abide_dev_utils 0.11.0 → 0.12.1

data/lib/abide_dev_utils/xccdf/utils.rb

@@ -0,0 +1,89 @@
+# frozen_string_literal: true
+
+require 'abide_dev_utils/validate'
+
+module AbideDevUtils
+  module XCCDF
+    module Utils
+      # Class for working with directories that contain XCCDF files
+      class FileDir
+        CIS_FILE_NAME_PARTS_PATTERN = /^CIS_(?<subject>[A-Za-z0-9._()-]+)_Benchmark_v(?<version>[0-9.]+)-xccdf$/.freeze
+        def initialize(path)
+          @path = File.expand_path(path)
+          AbideDevUtils::Validate.directory(@path)
+        end
+
+        def files
+          @files ||= Dir.glob(File.join(@path, '*-xccdf.xml')).map { |f| FileNameData.new(f) }
+        end
+
+        def fuzzy_find(label, value)
+          files.find { |f| f.fuzzy_match?(label, value) }
+        end
+
+        def fuzzy_select(label, value)
+          files.select { |f| f.fuzzy_match?(label, value) }
+        end
+
+        def fuzzy_reject(label, value)
+          files.reject { |f| f.fuzzy_match?(label, value) }
+        end
+
+        def label?(label)
+          files.select { |f| f.has?(label) }
+        end
+
+        def no_label?(label)
+          files.reject { |f| f.has?(label) }
+        end
+      end
+
+      # Parses XCCDF file names into labeled parts
+      class FileNameData
+        CIS_PATTERN = /^CIS_(?<subject>[A-Za-z0-9._()-]+?)(?<stig>_STIG)?_Benchmark_v(?<version>[0-9.]+)-xccdf$/.freeze
+
+        attr_reader :path, :name, :labeled_parts
+
+        def initialize(path)
+          @path = path
+          @name = File.basename(path, '.xml')
+          @labeled_parts = File.basename(name, '.xml').match(CIS_PATTERN)&.named_captures
+        end
+
+        def subject
+          @subject ||= labeled_parts&.fetch('subject', nil)
+        end
+
+        def stig
+          @stig ||= labeled_parts&.fetch('subject', nil)
+        end
+
+        def version
+          @version ||= labeled_parts&.fetch('version', nil)
+        end
+
+        def has?(label)
+          val = send(label.to_sym)
+          !val.nil? && !val.empty?
+        end
+
+        def fuzzy_match?(label, value)
+          return false unless has?(label)
+
+          this_val = normalize_char_array(send(label.to_sym).chars)
+          other_val = normalize_char_array(value.chars)
+          other_val.each_with_index do |c, idx|
+            return false unless this_val[idx] == c
+          end
+          true
+        end
+
+        private
+
+        def normalize_char_array(char_array)
+          char_array.grep_v(/[^A-Za-z0-9]/).map(&:downcase)[3..]
+        end
+      end
+    end
+  end
+end

