abide_dev_utils 0.9.4 → 0.10.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3b3a74b07a3c45d7177fa8b2dd24f4c6eb0943f6ac9c907ab9d28878e628b990
-  data.tar.gz: 03de5f44f3150377e738bd7bb3f732136a956e463601f6b555b0ec5da1a3e574
+  metadata.gz: 4fc3820895d385ca28d6e097c1822cfaf878d41e2b282bfca55bec2e884a2dc2
+  data.tar.gz: de27ab8fb2021de5cd437695566e4ab0ad0531bc94659948557b3b09a05d59f5
 SHA512:
-  metadata.gz: bd522c8469aa8c96a75891366b636ef0c1ece9296c16e973896d8cb8e2c897a3d1b475ef98648a4be052085c8f7e681d708b2987df87e1fedaf2fa4a16d40011
-  data.tar.gz: 63720ae69e2ff22423f9ae2a6d217b6ccdbd0ce90f4fd79a8762579a9e1398bd5ea75e244aec64783029c74d9b9a76358ef5251c927a510684e4425f488cfb05
+  metadata.gz: 7df796781a8f4e4b87cf324c83273a9d2964f44f8dc8fd9f68c65610295f7b9f5161b70c23d66ab19ff75ca610860d27245256dabf6e69633850cbd2d1f3dd96
+  data.tar.gz: 3cf0142c1a0f3fae3bab07f65add4a320f90ca900adc5be63b77f72e40edba4936b6ea835796d0fd6b2c3cff034b6a2dcb4f5bd1ff43a476b40bcc053c5356cb

