foreman_openscap 4.1.3 → 4.3.3

data/test/graphql/queries/oval_policies_query_test.rb

@@ -0,0 +1,35 @@
+require 'test_plugin_helper'
+
+module Queries
+  class OvalPoliciesQueryTest < GraphQLQueryTestCase
+    let(:query) do
+      <<-GRAPHQL
+      query {
+        ovalPolicies {
+          totalCount
+          nodes {
+            id
+            name
+          }
+        }
+      }
+      GRAPHQL
+    end
+
+    let(:data) { result['data']['ovalPolicies'] }
+
+    setup do
+      FactoryBot.create_list(:oval_policy, 2, :oval_content => FactoryBot.create(:oval_content))
+    end
+
+    test 'should fetch oval policies' do
+      assert_empty result['errors']
+
+      expected_count = ForemanOpenscap::OvalPolicy.count
+
+      assert_not_equal 0, expected_count
+      assert_equal expected_count, data['totalCount']
+      assert_equal expected_count, data['nodes'].count
+    end
+  end
+end

data/test/test_plugin_helper.rb

@@ -3,8 +3,12 @@ require 'test_helper'
 
 # Add plugin to FactoryBot's paths
 FactoryBot.definition_file_paths << File.join(File.dirname(__FILE__), 'factories')
+# Add factories from foreman_ansible
+FactoryBot.definition_file_paths << File.join(ForemanAnsible::Engine.root, '/test/factories')
 FactoryBot.reload
 
+require "#{ForemanOpenscap::Engine.root}/test/fixtures/cve_fixtures"
+
 module ScapClientPuppetclass
   def setup_puppet_class
     puppet_config = ::ForemanOpenscap::ClientConfig::Puppet.new

data/test/unit/oval_host_test.rb

@@ -0,0 +1,45 @@
+require 'test_plugin_helper'
+
+class OvalHostTest < ActiveSupport::TestCase
+  test 'should show oval policies in enc' do
+    setup_ansible
+
+    content = FactoryBot.create(:oval_content)
+    policy = FactoryBot.create(:oval_policy, :oval_content => content)
+    proxy = FactoryBot.create(:openscap_proxy)
+    host = FactoryBot.create(:oval_host, :ansible_roles => [@ansible_role], :openscap_proxy => proxy)
+    facet = FactoryBot.create(:oval_facet, :host => host, :oval_policies => [policy])
+
+    host_params = host.info["parameters"]
+    policies = JSON.parse(host_params[@config.policies_param])
+    assert_equal 1, policies.length
+    assert_equal policies.first["id"], policy.id
+
+    assert_equal host_params[@config.port_param], proxy.port.to_s
+    assert_equal host_params[@config.server_param], proxy.hostname
+  end
+
+  def setup_ansible
+    @config = ForemanOpenscap::ClientConfig::Ansible.new(::ForemanOpenscap::OvalPolicy)
+    @ansible_role = FactoryBot.create(:ansible_role, :name => @config.ansible_role_name)
+    @port_key = FactoryBot.create(
+      :ansible_variable,
+      :key => @config.port_param,
+      :ansible_role => @ansible_role,
+      :override => true
+    )
+    @server_key = FactoryBot.create(
+      :ansible_variable,
+      :key => @config.server_param,
+      :ansible_role => @ansible_role,
+      :override => true
+    )
+    @policies_param = FactoryBot.create(
+      :ansible_variable,
+      :key => @config.policies_param,
+      :ansible_role => @ansible_role,
+      :override => true,
+      :default_value => @config.policies_param_default_value
+    )
+  end
+end

