foreman_openscap 0.6.3 → 0.6.4

data/lib/foreman_openscap/version.rb

@@ -1,3 +1,3 @@
 module ForemanOpenscap
-  VERSION = "0.6.3"
+  VERSION = "0.6.4"
 end

data/test/factories/policy_factory.rb

@@ -5,6 +5,8 @@ FactoryGirl.define do
     weekday 'monday'
     scap_content
     scap_content_profile
+    tailoring_file nil
+    tailoring_file_profile nil
     day_of_month nil
     cron_line nil
     hosts []

data/test/factories/scap_content_related.rb

@@ -12,4 +12,11 @@ FactoryGirl.define do
     f.profile_id 'xccdf_org.test.common_test_profile'
     f.title 'test Profile for testing'
   end
+
+  factory :tailoring_file, :class => ForemanOpenscap::TailoringFile do |f|
+    f.sequence(:name) { |n| "tailoring_file_#{n}" }
+    f.original_filename 'original tailoring filename'
+    f.scap_file { File.new("#{ForemanOpenscap::Engine.root}/test/files/tailoring_files/ssg-firefox-ds-tailoring.xml", 'rb').read }
+    f.scap_content_profiles []
+  end
 end

data/test/files/tailoring_files/ssg-firefox-ds-tailoring-2.xml

@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" id="xccdf_scap-workbench_tailoring_default">
+  <xccdf:benchmark href="/usr/share/xml/scap/ssg/content/ssg-firefox-ds.xml"/>
+  <xccdf:version time="2016-11-23T11:15:52">1</xccdf:version>
+  <xccdf:Profile id="xccdf_org.ssgproject.content_profile_stig-firefox-upstream_customized_again" extends="xccdf_org.ssgproject.content_profile_stig-firefox-upstream">
+    <xccdf:title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Upstream Firefox STIG [CUSTOMIZED AGAIN]</xccdf:title>
+    <xccdf:description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This profile is developed under the DoD consensus model and DISA FSO Vendor STIG process,
+serving as the upstream development environment for the Firefox STIG.
+
+As a result of the upstream/downstream relationship between the SCAP Security Guide project
+and the official DISA FSO STIG baseline, users should expect variance between SSG and DISA FSO content.
+For official DISA FSO STIG content, refer to http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx.
+
+While this profile is packaged by Red Hat as part of the SCAP Security Guide package, please note
+that commercial support of this SCAP content is NOT available. This profile is provided as example
+SCAP content with no endorsement for suitability or production readiness. Support for this
+profile is provided by the upstream SCAP Security Guide community on a best-effort basis. The
+upstream project homepage is https://fedorahosted.org/scap-security-guide/.
+</xccdf:description>
+    <xccdf:select idref="xccdf_org.ssgproject.content_rule_firefox_preferences-javascript_context_menus" selected="false"/>
+    <xccdf:select idref="xccdf_org.ssgproject.content_rule_firefox_preferences-auto-download_actions" selected="false"/>
+  </xccdf:Profile>
+</xccdf:Tailoring>