data/Gemfile.lock

@@ -1,11 +1,12 @@
 PATH
   remote: .
   specs:
-    abide_dev_utils (0.9.3)
+    abide_dev_utils (0.10.0)
+      amatch (~> 0.4)
       cmdparse (~> 3.0)
       google-cloud-storage (~> 1.34)
       hashdiff (~> 1.0)
-      jira-ruby (~> 2.1)
+      jira-ruby (~> 2.2)
       nokogiri (~> 1.11)
       puppet (>= 6.23)
       ruby-progressbar (~> 1.11)
@@ -14,13 +15,16 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    activesupport (7.0.1)
+    activesupport (7.0.2.2)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 1.6, < 2)
       minitest (>= 5.1)
       tzinfo (~> 2.0)
     addressable (2.8.0)
       public_suffix (>= 2.0.2, < 5.0)
+    amatch (0.4.0)
+      mize
+      tins (~> 1.0)
     ast (2.4.2)
     async (1.30.1)
       console (~> 1.10)
@@ -53,10 +57,10 @@ GEM
     diff-lcs (1.5.0)
     digest-crc (0.6.4)
       rake (>= 12.0.0, < 14.0.0)
-    facter (4.2.7)
+    facter (4.2.9)
       hocon (~> 1.3)
       thor (>= 1.0.1, < 2.0)
-    faraday (1.9.3)
+    faraday (1.10.0)
       faraday-em_http (~> 1.0)
       faraday-em_synchrony (~> 1.0)
       faraday-excon (~> 1.1)
@@ -93,7 +97,7 @@ GEM
       octokit (~> 4.6)
       rainbow (>= 2.2.1)
       rake (>= 10.0)
-    google-apis-core (0.4.1)
+    google-apis-core (0.4.2)
       addressable (~> 2.5, >= 2.5.1)
       googleauth (>= 0.16.2, < 2.a)
       httpclient (>= 2.8.1, < 3.a)
@@ -104,15 +108,15 @@ GEM
       webrick
     google-apis-iamcredentials_v1 (0.10.0)
       google-apis-core (>= 0.4, < 2.a)
-    google-apis-storage_v1 (0.11.0)
+    google-apis-storage_v1 (0.13.0)
       google-apis-core (>= 0.4, < 2.a)
     google-cloud-core (1.6.0)
       google-cloud-env (~> 1.0)
       google-cloud-errors (~> 1.0)
-    google-cloud-env (1.5.0)
-      faraday (>= 0.17.3, < 2.0)
+    google-cloud-env (1.6.0)
+      faraday (>= 0.17.3, < 3.0)
     google-cloud-errors (1.2.0)
-    google-cloud-storage (1.36.0)
+    google-cloud-storage (1.36.1)
       addressable (~> 2.8)
       digest-crc (~> 0.4)
       google-apis-iamcredentials_v1 (~> 0.1)
@@ -120,18 +124,18 @@ GEM
       google-cloud-core (~> 1.6)
       googleauth (>= 0.16.2, < 2.a)
       mini_mime (~> 1.0)
-    googleauth (1.1.0)
-      faraday (>= 0.17.3, < 2.0)
+    googleauth (1.1.2)
+      faraday (>= 0.17.3, < 3.a)
       jwt (>= 1.4, < 3.0)
       memoist (~> 0.16)
       multi_json (~> 1.11)
       os (>= 0.9, < 2.0)
       signet (>= 0.16, < 2.a)
     hashdiff (1.0.1)
-    hiera (3.8.0)
+    hiera (3.9.0)
     hocon (1.3.1)
     httpclient (2.8.3)
-    i18n (1.8.11)
+    i18n (1.10.0)
       concurrent-ruby (~> 1.0)
     jira-ruby (2.2.0)
       activesupport
@@ -143,13 +147,15 @@ GEM
     memoist (0.16.2)
     method_source (1.0.0)
     mini_mime (1.1.2)
-    mini_portile2 (2.7.1)
+    mini_portile2 (2.8.0)
     minitest (5.15.0)
+    mize (0.4.0)
+      protocol (~> 2.0)
     multi_json (1.15.0)
     multipart-post (2.1.1)
     nio4r (2.5.8)
-    nokogiri (1.13.1)
-      mini_portile2 (~> 2.7.0)
+    nokogiri (1.13.6)
+      mini_portile2 (~> 2.8.0)
       racc (~> 1.4)
     oauth (0.5.8)
     octokit (4.22.0)
@@ -157,8 +163,10 @@ GEM
       sawyer (~> 0.8.0, >= 0.5.3)
     os (1.1.4)
     parallel (1.21.0)
-    parser (3.1.0.0)
+    parser (3.1.1.0)
       ast (~> 2.4.1)
+    protocol (2.0.0)
+      ruby_parser (~> 3.0)
     protocol-hpack (1.4.2)
     protocol-http (0.22.5)
     protocol-http1 (0.14.2)
@@ -170,7 +178,7 @@ GEM
       coderay (~> 1.1)
       method_source (~> 1.0)
     public_suffix (4.0.6)
-    puppet (7.13.1)
+    puppet (7.16.0)
       concurrent-ruby (~> 1.0)
       deep_merge (~> 1.0)
       facter (> 2.0.1, < 5)
@@ -186,46 +194,48 @@ GEM
     racc (1.6.0)
     rainbow (3.1.1)
     rake (13.0.6)
-    regexp_parser (2.2.0)
+    regexp_parser (2.2.1)
     representable (3.1.1)
       declarative (< 0.1.0)
       trailblazer-option (>= 0.1.1, < 0.2.0)
       uber (< 0.2.0)
     retriable (3.1.2)
     rexml (3.2.5)
-    rspec (3.10.0)
-      rspec-core (~> 3.10.0)
-      rspec-expectations (~> 3.10.0)
-      rspec-mocks (~> 3.10.0)
-    rspec-core (3.10.1)
-      rspec-support (~> 3.10.0)
-    rspec-expectations (3.10.2)
+    rspec (3.11.0)
+      rspec-core (~> 3.11.0)
+      rspec-expectations (~> 3.11.0)
+      rspec-mocks (~> 3.11.0)
+    rspec-core (3.11.0)
+      rspec-support (~> 3.11.0)
+    rspec-expectations (3.11.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.10.0)
-    rspec-mocks (3.10.2)
+      rspec-support (~> 3.11.0)
+    rspec-mocks (3.11.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.10.0)
-    rspec-support (3.10.3)
-    rubocop (1.24.1)
+      rspec-support (~> 3.11.0)
+    rspec-support (3.11.0)
+    rubocop (1.25.1)
       parallel (~> 1.10)
-      parser (>= 3.0.0.0)
+      parser (>= 3.1.0.0)
       rainbow (>= 2.2.2, < 4.0)
       regexp_parser (>= 1.8, < 3.0)
       rexml
       rubocop-ast (>= 1.15.1, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 1.4.0, < 3.0)
-    rubocop-ast (1.15.1)
-      parser (>= 3.0.1.1)
+    rubocop-ast (1.16.0)
+      parser (>= 3.1.1.0)
     rubocop-i18n (3.0.0)
       rubocop (~> 1.0)
-    rubocop-performance (1.13.1)
+    rubocop-performance (1.13.2)
       rubocop (>= 1.7.0, < 2.0)
       rubocop-ast (>= 0.4.0)
-    rubocop-rspec (2.7.0)
+    rubocop-rspec (2.9.0)
       rubocop (~> 1.19)
     ruby-progressbar (1.11.0)
     ruby2_keywords (0.0.5)
+    ruby_parser (3.19.1)
+      sexp_processor (~> 4.16)
     rubyzip (2.3.2)
     sawyer (0.8.2)
       addressable (>= 2.3.5)
@@ -236,13 +246,17 @@ GEM
       rexml (~> 3.2, >= 3.2.5)
       rubyzip (>= 1.2.2)
     semantic_puppet (1.0.4)
-    signet (0.16.0)
+    sexp_processor (4.16.1)
+    signet (0.16.1)
       addressable (~> 2.8)
-      faraday (>= 0.17.3, < 2.0)
+      faraday (>= 0.17.5, < 3.0)
       jwt (>= 1.5, < 3.0)
       multi_json (~> 1.10)
+    sync (0.5.0)
     thor (1.2.1)
     timers (4.3.3)
+    tins (1.31.0)
+      sync
     trailblazer-option (0.1.2)
     tzinfo (2.0.4)
       concurrent-ruby (~> 1.0)

