abide_dev_utils 0.6.0 → 0.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: cf0d6affedd8f13f06af7f1f0db11666b9df2707d87a7685a4bd39ecd3e1519d
-  data.tar.gz: 0f20af443ff1e13f9e854daa5e7cf5ec45213dfe9a2f0390c250dac92a8cc8d3
+  metadata.gz: 3978f655b9053e54d4fd63d456d3d65b9079c7684c6fcc88a3f764ead1aa012a
+  data.tar.gz: 746265daf86c8095a0f4ddbf9909d85a30ba2495b2b449e19896584c6e88da2b
 SHA512:
-  metadata.gz: '097e88fb6b19170c2b727fd8873fa3dbb766ace25a7538ab8cfbd0a35083cb11654b58fb7f45ee7130d7c4f4cb48b8b241de4849b0cb406de8f7eb62cf09ce68'
-  data.tar.gz: 4c0bc197da434b0ee25c9854b4b2af98a6ad9600733b734f9be21022ce312d7e8f0aea4f27c2217c3f56f7d2df26fedfe228f80b60fcd04da4ec08877a86bc54
+  metadata.gz: a6bbb36782aff2d06e4fd55ea66582cf64c4414c2e13f1c3cca76c8b1c33c420f76474b058c2e2ce49bb294efc01b677588957fa8f745d3b2fa022683253281f
+  data.tar.gz: 78f92a917f547ba04f17610e0bca9cc5816efaadf7b066645cc75e40c303173a9b0d3e27ea0d7a741219f88c5e479810e14f180fc813cd5a31e3d6f0ee4bf65e

data/.gitignore

@@ -6,7 +6,8 @@
 /pkg/
 /spec/reports/
 /tmp/
-
+w10_20h2.xml
+w10_2004.xml
 # rspec failure tracking
 .rspec_status
 Gemfile.lock

data/.rubocop.yml

@@ -12,7 +12,7 @@ AllCops:
     - 'tmp/**/*'
     - '.git/**/*'
     - 'bin/*'
-  TargetRubyVersion: 2.5
+  TargetRubyVersion: 2.7
   SuggestExtensions: false
 
 Naming/PredicateName:

data/CODEOWNERS

@@ -0,0 +1 @@
+* @puppetlabs/abide-team

data/abide_dev_utils.gemspec

@@ -7,14 +7,14 @@ require "abide_dev_utils/version"
 Gem::Specification.new do |spec|
   spec.name          = "abide_dev_utils"
   spec.version       = AbideDevUtils::VERSION
-  spec.authors       = ["Heston Snodgrass"]
-  spec.email         = ["hsnodgrass3@gmail.com"]
+  spec.authors       = ["abide-team"]
+  spec.email         = ["abide-team@puppet.com"]
 
-  spec.summary       = "Helper utilities for developing Abide"
-  spec.description   = "Provides a CLI with helpful utilities for developing Abide"
-  spec.homepage      = "https://github.com/hsnodgrass/abide_dev_utils"
+  spec.summary       = "Helper utilities for developing compliance Puppet code"
+  spec.description   = "Provides a CLI with helpful utilities for developing compliance Puppet code"
+  spec.homepage      = "https://github.com/puppetlabs/abide_dev_utils"
   spec.license       = "MIT"
-  spec.required_ruby_version = Gem::Requirement.new(">= 2.5.0")
+  spec.required_ruby_version = Gem::Requirement.new(">= 2.7.0")
 
   # spec.metadata["allowed_push_host"] = "TODO: Set to 'http://mygemserver.com'"
 
@@ -39,6 +39,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency 'ruby-progressbar', '~> 1.11'
   spec.add_dependency 'selenium-webdriver', '~> 4.0.0.beta4'
   spec.add_dependency 'google-cloud-storage', '~> 1.34'
+  spec.add_dependency 'hashdiff', '~> 1.0'
 
   # Dev dependencies
   spec.add_development_dependency 'bundler'

data/itests.rb

@@ -0,0 +1,138 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require 'json'
+require 'yaml'
+require 'abide_dev_utils/comply'
+require 'abide_dev_utils/ppt/api'
+
+OS_BENCHMARK_MAP = {
+  'centos-7' => 'CIS_CentOS_Linux_7_Benchmark_v3.1.1-xccdf.xml',
+  'centos-8' => 'CIS_CentOS_Linux_8_Benchmark_v1.0.1-xccdf.xml',
+  'rhel-7' => 'CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v3.1.1-xccdf.xml',
+  'rhel-8' => 'CIS_Red_Hat_Enterprise_Linux_8_Benchmark_v1.0.1-xccdf.xml',
+  'serv-2016' => 'CIS_Microsoft_Windows_Server_2016_RTM_(Release_1607)_Benchmark_v1.3.0-xccdf.xml',
+  'serv-2019' => 'CIS_Microsoft_Windows_Server_2019_Benchmark_v1.2.1-xccdf.xml'
+}
+EL_PROFILE_1_SERVER = 'xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Server'
+WIN_PROFILE_1_MS = 'xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Member_Server'
+NIX_SCAN_HASH = {
+  'nix-centos-7.c.team-sse.internal' => {
+    'benchmark' => OS_BENCHMARK_MAP['centos-7'],
+    'profile' => EL_PROFILE_1_SERVER
+  },
+  'nix-centos-8.c.team-sse.internal' => {
+    'benchmark' => OS_BENCHMARK_MAP['centos-8'],
+    'profile' => EL_PROFILE_1_SERVER
+  },
+  'nix-rhel-7.c.team-sse.internal' => {
+    'benchmark' => OS_BENCHMARK_MAP['rhel-7'],
+    'profile' => EL_PROFILE_1_SERVER
+  },
+  'nix-rhel-8.c.team-sse.internal' => {
+    'benchmark' => OS_BENCHMARK_MAP['rhel-8'],
+    'profile' => EL_PROFILE_1_SERVER
+  }
+}.freeze
+WIN_SCAN_HASH = {
+  'win-server-2016.c.team-sse.internal' => {
+    'benchmark' => OS_BENCHMARK_MAP['serv-2016'],
+    'profile' => EL_PROFILE_1_SERVER
+  },
+  'win-serv-2019.c.team-sse.internal' => {
+    'benchmark' => OS_BENCHMARK_MAP['serv-2019'],
+    'profile' => WIN_PROFILE_1_MS
+  }
+}.freeze
+
+scan_hash = ENV['ABIDE_OS'] == 'nix' ? NIX_SCAN_HASH : WIN_SCAN_HASH
+node_group_name = ENV['ABIDE_OS'] == 'nix' ? 'CEM Linux Nodes' : 'CEM Windows Nodes'
+
+puts 'Creating client...'
+client = AbideDevUtils::Ppt::ApiClient.new(ENV['PUPPET_HOST'], auth_token: ENV['PE_ACCESS_TOKEN'])
+puts 'Starting code deploy...'
+code_manager_deploy = client.post_codemanager_deploys('environments' => ['production'], 'wait' => true)
+raise 'Code manager deployment failed!' unless code_manager_deploy['status'] == 'complete'
+
+puts 'Code deploy successful...'
+puts 'Gathering node group ID...'
+node_groups = client.get_classifier1_groups
+node_group_id = nil
+node_groups.each { |x| node_group_id = x['id'] if x['name'] == node_group_name }
+raise 'Failed to find requested node group!' if node_group_id.nil?
+
+puts 'Running Puppet on nodes...'
+puppet_run = client.post_orchestrator_command_deploy('environment' => 'production', 'scope' => { 'node_group' => node_group_id })
+puts "Started job #{puppet_run['job']['name']}..."
+timeout = 0
+run_complete = false
+until run_complete || timeout >= 30
+  puts "Waiting on job #{puppet_run['job']['name']} to complete..."
+  status = client.get_orchestrator_jobs(puppet_run['job']['name'])
+  case status['state']
+  when 'failed'
+    raise "Job #{puppet_run['job']['name']} finished with failures!"
+  when 'finished'
+    run_complete = true
+    break
+  else
+    timeout += 1
+    sleep(10)
+  end
+end
+raise 'Job timed out waiting for completion' unless run_complete
+
+puts 'Starting node scans...'
+scan_job = client.post_orchestrator_command_task(
+  'environment' => 'production',
+  'task' => 'comply::ciscat_scan',
+  'params' => {
+    'comply_port' => '443',
+    'comply_server' => ENV['COMPLY_FQDN'],
+    'ssl_verify_mode' => 'none',
+    'scan_type' => 'desired',
+    'scan_hash' => JSON.generate(scan_hash)
+  },
+  'scope' => {
+    'node_group' => node_group_id
+  }
+)
+puts "Started scan #{scan_job['job']['name']}..."
+timeout = 0
+scan_complete = false
+until scan_complete || timeout >= 30
+  puts "Waiting on scan #{scan_job['job']['name']} to complete..."
+  status = client.get_orchestrator_jobs(scan_job['job']['name'])
+  case status['state']
+  when 'failed'
+    raise "Task #{scan_job['job']['name']} finished with failures!"
+  when 'finished'
+    scan_complete = true
+    break
+  else
+    timeout += 1
+    sleep(10)
+  end
+end
+raise 'Job timed out waiting for completion' unless scan_complete
+
+puts 'Collecting scan report from Comply...'
+onlylist = scan_hash.keys
+scan_report = AbideDevUtils::Comply.build_report("https://#{ENV['COMPLY_FQDN']}", ENV['COMPLY_PASSWORD'], nil, onlylist: onlylist)
+puts 'Saving report to nix_report.yaml...'
+File.open('nix_report.yaml', 'w') { |f| f.write(scan_report.to_yaml) }
+
+puts 'Comparing current report to last report...'
+opts = {
+  report_name: 'nix_report.yaml',
+  remote_storage: 'gcloud',
+  upload: true
+}
+result = AbideDevUtils::Comply.compare_reports(File.expand_path('./nix_report.yaml'), 'nix_report.yaml', opts)
+if result
+  puts 'Success!'
+  exit(0)
+else
+  puts 'Failure!'
+  exit(1)
+end

data/lib/abide_dev_utils/cli/comply.rb

@@ -12,6 +12,7 @@ module Abide
       def initialize
         super(CMD_NAME, CMD_SHORT, CMD_LONG, takes_commands: true)
         add_command(ComplyReportCommand.new)
+        add_command(ComplyCompareReportCommand.new)
       end
     end
 
@@ -57,23 +58,19 @@ module Abide
         options.on('-t [SECONDS]', '--timeout [SECONDS]', OPT_TIMEOUT_DESC) do |t|
           @data[:timeout] = t
         end
-        options.on('-s x,y,z', '--status x,y,x',
+        options.on('-s [X,Y,Z]', '--status [X,Y,Z]',
                    %w[pass fail error notapplicable notchecked unknown informational],
                    Array,
                    OPT_STATUS_DESC) do |s|
           s&.map! { |i| i == 'notchecked' ? 'not checked' : i }
           @data[:status] = s
         end
-        options.on('--only x,y,z', Array, OPT_ONLY_NODES) do |o|
+        options.on('--only [X,Y,Z]', Array, OPT_ONLY_NODES) do |o|
           @data[:onlylist] = o
         end
-        options.on('--ignore x,y,z', Array, OPT_IGNORE_NODES) do |i|
+        options.on('--ignore [X,Y,Z]', Array, OPT_IGNORE_NODES) do |i|
           @data[:ignorelist] = i
         end
-        # options.on('-R', '--[no-]regression-test', OPT_REGRESSION_TEST) do |r|
-        #   @data[:regression] = r
-        # end
-        # options.on('--')
       end
 
       def help_arguments
@@ -95,5 +92,24 @@ module Abide
         Abide::CLI::OUTPUT.yaml(report, file: outfile)
       end
     end
+
+    class ComplyCompareReportCommand < AbideCommand
+      CMD_NAME = 'compare-report'
+      CMD_SHORT = 'Compare two Comply reports and get the differences.'
+      CMD_LONG = 'Compare two Comply reports and get the differences. Report A is compared to report B, showing what changes it would take for A to equal B.'
+      CMD_REPORT_A = 'The current Comply report yaml file'
+      CMD_REPORT_B = 'The old Comply report yaml file name or full path'
+      def initialize
+        super(CMD_NAME, CMD_SHORT, CMD_LONG, takes_commands: false)
+        argument_desc(REPORT_A: CMD_REPORT_A, REPORT_B: CMD_REPORT_B)
+        options.on('-u', '--upload-new', 'If you want to upload the new scan report') { @data[:upload] = true }
+        options.on('-s [STORAGE]', '--remote-storage [STORAGE]', 'Remote storage to upload the report to. (Only supports "gcloud")') { |x| @data[:remote_storage] = x }
+        options.on('-r [NAME]', '--name [NAME]', 'The name to upload the report as') { |x| @data[:report_name] = x }
+      end
+
+      def execute(report_a, report_b)
+        AbideDevUtils::Comply.compare_reports(report_a, report_b, @data)
+      end
+    end
   end
 end

