foreman_openscap 0.10.4 → 0.11.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 9b441309459cd62b0c525d1b51dd856b28bf3b2e
-  data.tar.gz: 2b98addfa0d16368c3f9d9be4af017047ba56036
+  metadata.gz: ae4c20b57b85e1366a7e2b07e46bffbbdc4cab02
+  data.tar.gz: c9afcc7dd78320e4479487c23dc232f27a04a3b4
 SHA512:
-  metadata.gz: ddae8417386fa6877ce9b2873b94f1750dde15217cf29cc2fbb3d2e5e2ae7f07ee4905da0702a45c00d26b6ad8c20c5b0aa43d89b11becf04344feabba1d7af5
-  data.tar.gz: 6b843df78415ac1c53ee199e06abba468f0d3e0c121c890b0565aec35c38a788d9fde4092fcdd59a4410b97eb6f8c3039b2cc8228787e34866f7d5829e95b630
+  metadata.gz: 2c712c0f895f97a2a4154a23940da478ab7b1dc63fec766de9b667cac17c1e81998bcaaba4da69a105c2d93ce61f47d7709c08fd589661fdee91c9b51cd34745
+  data.tar.gz: 3dd60521f98b6fc961bb55f68e381442a1f8b8fe8f2a5403e8b3ccbca31d2cf8b6af2b8b2e3498605647e8ef1d5422efc3a823590b4d82a05b904f811c1c5ce4

data/app/controllers/api/v2/compliance/scap_contents_controller.rb

@@ -2,6 +2,7 @@ module Api::V2
   module Compliance
     class ScapContentsController < ::Api::V2::BaseController
       include Foreman::Controller::Parameters::ScapContent
+      include ForemanOpenscap::BodyLogExtensions
       before_action :find_resource, :except => %w[index create]
 
       def resource_name(resource = '::ForemanOpenscap::ScapContent')
@@ -19,7 +20,7 @@ module Api::V2
         @scap_contents = resource_scope_for_index(:permission => :view_scap_contents)
       end
 
-      api :GET, '/compliance/scap_contents/:id/xml', N_('Show an SCAP content as XML')
+      api :GET, '/compliance/scap_contents/:id/xml', N_('Download an SCAP content as XML')
       param :id, :identifier, :required => true
 
       def xml

data/app/controllers/api/v2/compliance/tailoring_files_controller.rb

@@ -2,6 +2,7 @@ module Api::V2
   module Compliance
     class TailoringFilesController < ::Api::V2::BaseController
       include Foreman::Controller::Parameters::TailoringFile
+      include ForemanOpenscap::BodyLogExtensions
       before_action :find_resource, :except => %w[index create]
       before_action :openscap_proxy_check, :only => %w[create]
 
@@ -20,7 +21,7 @@ module Api::V2
         @tailoring_files = resource_scope_for_index(:permission => :view_tailoring_files)
       end
 
-      api :GET, '/compliance/tailoring_files/:id/xml', N_('Show a Tailoring file as XML')
+      api :GET, '/compliance/tailoring_files/:id/xml', N_('Download a Tailoring file as XML')
       param :id, :identifier, :required => true
 
       def xml

data/app/controllers/concerns/foreman_openscap/body_log_extensions.rb

@@ -0,0 +1,18 @@
+module ForemanOpenscap
+  module BodyLogExtensions
+    extend ActiveSupport::Concern
+
+    def log_response_body
+      return super unless skip_body_log.include?(action_name)
+      logger.debug { logger_msg }
+    end
+
+    def skip_body_log
+      ['xml']
+    end
+
+    def logger_msg
+      "Logging response body of #{response.body.length} characters skipped when downloading DS files"
+    end
+  end
+end

data/app/controllers/concerns/foreman_openscap/hosts_controller_extensions.rb

@@ -23,7 +23,7 @@ module ForemanOpenscap
           host.openscap_proxy = smart_proxy
           host.save!
         end
-        notice _("Updated hosts: Assigned with OpenSCAP Proxy: %s") % smart_proxy.name
+        success _("Updated hosts: Assigned with OpenSCAP Proxy: %s") % smart_proxy.name
         redirect_to hosts_path
       else
         error _('No OpenSCAP Proxy selected.')