data/test/files/tailoring_files/ssg-firefox-ds-tailoring.xml

@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" id="xccdf_scap-workbench_tailoring_default">
+  <xccdf:benchmark href="/usr/share/xml/scap/ssg/content/ssg-firefox-ds.xml"/>
+  <xccdf:version time="2016-11-10T11:24:26">1</xccdf:version>
+  <xccdf:Profile id="xccdf_org.ssgproject.content_profile_stig-firefox-upstream_customized" extends="xccdf_org.ssgproject.content_profile_stig-firefox-upstream">
+    <xccdf:title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Upstream Firefox STIG [CUSTOMIZED]</xccdf:title>
+    <xccdf:description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This profile is developed under the DoD consensus model and DISA FSO Vendor STIG process,
+serving as the upstream development environment for the Firefox STIG.
+
+As a result of the upstream/downstream relationship between the SCAP Security Guide project
+and the official DISA FSO STIG baseline, users should expect variance between SSG and DISA FSO content.
+For official DISA FSO STIG content, refer to http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx.
+
+While this profile is packaged by Red Hat as part of the SCAP Security Guide package, please note
+that commercial support of this SCAP content is NOT available. This profile is provided as example
+SCAP content with no endorsement for suitability or production readiness. Support for this
+profile is provided by the upstream SCAP Security Guide community on a best-effort basis. The
+upstream project homepage is https://fedorahosted.org/scap-security-guide/.
+</xccdf:description>
+    <xccdf:select idref="xccdf_org.ssgproject.content_rule_firefox_preferences-non-secure_page_warning" selected="true"/>
+    <xccdf:select idref="xccdf_org.ssgproject.content_rule_firefox_preferences-javascript_status_bar_text" selected="true"/>
+    <xccdf:select idref="xccdf_org.ssgproject.content_rule_firefox_preferences-javascript_context_menus" selected="true"/>
+    <xccdf:select idref="xccdf_org.ssgproject.content_rule_firefox_preferences-javascript_status_bar_changes" selected="true"/>
+    <xccdf:select idref="xccdf_org.ssgproject.content_rule_firefox_preferences-javascript_window_resizing" selected="true"/>
+    <xccdf:select idref="xccdf_org.ssgproject.content_rule_firefox_preferences-javascript_window_changes" selected="true"/>
+    <xccdf:select idref="xccdf_org.ssgproject.content_rule_firefox_preferences-auto-update_of_firefox" selected="false"/>
+    <xccdf:select idref="xccdf_org.ssgproject.content_rule_firefox_preferences-autofill_passwords" selected="false"/>
+    <xccdf:select idref="xccdf_org.ssgproject.content_rule_firefox_preferences-autofill_forms" selected="false"/>
+    <xccdf:select idref="xccdf_org.ssgproject.content_rule_firefox_preferences-addons_plugin_updates" selected="false"/>
+  </xccdf:Profile>
+</xccdf:Tailoring>

data/test/functional/api/v2/compliance/policies_controller_test.rb

@@ -3,6 +3,12 @@ require 'test_plugin_helper'
 class Api::V2::Compliance::PoliciesControllerTest < ActionController::TestCase
   setup do
     ::ForemanOpenscap::Policy.any_instance.stubs(:ensure_needed_puppetclasses).returns(true)
+    @scap_content_profile = FactoryGirl.create(:scap_content_profile)
+    @attributes = { :policy => { :name => 'my_policy',
+                                 :scap_content_profile_id => @scap_content_profile.id,
+                                 :scap_content_id => @scap_content_profile.scap_content_id,
+                                 :period => 'weekly',
+                                 :weekday => 'friday' }}
   end
 
   test "should get index" do
@@ -36,18 +42,30 @@ class Api::V2::Compliance::PoliciesControllerTest < ActionController::TestCase
   end
 
   test "should create a policy" do
-    scap_content_profile = FactoryGirl.create(:scap_content_profile)
-    attributes = { :policy => { :name => 'my_policy',
-                                :scap_content_profile_id => scap_content_profile.id,
-                                :scap_content_id => scap_content_profile.scap_content_id,
-                                :period => 'weekly',
-                                :weekday => 'friday' }}
-    post :create, attributes, set_session_user
+    post :create, @attributes, set_session_user
     response = ActiveSupport::JSON.decode(@response.body)
-    assert response['scap_content_profile_id'], scap_content_profile.to_param
+    assert response['scap_content_profile_id'], @scap_content_profile.to_param
     assert_response :created
   end
 
