foreman-proxy_openscap 0.0.1 → 0.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b07def3843e258c2cdcc80990bdded54251a60a6
-  data.tar.gz: d393b368946c3ee1e301f475d4da7120685671ac
+  metadata.gz: a666dc3985dd08637d39416bec98b242a32cada9
+  data.tar.gz: df79ba41c09a04079fc09c615804d43317fb06ea
 SHA512:
-  metadata.gz: 5d454e571e6267a8842ed2e448eb406b78b9be692b0c80b0b7877b91562720051f43d000b0212884eab4183d8ed5a65f6fe7dead8830559b54f0d818b8a5f5df
-  data.tar.gz: dd83dd11dbd51761f2933cd764b292dc9b0ff60d76c26fba879e4982650e43adf444645ef54d335844c8e5c524e4dc4184a97dad8e169c2543cf01c3f656c1cf
+  metadata.gz: 8624fd542f7bbadb842b0b55eb32ba16243a98d414f43fc51c33956907bcef51ee68dff3738e1309cd24b4c4bbf91b2e5e02db937495d648e0beea2cf2bad704
+  data.tar.gz: 8f2ad83e0601b13cdf4cf11486f3eac55e7bbaced8816f53f7199a25ced7aa3748cb91050c0f1c35cb2cc3f2b30f4597676396471892f23863b959c70e0376d2

data/README.md

@@ -3,8 +3,11 @@
 A plug-in to the Foreman Proxy which receives bzip2ed ARF files
 and forwards them to the Foreman.
 
-Current version only receives and stores the ARF files. The
-reports will be forwarded to foreman_openscap in future versions.
+Incoming ARF files are authenticated using puppet certificate of
+the client machine. Proxy caches collected ARF files until they
+are forwarded to Foreman.
+
+Learn more about [Foreman-OpenSCAP](https://github.com/OpenSCAP/foreman_openscap) workflow.
 
 ## Installation
 
@@ -20,7 +23,7 @@ reports will be forwarded to foreman_openscap in future versions.
   ```
   ~$ cd foreman-proxy_openscap
   ~$ gem build foreman_proxy_openscap.gemspec
-  ~# yum install yum-utils
+  ~# yum install yum-utils rpm-build
   ~# yum-builddep extra/rubygem-foreman-proxy_openscap.spec
   ~# rpmbuild  --define "_sourcedir `pwd`" -ba extra/rubygem-foreman-proxy_openscap.spec
   ```
@@ -36,6 +39,7 @@ reports will be forwarded to foreman_openscap in future versions.
   ```
   cp /etc/foreman-proxy/settings.d/openscap.yml{.example,}
   vim /etc/foreman-proxy/settings.d/openscap.yml
+  echo ":foreman_url: https://my-foreman.local.lan" >> /etc/foreman-proxy/settings.yml
   ```
 
 - Deploy
@@ -46,5 +50,21 @@ reports will be forwarded to foreman_openscap in future versions.
 
 - Usage:
 
-  Deploy openscap::xccdf::foreman_audit puppet class from Foreman on your clients.
-  The client will upload their audit results to your Foreman proxies.
+  Learn more about [Foreman-OpenSCAP](https://github.com/OpenSCAP/foreman_openscap) workflow.
+
+## Copyright
+
+Copyright (c) 2014 Red Hat, Inc.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program.  If not, see <http://www.gnu.org/licenses/>.