data/app/controllers/openscap_proxies_controller.rb

@@ -2,8 +2,8 @@ class OpenscapProxiesController < ApplicationController
   before_action :find_proxy, :only => [:openscap_spool]
 
   def openscap_spool
-    last_error = @smart_proxy ? find_spool_error : nil
-    render :partial => 'smart_proxies/openscap_spool', :locals => { :last_error => last_error }
+    spool_errors = @smart_proxy ? @smart_proxy.statuses[:openscap].spool_status : nil
+    render :partial => 'smart_proxies/openscap_spool', :locals => { :spool_errors => spool_errors }
   end
 
   private
@@ -20,13 +20,4 @@ class OpenscapProxiesController < ApplicationController
   def find_proxy
     @smart_proxy = SmartProxy.find params[:id]
   end
-
-  def find_spool_error
-    log_status = @smart_proxy.statuses[:logs]
-    return {} unless log_status
-    log_status.logs
-              .log_entries
-              .reverse
-              .find { |entry| entry["level"] == "ERROR" && entry["message"].start_with?("Failed to parse Arf Report") }
-  end
 end

data/app/controllers/policies_controller.rb

@@ -80,7 +80,7 @@ class PoliciesController < ApplicationController
     if (id = params['policy']['id'])
       policy = ::ForemanOpenscap::Policy.find(id)
       policy.assign_hosts(@hosts)
-      notice _("Updated hosts: Assigned with compliance policy: %s") % policy.name
+      success _("Updated hosts: Assigned with compliance policy: %s") % policy.name
       # We prefer to go back as this does not lose the current search
       redirect_to hosts_path
     else
@@ -96,7 +96,7 @@ class PoliciesController < ApplicationController
     if (id = params.fetch(:policy, {})[:id])
       policy = ::ForemanOpenscap::Policy.find(id)
       policy.unassign_hosts(@hosts)
-      notice _("Updated hosts: Unassigned from compliance policy '%s'") % policy.name
+      success _("Updated hosts: Unassigned from compliance policy '%s'") % policy.name
     else
       error _('No valid policy ID provided')
     end

data/app/helpers/arf_reports_helper.rb

@@ -78,4 +78,10 @@ module ArfReportsHelper
     msg += _(" through %s") % openscap_proxy_link(arf_report)
     msg.html_safe
   end
+
+  def host_search_by_rule_result_buttons(source)
+    action_buttons(display_link_if_authorized(_('Hosts failing this rule'), hash_for_hosts_path(:search => "fails_xccdf_rule = #{source}")),
+                   display_link_if_authorized(_('Hosts passing this rule'), hash_for_hosts_path(:search => "passes_xccdf_rule = #{source}")),
+                   display_link_if_authorized(_('Hosts othering this rule'), hash_for_hosts_path(:search => "others_xccdf_rule = #{source}")))
+  end
 end

data/app/lib/proxy_api/openscap.rb

@@ -61,6 +61,14 @@ module ::ProxyAPI
       end
     end
 
+    def spool_status
+      parse(get('spool_errors'))
+    rescue => e
+      msg = "Failed to get spool status from proxy, cause: #{e.message}"
+      logger.error msg
+      {}
+    end
+
     private
 
     def timeout

data/app/models/concerns/foreman_openscap/compliance_status_scoped_search.rb

@@ -9,9 +9,9 @@ module ForemanOpenscap
       end
 
       def search_by_policy_name(_key, _operator, policy_name)
-        query = PolicyArfReport.of_policy(Policy.find_by(:name => policy_name))
+        scope = PolicyArfReport.of_policy(Policy.find_by(:name => policy_name))
                                .select(PolicyArfReport.arel_table[:arf_report_id]).to_sql
-        query_conditions query
+        query_conditions scope
       end
 
       def search_by_comply_with(_key, _operator, policy_name)
@@ -27,9 +27,21 @@ module ForemanOpenscap
       end
 
       def search_by_policy_results(policy_name, &selection)
-        query = ArfReport.of_policy(Policy.find_by(:name => policy_name).id)
-                         .instance_eval(&selection).select(ArfReport.arel_table[:id]).to_sql
-        query_conditions query
+        scope = ArfReport.of_policy(Policy.find_by(:name => policy_name).id)
+                         .instance_eval(&selection)
+        query_conditions_from_scope scope
+      end
+
+      def search_by_rule_failed(key, operator, rule_name)
+        search_by_rule rule_name, "fail"
+      end
+
+      def search_by_rule_passed(key, operator, rule_name)
+        search_by_rule rule_name, "pass"
+      end
+
+      def search_by_rule_othered(key, operator, rule_name)
+        search_by_rule rule_name, LogExtensions.othered_result_constants
       end
 
       def search_by_last_for(key, operator, by)
@@ -64,17 +76,54 @@ module ForemanOpenscap
                 when 'inconclusive'
                   ArfReport.othered
                 end
-        query_conditions scope.select(ArfReport.arel_table[:id]).to_sql
+        query_conditions_from_scope scope
+      end
+
+      def search_by_host_collection_name(key, operator, value)
+        scope = apply_condition(Host.joins(:host_collections),
+                                operator == '!= ',
+                                :katello_host_collections => { :name => value })
+        query_conditions_from_scope ForemanOpenscap::ArfReport.where(:host_id => scope)
       end
 
       private
 
+      def query_conditions_from_scope(scope)
+        query = scope.select(ArfReport.arel_table[:id]).to_sql
+        query_conditions query
+      end
+
       def query_conditions(query)
         { :conditions => "reports.id IN (#{query})" }
       end
+
+      def search_by_rule(rule_name, rule_result)
+        query = ArfReport.by_rule_result(rule_name, rule_result)
+                         .select(ArfReport.arel_table[:id]).to_sql
+
+        query_conditions query
+      end
+
+      def apply_condition(scope, negate, conditions)
+        if negate
+          scope.where.not(conditions)
+        else
+          scope.where(conditions)
+        end
+      end
     end
 
     included do
+      if ForemanOpenscap.with_katello?
+        has_one :lifecycle_environment, :through => :host
+
+        has_many :host_collections, :through => :host
+
+        scoped_search :relation => :lifecycle_environment, :on => :name, :complete_value => true, :rename => :lifecycle_environment
+        scoped_search :relation => :host_collections, :on => :name, :complete_value => true, :rename => :host_collection,
+                      :operators => ['= ', '!= '], :ext_method => :search_by_host_collection_name
+      end
+
       policy_search :compliance_policy
 
       policy_search :policy
@@ -93,12 +142,24 @@ module ForemanOpenscap
 
       scoped_search :relation => :openscap_proxy, :on => :name, :complete_value => true, :only_explicit => true, :rename => :openscap_proxy
 
+      scoped_search :relation => :sources, :on => :value, :complete_value => true, :rename => :xccdf_rule_name,
+                    :only_explicit => true, :operators => ['= ']
+
+      scoped_search :relation => :sources, :on => :value, :rename => :xccdf_rule_failed,
+                    :only_explicit => true, :operators => ['= '], :ext_method => :search_by_rule_failed
+
+      scoped_search :relation => :sources, :on => :value, :rename => :xccdf_rule_passed,
+                    :only_explicit => true, :operators => ['= '], :ext_method => :search_by_rule_passed
+
+      scoped_search :relation => :sources, :on => :value, :rename => :xccdf_rule_othered,
+                    :only_explicit => true, :operators => ['= '], :ext_method => :search_by_rule_othered
+
       scoped_search :on => :status, :rename => :compliance_status, :operators => ['= '],
-                          :ext_method => :search_by_compliance_status,
-                          :complete_value => { :compliant => ::ForemanOpenscap::ComplianceStatus::COMPLIANT,
-                                               :incompliant => ::ForemanOpenscap::ComplianceStatus::INCOMPLIANT,
-                                               :inconclusive => ::ForemanOpenscap::ComplianceStatus::INCONCLUSIVE },
-                          :validator => ->(value) { ['compliant', 'incompliant', 'inconclusive'].reduce(false) { |memo, item| memo || (item == value) } }
+                           :ext_method => :search_by_compliance_status,
+                           :complete_value => { :compliant => ::ForemanOpenscap::ComplianceStatus::COMPLIANT,
+                                                :incompliant => ::ForemanOpenscap::ComplianceStatus::INCOMPLIANT,
+                                                :inconclusive => ::ForemanOpenscap::ComplianceStatus::INCONCLUSIVE },
+                           :validator => ->(value) { ['compliant', 'incompliant', 'inconclusive'].reduce(false) { |memo, item| memo || (item == value) } }
     end
   end
 end