data/lib/abide_dev_utils/xccdf.rb

@@ -16,6 +16,8 @@ module AbideDevUtils
       case type.downcase
       when 'cis'
         Benchmark.new(xccdf_file).gen_map(**opts)
+      when 'stig'
+        Benchmark.new(xccdf_file).gen_map(**opts)
       else
         raise AbideDevUtils::Errors::UnsupportedXCCDFError, "XCCDF type #{type} is unsupported!"
       end
@@ -51,25 +53,31 @@ module AbideDevUtils
     module Common
       XPATHS = {
         benchmark: {
-          all: 'xccdf:Benchmark',
-          title: 'xccdf:Benchmark/xccdf:title',
-          version: 'xccdf:Benchmark/xccdf:version'
+          all: 'Benchmark',
+          title: 'Benchmark/title',
+          version: 'Benchmark/version'
         },
         cis: {
           profiles: {
-            all: 'xccdf:Benchmark/xccdf:Profile',
-            relative_title: './xccdf:title',
-            relative_select: './xccdf:select'
+            all: 'Benchmark/Profile',
+            relative_title: './title',
+            relative_select: './select'
           }
         }
       }.freeze
       CONTROL_PREFIX = /^[\d.]+_/.freeze
       UNDERSCORED = /(\s|\(|\)|-|\.)/.freeze
+      CIS_TITLE_MARKER = 'CIS'
       CIS_NEXT_GEN_WINDOWS = /[Nn]ext_[Gg]eneration_[Ww]indows_[Ss]ecurity/.freeze
       CIS_CONTROL_NUMBER = /([0-9.]+[0-9]+)/.freeze
       CIS_LEVEL_CODE = /(?:_|^)([Ll]evel_[0-9]|[Ll]1|[Ll]2|[NnBb][GgLl]|#{CIS_NEXT_GEN_WINDOWS})/.freeze
       CIS_CONTROL_PARTS = /#{CIS_CONTROL_NUMBER}#{CIS_LEVEL_CODE}?_+([A-Za-z].*)/.freeze
       CIS_PROFILE_PARTS = /#{CIS_LEVEL_CODE}[_-]+([A-Za-z].*)/.freeze
+      STIG_TITLE_MARKER = 'Security Technical Implementation Guide'
+      STIG_CONTROL_PARTS = /(V-[0-9]+)/.freeze
+      STIG_PROFILE_PARTS = /(MAC-\d+)_([A-Za-z].+)/.freeze
+      PROFILE_PARTS = /#{CIS_PROFILE_PARTS}|#{STIG_PROFILE_PARTS}/.freeze
+      CONTROL_PARTS = /#{CIS_CONTROL_PARTS}|#{STIG_CONTROL_PARTS}/.freeze
 
       def xpath(path)
         @xml.xpath(path)
@@ -119,19 +127,40 @@ module AbideDevUtils
       end
 
       def profile_parts(profile)
-        parts = control_profile_text(profile).match(CIS_PROFILE_PARTS)
+        parts = control_profile_text(profile).match(PROFILE_PARTS)
         raise AbideDevUtils::Errors::ProfilePartsError, profile if parts.nil?
 
-        parts[1].gsub!(/[Ll]evel_/, 'L')
-        parts[1..2]
+        if parts[1]
+          # CIS profile
+          parts[1].gsub!(/[Ll]evel_/, 'L')
+          parts[1..2]
+        elsif parts[3]
+          # STIG profile
+          parts[3..4]
+        else
+          raise AbideDevUtils::Errors::ProfilePartsError, profile
+        end
       end
 
-      def control_parts(control, parent_level: nil)
-        mdata = control_profile_text(control).match(CIS_CONTROL_PARTS)
+      def control_parts(control)
+        mdata = control_profile_text(control).match(CONTROL_PARTS)
         raise AbideDevUtils::Errors::ControlPartsError, control if mdata.nil?
 
-        mdata[2] = parent_level unless parent_level.nil?
-        mdata[1..3]
+        if mdata[1]
+          # CIS control
+          mdata[1..3]
+        elsif mdata[4]
+          # STIG control
+          vuln_id = mdata[4]
+          group = @benchmark.xpath("Group[@id='#{vuln_id}']")
+          if group.xpath('Rule').length != 1
+            raise AbideDevUtils::Errors::ControlPartsError, control
+          end
+          rule_id = group.xpath('Rule/@id').first.value
+          return [vuln_id, rule_id]
+        else
+          raise AbideDevUtils::Errors::ControlPartsError, control
+        end
       end
 
       def control_profile_text(item)
@@ -148,14 +177,6 @@ module AbideDevUtils
         end
       end
 
-      def sorted_control_classes(raw_select_list, sort_key: :number)
-        raw_select_list.map { |x| Control.new(x) }.sort_by(&sort_key)
-      end
-
-      def sorted_profile_classes(raw_profile_list, sort_key: :title)
-        raw_profile_list.map { |x| Profile.new(x) }.sort_by(&sort_key)
-      end
-
       def ==(other)
         diff_properties.map { |x| send(x) } == other.diff_properties.map { |x| other.send(x) }
       end
@@ -169,14 +190,17 @@ module AbideDevUtils
     class Benchmark
       include AbideDevUtils::XCCDF::Common
 