data/bin/foreman-proxy-openscap-send

@@ -0,0 +1,43 @@
+#!/usr/bin/env ruby
+#
+# Copyright (c) 2014 Red Hat Inc.
+#
+# This software is licensed to you under the GNU General Public License,
+# version 3 (GPLv3). There is NO WARRANTY for this software, express or
+# implied, including the implied warranties of MERCHANTABILITY or FITNESS
+# FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv3
+# along with this software; if not, see http://www.gnu.org/licenses/gpl.txt
+#
+
+$LOAD_PATH.unshift '/usr/share/foreman-proxy/lib'
+$LOAD_PATH.unshift '/usr/share/foreman-proxy/modules'
+
+require 'smart_proxy'
+require 'foreman-proxy_openscap'
+require 'foreman-proxy_openscap/openscap_lib'
+
+# Don't run if OpenSCAP plugin is disabled.
+exit unless Proxy::OpenSCAP::Plugin.settings.enabled == true
+
+# TODO: include some jitter to not bring Foreman to its knees
+
+module Proxy
+  module Log
+    @@logger = ::Logger.new(Proxy::OpenSCAP::Plugin.settings.openscap_send_log_file, 6, 1024*1024*10)
+    @@logger.level = ::Logger.const_get(Proxy::SETTINGS.log_level.upcase)
+  end
+end
+include Proxy::Log
+
+if !Proxy::SETTINGS.foreman_url
+  logger.error "Foreman URL not configured"
+  exit false
+end
+
+begin
+  Proxy::OpenSCAP::send_spool_to_foreman
+rescue StandardError => e
+  logger.debug e.backtrace.join("\n\t")
+  logger.error "Failed to send SCAP results to the Foreman server: #{e}"
+  exit false
+end

data/extra/foreman-proxy-openscap-send.cron

@@ -0,0 +1,2 @@
+# Send all collected OpenSCAP reports once every 30 minutes
+*/30 * * * * foreman-proxy foreman-proxy-openscap-send >>/var/log/foreman-proxy/cron.log 2>&1

data/extra/rubygem-foreman-proxy_openscap.spec

@@ -6,7 +6,7 @@
 %global proxy_user foreman-proxy
 
 Name: rubygem-%{gem_name}
-Version: 0.0.1
+Version: 0.1.0
 Release: 1%{?dist}
 Summary: OpenSCAP plug-in for Foreman's smart-proxy.
 Group: Applications/Internet
@@ -15,7 +15,8 @@ URL: http://github.com/openscap/foreman-proxy_openscap
 Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
 #Requires: ruby(release)
 Requires: ruby(rubygems)
-Requires: foreman-proxy
+Requires: foreman-proxy >= 1.7.0-0.develop.201410221520
+Requires: crontabs
 #BuildRequires: ruby(release)
 BuildRequires: rubygems-devel
 BuildRequires: ruby
@@ -46,6 +47,11 @@ cp -a .%{gem_dir}/* \
 mv %{buildroot}%{gem_instdir}/foreman-proxy_openscap.gemspec %{buildroot}/%{gem_spec}
 rm %{buildroot}%{gem_instdir}/extra/*.spec # this specfile
 
+# executables
+mkdir -p %{buildroot}%{_bindir}
+mv  %{buildroot}%{gem_instdir}/bin/* \
+	%{buildroot}%{_bindir}
+
 # bundler file
 mkdir -p %{buildroot}%{foreman_proxy_bundlerd_dir}
 mv %{buildroot}%{gem_instdir}/bundler.d/openscap.rb \
@@ -56,6 +62,11 @@ mkdir -p %{buildroot}%{foreman_proxy_pluginconf_dir}
 mv %{buildroot}%{gem_instdir}/settings.d/openscap.yml.example \
    %{buildroot}%{foreman_proxy_pluginconf_dir}/
 
+# crontab
+mkdir -p %{buildroot}%{_sysconfdir}/cron.d/
+mv %{buildroot}%{gem_instdir}/extra/foreman-proxy-openscap-send.cron \
+   %{buildroot}%{_sysconfdir}/cron.d/%{name}
+
 # create spool directory
 mkdir -p %{buildroot}%{spool_dir}
 
@@ -67,12 +78,17 @@ mkdir -p %{buildroot}%{spool_dir}
 
 %attr(-,%{proxy_user},%{proxy_user}) %{spool_dir}
 %{foreman_proxy_bundlerd_dir}/openscap.rb
+%{_bindir}/foreman-proxy-openscap-send
 %doc %{foreman_proxy_pluginconf_dir}/openscap.yml.example
+%config(noreplace) %attr(0644, root, root) %{_sysconfdir}/cron.d/%{name}
 
 %{gem_docdir}
 %{gem_instdir}/README.md
 %{gem_instdir}/COPYING
 
 %changelog
+* Fri Oct 24 2014 Šimon Lukašík <slukasik@redhat.com> - 0.1.0-1
+- rebuilt
+
 * Fri Jul 18 2014 Šimon Lukašík <slukasik@redhat.com> - 0.0.1-1
 - Initial package

data/foreman-proxy_openscap.gemspec

@@ -13,4 +13,5 @@ Gem::Specification.new do |s|
   s.license = 'GPL-3'
 
   s.files = `git ls-files`.split("\n") - ['.gitignore']
+  s.executables = ['foreman-proxy-openscap-send']
 end

data/lib/foreman-proxy_openscap/openscap_api.rb

@@ -8,7 +8,6 @@
 # along with this software; if not, see http://www.gnu.org/licenses/gpl.txt
 #
 
-require 'digest'
 require 'foreman-proxy_openscap/openscap_lib'
 
 module Proxy::OpenSCAP
@@ -34,9 +33,7 @@ module Proxy::OpenSCAP
       end
 
       begin
-        filename = Digest::SHA256.hexdigest request.body.string
-        target_path = target_dir + filename
-        File.open(target_path,'w') { |f| f.write(request.body.string) }
+        target_path = Proxy::OpenSCAP::store_arf(target_dir, request.body.string)
       rescue StandardError => e
         log_halt 500, "Could not store file: #{e.message}"
       end

data/lib/foreman-proxy_openscap/openscap_lib.rb

@@ -8,8 +8,11 @@
 # along with this software; if not, see http://www.gnu.org/licenses/gpl.txt
 #
 
+require 'digest'
 require 'fileutils'
+require 'json'
 require 'proxy/error'
+require 'proxy/request'
 
 module Proxy::OpenSCAP
   def self.common_name(request)
@@ -40,6 +43,18 @@ module Proxy::OpenSCAP
     dir
   end
 
+  def self.store_arf(spool_arf_dir, data)
+    filename = Digest::SHA256.hexdigest data
+    target_path = spool_arf_dir + filename
+    File.open(target_path,'w') { |f| f.write(data) }
+    return target_path
+  end
+
+  def self.send_spool_to_foreman
+    arf_dir = File.join(Proxy::OpenSCAP::Plugin.settings.spooldir, "/arf")
+    return unless File.exists? arf_dir
+    ForemanForwarder.new.do arf_dir
+  end
 