data/app/models/concerns/foreman_openscap/host_extensions.rb

@@ -22,6 +22,20 @@ module ForemanOpenscap
                     :complete_value => { :compliant => ::ForemanOpenscap::ComplianceStatus::COMPLIANT,
                                          :incompliant => ::ForemanOpenscap::ComplianceStatus::INCOMPLIANT,
                                          :inconclusive => ::ForemanOpenscap::ComplianceStatus::INCONCLUSIVE }
+
+      base.scoped_search :relation => :policies, :on => :name, :complete_value => { :true => true, :false => false },
+                         :only_explicit => true, :rename => :is_compliance_host, :operators => ['= '], :ext_method => :search_for_any_with_policy,
+                         :validator => ->(value) { ['true', 'false'].include? value }
+
+      base.scoped_search :on => :id, :rename => :passes_xccdf_rule,
+              :only_explicit => true, :operators => ['= '], :ext_method => :search_by_rule_passed
+
+      base.scoped_search :on => :id, :rename => :fails_xccdf_rule,
+              :only_explicit => true, :operators => ['= '], :ext_method => :search_by_rule_failed
+
+      base.scoped_search :on => :id, :rename => :others_xccdf_rule,
+              :only_explicit => true, :operators => ['= '], :ext_method => :search_by_rule_othered
+
       base.after_update :puppetrun!, :if => ->(host) { Setting[:puppetrun] && host.changed.include?('openscap_proxy_id') }
 
       base.scope :comply_with, lambda { |policy|
@@ -100,6 +114,33 @@ module ForemanOpenscap
     end
 
     module ClassMethods
+      def search_by_rule_passed(key, operator, rule_name)
+        search_by_rule rule_name, 'pass'
+      end
+
+      def search_by_rule_failed(key, operator, rule_name)
+        search_by_rule rule_name, 'fail'
+      end
+
+      def search_by_rule_othered(key, operator, rule_name)
+        search_by_rule rule_name, LogExtensions.othered_result_constants
+      end
+
+      def search_by_rule(rule_name, rule_result)
+        query = Host.joins(:arf_reports)
+                    .merge(ArfReport.latest
+                                    .by_rule_result(rule_name, rule_result)
+                                    .unscope(:order))
+                    .distinct
+                    .select(Host.arel_table[:id]).to_sql
+
+        query_conditions query
+      end
+
+      def query_conditions(query)
+        { :conditions => "hosts.id IN (#{query})" }
+      end
+
       def search_by_policy_name(key, operator, policy_name)
         cond = sanitize_sql_for_conditions(["foreman_openscap_policies.name #{operator} ?", value_to_sql(operator, policy_name)])
 
@@ -125,11 +166,16 @@ module ForemanOpenscap
         search_assigned_all cond, host_ids_from_arf_of_policy
       end
 
-      def search_assigned_all(condition, not_in_host_ids)
+      def search_for_any_with_policy(key, operator, value)
+        search_assigned_all nil, [], (value == "false")
+      end
+
+      def search_assigned_all(condition, not_in_host_ids, negate = false)
+        sql_not = negate ? "NOT" : ""
         direct_result = policy_assigned_directly_host_ids condition, not_in_host_ids
         hg_result = policy_assigned_using_hostgroup_host_ids condition, not_in_host_ids
         result = (direct_result + hg_result).uniq
-        { :conditions => "hosts.id IN (#{result.empty? ? 'NULL' : result.join(',')})" }
+        { :conditions => "hosts.id #{sql_not} IN (#{result.empty? ? 'NULL' : result.join(',')})" }
       end
 
       def policy_assigned_directly_host_ids(condition, host_ids_from_arf)

data/app/models/concerns/foreman_openscap/log_extensions.rb

@@ -6,6 +6,10 @@ module ForemanOpenscap
       validate :scap_result
     end
 
+    def self.othered_result_constants
+      SCAP_RESULT.reject { |item| item == "pass" || item == "fail" }
+    end
+
     private
 