+  test "should not create a policy with tailoring file profile and without the actual file" do
+    tailoring_profile = FactoryGirl.create(:scap_content_profile, :profile_id => 'xccdf_org.test.tailoring_profile')
+    @attributes[:policy][:tailoring_file_profile_id] = tailoring_profile.id
+    post :create, @attributes, set_session_user
+    response = ActiveSupport::JSON.decode(@response.body)
+    assert_not_nil response['error']['errors']['tailoring_file_id']
+    assert_response :unprocessable_entity
+  end
+
+  test "should not create a policy with tailoring file and without tailoring profile" do
+    tailoring_file = FactoryGirl.create(:tailoring_file)
+    @attributes[:policy][:tailoring_file_id] = tailoring_file.id
+    post :create, @attributes, set_session_user
+    response = ActiveSupport::JSON.decode(@response.body)
+    assert_not_nil response['error']['errors']['tailoring_file_profile_id']
+    assert_response :unprocessable_entity
+  end
+
   test "should not create invalid policy" do
     post :create, {}, set_session_user
     assert_response :unprocessable_entity
@@ -66,4 +84,13 @@ class Api::V2::Compliance::PoliciesControllerTest < ActionController::TestCase
     assert(@response.header['Content-Type'], 'application/xml')
     assert_response :success
   end
+
+  test "should return xml of a tailoring file" do
+    tailoring_profile = FactoryGirl.create(:scap_content_profile)
+    policy = FactoryGirl.create(:policy, :tailoring_file => FactoryGirl.create(:tailoring_file, :scap_content_profiles => [tailoring_profile]),
+                                         :tailoring_file_profile => tailoring_profile)
+    get :tailoring, { :id => policy.id }, set_session_user
+    assert(@response.header['Content-Type'], 'application/xml')
+    assert_response :success
+  end
 end

data/test/functional/api/v2/compliance/scap_contents_controller_test.rb

@@ -17,7 +17,7 @@ class Api::V2::Compliance::ScapContentsControllerTest < ActionController::TestCa
     assert_response :success
   end
 
-  test "should create invalid scap content" do
+  test "should not create invalid scap content" do
     post :create, {}, set_session_user
     assert_response :unprocessable_entity
   end

data/test/functional/api/v2/compliance/tailoring_files_controller_test.rb

@@ -0,0 +1,63 @@
+require 'test_plugin_helper'
+
+class Api::V2::Compliance::TailoringFilesControllerTest < ActionController::TestCase
+
+  test "should get index" do
+    FactoryGirl.create(:tailoring_file)
+    get :index, {}, set_session_user
+    response = ActiveSupport::JSON.decode(@response.body)
+    assert response['results'].any?
+    assert_response :success
+  end
+
+  test "should return xml of tailoring_file" do
+    tailoring_file = FactoryGirl.create(:tailoring_file)
+    get :show, { :id => tailoring_file.id }, set_session_user
+    assert(@response.header['Content-Type'], 'application/xml')
+    assert_response :success
+  end
+
+  test "should not create invalid tailoring_file" do
+    post :create, {}, set_session_user
+    assert_response :unprocessable_entity
+  end
+
+  test "should create tailoring_file" do
+    tf = FactoryGirl.build(:tailoring_file)
+    tf_params = { :name => tf.name, :original_filename => tf.original_filename, :scap_file => tf.scap_file }
+    ForemanOpenscap::OpenscapProxyVersionCheck.any_instance.stubs(:openscap_proxy_versions).
+      returns({})
+    post :create, tf_params, set_session_user
+    assert_response :success
+  end
+
+  test "should update tailoring_file" do
+    tailoring_file = FactoryGirl.create(:tailoring_file)
+    put :update, { :id => tailoring_file.id, :tailoring_file => { :name => 'RHEL7 SCAP' }}, set_session_user
+    assert_response :success
+    assert tailoring_file.name, 'RHEL7 SCAP'
+  end
+
+  test "should not update invalid tailoring_file" do
+    tailoring_file = FactoryGirl.create(:tailoring_file)
+    ProxyAPI::Openscap.any_instance.stubs(:validate_scap_file).returns({'errors' => ['Invalid file']})
+    put :update, { :id => tailoring_file.id, :tailoring_file => { :scap_file => '<xml>blah</xml>' }}, set_session_user
+    assert_response :unprocessable_entity
+  end
+
+  test "should destory tailoring_file" do
+    tailoring_file = FactoryGirl.create(:tailoring_file)
+    delete :destroy, { :id => tailoring_file.id }, set_session_user
+    assert_response :ok
+    refute ForemanOpenscap::ScapContent.exists?(tailoring_file.id)
+  end
+
+  test "should not create tailoring file when there is outdated proxy version" do
+    tf = FactoryGirl.build(:tailoring_file)
+    tf_params = { :name => tf.name, :original_filename => tf.original_filename, :scap_file => tf.scap_file }
+    ForemanOpenscap::OpenscapProxyVersionCheck.any_instance.stubs(:openscap_proxy_versions).
+      returns('test-proxy' => '0.5.4')
+    post :create, tf_params, set_session_user
+    assert_response :unprocessable_entity
+  end
+end

data/test/functional/openscap_proxies_controller_test.rb

@@ -0,0 +1,14 @@
+require 'test_plugin_helper'
+
+class OpenscapProxiesControllerTest < ActionController::TestCase
+  include ActionView::Helpers::DateHelper
+
+  test "should render spool error" do
+    spool_error = { "timestamp" => 1_487_144_633.951_368, "level" => "ERROR", "message"=> "Failed to parse Arf Report in test" }
+    OpenscapProxiesController.any_instance.stubs(:find_spool_error).returns(spool_error)
+    proxy = FactoryGirl.create(:openscap_proxy)
+    get :openscap_spool, { :id => proxy.id }, set_session_user
+    assert_template :partial => 'smart_proxies/_openscap_spool'
+    assert @response.body.match(time_ago_in_words(Time.at(spool_error["timestamp"])))
+  end
+end

data/test/functional/tailoring_files_controller_test.rb

@@ -0,0 +1,38 @@
+require 'test_plugin_helper'
+
+class TailoringFilesControllerTest < ActionController::TestCase
+  setup do
+    @tailoring_file = FactoryGirl.create(:tailoring_file)
+    @scap_file = File.new("#{ForemanOpenscap::Engine.root}/test/files/tailoring_files/ssg-firefox-ds-tailoring.xml", 'rb')
+  end
+
+  test 'index' do
+    get :index, {}, set_session_user
+    assert_template 'index'
+  end
+
+  test 'new' do
+    get :new, {}, set_session_user
+    assert_template 'new'
+  end
+
+  test 'edit' do
+    get :edit, { :id => @tailoring_file.id }, set_session_user
+    assert_template 'edit'
+  end
+
+  test 'create' do
+    uploaded_file = ActionDispatch::Http::UploadedFile.new(:tempfile => @scap_file,
+                                                           :content_type => 'text/xml')
+    uploaded_file.original_filename = 'uploaded-tailoring-file.xml'
+    post :create, { :tailoring_file => { :name => 'some_file', :scap_file => uploaded_file } }, set_session_user
+    assert_redirected_to tailoring_files_url
+  end
+
+  test 'destroy' do
+    tf = ForemanOpenscap::TailoringFile.first
+    delete :destroy, { :id => tf.id }, set_session_user
+    assert_redirected_to tailoring_files_url
+    refute ForemanOpenscap::TailoringFile.exists?(tf.id)
+  end
+end

data/test/test_plugin_helper.rb

@@ -13,6 +13,22 @@ module ScapClientPuppetclass
   end
 end
 
+module ScapTestProxy
+  private
+
+  def add_smart_proxy
+    FactoryGirl.create(:smart_proxy, :url => 'http://localhost:8443', :features => [FactoryGirl.create(:feature, :name => 'Openscap')])
+    ProxyAPI::Features.any_instance.stubs(:features).returns(%w(puppet openscap))
+    versions = { "version" => "1.11.0", "modules" => { "openscap" => "0.5.3" } }
+    ProxyAPI::Version.any_instance.stubs(:proxy_versions).returns(versions)
+    ProxyAPI::Openscap.any_instance.stubs(:validate_scap_file).returns({'errors' => []})
+    ProxyAPI::Openscap.any_instance.stubs(:fetch_policies_for_scap_content).
+      returns({'xccdf_org.ssgproject.content_profile_common' => 'Common Profile for General-Purpose Fedora Systems'})
+    ProxyAPI::Openscap.any_instance.stubs(:fetch_profiles_for_tailoring_file).
+      returns({'xccdf_org.ssgproject.test_profile_common' => 'Stubbed test profile'})
+  end
+end
+
 class ActionMailer::TestCase
   include ScapClientPuppetclass
   setup :skip_scap_callback
@@ -20,36 +36,14 @@ end
 
 class ActionController::TestCase
   include ScapClientPuppetclass
+  include ScapTestProxy
 
   setup :add_smart_proxy, :skip_scap_callback
-
-  private
-
-  def add_smart_proxy
-    FactoryGirl.create(:smart_proxy, :url => 'http://localhost:8443', :features => [FactoryGirl.create(:feature, :name => 'Openscap')])
-    ::ProxyAPI::Features.any_instance.stubs(:features).returns(%w(puppet openscap))
-    versions = { "version" => "1.11.0", "modules" => { "openscap" => "0.5.3" } }
-    ::ProxyAPI::Version.any_instance.stubs(:proxy_versions).returns(versions)
-    ProxyAPI::Openscap.any_instance.stubs(:validate_scap_content).returns({'errors' => []})
-    ProxyAPI::Openscap.any_instance.stubs(:fetch_policies_for_scap_content)
-        .returns({'xccdf_org.ssgproject.content_profile_common' => 'Common Profile for General-Purpose Fedora Systems'})
-  end
 end
 
 class ActiveSupport::TestCase
   include ScapClientPuppetclass
+  include ScapTestProxy
 
   setup :add_smart_proxy, :skip_scap_callback
-
-  private
-
-  def add_smart_proxy
-    FactoryGirl.create(:smart_proxy, :url => 'http://localhost:8443', :features => [FactoryGirl.create(:feature, :name => 'Openscap')])
-    ::ProxyAPI::Features.any_instance.stubs(:features).returns(%w(puppet openscap))
-    versions = { "version" => "1.11.0", "modules" => { "openscap" => "0.5.3" } }
-    ::ProxyAPI::Version.any_instance.stubs(:proxy_versions).returns(versions)
-    ProxyAPI::Openscap.any_instance.stubs(:validate_scap_content).returns({'errors' => []})
-    ProxyAPI::Openscap.any_instance.stubs(:fetch_policies_for_scap_content)
-        .returns({'xccdf_org.ssgproject.content_profile_common' => 'Common Profile for General-Purpose Fedora Systems'})
-  end
 end

data/test/unit/openscap_host_test.rb

@@ -20,7 +20,17 @@ class OpenscapHostTest < ActiveSupport::TestCase
   test 'Host has policies via its hostgroup' do
     host = FactoryGirl.create(:host, :with_hostgroup)
     hostgroup = host.hostgroup
-    @policy.hostgroup_ids = ["#{hostgroup.id}"]
+    @policy.hostgroup_ids = [ hostgroup.id ]
+    assert @policy.save
+    refute_empty(host.combined_policies)
+    assert_includes(host.combined_policies, @policy)
+  end
+
+  test 'Host has policies via its host group and its parent host groups' do
+    host = FactoryGirl.create(:host, :with_hostgroup)
+    hostgroup = host.hostgroup
+    hostgroup.parent = FactoryGirl.create(:hostgroup)
+    @policy.hostgroup_ids = [ hostgroup.parent.id ]
     assert @policy.save
     refute_empty(host.combined_policies)
     assert_includes(host.combined_policies, @policy)

data/test/unit/policy_test.rb

@@ -3,6 +3,8 @@ require 'test_plugin_helper'
 class PolicyTest < ActiveSupport::TestCase
   setup do
     ForemanOpenscap::Policy.any_instance.stubs(:ensure_needed_puppetclasses).returns(true)
+    ForemanOpenscap::DataStreamValidator.any_instance.stubs(:validate)
+    ForemanOpenscap::ScapContent.any_instance.stubs(:fetch_profiles).returns({ 'test_profile_key' => 'test_profile_title' })
     @scap_content = FactoryGirl.create(:scap_content)
     @scap_profile = FactoryGirl.create(:scap_content_profile)
   end
@@ -140,4 +142,28 @@ class PolicyTest < ActiveSupport::TestCase
     refute p.save
     assert p.errors[:scap_content_profile_id].include?("can't be blank")
   end
+
+  test "should have correct scap profile in enc" do
+    p = FactoryGirl.create(:policy)
+    profile_id = p.scap_content_profile.profile_id
+    assert_equal profile_id, p.to_enc['profile_id']
+    tailoring_profile = FactoryGirl.create(:scap_content_profile, :profile_id => 'xccdf_org.test.tailoring_test_profile')
+    p.tailoring_file_profile = tailoring_profile
+    assert_equal tailoring_profile.profile_id, p.to_enc['profile_id']
+  end
+
+  test "should not create policy with incorrect tailoring profile" do
+    tailoring_profile = FactoryGirl.create(:scap_content_profile, :profile_id => 'xccdf_org.test.common_tailoring_profile')
+    tailoring_file = FactoryGirl.create(:tailoring_file, :scap_content_profiles => [tailoring_profile])
+    p = ForemanOpenscap::Policy.create(:name => "custom_policy",
+                                       :period => 'monthly',
+                                       :day_of_month => '5',
+                                       :scap_content => @scap_content,
+                                       :scap_content_profile => @scap_profile,
+                                       :tailoring_file => tailoring_file,
+                                       :tailoring_file_profile => @scap_profile)
+    refute p.valid?
+    p.tailoring_file_profile = tailoring_profile
+    assert p.save
+  end
 end

data/test/unit/services/tailoring_files_proxy_check_test.rb

@@ -0,0 +1,27 @@
+require 'test_plugin_helper'
+
+class TailoringFilesProxyCheckTest < ActiveSupport::TestCase
+  test 'should find proxies with old versions' do
+    ForemanOpenscap::OpenscapProxyVersionCheck.any_instance.stubs(:openscap_proxy_versions).
+      returns('old-proxy.test.com' => "0.5.4", "outdate-proxy.test.com" => "0.6.0")
+    check = ForemanOpenscap::OpenscapProxyVersionCheck.new.run
+    refute check.pass?
+    refute check.message.empty?
+  end
+
+  test 'should not find any outdated proxies' do
+    ForemanOpenscap::OpenscapProxyVersionCheck.any_instance.stubs(:openscap_proxy_versions).
+      returns({})
+    check = ForemanOpenscap::OpenscapProxyVersionCheck.new.run
+    assert check.pass?
+    assert check.message.empty?
+  end
+
+  test 'should fail when proxy cannot be reached' do
+    ProxyStatus::Version.any_instance.stubs(:version).raises(Foreman::WrappedException.new(nil, 'test message'))
+    ForemanOpenscap::OpenscapProxyVersionCheck.any_instance.stubs(:get_openscap_proxies).returns([FactoryGirl.create(:openscap_proxy)])
+    check = ForemanOpenscap::OpenscapProxyVersionCheck.new.run
+    refute check.pass?
+    refute check.message.empty?
+  end
+end

data/test/unit/tailoring_file_test.rb

@@ -0,0 +1,26 @@
+require 'test_plugin_helper'
+
+class TailoringFileTest < ActiveSupport::TestCase
+  setup do
+    @scap_file = File.new("#{ForemanOpenscap::Engine.root}/test/files/tailoring_files/ssg-firefox-ds-tailoring.xml", 'rb').read
+  end
+
+  test 'should create tailoring file' do
+    tailoring_file = ForemanOpenscap::TailoringFile.create(:name => 'test_file', :scap_file => @scap_file, :original_filename => 'original name')
+    assert tailoring_file.valid?
+  end
+
+  test 'should not create tailoring_file without scap file' do
+    tailoring_file = ForemanOpenscap::TailoringFile.create(:name => 'test_file', :original_filename => 'original name')
+    refute tailoring_file.valid?
+  end
+
+  test 'should redigist when scap file changed' do
+    scap_file = File.new("#{ForemanOpenscap::Engine.root}/test/files/tailoring_files/ssg-firefox-ds-tailoring-2.xml", 'rb').read
+    tailoring_file = ForemanOpenscap::TailoringFile.create(:name => 'test_file', :scap_file => @scap_file, :original_filename => 'original name')
+    original_digest = tailoring_file.digest
+    tailoring_file.scap_file = scap_file
+    assert tailoring_file.save
+    refute_equal original_digest, tailoring_file.digest
+  end
+end