-      MAP_INDICES = %w[title hiera_title hiera_title_num number].freeze
+      CIS_MAP_INDICES = %w[title hiera_title hiera_title_num number].freeze
+      STIG_MAP_INDICES = %w[vulnid ruleid].freeze
 
-      attr_reader :xml, :title, :version, :diff_properties
+      attr_reader :xml, :title, :version, :diff_properties, :benchmark
 
       def initialize(path)
         @xml = parse(path)
-        @title = xpath('xccdf:Benchmark/xccdf:title').text
-        @version = xpath('xccdf:Benchmark/xccdf:version').text
+        @xml.remove_namespaces!
+        @benchmark = xpath('Benchmark')
+        @title = xpath('Benchmark/title').text
+        @version = xpath('Benchmark/version').text
         @diff_properties = %i[title version profiles]
       end
 
@@ -185,7 +209,7 @@ module AbideDevUtils
       end
 
       def profiles
-        @profiles ||= Profiles.new(xpath('xccdf:Benchmark/xccdf:Profile'))
+        @profiles ||= Profiles.new(xpath('Benchmark/Profile'), @benchmark)
       end
 
       def profile_levels
@@ -197,7 +221,7 @@ module AbideDevUtils
       end
 
       def controls
-        @controls ||= Controls.new(xpath('//xccdf:select'))
+        @controls ||= Controls.new(xpath('//select'))
       end
 
       def controls_by_profile_level(level_code)
@@ -209,15 +233,22 @@ module AbideDevUtils
       end
 
       def gen_map(dir: nil, type: 'cis', parent_key_prefix: '', version_output_dir: false, **_)
-        os, ver = facter_platform
+        case type
+        when 'cis'
+          os, ver = facter_platform
+          indicies = CIS_MAP_INDICES
+        when 'stig'
+          os, ver = facter_benchmark
+          indicies = STIG_MAP_INDICES
+        end
         output_path = [type, os, ver]
         output_path.unshift(File.expand_path(dir)) if dir
         output_path << version if version_output_dir
         mapping_dir = File.expand_path(File.join(output_path))
         parent_key_prefix = '' if parent_key_prefix.nil?
-        MAP_INDICES.each_with_object({}) do |idx, h|
+        indicies.each_with_object({}) do |idx, h|
           map_file_path = "#{mapping_dir}/#{idx}.yaml"
-          h[map_file_path] = map_indexed(index: idx, framework: type, key_prefix: parent_key_prefix)
+          h[map_file_path] = map_indexed(indicies: indicies, index: idx, framework: type, key_prefix: parent_key_prefix)
         end
       end
 
@@ -237,10 +268,10 @@ module AbideDevUtils
         }
       end
 
-      def map_indexed(index: 'title', framework: 'cis', key_prefix: '')
+      def map_indexed(indicies: [], index: 'title', framework: 'cis', key_prefix: '')
         c_map = profiles.each_with_object({}) do |profile, obj|
           obj[profile.level.downcase] = {} unless obj[profile.level.downcase].is_a?(Hash)
-          obj[profile.level.downcase][profile.title.downcase] = map_controls_hash(profile, index).sort_by { |k, _| k }.to_h
+          obj[profile.level.downcase][profile.title.downcase] = map_controls_hash(profile, indicies, index).sort_by { |k, _| k }.to_h
         end
 
         c_map['benchmark'] = { 'title' => title, 'version' => version }
@@ -249,8 +280,13 @@ module AbideDevUtils
         { mappings.join('::') => c_map }.to_yaml
       end
 
+      def facter_benchmark
+        id = xpath('Benchmark/@id').text
+        id.split('_')[0..-2]
+      end
+
       def facter_platform
-        cpe = xpath('xccdf:Benchmark/xccdf:platform')[0]['idref'].split(':')
+        cpe = xpath('Benchmark/platform')[0]['idref'].split(':')
         if cpe.length > 4
           product_name = cpe[4].split('_')
           product_version = cpe[5].split('.') unless cpe[5].nil?
@@ -280,8 +316,8 @@ module AbideDevUtils
         hash.to_yaml
       end
 