     def scap_result

data/app/models/concerns/foreman_openscap/openscap_proxy_core_extensions.rb

@@ -40,7 +40,7 @@ module ForemanOpenscap
     end
 
     def destroy_scap_client_lookup_values(pairs)
-      pairs.values.map(&:destroy)
+      pairs.values.compact.map(&:destroy)
     end
 
     def update_scap_client_lookup_values(pairs, model_match, mapping)

data/app/models/foreman_openscap/arf_report.rb

@@ -59,6 +59,8 @@ module ForemanOpenscap
 
     scope :passed, lambda { where("(#{report_status_column} >> #{bit_mask 'passed'}) > 0").merge(not_failed).merge(not_othered) }
 
+    scope :by_rule_result, lambda { |rule_name, rule_result| joins(:sources).where(:sources => { :value => rule_name }, :logs => { :result => rule_result }) }
+
     def self.bit_mask(status)
       ComplianceStatus.bit_mask(status)
     end

data/app/services/proxy_status/openscap_spool.rb

@@ -0,0 +1,13 @@
+module ProxyStatus
+  class OpenscapSpool < Base
+    def spool_status
+      fetch_proxy_data do
+        api.spool_status
+      end
+    end
+
+    def self.humanized_name
+      'Openscap'
+    end
+  end
+end

data/app/validators/concerns/foreman_openscap/bookmark_controller_validator_extensions.rb

@@ -0,0 +1,19 @@
+module ForemanOpenscap
+  module BookmarkControllerValidatorExtensions
+    module ClassMethods
+      def valid_controllers_list
+        super + ActiveRecord::Base.connection
+                                  .tables
+                                  .map(&:to_s)
+                                  .select { |table| table.start_with? 'foreman_openscap_' }
+                                  .map { |table| table.sub('foreman_openscap_', '') }
+      end
+    end
+
+    def self.prepended(base)
+      class << base
+        prepend ClassMethods
+      end
+    end
+  end
+end

data/app/views/arf_reports/_output.html.erb

@@ -3,8 +3,9 @@
     <tr>
       <th><%= _("Severity") %></th>
       <th><%= _("Message") %></th>
-      <th><%= _("Resource") %></th>
-      <th><%= _("Result") %></th>
+      <th class="col-md-4"><%= _("Resource") %></th>
+      <th class="col-md-1"><%= _("Result") %></th>
+      <th class="col-md-1"><%= _("Actions") %></th>
     </tr>
   </thead>
   <tbody>
@@ -14,8 +15,9 @@
         <td>
           <%= render :partial => 'detailed_message', :locals => { :message => log.message } %>
         </td>
-        <td><%= h trunc_with_tooltip(log.source) %></td>
+        <td><%= log.source %></td>
         <td><span <%= result_tag log.result %>><%= h log.result %></span></td>
+        <td><%= host_search_by_rule_result_buttons(log.source) %></td>
       </tr>
     <% end %>
     <tr id='ntsh' <%= "style='display: none;'".html_safe if logs.size > 0%>>

data/app/views/compliance_hosts/show.html.erb

@@ -1,14 +1,16 @@
 <% javascript 'charts', 'dashboard', 'foreman_openscap/scap_hosts_show' %>
 
 <%= breadcrumbs(:resource_url => api_hosts_path,
-    :name_field => 'name',
-    :switchable => false,
-    :items => [
-      { :caption => _('Compliance Hosts') },
-      { :caption => (N_("%s compliance reports by policy") % @host.to_label) }
-    ])
+                :resource_filter => "is_compliance_host = true",
+                :name_field => 'name',
+                :switchable => true,
+                :items => [
+                  { :caption => _('Compliance Hosts'),
+                    :url => url_for(hosts_path(:search => "is_compliance_host = true")) },
+                  { :caption => ((N_("%s compliance reports by policy") % @host.to_label)),
+                    :url => (host_path(@host) if authorized_for(hash_for_host_path(@host))) }
+                ])
 %>
-
 <% title n_("%s compliance report by policy", "%s compliance reports by policy" , @host.combined_policies.length) % @host.to_label %>
 <% @host.combined_policies.each do |policy| %>
   <h2 class="center-block"><%= _('Policy %s') % policy %></h2>