data/test/unit/oval_policy_test.rb

@@ -0,0 +1,133 @@
+require 'test_plugin_helper'
+
+class OvalPolicyTest < ActiveSupport::TestCase
+  setup do
+    @oval_content = FactoryBot.create(:oval_content)
+  end
+
+  test "should not create OVAL policy with custom period" do
+    policy = ForemanOpenscap::OvalPolicy.new(:name => "custom_policy",
+                                             :period => 'custom',
+                                             :cron_line => 'aaa',
+                                             :oval_content => @oval_content)
+    refute policy.save
+    assert policy.errors[:cron_line].include?("does not consist of 5 parts separated by space")
+  end
+
+  test "should create OVAL policy with weekly period" do
+    policy = ForemanOpenscap::OvalPolicy.new(:name => "custom_policy",
+                                             :period => 'weekly',
+                                             :weekday => 'monday',
+                                             :oval_content => @oval_content)
+    assert policy.save
+  end
+
+  test "should not create OVAL policy with weekly period" do
+    policy = ForemanOpenscap::OvalPolicy.new(:name => "custom_policy",
+                                             :period => 'weekly',
+                                             :weekday => 'someday',
+                                             :oval_content => @oval_content)
+    refute policy.save
+    assert policy.errors[:weekday].include?("is not a valid value")
+  end
+
+  test "should create OVAL policy with monthly period" do
+    policy = ForemanOpenscap::OvalPolicy.new(:name => "custom_policy",
+                                             :period => 'monthly',
+                                             :day_of_month => '1',
+                                             :oval_content => @oval_content)
+    assert policy.save
+  end
+
+  test "should not create OVAL policy with monthly period" do
+    policy = ForemanOpenscap::OvalPolicy.new(:name => "custom_policy",
+                                             :period => 'monthly',
+                                             :day_of_month => '0',
+                                             :oval_content => @oval_content)
+    refute policy.save
+    assert policy.errors[:day_of_month].include?("must be between 1 and 31")
+  end
+
+  test "should not create OVAL policy when attributes do not correspond to selected period in new record" do
+    policy_0 = ForemanOpenscap::OvalPolicy.new(:name => "custom_policy",
+                                               :period => 'monthly',
+                                               :weekday => 'tuesday',
+                                               :cron_line => "0 0 0 0 0",
+                                               :oval_content => @oval_content)
+    policy_1 = ForemanOpenscap::OvalPolicy.new(:name => "test policy",
+                                               :period => 'custom',
+                                               :weekday => 'tuesday',
+                                               :day_of_month => "15",
+                                               :oval_content => @oval_content)
+    refute policy_0.save
+    refute policy_1.save
+  end
+
+  test "should update OVAL policy period" do
+    policy = ForemanOpenscap::OvalPolicy.new(:name => "custom_policy",
+                                             :period => 'monthly',
+                                             :day_of_month => '5',
+                                             :oval_content => @oval_content)
+    assert policy.save
+    policy.period = 'weekly'
+    policy.weekday = 'monday'
+    policy.day_of_month = nil
+    assert policy.save
+  end
+
+  test "should add and remove hosts for OVAL policy" do
+    host = FactoryBot.create(:oval_host)
+    policy = ForemanOpenscap::OvalPolicy.new(:name => "custom_policy",
+                                             :period => 'monthly',
+                                             :day_of_month => '5',
+                                             :host_ids => [host.id],
+                                             :oval_content => @oval_content)
+
+    assert policy.save
+    assert policy.reload.hosts.include?(host)
+
+    policy.host_ids = []
+    assert policy.save
+    refute policy.reload.hosts.include?(host)
+  end
+
+  test "should add and remove hostgroups for OVAL policy" do
+    hostgroup = FactoryBot.create(:hostgroup)
+    policy = ForemanOpenscap::OvalPolicy.new(:name => "custom_policy",
+                                             :period => 'monthly',
+                                             :day_of_month => '5',
+                                             :hostgroup_ids => [hostgroup.id],
+                                             :oval_content => @oval_content)
+    assert policy.save
+    assert policy.reload.hostgroups.include?(hostgroup)
+
+    policy.hostgroup_ids = []
+    assert policy.save
+    refute policy.reload.hostgroups.include?(hostgroup)
+  end
+
+  test "should add and remove inherited OVAL policy" do
+    hostgroup = FactoryBot.create(:hostgroup)
+    host = FactoryBot.create(:oval_host, :hostgroup => hostgroup)
+    policy_1 = ForemanOpenscap::OvalPolicy.new(:name => "custom_policy",
+                                               :period => 'monthly',
+                                               :day_of_month => '5',
+                                               :hostgroup_ids => [hostgroup.id],
+                                               :oval_content => @oval_content)
+    policy_2 = ForemanOpenscap::OvalPolicy.new(:name => "custom_policy_again",
+                                               :period => 'monthly',
+                                               :day_of_month => '6',
+                                               :host_ids => [host.id],
+                                               :oval_content => @oval_content)
+    assert policy_1.save
+    assert policy_2.save
+
+    assert host.reload.combined_oval_policies.include?(policy_1)
+    assert host.combined_oval_policies.include?(policy_2)
+
+    policy_1.hostgroup_ids = []
+    assert policy_1.save
+    refute host.reload.combined_oval_policies.include?(policy_1)
+    assert host.combined_oval_policies.include?(policy_2)
+  end
+end

data/test/unit/oval_status_test.rb

@@ -0,0 +1,47 @@
+require 'test_plugin_helper'
+
+class OvalStatusTest < ActiveSupport::TestCase
+  setup do
+    @policy = FactoryBot.create(:oval_policy, :oval_content => FactoryBot.create(:oval_content))
+  end
+
+  test 'should have no vulnerabilities' do
+    host = FactoryBot.create(:oval_host)
+    FactoryBot.create(:oval_facet, :host => host, :oval_policies => [@policy])
+
+    status = ForemanOpenscap::OvalStatus.new
+    status.host = host
+    assert_equal 0, status.to_status
+    assert_equal ::HostStatus::Global::OK, status.to_global
+    assert status.relevant?
+  end
+
+  test 'should have vulnerabilities with available patch' do
+    host = FactoryBot.create(:oval_host, :cves => [FactoryBot.create(:cve, :has_errata => false), FactoryBot.create(:cve, :has_errata => true)])
+    FactoryBot.create(:oval_facet, :host => host, :oval_policies => [@policy])
+
+    status = ForemanOpenscap::OvalStatus.new
+    status.host = host
+    assert_equal 2, status.to_status
+    assert_equal ::HostStatus::Global::ERROR, status.to_global
+    assert status.relevant?
+  end
+
+  test 'should have vulnerabilities without available patch' do
+    host = FactoryBot.create(:oval_host, :cves => [FactoryBot.create(:cve, :has_errata => false), FactoryBot.create(:cve, :has_errata => false)])
+    FactoryBot.create(:oval_facet, :host => host, :oval_policies => [@policy])
+
+    status = ForemanOpenscap::OvalStatus.new
+    status.host = host
+    assert_equal 1, status.to_status
+    assert_equal ::HostStatus::Global::WARN, status.to_global
+    assert status.relevant?
+  end
+
+  test 'should not be relevant without oval policy' do
+    host = FactoryBot.create(:oval_host, :cves => [FactoryBot.create(:cve)])
+    status = ForemanOpenscap::OvalStatus.new
+    status.host = host
+    refute status.relevant?
+  end
+end

data/test/unit/services/oval/cves_test.rb

@@ -0,0 +1,81 @@
+require 'test_plugin_helper'
+
+class ForemanOpenscap::Oval::CvesTest < ActiveSupport::TestCase
+  setup do
+    @fxs = ForemanOpenscap::CveFixtures.new
+    @instance = ForemanOpenscap::Oval::Cves.new
+  end
+
+  test "should add CVEs to host" do
+    oval_data = create_cve_data @fxs.one
+    host = FactoryBot.create(:host)
+    assert_empty host.cves
+    @instance.create host, oval_data
+    refute_empty host.cves
+
+    assert_equal host.cves, host.cves.distinct
+  end
+
+  test "should filter out CVEs that do not affect the host" do
+    oval_data = create_cve_data @fxs.two
+    host = FactoryBot.create(:host)
+    assert_empty host.cves
+    @instance.create host, oval_data
+    refute_empty host.cves
+
+    assert_equal host.cves, ForemanOpenscap::Cve.where(:ref_id => @fxs.ids_from(@fxs.res_two))
+  end
+
+  test "should update host with a new set of CVEs" do
+    oval_data = create_cve_data @fxs.one
+    host = FactoryBot.create(:host)
+    assert_empty host.cves
+    @instance.create host, oval_data
+    refute_empty host.cves
+
+    cve_ids_before = host.reload.cve_ids
+    new_oval_data = create_cve_data @fxs.two
+    @instance.create host, new_oval_data
+
+    refute_equal host.reload.cve_ids, cve_ids_before
+    assert_equal host.cves, ForemanOpenscap::Cve.where(:ref_id => @fxs.ids_from(@fxs.res_two))
+
+    @fxs.ids_from(@fxs.res_three).map do |ref_id|
+      refute ForemanOpenscap::Cve.find_by :ref_id => ref_id
+    end
+  end
+
+  test "should not delete CVEs associated to another host" do
+    oval_data = create_cve_data @fxs.one
+    host = FactoryBot.create(:host)
+    @instance.create host, oval_data
+    refute_empty host.cves
+
+    cves_before = host.reload.cves
+
+    oval_data_2 = create_cve_data @fxs.two
+    host_2 = FactoryBot.create(:host)
+    @instance.create host_2, oval_data_2
+
+    assert_equal host.reload.cves, cves_before
+  end
+
+  test "should not delete CVEs associated to another policy" do
+    oval_data = create_cve_data [@fxs.res_three]
+    host = FactoryBot.create(:host)
+    assert_empty host.cves
+    @instance.create host, oval_data
+    refute_empty host.cves
+
+    cve_ids_before = host.reload.cve_ids
+    new_oval_data = create_cve_data [@fxs.res_four], 2
+    @instance.create host, new_oval_data
+
+    refute_equal host.reload.cve_ids, cve_ids_before
+    assert_equal host.cves, ForemanOpenscap::Cve.where(:ref_id => @fxs.ids_from(@fxs.res_three).concat(@fxs.ids_from(@fxs.res_four)))
+  end
+
+  def create_cve_data(fixture, policy_id = 1)
+    { 'oval_results' => fixture, 'oval_policy_id' => policy_id }
+  end
+end

