abide_dev_utils 0.4.2 → 0.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 71c8c65ce60fc385fdc289f00b98328f35e0b343b397864fea49010683ab274c
-  data.tar.gz: 1060f161729e0330efadf391bc35f9a84544522cc443364833c56beeec8fb308
+  metadata.gz: 3978f655b9053e54d4fd63d456d3d65b9079c7684c6fcc88a3f764ead1aa012a
+  data.tar.gz: 746265daf86c8095a0f4ddbf9909d85a30ba2495b2b449e19896584c6e88da2b
 SHA512:
-  metadata.gz: 608138ff9fecf9835094848f5d7967b8b9ba87d9da766e943e1ec053936cc605e823befa0e5c893579dd4a8ad9a3b8dff49b4129624e9a338cb5cf0775f32272
-  data.tar.gz: 3610c0fae0872a7883a5608e703c0a025ff529b39e025315f984c40f6a63bc09206eaa9e874a11a180c2ad392c9afb14cd2eb18974129fecfee8eed4bbb2470e
+  metadata.gz: a6bbb36782aff2d06e4fd55ea66582cf64c4414c2e13f1c3cca76c8b1c33c420f76474b058c2e2ce49bb294efc01b677588957fa8f745d3b2fa022683253281f
+  data.tar.gz: 78f92a917f547ba04f17610e0bca9cc5816efaadf7b066645cc75e40c303173a9b0d3e27ea0d7a741219f88c5e479810e14f180fc813cd5a31e3d6f0ee4bf65e

data/.gitignore

@@ -6,7 +6,8 @@
 /pkg/
 /spec/reports/
 /tmp/
-
+w10_20h2.xml
+w10_2004.xml
 # rspec failure tracking
 .rspec_status
 Gemfile.lock

data/.rubocop.yml

@@ -12,7 +12,7 @@ AllCops:
     - 'tmp/**/*'
     - '.git/**/*'
     - 'bin/*'
-  TargetRubyVersion: 2.5
+  TargetRubyVersion: 2.7
   SuggestExtensions: false
 
 Naming/PredicateName:

data/CODEOWNERS

@@ -0,0 +1 @@
+* @puppetlabs/abide-team

data/README.md

@@ -29,6 +29,10 @@ Issues and pull requests are welcome!
 
 * Create Jira issues in bulk from coverage reports
 
+### Puppet Comply Report Generation
+
+* Allows you ot programatically generate compliance reports from Puppet Comply
+
 ### Supports Configuration via Local YAML file
 
 * Fully configurable via the `~/.abide_dev.yaml` file
@@ -84,6 +88,8 @@ Install the gem:
 
 ### Overview of Commands
 
+* `abide comply` - Command namespace for Puppet Comply commands
+  * `abide comply report` - Creates a scan report in YAML format by scraping Puppet Comply
 * `abide jira` - Command namespace for Jira commands
   * `abide jira auth` - Authenticate with Jira. Only useful as a stand-alone command to test authentication
   * `abide jira from_coverage` - Creates a parent issue with subtasks from a Puppet coverage report
@@ -96,6 +102,34 @@ Install the gem:
 * `abide xccdf` - Command namespace for XCCDF commands
   * `abide xccdf to_hiera` - Converts a benchmark XCCDF file to a Hiera yaml file
 
+### Comply Command Reference
+
+#### report
+
+* Required positional parameters:
+  * `COMPLY_URL` - The URL of Puppet Comply
+  * `COMPLY_PASSWORD` - The password for the Puppet Comply user
+* Options:
+  * `--out-file`, `-o` - The path to save the scan report. Defaults to `./comply_scan_report.yaml`
+  * `--username`, `-u` - The Puppet Comply username. Defaults to `comply`
+  * `--status`, `-s` - A comma-separated list of check statuses to ONLY include in the report. Valid statuses are: `pass`, `fail`, `error`, `notapplicable`, `notchecked`, `unknown`, `informational`
+  * `--only`, `-O` - A comma-separated list of node certnames to ONLY build reports for. No other nodes will have reports built for them except the ones specified. This option is mutually exclusive with `--ignore` and, if both are set, this options will take precedence over `--ignore`.
+  * `--ignore`, `-I` - A comma-separated list of node certnames to ignore building reports for. This options is mutually exclusive with `--only` and, if both are set, `--only` will take precedence over this option.
+
+Examples:
+
+Generating a report of all failed and err'd scan checks
+
+```sh
+abide comply report https://comply.my.instance 'my_comply_password!' -s fail,error
+```
+
+Generating a report for certain nodes only
+
+```sh
+abide comply report https://comply.my.instance 'my_comply_password!' -O specific-node.my.instance
+```
+
 ### Jira Command Reference
 
