foreman_openscap 0.4.3 → 0.5.0

data/app/models/concerns/foreman_openscap/hostgroup_extensions.rb

@@ -1,13 +1,11 @@
-require 'scaptimony/asset'
-
 module ForemanOpenscap
   module HostgroupExtensions
     extend ActiveSupport::Concern
 
     included do
-      has_one :asset, :as => :assetable, :class_name => "::Scaptimony::Asset"
-      has_many :asset_policies, :through => :asset, :class_name => "::Scaptimony::AssetPolicy"
-      has_many :policies, :through => :asset_policies, :class_name => "::Scaptimony::Policy"
+      has_one :asset, :as => :assetable, :class_name => "::ForemanOpenscap::Asset"
+      has_many :asset_policies, :through => :asset, :class_name => "::ForemanOpenscap::AssetPolicy"
+      has_many :policies, :through => :asset_policies, :class_name => "::ForemanOpenscap::Policy"
     end
   end
 end

data/app/models/foreman_openscap/arf_report.rb

@@ -0,0 +1,165 @@
+require 'foreman_openscap/helper'
+
+module ForemanOpenscap
+  class ArfReport < ::Report
+    include Taxonomix
+
+    RESULT = %w(pass fail error unknown notapplicable notchecked notselected informational fixed)
+    METRIC = %w(passed othered failed)
+    BIT_NUM = 10
+    MAX = (1 << BIT_NUM) - 1
+
+    has_one :policy_arf_report, :dependent => :destroy
+    has_one :policy, :through => :policy_arf_report
+    has_one :asset, :through => :host, :class_name => 'ForemanOpenscap::Asset'
+    after_save :assign_locations_organizations
+    validate :result, :inclusion => { :in => RESULT }
+
+    default_scope {
+      with_taxonomy_scope do
+        order("#{self.table_name}.created_at DESC")
+      end
+    }
+
+    scope :hosts, lambda { includes(:policy) }
+    scope :of_policy, lambda { |policy_id| joins(:policy_arf_report).merge(PolicyArfReport.of_policy(policy_id)) }
+
+    scope :latest,
+       joins('INNER JOIN (SELECT host_id, policy_id, max(reports.id) AS id
+                          FROM reports INNER JOIN foreman_openscap_policy_arf_reports
+                              ON reports.id = foreman_openscap_policy_arf_reports.arf_report_id
+                          GROUP BY host_id, policy_id) latest
+              ON reports.id = latest.id')
+
+    scope :latest_of_policy, lambda { |policy|
+      joins("INNER JOIN (SELECT host_id, policy_id, max(reports.id) AS id
+                         FROM reports INNER JOIN foreman_openscap_policy_arf_reports
+                            ON reports.id = foreman_openscap_policy_arf_reports.arf_report_id
+                         WHERE policy_id = #{policy.id}
+                         GROUP BY host_id, policy_id) latest
+             ON reports.id = latest.id")
+    }
+
+    scope :failed, lambda { where("(#{report_status_column} >> #{ bit_mask 'failed' }) > 0") }
+    scope :not_failed, lambda { where("(#{report_status_column} >> #{ bit_mask 'failed' }) = 0") }
+
+    scope :othered, lambda { where("(#{report_status_column} >> #{ bit_mask 'othered' }) > 0").merge(not_failed) }
+    scope :not_othered, lambda { where("(#{report_status_column} >> #{ bit_mask 'othered' }) = 0") }
+
+    scope :passed, lambda { where("(#{report_status_column} >> #{ bit_mask 'passed' }) > 0").merge(not_failed).merge(not_othered) }
+
+    def self.bit_mask(status)
+      ComplianceStatus.bit_mask(status)
+    end
+
+    def self.report_status_column
+      "status"
+    end
+
+    def status=(st)
+      s = case st
+          when Integer, Fixnum
+            st
+          when Hash
+            ArfReportStatusCalculator.new(:counters => st).calculate
+          else
+            fail Foreman::Exception(N_('Unsupported report status format'))
+          end
+      write_attribute(:status, s)
+    end
+
+    delegate :status, :status_of, :to => :calculator
+    delegate(*METRIC, :to => :calculator)
+
+    def calculator
+      ArfReportStatusCalculator.new(:bit_field => read_attribute(self.class.report_status_column))
+    end
+
+    def passed
+      status_of "passed"
+    end
+
+    def failed
+      status_of "failed"
+    end
+
+    def othered
+      status_of "othered"
+    end
+
+    def rules_count
+      status.values.sum
+    end
+
+    def self.create_arf(asset, params)
+      # fail if policy does not exist.
+      arf_report = nil
+      policy = Policy.find(params[:policy_id])
+      ArfReport.transaction do
+        # TODO:RAILS-4.0: This should become arf_report = ArfReport.find_or_create_by! ...
+        arf_report = ArfReport.create!(:host_id => asset.host.id,
+                                       :reported_at => Time.at(params[:date].to_i),
+                                       :status => params[:metrics],
+                                       :metrics => params[:metrics])
+        PolicyArfReport.where(:arf_report_id => arf_report.id, :policy_id => policy.id, :digest => params[:digest]).first_or_create!
+        if params[:logs]
+          params[:logs].each do |log|
+            src = Source.find_or_create(log[:source])
+            msg = Message.find_or_create(N_(log[:title]))
+            #TODO: log level
+            Log.create!(:source_id => src.id,
+                        :message_id => msg.id,
+                        :level_id => 1,
+                        :result => log[:result],
+                        :report_id => arf_report.id)
+          end
+        end
+      end
+      arf_report
+    end
+
+    def assign_locations_organizations
+      if host
+        self.location_ids = [host.location_id] if SETTINGS[:locations_enabled]
+        self.organization_ids = [host.organization_id] if SETTINGS[:organizations_enabled]
+      end
+    end
+
+    def failed?
+      failed > 0
+    end
+
+    def passed?
+      passed > 0 && failed == 0 && othered == 0
+    end
+
+    def othered?
+      !passed? && !failed?
+    end
+
+    def to_html
+      proxy.arf_report_html(self, ForemanOpenscap::Helper::find_name_or_uuid_by_host(host))
+    end
+
+    def to_bzip
+      proxy.arf_report_bzip(self, ForemanOpenscap::Helper::find_name_or_uuid_by_host(host))
+    end
+
+    def equal?(other)
+      results = [logs, other.logs].flatten.group_by(&:source_id).values
+      # for each rule, there should be one result from both reports
+      return false unless results.map(&:length).all? { |item| item == 2 }
+      results.all? { |result| result.first.source_id == result.last.source_id } &&
+        host_id == other.host_id &&
+        policy.id == other.policy.id
+    end
+
+    def proxy
+      return @proxy if @proxy
+      scap_class = host.info['classes']['foreman_scap_client']
+      port = scap_class['port']
+      server = scap_class['server']
+      @proxy = ::ProxyAPI::Openscap.new(:url => "https://#{server}:#{port}")
+    end
+  end
+end

data/app/models/foreman_openscap/asset.rb

@@ -0,0 +1,27 @@
+module ForemanOpenscap
+  class Asset < ActiveRecord::Base
+    has_many :asset_policies
+    has_many :policies, :through => :asset_policies
+    belongs_to :assetable, :polymorphic => true
+
+    scope :hosts, where(:assetable_type => 'Host::Base')
+
+    def host
+      fetch_asset('Host::Base')
+    end
+
+    def hostgroup
+      fetch_asset('Hostgroup')
+    end
+
+    def name
+      assetable.name
+    end
+
+    private
+
+    def fetch_asset(type)
+      assetable if assetable_type == type
+    end
+  end
+end

data/app/models/foreman_openscap/asset_policy.rb

@@ -0,0 +1,6 @@
+module ForemanOpenscap
+  class AssetPolicy < ActiveRecord::Base
+    belongs_to :policy
+    belongs_to :asset
+  end
+end

data/app/models/foreman_openscap/compliance_status.rb

@@ -0,0 +1,50 @@
+module ForemanOpenscap
+  class ComplianceStatus < ::HostStatus::Status
+    COMPLIANT = 0
+    INCONCLUSIVE = 1
+    INCOMPLIANT = 2
+
+    def self.status_name
+      N_('Compliance')
+    end
+
+    def self.bit_mask(status)
+      "#{ArfReport::BIT_NUM * ArfReport::METRIC.index(status)} & #{ArfReport::MAX}"
+    end
+
+    def to_label(options = {})
+      case to_status
+      when COMPLIANT
+        N_('Compliant')
+      when INCONCLUSIVE
+        N_('Inconclusive')
+      when INCOMPLIANT
+        N_('Incompliant')
+      else
+        N_('Unknown Compliance status')
+      end
+    end
+
+    def to_global(options = {})
+      case to_status
+      when COMPLIANT
+        ::HostStatus::Global::OK
+      when INCONCLUSIVE
+        ::HostStatus::Global::WARN
+      else
+        ::HostStatus::Global::ERROR
+      end
+    end
+
+    def relevant?
+      host.policies.present?
+    end
+
+    def to_status(options = {})
+      latest_reports = host.policies.map { |p| host.last_report_for_policy p }.flatten
+      return INCOMPLIANT if latest_reports.any?(&:failed?)
+      return INCONCLUSIVE if latest_reports.any?(&:othered?)
+      COMPLIANT
+    end
+  end
+end

data/app/models/{concerns/foreman_openscap/policy_extensions.rb → foreman_openscap/policy.rb}

@@ -1,49 +1,64 @@
-#
-# Copyright (c) 2014 Red Hat Inc.
-#
-# This software is licensed to you under the GNU General Public License,
-# version 3 (GPLv3). There is NO WARRANTY for this software, express or
-# implied, including the implied warranties of MERCHANTABILITY or FITNESS
-# FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv3
-# along with this software; if not, see http://www.gnu.org/licenses/gpl.txt
-#
-
 module ForemanOpenscap
-  module PolicyExtensions
-    extend ActiveSupport::Concern
-
+  class Policy < ActiveRecord::Base
     include Authorizable
     include Taxonomix
+    attr_accessible :description, :name, :period, :scap_content_id, :scap_content_profile_id,
+                    :weekday, :day_of_month, :cron_line, :location_ids, :organization_ids,
+                    :current_step, :hostgroup_ids
+    attr_writer :current_step
+
+    belongs_to :scap_content
+    belongs_to :scap_content_profile
+    has_many :policy_arf_reports
+    has_many :arf_reports, :through => :policy_arf_reports, :dependent => :destroy
+    has_many :asset_policies
+    has_many :assets, :through => :asset_policies
+
+    scoped_search :on => :name, :complete_value => true
+
+    SCAP_PUPPET_CLASS        = 'foreman_scap_client'
+    POLICIES_CLASS_PARAMETER = 'policies'
+    SERVER_CLASS_PARAMETER   = 'server'
+    PORT_CLASS_PARAMETER     = 'port'
+
+    validates :name, :presence => true, :uniqueness => true, :format => {without: /\s/}
+    validate :ensure_needed_puppetclasses
+    validates :period, :inclusion => {:in => %w[weekly monthly custom]},
+              :if                 => Proc.new { |policy| policy.new_record? ? policy.step_index > 3 : !policy.id.blank? }
+    validates :weekday, :inclusion => {:in => Date::DAYNAMES.map(&:downcase)},
+              :if                  => Proc.new { |policy| policy.period == 'weekly' && (policy.new_record? ? policy.step_index > 3 : !policy.id.blank?) }
+    validates :day_of_month, :numericality => {:greater_than => 0, :less_than => 32},
+              :if                          => Proc.new { |policy| policy.period == 'monthly'&& (policy.new_record? ? policy.step_index > 3 : !policy.id.blank?) }
+    validate :valid_cron_line
+    validate :ensure_period_specification_present
+
+
+    after_save :assign_policy_to_hostgroups
+    # before_destroy - ensure that the policy has no hostgroups, or classes
+
+    default_scope {
+      with_taxonomy_scope do
+        order("foreman_openscap_policies.name")
+      end
+    }
 