   private
   def self.validate_policy_name name
@@ -55,5 +70,93 @@ module Proxy::OpenSCAP
       raise Proxy::Error::BadRequest, "Malformed date"
     end
   end
+
+  class ForemanForwarder < Proxy::HttpRequest::ForemanRequest
+    def do(arf_dir)
+      Dir.foreach(arf_dir) { |cname|
+        cname_dir = File.join(arf_dir, cname)
+        if File.directory? cname_dir and !(cname == '.' || cname == '..')
+          forward_cname_dir(cname, cname_dir)
+        end
+      }
+    end
+
+    private
+    def forward_cname_dir(cname, cname_dir)
+      Dir.foreach(cname_dir) { |policy_name|
+        policy_dir = File.join(cname_dir, policy_name)
+        if File.directory? policy_dir and !(policy_name == '.' || policy_name == '..')
+          forward_policy_dir(cname, policy_name, policy_dir)
+        end
+      }
+      remove cname_dir
+    end
+
+    def forward_policy_dir(cname, policy_name, policy_dir)
+      Dir.foreach(policy_dir) { |date|
+        date_dir = File.join(policy_dir, date)
+        if File.directory? date_dir and !(date == '.' || date == '..')
+          forward_date_dir(cname, policy_name, date, date_dir)
+        end
+      }
+      remove policy_dir
+    end
+
+    def forward_date_dir(cname, policy_name, date, date_dir)
+      path = upload_path(cname, policy_name, date)
+      Dir.foreach(date_dir) { |arf|
+        arf_path = File.join(date_dir, arf)
+        if File.file? arf_path and !(arf == '.' || arf == '..')
+          logger.debug("Uploading #{arf} to #{path}")
+          forward_arf_file(path, arf_path)
+        end
+      }
+      remove date_dir
+    end
+
+    def upload_path(cname, policy_name, date)
+      return "/api/v2/openscap/arf_reports/#{cname}/#{policy_name}/#{date}"
+    end
+
+    def forward_arf_file(foreman_api_path, arf_file_path)
+      begin
+        data = File.read(arf_file_path)
+        response = send_request(foreman_api_path, data)
+        response.value
+        raise StandardError, "Received #{response.code}: #{response.message}" unless response.code.to_i == 200
+        res = JSON.parse(response.body)
+        raise StandardError, "Received result: #{res['result']}" unless res['result'] == 'OK'
+        raise StandardError, "Sent bytes: #{data.length}, but foreman received: #{res['received']}" unless data.length == res['received']
+        File.delete arf_file_path
+      rescue StandardError => e
+        logger.debug response.body if response
+        raise e
+      end
+    end
+
+    def remove(dir)
+      begin
+        Dir.delete dir
+      rescue StandardError => e
+        logger.error "Could not remove directory: #{e.message}"
+      end
+    end
+
+    def send_request(path, body)
+      # Override the parent method to set the right headers
+      path = [uri.path, path].join('/') unless uri.path.empty?
+      req = Net::HTTP::Post.new(URI.join(uri.to_s, path).path)
+      # Well, this is unfortunate. We want to have content-type text/xml. We
+      # also need the content-encoding to equal with x-bzip2. However, when
+      # the Foreman's framework sees text/xml, it will rewrite it to application/xml.
+      # What's worse, a framework will try to parse body as an utf8 string,
+      # no matter what content-encoding says. Oh my.
+      # Let's pass content-type arf-bzip2 and move forward.
+      req.content_type = 'application/arf-bzip2'
+      req['Content-Encoding'] = 'x-bzip2'
+      req.body = body
+      http.request(req)
+    end
+  end
 end
 

data/lib/foreman-proxy_openscap/openscap_plugin.rb

@@ -17,7 +17,8 @@ module Proxy::OpenSCAP
     http_rackup_path File.expand_path("http_config.ru", File.expand_path("../", __FILE__))
     https_rackup_path File.expand_path("http_config.ru", File.expand_path("../", __FILE__))
 
-    default_settings :spooldir => '/var/spool/foreman-proxy/openscap'
+    default_settings :spooldir => '/var/spool/foreman-proxy/openscap',
+                     :openscap_send_log_file => '/var/log/foreman-proxy/openscap-send.log'
   end
 end
 

data/lib/foreman-proxy_openscap/openscap_version.rb

@@ -10,7 +10,7 @@
 
 module Proxy
   module OpenSCAP
-    VERSION = '0.0.1'
+    VERSION = '0.1.0'
   end
 end
 

data/settings.d/openscap.yml.example

@@ -1,6 +1,9 @@
 ---
 :enabled: true
 
+# Log file for the forwarding script.
+#:abrt_send_log_file: /var/log/foreman-proxy/openscap-send.log
+
 # Directory where OpenSCAP audits are stored
 # before they are forwarded to Foreman
 #:spooldir: /var/spool/foreman-proxy/openscap

metadata

@@ -1,26 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: foreman-proxy_openscap
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 0.1.0
 platform: ruby
 authors:
 - Šimon Lukašík
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-07-28 00:00:00.000000000 Z
+date: 2014-10-24 00:00:00.000000000 Z
 dependencies: []
 description: |-
   A plug-in to the Foreman's smart-proxy which receives
     bzip2ed ARF files and forwards them to the Foreman.
 email: slukasik@redhat.com
-executables: []
+executables:
+- foreman-proxy-openscap-send
 extensions: []
 extra_rdoc_files: []
 files:
 - COPYING
 - README.md
+- bin/foreman-proxy-openscap-send
 - bundler.d/openscap.rb
+- extra/foreman-proxy-openscap-send.cron
 - extra/rubygem-foreman-proxy_openscap.spec
 - foreman-proxy_openscap.gemspec
 - lib/foreman-proxy_openscap.rb