cem_acpt 0.11.2 → 0.12.0

data/lib/cem_acpt/test_runner.rb

@@ -7,7 +7,8 @@ require_relative 'bolt'
 require_relative 'goss'
 require_relative 'logging'
 require_relative 'platform'
-require_relative 'provision'
+require_relative 'provision/terraform'
+require_relative 'scan'
 require_relative 'test_data'
 require_relative 'utils'
 require_relative 'version'
@@ -53,6 +54,7 @@ module CemAcpt
         @old_dir = Dir.pwd
         Dir.chdir(module_dir)
         configure_actions
+        validate_scan_mode_constraints!
         logger.start_ci_group("CemAcpt v#{CemAcpt::VERSION} run started at #{@start_time}")
         logger.info('CemAcpt::TestRunner') { "Using module directory: #{module_dir}..." }
         pre_provision_test_nodes
@@ -116,9 +118,24 @@ module CemAcpt
 
       attr_reader :config
 
-      # Configures the actions to run based on the config
+      # Configures the actions to run based on the config. Acceptance-mode
+      # configs register the existing :goss + :bolt groups; scan-mode configs
+      # register a single :scan group instead. The dispatch keys off
+      # `config.scan_mode?`, which is overridden to true on
+      # {Config::CemAcptScan} and false everywhere else.
       def configure_actions
         logger.info('CemAcpt::TestRunner') { 'Configuring and registering actions...' }
+        if config.respond_to?(:scan_mode?) && config.scan_mode?
+          configure_scan_actions
+        else
+          configure_acceptance_actions
+        end
+        logger.info('CemAcpt::TestRunner') do
+          "Configured and registered actions, will run actions: #{CemAcpt::Actions.config.action_names.join(', ')}"
+        end
+      end
+
+      def configure_acceptance_actions
         CemAcpt::Actions.configure(config) do |c|
           c.register_group(:goss, order: 0, async: true)
           CemAcpt::Goss::Api::ACTIONS.each_key do |a|
@@ -137,8 +154,15 @@ module CemAcpt
             run_bolt_tests(context)
           end
         end
-        logger.info('CemAcpt::TestRunner') do
-          "Configured and registered actions, will run actions: #{CemAcpt::Actions.config.action_names.join(', ')}"
+      end
+
+      def configure_scan_actions
+        CemAcpt::Actions.configure(config) do |c|
+          c.register_group(:scan, order: 0).register_action(:scan) do |context|
+            context[:results] = @results
+            run_scan_action
+            context[:results]
+          end
         end
       end
 
@@ -224,7 +248,7 @@ module CemAcpt
 
       def provision_test_nodes
         logger.info('CemAcpt::TestRunner') { 'Provisioning test nodes...' }
-        @provisioner = CemAcpt::Provision.new_provisioner(config, @run_data)
+        @provisioner = CemAcpt::Provision::Terraform.new(config, @run_data)
         @provisioner.provision
       end
 
@@ -281,6 +305,80 @@ module CemAcpt
         @results << @bolt_test_runner.results
       end
 
