foreman_openscap 4.1.1 → 4.3.1

data/package.json

@@ -0,0 +1,48 @@
+{
+  "name": "foreman_openscap",
+  "version": "0.1.0",
+  "description": "Foreman plug-in for managing security compliance reports",
+  "main": "index.js",
+  "scripts": {
+    "lint": "tfm-lint --plugin -d /webpack",
+    "test": "tfm-test --plugin --config jest.config.js",
+    "test:watch": "tfm-test --plugin --watchAll --config jest.config.js",
+    "test:current": "tfm-test --plugin --watch --config jest.config.js",
+    "publish-coverage": "tfm-publish-coverage",
+    "stories": "tfm-stories --plugin",
+    "stories:build": "tfm-build-stories --plugin",
+    "create-react-component": "yo react-domain"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/theforeman/foreman_openscap.git"
+  },
+  "bugs": {
+    "url": "https://projects.theforeman.org/projects/foreman_openscap/issues"
+  },
+  "peerDependencies": {
+    "@theforeman/vendor": ">= 4.13.2"
+  },
+  "devDependencies": {
+    "@apollo/react-testing": "^4.0.0",
+    "@babel/core": "^7.7.0",
+    "@testing-library/dom": "^7.30.4",
+    "@testing-library/jest-dom": "^5.11.9",
+    "@testing-library/react": "^11.2.5",
+    "@testing-library/user-event": "^13.1.2",
+    "@theforeman/builder": "^8.4.1",
+    "@theforeman/eslint-plugin-foreman": "8.4.1",
+    "@theforeman/find-foreman": "^8.4.1",
+    "@theforeman/stories": "^8.4.1",
+    "@theforeman/test": "^8.4.1",
+    "@theforeman/vendor-dev": "^8.4.1",
+    "babel-eslint": "^10.0.3",
+    "eslint": "^6.7.2",
+    "jed": "^1.1.1",
+    "jest-svg-transformer": "^1.0.0",
+    "jest-transform-graphql": "^2.1.0",
+    "prettier": "^1.13.5",
+    "stylelint": "^9.3.0",
+    "stylelint-config-standard": "^18.0.0"
+  }
+}

data/test/factories/compliance_host_factory.rb

@@ -16,4 +16,16 @@ FactoryBot.define do
     openscap_proxy { SmartProxy.unscoped.with_features('Openscap').first || FactoryBot.create(:openscap_proxy) }
     policies { [] }
   end
+
+  factory :oval_facet, :class => ForemanOpenscap::Host::OvalFacet
+
+  factory :oval_host, :class => Host::Managed do
+    sequence(:name) { |n| "host#{n}" }
+  end
+
+  factory :cve, :class => ForemanOpenscap::Cve do
+    sequence(:ref_id) { |n| "CVE-#{n}" }
+    sequence(:ref_url) { |n| "https://access.redhat.com/security/cve/CVE-#{n}" }
+    sequence(:definition_id) { |n| "oval:com.redhat.rhsa:def:202015#{n}" }
+  end
 end

data/test/factories/oval_content_factory.rb

@@ -0,0 +1,7 @@
+FactoryBot.define do
+  factory :oval_content, :class => ::ForemanOpenscap::OvalContent do |f|
+    f.sequence(:name) { |n| "oval_content_#{n}" }
+    f.original_filename { 'test-oval.xml' }
+    f.scap_file { '<xml>foo</xml>' }
+  end
+end

data/test/factories/oval_policy_factory.rb

@@ -0,0 +1,9 @@
+FactoryBot.define do
+  factory :oval_policy, :class => ::ForemanOpenscap::OvalPolicy do
+    sequence(:name) { |n| "policy#{n}" }
+    period { 'weekly' }
+    weekday { 'monday' }
+    day_of_month { nil }
+    cron_line { nil }
+  end
+end