 #### from_coverage

data/abide_dev_utils.gemspec

@@ -7,14 +7,14 @@ require "abide_dev_utils/version"
 Gem::Specification.new do |spec|
   spec.name          = "abide_dev_utils"
   spec.version       = AbideDevUtils::VERSION
-  spec.authors       = ["Heston Snodgrass"]
-  spec.email         = ["hsnodgrass3@gmail.com"]
+  spec.authors       = ["abide-team"]
+  spec.email         = ["abide-team@puppet.com"]
 
-  spec.summary       = "Helper utilities for developing Abide"
-  spec.description   = "Provides a CLI with helpful utilities for developing Abide"
-  spec.homepage      = "https://github.com/hsnodgrass/abide_dev_utils"
+  spec.summary       = "Helper utilities for developing compliance Puppet code"
+  spec.description   = "Provides a CLI with helpful utilities for developing compliance Puppet code"
+  spec.homepage      = "https://github.com/puppetlabs/abide_dev_utils"
   spec.license       = "MIT"
-  spec.required_ruby_version = Gem::Requirement.new(">= 2.5.0")
+  spec.required_ruby_version = Gem::Requirement.new(">= 2.7.0")
 
   # spec.metadata["allowed_push_host"] = "TODO: Set to 'http://mygemserver.com'"
 
@@ -34,9 +34,12 @@ Gem::Specification.new do |spec|
   # Prod dependencies
   spec.add_dependency 'nokogiri', '~> 1.11'
   spec.add_dependency 'cmdparse', '~> 3.0'
-  spec.add_dependency 'puppet', '>= 6.19'
+  spec.add_dependency 'puppet', '>= 6.23'
   spec.add_dependency 'jira-ruby', '~> 2.1'
   spec.add_dependency 'ruby-progressbar', '~> 1.11'
+  spec.add_dependency 'selenium-webdriver', '~> 4.0.0.beta4'
+  spec.add_dependency 'google-cloud-storage', '~> 1.34'
+  spec.add_dependency 'hashdiff', '~> 1.0'
 
   # Dev dependencies
   spec.add_development_dependency 'bundler'
@@ -44,6 +47,7 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'console'
   spec.add_development_dependency 'github_changelog_generator'
   spec.add_development_dependency 'gem-release'
+  spec.add_development_dependency 'pry'
   spec.add_development_dependency 'rspec', '~> 3.10'
   spec.add_development_dependency 'rubocop', '~> 1.8'
   spec.add_development_dependency 'rubocop-rspec', '~> 2.1'