-      def resolve_control_reference(control)
-        xpath("//xccdf:Rule[@id='#{control.reference}']")
+      def resolve_cis_control_reference(control)
+        xpath("//Rule[@id='#{control.reference}']")
       end
 
       private
@@ -291,15 +327,15 @@ module AbideDevUtils
         when 'hiera_title_num'
           control.hiera_title(number_format: true)
         when 'title'
-          resolve_control_reference(control).xpath('./xccdf:title').text
+          resolve_cis_control_reference(control).xpath('./title').text
         else
           control.send(index.to_sym)
         end
       end
 
-      def map_controls_hash(profile, index)
+      def map_controls_hash(profile, indicies, index)
         profile.controls.each_with_object({}) do |ctrl, hsh|
-          control_array = MAP_INDICES.each_with_object([]) do |idx_sym, ary|
+          control_array = indicies.each_with_object([]) do |idx_sym, ary|
             next if idx_sym == index
 
             item = format_map_control_index(idx_sym, ctrl)
@@ -316,13 +352,9 @@ module AbideDevUtils
         end
       end
 
-      def sorted_profile_classes(raw_profile_list, sort_key: :level)
-        raw_profile_list.map { |x| Profile.new(x) }.sort_by(&sort_key)
-      end
-
       def find_profiles
         profs = {}
-        xpath('xccdf:Benchmark/xccdf:Profile').each do |profile|
+        xpath('Benchmark/Profile').each do |profile|
           level_code, name = profile_parts(profile['id'])
           profs[name] = {} unless profs.key?(name)
           profs[name][level_code] = profile
@@ -349,11 +381,66 @@ module AbideDevUtils
       end
     end
 
-    class ObjectContainer
+    class XccdfObject
       include AbideDevUtils::XCCDF::Common
 
-      def initialize(list, object_creation_method, *args, **kwargs)
-        @object_list = send(object_creation_method.to_sym, list, *args, **kwargs)
+      def initialize(benchmark)
+        @benchmark = benchmark
+        @benchmark_type = benchmark_type
+      end
+
+      def controls_class
+        case @benchmark_type
+        when :cis
+          CisControls
+        when :stig
+          StigControls
+        else
+          raise AbideDevUtils::Errors::UnsupportedXCCDFError
+        end
+      end
+
+      def control_sort_key
+        case @benchmark_type
+        when :cis
+          :number
+        when :stig
+          :vulnid
+        else
+          raise AbideDevUtils::Errors::UnsupportedXCCDFError
+        end
+      end
+
+      def control_class
+        case @benchmark_type
+        when :cis
+          CisControl
+        when :stig
+          StigControl
+        else
+          raise AbideDevUtils::Errors::UnsupportedXCCDFError
+        end
+      end
+
+      private
+
+      def benchmark_type
+        title = @benchmark.at_xpath('title').text
+        if title.include?(STIG_TITLE_MARKER)
+          return :stig
+        elsif title.include?(CIS_TITLE_MARKER)
+          return :cis
+        end
+        raise AbideDevUtils::Errors::UnsupportedXCCDFError, "XCCDF type is unsupported!"
+      end
+    end
+
+    class ObjectContainer < XccdfObject
+      include AbideDevUtils::XCCDF::Common
+
+      def initialize(list, object_creation_method, benchmark, *args, **kwargs)
+        super(benchmark)
+        @object_list = send(object_creation_method.to_sym, list, benchmark, *args, **kwargs)
         @searchable = []
       end
 
@@ -396,6 +483,14 @@ module AbideDevUtils
 
       private
 
+      def sorted_control_classes(raw_select_list, benchmark)
+        raw_select_list.map { |x| control_class.new(x, benchmark) }.sort_by(&control_sort_key)
+      end
+
+      def sorted_profile_classes(raw_profile_list, benchmark)
+        raw_profile_list.map { |x| Profile.new(x, benchmark) }.sort_by(&:title)
+      end
+
       def resolve_hash_key(obj)
         return obj.send(:raw_title) unless defined?(@hash_key)
 
