RubyGems - abide_dev_utils - Versions diffs - 0.11.0 → 0.11.1 - Mend

abide_dev_utils 0.11.0 → 0.11.1

Files changed (44) hide show

checksums.yaml +4 -4
data/Gemfile.lock +1 -14
data/lib/abide_dev_utils/cem/benchmark.rb +330 -136
data/lib/abide_dev_utils/cem/generate/coverage_report.rb +380 -0
data/lib/abide_dev_utils/cem/generate/reference.rb +157 -33
data/lib/abide_dev_utils/cem/generate.rb +5 -4
data/lib/abide_dev_utils/cem/hiera_data/mapping_data/map_data.rb +110 -0
data/lib/abide_dev_utils/cem/hiera_data/mapping_data/mixins.rb +46 -0
data/lib/abide_dev_utils/cem/hiera_data/mapping_data.rb +146 -0
data/lib/abide_dev_utils/cem/hiera_data/resource_data/control.rb +127 -0
data/lib/abide_dev_utils/cem/hiera_data/resource_data/parameters.rb +90 -0
data/lib/abide_dev_utils/cem/hiera_data/resource_data/resource.rb +102 -0
data/lib/abide_dev_utils/cem/hiera_data/resource_data.rb +310 -0
data/lib/abide_dev_utils/cem/hiera_data.rb +7 -0
data/lib/abide_dev_utils/cem/mapping/mapper.rb +161 -34
data/lib/abide_dev_utils/cem/validate/resource_data.rb +33 -0
data/lib/abide_dev_utils/cem/validate.rb +10 -0
data/lib/abide_dev_utils/cem.rb +0 -1
data/lib/abide_dev_utils/cli/cem.rb +20 -2
data/lib/abide_dev_utils/dot_number_comparable.rb +75 -0
data/lib/abide_dev_utils/errors/cem.rb +10 -0
data/lib/abide_dev_utils/ppt/class_utils.rb +1 -1
data/lib/abide_dev_utils/ppt/code_gen/data_types.rb +51 -0
data/lib/abide_dev_utils/ppt/code_gen/generate.rb +15 -0
data/lib/abide_dev_utils/ppt/code_gen/resource.rb +59 -0
data/lib/abide_dev_utils/ppt/code_gen/resource_types/base.rb +93 -0
data/lib/abide_dev_utils/ppt/code_gen/resource_types/class.rb +17 -0
data/lib/abide_dev_utils/ppt/code_gen/resource_types/manifest.rb +16 -0
data/lib/abide_dev_utils/ppt/code_gen/resource_types/parameter.rb +16 -0
data/lib/abide_dev_utils/ppt/code_gen/resource_types/strings.rb +13 -0
data/lib/abide_dev_utils/ppt/code_gen/resource_types.rb +6 -0
data/lib/abide_dev_utils/ppt/code_gen.rb +15 -0
data/lib/abide_dev_utils/ppt/code_introspection.rb +102 -0
data/lib/abide_dev_utils/ppt/hiera.rb +4 -1
data/lib/abide_dev_utils/ppt/puppet_module.rb +2 -1
data/lib/abide_dev_utils/ppt.rb +3 -0
data/lib/abide_dev_utils/version.rb +1 -1
data/lib/abide_dev_utils/xccdf/parser/helpers.rb +146 -0
data/lib/abide_dev_utils/xccdf/parser/objects.rb +87 -144
data/lib/abide_dev_utils/xccdf/parser.rb +5 -0
data/lib/abide_dev_utils/xccdf/utils.rb +89 -0
data/lib/abide_dev_utils/xccdf.rb +3 -0
metadata +27 -3
data/lib/abide_dev_utils/cem/coverage_report.rb +0 -348