data/itests.rb

@@ -0,0 +1,138 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require 'json'
+require 'yaml'
+require 'abide_dev_utils/comply'
+require 'abide_dev_utils/ppt/api'
+
+OS_BENCHMARK_MAP = {
+  'centos-7' => 'CIS_CentOS_Linux_7_Benchmark_v3.1.1-xccdf.xml',
+  'centos-8' => 'CIS_CentOS_Linux_8_Benchmark_v1.0.1-xccdf.xml',
+  'rhel-7' => 'CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v3.1.1-xccdf.xml',
+  'rhel-8' => 'CIS_Red_Hat_Enterprise_Linux_8_Benchmark_v1.0.1-xccdf.xml',
+  'serv-2016' => 'CIS_Microsoft_Windows_Server_2016_RTM_(Release_1607)_Benchmark_v1.3.0-xccdf.xml',
+  'serv-2019' => 'CIS_Microsoft_Windows_Server_2019_Benchmark_v1.2.1-xccdf.xml'
+}
+EL_PROFILE_1_SERVER = 'xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Server'
+WIN_PROFILE_1_MS = 'xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Member_Server'
+NIX_SCAN_HASH = {
+  'nix-centos-7.c.team-sse.internal' => {
+    'benchmark' => OS_BENCHMARK_MAP['centos-7'],
+    'profile' => EL_PROFILE_1_SERVER
+  },
+  'nix-centos-8.c.team-sse.internal' => {
+    'benchmark' => OS_BENCHMARK_MAP['centos-8'],
+    'profile' => EL_PROFILE_1_SERVER
+  },
+  'nix-rhel-7.c.team-sse.internal' => {
+    'benchmark' => OS_BENCHMARK_MAP['rhel-7'],
+    'profile' => EL_PROFILE_1_SERVER
+  },
+  'nix-rhel-8.c.team-sse.internal' => {
+    'benchmark' => OS_BENCHMARK_MAP['rhel-8'],
+    'profile' => EL_PROFILE_1_SERVER
+  }
+}.freeze
+WIN_SCAN_HASH = {
+  'win-server-2016.c.team-sse.internal' => {
+    'benchmark' => OS_BENCHMARK_MAP['serv-2016'],
+    'profile' => EL_PROFILE_1_SERVER
+  },
+  'win-serv-2019.c.team-sse.internal' => {
+    'benchmark' => OS_BENCHMARK_MAP['serv-2019'],
+    'profile' => WIN_PROFILE_1_MS
+  }
+}.freeze
+
+scan_hash = ENV['ABIDE_OS'] == 'nix' ? NIX_SCAN_HASH : WIN_SCAN_HASH
+node_group_name = ENV['ABIDE_OS'] == 'nix' ? 'CEM Linux Nodes' : 'CEM Windows Nodes'
+
+puts 'Creating client...'
+client = AbideDevUtils::Ppt::ApiClient.new(ENV['PUPPET_HOST'], auth_token: ENV['PE_ACCESS_TOKEN'])
+puts 'Starting code deploy...'
+code_manager_deploy = client.post_codemanager_deploys('environments' => ['production'], 'wait' => true)
+raise 'Code manager deployment failed!' unless code_manager_deploy['status'] == 'complete'
+
+puts 'Code deploy successful...'
+puts 'Gathering node group ID...'
+node_groups = client.get_classifier1_groups
+node_group_id = nil
+node_groups.each { |x| node_group_id = x['id'] if x['name'] == node_group_name }
+raise 'Failed to find requested node group!' if node_group_id.nil?
+
+puts 'Running Puppet on nodes...'
+puppet_run = client.post_orchestrator_command_deploy('environment' => 'production', 'scope' => { 'node_group' => node_group_id })
+puts "Started job #{puppet_run['job']['name']}..."
+timeout = 0
+run_complete = false
+until run_complete || timeout >= 30
+  puts "Waiting on job #{puppet_run['job']['name']} to complete..."
+  status = client.get_orchestrator_jobs(puppet_run['job']['name'])
+  case status['state']
+  when 'failed'
+    raise "Job #{puppet_run['job']['name']} finished with failures!"
+  when 'finished'
+    run_complete = true
+    break
+  else
+    timeout += 1
+    sleep(10)
+  end
+end
+raise 'Job timed out waiting for completion' unless run_complete
+
+puts 'Starting node scans...'
+scan_job = client.post_orchestrator_command_task(
+  'environment' => 'production',
+  'task' => 'comply::ciscat_scan',
+  'params' => {
+    'comply_port' => '443',
+    'comply_server' => ENV['COMPLY_FQDN'],
+    'ssl_verify_mode' => 'none',
+    'scan_type' => 'desired',
+    'scan_hash' => JSON.generate(scan_hash)
+  },
+  'scope' => {
+    'node_group' => node_group_id
+  }
+)
+puts "Started scan #{scan_job['job']['name']}..."
+timeout = 0
+scan_complete = false
+until scan_complete || timeout >= 30
+  puts "Waiting on scan #{scan_job['job']['name']} to complete..."
+  status = client.get_orchestrator_jobs(scan_job['job']['name'])
+  case status['state']
+  when 'failed'
+    raise "Task #{scan_job['job']['name']} finished with failures!"
+  when 'finished'
+    scan_complete = true
+    break
+  else
+    timeout += 1
+    sleep(10)
+  end
+end
+raise 'Job timed out waiting for completion' unless scan_complete
+
+puts 'Collecting scan report from Comply...'
+onlylist = scan_hash.keys
+scan_report = AbideDevUtils::Comply.build_report("https://#{ENV['COMPLY_FQDN']}", ENV['COMPLY_PASSWORD'], nil, onlylist: onlylist)
+puts 'Saving report to nix_report.yaml...'
+File.open('nix_report.yaml', 'w') { |f| f.write(scan_report.to_yaml) }
+
+puts 'Comparing current report to last report...'
+opts = {
+  report_name: 'nix_report.yaml',
+  remote_storage: 'gcloud',
+  upload: true
+}
+result = AbideDevUtils::Comply.compare_reports(File.expand_path('./nix_report.yaml'), 'nix_report.yaml', opts)
+if result
+  puts 'Success!'
+  exit(0)
+else
+  puts 'Failure!'
+  exit(1)
+end

