compliance_engine 0.1.6 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9cf000d354045bd026560c6973a78b8939d7e1afbcabcfceea28514c9cad4cb2
-  data.tar.gz: 4d2bc0af35450a9304c54894935898438a220f4a9dd2ec3cf27fd4464fdc85f1
+  metadata.gz: 6243625cabdaf239f089f05704cf4a7584d4d7631f6f81ff0cab3bbf8cb4cf49
+  data.tar.gz: 81d9b5d6a80799384f052e0dab725fcdbb34804691b591cf8101ff08411ae6c7
 SHA512:
-  metadata.gz: 46feb241ff9d68a5664992212a4b5b30852359e94a9b97b4d9adc26189fa18a8112e3c2ee3ff7b8eeacd717b315a1d38535e7f2a44266c88cc029559529d5d5e
-  data.tar.gz: 894d7860b229bf92db40bf7ca4583d1119da1b047b04899e99c2a3054e3c195770fddd0eb524312577acd678da3b7b5c4ffe3288c5a342efe83ac3bf536b5bb6
+  metadata.gz: b29bfb3cbb236ca9b384b5ee08db766a438dbc64aece96f1427a86fdb9389306b606fc12fe3f5bcbfa174ebfe810d88b1dd27fb55f77e084521dabb0db6083c1
+  data.tar.gz: 8d95140ec88142904d3614239bf2b1100876650a320fd4db38028493fe9a974d12342083e5f5b2f73fb48f79b5622fd13f6fb0b96940452621e4c82e769014f1

data/CHANGELOG.md

@@ -1,3 +1,6 @@
+### 0.2.0 / 2026-01-15
+* Add Hiera backend (#33)
+
 ### 0.1.6 / 2026-01-08
 * Add Ruby 4.0 support (#77)
 

data/README.md

@@ -42,6 +42,34 @@ Options:
 
 See the [`ComplianceEngine::Data`](https://rubydoc.info/gems/compliance_engine/ComplianceEngine/Data) class for details.
 
+## Using as a Puppet Module
+
+The Compliance Engine can be used as a Puppet module to provide a Hiera backend for compliance data. This allows you to enforce compliance profiles through Hiera lookups within your Puppet manifests.
+
+### Hiera Backend
+
+To use the Compliance Engine Hiera backend, configure it in your `hiera.yaml`:
+
+```yaml
+---
+version: 5
+hierarchy:
+  - name: "Compliance Engine"
+    lookup_key: compliance_engine::enforcement
+```
+
+Specify the profile used by setting the `compliance_engine::enforcement` key in your Hiera data.
+
+```yaml
+---
+compliance_engine::enforcement:
+  - your_profile
+```
+
+The `compliance_engine::enforcement` function serves as the Hiera entry point and allows you to look up compliance data based on configured profiles.
+
+For detailed information about available functions, parameters, and configuration options, see [REFERENCE.md](REFERENCE.md).
+
 ## Contributing
 
 Bug reports and pull requests are welcome on GitHub at https://github.com/simp/rubygem-simp-compliance_engine.

data/REFERENCE.md

@@ -0,0 +1,42 @@
+# Reference
+
+<!-- DO NOT EDIT: This document was generated by Puppet Strings -->
+
+## Table of Contents
+
+### Functions
+
+* [`compliance_engine::enforcement`](#compliance_engine--enforcement): Hiera entry point for Compliance Engine
+
+## Functions
+
+### <a name="compliance_engine--enforcement"></a>`compliance_engine::enforcement`
+
+Type: Ruby 4.x API
+
+Hiera entry point for Compliance Engine
+
+#### `compliance_engine::enforcement(String[1] $key, Hash[String[1], Any] $options, Puppet::LookupContext $context)`
+
+The compliance_engine::enforcement function.
+
+Returns: `String` The value of the key in the Hiera data
+
+##### `key`
+
+Data type: `String[1]`
+
+String The key to lookup in the Hiera data
+
+##### `options`
+
+Data type: `Hash[String[1], Any]`
+
+
+
+##### `context`
+
+Data type: `Puppet::LookupContext`
+
+
+

data/compliance_engine.gemspec

@@ -19,14 +19,14 @@ Gem::Specification.new do |spec|
   spec.metadata['bug_tracker_uri'] = 'https://github.com/simp/rubygem-simp-compliance_engine/issues'
 
   # Specify which files should be added to the gem when it is released.
-  spec.files = Dir.glob(['*.gemspec', '*.md', 'LICENSE', 'exe/*', 'lib/**/*.rb'])
+  spec.files = Dir.glob(['*.gemspec', '*.md', 'LICENSE', 'exe/*', 'lib/**/*.rb']).reject { |f| f.start_with?('lib/puppet/') }
   spec.bindir = 'exe'
   spec.executables = spec.files.grep(%r{\Aexe/}) { |f| File.basename(f) }
   spec.require_paths = ['lib']
 