@@ -416,8 +511,8 @@ module AbideDevUtils
     end
 
     class Profiles < ObjectContainer
-      def initialize(list)
-        super(list, :sorted_profile_classes)
+      def initialize(list, benchmark)
+        super(list, :sorted_profile_classes, benchmark)
         searchable! :level, :title
         index! :title
         hash_key! :level, :title
@@ -440,9 +535,34 @@ module AbideDevUtils
       end
     end
 
-    class Controls < ObjectContainer
-      def initialize(list)
-        super(list, :sorted_control_classes)
+    class StigControls < ObjectContainer
+      def initialize(list, benchmark)
+        super(list, :sorted_control_classes, benchmark)
+        searchable! :vulnid, :ruleid
+        index! :vulnid
+        hash_key! :vulnid
+      end
+
+      def vulnids
+        @vulnids ||= @object_list.map(&:vulnid).sort
+      end
+
+      def ruleids
+        @ruleids ||= @object_list.map(&:ruleid).sort
+      end
+
+      def include_vulnid?(item)
+        @object_list.map(&:vulnid).include?(item)
+      end
+
+      def include_ruleid?(item)
+        @object_list.map(&:ruleid).include?(item)
+      end
+    end
+
+    class CisControls < ObjectContainer
+      def initialize(list, benchmark)
+        super(list, :sorted_control_classes, benchmark)
         searchable! :level, :title, :number
         index! :number
         hash_key! :number
@@ -473,10 +593,11 @@ module AbideDevUtils
       end
     end
 
-    class XccdfElement
+    class XccdfElement < XccdfObject
       include AbideDevUtils::XCCDF::Common
 
-      def initialize(element)
+      def initialize(element, benchmark)
+        super(benchmark)
         @xml = element
         @element_type = self.class.name.split('::').last.downcase
         @raw_title = control_profile_text(element)
@@ -498,11 +619,12 @@ module AbideDevUtils
       end
 
       def reference
-        @reference ||= @element_type == 'control' ? @xml['idref'] : @xml['id']
+        @reference ||= @element_type.include?('control') ? @xml['idref'] : @xml['id']
       end
 
       def hiera_title(**opts)
-        send("normalize_#{@element_type}_name".to_sym, @xml, **opts)
+        e_type = @element_type.include?('control') ? 'control' : 'profile'
+        send("normalize_#{e_type}_name".to_sym, @xml, **opts)
       end
 
       private
@@ -524,19 +646,27 @@ module AbideDevUtils
     end
 
     class Profile < XccdfElement
-      def initialize(profile)
-        super(profile)
+      def initialize(profile, benchmark)
+        super(profile, benchmark)
         @level, @title = profile_parts(control_profile_text(profile))
-        @plain_text_title = @xml.xpath('./xccdf:title').text
-        @controls = Controls.new(xpath('./xccdf:select'))
+        @plain_text_title = @xml.xpath('./title').text
+        @controls = controls_class.new(xpath('./select'), benchmark)
         properties :title, :level, :plain_text_title, controls: :to_h
       end
     end
 