data/lib/abide_dev_utils/cli/abstract.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require 'abide_dev_utils/config'
+
 module Abide
   module CLI
     # @abstract

data/lib/abide_dev_utils/cli/comply.rb

@@ -0,0 +1,115 @@
+# frozen_string_literal: true
+
+require 'abide_dev_utils/comply'
+require 'abide_dev_utils/cli/abstract'
+
+module Abide
+  module CLI
+    class ComplyCommand < AbideCommand
+      CMD_NAME = 'comply'
+      CMD_SHORT = 'Commands related to Puppet Comply'
+      CMD_LONG = 'Namespace for commands related to Puppet Comply'
+      def initialize
+        super(CMD_NAME, CMD_SHORT, CMD_LONG, takes_commands: true)
+        add_command(ComplyReportCommand.new)
+        add_command(ComplyCompareReportCommand.new)
+      end
+    end
+
+    class ComplyReportCommand < AbideCommand
+      CMD_NAME = 'report'
+      CMD_SHORT = 'Generates a yaml report of Puppet Comply scan results'
+      CMD_LONG = <<~LONGCMD
+        Generates a yaml file that shows the scan results of all nodes in Puppet Comply.
+        This command utilizes Selenium WebDriver and the Google Chrome browser to automate
+        clicking through the Comply UI and building a report. In order to use this command,
+        you MUST have Google Chrome installed and you MUST install the chromedriver binary.
+        More info and instructions can be found here:
+        https://www.selenium.dev/documentation/en/getting_started_with_webdriver/.
+      LONGCMD
+      CMD_COMPLY_URL = 'The URL (including https://) of Puppet Comply'
+      CMD_COMPLY_PASSWORD = 'The password for Puppet Comply'
+      OPT_TIMEOUT_DESC = <<~EOTO
+        The number of seconds you would like requests to wait before timing out. Defaults
+        to 10 seconds.
+      EOTO
+      OPT_STATUS_DESC = <<~EODESC
+        A comma-separated list of check statuses to ONLY include in the report.
+        Valid statuses are: pass, fail, error, notapplicable, notchecked, unknown, informational
+      EODESC
+      OPT_IGNORE_NODES = <<~EOIGN
+        A comma-separated list of node certnames to ignore building reports for. This
+        options is mutually exclusive with --only and, if both are set, --only will take precedence
+        over this option.
+      EOIGN
+      OPT_ONLY_NODES = <<~EOONLY
+        A comma-separated list of node certnames to ONLY build reports for. No other
+        nodes will have reports built for them except the ones specified. This option
+        is mutually exclusive with --ignore and, if both are set, this options will
+        take precedence over --ignore.
+      EOONLY
+      def initialize
+        super(CMD_NAME, CMD_SHORT, CMD_LONG, takes_commands: false)
+        argument_desc(COMPLY_URL: CMD_COMPLY_URL, COMPLY_PASSWORD: CMD_COMPLY_PASSWORD)
+        options.on('-o [FILE]', '--out-file [FILE]', 'Path to save the report') { |f| @data[:file] = f }
+        options.on('-u [USERNAME]', '--username [USERNAME]', 'The username for Comply (defaults to comply)') do |u|
+          @data[:username] = u
+        end
+        options.on('-t [SECONDS]', '--timeout [SECONDS]', OPT_TIMEOUT_DESC) do |t|
