foreman_openscap 0.6.3 → 0.6.4

data/app/helpers/compliance_dashboard_helper.rb

@@ -1,8 +1,8 @@
 module ComplianceDashboardHelper
 
   def latest_compliance_headers
-    string =  "<th>#{_("Host")}</th>"
-    string += "<th>#{_("Policy")}</th>"
+    string =  "<th class='col-md-7'>#{_("Host")}</th>"
+    string += "<th class='col-md-3'>#{_("Policy")}</th>"
     # TRANSLATORS: initial character of Passed
     string += translated_header(s_('Passed|P'), _('Passed'))
     # TRANSLATORS: initial character of Failed

data/app/helpers/policies_helper.rb

@@ -5,8 +5,16 @@ module PoliciesHelper
     return []
   end
 
+  def policy_profile_from_scap_content(policy)
+    policy.scap_content_profile.nil? ? "Default" : policy.scap_content_profile.title
+  end
+
+  def effective_policy_profile(policy)
+    policy.tailoring_file ? policy.tailoring_file_profile.title : policy_profile_from_scap_content(policy)
+  end
+
   def scap_content_selector(form)
-    scap_contents = ::ForemanOpenscap::ScapContent.all
+    scap_contents = ::ForemanOpenscap::ScapContent.authorized(:view_scap_contents).all
     if scap_contents.length > 1
       select_f form, :scap_content_id, scap_contents, :id, :title,
                {:include_blank => _("Choose existing SCAP Content")},
@@ -38,6 +46,26 @@ module PoliciesHelper
     end
   end
 
+  def tailoring_file_selector(form)
+    select_f form, :tailoring_file_id, ForemanOpenscap::TailoringFile.all.authorized(:view_tailoring_files), :id, :name,
+             { :include_blank => _('Choose Tailoring File') },
+             { :label => _('Tailoring File'),
+               :onchange => 'tailoring_file_selected(this)',
+               :'data-url' => method_path('tailoring_file_selected') }
+  end
+
+  def tailoring_file_profile_selector(form, tailoring_file)
+    if tailoring_file
+      select_f form, :tailoring_file_profile_id, tailoring_file.scap_content_profiles, :id, :title,
+               { :selected => tailoring_file.scap_content_profiles.first.id },
+               { :label => _("XCCDF Profile in Tailoring File"),
+                 :help_inline => _("This profile will be used to override the one from scap content") }
+    else
+      # to make sure tailoring profile id is nil when tailoring file is deselected
+      form.hidden_field(:tailoring_file_profile_id, :value => nil)
+    end
+  end
+
   def submit_or_cancel_policy(form, overwrite = nil, args = { })
     args[:cancel_path] ||= send("#{controller_name}_path")
     content_tag(:div, :class => "clearfix") do

data/app/helpers/tailoring_files_helper.rb

@@ -0,0 +1,5 @@
+module TailoringFilesHelper
+  def run_tailoring_proxy_check
+    ForemanOpenscap::OpenscapProxyVersionCheck.new.run
+  end
+end

data/app/lib/proxy_api/openscap.rb

@@ -4,14 +4,24 @@ module ::ProxyAPI
       @url = args[:url] + '/compliance/'
       super args
       @connect_params[:headers].merge!(:content_type => :xml)
+      @connect_params[:timeout] = timeout
     end
 
     def fetch_policies_for_scap_content(scap_file)
       parse(post(scap_file, "scap_content/policies"))
     end
 
-    def validate_scap_content(scap_file)
-      parse(post(scap_file, "scap_content/validator"))
+    def fetch_profiles_for_tailoring_file(scap_file)
+      parse(post(scap_file, "tailoring_file/profiles"))
+    end
+
+    def validate_scap_file(scap_file, type)
+      parse(post(scap_file, "scap_file/validator/#{type}"))
+    rescue RestClient::RequestTimeout => e
+      raise ::ProxyAPI::ProxyException.new(url, e, N_("Request timed out. Please try increasing Settings -> proxy_request_timeout"))
+    rescue RestClient::ResourceNotFound => e
+      raise ::ProxyAPI::ProxyException.new(url, e,
+        N_("Could not validate %s. Please make sure you have appropriate proxy version to use this functionality") % scap_file.class)
     end
 
     def policy_html_guide(scap_file, policy)
@@ -46,5 +56,11 @@ module ::ProxyAPI
         false
       end
     end
+
+    private
+
+    def timeout
+      Setting[:proxy_request_timeout] && Setting[:proxy_request_timeout] > 120 ? Setting[:proxy_request_timeout] : 120
+    end
   end
 end

data/app/models/concerns/foreman_openscap/data_stream_content.rb

@@ -0,0 +1,43 @@
+module ForemanOpenscap
+  module DataStreamContent
+    require 'digest/sha2'
+
+    extend ActiveSupport::Concern
+
+    included do
+      validates :digest, :presence => true
+      validates :scap_file, :presence => true
+
+      validates_with ForemanOpenscap::DataStreamValidator
+
+      after_save :create_profiles
+
+      before_validation :redigest, :if => lambda { |ds_content| ds_content.persisted? && ds_content.scap_file_changed? }
+      before_destroy ActiveRecord::Base::EnsureNotUsedBy.new(:policies)
+    end
+
+    def proxy_url
+      @proxy_url ||= SmartProxy.with_features('Openscap').find do |proxy|
+        available = ProxyAPI::AvailableProxy.new(:url => proxy.url)
+        available.available?
+      end.try(:url)
+      @proxy_url
+    end
+
+    def digest
+      self[:digest] ||= Digest::SHA256.hexdigest(scap_file.to_s)
+    end
+
+    private
+
+    def redigest
+      self[:digest] = Digest::SHA256.hexdigest(scap_file.to_s)
+    end
+
+    def create_profiles
+      fetch_profiles.each do |key, title|
+        ScapContentProfile.where(:profile_id => key, :title => title, "#{self.class.to_s.demodulize.underscore}_id".to_sym => id).first_or_create
+      end
+    end
+  end
+end

data/app/models/concerns/foreman_openscap/host_extensions.rb

@@ -67,7 +67,7 @@ module ForemanOpenscap
     end
 
     def combined_policies
-      combined = self.hostgroup ? self.policies + self.hostgroup.policies : self.policies
+      combined = self.hostgroup ? self.policies + self.hostgroup.policies + self.hostgroup.inherited_policies : self.policies
       combined.uniq
     end
 

data/app/models/concerns/foreman_openscap/hostgroup_extensions.rb

@@ -8,6 +8,14 @@ module ForemanOpenscap
       has_many :policies, :through => :asset_policies, :class_name => "::ForemanOpenscap::Policy"
     end
 
+    def inherited_policies
+      return [] unless parent
+
+      ancestors.inject([]) do |policies, hostgroup|
+        policies += hostgroup.policies
+      end.uniq
+    end
+
     unless defined?(Katello::System)
       private
 

data/app/models/foreman_openscap/policy.rb

@@ -6,6 +6,8 @@ module ForemanOpenscap
 
     belongs_to :scap_content
     belongs_to :scap_content_profile
+    belongs_to :tailoring_file
+    belongs_to :tailoring_file_profile, :class_name => ForemanOpenscap::ScapContentProfile
     has_many :policy_arf_reports
     has_many :arf_reports, :through => :policy_arf_reports, :dependent => :destroy
     has_many :asset_policies
@@ -28,7 +30,7 @@ module ForemanOpenscap
     validates :scap_content_id, presence: true, if: Proc.new { |policy| policy.should_validate?('SCAP Content') }
     validates :scap_content_profile_id, presence: true, if: Proc.new { |policy| policy.should_validate?('SCAP Content') }
 
-    validate :valid_cron_line, :valid_weekday, :valid_day_of_month
+    validate :valid_cron_line, :valid_weekday, :valid_day_of_month, :valid_tailoring, :valid_tailoring_profile
 
     after_save :assign_policy_to_hostgroups
     # before_destroy - ensure that the policy has no hostgroups, or classes
@@ -166,9 +168,11 @@ module ForemanOpenscap
     def to_enc
       {
         'id'            => self.id,
-        'profile_id'    => self.scap_content_profile.try(:profile_id) || '',
+        'profile_id'    => profile_for_scan,
         'content_path'  => "/var/lib/openscap/content/#{self.scap_content.digest}.xml",
-        'download_path' => "/compliance/policies/#{self.id}/content" # default to proxy path
+        'tailoring_path' => tailoring_file ? "/var/lib/openscap/tailoring/#{self.tailoring_file.digest}.xml" : '',
+        'download_path' => "/compliance/policies/#{self.id}/content", # default to proxy path
+        'tailoring_download_path' => "/compliance/policies/#{self.id}/tailoring"
       }.merge(period_enc)
     end
 
@@ -273,6 +277,17 @@ module ForemanOpenscap
       end
     end
 
+    def valid_tailoring
+      errors.add(:tailoring_file_id, _("must be present when tailoring file profile present")) if tailoring_file_profile_id && !tailoring_file_id
+      errors.add(:tailoring_file_profile_id, _("must be present when tailoring file present")) if !tailoring_file_profile_id && tailoring_file_id
+    end
+
+    def valid_tailoring_profile
+      if tailoring_file && tailoring_file_profile && !ScapContentProfile.where(:tailoring_file_id => tailoring_file_id).include?(tailoring_file_profile)
+        errors.add(:tailoring_file_profile, _("does not come from selected tailoring file"))
+      end
+    end
+
     def assign_policy_to_hostgroups
       if hostgroups.any?
         puppetclass = find_scap_puppetclass
@@ -283,6 +298,16 @@ module ForemanOpenscap
       end
     end
 
+    def profile_for_scan
+      if tailoring_file_profile
+        tailoring_file_profile.profile_id
+      elsif scap_content_profile
+        scap_content_profile.profile_id
+      else
+        ''
+      end
+    end
+
     def find_scap_puppetclass
       Puppetclass.find_by_name(SCAP_PUPPET_CLASS)
     end

data/app/models/foreman_openscap/scap_content.rb

@@ -1,56 +1,13 @@
-require 'digest/sha2'
-
 module ForemanOpenscap
-  class DataStreamValidator < ActiveModel::Validator
-    def validate(scap_content)
-      return unless scap_content.scap_file_changed?
-
-      unless SmartProxy.with_features('Openscap').any?
-        scap_content.errors.add(:base, _('No proxy with OpenSCAP features'))
-        return false
-      end
-
-      if scap_content.proxy_url.nil?
-        scap_content.errors.add(:base, _('No available proxy to validate SCAP content'))
-        return false
-      end
-
-      begin
-        api = ProxyAPI::Openscap.new(:url => scap_content.proxy_url)
-        errors = api.validate_scap_content(scap_content.scap_file)
-        if errors && errors['errors'].any?
-          errors['errors'].each { |error| scap_content.errors.add(:scap_file, _(error)) }
-          return false
-        end
-      rescue *ProxyAPI::AvailableProxy::HTTP_ERRORS => e
-        scap_content.errors.add(:base, _('No available proxy to validate. Returned with error: %s') % e)
-        return false
-      end
-
-
-      unless (scap_content.scap_content_profiles.map(&:profile_id) - scap_content.fetch_profiles.keys).empty?
-        scap_content.errors.add(:scap_file, _('Changed file does not include existing SCAP content profiles'))
-        return false
-      end
-    end
-  end
-
   class ScapContent < ActiveRecord::Base
     include Authorizable
     include Taxonomix
+    include DataStreamContent
 
     has_many :scap_content_profiles, :dependent => :destroy
     has_many :policies
 
-    before_destroy EnsureNotUsedBy.new(:policies)
-
-    validates_with DataStreamValidator
     validates :title, :presence => true, :length => { :maximum => 255 }
-    validates :digest, :presence => true
-    validates :scap_file, :presence => true
-
-    after_save :create_profiles
-    before_validation :redigest, :if => lambda { |scap_content| scap_content.persisted? && scap_content.scap_file_changed? }
 
     scoped_search :on => :title,             :complete_value => true
     scoped_search :on => :original_filename, :complete_value => true, :rename => :filename
@@ -77,8 +34,9 @@ module ForemanOpenscap
       title
     end
 
-    def digest
-      self[:digest] ||= Digest::SHA256.hexdigest "#{scap_file}"
+    def as_json(*args)
+      hash = super
+      hash["scap_file"] = scap_file.to_s.encode('utf-8', :invalid => :replace, :undef => :replace, :replace => '_')
     end
 
     def fetch_profiles
@@ -86,31 +44,5 @@ module ForemanOpenscap
       profiles = api.fetch_policies_for_scap_content(scap_file)
       profiles
     end
-
-    def proxy_url
-      @proxy_url ||= SmartProxy.with_features('Openscap').find do |proxy|
-        available = ProxyAPI::AvailableProxy.new(:url => proxy.url)
-        available.available?
-      end.try(:url)
-      @proxy_url
-    end
-
-    def as_json(*args)
-      hash = super
-      hash["scap_file"] = scap_file.to_s.encode('utf-8', :invalid => :replace, :undef => :replace, :replace => '_')
-    end
-
-    private
-
-    def create_profiles
-      profiles = fetch_profiles
-      profiles.each {|key, title|
-        scap_content_profiles.where(:profile_id => key, :title => title).first_or_create
-      }
-    end
-
-    def redigest
-      self[:digest] = Digest::SHA256.hexdigest "#{scap_file}"
-    end
   end
 end

data/app/models/foreman_openscap/scap_content_profile.rb

@@ -2,5 +2,7 @@ module ForemanOpenscap
   class ScapContentProfile < ActiveRecord::Base
     belongs_to :scap_content
     has_many :policies
+    belongs_to :tailoring_file
+    has_many :tailoring_file_policies, :class_name => ForemanOpenscap::Policy
   end
 end

data/app/models/foreman_openscap/tailoring_file.rb

@@ -0,0 +1,19 @@
+module ForemanOpenscap
+  class TailoringFile < ActiveRecord::Base
+    include Authorizable
+    include Taxonomix
+    include DataStreamContent
+
+    has_many :policies
+    has_many :scap_content_profiles, :dependent => :destroy
+    validates :name, :presence => true, :uniqueness => true, :length => { :maximum => 255 }
+
+    scoped_search :on => :name,              :complete_value => true
+    scoped_search :on => :original_filename, :complete_value => true, :rename => :filename
+
+    def fetch_profiles
+      api = ProxyAPI::Openscap.new(:url => proxy_url)
+      api.fetch_profiles_for_tailoring_file(scap_file)
+    end
+  end
+end

data/app/services/foreman_openscap/openscap_proxy_version_check.rb

@@ -0,0 +1,63 @@
+module ForemanOpenscap
+  class OpenscapProxyVersionCheck
+
+    def initialize
+      @versions = {}
+      @message = ''
+      @down = []
+    end
+
+    def run
+      @versions = openscap_proxy_versions.select do |key, value|
+        Gem::Version.new(value) <= Gem::Version.new("0.6.1")
+      end
+      self
+    end
+
+    def pass?
+      !any_outdated? && !any_unreachable?
+    end
+
+    def any_outdated?
+      !@versions.empty?
+    end
+
+    def any_unreachable?
+      !@down.empty?
+    end
+
+    def message
+      if pass?
+        @message
+      else
+        build_message
+      end
+    end
+
+    private
+
+    def build_message
+      @message = _('This feature is temporarily disabled. ')
+      @message << _('The following Smart Proxies need to be updated to unlock the feature: %s. ') % @versions.keys.to_sentence if any_outdated?
+      @message << _('The following proxies could not be reached: %s. Please make sure they are available so Foreman can check their versions.') % @down.to_sentence if any_unreachable?
+      @message
+    end
+
+    def get_openscap_proxies
+      SmartProxy.with_features "Openscap"
+    end
+
+    def openscap_proxy_versions
+      get_openscap_proxies.inject({}) do |memo, proxy|
+        begin
+          status = ProxyStatus::Version.new(proxy).version
+          openscap_version = status["modules"]["openscap"]
+          memo[proxy.name] = openscap_version
+        rescue Foreman::WrappedException
+          @down << proxy.name
+        end
+        memo
+      end
+    end
+  end
+end

data/app/validators/foreman_openscap/data_stream_validator.rb

@@ -0,0 +1,44 @@
+module ForemanOpenscap
+  class DataStreamValidator < ActiveModel::Validator
+    def validate(data_stream_content)
+      return unless data_stream_content.scap_file_changed?
+
+      content_type = data_type(data_stream_content)
+
+      unless SmartProxy.with_features('Openscap').any?
+        data_stream_content.errors.add(:base, _('No proxy with OpenSCAP features'))
+        return false
+      end
+
+      if data_stream_content.proxy_url.nil?
+        data_stream_content.errors.add(:base, _('No available proxy to validate SCAP data stream file'))
+        return false
+      end
+
+      begin
+        api = ProxyAPI::Openscap.new(:url => data_stream_content.proxy_url)
+        errors = api.validate_scap_file(data_stream_content.scap_file, content_type)
+        if errors && errors['errors'].any?
+          errors['errors'].each { |error| data_stream_content.errors.add(:scap_file, _(error)) }
+          return false
+        end
+      rescue *ProxyAPI::AvailableProxy::HTTP_ERRORS => e
+        data_stream_content.errors.add(:base, _('No available proxy to validate. Returned with error: %s') % e)
+        return false
+      end
+
+      is_scap_content = content_type == 'scap_content'
+
+      if is_scap_content && !(data_stream_content.scap_content_profiles.map(&:profile_id) - data_stream_content.fetch_profiles.keys).empty?
+        data_stream_content.errors.add(:scap_file, _('Changed file does not include existing SCAP content profiles'))
+        return false
+      end
+    end
+
+    private
+
+    def data_type(data_stream_content)
+      data_stream_content.class.to_s.demodulize.underscore
+    end
+  end
+end