abide_dev_utils 0.9.7 → 0.10.0

data/lib/abide_dev_utils/xccdf/diff.rb

@@ -0,0 +1,233 @@
+# frozen_string_literal: true
+
+require 'hashdiff'
+
+module AbideDevUtils
+  module XCCDF
+    # Contains methods and classes used to diff XCCDF-derived objects.
+    module Diff
+      DEFAULT_DIFF_OPTS = {
+        similarity: 1,
+        strict: true,
+        strip: true,
+        array_path: true,
+        delimiter: '//',
+        use_lcs: true,
+      }.freeze
+
+      # Represents a change in a diff.
+      class ChangeSet
+        attr_reader :change, :key, :value, :value_to
+
+        def initialize(change:, key:, value:, value_to: nil)
+          validate_change(change)
+          @change = change
+          @key = key
+          @value = value
+          @value_to = value_to
+        end
+
+        def to_s
+          value_change_string(value, value_to)
+        end
+
+        def to_h
+          {
+            change: change,
+            key: key,
+            value: value,
+            value_to: value_to,
+          }
+        end
+
+        def can_merge?(other)
+          return false unless (change == '-' && other.change == '+') || (change == '+' && other.change == '-')
+          return false unless key == other.key || value_hash_equality(other)
+
+          true
+        end
+
+        def merge(other)
+          unless can_merge?(other)
+            raise ArgumentError, 'Cannot merge. Possible causes: change is identical; key or value do not match'
+          end
+
+          new_to_value = value == other.value ? nil : other.value
+          ChangeSet.new(
+            change: '~',
+            key: key,
+            value: value,
+            value_to: new_to_value
+          )
+        end
+
+        def merge!(other)
+          new_props = merge(other)
+          @change = new_props.change
+          @key = new_props.key
+          @value = new_props.value
+          @value_to = new_props.value_to
+        end
+
+        private
+
+        def value_hash_equality(other)
+          equality = false
+          value.each do |k, v|
+            equality = true if v == other.value[k]
+          end
+          equality
+        end
+
+        def validate_change(chng)
+          raise ArgumentError, "Change type #{chng} in invalid" unless ['+', '-', '~'].include?(chng)
+        end
+
+        def change_string(chng)
+          case chng
+          when '-'
+            'Remove'
+          when '+'
+            'Add'
+          else
+            'Change'
+          end
+        end
+
+        def value_change_string(value, value_to)
+          change_str = []
+          change_diff = Hashdiff.diff(value, value_to || {}, AbideDevUtils::XCCDF::Diff::DEFAULT_DIFF_OPTS)
+          return if change_diff.empty?
+          return value_change_string_single_type(change_diff, value) if all_single_change_type?(change_diff)
+
+          change_diff.each do |chng|
+            change_str << if chng.length == 4
+                            "#{change_string(chng[0])} #{chng[1][0]} \"#{chng[2]}\" to \"#{chng[3]}\""
+                          else
+                            "#{change_string(chng[0])} #{chng[1][0]} with value #{chng[2]}"
+                          end
+          end
+          change_str.join(', ')
+        end
+
+        def value_change_string_single_type(change_diff, value)
+          "#{change_string(change_diff[0][0])} #{value[:number]} - #{value[:level]} - #{value[:title]}"
+        end
+
+        def all_single_change_type?(change_diff)
+          change_diff.length > 1 && change_diff.map { |x| x[0] }.uniq.length == 1
+        end
+      end
+
+      # Class used to diff two Benchmark profiles.