data/lib/abide_dev_utils/cli/puppet.rb

@@ -217,5 +217,23 @@ module Abide
         AbideDevUtils::Ppt.add_cis_comment(path, xccdf, number_format: @data.fetch(:number_format, false))
       end
     end
+
+    class PuppetScoreModuleCommand < AbideCommand
+      CMD_NAME = 'score'
+      CMD_SHORT = 'Scores a Puppet module just like Puppet Forge'
+      CMD_LONG = 'Scores a Puppet module just like Puppet Forge. This is a useful quality-check before publishing a module.'
+      def initialize
+        super(CMD_NAME, CMD_SHORT, CMD_LONG, takes_commands: false)
+        options.on('-o [PATH]', '--outfile [PATH]', 'Save results to a file') { |x| @data[:outfile] = x }
+        options.on('-q', '--quiet', FalseClass, 'Do not print results to console') { |x| @data[:quiet] = x }
+        options.on('-c', '--checks', Array, 'Comma-separated list of individual checks to run. Defaults to running all checks.') { |x| @data[:check] = x }
+        options.on('-m [PATH]', '--module [PATH]', 'Path to a Puppet module to score. Defaults to using the current directory.') { |x| @data[:module] = x }
+      end
+
+      def execute
+        module_path = @data.fetch(:module, nil)
+        AbideDevUtils::Ppt.score_module(module_path, **@data)
+      end
+    end
   end
 end

data/lib/abide_dev_utils/cli/xccdf.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require 'abide_dev_utils/cli/abstract'
 require 'abide_dev_utils/xccdf'
 
 module Abide
@@ -14,11 +15,12 @@ module Abide
         long_desc(CMD_LONG)
         add_command(CmdParse::HelpCommand.new, default: true)
         add_command(XccdfToHieraCommand.new)
+        add_command(XccdfDiffCommand.new)
       end
     end
 
     class XccdfToHieraCommand < CmdParse::Command
-      CMD_NAME = 'to_hiera'
+      CMD_NAME = 'to-hiera'
       CMD_SHORT = 'Generates control coverage report'
       CMD_LONG = 'Generates report of valid Puppet classes that match with Hiera controls'
       def initialize
@@ -37,15 +39,32 @@ module Abide
 
       def execute(xccdf_file)
         @data[:type] = 'cis' if @data[:type].nil?
-
-        to_hiera(xccdf_file)
+        hfile = AbideDevUtils::XCCDF.to_hiera(xccdf_file, @data)
+        AbideDevUtils::Output.yaml(hfile, console: @data[:file].nil?, file: @data[:file])
       end
+    end
 
-      private
+    class XccdfDiffCommand < AbideCommand
+      CMD_NAME = 'diff'
+      CMD_SHORT = 'Generates a diff report between two XCCDF files'
+      CMD_LONG = 'Generates a diff report between two XCCDF files'
+      CMD_FILE1_ARG = 'path to first XCCDF file'
+      CMD_FILE2_ARG = 'path to second XCCDF file'
+      def initialize
+        super(CMD_NAME, CMD_SHORT, CMD_LONG, takes_commands: false)
+        argument_desc(FILE1: CMD_FILE1_ARG, FILE2: CMD_FILE2_ARG)
+        options.on('-o [PATH]', '--out-file', 'Save the report as a yaml file') { |x| @data[:outfile] = x }
+        options.on('-p [PROFILE]', '--profile', 'Only diff and specific profile in the benchmarks') do |x|
+          @data[:profile] = x
+        end
+        options.on('-q', '--quiet', 'Show no output in the terminal') { @data[:quiet] = false }
+        options.on('--no-diff-profiles', 'Do not diff the profiles in the XCCDF files') { @data[:diff_profiles] = false }
+        options.on('--no-diff-controls', 'Do not diff the controls in the XCCDF files') { @data[:diff_controls] = false }
+      end
 
-      def to_hiera(xccdf_file)
-        xfile = AbideDevUtils::XCCDF.to_hiera(xccdf_file, @data)
-        Abide::CLI::OUTPUT.yaml(xfile, console: @data[:file].nil?, file: @data[:file])
+      def execute(file1, file2)
+        diffreport = AbideDevUtils::XCCDF.diff(file1, file2, @data)
+        AbideDevUtils::Output.yaml(diffreport, console: @data.fetch(:quiet, true), file: @data.fetch(:outfile, nil))
       end
     end
   end