data/abide_dev_utils.gemspec

@@ -35,11 +35,12 @@ Gem::Specification.new do |spec|
   spec.add_dependency 'nokogiri', '~> 1.11'
   spec.add_dependency 'cmdparse', '~> 3.0'
   spec.add_dependency 'puppet', '>= 6.23'
-  spec.add_dependency 'jira-ruby', '~> 2.1'
+  spec.add_dependency 'jira-ruby', '~> 2.2'
   spec.add_dependency 'ruby-progressbar', '~> 1.11'
   spec.add_dependency 'selenium-webdriver', '~> 4.0.0.beta4'
   spec.add_dependency 'google-cloud-storage', '~> 1.34'
   spec.add_dependency 'hashdiff', '~> 1.0'
+  spec.add_dependency 'amatch', '~> 0.4'
 
   # Dev dependencies
   spec.add_development_dependency 'bundler'

data/lib/abide_dev_utils/cem.rb

@@ -0,0 +1,72 @@
+# frozen_string_literal: true
+
+require 'abide_dev_utils/xccdf'
+
+module AbideDevUtils
+  # Methods for working with Compliance Enforcement Modules (CEM)
+  module CEM
+    def self.xccdf
+      return @xccdf if defined?(@xccdf)
+
+      xccdf = Object.new
+      xccdf.extend AbideDevUtils::XCCDF::Common
+      @xccdf = xccdf
+      @xccdf
+    end
+
+    def self.rule_id_format(rule_id)
+      case rule_id
+      when /^c[0-9_]+$/
+        :hiera_title_num
+      when /^[a-z][a-z0-9_]+$/
+        :hiera_title
+      when /^[0-9.]+$/
+        :number
+      else
+        :title
+      end
+    end
+
+    def self.rule_identifiers(rule_id)
+      {
+        number: xccdf.control_parts(rule_id).first,
+        hiera_title: xccdf.name_normalize_control(rule_id),
+        hiera_title_num: xccdf.number_normalize_control(rule_id),
+      }
+    end
+
+    def self.update_legacy_config_from_diff(config_hiera, diff)
+      new_config_hiera = config_hiera.dup
+      new_control_configs = {}
+      change_report = []
+      changes = diff.select { |d| d[:type][0] == :number }
+      config_hiera['config']['control_configs'].each do |key, val_hash|
+        key_id_format = rule_id_format(key)
+        changed = false
+        changes.each do |change|
+          if key_id_format == :title
+            next unless change[:title] == key
+          else
+            next unless rule_identifiers(change[:self].id)[key_id_format] == key
+          end
+
+          changed = true
+          new_key = if key_id_format == :title
+                      change[:other_title]
+                    else
+                      rule_identifiers(change[:other].id)[key_id_format]
+                    end
+          new_control_configs[new_key] = val_hash
+          change_report << {
+            type: :identifier_update,
+            from: key,
+            to: new_key,
+          }
+        end
+        new_control_configs[key] = val_hash unless changed
+      end
+      new_config_hiera['config']['control_configs'] = new_control_configs
+      [new_config_hiera, change_report]
+    end
+  end
+end