+      class ProfileDiff
+        def initialize(profile_a, profile_b, opts = {})
+          @profile_a = profile_a
+          @profile_b = profile_b
+          @opts = opts
+        end
+
+        def diff
+          @diff ||= new_diff
+        end
+
+        private
+
+        def new_diff
+          Hashdiff.diff(@profile_a, @profile_b, AbideDevUtils::XCCDF::Diff::DEFAULT_DIFF_OPTS).each_with_object({}) do |change, diff|
+            val_to = change.length == 4 ? change[3] : nil
+            change_key = change[2].is_a?(Hash) ? change[2][:title] : change[2]
+            if diff.key?(change_key)
+              diff[change_key] = merge_changes(
+                [
+                  diff[change_key][0],
+                  ChangeSet.new(change: change[0], key: change[1], value: change[2], value_to: val_to),
+                ]
+              )
+            else
+              diff[change_key] = [ChangeSet.new(change: change[0], key: change[1], value: change[2], value_to: val_to)]
+            end
+          end
+        end
+
+        def merge_changes(changes)
+          return changes if changes.length < 2
+
+          if changes[0].can_merge?(changes[1])
+            [changes[0].merge(changes[1])]
+          else
+            changes
+          end
+        end
+      end
+
+      # Class used to diff two AbideDevUtils::XCCDF::Benchmark objects.
+      class BenchmarkDiff
+        def initialize(benchmark_a, benchmark_b, opts = {})
+          @benchmark_a = benchmark_a
+          @benchmark_b = benchmark_b
+          @opts = opts
+        end
+
+        def properties_to_diff
+          @properties_to_diff ||= %i[title version profiles]
+        end
+
+        def title_version
+          @title_version ||= diff_title_version
+        end
+
+        def profiles(profile: nil)
+          @profiles ||= diff_profiles(profile: profile)
+        end
+
+        private
+
+        def diff_title_version
+          diff = Hashdiff.diff(
+            @benchmark_a.to_h.reject { |k, _| k.to_s == 'profiles' },
+            @benchmark_b.to_h.reject { |k, _| k.to_s == 'profiles' },
+            AbideDevUtils::XCCDF::Diff::DEFAULT_DIFF_OPTS
+          )
+          diff.each_with_object({}) do |change, tdiff|
+            val_to = change.length == 4 ? change[3] : nil
+            change_key = change[2].is_a?(Hash) ? change[2][:title] : change[2]
+            tdiff[change_key] = [] unless tdiff.key?(change_key)
+            tdiff[change_key] << ChangeSet.new(change: change[0], key: change[1], value: change[2], value_to: val_to)
+          end
+        end
+
+        def diff_profiles(profile: nil)
+          diff = {}
+          other_hash = @benchmark_b.to_h[:profiles]
+          @benchmark_a.to_h[:profiles].each do |name, data|
+            next if profile && profile != name
+
+            diff[name] = ProfileDiff.new(data, other_hash[name], @opts).diff
+          end
+          diff
+        end
+      end
+
+      def self.diff_benchmarks(benchmark_a, benchmark_b, opts = {})
+        profile = opts.fetch(:profile, nil)
+        profile_key = profile.nil? ? 'all_profiles' : profile
+        benchmark_diff = BenchmarkDiff.new(benchmark_a, benchmark_b, opts)
+        transform_method_sym = opts.fetch(:raw, false) ? :to_h : :to_s
+        diff = if profile.nil?
+                 benchmark_diff.profiles.each do |_, v|
+                   v.transform_values! { |x| x.map!(&transform_method_sym) }
+                 end
+               else
+                 benchmark_diff.profiles(profile: profile)[profile].transform_values! { |x| x.map!(&transform_method_sym) }
+               end
+        return diff.values.flatten if opts.fetch(:raw, false)
+
+        {
+          'benchmark' => benchmark_diff.title_version.transform_values { |x| x.map!(&:to_s) },
+          profile_key => diff.values.flatten,
+        }
+      end
+    end
+  end
+end

data/lib/abide_dev_utils/xccdf/parser/objects/digest_object.rb

@@ -0,0 +1,118 @@
+# frozen_string_literal: true
+
+module AbideDevUtils
+  module XCCDF
+    module Parser
+      module Objects
+        # Methods for providing and comparing hash digests of objects
+        module DigestObject
+          # Excludes instance variables that are not used in the digest
+          def exclude_from_digest(exclude)
+            unless exclude.is_a?(Array) || exclude.is_a?(Symbol)
+              raise ArgumentError, 'exclude must be an Array or Symbol'
+            end
+
+            @exclude_from_digest ||= []
+            if exclude.is_a?(Array)
+              exclude.map! do |e|
+                normalize_exclusion(e)
+              end
+              @exclude_from_digest += exclude
+            else
+              @exclude_from_digest << normalize_exclusion(exclude)
+            end
+            @exclude_from_digest.uniq!
+          end
+
+          # Exclusions are instance variable symbols and must be prefixed with "@"
+          def normalize_exclusion(exclude)
+            exclude = "@#{exclude}" unless exclude.to_s.start_with?('@')
+            exclude.to_sym
+          end
+
+          # Checks SHA256 digest equality
+          def digest_equal?(other)
+            digest == other.digest
+          end
+
+          # Returns a SHA256 digest of the object, including the digests of all
+          # children
+          def digest
+            return @digest if defined?(@digest)
+
+            parts = [labeled_self_digest]
+            children.each { |child| parts << child.digest } unless children.empty?
+            @digest = parts.join('|')
+            @digest
+          end
+
+          # Returns a labeled digest of the current object
+          def labeled_self_digest
+            return "#{label}:#{Digest::SHA256.hexdigest(digestable_instance_variables)}" if respond_to?(:label)
+
+            "none:#{Digest::SHA256.hexdigest(digestable_instance_variables)}"
+          end
+
+          # Returns a string of all instance variable values that are not nil, empty, or excluded
+          def digestable_instance_variables
+            instance_vars = instance_variables.reject { |iv| @exclude_from_digest.include?(iv) }.sort_by!(&:to_s)
+            return 'empty' if instance_vars.empty?
+
+            var_vals = instance_vars.map { |iv| instance_variable_get(iv) }
+            var_vals.reject! { |v| v.nil? || v.empty? }
+            return 'empty' if var_vals.empty?
+
+            var_vals.join
+          end
+
+          # Compares two objects by their SHA256 digests
+          # and returns the degree to which they are similar
+          # as a percentage.
+          def digest_similarity(other, only_labels: [], label_weights: {})
+            digest_parts = sorted_digest_parts(digest)
+            number_compared = 0
+            cumulative_similarity = 0.0
+            digest_parts.each do |digest_part|
+              label, self_digest = split_labeled_digest(digest_part)
+              next unless only_labels.empty? || only_labels.include?(label)
+
+              label_weight = label_weights.key?(label) ? label_weights[label] : 1.0
+              sorted_digest_parts(other.digest).each do |other_digest_part|
+                other_label, other_digest = split_labeled_digest(other_digest_part)
+                next unless (label == other_label) && (self_digest == other_digest)
+
+                number_compared += 1
+                cumulative_similarity += 1.0 * label_weight
+                break # break when found
+              end
+            end
+            cumulative_similarity / (number_compared.zero? ? 1.0 : number_compared)
+          end
+
+          def sorted_digest_parts(dgst)
+            @sorted_digest_parts_cache = {} unless defined?(@sorted_digest_parts_cache)
+            return @sorted_digest_parts_cache[dgst] if @sorted_digest_parts_cache.key?(dgst)
+
+            @sorted_digest_parts_cache ||= {}
+            @sorted_digest_parts_cache[dgst] = dgst.split('|').sort_by { |part| split_labeled_digest(part).first }
+            @sorted_digest_parts_cache[dgst]
+          end
+
+          # If one of the digest parts is nil and the other is not, we can't compare
+          def non_compatible?(digest_part, other_digest_part)
+            (digest_part.nil? || other_digest_part.nil?) && digest_part != other_digest_part
+          end
+
+          # Splits a digest into a label and digest
+          def split_labeled_digest(digest_part)
+            @labeled_digest_part_cache = {} unless defined?(@labeled_digest_part_cache)
+            return @labeled_digest_part_cache[digest_part] if @labeled_digest_part_cache.key?(digest_part)
+
+            @labeled_digest_part_cache[digest_part] = digest_part.split(':')
+            @labeled_digest_part_cache[digest_part]
+          end
+        end
+      end
+    end
+  end
+end

data/lib/abide_dev_utils/xccdf/parser/objects/numbered_object.rb

@@ -0,0 +1,104 @@
+# frozen_string_literal: true
+
+module AbideDevUtils
+  module XCCDF
+    module Parser
+      module Objects
+        # Methods for interacting with objects that have numbers (e.g. Group, Rule, etc.)
+        # This module is included in the Benchmark class and Group / Rule classes
+        module NumberedObject
+          include ::Comparable
+
+          def <=>(other)
+            return 0 if number_eq(number, other.number)
+            return 1 if number_gt(number, other.number)
+            return -1 if number_lt(number, other.number)
+          end
+
+          def number_eq(this_num, other_num)
+            this_num == other_num
+          end
+
+          def number_parent_of?(this_num, other_num)
+            return false if number_eq(this_num, other_num)
+
+            # We split the numbers into parts and compare the resulting arrays
+            num1_parts = this_num.to_s.split('.')
+            num2_parts = other_num.to_s.split('.')
+            # For this_num to be a parent of other_num, the number of parts in
+            # this_num must be less than the number of parts in other_num.
+            # Additionally, each part of this_num must be equal to the parts of
+            # other_num at the same index.
+            # Example: this_num = '1.2.3' and other_num = '1.2.3.4'
+            # In this case, num1_parts = ['1', '2', '3'] and num2_parts = ['1', '2', '3', '4']
+            # So, this_num is a parent of other_num because at indexes 0, 1, and 2
+            # of num1_parts and num2_parts, the parts are equal.
+            num1_parts.length < num2_parts.length &&
+              num2_parts[0..(num1_parts.length - 1)] == num1_parts
+          end
+
+          def number_child_of?(this_num, other_num)
+            number_parent_of?(other_num, this_num)
+          end
+
+          def number_gt(this_num, other_num)
+            return false if number_eq(this_num, other_num)
+            return true if number_parent_of?(this_num, other_num)
+
+            num1_parts = this_num.to_s.split('.')
+            num2_parts = other_num.to_s.split('.')
+            num1_parts.zip(num2_parts).each do |num1_part, num2_part|
+              next if num1_part == num2_part # we skip past equal parts
+
+              # If num1_part is nil that means that we've had equal numbers so far.
+              # Therfore, this_num is greater than other num because of the
+              # hierarchical nature of the numbers.
+              # Example: this_num = '1.2' and other_num = '1.2.3'
+              # In this case, num1_part is nil and num2_part is '3'
+              # So, this_num is greater than other_num
+              return true if num1_part.nil?
+              # If num2_part is nil that means that we've had equal numbers so far.
+              # Therfore, this_num is less than other num because of the
+              # hierarchical nature of the numbers.
+              # Example: this_num = '1.2.3' and other_num = '1.2'
+              # In this case, num1_part is '3' and num2_part is nil
+              # So, this_num is less than other_num
+              return false if num2_part.nil?
+
+              return num1_part.to_i > num2_part.to_i
+            end
+          end
+
+          def number_lt(this_num, other_num)
+            number_gt(other_num, this_num)
+          end
+
+          # This method will recursively walk the tree to find the first
+          # child, grandchild, etc. that has a number method and returns the
+          # matching number.
+          # @param [String] number The number to find in the tree
+          # @return [Group] The first child, grandchild, etc. that has a matching number
+          # @return [Rule] The first child, grandchild, etc. that has a matching number
+          # @return [nil] If no child, grandchild, etc. has a matching number
+          def search_children_by_number(number)
+            find_children_that_respond_to(:number).find do |child|
+              if number_eq(child.number, number)
+                child
+              elsif number_parent_of?(child.number, number)
+                # We recursively search the child for its child with the number
+                # if our number is a parent of the child's number
+                return child.search_children_by_number(number)
+              end
+            end
+          end
+
+          def find_child_by_number(number)
+            find_children_that_respond_to(:number).find do |child|
+              number_eq(child.number, number)
+            end
+          end
+        end
+      end
+    end
+  end
+end