data/lib/abide_dev_utils/cem/hiera_data/mapping_data/map_data.rb ADDED Viewed

@@ -0,0 +1,110 @@
+# frozen_string_literal: true
+module AbideDevUtils
+  module CEM
+    module HieraData
+      module MappingData
+        # Represents a single map data file
+        class MapData
+          def initialize(data)
+            @raw_data = data
+          end
+          def method_missing(meth, *args, &block)
+            if data.respond_to?(meth)
+              data.send(meth, *args, &block)
+            else
+              super
+            end
+          end
+          def respond_to_missing?(meth, include_private = false)
+            data.respond_to?(meth) || super
+          end
+          def find(identifier, level: nil, profile: nil)
+            levels.each do |lvl|
+              next unless level.nil? || lvl != level
+              data[lvl].each do |prof, prof_data|
+                if prof_data.respond_to?(:keys)
+                  next unless profile.nil? || prof != profile
+                  return prof_data[identifier] if prof_data.key?(identifier)
+                elsif prof == identifier
+                  return prof_data
+                end
+              end
+            end
+          end
+          def get(identifier, level: nil, profile: nil)
+            raise "Invalid level: #{level}" unless profile.nil? || levels.include?(level)
+            raise "Invalid profile: #{profile}" unless profile.nil? || profiles.include?(profile)
+            return find(identifier, level: level, profile: profile) if level.nil? || profile.nil?
+            begin
+              data.dig(level, profile, identifier)
+            rescue TypeError
+              data.dig(level, identifier)
+            end
+          end
+          def module_name
+            top_key_parts[0]
+          end
+          def framework
+            top_key_parts[2]
+          end
+          def type
+            top_key_parts[3]
+          end
+          def benchmark
+            @raw_data[top_key]['benchmark']
+          end
+          def levels_and_profiles
+            @levels_and_profiles ||= find_levels_and_profiles
+          end
+          def levels
+            levels_and_profiles[0]
+          end
+          def profiles
+            levels_and_profiles[1]
+          end
+          def top_key
+            @top_key ||= @raw_data.keys.first
+          end
+          private
+          def top_key_parts
+            @top_key_parts ||= top_key.split('::')
+          end
+          def data
+            @data ||= @raw_data[top_key].reject { |k, _| k == 'benchmark' }
+          end
+          def find_levels_and_profiles
+            lvls = []
+            profs = []
+            data.each do |lvl, prof_hash|
+              lvls << lvl
+              prof_hash.each do |prof, prof_data|
+                profs << prof if prof_data.respond_to?(:keys)
+              end
+            end
+            [lvls.flatten.compact.uniq, profs.flatten.compact.uniq]
+          end
+        end
+      end
+    end
+  end
+end

data/lib/abide_dev_utils/cem/hiera_data/mapping_data/mixins.rb ADDED Viewed

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+module AbideDevUtils
+  module CEM
+    module HieraData
+      module MappingData
+        # Mixin module used by Mapper to implement CIS-specific mapping behavior
+        module MixinCIS
+          def get_map(control_id, level: nil, profile: nil, **_)
+            identified_map_data(control_id, valid_types: CIS_TYPES).get(control_id, level: level, profile: profile)
+            return unless imdata
+            if level.nil? || profile.nil?
+              map_data[mtype][mtop].each do |lvl, profile_hash|
+                next if lvl == 'benchmark' || (level && level != lvl)
+                profile_hash.each do |prof, control_hash|
+                  next if profile && profile != prof
+                  return control_hash[control_id] if control_hash.key?(control_id)
+                end
+              end
+            else
+              imdata[level][profile][control_id]
+            end
+          end
+        end
+        # Mixin module used by Mapper to implement STIG-specific mapping behavior
+        module MixinSTIG
+          def get_map(control_id, level: nil, **_)
+            mtype, mtop = map_type_and_top_key(control_id)
+            return unless STIG_TYPES.include?(mtype)
+            return map_data[mtype][mtop][level][control_id] unless level.nil?
+            map_data[mtype][mtop].each do |lvl, control_hash|
+              next if lvl == 'benchmark'
+              return control_hash[control_id] if control_hash.key?(control_id)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/abide_dev_utils/cem/hiera_data/mapping_data.rb ADDED Viewed