+          @data[:timeout] = t
+        end
+        options.on('-s [X,Y,Z]', '--status [X,Y,Z]',
+                   %w[pass fail error notapplicable notchecked unknown informational],
+                   Array,
+                   OPT_STATUS_DESC) do |s|
+          s&.map! { |i| i == 'notchecked' ? 'not checked' : i }
+          @data[:status] = s
+        end
+        options.on('--only [X,Y,Z]', Array, OPT_ONLY_NODES) do |o|
+          @data[:onlylist] = o
+        end
+        options.on('--ignore [X,Y,Z]', Array, OPT_IGNORE_NODES) do |i|
+          @data[:ignorelist] = i
+        end
+      end
+
+      def help_arguments
+        <<~ARGHELP
+          Arguments:
+              COMPLY_URL        #{CMD_COMPLY_URL}
+              COMPLY_PASSWORD   #{CMD_COMPLY_PASSWORD}
+
+        ARGHELP
+      end
+
+      def execute(comply_url = nil, comply_password = nil)
+        Abide::CLI::VALIDATE.filesystem_path(`command -v chromedriver`.strip)
+        conf = config_section('comply')
+        comply_url = conf.fetch(:url) if comply_url.nil?
+        comply_password = comply_password.nil? ? conf.fetch(:password, Abide::CLI::PROMPT.password) : comply_password
+        report = AbideDevUtils::Comply.build_report(comply_url, comply_password, conf, **@data)
+        outfile = @data.fetch(:file, nil).nil? ? conf.fetch(:report_path, 'comply_scan_report.yaml') : @data[:file]
+        Abide::CLI::OUTPUT.yaml(report, file: outfile)
+      end
+    end
+
+    class ComplyCompareReportCommand < AbideCommand
+      CMD_NAME = 'compare-report'
+      CMD_SHORT = 'Compare two Comply reports and get the differences.'
+      CMD_LONG = 'Compare two Comply reports and get the differences. Report A is compared to report B, showing what changes it would take for A to equal B.'
+      CMD_REPORT_A = 'The current Comply report yaml file'
+      CMD_REPORT_B = 'The old Comply report yaml file name or full path'
+      def initialize
+        super(CMD_NAME, CMD_SHORT, CMD_LONG, takes_commands: false)
+        argument_desc(REPORT_A: CMD_REPORT_A, REPORT_B: CMD_REPORT_B)
+        options.on('-u', '--upload-new', 'If you want to upload the new scan report') { @data[:upload] = true }
+        options.on('-s [STORAGE]', '--remote-storage [STORAGE]', 'Remote storage to upload the report to. (Only supports "gcloud")') { |x| @data[:remote_storage] = x }
+        options.on('-r [NAME]', '--name [NAME]', 'The name to upload the report as') { |x| @data[:report_name] = x }
+      end
+
+      def execute(report_a, report_b)
+        AbideDevUtils::Comply.compare_reports(report_a, report_b, @data)
+      end
+    end
+  end
+end

data/lib/abide_dev_utils/cli/jira.rb

@@ -59,8 +59,8 @@ module Abide
       def execute(issue)
         client = JIRA.client(options: {})
         issue = client.Issue.find(issue)
-        console = @data[:file].nil? ? true : false
-        out_json = issue.attrs.select { |_,v| !v.nil? || !v.empty? }
+        console = @data[:file].nil?
+        out_json = issue.attrs.select { |_, v| !v.nil? || !v.empty? }
         Abide::CLI::OUTPUT.json(out_json, console: console, file: @data[:file])
       end
     end