-    class Control < XccdfElement
-      def initialize(control, parent_level: nil)
-        super(control)
-        @number, @level, @title = control_parts(control_profile_text(control), parent_level: parent_level)
+    class StigControl < XccdfElement
+      def initialize(control, benchmark)
+        super(control, benchmark)
+        @vulnid, @ruleid = control_parts(control_profile_text(control))
+        properties :vulnid, :ruleid
+      end
+    end
+
+    class CisControl < XccdfElement
+      def initialize(control, benchmark)
+        super(control, benchmark)
+        @number, @level, @title = control_parts(control_profile_text(control))
         properties :number, :level, :title
       end
     end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: abide_dev_utils
 version: !ruby/object:Gem::Version
-  version: 0.11.0
+  version: 0.12.1
 platform: ruby
 authors:
 - abide-team
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2022-07-25 00:00:00.000000000 Z
+date: 2022-08-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
@@ -360,10 +360,20 @@ files:
 - lib/abide_dev_utils.rb
 - lib/abide_dev_utils/cem.rb
 - lib/abide_dev_utils/cem/benchmark.rb
-- lib/abide_dev_utils/cem/coverage_report.rb
 - lib/abide_dev_utils/cem/generate.rb
+- lib/abide_dev_utils/cem/generate/coverage_report.rb
 - lib/abide_dev_utils/cem/generate/reference.rb
+- lib/abide_dev_utils/cem/hiera_data.rb
+- lib/abide_dev_utils/cem/hiera_data/mapping_data.rb
+- lib/abide_dev_utils/cem/hiera_data/mapping_data/map_data.rb
+- lib/abide_dev_utils/cem/hiera_data/mapping_data/mixins.rb
+- lib/abide_dev_utils/cem/hiera_data/resource_data.rb
+- lib/abide_dev_utils/cem/hiera_data/resource_data/control.rb
+- lib/abide_dev_utils/cem/hiera_data/resource_data/parameters.rb
+- lib/abide_dev_utils/cem/hiera_data/resource_data/resource.rb
 - lib/abide_dev_utils/cem/mapping/mapper.rb
+- lib/abide_dev_utils/cem/validate.rb
+- lib/abide_dev_utils/cem/validate/resource_data.rb
 - lib/abide_dev_utils/cli.rb
 - lib/abide_dev_utils/cli/abstract.rb
 - lib/abide_dev_utils/cli/cem.rb
@@ -375,6 +385,7 @@ files:
 - lib/abide_dev_utils/comply.rb
 - lib/abide_dev_utils/config.rb
 - lib/abide_dev_utils/constants.rb
+- lib/abide_dev_utils/dot_number_comparable.rb
 - lib/abide_dev_utils/errors.rb
 - lib/abide_dev_utils/errors/base.rb
 - lib/abide_dev_utils/errors/cem.rb
@@ -393,6 +404,17 @@ files:
 - lib/abide_dev_utils/ppt.rb
 - lib/abide_dev_utils/ppt/api.rb
 - lib/abide_dev_utils/ppt/class_utils.rb
+- lib/abide_dev_utils/ppt/code_gen.rb
+- lib/abide_dev_utils/ppt/code_gen/data_types.rb
+- lib/abide_dev_utils/ppt/code_gen/generate.rb
+- lib/abide_dev_utils/ppt/code_gen/resource.rb
+- lib/abide_dev_utils/ppt/code_gen/resource_types.rb
+- lib/abide_dev_utils/ppt/code_gen/resource_types/base.rb
+- lib/abide_dev_utils/ppt/code_gen/resource_types/class.rb
+- lib/abide_dev_utils/ppt/code_gen/resource_types/manifest.rb
+- lib/abide_dev_utils/ppt/code_gen/resource_types/parameter.rb
+- lib/abide_dev_utils/ppt/code_gen/resource_types/strings.rb
+- lib/abide_dev_utils/ppt/code_introspection.rb
 - lib/abide_dev_utils/ppt/facter_utils.rb
 - lib/abide_dev_utils/ppt/hiera.rb
 - lib/abide_dev_utils/ppt/new_obj.rb
@@ -411,9 +433,11 @@ files:
 - lib/abide_dev_utils/xccdf/diff/benchmark/property_existence.rb
 - lib/abide_dev_utils/xccdf/diff/utils.rb
 - lib/abide_dev_utils/xccdf/parser.rb
+- lib/abide_dev_utils/xccdf/parser/helpers.rb
 - lib/abide_dev_utils/xccdf/parser/objects.rb
 - lib/abide_dev_utils/xccdf/parser/objects/digest_object.rb
 - lib/abide_dev_utils/xccdf/parser/objects/numbered_object.rb
+- lib/abide_dev_utils/xccdf/utils.rb
 - new_diff.rb
 homepage: https://github.com/puppetlabs/abide_dev_utils
 licenses: