identitynow_rule_validator 1.0.0b

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: f72bbdbdfce7f45b1010ee5bc4f170fe219c83fd8e9b156d7b719dc912b7147d
+  data.tar.gz: 832e3afdb507f4d7d080709c209aa82edd338b82c5d281a4bc6a27909ca88206
+SHA512:
+  metadata.gz: 86e792cc08b0964c237e725e84895883854f40e45b5ea65b5571ddfbed39438e1f872989d48561d4f0fe2508b3e4ca55b470b13c63152a416299414f406fb06b
+  data.tar.gz: 70b4295494b9129f7df960015ecd52f73744e201895de2086a2933b5d8f90f7dd86f7537afddb4dd2d6b7907e22ba2b39e69d081fb37bb5f51f971798c520d84

checksums.yaml.gz.sig

@@ -0,0 +1,2 @@
+uH:B�\�o�P[�Qò9�슫Wĩz"�i����2�
J(������8�xY^)๕�	��s��UUZ��en����~D����5(�yg��K��Se؎��9�g~L	fuyK��dmr���d�K������=�sч+N�B��%�-����<�Vt����n�pvr�8�O���)q�A �`Z�3��TLB�'*T�i&\:
+��_G���'�'�9ܚ��8t���H��	]Tp�VK.ԋ$UH��x�Rn�"��$���>7�	�\9+0���i��8��Ixv	A�%sj��$1� 8�,wu�H�xCݢ����]f=?�r*Na��ڱ�fN�[�2��4������4��A��h�>>E_�

data/lib/identitynow_rule_validator.rb

@@ -0,0 +1,179 @@
+require 'json'
+require 'colorize'
+require 'program'
+
+class IdentityNowRuleValidator
+
+  #
+  # This will collect findings for each file.
+  #
+  @@findings = []
+
+  #
+  # This holds details about the files.
+  #
+  @@filesCount = 0;
+
+  #
+  # These are the rules which are used for validation.
+  #
+  @@rules = []
+
+  #
+  # This will help determine if we're still showing findings for the same file.
+  #
+  @@previousFile = nil
+
+  def self.validate_directory( directory )
+
+    self.initialize
+
+    puts "Validating files from directory: #{directory}"
+
+    Dir.glob( File.join( directory + '**/*.xml' ) ).each do |file|
+
+      self.analyze_file( file )
+
+    end # files.each do |file|
+
+    self.report_findings
+
+  end
+
+  def self.validate_files( files )
+
+    self.initialize
+
+    puts "Validating files: #{files}"
+
+    if ( !files.nil? && !files.empty? )
+
+      files.each do |file|
+
+        self.analyze_file( file )
+
+      end # files.each do |file|
+
+    end # if ( !files.nil? && !files.empty? )
+
+    self.report_findings
+
+  end
+
+  def self.validate_file( file )
+
+    self.initialize
+
+    puts "Validating file: #{file}"
+
+    self.analyze_file( file )
+
+    self.report_findings
+
+  end
+
+  private
+
+  def self.initialize
+
+    #
+    # Initialize findings to be empty.
+    #
+    @@findings = []
+
+    #
+    # Initialize filesCount to be 0.
+    #
+    @@filesCount = 0;
+
+    #
+    # Initialize rules from JSON.
+    #
+    @@rules = JSON.parse( File.read( File.join( __dir__, "rules.json" ) ) )
+
+    #
+    # Initialize previous file to empty
+    #
+    @@previousFile = nil
+
+    #
+    # Program Start / Version
+    #
+    Program.start( "IdentityNow Rule Validator", "Neil McGlennon (neil.mcglennon@sailpoint.com)", "1.0.0b", "2020-01-21" )
+
+  end
+
+  def self.analyze_file( file )
+
+    #
+    # Make sure we are working with files, not directories.
+    #
+    if File.file?( file )
+
+      @@filesCount += 1;
+      puts "\t" + File.basename( file )
+
+      File.readlines( file ).each_with_index do |line, lineNumber|
+
+        @@rules.each do |rule|
+
+          if line.valid_encoding?
+            if( line.match( /#{rule['pattern']}/ ) )
+
+              finding = {
+                'file': file,
+                'line': lineNumber + 1,
+                'text': line.strip,
+                'message': rule['message'],
+                'type': rule['type']
+              }
+              @@findings.push finding
+            end
+
+          end # if( line.match( /#{rule['pattern']}/ ) )
+
+        end # @@rules.each do |rule|
+
+      end # File.readlines( file ).each_with_index do |line, lineNumber|
+
+    end # if File.file?( file )
+
+  end
+
+  def self.report_findings
+
+    #
+    # Iterate through all of our findings.
+    #
+    @@findings.each do |finding|
+
+      #
+      # Output the file header
+      #
+      if ( finding[:file] != @@previousFile )
+        puts File.dirname( finding[:file] ) + "\n"
+        puts File.basename( finding[:file] ).bold + "\n\n"
+      end
+
+      #
+      # Output the issue
+      #
+      puts "\tLine #{finding[:line]}: #{finding[:text][0..80].gsub(/\s\w+$/,'...').light_black}"
+      type = ( finding[:type] == "error" ) ? "Error".red : "Warning".yellow
+      puts "\t#{type}: #{finding[:message]}\n\n"
+
+      #
+      # Set this for the next iteration
+      #
+      @@previousFile = finding[:file]
+
+    end
+
+    #
+    # Completion!
+    #
+    Program.end
+
+  end
+
+end

data/lib/program.rb

@@ -0,0 +1,167 @@
+# require "./lib/timer.rb"
+require "json"
+
+#
+# Time Utility
+#
+module Timer
+  @@timeStart = nil
+  @@timeEnd = nil
+
+  #
+  # Starts the timer
+  #
+  def self.start
+    @@timeStart = Process.clock_gettime( Process::CLOCK_MONOTONIC )
+  end
+
+  #
+  # Stops the timer
+  #
+  def self.stop
+    @@timeEnd = Process.clock_gettime( Process::CLOCK_MONOTONIC )
+  end
+
+  #
+  # Gets elapsed time
+  #
+  def self.elapsed
+    unless @@timeEnd.nil? || @@timeStart.nil?
+
+      elapsed = @@timeEnd.to_i - @@timeStart.to_i # distance between t1 and t2 in seconds
+
+      resolution = if elapsed > 29030400 # seconds in a year
+        [(elapsed/29030400), 'years']
+      elsif elapsed > 2419200
+        [(elapsed/2419200), 'months']
+      elsif elapsed > 604800
+        [(elapsed/604800), 'weeks']
+      elsif elapsed > 86400
+        [(elapsed/86400), 'days']
+      elsif elapsed > 3600 # seconds in an hour
+        [(elapsed/3600), 'hours']
+      elsif elapsed > 60
+        [(elapsed/60), 'minutes']
+      else
+        [elapsed, 'seconds']
+      end
+
+      if resolution[0] == 1
+        return resolution.join(' ')[0...-1]
+      else
+        return resolution.join(' ')
+      end
+
+    else
+      return nil
+    end
+  end
+
+end
+
+#
+# Program Utility
+#
+module Program
+
+  #
+  # Utility method for printing messages.
+  #
+  def self.line( )
+    puts ( "-" * 62 )
+  end
+
+  #
+  # Utility method for printing messages.
+  #
+  def self.output( message )
+    Program.line
+    puts " #{message}"
+    Program.line
+  end
+
+  #
+  # Utility to start the program
+  #
+  def self.start( name, author, version, date )
+    Timer.start
+
+    Program.line
+    puts " #{name} "
+    Program.line
+    puts " Version: #{version}"
+    puts " Date: #{date}"
+    puts " Author: #{author}"
+    Program.line
+
+    $tenant = nil
+
+    unless $tenant.nil?
+      puts " Tenant: #{$tenant}"
+      Program.line
+    end
+
+  end
+
+  #
+  # Utility to end the program
+  #
+  def self.end( )
+    Timer.stop
+    output( "Process completed in #{Timer.elapsed}" )
+  end
+
+
+  #
+  # Utility method to write output files to a directory.
+  #
+  def self.write_file( directory, name, text )
+    name.gsub!(/[^0-9A-Za-z. -]/,"-")
+    FileUtils.mkdir_p directory
+    File.open( File.join( directory, name ), 'w+') { |file| file.write( text ) }
+  end
+
+  def self.get_filenames( directory )
+    output = Array.new
+    Dir.glob("#{directory}/*.json") do |file|
+      #tmp = file.slice! "#{directory}/"
+      output.push(file)
+    end
+    return output
+  end
+
+  def self.read_directory( directory )
+    output = Array.new
+    Dir.glob("#{directory}/*.json") do |file|
+      output.push(Program.read_file(file))
+    end
+    return output
+  end
+
+  #
+  # Utility method to read output files to a directory.
+  #
+  def self.read_file( directory, name )
+    return Program.read_file("#{directory}/#{name}")
+  end
+
+  def self.read_file( name )
+    output = ""
+    #name.gsub!(/[^0-9A-Za-z. -]/,"-")
+    f = File.open( name, 'r')
+    f.each_line do |line|
+      output += line
+    end
+    f.close
+    return output
+  end
+
+  def self.write_csv(directory, name, content)
+    if !File.file?("#{directory}/#{name}")
+      Program.write_file(directory, name, "")
+    end
+    CSV.open("#{directory}/#{name}", "ab") do |csv|
+      csv << content
+    end
+  end
+end

data/lib/rules.json

@@ -0,0 +1,228 @@
+[{
+        "pattern": "System\\.(out|err)\\.print",
+        "message": "Remove any System.out configurations in favor of logging statements.",
+        "type": "warning"
+    },
+    {
+        "pattern": "\\.printStackTrace\\(",
+        "message": "Detected instances of printStackTrace(...). Remove this reference.",
+        "type": "warning"
+    },
+    {
+        "pattern": "public static",
+        "message": "Remove references to 'static' in methods. This can cause unexpected behavior.",
+        "type": "warning"
+    },
+    {
+        "pattern": "(<Source>)((?!<\\!\\[CDATA\\[).)*\\s?$",
+        "message": "Correct tag to be <Source><![CDATA[",
+        "type": "warning"
+    },
+    {
+        "pattern": "^(\\s)?(\\<\\/Source\\>)",
+        "message": "Correct tag to be ]]></Source>",
+        "type": "warning"
+    },
+    {
+        "pattern": "&gt;",
+        "message": "Detected instances of '&gt;' Convert to '>'.",
+        "type": "warning"
+    },
+    {
+        "pattern": "&lt;",
+        "message": "Detected instances of '&lt;' Convert to '<'.",
+        "type": "warning"
+    },
+    {
+        "pattern": "&amp;",
+        "message": "Detected instances of '&amp;' Convert to '&'.",
+        "type": "warning"
+    },
+    {
+        "pattern": "context\\.decrypt(\\s)?\\(",
+        "message": "Remove references to 'decrypt'. This is not allowed.",
+        "type": "error"
+    },
+    {
+        "pattern": "context\\.commitTransaction(\\s)?\\(",
+        "message": "Remove references to 'commitTransaction'. This is not allowed.",
+        "type": "error"
+    },
+    {
+        "pattern": "context\\.saveObject(\\s)?\\(",
+        "message": "Remove references to 'saveObject'. This is not allowed.",
+        "type": "error"
+    },
+    {
+        "pattern": "context\\.authenticate(\\s)?\\(",
+        "message": "Remove references to 'authenticate'. This is not allowed.",
+        "type": "error"
+    },
+    {
+        "pattern": "context\\.close(\\s)?\\(",
+        "message": "Remove references to 'close'. This is not allowed.",
+        "type": "error"
+    },
+    {
+        "pattern": "context\\.decache(\\s)?\\(",
+        "message": "Remove references to 'decache'. This is not allowed.",
+        "type": "error"
+    },
+
+    {
+        "pattern": "context\\.encrypt(\\s)?\\(",
+        "message": "Remove references to 'encrypt'. This is not allowed.",
+        "type": "error"
+    },
+    {
+        "pattern": "context\\.getJdbcConnection(\\s)?\\(",
+        "message": "Remove references to 'encrypt'. This is not allowed.",
+        "type": "error"
+    },
+    {
+        "pattern": "context\\.impersonate(\\s)?\\(",
+        "message": "Remove references to 'impersonate'. This is not allowed.",
+        "type": "error"
+    },
+    {
+        "pattern": "context\\.importObject(\\s)?\\(",
+        "message": "Remove references to 'importObject'. This is not allowed.",
+        "type": "error"
+    },
+
+    {
+        "pattern": "XMLObjectFactory\\.getInstance()\\.toXml\\(*\\)",
+        "message": "Remove references to XMLObjectFactory.getInstance().toXml(...).",
+        "type": "error"
+    },
+    {
+        "pattern": "\\.toXml(\\s)?\\(*\\)",
+        "message": "Remove references to 'toXml'. This is not allowed.",
+        "type": "error"
+    },
+    {
+        "pattern": "Thread\\.",
+        "message": "Remove references to 'Thread'. This is not allowed.",
+        "type": "error"
+    },
+    {
+        "pattern": "Runnable\\.",
+        "message": "Remove references to 'Runnable'. This is not allowed.",
+        "type": "error"
+    },
+    {
+        "pattern": "context\\.lockObject(\\s)?\\(",
+        "message": "Remove references to 'lockObject'. This is not allowed.",
+        "type": "error"
+    },
+    {
+        "pattern": "context\\.lockObjectById(\\s)?\\(",
+        "message": "Remove references to 'lockObjectById'. This is not allowed.",
+        "type": "error"
+    },
+    {
+        "pattern": "context\\.lockObjectByName(\\s)?\\(",
+        "message": "Remove references to 'lockObjectByName'. This is not allowed.",
+        "type": "error"
+    },
+    {
+        "pattern": "context\\.notify(\\s)?\\(",
+        "message": "Remove references to 'notify'. This is not allowed.",
+        "type": "error"
+    },
+    {
+        "pattern": "context\\.notifyAll(\\s)?\\(",
+        "message": "Remove references to 'notifyAll'. This is not allowed.",
+        "type": "error"
+    },
+    {
+        "pattern": "context\\.printStatistics(\\s)?\\(",
+        "message": "Remove references to 'printStatistics'. This is not allowed.",
+        "type": "error"
+    },
+    {
+        "pattern": "context\\.reconnect(\\s)?\\(",
+        "message": "Remove references to 'reconnect'. This is not allowed.",
+        "type": "error"
+    },
+    {
+        "pattern": "context\\.removeObject(\\s)?\\(",
+        "message": "Remove references to 'removeObject'. This is not allowed.",
+        "type": "error"
+    },
+    {
+        "pattern": "context\\.removeObjects(\\s)?\\(",
+        "message": "Remove references to 'removeObjects'. This is not allowed.",
+        "type": "error"
+    },
+    {
+        "pattern": "context\\.rollbackTransaction\\(",
+        "message": "Remove references to 'rollbackTransaction'. This is not allowed.",
+        "type": "error"
+    },
+    {
+        "pattern": "context\\.runRule(\\s)?\\(",
+        "message": "Remove references to 'runRule'. This is not allowed.",
+        "type": "error"
+    },
+    {
+        "pattern": "context\\.runScript(\\s)?\\(",
+        "message": "Remove references to 'runScript'. This is not allowed.",
+        "type": "error"
+    },
+    {
+        "pattern": "context\\.sendEmailNotification(\\s)?\\(",
+        "message": "Remove references to 'sendEmailNotification'. This is not allowed.",
+        "type": "error"
+    },
+    {
+        "pattern": "TimeZone\\.setTimeZone\\(",
+        "message": "Setting TimeZones is not supported.",
+        "type": "error"
+    },
+    {
+        "pattern": "identity\\.getLinks(\\s)?\\(",
+        "message": "The function 'getLinks' is deprecated.  Use an identity search instead.",
+        "type": "error"
+    },
+    {
+        "pattern": "^(\\s)?(<Rule)(.*?)(type=)('|\")(ResourceObjectCustomization)('|\")",
+        "message": "Unsupported Rule Type: ResourceObjectCustomization rules are not supported, and cannot be submitted.",
+        "type": "error"
+    },
+    {
+        "pattern": "^(\\s)?(<Rule)(.*?)(type=)('|\")(Integration)('|\")",
+        "message": "Unsupported Rule Type: Integration rules are not supported. Consider implementation of a BeforeProvisioning rule instead.",
+        "type": "error"
+    },
+    {
+        "pattern": "^(\\s)?(<Rule)(.*?)(type=)('|\")(?!(IdentityAttribute|AttributeGenerator|AttributeGeneratorFromTemplate|Correlation|ManagerCorrelation|BeforeProvisioning|ConnectorAfterCreate|ConnectorAfterModify|BuildMap|JDBCBuildMap|JDBCProvisioning|SAPBuildMap|SapHrOperationProvisioning|WebServiceBeforeOperation|WebServiceAfterOperation))('|\")",
+        "message": "Unsupported Rule Type: This type of rule is not supported. See the IdentityNow Rule Guide for more details on supported rules.",
+        "type": "error"
+    },
+    {
+        "pattern": "^(\\s)?(<Rule)(.*?)(type=)('|\")(CertificationExclusion)('|\")",
+        "message": "Deprecated Rule Type: CertificationExclusion rules are deprecated.  Consider configuration via certification campaign filters instead.",
+        "type": "warning"
+    },
+    {
+        "pattern": "^(\\s)?(<Rule)(.*?)(type=)('|\")(IdentitySelector)('|\")",
+        "message": "Deprecated Rule Type: IdentitySelector rules are deprecated.  Consider configuration via rule assignment criteria instead.",
+        "type": "warning"
+    },
+    {
+        "pattern": "(context\\.)(getObjectByName|getObjectById|getObjects|getObject)(.*?)(\\s)?(\\()+(\\s)?(?!((\\s)?(sailpoint\\.object\\.)?(Identity|Link)))",
+        "message": "Cannot get objects other than sailpoint.object.Identity or sailpoint.object.Link objects.",
+        "type": "error"
+    },
+    {
+        "pattern": "Log4j",
+        "message": "Do not declare your own loggers.",
+        "type": "error"
+    },
+    {
+        "pattern": "(context\\.search)(\\s)?(\\()+(\\s)?(?!((\\s)?(sailpoint\\.object\\.)?(Identity|Link)))",
+        "message": "Only sailpoint.object.Identity or sailpoint.object.Link objects are searchable.",
+        "type": "error"
+    }
+]

metadata

@@ -0,0 +1,102 @@
+--- !ruby/object:Gem::Specification
+name: identitynow_rule_validator
+version: !ruby/object:Gem::Version
+  version: 1.0.0b
+platform: ruby
+authors:
+- neil-mcglennon-sp
+autorequire: 
+bindir: bin
+cert_chain:
+- |
+  -----BEGIN CERTIFICATE-----
+  MIIEYjCCAsqgAwIBAgIBATANBgkqhkiG9w0BAQsFADAtMSswKQYDVQQDDCJuZWls
+  Lm1jZ2xlbm5vbi9EQz1zYWlscG9pbnQvREM9Y29tMB4XDTIwMDEyODE3MzYwNloX
+  DTIxMDEyNzE3MzYwNlowLTErMCkGA1UEAwwibmVpbC5tY2dsZW5ub24vREM9c2Fp
+  bHBvaW50L0RDPWNvbTCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAKqi
+  9+1E2sipSc7Iju7N6oQT1NNnRzjC0lQYh2w8XyrkNrmBDq3DrZcK08tDHSZDeII3
+  pI3wUduamXJ9fLlIp3THv01sB/PZGpcuLsJlxlCnnXrnckFqGoWApgRgtDChn5xk
+  CqQshFrk7felCJj95RmhWqgjp/jzRL8djksbxVB4wc3qCBkw2mS6v3Z516gALJrK
+  ILXwttgQoXZipvm1GAnfXBOJaXVO1yGt4D7egeNnqLZ8p92vBEI8gwhA4nsw2bgI
+  Rm7Y/eeWMuzoNBAXVZnPUB65hrS7kpSpKomWHbV91TzjcKohyjYBj4/1xuIhED31
+  jxpoIOOIdzvCxERxPS5ay5+VlTaBXxNsIz12UFUImSMjqLpa6i/SLLwLXO4pyq8q
+  6seUSqpLai6vue7pFFQSgINrpTfw2VxrhF4mSipEwgkQ479e451/tFG1Fw5jJWtz
+  o95bJWBBxH8mm8T+z/XUeY0xMyHegAN7cHXfe8wU3z2OLLop3XzB+7P/P8zYdwID
+  AQABo4GMMIGJMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgSwMB0GA1UdDgQWBBQ5225b
+  ZgQ6rTZpji087FmAGRc02TAnBgNVHREEIDAegRxuZWlsLm1jZ2xlbm5vbkBzYWls
+  cG9pbnQuY29tMCcGA1UdEgQgMB6BHG5laWwubWNnbGVubm9uQHNhaWxwb2ludC5j
+  b20wDQYJKoZIhvcNAQELBQADggGBAJgrmpwrIu1WO1r8WL62je6PcJdBjKHux5xU
+  D/x3oiSG+qrP2XMKHIHmo1mjQmObWviMVmgU238imT/hcelGbZnkGQ82swAECvZ2
+  SEDYx6Dpu0qisI1GliK5m/T7aGhkjxlCxcBa8/eDUwmU55sEXY0Xu1lkq5XoTUwQ
+  rEsm8j74ilJOdRf3nla3UUrxGAfWvC/Jul4CTlNt7ADQcMKUiFvkSswY2R+pQWXu
+  PKfzNu+y/GU4zwLwfbfPYh9k3s8ynqodBFbwnkh5Q+1CUgYyb//HyOmV5emphaf7
+  inuam3RWZl2R2x4o0bOrj277XWJtUoOKgEuV27tmT1TdpAnuaPIrCR/sr7w383aO
+  NLKmt0gcTRRt327KOFTls9hByUNR6uEglbaDyErVRECLYOUk19wo6vE9onjaEZTR
+  KxiqTPt+66S5Zu9TMeBdYHKYzP8OMs2AwIPrSQH1tGxuGdrjvMvRU3XPxEnuJTwE
+  1Av2VddcX+awmjPuUJVxXSyVzEbPZg==
+  -----END CERTIFICATE-----
+date: 2020-01-28 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.16'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.16'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+description: A tool to validate IdentityNow rules.
+email:
+- neil.mcglennon@sailpoint.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/identitynow_rule_validator.rb
+- lib/program.rb
+- lib/rules.json
+homepage: http://www.sailpoint.com
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">"
+    - !ruby/object:Gem::Version
+      version: 1.3.1
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.7.6
+signing_key: 
+specification_version: 4
+summary: IdentityNow Rule Validator
+test_files: []