foreman_openscap 4.2.0 → 4.3.0

data/app/services/foreman_openscap/lookup_key_overrides_common.rb

@@ -0,0 +1,63 @@
+module ForemanOpenscap
+  module LookupKeyOverridesCommon
+    extend ActiveSupport::Concern
+
+    def override(config)
+      return unless handle_config_not_available(config)
+      override_required_params config
+    end
+
+    def override_required_params(config)
+      return unless config.managed_overrides?
+      item = config.find_config_item
+
+      return unless handle_config_item_not_available(config, item)
+      override_params item.public_send(config.override_method_name), config
+    end
+
+    def override_params(lookup_keys, config)
+      policies_param = lookup_keys.find_by :key => config.policies_param
+      port_param = lookup_keys.find_by :key => config.port_param
+      server_param = lookup_keys.find_by :key => config.server_param
+
+      missing_keys = missing_lookup_keys(config.policies_param => policies_param,
+                                         config.port_param => port_param,
+                                         config.server_param => server_param)
+
+      return unless handle_missing_lookup_keys config, missing_keys.compact.join(', ')
+
+      override_policies_param(policies_param, config)
+      override_port_param(port_param, config)
+      override_server_param(server_param, config)
+    end
+
+    def override_policies_param(parameter, config)
+      override_param 'policies', config.policies_param, parameter, config, 'array', config.policies_param_default_value
+    end
+
+    def override_port_param(param, config)
+      override_param 'port', config.port_param, param, config, 'integer'
+    end
+
+    def override_server_param(param, config)
+      override_param 'server', config.server_param, param, config, 'string'
+    end
+
+    def override_param(handler, param_name, param, config, key_type, default_value = nil)
+      param.override = true
+      param.hidden_value = false
+      param.key_type = key_type
+      param.default_value = default_value
+
+      send("handle_#{handler}_param_override", config, param)
+    end
+
+    def missing_lookup_keys(hash)
+      return [] if hash.values.all?
+      hash.reduce([]) do |memo, (key, value)|
+        memo << key if value.blank?
+        memo
+      end
+    end
+  end
+end

data/app/services/foreman_openscap/oval/check_collection.rb

@@ -0,0 +1,45 @@
+module ForemanOpenscap
+  module Oval
+    class CheckCollection
+      attr_reader :checks
+
+      def initialize(initial_check_attrs = [])
+        @checks = initial_check_attrs.map { |hash| SetupCheck.new hash }
+      end
+
+      def all_passed?
+        @checks.all?(&:passed?)
+      end
+
+      def find_check(check_id)
+        @checks.find { |item| item.id == check_id }
+      end
+
+      def find_failed
+        @checks.select(&:failed?)
+      end
+
+      def fail_check(check_id, error_data = nil)
+        find_check(check_id).fail_with! error_data
+      end
+
+      def pass_check(check_id)
+        find_check(check_id).pass!
+      end
+
+      def add_check(check)
+        @checks << check
+        self
+      end
+
+      def merge(other)
+        @checks = @checks.concat other.checks
+        self
+      end
+
+      def to_h
+        @checks.map(&:to_h)
+      end
+    end
+  end
+end

data/app/services/foreman_openscap/oval/configure.rb

@@ -0,0 +1,80 @@
+module ForemanOpenscap
+  module Oval
+    class Configure
+      include ::ForemanOpenscap::HostgroupOverriderCommon
+
+      def initialize
+        @config = ForemanOpenscap::ClientConfig::Ansible.new(::ForemanOpenscap::OvalPolicy)
+      end
+
+      def assign(oval_policy, ids, model_class)
+        check_collection = ::ForemanOpenscap::Oval::Setup.new.run
+        return check_collection unless check_collection.all_passed?
+
+        ansible_role = @config.find_config_item
+
+        if model_class == ::Hostgroup
+          roles_method = :inherited_and_own_ansible_roles
+          ids_setter = :hostgroup_ids=
+        elsif model_class == ::Host::Managed
+          roles_method = :all_ansible_roles
+          ids_setter = :host_ids=
+        else
+          raise "Unexpected model_class, expected ::Hostgroup or ::Host::Managed, got: #{model_class}"
+        end
+
+        items_with_proxy, items_without_proxy = openscap_proxy_associated(ids, model_class)
+
+        oval_policy.send(ids_setter, items_with_proxy.pluck(:id))
+
+        check_collection = without_proxy_to_check items_without_proxy
+
+        unless oval_policy.save
+          return check_collection.add_check model_to_check(oval_policy)
+        end
+
+        check_collection.merge modify_items(items_with_proxy, oval_policy, ansible_role, roles_method)
+      end
+
+      private
+
+      def openscap_proxy_associated(ids, model_class)
+        model_class.where(:id => ids).partition(&:openscap_proxy)
+      end
+
+      def modify_items(items, oval_policy, ansible_role, roles_method)
+        items.reduce(CheckCollection.new) do |memo, item|
+          role_ids = item.ansible_role_ids + [ansible_role.id]
+          item.ansible_role_ids = role_ids unless item.send(roles_method).include? ansible_role
+          item.save if item.changed?
+          memo.add_check model_to_check(item)
+          add_overrides ansible_role.ansible_variables, item, @config
+          memo
+        end
+      end
+
+      def without_proxy_to_check(items)
+        items.reduce(CheckCollection.new) do |memo, item|
+          memo.add_check(
+            SetupCheck.new(
+              :title => (_("Was %s configured successfully?") % item.class.name),
+              :fail_msg => ->(_) { _("Assign openscap_proxy to %s before proceeding.") % item.name }
+            ).fail!
+          )
+        end
+      end
+
+      def model_to_s(model)
+        model.is_a?(::Hostgroup) ? 'hostgroup' : 'host'
+      end
+
+      def model_to_check(model)
+        check = SetupCheck.new(
+          :title => (_("Was %{model_name} %{name} configured successfully?") % { :model_name => model_to_s(model), :name => model.name }),
+          :errors => model.errors.to_h
+        )
+        model.errors.any? ? check.fail! : check.pass!
+      end
+    end
+  end
+end