+      # Per-host scan loop. For each provisioned instance, look up the test
+      # case it represents in the run's test_data, build a DaemonClient
+      # against the node, wait for the scan daemon to come up, hit /scan,
+      # and append the resulting {CemAcpt::Scan::Result} to @results. The
+      # JSON view of each result goes to stdout and to disk if
+      # `cem_acpt_scan.scan_output` is set.
+      def run_scan_action
+        logger.info('CemAcpt::TestRunner') { 'Running scan action...' }
+        port = config.get('cem_acpt_scan.daemon.port') || CemAcpt::Scan::DaemonClient::DEFAULT_PORT
+        ready_timeout = config.get('cem_acpt_scan.daemon.ready_timeout') || CemAcpt::Scan::DaemonClient::DEFAULT_READY_TIMEOUT
+        global_threshold = (config.get('cem_acpt_scan.threshold') || 80.0).to_f
+        per_case_thresholds = config.get('cem_acpt_scan.test_thresholds') || {}
+        scan_output = config.get('cem_acpt_scan.scan_output')
+
+        scan_results = []
+        @instance_names_ips.each do |_instance_name, host_data|
+          host = host_data['ip']
+          test_name = host_data['test_name']
+          scan_meta = scan_meta_for(test_name)
+          threshold = per_case_thresholds[test_name] || per_case_thresholds[test_name.to_sym] || global_threshold
+
+          client = CemAcpt::Scan::DaemonClient.new(host: host, port: port, ready_timeout: ready_timeout)
+          client.wait_until_ready
+          result = client.scan(
+            test_case: test_name,
+            scanner: scan_meta[:scanner],
+            profile: scan_meta[:profile],
+            threshold: threshold.to_f,
+          )
+          scan_results << result
+          @results << result
+        end
+
+        write_scan_output!(scan_output, scan_results) if scan_output
+      end
+
+      # Writes scan results to disk per the `--scan-output FILE` contract:
+      # single-case runs write `FILE`, multi-case runs fan out to
+      # `FILE.<test_case>.json` so reports don't collide.
+      def write_scan_output!(path, scan_results)
+        if scan_results.size <= 1
+          File.write(path, JSON.pretty_generate(scan_results.first&.to_h || {}))
+        else
+          scan_results.each do |r|
+            File.write("#{path}.#{r.test_case}.json", JSON.pretty_generate(r.to_h))
+          end
+        end
+      end
+
+      # Fail early in scan mode if any requested test is a Windows test or
+      # if a required CIS-CAT Pro source is missing. Catches misconfiguration
+      # before we spend time provisioning a node we cannot use.
+      def validate_scan_mode_constraints!
+        return unless config.respond_to?(:scan_mode?) && config.scan_mode?
+
+        tests = config.get('tests') || []
+        windows_tests = tests.select { |t| CemAcpt::Provision::OsData.os_family_for(t) == :windows }
+        unless windows_tests.empty?
+          raise "Windows scanning is not supported by cem_acpt_scan in this version (got: #{windows_tests.join(', ')})"
+        end
+      end
+
+      def scan_meta_for(test_name)
+        td = (@run_data[:test_data] || []).find { |t| (t[:test_name] || t['test_name']) == test_name }
+        scan_block = td && (td[:scan] || td['scan'])
+        raise "No scan metadata found for test '#{test_name}'" unless scan_block
+
+        {
+          scanner: (scan_block[:scanner] || scan_block['scanner']).to_sym,
+          profile: scan_block[:profile] || scan_block['profile'],
+          level: scan_block[:level] || scan_block['level'],
+        }
+      end
+
       def filtered_bolt_hosts
         tests_only = config.get('bolt.tests.only')
         tests_only_unset = tests_only.nil? || tests_only.empty?

data/lib/cem_acpt/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module CemAcpt
-  VERSION = '0.11.2'
+  VERSION = '0.12.0'
 end

data/lib/cem_acpt.rb

@@ -4,6 +4,7 @@ module CemAcpt
   require_relative 'cem_acpt/config'
   require_relative 'cem_acpt/logging'
   require_relative 'cem_acpt/image_builder'
+  require_relative 'cem_acpt/scan'
   require_relative 'cem_acpt/test_runner'
   require_relative 'cem_acpt/version'
 
@@ -34,6 +35,8 @@ module CemAcpt
         trace_it(options[:trace], options[:trace_events]) { run_cem_acpt(options) }
       when :cem_acpt_image
         trace_it(options[:trace], options[:trace_events]) { run_cem_acpt_image(options) }
+      when :cem_acpt_scan
+        trace_it(options[:trace], options[:trace_events]) { run_cem_acpt_scan(options) }
       else
         raise "Command #{command} does not exist"
       end
@@ -47,6 +50,8 @@ module CemAcpt
         CemAcpt::Config::CemAcpt.new(opts: options, config_file: options[:config_file])
       when :cem_acpt_image
         CemAcpt::Config::CemAcptImage.new(opts: options, config_file: options[:config_file])
+      when :cem_acpt_scan
+        CemAcpt::Config::CemAcptScan.new(opts: options, config_file: options[:config_file])
       else
         raise "Config does not exist for command: #{command}"
       end
@@ -157,5 +162,18 @@ module CemAcpt
       logger.debug('CemAcptImage') { 'Building images...' }
       CemAcpt::ImageBuilder.build_images(@config)
     end
+
+    def run_cem_acpt_scan(options)
+      @config = new_config(options, command: :cem_acpt_scan)
+      initialize_logger!
+      logger.debug('CemAcptScan') { 'Config set and logger initialized...' }
+      runner = new_runner
+      logger.debug('CemAcptScan') { 'Runner initialized in scan mode...' }
+
+      logger.debug('CemAcptScan') { 'Running scan suite...' }
+      runner.run
+      logger.debug('CemAcptScan') { "Scan suite run complete, exiting with code #{runner.exit_code}" }
+      exit runner.exit_code
+    end
   end
 end

data/lib/terraform/gcp/linux/main.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = "7.24.0"
+      version = "7.31.0"
     }
   }
 }
@@ -56,6 +56,21 @@ variable "node_data" {
     provision_dir_source = string
     provision_dir_dest   = string
     provision_commands   = list(string)
+    # Scan-mode fields. Empty strings in acceptance mode; populated by
+    # cem_acpt_scan to upload the CIS-CAT Pro bundle, the CIS-CAT Pro
+    # license, and the scan daemon config. The scan_config_upload and
+    # cis_cat_pro_upload null_resources below filter on these.
+    # cis_cat_pro_format and cis_cat_pro_license_format are each "tar.gz"
+    # or "zip" depending on what the vendor ships; the cis_cat_pro_upload
+    # null_resource dispatches to the matching extractor for each. Ruby
+    # always populates the *_format fields alongside their *_bundle /
+    # *_license paths via archive_format, so the empty default on
+    # cis_cat_pro_license_format is purely defensive.
+    cis_cat_pro_bundle         = optional(string, "")
+    cis_cat_pro_format         = optional(string, "tar.gz")
+    cis_cat_pro_license        = optional(string, "")
+    cis_cat_pro_license_format = optional(string, "")
+    scan_config_json           = optional(string, "")
   }))
 }
 
@@ -202,6 +217,119 @@ resource "google_compute_instance" "acpt-test-node" {
   tags = ["cem-acpt-test-node"]
 }
 
+# Scan-mode config upload. for_each filters to nodes whose node_data
+# carries a non-empty scan_config_json, so this resource is a no-op for
+# cem_acpt acceptance runs and for any scan-mode node that does not need
+# scan_config.json materialized.
+resource "null_resource" "scan_config_upload" {
+  for_each = {
+    for k, v in var.node_data : k => v if v.scan_config_json != ""
+  }
+
+  triggers = {
+    instance_id = google_compute_instance.acpt-test-node[each.key].id
+  }
+
+  connection {
+    type        = "ssh"
+    user        = var.username
+    timeout     = "5m"
+    host        = google_compute_instance.acpt-test-node[each.key].network_interface.0.access_config.0.nat_ip
+    port        = 22
+    private_key = file(var.private_key)
+    agent       = false
+    script_path = "/var/tmp/terraform_%RAND%.sh"
+  }
+
+  provisioner "remote-exec" {
+    inline = [
+      "sudo mkdir -p ${each.value.provision_dir_dest}/scan",
+      "sudo chown -R ${var.username}:${var.username} ${each.value.provision_dir_dest}/scan",
+    ]
+  }
+
+  provisioner "file" {
+    content     = each.value.scan_config_json
+    destination = "${each.value.provision_dir_dest}/scan/scan_config.json"
+  }
+}
+
+# CIS-CAT Pro bundle upload. Filtered separately so OpenSCAP-only scan
+# runs do not require a CIS-CAT Pro bundle to be present.
+resource "null_resource" "cis_cat_pro_upload" {
+  for_each = {
+    for k, v in var.node_data : k => v if v.cis_cat_pro_bundle != ""
+  }
+
+  triggers = {
+    instance_id = google_compute_instance.acpt-test-node[each.key].id
+  }
+
+  connection {
+    type        = "ssh"
+    user        = var.username
+    timeout     = "10m"
+    host        = google_compute_instance.acpt-test-node[each.key].network_interface.0.access_config.0.nat_ip
+    port        = 22
+    private_key = file(var.private_key)
+    agent       = false
+    script_path = "/var/tmp/terraform_%RAND%.sh"
+  }
+
+  provisioner "file" {
+    source      = each.value.cis_cat_pro_bundle
+    destination = "${each.value.provision_dir_dest}/cis-cat-pro.${each.value.cis_cat_pro_format}"
+  }
+
+  # Extract immediately so /opt/cis-cat-pro/Assessor-CLI.sh exists by the time
+  # the host-side scan daemon hits /scan. Provisioners within a single
+  # resource run sequentially, so the file is guaranteed to be on disk before
+  # the extraction commands run. The vendor packages a single top-level
+  # Assessor-CLI-<version>/ directory in either format; tar's
+  # --strip-components=1 strips it directly, while the zip path stages into a
+  # temp dir and moves the inner directory's contents (including dotfiles via
+  # `shopt -s dotglob`) up into /opt/cis-cat-pro/.
+  provisioner "remote-exec" {
+    inline = each.value.cis_cat_pro_format == "zip" ? [
+      "sudo dnf install -y unzip || sudo apt-get install -y unzip",
+      "sudo mkdir -p /opt/cis-cat-pro",
+      "sudo rm -rf /tmp/cis-cat-pro-extract",
+      "sudo unzip -q -o ${each.value.provision_dir_dest}/cis-cat-pro.zip -d /tmp/cis-cat-pro-extract",
+      "sudo bash -c 'shopt -s dotglob && mv /tmp/cis-cat-pro-extract/*/* /opt/cis-cat-pro/'",
+      "sudo rm -rf /tmp/cis-cat-pro-extract",
+      "sudo chmod +x /opt/cis-cat-pro/Assessor-CLI.sh",
+    ] : [
+      "sudo mkdir -p /opt/cis-cat-pro",
+      "sudo tar -xzf ${each.value.provision_dir_dest}/cis-cat-pro.tar.gz -C /opt/cis-cat-pro --strip-components=1",
+      "sudo chmod +x /opt/cis-cat-pro/Assessor-CLI.sh",
+    ]
+  }
+
+  # License upload + extract. Provisioners 1 and 2 (above) place the
+  # assessor at /opt/cis-cat-pro/Assessor-CLI.sh; provisioners 3 and 4
+  # (below) place the license bundle's contents at /opt/cis-cat-pro/license/.
+  # The vendor's license archive contents are dropped in as-packaged: tar
+  # uses no --strip-components and zip extracts straight into the license
+  # dir, so any subdirectories the vendor ships are preserved. Permissions
+  # are left at the archive defaults until a real end-to-end scan tells us
+  # what the assessor actually wants.
+  provisioner "file" {
+    source      = each.value.cis_cat_pro_license
+    destination = "${each.value.provision_dir_dest}/cis-cat-pro-license.${each.value.cis_cat_pro_license_format}"
+  }
+
+  provisioner "remote-exec" {
+    inline = each.value.cis_cat_pro_license_format == "zip" ? [
+      "sudo dnf install -y unzip || sudo apt-get install -y unzip",
+      "sudo mkdir -p /opt/cis-cat-pro/license",
+      "sudo unzip -q -o ${each.value.provision_dir_dest}/cis-cat-pro-license.zip -d /opt/cis-cat-pro/license",
+    ] : [
+      "sudo mkdir -p /opt/cis-cat-pro/license",
+      "sudo tar -xzf ${each.value.provision_dir_dest}/cis-cat-pro-license.tar.gz -C /opt/cis-cat-pro/license",
+    ]
+  }
+}
+
 output "instance_name_ip" {
   value = {
     for k, v in google_compute_instance.acpt-test-node : v.name => {

data/lib/terraform/gcp/linux/scan/scan_service.rb

@@ -0,0 +1,148 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+# On-node scan daemon installed by cem_acpt_scan. Runs as a systemd unit
+# and exposes /health and /scan endpoints over HTTP. The host-side
+# CemAcpt::Scan::DaemonClient hits these endpoints to drive the scan and
+# pull back results.
+#
+# scan_config.json is uploaded to /opt/cem_acpt/scan/scan_config.json by the
+# scan_config_upload null_resource in main.tf and carries the resolved
+# scanner choice, profile id, and level for the test case running on this
+# node. The daemon reads it on each /scan call so reruns pick up rewritten
+# config without restart.
+
+require 'fileutils'
+require 'json'
+require 'open3'
+require 'rexml/document'
+require 'webrick'
+
+CONFIG_PATH = '/opt/cem_acpt/scan/scan_config.json'
+REPORT_DIR  = '/opt/cem_acpt/scan/reports'
+FileUtils.mkdir_p(REPORT_DIR)
+
+def load_config
+  JSON.parse(File.read(CONFIG_PATH))
+rescue StandardError => e
+  { 'error' => "Cannot read #{CONFIG_PATH}: #{e.class}: #{e.message}" }
+end
+
+def run_openscap(profile, datastream)
+  xml_out = File.join(REPORT_DIR, 'openscap-results.xml')
+  html_out = File.join(REPORT_DIR, 'openscap-results.html')
+  cmd = [
+    'sudo', 'oscap', 'xccdf', 'eval',
+    '--profile', profile,
+    '--results', xml_out,
+    '--report', html_out,
+    datastream,
+  ]
+  _stdout, stderr, status = Open3.capture3(*cmd)
+  parsed = parse_openscap_xml(xml_out)
+  unless status.success? || File.exist?(xml_out)
+    oscap_msg = "oscap exited #{status.exitstatus}: #{stderr.strip}"
+    parsed['error'] = parsed['error'] ? "#{oscap_msg}; #{parsed['error']}" : oscap_msg
+  end
+  parsed
+end
+
+def parse_openscap_xml(path)
+  return { 'error' => "Result file missing: #{path}" } unless File.exist?(path)
+
+  doc = REXML::Document.new(File.read(path))
+  results = REXML::XPath.match(doc, '//rule-result').map do |r|
+    {
+      'id' => r.attributes['idref'],
+      'severity' => r.attributes['severity'],
+      'result' => REXML::XPath.first(r, 'result')&.text,
+    }
+  end
+  score_el = REXML::XPath.first(doc, '//score')
+  score = score_el ? score_el.text.to_f : 0.0
+  counts = results.group_by { |r| r['result'] }.transform_values(&:size)
+  {
+    'score' => score,
+    'passed_count' => counts['pass'] || 0,
+    'failed_count' => counts['fail'] || 0,
+    'not_applicable_count' => (counts['notapplicable'] || 0) + (counts['notselected'] || 0),
+    'error_count' => (counts['error'] || 0) + (counts['unknown'] || 0),
+    'rules' => results,
+  }
+end
+
+def run_ciscat(profile, benchmark)
+  json_out = File.join(REPORT_DIR, 'ciscat-results.json')
+  cmd = [
+    'sudo', '/opt/cis-cat-pro/Assessor-CLI.sh',
+    '-rd', REPORT_DIR,
+    '-rp', 'ciscat-results',
+    '-nts',
+    '-json',
+    '-p', profile,
+  ]
+  cmd += ['-b', "/opt/cis-cat-pro/benchmarks/#{benchmark}"] if benchmark
+  _stdout, stderr, status = Open3.capture3(*cmd)
+  parsed = parse_ciscat_json(json_out)
+  unless status.success? || File.exist?(json_out)
+    assessor_msg = "Assessor-CLI exited #{status.exitstatus}: #{stderr.strip}"
+    parsed['error'] = parsed['error'] ? "#{assessor_msg}; #{parsed['error']}" : assessor_msg
+  end
+  parsed
+end
+
+def parse_ciscat_json(path)
+  return { 'error' => "Result file missing: #{path}" } unless File.exist?(path)
+
+  raw = JSON.parse(File.read(path))
+  results = (raw['rules'] || []).map do |r|
+    {
+      'id' => r['rule-id'],
+      'result' => r['result'],
+    }
+  end
+  score = (raw['score'] || 0.0).to_f
+  counts = results.group_by { |r| (r['result'] || '').to_s.downcase }.transform_values(&:size)
+  {
+    'score' => score,
+    'passed_count' => counts['pass'] || 0,
+    'failed_count' => counts['fail'] || 0,
+    'not_applicable_count' => (counts['notchecked'] || 0) + (counts['notapplicable'] || 0),
+    'error_count' => (counts['error'] || 0) + (counts['informational'] || 0),
+    'rules' => results,
+  }
+end
+
+def perform_scan
+  cfg = load_config
+  return cfg if cfg['error']
+
+  case cfg['scanner']
+  when 'openscap'
+    run_openscap(cfg['profile'], cfg['datastream'] || '/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml')
+  when 'ciscat'
+    run_ciscat(cfg['profile'], cfg['benchmark'])
+  else
+    { 'error' => "Unknown scanner '#{cfg['scanner']}'" }
+  end
+end
+
+port = ENV.fetch('SCAN_DAEMON_PORT', '8084').to_i
+server = WEBrick::HTTPServer.new(Port: port, BindAddress: '0.0.0.0')
+
+server.mount_proc('/health') do |_req, res|
+  res.status = 200
+  res['Content-Type'] = 'application/json'
+  res.body = JSON.generate('status' => 'ok')
+end
+
+server.mount_proc('/scan') do |_req, res|
+  payload = perform_scan
+  res.status = payload['error'] ? 500 : 200
+  res['Content-Type'] = 'application/json'
+  res.body = JSON.generate(payload)
+end
+
+trap('INT')  { server.shutdown }
+trap('TERM') { server.shutdown }
+server.start

data/lib/terraform/gcp/linux/scan/scan_service.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=cem_acpt scan daemon
+After=network.target
+
+[Service]
+Type=simple
+Environment=SCAN_DAEMON_PORT=8084
+ExecStart=/opt/puppetlabs/puppet/bin/ruby /opt/cem_acpt/scan/scan_service.rb
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target

data/lib/terraform/gcp/windows/main.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = "7.24.0"
+      version = "7.31.0"
     }
   }
 }

data/lib/terraform/image/gcp/linux/main.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = "7.24.0"
+      version = "7.31.0"
     }
   }
 }