@@ -0,0 +1,146 @@
+# frozen_string_literal: true
+require 'abide_dev_utils/cem/hiera_data/mapping_data/map_data'
+require 'abide_dev_utils/cem/hiera_data/mapping_data/mixins'
+module AbideDevUtils
+  module CEM
+    module HieraData
+      module MappingData
+        ALL_TYPES = %w[hiera_title_num number hiera_title vulnid title].freeze
+        FRAMEWORK_TYPES = {
+          'cis' => %w[hiera_title_num number hiera_title title],
+          'stig' => %w[hiera_title_num number hiera_title vulnid title],
+        }.freeze
+        CIS_TYPES = %w[hiera_title_num number hiera_title title].freeze
+        STIG_TYPES = %w[hiera_title_num number hiera_title vulnid title].freeze
+        # Handles interacting with mapping data
+        class Mapper
+          attr_reader :module_name, :framework, :map_data
+          def initialize(module_name, framework, map_data)
+            @module_name = module_name
+            @framework = framework
+            load_framework(@framework)
+            @map_data = map_data.map { |_, v| MapData.new(v) }
+            @cache = {}
+            @rule_cache = {}
+          end
+          def title
+            @title ||= benchmark_data['title']
+          end
+          def version
+            @version ||= benchmark_data['version']
+          end
+          def levels
+            @levels ||= default_map_data.levels
+          end
+          def profiles
+            @profiles ||= default_map_data.profiles
+          end
+          def each_like(identifier)
+            identified_map_data(identifier)&.each { |key, val| yield key, val }
+          end
+          def each_with_array_like(identifier)
+            identified_map_data(identifier)&.each_with_object([]) { |(key, val), ary| yield [key, val], ary }
+          end
+          def get(control_id, level: nil, profile: nil)
+            identified_map_data(control_id)&.get(control_id, level: level, profile: profile)
+          end
+          def map_type(control_id)
+            return control_id if ALL_TYPES.include?(control_id)
+            case control_id
+            when %r{^c[0-9_]+$}
+              'hiera_title_num'
+            when %r{^[0-9][0-9.]*$}
+              'number'
+            when %r{^[a-z][a-z0-9_]+$}
+              'hiera_title'
+            when %r{^V-[0-9]{6}$}
+              'vulnid'
+            else
+              'title'
+            end
+          end
+          private
+          def load_framework(framework)
+            case framework.downcase
+            when 'cis'
+              self.class.include AbideDevUtils::CEM::HieraData::MappingData::MixinCIS
+              extend AbideDevUtils::CEM::HieraData::MappingData::MixinCIS
+            when 'stig'
+              self.class.include AbideDevUtils::CEM::HieraData::MappingData::MixinSTIG
+              extend AbideDevUtils::CEM::HieraData::MappingData::MixinSTIG
+            else
+              raise "Invalid framework: #{framework}"
+            end
+          end
+          def map_data_by_type(map_type)
+            found_map_data = map_data.find { |x| x.type == map_type }
+            raise "Failed to find map data with type #{map_type}; Meta: #{{framework: framework, module_name: module_name}}" unless found_map_data
+            found_map_data
+          end
+          def identified_map_data(identifier, valid_types: ALL_TYPES)
+            mtype = map_type(identifier)
+            return unless FRAMEWORK_TYPES[framework].include?(mtype)
+            map_data_by_type(mtype)
+          end
+          def map_type_and_top_key(identifier)
+            mtype = ALL_TYPES.include?(identifier) ? identifier : map_type(identifier)
+            [mtype, map_top_key(mtype)]
+          end
+          def cached?(control_id, *args)
+            @cache.key?(cache_key(control_id, *args))
+          end
+          def cache_get(control_id, *args)
+            ckey = cache_key(control_id, *args)
+            @cache[ckey] if cached?(control_id, *args)
+          end
+          def cache_set(value, control_id, *args)
+            @cache[cache_key(control_id, *args)] = value unless value.nil?
+          end
+          def default_map_type
+            @default_map_type ||= (framework == 'stig' ? 'vulnid' : map_data.first.type)
+          end
+          def default_map_data
+            @default_map_data ||= map_data.first
+          end
+          def benchmark_data
+            @benchmark_data ||= default_map_data.benchmark
+          end
+          def cache_key(control_id, *args)
+            args.unshift(control_id).compact.join('-')
+          end
+          def map_top_key(mtype)
+            [module_name, 'mappings', framework, mtype].join('::')
+          end
+        end
+      end
+    end
+  end
+end