data/test/unit/services/oval/setup_test.rb

@@ -0,0 +1,87 @@
+require 'test_plugin_helper'
+
+class ForemanOpenscap::Oval::SetupTest < ActiveSupport::TestCase
+  setup do
+    @config = ForemanOpenscap::ClientConfig::Ansible.new(::ForemanOpenscap::OvalPolicy)
+  end
+
+  test "should fail check when Ansible not available" do
+    ForemanOpenscap::ClientConfig::Ansible.any_instance.stubs(:available?).returns(false)
+
+    check_collection = ForemanOpenscap::Oval::Setup.new.run
+    assert check_collection.find_check(:foreman_ansible_present).failed?
+    assert check_collection.checks.reject { |res| res.id == :foreman_ansible_present }.all?(&:skipped?)
+  end
+
+  test "should fail check when Ansible role for client not imported" do
+    ForemanOpenscap::ClientConfig::Ansible.any_instance.stubs(:find_config_item).returns(nil)
+
+    check_collection = ForemanOpenscap::Oval::Setup.new.run
+    assert check_collection.find_check(:foreman_ansible_present).passed?
+    assert check_collection.find_check(:foreman_scap_client_role_present).failed?
+
+    assert check_collection.checks
+                           .select { |res| res.id != :foreman_ansible_present && res.id != :foreman_scap_client_role_present }
+                           .all?(&:skipped?)
+  end
+
+  test "should fail check when required Ansible variables are not imported" do
+    FactoryBot.create(:ansible_role, :name => @config.ansible_role_name)
+    check_collection = ForemanOpenscap::Oval::Setup.new.run
+    assert check_collection.find_check(:foreman_ansible_present).passed?
+    assert check_collection.find_check(:foreman_scap_client_role_present).passed?
+
+    res = check_collection.find_check(:foreman_scap_client_vars_present)
+    assert res.failed?
+    msg = "The following Ansible Variables were not found: foreman_scap_client_oval_policies, foreman_scap_client_port, foreman_scap_client_server, please import them before running this action again."
+    assert res.fail_msg, msg
+    assert override_results(check_collection.checks).all?(&:skipped?)
+  end
+
+  test "should fail check when fails to override a variable" do
+    role = FactoryBot.create(:ansible_role, :name => @config.ansible_role_name)
+    FactoryBot.create(:ansible_variable, :key => @config.port_param, :ansible_role => role)
+    FactoryBot.create(:ansible_variable, :key => @config.server_param, :ansible_role => role)
+    FactoryBot.create(:ansible_variable, :key => @config.policies_param, :ansible_role => role)
+    AnsibleVariable.any_instance.stubs(:save).returns(false)
+    AnsibleVariable.any_instance.stubs(:changed?).returns(true)
+    check_collection = ForemanOpenscap::Oval::Setup.new.run
+    assert check_collection.find_check(:foreman_ansible_present).passed?
+    assert check_collection.find_check(:foreman_scap_client_role_present).passed?
+    assert check_collection.find_check(:foreman_scap_client_vars_present).passed?
+    assert override_results(check_collection.checks).all?(&:failed?)
+  end
+
+  test "should pass all checks" do
+    role = FactoryBot.create(:ansible_role, :name => @config.ansible_role_name)
+    port_param = FactoryBot.create(:ansible_variable, :key => @config.port_param, :ansible_role => role)
+    server_param = FactoryBot.create(:ansible_variable, :key => @config.server_param, :ansible_role => role)
+    policies_param = FactoryBot.create(:ansible_variable, :key => @config.policies_param, :ansible_role => role)
+    check_collection = ForemanOpenscap::Oval::Setup.new.run
+
+    [policies_param, port_param, server_param].map(&:reload)
+
+    assert check_collection.all_passed?
+
+    assert @config.policies_param_default_value, policies_param.default_value
+    assert_equal 'array', policies_param.key_type
+    refute policies_param.hidden_value?
+    assert policies_param.override
+
+    refute port_param.value
+    assert_equal 'integer', port_param.key_type
+    assert port_param.override
+
+    refute server_param.hidden_value?
+    assert_equal 'string', server_param.key_type
+    assert server_param.override
+  end
+
+  def override_results(checks)
+    checks.select do |res|
+      res.id == :foreman_scap_client_server_overriden ||
+      res.id == :foreman_scap_client_port_overriden ||
+      res.id == :foreman_scap_client_policies_overriden
+    end
+  end
+end