data/lib/abide_dev_utils/cli/puppet.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 require 'abide_dev_utils/cli/abstract'
+require 'abide_dev_utils/output'
+require 'abide_dev_utils/ppt'
 
 module Abide
   module CLI
@@ -12,6 +14,10 @@ module Abide
         super(CMD_NAME, CMD_SHORT, CMD_LONG, takes_commands: true)
         add_command(PuppetCoverageCommand.new)
         add_command(PuppetNewCommand.new)
+        add_command(PuppetRenameCommand.new)
+        add_command(PuppetFixClassNamesCommand.new)
+        add_command(PuppetAuditClassNamesCommand.new)
+        add_command(PuppetAddCISCommentCommand.new)
       end
     end
 
@@ -38,12 +44,12 @@ module Abide
       end
 
       def execute(class_dir, hiera_file)
-        require 'abide_dev_utils/ppt'
+        require 'abide_dev_utils/ppt/coverage'
         Abide::CLI::VALIDATE.directory(class_dir)
         Abide::CLI::VALIDATE.file(hiera_file)
-        coverage = AbideDevUtils::Ppt::CoverageReport.generate(class_dir, hiera_file, @data[:profile])
+        coverage = AbideDevUtils::Ppt.generate_coverage_report(class_dir, hiera_file, @data[:profile])
         coverage.each do |k, v|
-          next if ['classes', 'benchmark'].include?(k)
+          next if k.match?(/classes|benchmark/)
 
           Abide::CLI::OUTPUT.simple("#{k} coverage: #{v[:coverage]}%")
         end
@@ -100,14 +106,133 @@ module Abide
       end
 
       def execute(type, name)
-        require 'abide_dev_utils/ppt/new_obj'
-        builder = AbideDevUtils::Ppt::NewObjectBuilder.new(
-          type,
-          name,
-          opts: @data,
-          vars: @data.fetch(:vars, '').split(',').map { |i| i.split('=') }.to_h # makes the str a hash
-        )
-        builder.build
+        AbideDevUtils::Ppt.build_new_object(type, name, @data)
+      end
+    end
+
+    class PuppetRenameCommand < AbideCommand
+      CMD_NAME = 'rename'
+      CMD_SHORT = 'Renames a Puppet class'
+      CMD_LONG = 'Renames a Puppet class. It does this by renaming the file and also the class name in the file. This command can also move class files based on the new class name.'
+      CMD_FROM_ARG = 'The current full class name'
+      CMD_TO_ARG = 'The new full class name'
+      def initialize
+        super(CMD_NAME, CMD_SHORT, CMD_LONG, takes_commands: false)
+        argument_desc(FROM: CMD_FROM_ARG, TO: CMD_TO_ARG)
+        options.on(
+          '-d',
+          '--declaration-only',
+          'Will not rename the class file, only the class declaration in the file'
+        ) { @data[:declaration_only] = true }
+        options.on(
+          '-t',
+          '--declaration-in-to-file',
+          'Use the path derived from the TO class name as the existing file path when renaming class declaration'
+        ) { @data[:declaration_in_to_file] = true }
+        options.on(
+          '-f',
+          '--force',
+          'Forces file move operations'
+        ) { @data[:force] = true }
+        options.on(
+          '-v',
+          '--verbose',
+          'Sets verbose mode on file operations'
+        ) { @data[:verbose] = true }
+      end
+
+      def execute(from, to)
+        AbideDevUtils::Ppt.rename_puppet_class(from, to, **@data)
+      end
+    end
+
+    class PuppetFixClassNamesCommand < AbideCommand
+      CMD_NAME = 'fix-class-names'
+      CMD_SHORT = 'Fixes Puppet class names that are mismatched'
+      CMD_LONG = 'Fixes Puppet class names that are mismatched'
+      CMD_MODE_ARG = '"file" or "class". If "file", the file names will be changed to match their class declarations. If "class", the class declarations will be changed to match the file names.'
+      CMD_DIR_ARG = 'The directory containing the Puppet class files'
+      def initialize
+        super(CMD_NAME, CMD_SHORT, CMD_LONG, takes_commands: false)
+        argument_desc(MODE: CMD_MODE_ARG, DIR: CMD_DIR_ARG)
+        options.on(
+          '-f',
+          '--force',
+          'Forces file move operations'
+        ) { @data[:force] = true }
+        options.on(
+          '-v',
+          '--verbose',
+          'Sets verbose mode on file operations'
+        ) { @data[:verbose] = true }
+      end
+
+      def execute(mode, dir)
+        case mode
+        when /^f.*/
+          AbideDevUtils::Ppt.fix_class_names_file_rename(dir, **@data)
+        when /^c.*/
+          AbideDevUtils::Ppt.fix_class_names_class_rename(dir, **@data)
+        else
+          raise ::ArgumentError, "Invalid mode. Mode:#{mode}"
+        end
+      end
+    end
+
+    class PuppetAuditClassNamesCommand < AbideCommand
+      CMD_NAME = 'audit-class-names'
+      CMD_SHORT = 'Finds Puppet classes in a directory that have names that do not match their path'
+      CMD_LONG = 'Finds Puppet classes in a directory that have names that do not match their path. This is helpful because class names that do not match their path structure break Puppet autoloading.'
+      CMD_DIR_ARG = 'The directory containing the Puppet class files'
+      def initialize
+        super(CMD_NAME, CMD_SHORT, CMD_LONG, takes_commands: false)
+        argument_desc(DIR: CMD_DIR_ARG)
+        options.on('-o [FILE]', '--out-file [FILE]', 'Save results to a file') { |f| @data[:file] = f }
+        options.on('-q', '--quiet', 'Do not print results to console') { @data[:quiet] = true }
+      end
+
+      def execute(dir)
+        if @data.fetch(:quiet, false) && !@data.key?(:file)
+          AbideDevUtils::Output.simple('ERROR: Specifying --quiet without --out-file is useless.', stream: $stderr)
+          exit 1
+        end
+
+        AbideDevUtils::Ppt.audit_class_names(dir, **@data)
+      end
+    end
+
+    class PuppetAddCISCommentCommand < AbideCommand
+      CMD_NAME = 'add-cis-comment'
+      CMD_SHORT = 'Adds the CIS recommendation name to the top of a .pp file'
+      CMD_LONG = 'Adds the CIS recommendation name to the top of a .pp file. Finds CIS recommendation by pattern-matching the class name against XCCDF recommendations.'
+      CMD_PATH_ARG = 'Path to a .pp file or to a directory containing .pp files'
+      CMD_XCCDF_ARG = 'Path to XCCDF file to source recommendation names from'
+      def initialize
+        super(CMD_NAME, CMD_SHORT, CMD_LONG, takes_commands: false)
+        argument_desc(PATH: CMD_PATH_ARG, XCCDF: CMD_XCCDF_ARG)
+        options.on('-N', '--number-format', 'Matches based on number-formatted control class names') { @data[:number_format] = true }
+      end
+
+      def execute(path, xccdf)
+        AbideDevUtils::Ppt.add_cis_comment(path, xccdf, number_format: @data.fetch(:number_format, false))
+      end
+    end
+
+    class PuppetScoreModuleCommand < AbideCommand
+      CMD_NAME = 'score'
+      CMD_SHORT = 'Scores a Puppet module just like Puppet Forge'
+      CMD_LONG = 'Scores a Puppet module just like Puppet Forge. This is a useful quality-check before publishing a module.'
+      def initialize
+        super(CMD_NAME, CMD_SHORT, CMD_LONG, takes_commands: false)
+        options.on('-o [PATH]', '--outfile [PATH]', 'Save results to a file') { |x| @data[:outfile] = x }
+        options.on('-q', '--quiet', FalseClass, 'Do not print results to console') { |x| @data[:quiet] = x }
+        options.on('-c', '--checks', Array, 'Comma-separated list of individual checks to run. Defaults to running all checks.') { |x| @data[:check] = x }
+        options.on('-m [PATH]', '--module [PATH]', 'Path to a Puppet module to score. Defaults to using the current directory.') { |x| @data[:module] = x }
+      end
+
+      def execute
+        module_path = @data.fetch(:module, nil)
+        AbideDevUtils::Ppt.score_module(module_path, **@data)
       end
     end
   end

data/lib/abide_dev_utils/cli/xccdf.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require 'abide_dev_utils/cli/abstract'
 require 'abide_dev_utils/xccdf'
 
 module Abide
@@ -14,11 +15,12 @@ module Abide
         long_desc(CMD_LONG)
         add_command(CmdParse::HelpCommand.new, default: true)
         add_command(XccdfToHieraCommand.new)
+        add_command(XccdfDiffCommand.new)
       end
     end
 
     class XccdfToHieraCommand < CmdParse::Command
-      CMD_NAME = 'to_hiera'
+      CMD_NAME = 'to-hiera'
       CMD_SHORT = 'Generates control coverage report'
       CMD_LONG = 'Generates report of valid Puppet classes that match with Hiera controls'
       def initialize
@@ -37,15 +39,32 @@ module Abide
 
       def execute(xccdf_file)
         @data[:type] = 'cis' if @data[:type].nil?
-
-        to_hiera(xccdf_file)
+        hfile = AbideDevUtils::XCCDF.to_hiera(xccdf_file, @data)
+        AbideDevUtils::Output.yaml(hfile, console: @data[:file].nil?, file: @data[:file])
       end
+    end
 
-      private
+    class XccdfDiffCommand < AbideCommand
+      CMD_NAME = 'diff'
+      CMD_SHORT = 'Generates a diff report between two XCCDF files'
+      CMD_LONG = 'Generates a diff report between two XCCDF files'
+      CMD_FILE1_ARG = 'path to first XCCDF file'
+      CMD_FILE2_ARG = 'path to second XCCDF file'
+      def initialize
+        super(CMD_NAME, CMD_SHORT, CMD_LONG, takes_commands: false)
+        argument_desc(FILE1: CMD_FILE1_ARG, FILE2: CMD_FILE2_ARG)
+        options.on('-o [PATH]', '--out-file', 'Save the report as a yaml file') { |x| @data[:outfile] = x }
+        options.on('-p [PROFILE]', '--profile', 'Only diff and specific profile in the benchmarks') do |x|
+          @data[:profile] = x
+        end
+        options.on('-q', '--quiet', 'Show no output in the terminal') { @data[:quiet] = false }
+        options.on('--no-diff-profiles', 'Do not diff the profiles in the XCCDF files') { @data[:diff_profiles] = false }
+        options.on('--no-diff-controls', 'Do not diff the controls in the XCCDF files') { @data[:diff_controls] = false }
+      end
 
-      def to_hiera(xccdf_file)
-        xfile = AbideDevUtils::XCCDF.to_hiera(xccdf_file, @data)
-        Abide::CLI::OUTPUT.yaml(xfile, console: @data[:file].nil?, file: @data[:file])
+      def execute(file1, file2)
+        diffreport = AbideDevUtils::XCCDF.diff(file1, file2, @data)
+        AbideDevUtils::Output.yaml(diffreport, console: @data.fetch(:quiet, true), file: @data.fetch(:outfile, nil))
       end
     end
   end

data/lib/abide_dev_utils/cli.rb

@@ -3,6 +3,7 @@
 require 'cmdparse'
 require 'abide_dev_utils/version'
 require 'abide_dev_utils/constants'
+require 'abide_dev_utils/cli/comply'
 require 'abide_dev_utils/cli/puppet'
 require 'abide_dev_utils/cli/xccdf'
 require 'abide_dev_utils/cli/test'
@@ -21,6 +22,7 @@ module Abide
       parser.main_options.banner = ROOT_CMD_BANNER
       parser.add_command(CmdParse::HelpCommand.new, default: true)
       parser.add_command(CmdParse::VersionCommand.new(add_switches: true))
+      parser.add_command(ComplyCommand.new)
       parser.add_command(PuppetCommand.new)
       parser.add_command(XccdfCommand.new)
       parser.add_command(TestCommand.new)