foreman_openscap 4.2.0 → 4.3.0

data/app/models/concerns/foreman_openscap/host_extensions.rb

@@ -151,13 +151,13 @@ module ForemanOpenscap
       def search_by_removed_from_policy(key, operator, policy_name)
         policy = ForemanOpenscap::Policy.find_by :name => policy_name
         host_ids = policy ? removed_from_policy(policy).pluck(:id) : []
-        { :conditions => Host::Managed.arel_table[:id].in(host_ids).to_sql }
+        { :conditions => ::Host::Managed.arel_table[:id].in(host_ids).to_sql }
       end
 
       def search_by_compliance(key, operator, policy_name, method)
         policy = ForemanOpenscap::Policy.find_by :name => policy_name
         host_ids = policy ? public_send(method, policy).pluck(:id) : []
-        { :conditions => Host::Managed.arel_table[:id].in(host_ids).to_sql }
+        { :conditions => ::Host::Managed.arel_table[:id].in(host_ids).to_sql }
       end
 
       def search_by_comply_with(key, operator, policy_name)
@@ -185,12 +185,12 @@ module ForemanOpenscap
       end
 
       def search_by_rule(rule_name, rule_result)
-        query = Host.joins(:arf_reports)
-                    .merge(ArfReport.latest
-                                    .by_rule_result(rule_name, rule_result)
-                                    .unscope(:order))
-                    .distinct
-                    .select(Host.arel_table[:id]).to_sql
+        query = ::Host.joins(:arf_reports)
+                      .merge(ArfReport.latest
+                                      .by_rule_result(rule_name, rule_result)
+                                      .unscope(:order))
+                      .distinct
+                      .select(::Host.arel_table[:id]).to_sql
 
         query_conditions query
       end
@@ -208,7 +208,7 @@ module ForemanOpenscap
                           else
                             ''
                           end
-        { :conditions => Host::Managed.arel_table[:id].in(Host::Managed.select(Host::Managed.arel_table[:id]).joins(:policies).where(cond).pluck(:id)).to_sql + host_group_cond }
+        { :conditions => ::Host::Managed.arel_table[:id].in(::Host::Managed.select(::Host::Managed.arel_table[:id]).joins(:policies).where(cond).pluck(:id)).to_sql + host_group_cond }
       end
 
       def search_by_policy_id(key, operator, policy_id)
@@ -249,8 +249,8 @@ module ForemanOpenscap
                                                           .joins(:policies)
                                                           .where(condition)
                                                           .pluck(:assetable_id)
-        subtree_ids = Hostgroup.where(:id => hostgroup_with_policy_ids).flat_map(&:subtree_ids).uniq
-        Host.where(:hostgroup_id => subtree_ids).where.not(:id => host_ids_from_arf).pluck(:id)
+        subtree_ids = ::Hostgroup.where(:id => hostgroup_with_policy_ids).flat_map(&:subtree_ids).uniq
+        ::Host.where(:hostgroup_id => subtree_ids).where.not(:id => host_ids_from_arf).pluck(:id)
       end
     end
   end

data/app/models/concerns/foreman_openscap/hostgroup_extensions.rb

@@ -2,6 +2,8 @@ module ForemanOpenscap
   module HostgroupExtensions
     extend ActiveSupport::Concern
 
+    include InheritedPolicies
+
     included do
       has_one :asset, :as => :assetable, :class_name => "::ForemanOpenscap::Asset", dependent: :destroy
       has_many :asset_policies, :through => :asset, :class_name => "::ForemanOpenscap::AssetPolicy"
@@ -9,11 +11,7 @@ module ForemanOpenscap
     end
 
     def inherited_policies
-      return [] unless parent
-
-      ancestors.inject([]) do |policies, hostgroup|
-        policies += hostgroup.policies
-      end.uniq
+      find_inherited_policies :policies
     end
 
     def openscap_proxy

data/app/models/concerns/foreman_openscap/inherited_policies.rb

@@ -0,0 +1,11 @@
+module ForemanOpenscap
+  module InheritedPolicies
+    def find_inherited_policies(policy_attr)
+      return [] unless parent
+
+      ancestors.reduce([]) do |policies, hostgroup|
+        policies += hostgroup.public_send(policy_attr)
+      end.uniq
+    end
+  end
+end

