foreman_scap_client 0.4.7 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 613e57e5fe5d504abb771c1924649c18d3a01869e3d75fbf33c4d2078647dcaa
-  data.tar.gz: f5d061fd7061174a3ce2dd92348371a9cb672781b428950ccc7add94b1fa8b69
+  metadata.gz: 83d36963b277620c532c048595b0bc57f024918bcf0ee44073930bd0297b4b56
+  data.tar.gz: 9acaf0257a5c1b18ab6f096a2f4025e8d5732ee4e7a45ef195853fe70ab9dd55
 SHA512:
-  metadata.gz: 6e7d76224ae9440cad7ba6592a0aee99909ec7be581e1da4bc9310b74161504127b9631148bd5371bc7616718eac76b64a6565c04250c0488ac24d2db5860104
-  data.tar.gz: 2c6a1f7531f5a996847718255dca2e3bf4d1d5b091242402e71748450e3971ead373031217b3ce9b96d84aa568018374aacf37943786943db4becf068150d922
+  metadata.gz: 4d68a98ce43eb6ebae0f268a56c1ca87d2f84748e783c1bfda80ffbf170cf4443929b32543d9a30da85a6c554ff7b2952a275a90f98b521c63cae63ff562ebad
+  data.tar.gz: fc864752d527e1118ed4f4a147921ea4b5dd5c49f995e298a10a9400561f7df2bbf2a88bb8137a9c9262b781d791aad4fea672b652a1692d63e075aa3199e777

data/bin/foreman_scap_client

@@ -2,11 +2,22 @@
 require 'rubygems'
 require 'foreman_scap_client'
 
-if ARGV.size != 1
-  puts "Usage: #{$0} policy_id"
-  puts "  where policy_id is a key used in config file"
-  exit 2
+if ARGV.last == '--skip-upload'
+  skip_upload = true
+  args = ARGV[0...-1]
 else
-  ForemanScapClient::Client.new.run(ARGV[0].to_i)
+  skip_upload = false
+  args = ARGV
 end
 
+if args.size == 1
+  ForemanScapClient::Client.new.run(args[0].to_i, skip_upload)
+elsif args.size == 2 && args[0] == 'ds'
+  ForemanScapClient::Client.new.run(args[1].to_i, skip_upload)
+elsif args.size == 2 && args[0] == 'oval'
+  ForemanScapClient::OvalClient.new.run(args[1].to_i, skip_upload)
+else
+  puts "Usage: #{$0} [ds | oval] policy_id [--skip-upload]"
+  puts "  where policy_id is a key used in config file"
+  exit 2
+end

data/config/config.yaml.example

@@ -33,3 +33,7 @@
 2:
   :profile: 'xccdf_org.ssgproject.content_profile_common'
   :content_path: '/usr/share/xml/scap/ssg/fedora/ssg-fedora-ds.xml'
+
+:oval:
+  3:
+    :content_path: '/var/lib/openscap/oval_content/ansible-2.9.oval.xml.bz2'

data/lib/foreman_scap_client.rb

@@ -1,2 +1,3 @@
 require "foreman_scap_client/version"
 require "foreman_scap_client/client"
+require "foreman_scap_client/oval_client"