data/test/fixtures/cve_fixtures.rb

@@ -0,0 +1,104 @@
+module ForemanOpenscap
+  class CveFixtures
+    def res_one(result_state = 'true')
+      init_result(
+        { "references" => [
+          { "ref_id" => "RHSA-2020:0215", "ref_url" => "https://access.redhat.com/errata/RHSA-2020:0215" },
+          { "ref_id" => "CVE-2019-16541", "ref_url" => "https://access.redhat.com/security/cve/CVE-2019-16541" },
+          { "ref_id" => "CVE-2020-14040", "ref_url" => "https://access.redhat.com/security/cve/CVE-2020-14040" },
+          { "ref_id" => "CVE-2020-14370", "ref_url" => "https://access.redhat.com/security/cve/CVE-2020-14370" },
+          { "ref_id" => "CVE-2020-15586", "ref_url" => "https://access.redhat.com/security/cve/CVE-2020-15586" },
+          { "ref_id" => "CVE-2020-16845", "ref_url" => "https://access.redhat.com/security/cve/CVE-2020-16845" },
+          { "ref_id" => "CVE-2020-2252", "ref_url" => "https://access.redhat.com/security/cve/CVE-2020-2252" },
+          { "ref_id" => "CVE-2020-2254", "ref_url" => "https://access.redhat.com/security/cve/CVE-2020-2254" },
+          { "ref_id" => "CVE-2020-2255", "ref_url" => "https://access.redhat.com/security/cve/CVE-2020-2255" },
+          { "ref_id" => "CVE-2020-8564", "ref_url" => "https://access.redhat.com/security/cve/CVE-2020-8564" }
+        ] },
+        result_state,
+        "oval:com.redhat.rhsa:def:20201545"
+      )
+    end
+
+    def res_two(result_state = 'true')
+      init_result(
+        { "references" => [
+          { "ref_id" => "RHSA-2020:3601", "ref_url" => "https://access.redhat.com/errata/RHSA-2020:3601" },
+          { "ref_id" => "CVE-2020-2181", "ref_url" => "https://access.redhat.com/security/cve/CVE-2020-2181" },
+          { "ref_id" => "CVE-2020-2182", "ref_url" => "https://access.redhat.com/security/cve/CVE-2020-2182" },
+          { "ref_id" => "CVE-2020-2224", "ref_url" => "https://access.redhat.com/security/cve/CVE-2020-2224" },
+          { "ref_id" => "CVE-2020-2225", "ref_url" => "https://access.redhat.com/security/cve/CVE-2020-2225" },
+          { "ref_id" => "CVE-2020-2226", "ref_url" => "https://access.redhat.com/security/cve/CVE-2020-2226" }
+        ] },
+        result_state,
+        "oval:com.redhat.rhsa:def:20201544"
+      )
+    end
+
+    def res_three(result_state = 'true')
+      init_result(
+        { "references" => [
+          { "ref_id" => "CVE-2019-17638", "ref_url" => "https://access.redhat.com/security/cve/CVE-2019-17638" },
+          { "ref_id" => "CVE-2020-2229", "ref_url" => "https://access.redhat.com/security/cve/CVE-2020-2229" },
+          { "ref_id" => "CVE-2020-2230", "ref_url" => "https://access.redhat.com/security/cve/CVE-2020-2230" },
+          { "ref_id" => "CVE-2020-2231", "ref_url" => "https://access.redhat.com/security/cve/CVE-2020-2231" }
+        ] },
+        result_state,
+        "oval:com.redhat.rhsa:def:20201543"
+      )
+    end
+
+    def res_four(result_state = 'true')
+      init_result(
+        { "references" => [
+          { "ref_id" => "RHSA-2020:3601", "ref_url" => "https://access.redhat.com/errata/RHSA-2020:3601" },
+          { "ref_id" => "CVE-2019-17638", "ref_url" => "https://access.redhat.com/security/cve/CVE-2019-17638" },
+          { "ref_id" => "CVE-2020-2220", "ref_url" => "https://access.redhat.com/security/cve/CVE-2020-2220" },
+          { "ref_id" => "CVE-2020-2221", "ref_url" => "https://access.redhat.com/security/cve/CVE-2020-2221" },
+          { "ref_id" => "CVE-2020-2222", "ref_url" => "https://access.redhat.com/security/cve/CVE-2020-2222" },
+          { "ref_id" => "CVE-2020-2223", "ref_url" => "https://access.redhat.com/security/cve/CVE-2020-2223" },
+          { "ref_id" => "CVE-2020-2229", "ref_url" => "https://access.redhat.com/security/cve/CVE-2020-2229" },
+          { "ref_id" => "CVE-2020-2230", "ref_url" => "https://access.redhat.com/security/cve/CVE-2020-2230" },
+          { "ref_id" => "CVE-2020-2231", "ref_url" => "https://access.redhat.com/security/cve/CVE-2020-2231" },
+          { "ref_id" => "CVE-2020-8557", "ref_url" => "https://access.redhat.com/security/cve/CVE-2020-8557" }
+        ] },
+        result_state,
+        "oval:com.redhat.rhsa:def:20201542"
+      )
+    end
+
+    def res_five(result_state = 'true')
+      init_result(
+        { "references" => [
+          { "ref_id" => "CVE-2020-2181", "ref_url" => "https://access.redhat.com/security/cve/CVE-2020-2181" },
+          { "ref_id" => "CVE-2020-2182", "ref_url" => "https://access.redhat.com/security/cve/CVE-2020-2182" },
+          { "ref_id" => "CVE-2020-2190", "ref_url" => "https://access.redhat.com/security/cve/CVE-2020-2190" },
+          { "ref_id" => "CVE-2020-2224", "ref_url" => "https://access.redhat.com/security/cve/CVE-2020-2224" },
+          { "ref_id" => "CVE-2020-2225", "ref_url" => "https://access.redhat.com/security/cve/CVE-2020-2225" },
+          { "ref_id" => "CVE-2020-2226", "ref_url" => "https://access.redhat.com/security/cve/CVE-2020-2226" }
+        ] },
+        result_state,
+        "oval:com.redhat.rhsa:def:20201541"
+      )
+    end
+
+    def one
+      [res_one, res_two, res_three, res_four, res_five]
+    end
+
+    def two
+      [res_one('false'), res_two, res_three('false')]
+    end
+
+    def ids_from(fixture)
+      fixture['references'].pluck('ref_id')
+    end
+
+    private
+
+    def init_result(data, result_state, definition_id)
+      data['result'] = result_state
+      data['definition_id'] = definition_id
+      data
+    end
+  end
+end