   spec.add_dependency 'deep_merge', '~> 1.2'
   spec.add_dependency 'irb', '~> 1.14'
-  spec.add_dependency 'logger', '>= 1.4', '< 2.0'
+  spec.add_dependency 'logger', '~> 1.4'
   spec.add_dependency 'observer', '~> 0.1'
   spec.add_dependency 'rubyzip', '>= 2.3', '< 4'
   spec.add_dependency 'semantic_puppet', '~> 1.1'

data/lib/compliance_engine/component.rb

@@ -134,7 +134,7 @@ class ComplianceEngine::Component
 
       fact == confine
     elsif confine.is_a?(Array)
-      if depth == 0
+      if depth.zero?
         confine.any? { |value| fact_match?(fact, value, depth + 1) }
       else
         fact == confine
@@ -155,12 +155,13 @@ class ComplianceEngine::Component
       if k == 'module_name'
         unless environment_data.nil?
           return true unless environment_data.key?(v)
+
           module_version = fragment['confine']['module_version']
           unless module_version.nil?
             require 'semantic_puppet'
             begin
               return true unless SemanticPuppet::VersionRange.parse(module_version).include?(SemanticPuppet::Version.parse(environment_data[v]))
-            rescue => e
+            rescue StandardError => e
               ComplianceEngine.log.error "Failed to compare #{v} #{environment_data[v]} with version confinement #{module_version}: #{e.message}"
               return true
             end
@@ -172,12 +173,8 @@ class ComplianceEngine::Component
         # Confinement based on Puppet facts
         unless facts.nil?
           fact = facts.dig(*k.split('.'))
-          if fact.nil?
-            return true
-          end
-          unless fact_match?(fact, v)
-            return true
-          end
+          return true if fact.nil?
+          return true unless fact_match?(fact, v)
         end
       end
     end
@@ -185,6 +182,34 @@ class ComplianceEngine::Component
     false
   end
 
+  # Check if a fragment is has remediation risk too high or if remediation is disabled
+  #
+  # @param fragment [Hash] The fragment to check
+  # @return [TrueClass, FalseClass] true if the fragment should be dropped
+  def risk_too_high?(fragment)
+    return false unless is_a?(ComplianceEngine::Check)
+    return false unless fragment.key?('remediation')
+    return false unless enforcement_tolerance.is_a?(Integer) && enforcement_tolerance.positive?
+
+    if fragment['remediation'].key?('disabled')
+      message = "Remediation disabled for #{fragment}"
+      reason = fragment['remediation']['disabled']&.map { |value| value['reason'] }&.reject(&:nil?)&.join("\n")
+      message += "\n#{reason}" unless reason.nil?
+      ComplianceEngine.log.info message
+      return true
+    end
+
+    if fragment['remediation'].key?('risk')
+      risk_level = fragment['remediation']['risk']&.map { |value| value['level'] }&.select { |value| value.is_a?(Integer) }&.max
+      if risk_level.is_a?(Integer) && risk_level >= enforcement_tolerance
+        ComplianceEngine.log.info "Remediation risk #{risk_level} exceeds enforcement enforcement_tolerance #{enforcement_tolerance} for #{fragment}"
+        return true
+      end
+    end
+
+    false
+  end
+
   # Returns the fragments of the component after confinement
   #
   # @return [Hash] the fragments of the component
@@ -208,25 +233,7 @@ class ComplianceEngine::Component
       end
 
       next if confine_away?(fragment)
-
-      # Confinement based on remediation risk
-      if enforcement_tolerance.is_a?(Integer) && is_a?(ComplianceEngine::Check) && fragment.key?('remediation')
-        if fragment['remediation'].key?('disabled')
-          message = "Remediation disabled for #{fragment}"
-          reason = fragment['remediation']['disabled']&.map { |value| value['reason'] }&.reject { |value| value.nil? }&.join("\n")
-          message += "\n#{reason}" unless reason.nil?
-          ComplianceEngine.log.info message
-          next
-        end
-
-        if fragment['remediation'].key?('risk')
-          risk_level = fragment['remediation']['risk']&.map { |value| value['level'] }&.select { |value| value.is_a?(Integer) }&.max
-          if risk_level.is_a?(Integer) && risk_level >= enforcement_tolerance
-            ComplianceEngine.log.info "Remediation risk #{risk_level} exceeds enforcement tolerance #{enforcement_tolerance} for #{fragment}"
-            next
-          end
-        end
-      end
+      next if risk_too_high?(fragment)
 
       @fragments[filename] = fragment
     end

data/lib/compliance_engine/data.rb

@@ -28,7 +28,7 @@ class ComplianceEngine::Data
   # @param facts [Hash] The facts to use while evaluating the data
   # @param enforcement_tolerance [Integer] The tolerance to use while evaluating the data
   def initialize(*paths, facts: nil, enforcement_tolerance: nil)
-    @data ||= {}
+    @data = {}
     @facts = facts
     @enforcement_tolerance = enforcement_tolerance
     open(*paths) unless paths.nil? || paths.empty?
@@ -201,7 +201,7 @@ class ComplianceEngine::Data
     end
 
     reset_collection
-  rescue => e
+  rescue StandardError => e
     ComplianceEngine.log.error e.message
   end
 