data/lib/abide_dev_utils/cem/hiera_data/resource_data/control.rb ADDED Viewed

@@ -0,0 +1,127 @@
+# frozen_string_literal: true
+require 'abide_dev_utils/dot_number_comparable'
+require 'abide_dev_utils/errors'
+require 'abide_dev_utils/cem/hiera_data/mapping_data'
+require 'abide_dev_utils/cem/hiera_data/resource_data/parameters'
+module AbideDevUtils
+  module CEM
+    module HieraData
+      module ResourceData
+        # Represents a singular rule in a benchmark
+        class Control
+          include AbideDevUtils::DotNumberComparable
+          attr_reader :id, :parameters, :resource, :framework
+          def initialize(id, params, resource, framework, mapper)
+            validate_id_with_framework(id, framework, mapper)
+            @id = id
+            @parameters = Parameters.new(params)
+            @resource = resource
+            @framework = framework
+            @mapper = mapper
+            raise AbideDevUtils::Errors::NoMappingDataForControlError, @id unless @mapper.get(id)
+          end
+          def alternate_ids(level: nil, profile: nil)
+            id_map = @mapper.get(id, level: level, profile: profile)
+            if display_title_type.to_s == @mapper.map_type(id)
+              id_map
+            else
+              alt_ids = id_map.each_with_object([]) do |mapval, arr|
+                arr << if display_title_type.to_s == @mapper.map_type(mapval)
+                         @mapper.get(mapval, level: level, profile: profile)
+                       else
+                         mapval
+                       end
+              end
+              alt_ids.flatten.uniq
+            end
+          end
+          def id_map_type
+            @mapper.map_type(id)
+          end
+          def display_title
+            send(display_title_type) unless display_title_type.nil?
+          end
+          def levels
+            levels_and_profiles[0]
+          end
+          def profiles
+            levels_and_profiles[1]
+          end
+          def method_missing(meth, *args, &block)
+            meth_s = meth.to_s
+            if AbideDevUtils::CEM::HieraData::MappingData::ALL_TYPES.include?(meth_s)
+              @mapper.get(id).find { |x| @mapper.map_type(x) == meth_s }
+            else
+              super
+            end
+          end
+          def respond_to_missing?(meth, include_private = false)
+            AbideDevUtils::CEM::HieraData::MappingData::ALL_TYPES.include?(meth.to_s) || super
+          end
+          def to_h
+            {
+              id: id,
+              display_title: display_title,
+              alternate_ids: alternate_ids,
+              levels: levels,
+              profiles: profiles,
+              resource: resource,
+            }.merge(parameters.to_h)
+          end
+          private
+          def display_title_type
+            if (!vulnid.nil? && !vulnid.is_a?(String)) || !title.is_a?(String)
+              nil
+            elsif framework == 'stig' && vulnid
+              :vulnid
+            else
+              :title
+            end
+          end
+          def validate_id_with_framework(id, framework, mapper)
+            mtype = mapper.map_type(id)
+            return if AbideDevUtils::CEM::HieraData::MappingData::FRAMEWORK_TYPES[framework].include?(mtype)
+            raise AbideDevUtils::Errors::ControlIdFrameworkMismatchError, [id, mtype, framework]
+          end
+          def map
+            @map ||= @mapper.get(id)
+          end
+          def levels_and_profiles
+            @levels_and_profiles ||= find_levels_and_profiles
+          end
+          def find_levels_and_profiles
+            lvls = []
+            profs = []
+            @mapper.levels.each do |lvl|
+              @mapper.profiles.each do |prof|
+                unless @mapper.get(id, level: lvl, profile: prof).nil?
+                  lvls << lvl
+                  profs << prof
+                end
+              end
+            end
+            [lvls.flatten.compact.uniq, profs.flatten.compact.uniq]
+          end
+        end
+      end
+    end
+  end
+end

data/lib/abide_dev_utils/cem/hiera_data/resource_data/parameters.rb ADDED Viewed

@@ -0,0 +1,90 @@
+# frozen_string_literal: true
+require 'set'
+module AbideDevUtils
+  module CEM
+    module HieraData
+      module ResourceData
+        class Parameters
+          def initialize(*param_collections)
+            @param_collections = param_collections
+          end
+          def exist?
+            !@param_collections.nil? && !@param_collections.empty?
+          end
+          def to_h
+            @to_h ||= { parameters: @param_collections.map { |x| collection_to_h(x) unless x.nil? || x.empty? } }
+          end
+          def to_puppet_code
+            parray = to_h[:parameters].each_with_object([]) do |x, arr|
+              x.each do |_, val|
+                arr << param_to_code(**val[:display_value]) if val.respond_to?(:key)
+              end
+            end
+            parray.reject { |x| x.nil? || x.empty? }.compact.join("\n")
+          end
+          def to_display_fmt
+            to_h[:parameters].values.map { |x| x[:display_value] }
+          end
+          private
+          def collection_to_h(collection)
+            return no_params_display if collection == 'no_params'
+            collection.each_with_object({}) do |(param, param_val), hsh|
+              hsh[param] = {
+                raw_value: param_val,
+                display_value: param_display(param, param_val),
+              }
+            end
+          end
+          def param_display(param, param_val)
+            {
+              name: param,
+              type: ruby_class_to_puppet_type(param_val.class.to_s),
+              default: param_val,
+            }
+          end
+          def no_params_display
+            { name: 'No parameters', type: nil, default: nil }
+          end
+          def param_to_code(name: nil, type: nil, default: nil)
+            return if name.nil?
+            return "  #{name}," if default.nil?
+            return "  #{name} => #{default}," if %w[Boolean Integer Float].include?(type)
+            return "  #{name} => '#{default}'," if type == 'String'
+            "  #{name} => undef,"
+          end
+          def ruby_class_to_puppet_type(class_name)
+            pup_type = class_name.split('::').last.capitalize
+            case pup_type
+            when %r{(Trueclass|Falseclass)}
+              'Boolean'
+            when %r{(String|Pathname)}
+              'String'
+            when %r{(Integer|Fixnum)}
+              'Integer'
+            when %r{(Float|Double)}
+              'Float'
+            when %r{Nilclass}
+              'Optional'
+            else
+              pup_type
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/abide_dev_utils/cem/hiera_data/resource_data/resource.rb ADDED Viewed

@@ -0,0 +1,102 @@
+# frozen_string_literal: true
+require 'set'
+require 'abide_dev_utils/errors'
+require 'abide_dev_utils/cem/hiera_data/resource_data/control'
+require 'abide_dev_utils/cem/hiera_data/resource_data/parameters'
+module AbideDevUtils
+  module CEM
+    module HieraData
+      module ResourceData
+        # Represents a resource data resource statement
+        class Resource
+          attr_reader :title, :type
+          def initialize(title, data, framework, mapper)
+            @title = title
+            @data = data
+            @type = data['type']
+            @framework = framework
+            @mapper = mapper
+          end
+          def controls
+            @controls ||= load_controls
+          end
+          def cem_options
+            @cem_options ||= Parameters.new(data['cem_options'])
+          end
+          def cem_protected
+            @cem_protected ||= Parameters.new(data['cem_protected'])
+          end
+          def to_stubbed_h
+            {
+              title: title,
+              type: type,
+              cem_options: cem_options.to_h,
+              cem_protected: cem_protected.to_h,
+              reference: to_reference,
+            }
+          end
+          def to_reference
+            "#{type.split('::').map(&:capitalize).join('::')}['#{title}']"
+          end
+          def to_puppet_code
+            parray = controls.map { |x| x.parameters.to_puppet_code if x.parameters.exist? }.flatten.compact.uniq
+            return "#{type} { '#{title}': }" if parray.empty? || parray.all?(&:empty?) || parray.all?("\n")
+            # if title == 'cem_linux::utils::packages::linux::auditd::time_change'
+            #   require 'pry'
+            #   binding.pry
+            # end
+            <<~EOPC
+              #{type} { '#{title}':
+              #{parray.join("\n")}
+              }
+            EOPC
+          end
+          private
+          attr_reader :data, :framework, :mapper
+          def load_controls
+            if data['controls'].respond_to?(:keys)
+              load_hash_controls(data['controls'], framework, mapper)
+            elsif data['controls'].respond_to?(:each_with_index)
+              load_array_controls(data['controls'], framework, mapper)
+            else
+              raise "Control type is invalid. Type: #{data['controls'].class}"
+            end
+          end
+          def load_hash_controls(ctrls, framework, mapper)
+            ctrls.each_with_object([]) do |(name, data), arr|
+              ctrl = Control.new(name, data, to_stubbed_h, framework, mapper)
+              arr << ctrl
+            rescue AbideDevUtils::Errors::ControlIdFrameworkMismatchError,
+                   AbideDevUtils::Errors::NoMappingDataForControlError
+              next
+            end
+          end
+          def load_array_controls(ctrls, framework, mapper)
+            ctrls.each_with_object([]) do |c, arr|
+              ctrl = Control.new(c, 'no_params', to_stubbed_h, framework, mapper)
+              arr << ctrl
+            rescue AbideDevUtils::Errors::ControlIdFrameworkMismatchError,
+                   AbideDevUtils::Errors::NoMappingDataForControlError
+              next
+            end
+          end
+        end
+      end
+    end
+  end
+end