data/test/functional/api/v2/compliance/oval_contents_controller_test.rb

@@ -0,0 +1,39 @@
+require 'test_plugin_helper'
+require 'tempfile'
+
+class Api::V2::Compliance::OvalContentsControllerTest < ActionController::TestCase
+  test "should get index" do
+    FactoryBot.create(:oval_content)
+    get :index, :session => set_session_user
+    response = ActiveSupport::JSON.decode(@response.body)
+    assert response['results'].any?
+    assert_response :success
+  end
+
+  test "should create OVAL content" do
+    post :create, :params => { :oval_content => { :name => 'OVAL test', :scap_file => content_file } }, :session => set_session_user
+    assert_response :success
+  end
+
+  test "should update OVAL content" do
+    new_name = 'RHEL7 OVAL'
+    oval_content = FactoryBot.create(:oval_content)
+    put :update, :params => { :id => oval_content.id, :oval_content => { :name => new_name } }, :session => set_session_user
+    assert_response :success
+    assert oval_content.name, new_name
+  end
+
+  test "should destory OVAL content" do
+    oval_content = FactoryBot.create(:oval_content)
+    delete :destroy, :params => { :id => oval_content.id }, :session => set_session_user
+    assert_response :ok
+    refute ForemanOpenscap::OvalContent.exists?(oval_content.id)
+  end
+
+  def content_file
+    file = Tempfile.new('test')
+    file.write('<xml>test</xml>')
+    file.rewind
+    Rack::Test::UploadedFile.new(file, '')
+  end
+end

data/test/functional/api/v2/compliance/oval_policies_controller_test.rb

@@ -0,0 +1,141 @@
+require 'test_plugin_helper'
+require 'base64'
+
+class Api::V2::Compliance::OvalPoliciesControllerTest < ActionController::TestCase
+  setup do
+    @file = Base64.encode64(read_oval_content('ansible-2.9.oval.xml.bz2'))
+    oval_content = FactoryBot.create(:oval_content, :scap_file => @file)
+    @attributes = { :oval_policy => { :name => 'my_policy', :period => 'weekly', :weekday => 'friday', :oval_content_id => oval_content.id } }
+    @config = ForemanOpenscap::ClientConfig::Ansible.new(::ForemanOpenscap::OvalPolicy)
+    @policy = FactoryBot.create(:oval_policy, :oval_content => oval_content)
+  end
+
+  test "should get index of OVAL policies" do
+    get :index, :session => set_session_user
+    response = ActiveSupport::JSON.decode(@response.body)
+    assert !response['results'].empty?
+    assert_response :success
+  end
+
+  test "should show OVAL policy" do
+    get :show, :params => { :id => @policy.to_param }, :session => set_session_user
+    response = ActiveSupport::JSON.decode(@response.body)
+    assert response['name'], @policy.name
+    assert_response :success
+  end
+
+  test "should update OVAL policy" do
+    put :update, :params => { :id => @policy.id, :oval_policy => { :period => 'monthly', :day_of_month => 15 } }
+    updated_policy = ActiveSupport::JSON.decode(@response.body)
+    assert(updated_policy['period'], 'monthly')
+    assert_response :ok
+  end
+
+  test "should not update invalid OVAL policy" do
+    put :update, :params => { :id => @policy.id, :oval_policy => { :name => '' } }
+    assert_response :unprocessable_entity
+  end
+
+  test "should create OVAL policy" do
+    post :create, :params => @attributes, :session => set_session_user
+    assert_response :created
+  end
+
+  test "should not create invalid OVAL policy" do
+    post :create, :session => set_session_user
+    assert_response :unprocessable_entity
+  end
+
+  test "should destroy OVAL policy" do
+    delete :destroy, :params => { :id => @policy.id }, :session => set_session_user
+    assert_response :ok
+    refute ForemanOpenscap::OvalPolicy.exists?(@policy.id)
+  end
+
+  test "should return error when OVAL policy not found" do
+    get :show, :params => { :id => @policy.id + 1 }, :session => set_session_user
+    response = ActiveSupport::JSON.decode(@response.body)
+    assert response['error']
+    assert_response :missing
+  end
+
+  test "should assign policy to multiple hosts correctly" do
+    proxy = FactoryBot.create(:openscap_proxy)
+    host1 = FactoryBot.create(:compliance_host, :openscap_proxy => proxy)
+    host2 = FactoryBot.create(:compliance_host, :openscap_proxy => proxy)
+    setup_ansible
+
+    assert_empty host1.oval_policies
+    assert_empty host2.oval_policies
+
+    post :assign_hosts, :params => { :id => @policy.id, :host_ids => [host1, host2].pluck(:id) }, :session => set_session_user
+    assert_equal "OVAL policy successfully configured with hosts.", ActiveSupport::JSON.decode(@response.body)['message']
+
+    assert_equal 2, host1.lookup_values.count
+    server_value = @server_key.lookup_values.find_by :match => "fqdn=#{host1.name}"
+    port_value = @port_key.lookup_values.find_by :match => "fqdn=#{host1.name}"
+    assert_equal proxy.hostname, server_value.value
+    assert_equal proxy.port, port_value.value
+  end
+
+  test "should assign policy to multiple hostgroups correctly" do
+    proxy = FactoryBot.create(:openscap_proxy)
+    hg1 = FactoryBot.create(:hostgroup, :openscap_proxy => proxy)
+    hg2 = FactoryBot.create(:hostgroup, :openscap_proxy => proxy)
+    setup_ansible
+
+    assert_empty hg1.oval_policies
+    assert_empty hg2.oval_policies
+
+    post :assign_hostgroups, :params => { :id => @policy.id, :hostgroup_ids => [hg1, hg2].pluck(:id) }, :session => set_session_user
+    assert_equal "OVAL policy successfully configured with hostgroups.", ActiveSupport::JSON.decode(@response.body)['message']
+
+    assert_equal 2, hg1.lookup_values.count
+    server_value = @server_key.lookup_values.find_by :match => "hostgroup=#{hg1.name}"
+    port_value = @port_key.lookup_values.find_by :match => "hostgroup=#{hg1.name}"
+    assert_equal proxy.hostname, server_value.value
+    assert_equal proxy.port, port_value.value
+  end
+
+  test "should not assign policy to hostgroup without openscap proxy" do
+    hg = FactoryBot.create(:hostgroup)
+    setup_ansible
+
+    assert_empty hg.oval_policies
+
+    post :assign_hostgroups, :params => { :id => @policy.id, :hostgroup_ids => hg.id }, :session => set_session_user
+    res = ActiveSupport::JSON.decode(@response.body)['results'].first
+    assert_equal "Was Hostgroup configured successfully?", res['title']
+    assert_equal "fail", res['result']
+    assert_equal "Assign openscap_proxy to #{hg.name} before proceeding.", res['fail_message']
+    hg.reload
+    assert_empty hg.oval_policies
+  end
+
+  test "should not assign policy to hostgroup when ansible role not present" do
+    hg = FactoryBot.create(:hostgroup)
+    assert_empty hg.oval_policies
+
+    post :assign_hostgroups, :params => { :id => @policy.id, :hostgroup_ids => hg.id }, :session => set_session_user
+    res = ActiveSupport::JSON.decode(@response.body)['results'].first
+    assert_equal 'theforeman.foreman_scap_client Ansible Role not found, please import it before running this action again.', res['fail_message']
+    hg.reload
+    assert_empty hg.oval_policies
+  end
+
+  test "should show oval content" do
+    get :oval_content, :params => { :id => @policy.id }
+    assert response.body, @file
+  end
+
+  def setup_ansible
+    @ansible_role = FactoryBot.create(:ansible_role, :name => @config.ansible_role_name)
+    @port_key = FactoryBot.create(:ansible_variable, :key => @config.port_param, :ansible_role => @ansible_role)
+    @server_key = FactoryBot.create(:ansible_variable, :key => @config.server_param, :ansible_role => @ansible_role)
+    FactoryBot.create(:ansible_variable, :key => @config.policies_param, :ansible_role => @ansible_role)
+  end
+
+  def read_oval_content(file_name)
+    File.read "#{ForemanOpenscap::Engine.root}/test/files/oval_contents/#{file_name}"
+  end
+end