data/app/models/concerns/foreman_openscap/oval_facet_host_extensions.rb

@@ -0,0 +1,38 @@
+module ForemanOpenscap
+  module OvalFacetHostExtensions
+    extend ActiveSupport::Concern
+
+    ::Host::Managed::Jail.allow :oval_policies_enc, :oval_policies_enc_raw, :cves, :cves_without_errata
+
+    included do
+      has_many :oval_policies, :through => :oval_facet, :class_name => 'ForemanOpenscap::OvalPolicy'
+
+      has_many :host_cves, :class_name => 'ForemanOpenscap::HostCve', :foreign_key => :host_id
+      has_many :cves, :through => :host_cves, :class_name => 'ForemanOpenscap::Cve', :source => :cve
+
+      scoped_search :relation => :host_cves, :on => :cve_id, :rename => :cve_id, :complete_value => false
+    end
+
+    def cves_without_errata
+      cves.where(:has_errata => false)
+    end
+
+    def cves_with_errata
+      cves.where(:has_errata => true)
+    end
+
+    def combined_oval_policies
+      combined = oval_policies
+      combined += hostgroup.oval_policies + hostgroup.inherited_oval_policies if hostgroup
+      combined.uniq
+    end
+
+    def oval_policies_enc_raw
+      combined_oval_policies.map(&:to_enc)
+    end
+
+    def oval_policies_enc
+      oval_policies_enc_raw.to_json
+    end
+  end
+end

data/app/models/concerns/foreman_openscap/oval_facet_hostgroup_extensions.rb

@@ -0,0 +1,15 @@
+module ForemanOpenscap
+  module OvalFacetHostgroupExtensions
+    extend ActiveSupport::Concern
+
+    include InheritedPolicies
+
+    included do
+      has_many :oval_policies, :through => :oval_facet, :class_name => 'ForemanOpenscap::OvalPolicy'
+    end
+
+    def inherited_oval_policies
+      find_inherited_policies :oval_policies
+    end
+  end
+end

data/app/models/concerns/foreman_openscap/policy_common.rb

@@ -0,0 +1,75 @@
+module ForemanOpenscap
+  module PolicyCommon
+    extend ActiveSupport::Concern
+
+    included do
+      before_validation :update_period_attrs
+    end
+
+    def cron_line_split
+      cron_line.to_s.split(' ')
+    end
+
+    def valid_cron_line
+      if period == 'custom'
+        errors.add(:cron_line, _("does not consist of 5 parts separated by space")) unless cron_line_split.size == 5
+      end
+    end
+
+    def valid_weekday
+      if period == 'weekly'
+        errors.add(:weekday, _("is not a valid value")) unless Date::DAYNAMES.map(&:downcase).include? weekday
+      end
+    end
+
+    def valid_day_of_month
+      if period == 'monthly'
+        errors.add(:day_of_month, _("must be between 1 and 31")) if !day_of_month || (day_of_month < 1 || day_of_month > 31)
+      end
+    end
+
+    def update_period_attrs
+      case period
+      when 'monthly'
+        erase_period_attrs(%w[cron_line weekday])
+      when 'weekly'
+        erase_period_attrs(%w[cron_line day_of_month])
+      when 'custom'
+        erase_period_attrs(%w[weekday day_of_month])
+      end
+    end
+
+    private
+
+    def erase_period_attrs(attrs)
+      attrs.each { |attr| self.public_send("#{attr}=", nil) }
+    end
+
+    def period_enc
+      # get crontab expression as an array (minute hour day_of_month month day_of_week)
+      cron_parts = case period
+                   when 'weekly'
+                     ['0', '1', '*', '*', weekday_number.to_s]
+                   when 'monthly'
+                     ['0', '1', day_of_month.to_s, '*', '*']
+                   when 'custom'
+                     cron_line_split
+                   else
+                     raise 'invalid period specification'
+                   end
+
+      {
+        'minute' => cron_parts[0],
+        'hour' => cron_parts[1],
+        'monthday' => cron_parts[2],
+        'month' => cron_parts[3],
+        'weekday' => cron_parts[4],
+      }
+    end
+
+    def weekday_number
+      # 0 is sunday, 1 is monday in cron, while DAYS_INTO_WEEK has 0 as monday, 6 as sunday
+      (Date::DAYS_INTO_WEEK.with_indifferent_access[weekday] + 1) % 7
+    end
+  end
+end