-    included do
-      attr_accessible :location_ids, :organization_ids, :current_step, :hostgroup_ids
-      attr_writer :current_step
-
-      SCAP_PUPPET_CLASS        = 'foreman_scap_client'
-      POLICIES_CLASS_PARAMETER = 'policies'
-      SERVER_CLASS_PARAMETER   = 'server'
-      PORT_CLASS_PARAMETER     = 'port'
-
-      validates :name, :presence => true, :uniqueness => true, :format => {without: /\s/}
-      validate :ensure_needed_puppetclasses
-      validates :period, :inclusion => {:in => %w[weekly monthly custom]},
-                :if                 => Proc.new { |policy| policy.new_record? ? policy.step_index > 3 : !policy.id.blank? }
-      validates :weekday, :inclusion => {:in => Date::DAYNAMES.map(&:downcase)},
-                :if                  => Proc.new { |policy| policy.period == 'weekly' && (policy.new_record? ? policy.step_index > 3 : !policy.id.blank?) }
-      validates :day_of_month, :numericality => {:greater_than => 0, :less_than => 32},
-                :if                          => Proc.new { |policy| policy.period == 'monthly'&& (policy.new_record? ? policy.step_index > 3 : !policy.id.blank?) }
-      validate :valid_cron_line
-      validate :ensure_period_specification_present
-
-
-      after_save :assign_policy_to_hostgroups
-      # before_destroy - ensure that the policy has no hostgroups, or classes
-
-      default_scope {
-        with_taxonomy_scope do
-          order("scaptimony_policies.name")
-        end
-      }
+    def assign_assets(a)
+      self.asset_ids = (self.asset_ids + a.collect(&:id)).uniq
+    end
+
+    def to_html
+      if scap_content.nil? || scap_content_profile.nil?
+        return (_('<h2>Cannot generate HTML guide for %{scap_content}/%{profile}</h2>') %
+          { :scap_content => self.scap_content, :profile => self.scap_content_profile }).html_safe
+      end
+
+      if (proxy = scap_content.proxy_url)
+        api = ProxyAPI::Openscap.new(:url => proxy)
+      else
+        return _('<h2>No valid OpenScap proxy server found.</h2>').html_safe
+      end
+
+      api.policy_html_guide(scap_content.scap_file, scap_content_profile.profile_id)
     end
 
     def hostgroup_ids
@@ -66,6 +81,18 @@ module ForemanOpenscap
       hostgroup_ids = hostgroups.map(&:id).map(&:to_s)
     end
 
+    def host_ids
+      assets.where(:assetable_type => 'Host::Base').pluck(:assetable_id)
+    end
+
+    def hosts
+      Host.where(:id => host_ids)
+    end
+
+    def hosts=(hosts)
+      host_ids = hosts.map(&:id).map(&:to_s)
+    end
+
     def steps
       base_steps = ['Create policy', 'SCAP Content', 'Schedule']
       base_steps << 'Locations' if SETTINGS[:locations_enabled]
@@ -111,13 +138,13 @@ module ForemanOpenscap
 
     def used_location_ids
       Location.joins(:taxable_taxonomies).where(
-          'taxable_taxonomies.taxable_type' => 'Scaptimony::Policy',
+          'taxable_taxonomies.taxable_type' => 'ForemanOpenscap::Policy',
           'taxable_taxonomies.taxable_id'   => id).pluck("#{Location.arel_table.name}.id")
     end
 
     def used_organization_ids
       Organization.joins(:taxable_taxonomies).where(
-          'taxable_taxonomies.taxable_type' => 'Scaptimony::Policy',
+          'taxable_taxonomies.taxable_type' => 'ForemanOpenscap::Policy',
           'taxable_taxonomies.taxable_id'   => id).pluck("#{Location.arel_table.name}.id")
     end
 
@@ -130,7 +157,7 @@ module ForemanOpenscap
     end
 
     def unassign_hosts(hosts)
-      host_asset_ids = Scaptimony::Asset.where(:assetable_type => 'Host::Base', :assetable_id => hosts.map(&:id)).pluck(:id)
+      host_asset_ids = ForemanOpenscap::Asset.where(:assetable_type => 'Host::Base', :assetable_id => hosts.map(&:id)).pluck(:id)
       self.asset_ids = self.asset_ids - host_asset_ids
     end
 

data/app/models/foreman_openscap/policy_arf_report.rb

@@ -0,0 +1,8 @@
+module ForemanOpenscap
+  class PolicyArfReport < ::ActiveRecord::Base
+    belongs_to :arf_report
+    belongs_to :policy
+
+    scope :of_policy, lambda { |policy_id| joins(:policy).where(:policy_id => policy_id) }
+  end
+end

data/app/models/foreman_openscap/policy_revision.rb

@@ -0,0 +1,6 @@
+module ForemanOpenscap
+  class PolicyRevision < ActiveRecord::Base
+    belongs_to :policy
+    belongs_to :scap_content
+  end
+end

data/app/models/foreman_openscap/scap_content.rb

@@ -0,0 +1,112 @@
+require 'digest/sha2'
+
+module ForemanOpenscap
+  class DataStreamValidator < ActiveModel::Validator
+    def validate(scap_content)
+      return unless scap_content.scap_file_changed?
+
+      unless SmartProxy.with_features('Openscap').any?
+        scap_content.errors.add(:base, _('No Proxy with OpenScap features'))
+        return false
+      end
+
+      if scap_content.proxy_url.nil?
+        scap_content.errors.add(:base, _('No Available Proxy to validate SCAP content'))
+        return false
+      end
+
+      begin
+        api = ProxyAPI::Openscap.new(:url => scap_content.proxy_url)
+        errors = api.validate_scap_content(scap_content.scap_file)
+        if errors && errors['errors'].any?
+          errors['errors'].each {|error| scap_content.errors.add(:scap_file, _(error))}
+          return false
+        end
+      rescue *ProxyAPI::AvailableProxy::HTTP_ERRORS => e
+        scap_content.errors.add(:base, _('No available proxy to validate. Returned with error: %s') % e)
+        return false
+      end
+
+
+      unless (scap_content.scap_content_profiles.map(&:profile_id) - scap_content.fetch_profiles.keys).empty?
+        scap_content.errors.add(:scap_file, _('Changed file does not include existing SCAP Content profiles'))
+        return false
+      end
+    end
+  end
+
+  class ScapContent < ActiveRecord::Base
+    include Authorizable
+    include Taxonomix
+
+    attr_accessible :original_filename, :scap_file, :title, :location_ids, :organization_ids
+
+    has_many :scap_content_profiles, :dependent => :destroy
+    has_many :policies
+
+    before_destroy EnsureNotUsedBy.new(:policies)
+
+    validates_with DataStreamValidator
+    validates :title, :presence => true
+    validates :digest, :presence => true
+    validates :scap_file, :presence => true
+
+    after_save :create_profiles
+    before_validation :redigest, :if => lambda { |scap_content| scap_content.persisted? && scap_content.scap_file_changed? }
+
+    scoped_search :on => :title,             :complete_value => true
+    scoped_search :on => :original_filename, :complete_value => true, :rename => :filename
+
+    default_scope {
+      with_taxonomy_scope do
+        order("foreman_openscap_scap_contents.title")
+      end
+    }
+
+    def used_location_ids
+      Location.joins(:taxable_taxonomies).where(
+          'taxable_taxonomies.taxable_type' => 'ForemanOpenscap::ScapContent',
+          'taxable_taxonomies.taxable_id' => id).pluck("#{Location.arel_table.name}.id")
+    end
+
+    def used_organization_ids
+      Organization.joins(:taxable_taxonomies).where(
+          'taxable_taxonomies.taxable_type' => 'ForemanOpenscap::ScapContent',
+          'taxable_taxonomies.taxable_id' => id).pluck("#{Location.arel_table.name}.id")
+    end
+
+    def to_label
+      title
+    end
+
+    def digest
+      self[:digest] ||= Digest::SHA256.hexdigest "#{scap_file}"
+    end
+
+    def fetch_profiles
+      api = ProxyAPI::Openscap.new(:url => proxy_url)
+      profiles = api.fetch_policies_for_scap_content(scap_file)
+      profiles
+    end
+
+    def proxy_url
+      @proxy_url ||= SmartProxy.with_features('Openscap').each do |proxy|
+        available = ProxyAPI::AvailableProxy.new(:url => proxy.url)
+        break proxy.url if available.available?
+      end
+    end
+
+    private
+
+    def create_profiles
+      profiles = fetch_profiles
+      profiles.each {|key, title|
+        scap_content_profiles.find_or_create_by_profile_id_and_title(key, title)
+      }
+    end
+
+    def redigest
+      self[:digest] = Digest::SHA256.hexdigest "#{scap_file}"
+    end
+  end
+end