hybrid_platforms_conductor 32.3.6

data/lib/hybrid_platforms_conductor/hpc_plugins/test/spectre.rb

@@ -0,0 +1,56 @@
+module HybridPlatformsConductor
+
+  module HpcPlugins
+
+    module Test
+
+      # Test that the vulnerabilities Spectre and Meltdown are patched
+      class Spectre < HybridPlatformsConductor::Test
+
+        VULNERABILITIES_TO_CHECK = {
+          'CVE-2017-5753' => 'Spectre Variant 1',
+          'CVE-2017-5715' => 'Spectre Variant 2',
+          'CVE-2017-5754' => 'Meltdown'
+        }
+
+        SPECTRE_CMD = <<~EOS
+          sudo /bin/bash <<'EOAction'
+          #{File.read("#{__dir__}/spectre-meltdown-checker.sh")}
+          EOAction
+        EOS
+
+        # Check my_test_plugin.rb.sample documentation for signature details.
+        def test_on_node
+          {
+            SPECTRE_CMD => {
+              validator: proc do |stdout|
+                VULNERABILITIES_TO_CHECK.each do |id, name|
+                  id_regexp = /#{Regexp.escape(id)}/
+                  status_idx = stdout.index { |line| line =~ id_regexp }
+                  if status_idx.nil?
+                    error "Unable to find vulnerability section #{id}"
+                  else
+                    while !stdout[status_idx].nil? && !(stdout[status_idx] =~ /STATUS:[^A-Z]+([A-Z ]+)/)
+                      status_idx += 1
+                    end
+                    if stdout[status_idx].nil?
+                      error "Unable to find vulnerability status for #{id}"
+                    else
+                      status = $1.strip
+                      error "Status for #{name}: #{status}" if status != 'NOT VULNERABLE'
+                    end
+                  end
+                end
+              end,
+              timeout: 30
+            }
+          }
+        end
+
+      end
+
+    end
+
+  end
+
+end

data/lib/hybrid_platforms_conductor/hpc_plugins/test/veids.rb

@@ -0,0 +1,31 @@
+module HybridPlatformsConductor
+
+  module HpcPlugins
+
+    module Test
+
+      # Test that VEIDs are assigned correctly
+      class Veids < HybridPlatformsConductor::Test
+
+        # Check my_test_plugin.rb.sample documentation for signature details.
+        def test
+          # Get a map of VEIDs per node
+          @nodes_handler.prefetch_metadata_of @nodes_handler.known_nodes, :veid
+          veids = Hash[@nodes_handler.
+            known_nodes.
+            map { |node| [node, @nodes_handler.get_veid_of(node) ? @nodes_handler.get_veid_of(node).to_i : nil] }
+          ]
+
+          # Check there are no duplicates
+          veids.group_by { |_node, veid| veid }.each do |veid, nodes|
+            error "VEID #{veid} is used by the following nodes: #{nodes.map { |node, _veid| node }.join(', ')}" if !veid.nil? && nodes.size > 1
+          end
+        end
+
+      end
+
+    end
+
+  end
+
+end