@@ -210,6 +210,7 @@ class ComplianceEngine::Data
   # @return [Array<String>]
   def files
     return @files unless @files.nil?
+
     @files = data.select { |_, file| file.key?(:content) }.keys
   end
 
@@ -219,7 +220,7 @@ class ComplianceEngine::Data
   # @return [Hash]
   def get(file)
     data[file][:content]
-  rescue
+  rescue StandardError
     nil
   end
 
@@ -263,6 +264,7 @@ class ComplianceEngine::Data
       collection.each_value do |v|
         v.to_a.each do |component|
           next unless component.key?('confine')
+
           @confines = DeepMerge.deep_merge!(component['confine'], @confines)
         end
       end
@@ -404,9 +406,7 @@ class ComplianceEngine::Data
   # @return [TrueClass, FalseClass]
   def correlate(a, b)
     return false if a.nil? || b.nil?
-    unless a.is_a?(Array) && b.is_a?(Hash)
-      raise ComplianceEngine::Error, "Expected array and hash, got #{a.class} and #{b.class}"
-    end
+    raise ComplianceEngine::Error, "Expected array and hash, got #{a.class} and #{b.class}" unless a.is_a?(Array) && b.is_a?(Hash)
     return false if a.empty? || b.empty?
 
     a.any? { |item| b[item] }

data/lib/compliance_engine/data_loader.rb

@@ -25,6 +25,7 @@ class ComplianceEngine::DataLoader
   # @raise [ComplianceEngine::Error] If the value is not a Hash
   def data=(value)
     raise ComplianceEngine::Error, 'Data must be a hash' unless value.is_a?(Hash)
+
     @data = value
     changed
     notify_observers(self)

data/lib/compliance_engine/environment_loader.rb

@@ -13,6 +13,7 @@ class ComplianceEngine::EnvironmentLoader
   # @param zipfile_path [String, nil] the path to the zip file if loading from a zip archive
   def initialize(*paths, fileclass: File, dirclass: Dir, zipfile_path: nil)
     raise ArgumentError, 'No paths specified' if paths.empty?
+
     @modulepath ||= paths
     @zipfile_path = zipfile_path
     modules = paths.map do |path|
@@ -21,7 +22,7 @@ class ComplianceEngine::EnvironmentLoader
               .select { |child| fileclass.directory?(File.join(path, child)) }
               .map { |child| File.join(path, child) }
               .sort
-    rescue
+    rescue StandardError
       []
     end
     modules.flatten!

data/lib/compliance_engine/module_loader.rb

@@ -27,7 +27,7 @@ class ComplianceEngine::ModuleLoader
         metadata = ComplianceEngine::DataLoader::Json.new(metadata_json, fileclass: fileclass)
         @name = metadata.data['name']
         @version = metadata.data['version']
-      rescue => e
+      rescue StandardError => e
         ComplianceEngine.log.warn "Could not parse #{metadata_json}: #{e.message}"
       end
     end
@@ -53,7 +53,7 @@ class ComplianceEngine::ModuleLoader
                    ComplianceEngine::DataLoader::Yaml.new(file.to_s, fileclass: fileclass, key: key)
                  end
         @files << loader
-      rescue => e
+      rescue StandardError => e
         ComplianceEngine.log.warn "Could not load #{file}: #{e.message}"
       end
     end

data/lib/compliance_engine/version.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 module ComplianceEngine
-  VERSION = '0.1.6'
+  VERSION = '0.2.0'
 
   # Handle supported compliance data versions
   class Version
@@ -11,6 +11,7 @@ module ComplianceEngine
     def initialize(version)
       raise 'Missing version' if version.nil?
       raise "Unsupported version '#{version}'" unless version == '2.0.0'
+
       @version = version
     end
 

data/lib/compliance_engine.rb

@@ -30,7 +30,7 @@ module ComplianceEngine
   def self.log
     return @log unless @log.nil?
 
-    @log = Logger.new(STDERR)
+    @log = Logger.new($stderr)
     @log.level = Logger::WARN
     @log
   end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: compliance_engine
 version: !ruby/object:Gem::Version
-  version: 0.1.6
+  version: 0.2.0
 platform: ruby
 authors:
 - Steven Pritchard
@@ -41,22 +41,16 @@ dependencies:
   name: logger
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '1.4'
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '1.4'
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: observer
   requirement: !ruby/object:Gem::Requirement
@@ -129,6 +123,7 @@ files:
 - CHANGELOG.md
 - LICENSE
 - README.md
+- REFERENCE.md
 - compliance_engine.gemspec
 - exe/compliance_engine
 - lib/compliance_engine.rb
@@ -158,7 +153,7 @@ licenses:
 metadata:
   homepage_uri: https://simp-project.com/docs/sce/
   source_code_uri: https://github.com/simp/rubygem-simp-compliance_engine
-  changelog_uri: https://github.com/simp/rubygem-simp-compliance_engine/releases/tag/0.1.6
+  changelog_uri: https://github.com/simp/rubygem-simp-compliance_engine/releases/tag/0.2.0
   bug_tracker_uri: https://github.com/simp/rubygem-simp-compliance_engine/issues
 rdoc_options: []
 require_paths: