foreman_openscap 0.11.5 → 0.12.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 476be55fdeeda480329624fd4ca562c93e33c370
-  data.tar.gz: 7d58930838e01c45d99fcd9b11444696c336eaa0
+  metadata.gz: 32dd2a50a02e9810d04dbb252858b165e734c999
+  data.tar.gz: 40bd3d5ca9a1f27d8904fb07298772d624ac8728
 SHA512:
-  metadata.gz: d2bac463d3ffd03167b30a84d38194d6a5a12e8d331c09a0cbe4dabbd2ad2c785652b4bfe2ed873bd1af80ed24aeb73bd36459e0db2ecc067af975a6777d013f
-  data.tar.gz: 4cc7c132c045f5baf2a30e92cbc9bc55f39e4ae4eea23c044f87c981057e38a82b55c4a52e6ad08d3dc406e79c425115636110877d945d7e6fb4c20897b7d5be
+  metadata.gz: 51df4d59920bcc1e1467837d08ec086c4a9f3d304d39836f38b57654b5b5dbdb1f298feb426454e39623eefe5d984f6f4e5dc9c9ee8efb3a462fa3b58d71715b
+  data.tar.gz: 9f8b8ae9ac001d65a8bdcd773c7d729129ae889b080412bb7cc346913919739c9f079cd0ac78d5f1619b97beacc4efcea341dee48e1990238d1f39e9dac162ea

data/app/controllers/api/v2/compliance/arf_reports_controller.rb

@@ -76,7 +76,9 @@ module Api
         private
 
         def respond_for_report(arf_report)
-          if arf_report.new_record?
+          if arf_report.nil?
+            upload_fail(_("Policy with id %s not found.") % params[:policy_id])
+          elsif arf_report.new_record?
             upload_fail arf_report.errors.full_messages.to_sentence
           else
             render :json => { :result => :ok, :id => arf_report.id.to_s }
@@ -89,11 +91,6 @@ module Api
         end
 
         def find_resources_before_create
-          unless ForemanOpenscap::Policy.where(:id => params[:policy_id]).any?
-            upload_fail(_("Policy with id %s not found.") % params[:policy_id])
-            return
-          end
-
           @asset = ForemanOpenscap::Helper::get_asset(params[:cname], params[:policy_id])
 
           unless @asset

data/app/controllers/api/v2/compliance/policies_controller.rb

@@ -49,6 +49,7 @@ module Api::V2
           param :host_ids, Array, :desc => N_('Apply policy to hosts')
           param :tailoring_file_id, Integer, :desc => N_('Tailoring file ID')
           param :tailoring_file_profile_id, Integer, :desc => N_('Tailoring file profile ID')
+          param :deploy_by, ForemanOpenscap::Policy.deploy_by_variants, :desc => N_('How the policy should be deployed')
           param_group :taxonomies, ::Api::V2::BaseController
         end
       end
@@ -58,7 +59,8 @@ module Api::V2
 
       def create
         @policy = ForemanOpenscap::Policy.new(policy_params)
-        process_response @policy.save
+        ForemanOpenscap::LookupKeyOverrider.new(@policy).override
+        process_response(@policy.errors.none? && @policy.save)
       end
 
       api :PUT, '/compliance/policies/:id', N_('Update a Policy')

data/app/controllers/concerns/foreman/controller/parameters/policy_api.rb

@@ -3,7 +3,7 @@ module Foreman::Controller::Parameters::PolicyApi
 
   class_methods do
     def filter_params_list
-      [:description, :name, :period, :scap_content_id, :scap_content_profile_id,
+      [:description, :name, :period, :scap_content_id, :scap_content_profile_id, :deploy_by,
        :weekday, :day_of_month, :cron_line, :tailoring_file_id, :tailoring_file_profile_id,
        :location_ids => [], :organization_ids => [], :hostgroup_ids => [], :host_ids => []]
     end

data/app/controllers/policies_controller.rb

@@ -32,9 +32,10 @@ class PoliciesController < ApplicationController
 
   def create
     @policy = ::ForemanOpenscap::Policy.new(policy_params)
+    ForemanOpenscap::LookupKeyOverrider.new(@policy).override if @policy.current_step?('Policy Attributes')
     if @policy.wizard_completed? && @policy.save
       process_success :success_redirect => policies_path
-    elsif @policy.valid?
+    elsif @policy.errors.none? && @policy.valid?
       render('new') && return
     else
       @policy.rewind_step

data/app/helpers/foreman_openscap_helper.rb

@@ -0,0 +1,14 @@
+module ForemanOpenscapHelper
+  def scap_doc_link(section = '', text = _('documentation'))
+    link_to(
+      text,
+      scap_doc_url(section),
+      :rel => 'external noopener noreferrer', :target => '_blank'
+    )
+  end
+
+  def scap_doc_url(section = '')
+    version = ForemanOpenscap::VERSION.split('.')[0..-2].join('.')
+    "https://theforeman.org/plugins/foreman_openscap/#{version}/index.html#{section}"
+  end
+end

data/app/helpers/policies_helper.rb

@@ -9,6 +9,42 @@ module PoliciesHelper
     policy.scap_content_profile.nil? ? "Default" : policy.scap_content_profile.title
   end
 
+  def deploy_by_radios(f, policy)
+    ForemanOpenscap::ConfigNameService.new.configs.map do |tool|
+      popover_block = popover("", config_inline_help(tool.inline_help))
+
+      label = label_tag('', :class => 'col-md-2 control-label') do
+        tool.type.to_s.capitalize.html_safe + ' ' + popover_block.html_safe
+      end
+
+      radio = content_tag(:div, :class => "col-md-2") do
+        f.radio_button(:deploy_by, tool.type, :disabled => !tool.available?, :checked => deploy_by_radio_checked(policy, tool))
+      end
+
+      content_tag(:div, :class => "clearfix") do
+        content_tag(:div, :class => "form-group") do
+          label.html_safe + radio.html_safe
+        end
+      end
+    end.join('').html_safe
+  end
+
+  def config_inline_help(help_hash)
+    link = if help_hash[:route_helper_method]
+             link_to_if_authorized help_hash[:replace_text], public_send(help_hash[:route_helper_method])
+           else
+             help_hash[:replace_text]
+           end
+    text = help_hash[:text]
+    text = text.split(help_hash[:replace_text], 2).join(link) if help_hash.key?(:replace_text)
+    text.html_safe
+  end
+
+  def deploy_by_radio_checked(policy, tool)
+    type = policy.deploy_by ? policy.deploy_by.to_sym : :puppet
+    tool.type == type
+  end
+
   def effective_policy_profile(policy)
     policy.tailoring_file ? policy.tailoring_file_profile.title : policy_profile_from_scap_content(policy)
   end

data/app/models/concerns/foreman_openscap/host_extensions.rb

@@ -36,7 +36,11 @@ module ForemanOpenscap
       base.scoped_search :on => :id, :rename => :others_xccdf_rule,
               :only_explicit => true, :operators => ['= '], :ext_method => :search_by_rule_othered
 
-      base.after_update :puppetrun!, :if => ->(host) { Setting[:puppetrun] && host.changed.include?('openscap_proxy_id') }
+      base.after_update :puppetrun!, :if => ->(host) do
+        Setting[:puppetrun] &&
+        host.changed.include?('openscap_proxy_id') &&
+        (host.individual_puppetclasses + host.parent_classes).pluck(:name).include?(ClientConfig::Puppet.new.puppetclass_name)
+      end
 
       base.scope :comply_with, lambda { |policy|
         joins(:arf_reports).merge(ArfReport.latest_of_policy(policy)).merge(ArfReport.passed)

data/app/models/concerns/foreman_openscap/openscap_proxy_core_extensions.rb

@@ -4,22 +4,28 @@ module ForemanOpenscap
 
     included do
       validate :openscap_proxy_has_feature
-      validate :scap_client_class_present
       after_save :update_scap_client
     end
 
     def update_scap_client
-      update_scap_client_params if openscap_proxy_id_previously_changed?
+      name_service = ConfigNameService.new
+      if openscap_proxy_id_previously_changed?
+        model_match = self.class.name.underscore =~ /\Ahostgroup\z/ ? "hostgroup" : "fqdn"
+        name_service.all_available_except(:manual).each do |config|
+          update_client_params(model_match, config)
+        end
+      end
     end
 