data/lib/hybrid_platforms_conductor/hpc_plugins/test/vulnerabilities.rb

@@ -0,0 +1,159 @@
+require 'nokogiri'
+
+module HybridPlatformsConductor
+
+  module HpcPlugins
+
+    module Test
+
+      # Test that the node has not known vulnerabilities.
+      # Check this by using OVAL files published by vendors.
+      # For example, RedHat publishes them here: https://www.redhat.com/security/data/oval/v2/RHEL7/
+      # This test uses an oval.json file stored in the OS images folder, having the following structure:
+      # * *urls* (Array<String>): List of URLs pointing to OVAL files [default: []]
+      #     Each URL can be directly an XML file, either raw or compressed with .gz or .bz2.
+      # * *repo_urls* (Array<String>): List of URLs pointing to repositories of OVAL files [default: []]
+      #     The last HTML link of each repo URL is followed until an OVAL file is found.
+      #     Each final OVAL URL can be directly an XML file, either raw or compressed with .gz or .bz2.
+      #     This is useful to follow repository links, such as jFrog or web servers serving common file systems structure storing several versions of the OVAL file.
+      # * *reported_severities* (Array<String> or nil): List of severities to report, if any (use Unknown when the severity is not known), or nil for all [default: nil]
+      class Vulnerabilities < HybridPlatformsConductor::Test
+
+        # Known compression methods, per file extension, and their corresponding uncompress bash script
+        KNOWN_COMPRESSIONS = {
+          bz2: {
+            cmd: proc { |file| "if [ ! -f \"#{File.basename(file, '.bz2')}\" ] ; then bunzip2 \"#{file}\" ; fi" },
+            packages: ['bzip2']
+          },
+          gz: {
+            cmd: proc { |file| "if [ ! -f \"#{File.basename(file, '.gz')}\" ] ; then gunzip \"#{file}\" ; fi" },
+            packages: ['gzip']
+          }
+        }
+
+        # Check my_test_plugin.rb.sample documentation for signature details.
+        def test_on_node
+          # Get the image name for this node
+          image = @nodes_handler.get_image_of(@node).to_sym
+          # Find if we have such an image registered
+          if @config.known_os_images.include?(image)
+            oval_file = "#{@config.os_image_dir(image)}/oval.json"
+            if File.exist?(oval_file)
+              oval_info = JSON.parse(File.read(oval_file))
+              # Get all URLs
+              urls = oval_info['urls'] || []
+              urls.concat(
+                (oval_info['repo_urls'] || []).map do |artifactory_url|
+                  # Follow the last link recursively until we find a .xml or compressed file
+                  current_url = artifactory_url
+                  loop do
+                    current_url = "#{current_url}#{current_url.end_with?('/') ? '' : '/'}#{Nokogiri::HTML.parse(URI.open(current_url)).css('a').last['href']}"
+                    break if current_url.end_with?('.xml') || KNOWN_COMPRESSIONS.keys.any? { |file_ext| current_url.end_with?(".#{file_ext}") }
+                    log_debug "Follow last link to #{current_url}"
+                  end
+                  current_url
+                end
+              )
+              Hash[urls.map do |url|
+                # 1. Get the OVAL file on the node to be tested (uncompress it if needed)
+                # 2. Make sure oscap is installed
+                # 3. Generate the report for this OVAL file using oscap
+                # 4. Get back the report here to analyze it
+                local_oval_file = File.basename(url)
+                uncompress_cmds = []
+                packages_to_install = []
+                KNOWN_COMPRESSIONS.each do |file_ext, compress_info|
+                  file_ending = ".#{file_ext}"
+                  if local_oval_file.end_with?(file_ending)
+                    uncompress_cmds << compress_info[:cmd].call(local_oval_file)
+                    packages_to_install.concat(compress_info[:packages])
+                    local_oval_file = File.basename(local_oval_file, file_ending)
+                  end
+                end
+                cmds = <<~EOS
+                  #{
+                    case image
+                    when :centos_7
+                      "sudo yum install -y wget openscap-scanner #{packages_to_install.join(' ')}"
+                    when :debian_9
+                      "sudo apt install -y wget libopenscap8 #{packages_to_install.join(' ')}"
+                    when :debian_10
+                      # On Debian 10 we have to compile it from sources, as the packaged official version has core dumps.
+                      # cf https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1688223.html
+                      # TODO: Remove this Debian 10 specificity when the official libopenscap8 will be corrected
+                      <<~EOS2
+                        if [ ! -x "$(command -v oscap)" ] || [ "$(oscap --version | head -n 1 | awk '{print $6}')" != "1.3.4" ]; then
+                          rm -rf openscap
+                          git clone --recurse-submodules https://github.com/OpenSCAP/openscap.git
+                          cd openscap
+                          sudo apt install -y cmake libdbus-1-dev libdbus-glib-1-dev libcurl4-openssl-dev libgcrypt20-dev libselinux1-dev libxslt1-dev libgconf2-dev libacl1-dev libblkid-dev libcap-dev libxml2-dev libldap2-dev libpcre3-dev python-dev swig libxml-parser-perl libxml-xpath-perl libperl-dev libbz2-dev librpm-dev g++ libapt-pkg-dev libyaml-dev
+                          cd build
+                          cmake ../
+                          make
+                          sudo make install
+                        fi
+                        sudo apt install -y wget #{packages_to_install.join(' ')}
+                      EOS2
+                    else
+                      raise "Non supported image: #{image}. Please adapt this test's code."
+                    end
+                  }
+                  rm -rf hpc_vulnerabilities_test
+                  mkdir -p hpc_vulnerabilities_test
+                  cd hpc_vulnerabilities_test
+                  wget -N #{url}
+                  #{uncompress_cmds.join("\n")}
+                  sudo oscap oval eval --skip-valid --results "#{local_oval_file}.results.xml" "#{local_oval_file}"
+                  echo "===== RESULTS ====="
+                  cat "#{local_oval_file}.results.xml"
+                  cd ..
+                EOS
+                [
+                  cmds,
+                  {
+                    validator: proc do |stdout|
+                      idx_results = stdout.index('===== RESULTS =====')
+                      if idx_results.nil?
+                        error 'No results given by the oscap run', stdout.join("\n")
+                      else
+                        results = Nokogiri::XML(stdout[idx_results + 1..-1].join("\n"))
+                        results.remove_namespaces!
+                        oval_definitions = results.css('oval_results oval_definitions definitions definition')
+                        results.css('results system definitions definition').each do |definition_xml|
+                          if definition_xml['result'] == 'true'
+                            # Just found an OVAL item to be patched.
+                            definition_id = definition_xml['definition_id']
+                            oval_definition = oval_definitions.find { |el| el['id'] == definition_id }
+                            # We don't forcefully want to report all missing patches. Only the most important ones.
+                            severity = oval_definition.css('metadata advisory severity').text
+                            severity = 'Unknown' if severity.empty?
+                            if !oval_info.key?('reported_severities') || oval_info['reported_severities'].include?(severity)
+                              # Only consider the first line of the description, as sometimes it's very long
+                              error "Non-patched #{severity} vulnerability found: #{oval_definition.css('metadata title').text} - #{oval_definition.css('metadata description').text.split("\n").first}"
+                            end
+                          end
+                        end
+                      end
+                    end,
+                    # Increase timeout in case we have to install a lot of dependencies (like for Debian 10)
+                    timeout: 240
+                  }
+                ]
+              end]
+            else
+              error "No OVAL file defined for image #{image} at #{oval_file}"
+              {}
+            end
+          else
+            error "Unknown OS image #{image} defined for node #{@node}"
+            {}
+          end
+        end
+
+      end
+
+    end
+
+  end
+
+end

data/lib/hybrid_platforms_conductor/hpc_plugins/test_report/confluence.rb

@@ -0,0 +1,122 @@
+require 'cgi'
+require 'erubis'
+require 'hybrid_platforms_conductor/confluence'
+require 'hybrid_platforms_conductor/common_config_dsl/confluence'
+
+module HybridPlatformsConductor
+
+  module HpcPlugins
+
+    module TestReport
+
+      # Report tests results on a generated Confluence page
+      class Confluence < HybridPlatformsConductor::TestReport
+
+        self.extend_config_dsl_with CommonConfigDsl::Confluence, :init_confluence
+
+        # Maximum errors to be reported by item
+        MAX_ERROR_ITEMS_DISPLAYED = 10
+
+        # Maximal length of an error message to be reported
+        MAX_ERROR_MESSAGE_LENGTH_DISPLAYED = 4096
+
+        # Number of cells in the nodes list's progress status bars
+        NBR_CELLS_IN_STATUS_BARS = 28
+
+        # Handle tests reports
+        def report
+          confluence_info = @config.confluence_info
+          if confluence_info
+            if confluence_info[:tests_report_page_id]
+              HybridPlatformsConductor::Confluence.with_confluence(confluence_info[:url], @logger, @logger_stderr) do |confluence|
+                # Get previous percentages for the evolution
+                @previous_success_percentages = confluence.page_storage_format(confluence_info[:tests_report_page_id]).
+                  at('h1:contains("Evolution")').
+                  search('~ structured-macro:first-of-type').
+                  css('table td').
+                  map { |td_element| td_element.text }.
+                  each_slice(2).
+                  to_a.
+                  map { |(time_str, value_str)| [Time.parse("#{time_str} UTC"), value_str.to_f] }
+                @nbr_cells_in_status_bars = NBR_CELLS_IN_STATUS_BARS
+                log_error 'Unable to extract previous percentages from Confluence page' if @previous_success_percentages.empty?
+                confluence.update_page(confluence_info[:tests_report_page_id], render('confluence'))
+              end
+              out "Inventory report Confluence page updated. Please visit #{confluence_info[:url]}/pages/viewpage.action?pageId=#{confluence_info[:tests_report_page_id]}"
+            else
+              log_warn 'No tests_report_page_id in the Confluence information defined. Ignoring the Confluence report.'
+            end
+          else
+            log_warn 'No Confluence information defined. Ignoring the Confluence report.'
+          end
+        end
+
+        private
+
+        TEMPLATES_PATH = File.expand_path("#{File.dirname(__FILE__)}/templates")
+
+        # Render a given ERB template into a String
+        #
+        # Parameters::
+        # * *template* (String): Template name
+        # Result::
+        # * String: Rendered template
+        def render(template)
+          Erubis::Eruby.new(File.read("#{TEMPLATES_PATH}/#{template}.html.erb")).result(binding)
+        end
+
+        # Render a status to be integrated in a Confluence page for a given test
+        #
+        # Parameters::
+        # * *test_name* (String): Test name
+        # * *test_criteria* (Hash<Symbol,Object>): Test criteria
+        # Result::
+        # * String: Rendered status
+        def render_status(test_name, test_criteria)
+          @status_test_name = test_name
+          @status_test_criteria = test_criteria
+          @max_errors = MAX_ERROR_ITEMS_DISPLAYED
+          @max_error_message_length = MAX_ERROR_MESSAGE_LENGTH_DISPLAYED
+          render '_confluence_errors_status'
+        end
+
+        # Render a gauge displaying statuses of tests.
+        #
+        # Parameters::
+        # * *info* (Hash<Symbol,Object>): The info about tests to render gauge for (check classify_tests to know about info)
+        def render_gauge(info)
+          @gauge_success = info[:success].size
+          @gauge_unexpected_error = info[:unexpected_error].size
+          @gauge_expected_error = info[:expected_error].size
+          @gauge_not_run = info[:not_run].size
+          render '_confluence_gauge'
+        end
+
+        # Return the color linked to a status
+        #
+        # Parameters::
+        # * *status* (Symbol): Status (check classify_tests to know about possible statuses)
+        # Result::
+        # * String: Corresponding color
+        def status_color(status)
+          case status
+          when :success
+            'Green'
+          when :unexpected_error
+            'Red'
+          when :expected_error
+            'Yellow'
+          when :not_run
+            'Grey'
+          else
+            raise "Unknown status: #{status}"
+          end
+        end
+
+      end
+
+    end
+
+  end
+
+end

data/lib/hybrid_platforms_conductor/hpc_plugins/test_report/my_test_report.rb.sample

@@ -0,0 +1,48 @@
+require 'hybrid_platforms_conductor/test_report'
+
+module HybridPlatformsConductor
+
+  module HpcPlugins
+
+    module TestReport
+
+      class MyTestReport < HybridPlatformsConductor::TestReport
+
+        # Are dependencies met before using this plugin?
+        # [API] - This method is optional
+        #
+        # Result::
+        # * Boolean: Are dependencies met before using this plugin?
+        def self.valid?
+          true
+        end
+
+        # Add a Mixin to the DSL parsing the platforms configuration file.
+        # This can be used by any plugin to add plugin-specific configuration getters and setters, accessible later from NodesHandler instances.
+        # An optional initializer can also be given.
+        # [API] - Those calls are optional
+        module MyDSLExtension
+
+          attr_accessor :my_property
+
+          # Initialize the DSL
+          def init_my_dsl_extension
+            @my_property = 42
+          end
+
+        end
+        self.extend_config_dsl_with MyDSLExtension, :init_my_dsl_extension
+
+        # Handle tests reports
+        def report
+          puts "#{@tested_nodes.size} nodes have been tested."
+          puts "#{@tests.select { |test| !test.errors.empty? }.size} tests have failed."
+        end
+
+      end
+
+    end
+
+  end
+
+end

data/lib/hybrid_platforms_conductor/hpc_plugins/test_report/stdout.rb

@@ -0,0 +1,120 @@
+require 'terminal-table'
+
+module HybridPlatformsConductor
+
+  module HpcPlugins
+
+    module TestReport
+
+      # Report tests results on stdout
+      class Stdout < HybridPlatformsConductor::TestReport
+
+        # Size of the progress bar, in characters
+        PROGRESS_BAR_SIZE = 41
+
+        # Handle tests reports
+        def report
+          out
+          out "========== Error report of #{@tests.size} tests run on #{@tested_nodes.size} nodes"
+          out
+
+          errors = group_errors(global_tests, :test_name, filter: :only_as_non_expected)
+          out "======= #{errors.size} unexpected failing global tests:"
+          out
+          errors.each do |test_name, test_errors|
+            out "===== #{test_name} found #{test_errors.size} errors:"
+            test_errors.each do |error|
+              out "    - #{error}"
+            end
+            out
+          end
+          out
+
+          errors = group_errors(platform_tests, :test_name, :platform, filter: :only_as_non_expected)
+          out "======= #{errors.size} unexpected failing platform tests:"
+          out
+          errors.each do |test_name, errors_by_platform|
+            out "===== #{test_name} found #{errors_by_platform.size} platforms having errors:"
+            errors_by_platform.each do |platform, test_errors|
+              out "  * [ #{platform.repository_path} ] - #{test_errors.size} errors:"
+              test_errors.each do |error|
+                out "    - #{error}"
+              end
+            end
+            out
+          end
+          out
+
+          errors = group_errors(node_tests, :test_name, :node, filter: :only_as_non_expected)
+          out "======= #{errors.size} unexpected failing node tests:"
+          out
+          errors.each do |test_name, errors_by_node|
+            out "===== #{test_name} found #{errors_by_node.size} nodes having errors:"
+            errors_by_node.each do |node, test_errors|
+              out "  * [ #{node} ] - #{test_errors.size} errors:"
+              test_errors.each do |error|
+                out "    - #{error}"
+              end
+            end
+            out
+          end
+          out
+
+          errors = group_errors(platform_tests, :platform, :test_name, filter: :only_as_non_expected)
+          out "======= #{errors.size} unexpected failing platforms:"
+          out
+          errors.each do |platform, errors_by_test|
+            out "===== #{platform.repository_path} has #{errors_by_test.size} failing tests:"
+            errors_by_test.each do |test_name, test_errors|
+              out "  * [ #{test_name} ] - #{test_errors.size} errors:"
+              test_errors.each do |error|
+                out "    - #{error}"
+              end
+            end
+            out
+          end
+          out
+
+          errors = group_errors(node_tests, :node, :test_name, filter: :only_as_non_expected)
+          out "======= #{errors.size} unexpected failing nodes:"
+          out
+          errors.each do |node, errors_by_test|
+            out "===== #{node} has #{errors_by_test.size} failing tests:"
+            errors_by_test.each do |test_name, test_errors|
+              out "  * [ #{test_name} ] - #{test_errors.size} errors:"
+              test_errors.each do |error|
+                out "    - #{error}"
+              end
+            end
+            out
+          end
+          out
+
+          out '========== Stats by nodes list:'
+          out
+          out(Terminal::Table.new(headings: ['List name', '# nodes', '% tested', '% expected success', '% success', '[Expected] '.yellow.bold + '[Error] '.red.bold + '[Success] '.green.bold + '[Non tested]'.white.bold]) do |table|
+            nodes_by_nodes_list.each do |nodes_list, nodes_info|
+              table << [
+                nodes_list,
+                nodes_info[:nodes].size,
+                nodes_info[:nodes].empty? ? '' : "#{(nodes_info[:tested_nodes].size*100.0/nodes_info[:nodes].size).to_i} %",
+                nodes_info[:tested_nodes].empty? ? '' : "#{((nodes_info[:tested_nodes].size - nodes_info[:tested_nodes_in_error_as_expected].size) * 100.0 / nodes_info[:tested_nodes].size).to_i} %",
+                nodes_info[:tested_nodes].empty? ? '' : "#{((nodes_info[:tested_nodes].size - nodes_info[:tested_nodes_in_error].size) * 100.0 / nodes_info[:tested_nodes].size).to_i} %",
+                nodes_info[:nodes].empty? ? '' :
+                  ('=' * ((nodes_info[:tested_nodes_in_error_as_expected].size * PROGRESS_BAR_SIZE.to_f) / nodes_info[:nodes].size).round).yellow.bold +
+                  ('=' * (((nodes_info[:tested_nodes_in_error].size - nodes_info[:tested_nodes_in_error_as_expected].size).abs * PROGRESS_BAR_SIZE.to_f) / nodes_info[:nodes].size).round).red.bold +
+                  ('=' * (((nodes_info[:tested_nodes].size - nodes_info[:tested_nodes_in_error].size) * PROGRESS_BAR_SIZE.to_f) / nodes_info[:nodes].size).round).green.bold +
+                  ('=' * (((nodes_info[:nodes].size - nodes_info[:tested_nodes].size) * PROGRESS_BAR_SIZE.to_f) / nodes_info[:nodes].size).round).white.bold
+              ]
+            end
+          end)
+
+        end
+
+      end
+
+    end
+
+  end
+
+end