data/lib/abide_dev_utils/cli/cem.rb

@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+require 'abide_dev_utils/cem'
+require 'abide_dev_utils/files'
+require 'abide_dev_utils/output'
+require 'abide_dev_utils/validate'
+require 'abide_dev_utils/xccdf/diff/benchmark'
+require 'abide_dev_utils/cli/abstract'
+
+module Abide
+  module CLI
+    class CemCommand < AbideCommand
+      CMD_NAME = 'cem'
+      CMD_SHORT = 'Commands related to Puppet CEM'
+      CMD_LONG = 'Namespace for commands related to Puppet CEM'
+      def initialize
+        super(CMD_NAME, CMD_SHORT, CMD_LONG, takes_commands: true)
+        add_command(CemUpdateConfig.new)
+      end
+    end
+
+    class CemUpdateConfig < AbideCommand
+      CMD_NAME = 'update-config'
+      CMD_SHORT = 'Updates the Puppet CEM config'
+      CMD_LONG = 'Updates the Puppet CEM config'
+      def initialize
+        super(CMD_NAME, CMD_SHORT, CMD_LONG, takes_commands: true)
+        add_command(CemUpdateConfigFromDiff.new)
+      end
+    end
+
+    class CemUpdateConfigFromDiff < AbideCommand
+      CMD_NAME = 'from-diff'
+      CMD_SHORT = 'Update by diffing two XCCDF files'
+      CMD_LONG = 'Update by diffing two XCCDF files'
+      CMD_CONFIG_FILE = 'Path to the Puppet CEM config file'
+      CMD_CURRENT_XCCDF = 'Path to the current XCCDF file'
+      CMD_NEW_XCCDF = 'Path to the new XCCDF file'
+      def initialize
+        super(CMD_NAME, CMD_SHORT, CMD_LONG, takes_commands: false)
+        argument_desc(CONFIG_FILE: CMD_CONFIG_FILE, CURRENT_XCCDF: CMD_CURRENT_XCCDF, NEW_XCCDF: CMD_NEW_XCCDF)
+        options.on('-o [FILE]', '--out-file [FILE]', 'Path to save the updated config file') do |o|
+          @data[:out_file] = o
+        end
+        options.on('-v', '--verbose', 'Verbose output') do
+          @data[:verbose] = true
+        end
+        options.on('-q', '--quiet', 'Quiet output') do
+          @data[:quiet] = true
+        end
+      end
+
+      def help_arguments
+        <<~ARGHELP
+          Arguments:
+            CONFIG_FILE:   #{CMD_CONFIG_FILE}
+            CURRENT_XCCDF: #{CMD_CURRENT_XCCDF}
+            NEW_XCCDF:     #{CMD_NEW_XCCDF}
+        ARGHELP
+      end
+
+      def execute(config_file, cur_xccdf, new_xccdf)
+        AbideDevUtils::Validate.file(config_file, extension: 'yaml')
+        AbideDevUtils::Validate.file(cur_xccdf, extension: 'xml')
+        config_hiera = AbideDevUtils::Files::Reader.read(config_file, safe: true)
+        diff = AbideDevUtils::XCCDF::Diff::BenchmarkDiff.new(cur_xccdf, new_xccdf).diff[:diff][:number_title]
+        new_config_hiera, change_report = AbideDevUtils::CEM.update_legacy_config_from_diff(config_hiera, diff)
+        AbideDevUtils::Output.yaml(new_config_hiera, console: @data[:verbose], file: @data[:out_file])
+        AbideDevUtils::Output.simple(change_report) unless @data[:quiet]
+      end
+    end
+  end
+end