-    def update_scap_client_params
-      model_match = self.class.name.underscore =~ /\Ahostgroup\z/ ? "hostgroup" : "fqdn"
-      scap_params = find_scap_client.class_params
-      server_lookup_key = scap_params.find { |param| param.key == "server" }
-      port_lookup_key = scap_params.find { |param| param.key == "port" }
-      pairs = scap_client_lookup_values_for([server_lookup_key, port_lookup_key], model_match)
+    def update_client_params(model_match, config)
+      client_item = config.find_config_item self.public_send(config.collection_method)
+      return unless client_item
+      lookup_keys = client_item.public_send(config.override_method_name)
+      server_key = lookup_keys.find { |param| param.key == config.server_param }
+      port_key = lookup_keys.find { |param| param.key == config.port_param }
+      pairs = scap_client_lookup_values_for([server_key, port_key], model_match)
       if openscap_proxy_id
-        mapping = { "server" => openscap_proxy.hostname, "port" => openscap_proxy.port }
+        mapping = { config.server_param => openscap_proxy.hostname, config.port_param => openscap_proxy.port }
         update_scap_client_lookup_values(pairs, model_match, mapping)
       else
         destroy_scap_client_lookup_values pairs
@@ -54,10 +60,6 @@ module ForemanOpenscap
       end
     end
 
-    def find_scap_client
-      Puppetclass.find_by(name: "foreman_scap_client")
-    end
-
     def lookup_matcher(model_match)
       model_match == "fqdn" ? "#{model_match}=#{name}" : "#{model_match}=#{title}"
     end
@@ -65,11 +67,5 @@ module ForemanOpenscap
     def openscap_proxy_has_feature
       errors.add(:openscap_proxy_id, _("must have Openscap feature")) if openscap_proxy_id && !openscap_proxy.has_feature?("Openscap")
     end
-
-    def scap_client_class_present
-      if changed.include?('openscap_proxy_id') && self.respond_to?(:openscap_proxy_id) && openscap_proxy_id
-        errors.add(:openscap_proxy_id, _("Puppet class 'foreman_scap_client' not found, make sure it is imported from Puppet master")) unless find_scap_client
-      end
-    end
   end
 end

data/app/models/foreman_openscap/policy.rb

@@ -16,18 +16,18 @@ module ForemanOpenscap
     has_many :assets, :through => :asset_policies, :as => :assetable, :dependent => :destroy
 
     scoped_search :on => :name, :complete_value => true
-
-    SCAP_PUPPET_CLASS        = 'foreman_scap_client'.freeze
-    POLICIES_CLASS_PARAMETER = 'policies'.freeze
-    SERVER_CLASS_PARAMETER   = 'server'.freeze
-    PORT_CLASS_PARAMETER     = 'port'.freeze
-
     before_validation :update_period_attrs
 
-    validates :name, :presence => true, :uniqueness => true, :length => { :maximum => 255 }
-    validate :ensure_needed_puppetclasses
+    def self.deploy_by_variants
+      %w[puppet ansible manual]
+    end
+
+    validates :name, :presence => true, :uniqueness => true, :length => { :maximum => 255 },
+                     :if => Proc.new { |policy| policy.should_validate?('Policy Attributes') }
     validates :period, :inclusion => { :in => %w[weekly monthly custom], :message => _('is not a valid value') },
                        :if => Proc.new { |policy| policy.should_validate?('Schedule') }
+    validates :deploy_by, :inclusion => { :in => Policy.deploy_by_variants },
+                          :if => Proc.new { |policy| policy.should_validate?('Deployment Options') }
 
     validates :scap_content_id, presence: true, if: Proc.new { |policy| policy.should_validate?('SCAP Content') }
     validate :matching_content_profile, if: Proc.new { |policy| policy.should_validate?('SCAP Content') }
@@ -97,7 +97,7 @@ module ForemanOpenscap
     end
 
     def steps
-      base_steps = [N_('Create policy'), N_('SCAP Content'), N_('Schedule')]
+      base_steps = [N_('Deployment Options'), N_('Policy Attributes'), N_('SCAP Content'), N_('Schedule')]
       base_steps << N_('Locations') if SETTINGS[:locations_enabled]
       base_steps << N_('Organizations') if SETTINGS[:organizations_enabled]
       base_steps << N_('Hostgroups') # always be last.
@@ -123,6 +123,10 @@ module ForemanOpenscap
       current_step == steps.first
     end
 
+    def current_step?(step_name)
+      current_step == step_name
+    end
+
     def last_step?
       current_step == steps.last
     end
@@ -246,49 +250,6 @@ module ForemanOpenscap
       (Date::DAYS_INTO_WEEK.with_indifferent_access[weekday] + 1) % 7
     end
 
-    def ensure_needed_puppetclasses
-      unless puppetclass = Puppetclass.find_by(name: SCAP_PUPPET_CLASS)
-        errors[:base] << _("Required Puppet class %{class} is not found, please ensure it imported first.") % { :class => SCAP_PUPPET_CLASS }
-        return false
-      end
-
-      return false unless override_policies_param(puppetclass)
-      return false unless override_port_param(puppetclass)
-      return false unless override_server_param(puppetclass)
-    end
-
-    def override_policies_param(puppetclass)
-      override_param(puppetclass, POLICIES_CLASS_PARAMETER) do |param|
-        param.key_type      = 'array'
-        param.default_value = '<%= @host.policies_enc %>'
-      end
-    end
-
-    def override_port_param(puppetclass)
-      override_param puppetclass, PORT_CLASS_PARAMETER
-    end
-
-    def override_server_param(puppetclass)
-      override_param puppetclass, SERVER_CLASS_PARAMETER
-    end
-
-    def override_param(puppetclass, param_name)
-      unless param = puppetclass.class_params.find_by(key: param_name)
-        errors[:base] << _("Puppet class %{class} does not have %{parameter} class parameter.") % { :class => SCAP_PUPPET_CLASS, :parameter => param_name }
-        return
-      end
-
-      param.override = true
-
-      yield param if block_given?
-
-      if param.changed? && !param.save
-        errors[:base] << _("%{parameter} class parameter for class %{class} could not be configured.") % { :class => SCAP_PUPPET_CLASS, :parameter => param_name }
-        return
-      end
-      param
-    end
-
     def cron_line_split
       cron_line.to_s.split(' ')
     end
@@ -329,13 +290,7 @@ module ForemanOpenscap
     end
 
     def assign_policy_to_hostgroups
-      if hostgroups.any?
-        puppetclass = find_scap_puppetclass
-        hostgroups.each do |hostgroup|
-          hostgroup.puppetclasses << puppetclass unless hostgroup.puppetclasses.include? puppetclass
-          populate_overrides(puppetclass, hostgroup)
-        end
-      end
+      HostgroupOverrider.new(self).populate
     end
 
     def profile_for_scan
@@ -348,27 +303,6 @@ module ForemanOpenscap
       end
     end
 
-    def find_scap_puppetclass
-      Puppetclass.find_by(name: SCAP_PUPPET_CLASS)
-    end
-
-    def populate_overrides(puppetclass, hostgroup)
-      puppetclass.class_params.where(:override => true).find_each do |override|
-        next unless hostgroup.puppet_proxy && (url = hostgroup.puppet_proxy.url).present?
-
-        case override.key
-        when SERVER_CLASS_PARAMETER
-          lookup_value      = LookupValue.where(:match => "hostgroup=#{hostgroup.to_label}", :lookup_key_id => override.id).first_or_initialize
-          puppet_proxy_fqdn = URI.parse(url).host
-          lookup_value.update_attribute(:value, puppet_proxy_fqdn)
-        when PORT_CLASS_PARAMETER
-          lookup_value      = LookupValue.where(:match => "hostgroup=#{hostgroup.to_label}", :lookup_key_id => override.id).first_or_initialize
-          puppet_proxy_port = URI.parse(url).port
-          lookup_value.update_attribute(:value, puppet_proxy_port)
-        end
-      end
-    end
-
     def assign_ids(ids, class_name)
       new_assets = ids.reject { |id| id.respond_to?(:empty?) && id.empty? }.reduce([]) do |memo, id|
         memo << assets.where(:assetable_type => class_name, :assetable_id => id).first_or_initialize

data/app/services/foreman_openscap/client_config/ansible.rb

@@ -0,0 +1,38 @@
+module ForemanOpenscap
+  module ClientConfig
+    class Ansible < Base
+      delegate :ansible_role_name, :to => :constants
+
+      alias config_item_name ansible_role_name
+
+      def type
+        :ansible
+      end
+
+      def available?
+        defined?(ForemanAnsible)
+      end
+
+      def inline_help
+        {
+          :text => "Requires Ansible plugin, #{ansible_role_name} Ansible role and variables. This will assign the role to the hosts or selected hostgroups.<br>To deploy foreman_scap_client, ansible roles run needs to be triggered manually. Manual run is also required after any change to this policy.",
+          :replace_text => 'Ansible role',
+          :route_helper_method => :hash_for_ansible_roles_path
+        }
+      end
+
+      def constants
+        OpenStruct.new(
+          :server_param => 'foreman_scap_client_server',
+          :port_param => 'foreman_scap_client_port',
+          :policies_param => 'foreman_scap_client_policies',
+          :ansible_role_name => 'theforeman.foreman_scap_client',
+          :config_item_class_name => 'AnsibleRole',
+          :override_method_name => 'ansible_variables',
+          :msg_name => _('Ansible role'),
+          :lookup_key_plural_name => _('Ansible variables')
+        )
+      end
+    end
+  end
+end

data/app/services/foreman_openscap/client_config/base.rb

@@ -0,0 +1,41 @@
+module ForemanOpenscap
+  module ClientConfig
+    class Base
+      delegate :server_param, :port_param, :policies_param, :config_item_name,
+               :config_item_class_name, :override_method_name, :msg_name,
+               :lookup_key_plural_name, :to => :constants
+
+      def type
+        raise NotImplementedError
+      end
+
+      def inline_help
+        {
+          :text => '',
+          :replace_text => '',
+          :route_helper_method => nil
+        }
+      end
+
+      def managed_overrides?
+        true
+      end
+
+      def available?
+        raise NotImplementedError
+      end
+
+      def constants
+        raise NotImplementedError
+      end
+
+      def collection_method
+        constants.config_item_class_name&.pluralize&.underscore
+      end
+
+      def find_config_item(scope = config_item_class_name.constantize)
+        scope.find_by :name => config_item_name
+      end
+    end
+  end
+end

data/app/services/foreman_openscap/client_config/manual.rb

@@ -0,0 +1,27 @@
+module ForemanOpenscap
+  module ClientConfig
+    class Manual < Base
+      def type
+        :manual
+      end
+
+      def available?
+        true
+      end
+
+      def inline_help
+        {
+          :text => "This leaves the setup of the foreman_scap_client solely on the user. The policy still needs to be defined in order to link incoming ARF reports."
+        }
+      end
+
+      def constants
+        OpenStruct.new
+      end
+
+      def managed_overrides?
+        false
+      end
+    end
+  end
+end