data/app/services/foreman_openscap/oval/cves.rb

@@ -0,0 +1,41 @@
+module ForemanOpenscap
+  module Oval
+    class Cves
+      def create(host, cve_data)
+        policy_id = cve_data['oval_policy_id']
+
+        incoming_cves = cve_data['oval_results'].reduce([]) do |memo, data|
+          next memo unless data['result'] == 'true'
+          cves, errata = data['references'].partition { |ref| ref['ref_id'].start_with?('CVE') }
+
+          cves.map do |cve|
+            memo << ::ForemanOpenscap::Cve.find_or_create_by(
+              :ref_id => cve['ref_id'],
+              :ref_url => cve['ref_url'],
+              :has_errata => !errata.empty?,
+              :definition_id => data['definition_id']
+            )
+          end
+          memo
+        end
+
+        current = ForemanOpenscap::Cve.of_oval_policy(policy_id).of_host(host.id)
+        to_delete = current - incoming_cves
+        to_create = incoming_cves - current
+
+        ::ForemanOpenscap::HostCve.where(:host_id => host.id, :oval_policy_id => policy_id, :cve_id => to_delete.pluck(:id)).destroy_all
+        host.host_cves.build(to_create.map { |cve| { :host_id => host.id, :oval_policy_id => policy_id, :cve_id => cve.id } })
+
+        delete_orphaned_cves to_delete.pluck(:id) if host.save
+        host
+      end
+
+      private
+
+      def delete_orphaned_cves(ids)
+        associated_ids = ::ForemanOpenscap::HostCve.where(:cve_id => ids).select(:cve_id).distinct.pluck(:cve_id)
+        ::ForemanOpenscap::Cve.where(:id => ids - associated_ids).destroy_all
+      end
+    end
+  end
+end

data/app/services/foreman_openscap/oval/setup.rb

@@ -0,0 +1,93 @@
+module ForemanOpenscap
+  module Oval
+    class Setup
+      include ::ForemanOpenscap::LookupKeyOverridesCommon
+
+      def initialize
+        @config = ForemanOpenscap::ClientConfig::Ansible.new(::ForemanOpenscap::OvalPolicy)
+        @check_collection = CheckCollection.new initial_check_attrs
+      end
+
+      def run
+        override @config
+        @check_collection
+      end
+
+      def handle_config_not_available(config)
+        return @check_collection.pass_check :foreman_ansible_present if config.available?
+        fail_check :foreman_ansible_present
+      end
+
+      def handle_config_item_not_available(config, item)
+        return @check_collection.pass_check :foreman_scap_client_role_present if item
+        fail_check :foreman_scap_client_role_present
+      end
+
+      def handle_missing_lookup_keys(config, key_names)
+        return @check_collection.pass_check :foreman_scap_client_vars_present if key_names.empty?
+        fail_check :foreman_scap_client_vars_present, :missing_vars => key_names
+      end
+
+      def handle_server_param_override(config, param)
+        handle_param_override :foreman_scap_client_server_overriden, config, param
+      end
+
+      def handle_port_param_override(config, param)
+        handle_param_override :foreman_scap_client_port_overriden, config, param
+      end
+
+      def handle_policies_param_override(config, param)
+        handle_param_override :foreman_scap_client_policies_overriden, config, param
+      end
+
+      def handle_param_override(check_id, config, param)
+        return fail_check check_id if param.changed? && !param.save
+        @check_collection.pass_check check_id
+      end
+
+      def fail_check(check_id, error_data = nil)
+        @check_collection.fail_check(check_id, error_data)
+        false
+      end
+
+      private
+
+      def initial_check_attrs
+        override_msg = _("Could not update Ansible Variables with override: true")
+
+        [
+          {
+            :id => :foreman_ansible_present,
+            :title => _("Is foreman_ansible present?"),
+            :fail_msg => ->(hash) { _("foreman_ansible plugin not found, please install it before running this action again.") }
+          },
+          {
+            :id => :foreman_scap_client_role_present,
+            :title => _("Is theforeman.foreman_scap_client present?"),
+            :fail_msg => ->(hash) { @config.ansible_role_missing_msg }
+          },
+          {
+            :id => :foreman_scap_client_vars_present,
+            :title => _("Are required variables for theforeman.foreman_scap_client present?"),
+            :fail_msg => ->(hash) { _("The following Ansible Variables were not found: %{missing_vars}, please import them before running this action again.") % hash }
+          },
+          {
+            :id => :foreman_scap_client_server_overriden,
+            :title => _("Is %s param set to be overriden?") % @config.server_param,
+            :fail_msg => ->(hash) { override_msg }
+          },
+          {
+            :id => :foreman_scap_client_port_overriden,
+            :title => _("Is %s param set to be overriden?") % @config.port_param,
+            :fail_msg => ->(hash) { override_msg }
+          },
+          {
+            :id => :foreman_scap_client_policies_overriden,
+            :title => _("Is %s param set to be overriden?") % @config.policies_param,
+            :fail_msg => ->(hash) { override_msg }
+          }
+        ]
+      end
+    end
+  end
+end

data/app/services/foreman_openscap/oval/setup_check.rb

@@ -0,0 +1,55 @@
+module ForemanOpenscap
+  module Oval
+    class SetupCheck
+      attr_reader :result, :id
+
+      def initialize(hash)
+        @id = hash[:id]
+        @title = hash[:title]
+        @fail_msg = hash[:fail_msg]
+        @errors = hash[:errors]
+        @result = :skip
+      end
+
+      def fail_with!(fail_data)
+        @fail_msg_data = fail_data
+        fail!
+      end
+
+      def fail!
+        @result = :fail
+        self
+      end
+
+      def pass!
+        @result = :pass
+        self
+      end
+
+      def failed?
+        @result == :fail
+      end
+
+      def passed?
+        @result == :pass
+      end
+
+      def skipped?
+        @result == :skip
+      end
+
+      def fail_msg
+        @fail_msg.call @fail_msg_data if @fail_msg
+      end
+
+      def to_h
+        {
+          :title => @title,
+          :result => @result,
+          :fail_message => failed? ? fail_msg : nil,
+          :errors => @errors
+        }
+      end
+    end
+  end
+end

data/app/services/foreman_openscap/oval/sync_oval_contents.rb

@@ -0,0 +1,42 @@
+module ForemanOpenscap
+  module Oval
+    class SyncOvalContents
+      def sync(oval_content)
+        begin
+          content_blob = fetch_content_blob(oval_content.url)
+        rescue StandardError => e
+          oval_content.errors.add(:base, "#{fail_msg oval_content}, cause: #{e.message}")
+          return oval_content
+        end
+
+        unless content_blob
+          oval_content.errors.add(:base, fail_msg(oval_content))
+          return oval_content
+        end
+        oval_content.scap_file = content_blob
+        oval_content
+      end
+
+      def sync_all
+        to_sync = ForemanOpenscap::OvalContent.where.not(:url => nil)
+        to_sync.map { |content| content.tap { |item| sync(item).save } }
+      end
+
+      private
+
+      def fail_msg(content)
+        "Failed to fetch content file from #{content.url}"
+      end
+
+      def fetch_content_blob(url)
+        response = fetch url
+        return unless response.code == 200
+        response.body
+      end
+
+      def fetch(url)
+        RestClient.get(url)
+      end
+    end
+  end
+end

data/app/views/api/v2/compliance/oval_contents/base.json.rabl

@@ -0,0 +1,6 @@
+object @oval_content
+
+extends "api/v2/compliance/common/org"
+extends "api/v2/compliance/common/loc"
+
+attributes :id, :name, :original_filename, :digest, :created_at, :updated_at, :url

data/app/views/api/v2/compliance/oval_contents/create.json.rabl

@@ -0,0 +1,3 @@
+object @oval_content
+
+extends "api/v2/compliance/oval_contents/base"

data/app/views/api/v2/compliance/oval_contents/index.json.rabl

@@ -0,0 +1,3 @@
+collection @oval_contents
+
+extends "api/v2/compliance/oval_contents/base"