data/app/models/concerns/foreman_openscap/scap_file_content.rb

@@ -0,0 +1,24 @@
+module ForemanOpenscap
+  module ScapFileContent
+    require 'digest/sha2'
+
+    extend ActiveSupport::Concern
+
+    included do
+      validates :digest, :presence => true
+      validates :scap_file, :presence => true
+
+      before_validation :redigest, :if => lambda { |file_content| file_content.persisted? && file_content.scap_file_changed? }
+    end
+
+    def digest
+      self[:digest] ||= Digest::SHA256.hexdigest(scap_file.to_s)
+    end
+
+    private
+
+    def redigest
+      self[:digest] = Digest::SHA256.hexdigest(scap_file.to_s)
+    end
+  end
+end

data/app/models/foreman_openscap/cve.rb

@@ -0,0 +1,23 @@
+module ForemanOpenscap
+  class Cve < ApplicationRecord
+    has_many :host_cves
+    has_many :hosts, :through => :host_cves
+    has_many :oval_policies, :through => :host_cves
+
+    scoped_search :relation => :host_cves, :on => :oval_policy_id, :rename => :oval_policy_id, :complete_value => false
+
+    scope :of_oval_policy, ->(policy_id) {
+      joins(:host_cves).where(:foreman_openscap_host_cves => { :oval_policy_id => policy_id })
+    }
+
+    scope :of_host, ->(host_id) {
+      joins(:host_cves).where(:foreman_openscap_host_cves => { :host_id => host_id })
+    }
+
+    validates :ref_id, :ref_url, :definition_id, :presence => true
+
+    class Jail < ::Safemode::Jail
+      allow :ref_id, :ref_url
+    end
+  end
+end

data/app/models/foreman_openscap/host/oval_facet.rb

@@ -0,0 +1,14 @@
+module ForemanOpenscap
+  module Host
+    class OvalFacet < ApplicationRecord
+      self.table_name = 'foreman_openscap_oval_facets'
+
+      include Facets::Base
+
+      validates :host, :presence => true, :allow_blank => false
+
+      has_many :oval_facet_oval_policies, :dependent => :destroy, :class_name => 'ForemanOpenscap::OvalFacetOvalPolicy'
+      has_many :oval_policies, :through => :oval_facet_oval_policies, :class_name => 'ForemanOpenscap::OvalPolicy'
+    end
+  end
+end

data/app/models/foreman_openscap/host_cve.rb

@@ -0,0 +1,7 @@
+module ForemanOpenscap
+  class HostCve < ApplicationRecord
+    belongs_to_host
+    belongs_to :cve
+    belongs_to :oval_policy
+  end
+end

data/app/models/foreman_openscap/hostgroup/oval_facet.rb

@@ -0,0 +1,14 @@
+module ForemanOpenscap
+  module Hostgroup
+    class OvalFacet < ApplicationRecord
+      self.table_name = 'foreman_openscap_hostgroup_oval_facets'
+
+      include Facets::HostgroupFacet
+
+      validates :hostgroup, :presence => true, :allow_blank => false
+
+      has_many :hostgroup_oval_facet_oval_policies, :dependent => :destroy, :class_name => 'ForemanOpenscap::HostgroupOvalFacetOvalPolicy'
+      has_many :oval_policies, :through => :hostgroup_oval_facet_oval_policies, :class_name => 'ForemanOpenscap::OvalPolicy'
+    end
+  end
+end

data/app/models/foreman_openscap/hostgroup_oval_facet_oval_policy.rb

@@ -0,0 +1,6 @@
+module ForemanOpenscap
+  class HostgroupOvalFacetOvalPolicy < ApplicationRecord
+    belongs_to :oval_policy
+    belongs_to :oval_facet, :class_name => 'ForemanOpenscap::Hostgroup::OvalFacet'
+  end
+end

data/app/models/foreman_openscap/oval_content.rb

@@ -0,0 +1,26 @@
+module ForemanOpenscap
+  class OvalContent < ApplicationRecord
+    audited :except => [:scap_file]
+    include Authorizable
+    include Taxonomix
+    include ScapFileContent
+
+    scoped_search :on => :name, :complete_value => true
+
+    has_many :oval_policies
+    validates :name, :presence => true, :length => { :maximum => 255 }, uniqueness: true
+    validates :url, :format => { :with => %r{\Ahttps?://} }, :allow_blank => true
+
+    before_validation :fetch_remote_content, :if => lambda { |oval_content| oval_content.url.present? }
+
+    def to_h
+      { :id => id, :name => name, :original_filename => original_filename, :changed_at => changed_at }
+    end
+
+    private
+
+    def fetch_remote_content
+      ForemanOpenscap::Oval::SyncOvalContents.new.sync self
+    end
+  end
+end