data/test/functional/api/v2/compliance/oval_reports_controller_test.rb

@@ -0,0 +1,32 @@
+require 'test_plugin_helper'
+
+class Api::V2::Compliance::OvalReportsControllerTest < ActionController::TestCase
+  setup do
+    @params = {
+      :oval_results => ForemanOpenscap::CveFixtures.new.one,
+      :oval_policy_id => 5,
+      :date => Time.now.to_i
+    }
+  end
+
+  test 'should accept new CVEs for host' do
+    host = FactoryBot.create(:host)
+    post :create, :params => @params.merge(:cname => host.name), :session => set_session_user
+
+    response = ActiveSupport::JSON.decode(@response.body)
+    assert_equal 'ok', response['result']
+    assert_response :success
+  end
+
+  test 'should show host errors on CVEs upload' do
+    proxy = FactoryBot.create(:smart_proxy)
+    host = FactoryBot.create(:host, :puppet_proxy => proxy, :environment => FactoryBot.create(:environment))
+    SmartProxy.any_instance.stubs(:smart_proxy_features).returns([])
+    post :create, :params => @params.merge(:cname => host.name), :session => set_session_user
+
+    response = ActiveSupport::JSON.decode(@response.body)
+    assert_equal 'fail', response['result']
+    refute response['errors'].empty?
+    assert_response :unprocessable_entity
+  end
+end

data/test/graphql/queries/oval_contents_query_test.rb

@@ -0,0 +1,35 @@
+require 'test_plugin_helper'
+
+module Queries
+  class OvalContentsQueryTest < GraphQLQueryTestCase
+    let(:query) do
+      <<-GRAPHQL
+      query {
+        ovalContents {
+          totalCount
+          nodes {
+            id
+            name
+          }
+        }
+      }
+      GRAPHQL
+    end
+
+    let(:data) { result['data']['ovalContents'] }
+
+    setup do
+      FactoryBot.create_list(:oval_content, 2)
+    end
+
+    test 'should fetch oval contentes' do
+      assert_empty result['errors']
+
+      expected_count = ForemanOpenscap::OvalContent.count
+
+      assert_not_equal 0, expected_count
+      assert_equal expected_count, data['totalCount']
+      assert_equal expected_count, data['nodes'].count
+    end
+  end
+end