data/lib/abide_dev_utils/cli/xccdf.rb

@@ -104,13 +104,24 @@ module Abide
         options.on('-p [PROFILE]', '--profile', 'Only diff and specific profile in the benchmarks') do |x|
           @data[:profile] = x
         end
+        options.on('-l [LEVEL]', '--level', 'Only diff the specific level in the benchmarks') do |x|
+          @data[:level] = x
+        end
+        options.on('-r', '--raw', 'Output the diff in raw hash format') { @data[:raw] = true }
         options.on('-q', '--quiet', 'Show no output in the terminal') { @data[:quiet] = false }
         options.on('--no-diff-profiles', 'Do not diff the profiles in the XCCDF files') { @data[:diff_profiles] = false }
         options.on('--no-diff-controls', 'Do not diff the controls in the XCCDF files') { @data[:diff_controls] = false }
+        options.on('--old-style', 'Use old-style diffs') { @data[:old_style] = true }
       end
 
       def execute(file1, file2)
-        diffreport = AbideDevUtils::XCCDF.diff(file1, file2, @data)
+        diffreport = if @data[:old_style]
+                       AbideDevUtils::XCCDF.diff(file1, file2, @data)
+                     else
+                       dr = AbideDevUtils::XCCDF.new_style_diff(file1, file2, @data)
+                       dr[:diff][:number_title].map! { |d| d[:text] }
+                       dr
+                     end
         AbideDevUtils::Output.yaml(diffreport, console: @data.fetch(:quiet, true), file: @data.fetch(:outfile, nil))
       end
     end

data/lib/abide_dev_utils/cli.rb

@@ -2,6 +2,7 @@
 
 require 'cmdparse'
 require 'abide_dev_utils/version'
+require 'abide_dev_utils/cli/cem'
 require 'abide_dev_utils/constants'
 require 'abide_dev_utils/cli/comply'
 require 'abide_dev_utils/cli/puppet'
@@ -22,6 +23,7 @@ module Abide
       parser.main_options.banner = ROOT_CMD_BANNER
       parser.add_command(CmdParse::HelpCommand.new, default: true)
       parser.add_command(CmdParse::VersionCommand.new(add_switches: true))
+      parser.add_command(CemCommand.new)
       parser.add_command(ComplyCommand.new)
       parser.add_command(PuppetCommand.new)
       parser.add_command(XccdfCommand.new)

data/lib/abide_dev_utils/files.rb

@@ -1,7 +1,41 @@
 # frozen_string_literal: true
 
+require 'abide_dev_utils/validate'
+
 module AbideDevUtils
   module Files
+    class Reader
+      def self.read(path, raw: false, safe: true, opts: {})
+        AbideDevUtils::Validate.file(path)
+        return File.read(path) if raw
+
+        extension = File.extname(path)
+        case extension
+        when /\.yaml|\.yml/
+          require 'yaml'
+          if safe
+            YAML.safe_load(File.read(path))
+          else
+            YAML.load_file(path)
+          end
+        when '.json'
+          require 'json'
+          return JSON.parse(File.read(path), opts) if safe
+
+          JSON.parse!(File.read(path), opts)
+        when '.xml'
+          require 'nokogiri'
+          File.open(path, 'r') do |file|
+            Nokogiri::XML.parse(file) do |config|
+              config.strict.noblanks.norecover
+            end
+          end
+        else
+          File.read(path)
+        end
+      end
+    end
+
     class Writer
       MSG_EXT_APPEND = 'Appending %s extension to file'
 

data/lib/abide_dev_utils/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module AbideDevUtils
-  VERSION = "0.9.4"
+  VERSION = "0.10.0"
 end