data/lib/foreman_scap_client/base_client.rb

@@ -0,0 +1,240 @@
+require 'rubygems' if RUBY_VERSION.start_with? '1.8'
+require 'yaml'
+require 'tmpdir'
+require 'net/http'
+require 'net/https'
+require 'uri'
+require 'open-uri'
+require 'open3'
+require 'json'
+
+module ForemanScapClient
+  class BaseClient
+    attr_reader :policy_id, :config
+
+    CONFIG_FILE = '/etc/foreman_scap_client/config.yaml'
+
+    def run(policy_id, skip_upload = false)
+      @policy_id = policy_id
+      load_config
+      ensure_scan_files
+      run_in_tmpdir skip_upload
+    end
+
+    private
+
+    def ensure_scan_files
+      raise NotImplementedError
+    end
+
+    def policy_namespace
+      raise NotImplementedError
+    end
+
+    def upload_uri
+      raise NotImplementedError
+    end
+
+    def scan_command
+      raise NotImplementedError
+    end
+
+    def run_in_tmpdir(skip_upload)
+      if skip_upload
+        @tmp_dir = Dir.mktmpdir
+        scan
+        bzip
+      else
+        Dir.mktmpdir do |dir|
+          @tmp_dir = dir
+          scan
+          bzip
+          upload
+        end
+      end
+    end
+
+    def policy_from_config
+      config && config[policy_namespace] && config[policy_namespace][@policy_id]
+    end
+
+    def load_config
+      @config ||= YAML.load_file(CONFIG_FILE)
+      ensure_policy_exists
+    rescue => e
+      puts 'Config file could not be loaded'
+      puts e.message
+      exit(1)
+    end
+
+    def scan
+      puts "DEBUG: running: " + scan_command
+      puts "with ENV vars: #{scan_command_env_vars}" unless scan_command_env_vars.empty?
+
+      if RUBY_VERSION.start_with? '1.8'
+        legacy_run_scan
+      else
+        run_scan
+      end
+    end
+
+    def run_scan
+      stdout_str, error_str, result = Open3.capture3(scan_command_env_vars, scan_command)
+      if result.success? || result.exitstatus == 2
+        puts error_str.split("\n").select { |item| item.start_with?('WARNING:') || item.start_with?('Downloading') }.join("\n")
+        @report = results_path
+      else
+        puts 'Scan failed'
+        puts stdout_str
+        puts error_str
+        exit(2)
+      end
+    end
+
+    def legacy_run_scan
+      warn_proxy_not_supported
+      result = `#{scan_command}`
+
+      if $?.success? || $?.exitstatus == 2
+        @report = results_path
+      else
+        puts 'Scan failed'
+        puts result
+        exit(2)
+      end
+    end
+
+    def scan_command_env_vars
+      if http_proxy_uri
+        {
+          'HTTP_PROXY'  => http_proxy_uri,
+          'HTTPS_PROXY' => http_proxy_uri
+        }
+      else
+        {}
+      end
+    end
+
+    def http_proxy_uri
+      return nil unless config[:http_proxy_server] && config[:http_proxy_port]
+      http_proxy_server = config[:http_proxy_server]
+      http_proxy_port   = config[:http_proxy_port]
+      "http://#{http_proxy_server}:#{http_proxy_port}"
+    end
+
+    def results_path
+      "#{@tmp_dir}/results.xml"
+    end
+
+    def results_bzip_path
+      "#{results_path}.bz2"
+    end
+
+    def warn_proxy_not_supported
+      puts 'Configuration for HTTP(S) proxy found but not supported for ruby 1.8' if http_proxy_uri
+    end
+
+    def bzip_command
+      "/usr/bin/env bzip2 #{results_path}"
+    end
+
+    def bzip
+      puts 'DEBUG: running: ' + bzip_command
+      result = `#{bzip_command}`
+      if !$?.success?
+        puts 'bzip failed'
+        puts results
+        exit(2)
+      end
+    end
+
+    def upload
+      uri = URI.parse(upload_uri)
+      puts "Uploading results to #{uri}"
+      https = generate_https_object(uri)
+      https.read_timeout = config[:timeout] if config[:timeout]
+      request = Net::HTTP::Post.new uri.path
+      request.body = File.read(results_bzip_path)
+      request['Content-Type'] = 'text/xml'
+      request['Content-Encoding'] = 'x-bzip2'
+      begin
+        res = https.request(request)
+        value = res.value
+        foreman_upload_result res
+      rescue StandardError => e
+        puts res.body if res
+        puts "Upload failed: #{e.message}"
+        exit(4)
+      end
+    end
+
+    def foreman_proxy_uri
+      foreman_proxy_fqdn = config[:server]
+      foreman_proxy_port = config[:port]
+      "https://#{foreman_proxy_fqdn}:#{foreman_proxy_port}"
+    end
+
+    def generate_https_object(uri)
+      https = Net::HTTP.new(uri.host, uri.port)
+      https.use_ssl = true
+      https.ciphers = config[:ciphers] if config[:ciphers]
+      https.verify_mode = OpenSSL::SSL::VERIFY_PEER
+      https.ca_file = config[:ca_file]
+      begin
+        https.cert = OpenSSL::X509::Certificate.new File.read(config[:host_certificate])
+        https.key = OpenSSL::PKey::RSA.new File.read(config[:host_private_key])
+      rescue StandardError => e
+        puts 'Unable to load certs'
+        puts e.message
+        exit(3)
+      end
+      https
+    end
+
+    def ensure_policy_exists
+      if policy_from_config.nil?
+        puts "Policy id #{@policy_id} not found."
+        exit(1)
+      end
+    end
+
+    def ensure_file(dir, download_path, type_humanized)
+      return if File.exist?(policy_from_config[dir])
+      puts "File #{policy_from_config[dir]} is missing. Downloading it from proxy."
+      begin
+        FileUtils.mkdir_p(File.dirname(policy_from_config[dir]))
+        uri = URI.parse(download_uri(policy_from_config[download_path]))
+        puts "Download #{type_humanized} xml from: #{uri}"
+        request = generate_https_object(uri).get(uri.path)
+        request.value
+        content_xml = request.body
+        open(policy_from_config[dir], 'wb') do |file|
+          file << content_xml
+        end
+      rescue StandardError => e
+        puts "#{type_humanized} is missing and download failed with error: #{e.message}"
+        exit(5)
+      end
+    end
+
+    def download_uri(download_path)
+      foreman_proxy_uri + "#{download_path}"
+    end
+
+    def foreman_upload_result(response)
+      begin
+        print_upload_result JSON.parse(response.body)
+      rescue StandardError => e
+        # rescue and print nothing if older proxy version does not respond with json we expect
+      end
+    end
+
+    def print_upload_result(parsed)
+      if parsed['id']
+        puts "Report uploaded, report id: #{parsed['id']}"
+      else
+        puts "Report not uploaded from proxy to Foreman server, cause: #{parsed['result']}"
+      end
+    end
+  end
+end

data/lib/foreman_scap_client/client.rb

@@ -1,109 +1,28 @@
-require 'rubygems' if RUBY_VERSION.start_with? '1.8'
-require 'yaml'
-require 'tmpdir'
-require 'net/http'
-require 'net/https'
-require 'uri'
-require 'open-uri'
-require 'open3'
-require 'json'
+require 'foreman_scap_client/base_client'
 
 module ForemanScapClient
-  CONFIG_FILE = '/etc/foreman_scap_client/config.yaml'
-
-  class Client
-    attr_reader :config, :policy_id, :tailored
-
-    def run(policy_id)
-      @policy_id = policy_id
-      load_config
-      ensure_scan_file
-      ensure_tailoring_file
-      Dir.mktmpdir do |dir|
-        @tmp_dir = dir
-        scan
-        bzip
-        upload
-      end
-    end
+  class Client < BaseClient
+    attr_reader :tailored
 
     private
 
-    def warn_proxy_not_supported
-      puts 'Configuration for HTTP(S) proxy found but not supported for ruby 1.8' if http_proxy_uri
-    end
-
-    def load_config
-      @config ||= YAML.load_file(CONFIG_FILE)
-      ensure_policy_exist
-      @tailored = @config[policy_id][:tailoring_path] && !@config[policy_id][:tailoring_path].empty?
-    rescue => e
-      puts 'Config file could not be loaded'
-      puts e.message
-      exit(1)
+    def policy_namespace
+      :ds
     end
 
-    def scan
-      puts "DEBUG: running: " + scan_command
-      puts "with ENV vars: #{scan_command_env_vars}" unless scan_command_env_vars.empty?
-
-      if RUBY_VERSION.start_with? '1.8'
-        legacy_run_scan
-      else
-        run_scan
-      end
+    # remove when we have made changes to puppet module/ansible role to start namespacing existing ds policies in config
+    def policy_from_config
+      super || @config[policy_id]
     end
 
-    def run_scan
-      stdout_str, error_str, result = Open3.capture3(scan_command_env_vars, scan_command)
-      if result.success? || result.exitstatus == 2
-        puts error_str.split("\n").select { |item| item.start_with?('WARNING:') || item.start_with?('Downloading') }.join("\n")
-        @report = results_path
-      else
-        puts 'Scan failed'
-        puts stdout_str
-        puts error_str
-        exit(2)
-      end
+    def ensure_policy_exists
+      super
+      @tailored = policy_from_config[:tailoring_path] && !policy_from_config[:tailoring_path].empty?
     end
 
-    def legacy_run_scan
-      warn_proxy_not_supported
-      result = `#{scan_command}`
-
-      if $?.success? || $?.exitstatus == 2
-        @report = results_path
-      else
-        puts 'Scan failed'
-        puts result
-        exit(2)
-      end
-    end
-
-    def scan_command_env_vars
-      if http_proxy_uri
-        {
-          'HTTP_PROXY'  => http_proxy_uri,
-          'HTTPS_PROXY' => http_proxy_uri
-        }
-      else
-        {}
-      end
-    end
-
-    def http_proxy_uri
-      return nil unless config[:http_proxy_server] && config[:http_proxy_port]
-      http_proxy_server = config[:http_proxy_server]
-      http_proxy_port   = config[:http_proxy_port]
-      "http://#{http_proxy_server}:#{http_proxy_port}"
-    end
-
-    def results_path
-      "#{@tmp_dir}/results.xml"
-    end
-
-    def results_bzip_path
-      "#{results_path}.bz2"
+    def ensure_scan_files
+      ensure_scan_file
+      ensure_tailoring_file if tailored
     end
 
     def scan_command
@@ -124,120 +43,17 @@ module ForemanScapClient
       tailored ? "--tailoring-file #{config[policy_id][:tailoring_path]}" : ""
     end
 
-    def bzip_command
-      "/usr/bin/env bzip2 #{results_path}"
-    end
-
-    def bzip
-      puts 'DEBUG: running: ' + bzip_command
-      result = `#{bzip_command}`
-      if !$?.success?
-        puts 'bzip failed'
-        puts results
-        exit(2)
-      end
-    end
-
-    def upload
-      uri = URI.parse(upload_uri)
-      puts "Uploading results to #{uri}"
-      https = generate_https_object(uri)
-      https.read_timeout = config[:timeout] if config[:timeout]
-      request = Net::HTTP::Post.new uri.path
-      request.body = File.read(results_bzip_path)
-      request['Content-Type'] = 'text/xml'
-      request['Content-Encoding'] = 'x-bzip2'
-      begin
-        res = https.request(request)
-        value = res.value
-        foreman_upload_result res
-      rescue StandardError => e
-        puts res.body if res
-        puts "Upload failed: #{e.message}"
-        exit(4)
-      end
-    end
 
     def upload_uri
       foreman_proxy_uri + "/compliance/arf/#{@policy_id}"
     end
 
-    def foreman_proxy_uri
-      foreman_proxy_fqdn = config[:server]
-      foreman_proxy_port = config[:port]
-      "https://#{foreman_proxy_fqdn}:#{foreman_proxy_port}"
-    end
-
-    def generate_https_object(uri)
-      https = Net::HTTP.new(uri.host, uri.port)
-      https.use_ssl = true
-      https.ciphers = config[:ciphers] if config[:ciphers]
-      https.verify_mode = OpenSSL::SSL::VERIFY_PEER
-      https.ca_file = config[:ca_file]
-      begin
-        https.cert = OpenSSL::X509::Certificate.new File.read(config[:host_certificate])
-        https.key = OpenSSL::PKey::RSA.new File.read(config[:host_private_key])
-      rescue StandardError => e
-        puts 'Unable to load certs'
-        puts e.message
-        exit(3)
-      end
-      https
-    end
-
-    def ensure_policy_exist
-      if config[@policy_id].nil?
-        puts "Policy id #{@policy_id} not found."
-        exit(1)
-      end
-    end
-
-    def ensure_file(dir, download_path, type_humanized)
-      return if File.exist?(config[policy_id][dir])
-      puts "File #{config[policy_id][dir]} is missing. Downloading it from proxy."
-      begin
-        FileUtils.mkdir_p(File.dirname(config[policy_id][dir]))
-        uri = URI.parse(download_uri(config[policy_id][download_path]))
-        puts "Download #{type_humanized} xml from: #{uri}"
-        request = generate_https_object(uri).get(uri.path)
-        request.value
-        ds_content_xml = request.body
-        open(config[policy_id][dir], 'wb') do |file|
-          file << ds_content_xml
-        end
-      rescue StandardError => e
-        puts "#{type_humanized} is missing and download failed with error: #{e.message}"
-        exit(5)
-      end
-    end
-
     def ensure_scan_file
       ensure_file :content_path, :download_path, "SCAP content"
     end
 
     def ensure_tailoring_file
-      return unless tailored
       ensure_file :tailoring_path, :tailoring_download_path, "Tailoring file"
     end
-
-    def download_uri(download_path)
-      foreman_proxy_uri + "#{download_path}"
-    end
-
-    def foreman_upload_result(response)
-      begin
-        print_upload_result JSON.parse(response.body)
-      rescue StandardError => e
-        # rescue and print nothing if older proxy version does not respond with json we expect
-      end
-    end
-
-    def print_upload_result(parsed)
-      if parsed['id']
-        puts "Report uploaded, report id: #{parsed['id']}"
-      else
-        puts "Report not uploaded from proxy to Foreman server, cause: #{parsed['result']}"
-      end
-    end
   end
 end

data/lib/foreman_scap_client/oval_client.rb

@@ -0,0 +1,31 @@
+require 'foreman_scap_client/base_client'
+
+module ForemanScapClient
+  class OvalClient < BaseClient
+    private
+
+    def policy_namespace
+      :oval
+    end
+
+    def ensure_scan_files
+      ensure_file :content_path, :download_path, "OVAL content"
+    end
+
+    def upload_uri
+      foreman_proxy_uri + "/compliance/oval_reports/#{@policy_id}"
+    end
+
+    def scan_command
+      "oscap oval eval --results #{results_path} #{policy_from_config[:content_path]}"
+    end
+
+    def print_upload_result(parsed)
+      if parsed['reported_at']
+        puts "Report successfully uploaded at #{parsed['reported_at']}"
+      else
+        puts "Report not uploaded, cause: #{parsed['result']}"
+      end
+    end
+  end
+end

data/lib/foreman_scap_client/version.rb

@@ -1,3 +1,3 @@
 module ForemanScapClient
-  VERSION = "0.4.7"
+  VERSION = "0.5.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: foreman_scap_client
 version: !ruby/object:Gem::Version
-  version: 0.4.7
+  version: 0.5.0
 platform: ruby
 authors:
 - Marek Hulan
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-07-17 00:00:00.000000000 Z
+date: 2021-05-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -56,7 +56,9 @@ files:
 - bin/foreman_scap_client
 - config/config.yaml.example
 - lib/foreman_scap_client.rb
+- lib/foreman_scap_client/base_client.rb
 - lib/foreman_scap_client/client.rb
+- lib/foreman_scap_client/oval_client.rb
 - lib/foreman_scap_client/version.rb
 homepage: https://github.com/openscap/foreman_scap_client
 licenses: