiles
+          levels_and_profiles[1]
+        end
+
+        def top_key
+          @top_key ||= @raw_data.keys.first
+        end
+
+        private
+
+        def top_key_parts
+          @top_key_parts ||= top_key.split('::')
+        end
+
+        def data
+          @data ||= @raw_data[top_key].reject { |k, _| k == 'benchmark' }
+        end
+
+        def find_levels_and_profiles
+          lvls = []
+          profs = []
+          data.each do |lvl, prof_hash|
+            lvls << lvl
+            prof_hash.each do |prof, prof_data|
+              profs << prof if prof_data.respond_to?(:keys)
+            end
+          end
+          [lvls.flatten.compact.uniq, profs.flatten.compact.uniq]
+        end
+      end
+
+      # Handles interacting with mapping data
+      class Mapper
+        attr_reader :module_name, :framework, :map_data
+
+        def initialize(module_name, framework, map_data)
+          @module_name = module_name
+          @framework = framework
+          load_framework(@framework)
+          @map_data = map_data.map { |_, v| MapData.new(v) }
+          @cache = {}
+          @rule_cache = {}
+        end
+
+        def title
+          @title ||= benchmark_data['title']
+        end
+
+        def version
+          @version ||= benchmark_data['version']
+        end
+
+        def levels
+          @levels ||= default_map_data.levels
+        end
+
+        def profiles
+          @profiles ||= default_map_data.profiles
+        end
+
+        def each_like(identifier)
+          identified_map_data(identifier)&.each { |key, val| yield key, val }
+        end
+
+        def each_with_array_like(identifier)
+          identified_map_data(identifier)&.each_with_object([]) { |(key, val), ary| yield [key, val], ary }
+        end
+
+        def get(control_id, level: nil, profile: nil)
+          identified_map_data(control_id)&.get(control_id, level: level, profile: profile)
+        end
+
+        def map_type(control_id)
+          return control_id if ALL_TYPES.include?(control_id)
+
+          case control_id
+          when %r{^c[0-9_]+$}
+            'hiera_title_num'
+          when %r{^[0-9][0-9.]*$}
+            'number'
+          when %r{^[a-z][a-z0-9_]+$}
+            'hiera_title'
+          when %r{^V-[0-9]{6}$}
+            'vulnid'
+          else
+            'title'
+          end
+        end
+
+        private
+
+        def load_framework(framework)
+          case framework.downcase
+          when 'cis'
+            self.class.include AbideDevUtils::CEM::Mapping::MixinCIS
+            extend AbideDevUtils::CEM::Mapping::MixinCIS
+          when 'stig'
+            self.class.include AbideDevUtils::CEM::Mapping::MixinSTIG
+            extend AbideDevUtils::CEM::Mapping::MixinSTIG
+          else
+            raise "Invalid framework: #{framework}"
+          end
+        end
+
+        def map_data_by_type(map_type)
+          found_map_data = map_data.find { |x| x.type == map_type }
+          raise "Failed to find map data with type #{map_type}; Meta: #{{framework: framework, module_name: module_name}}" unless found_map_data
+
+          found_map_data
+        end
+
+        def identified_map_data(identifier, valid_types: ALL_TYPES)
+          mtype = map_type(identifier)
+          return unless valid_types.include?(mtype)
+
+          map_data_by_type(mtype)
+        end
+
+        def map_type_and_top_key(identifier)
+          mtype = ALL_TYPES.include?(identifier) ? identifier : map_type(identifier)
+          [mtype, map_top_key(mtype)]
+        end
+
+        def cached?(control_id, *args)
+          @cache.key?(cache_key(control_id, *args))
+        end
+
+        def cache_get(control_id, *args)
+          ckey = cache_key(control_id, *args)
+          @cache[ckey] if cached?(control_id, *args)
+        end
+
+        def cache_set(value, control_id, *args)
+          @cache[cache_key(control_id, *args)] = value unless value.nil?
+        end
+
+        def default_map_type
+          @default_map_type ||= (framework == 'stig' ? 'vulnid' : map_data.first.type)
+        end
+
+        def default_map_data
+          @default_map_data ||= map_data.first
+        end
+
+        def benchmark_data
+          @benchmark_data ||= default_map_data.benchmark
+        end
+
+        def cache_key(control_id, *args)
+          args.unshift(control_id).compact.join('-')
+        end
+
+        def map_top_key(mtype)
+          [module_name, 'mappings', framework, mtype].join('::')
+        end
+      end
+
+      # Mixin module used by Mapper to implement CIS-specific mapping behavior
+      module MixinCIS
+        def get_map(control_id, level: nil, profile: nil, **_)
+          identified_map_data(control_id, valid_types: CIS_TYPES).get(control_id, level: level, profile: profile)
+          return unless imdata
+
+          if level.nil? || profile.nil?
+            map_data[mtype][mtop].each do |lvl, profile_hash|
+              next if lvl == 'benchmark' || (level && level != lvl)
+
+              profile_hash.each do |prof, control_hash|
+                next if profile && profile != prof
+
+                return control_hash[control_id] if control_hash.key?(control_id)
+              end
+            end
+          else
+            imdata[level][profile][control_id]
+          end
+        end
+      end
+
+      # Mixin module used by Mapper to implement STIG-specific mapping behavior
+      module MixinSTIG
+        def get_map(control_id, level: nil, **_)
+          mtype, mtop = map_type_and_top_key(control_id)
+          return unless STIG_TYPES.include?(mtype)
+          return map_data[mtype][mtop][level][control_id] unless level.nil?
+
+          map_data[mtype][mtop].each do |lvl, control_hash|
+            next if lvl == 'benchmark'
+
+            return control_hash[control_id] if control_hash.key?(control_id)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/abide_dev_utils/cem/validate/resource_data.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+require 'abide_dev_utils/ppt'
+require 'abide_dev_utils/cem/benchmark'
+
+module AbideDevUtils
+  module CEM
+    module Validate
+      # Validation methods for resource data
+      module ResourceData
+        class ControlsWithoutMapsError < StandardError; end
+
+        def self.controls_without_maps(module_dir = Dir.pwd)
+          pupmod = AbideDevUtils::Ppt::PuppetModule.new(module_dir)
+          benchmarks = AbideDevUtils::CEM::Benchmark.benchmarks_from_puppet_module(pupmod)
+          without_maps = benchmarks.each_with_object({}) do |benchmark, hsh|
+            puts "Validating #{benchmark.title}..."
+            hsh[benchmark.title] = benchmark.controls.each_with_object([]) do |ctrl, no_maps|
+              no_maps << ctrl.id unless ctrl.valid_maps?
+            end
+          end
+          err = ['Found controls in resource data without maps.']
+          without_maps.each do |key, val|
+            next if val.empty?
+
+            err << val.unshift("#{key}:").join("\n  ")
+          end
+          raise ControlsWithoutMapsError, err.join("\n") unless without_maps.values.all?(&:empty?)
+        end
+      end
+    end
+  end
+end

data/lib/abide_dev_utils/cem/validate.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+require 'abide_dev_utils/cem/validate/resource_data'
+
+module AbideDevUtils
+  module CEM
+    # Namespace for CEM validation modules / classes
+    module Validate; end
+  end
+end

data/lib/abide_dev_utils/cem.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require 'abide_dev_utils/xccdf'
+require 'abide_dev_utils/cem/generate'
 
 module AbideDevUtils
   # Methods for working with Compliance Enforcement Modules (CEM)