data/app/models/foreman_openscap/oval_facet_oval_policy.rb

@@ -0,0 +1,6 @@
+module ForemanOpenscap
+  class OvalFacetOvalPolicy < ApplicationRecord
+    belongs_to :oval_policy
+    belongs_to :oval_facet, :class_name => 'ForemanOpenscap::Host::OvalFacet'
+  end
+end

data/app/models/foreman_openscap/oval_policy.rb

@@ -0,0 +1,54 @@
+module ForemanOpenscap
+  class OvalPolicy < ApplicationRecord
+    graphql_type '::Types::OvalPolicy'
+
+    audited
+    include Authorizable
+    include Taxonomix
+
+    include PolicyCommon
+
+    belongs_to :oval_content
+
+    validates :name, :presence => true, :uniqueness => true, :length => { :maximum => 255 }
+    validates :period, :inclusion => { :in => %w[weekly monthly custom], :message => _('is not a valid value') }
+    validate :valid_cron_line, :valid_weekday, :valid_day_of_month
+    validates :oval_content, :presence => true
+
+    has_many :oval_facet_oval_policies, :class_name => 'ForemanOpenscap::OvalFacetOvalPolicy'
+    has_many :oval_facets, :through => :oval_facet_oval_policies, :class_name => 'ForemanOpenscap::Host::OvalFacet'
+    has_many :hosts, :through => :oval_facets
+
+    has_many :hostgroup_oval_facet_oval_policies, :class_name => 'ForemanOpenscap::HostgroupOvalFacetOvalPolicy'
+    has_many :hostgroup_oval_facets, :through => :hostgroup_oval_facet_oval_policies, :class_name => 'ForemanOpenscap::Hostgroup::OvalFacet', :source => :oval_facet
+    has_many :hostgroups, :through => :hostgroup_oval_facets
+
+    has_many :host_cves
+    has_many :cves, :through => :host_cves
+
+    def host_ids=(host_ids)
+      self.oval_facets = facets_to_assign(host_ids, :host_id, ForemanOpenscap::Host::OvalFacet)
+    end
+
+    def hostgroup_ids=(hostgroup_ids)
+      self.hostgroup_oval_facets = facets_to_assign(hostgroup_ids, :hostgroup_id, ForemanOpenscap::Hostgroup::OvalFacet)
+    end
+
+    def to_enc
+      {
+        :id => id,
+        :oval_content_path => "/var/lib/openscap/oval_content/#{oval_content.digest}.oval.xml.bz2",
+        :download_path => "/compliance/oval_policies/#{id}/oval_content/#{oval_content.digest}"
+      }.merge(period_enc).with_indifferent_access
+    end
+
+    private
+
+    def facets_to_assign(ids, key, facet_class)
+      filtered_ids = ids.uniq.reject { |id| respond_to?(:empty) && id.empty? }
+      existing_facets = facet_class.where(key => filtered_ids)
+      new_facets = (filtered_ids - existing_facets.pluck(key)).map { |id| facet_class.new(key => id) }
+      existing_facets + new_facets
+    end
+  end
+end

data/app/models/foreman_openscap/oval_status.rb

@@ -0,0 +1,45 @@
+module ForemanOpenscap
+  class OvalStatus < ::HostStatus::Status
+    PATCHED = 0
+    VULNERABLE = 1
+    PATCH_AVAILABLE = 2
+
+    def self.status_name
+      N_('OVAL scan')
+    end
+
+    def to_label(options = {})
+      case to_status
+      when PATCHED
+        N_('No Vulnerabilities found')
+      when VULNERABLE
+        N_("%s vulnerabilities found") % host.cves_without_errata.count
+      when PATCH_AVAILABLE
+        N_("%s vulnerabilities with available patch found") % host.cves_with_errata.count
+      else
+        N_('Unknown OVAL status')
+      end
+    end
+
+    def to_global(options = {})
+      case to_status
+      when PATCHED
+        ::HostStatus::Global::OK
+      when VULNERABLE
+        ::HostStatus::Global::WARN
+      when PATCH_AVAILABLE
+        ::HostStatus::Global::ERROR
+      end
+    end
+
+    def relevant?(options = {})
+      host.combined_oval_policies.any?
+    end
+
+    def to_status(options = {})
+      return PATCH_AVAILABLE if host.cves_with_errata.any?
+      return VULNERABLE if host.cves_without_errata.any?
+      PATCHED
+    end
+  end
+end