nexpose 6.1.1 → 7.0.0

data/COPYING

@@ -1,33 +1,29 @@
-Copyright (C) 2014, Rapid7, Inc.
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without modification,
-are permitted provided that the following conditions are met:
-
-    * Redistributions of source code must retain the above copyright notice,
-	  this list of conditions and the following disclaimer.
-
-    * Redistributions in binary form must reproduce the above copyright notice,
-	  this list of conditions and the following disclaimer in the documentation
-	  and/or other materials provided with the distribution.
+BSD 3-Clause License
 
-    * Neither the name of Rapid7, Inc. nor the names of its contributors
-	  may be used to endorse or promote products derived from this software
-	  without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
-ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
-ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
-SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-================================================================================
-
-The nexpose-client gem is provided under the 3-clause BSD license above.
+Copyright (c) 2014-2017, Rapid7, Inc.
+All rights reserved.
 
-The copyright on this package is held by Rapid7, Inc.
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+* Redistributions of source code must retain the above copyright notice, this
+  list of conditions and the following disclaimer.
+
+* Redistributions in binary form must reproduce the above copyright notice,
+  this list of conditions and the following disclaimer in the documentation
+  and/or other materials provided with the distribution.
+
+* Neither the name of the copyright holder nor the names of its
+  contributors may be used to endorse or promote products derived from
+  this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

data/Gemfile.lock

@@ -1,53 +1,93 @@
 PATH
   remote: .
   specs:
-    nexpose (6.1.1)
+    nexpose (7.0.0)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    addressable (2.3.7)
-    ast (2.0.0)
-    astrolabe (1.3.0)
-      parser (>= 2.2.0.pre.3, < 3.0)
-    codeclimate-test-reporter (0.4.7)
+    activesupport (4.2.8)
+      i18n (~> 0.7)
+      minitest (~> 5.1)
+      thread_safe (~> 0.3, >= 0.3.4)
+      tzinfo (~> 1.1)
+    addressable (2.5.1)
+      public_suffix (~> 2.0, >= 2.0.2)
+    ast (2.3.0)
+    codeclimate-test-reporter (0.4.8)
       simplecov (>= 0.7.1, < 1.0.0)
-    crack (0.4.2)
+    coderay (1.1.1)
+    crack (0.4.3)
       safe_yaml (~> 1.0.0)
-    diff-lcs (1.2.5)
+    diff-lcs (1.3)
     docile (1.1.5)
-    multi_json (1.10.1)
-    parser (2.2.0.3)
-      ast (>= 1.1, < 3.0)
-    powerpack (0.1.0)
-    rainbow (2.0.0)
-    rake (10.4.2)
-    rspec (3.2.0)
-      rspec-core (~> 3.2.0)
-      rspec-expectations (~> 3.2.0)
-      rspec-mocks (~> 3.2.0)
-    rspec-core (3.2.1)
-      rspec-support (~> 3.2.0)
-    rspec-expectations (3.2.0)
+    faraday (0.12.0.1)
+      multipart-post (>= 1.2, < 3)
+    faraday-http-cache (2.0.0)
+      faraday (~> 0.8)
+    github_changelog_generator (1.14.3)
+      activesupport
+      faraday-http-cache
+      multi_json
+      octokit (~> 4.6)
+      rainbow (>= 2.1)
+      rake (>= 10.0)
+      retriable (~> 2.1)
+    i18n (0.8.1)
+    method_source (0.8.2)
+    minitest (5.10.1)
+    multi_json (1.12.1)
+    multipart-post (2.0.0)
+    octokit (4.7.0)
+      sawyer (~> 0.8.0, >= 0.5.3)
+    parallel (1.12.0)
+    parser (2.4.0.0)
+      ast (~> 2.2)
+    powerpack (0.1.1)
+    pry (0.9.12.6)
+      coderay (~> 1.0)
+      method_source (~> 0.8)
+      slop (~> 3.4)
+    public_suffix (2.0.5)
+    rainbow (2.2.2)
+      rake
+    rake (12.0.0)
+    retriable (2.1.0)
+    rspec (3.6.0)
+      rspec-core (~> 3.6.0)
+      rspec-expectations (~> 3.6.0)
+      rspec-mocks (~> 3.6.0)
+    rspec-core (3.6.0)
+      rspec-support (~> 3.6.0)
+    rspec-expectations (3.6.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.2.0)
-    rspec-mocks (3.2.1)
+      rspec-support (~> 3.6.0)
+    rspec-mocks (3.6.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.2.0)
-    rspec-support (3.2.2)
-    rubocop (0.29.1)
-      astrolabe (~> 1.3)
-      parser (>= 2.2.0.1, < 3.0)
+      rspec-support (~> 3.6.0)
+    rspec-support (3.6.0)
+    rubocop (0.49.1)
+      parallel (~> 1.10)
+      parser (>= 2.3.3.1, < 3.0)
       powerpack (~> 0.1)
       rainbow (>= 1.99.1, < 3.0)
-      ruby-progressbar (~> 1.4)
-    ruby-progressbar (1.7.1)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (~> 1.0, >= 1.0.1)
+    ruby-progressbar (1.8.1)
     safe_yaml (1.0.4)
+    sawyer (0.8.1)
+      addressable (>= 2.3.5, < 2.6)
+      faraday (~> 0.8, < 1.0)
     simplecov (0.9.2)
       docile (~> 1.1.0)
       multi_json (~> 1.0)
       simplecov-html (~> 0.9.0)
     simplecov-html (0.9.0)
+    slop (3.6.0)
+    thread_safe (0.3.6)
+    tzinfo (1.2.3)
+      thread_safe (~> 0.1)
+    unicode-display_width (1.3.0)
     vcr (2.9.3)
     webmock (1.20.4)
       addressable (>= 2.3.6)
@@ -59,7 +99,9 @@ PLATFORMS
 DEPENDENCIES
   bundler (~> 1.3)
   codeclimate-test-reporter (~> 0.4.6)
+  github_changelog_generator
   nexpose!
+  pry (= 0.9.12.6)
   rake
   rspec (~> 3.2)
   rubocop

data/README.markdown

@@ -3,7 +3,7 @@
 
 This is the official gem package for the Ruby Nexpose API client library.
 
-For assistance with using the gem, to share your scripts, or to discuss different approaches, please visit the Rapid7 community: https://community.rapid7.com/
+For assistance with using the gem or to discuss different approaches, please open an issue. To share or discuss scripts which use the gem head over to the [Nexpose Resources](https://github.com/rapid7/nexpose-resources) project.
 
 Check out the [wiki](https://github.com/rapid7/nexpose-client/wiki) for walk-throughs and other documentation. Submit bugs and feature requests on the [issues](https://github.com/rapid7/nexpose-client/issues) page.
 
@@ -25,6 +25,8 @@ Our coding standards include:
 * Unless otherwise noted, code should adhere to the Ruby Style Guide: https://github.com/bbatsov/ruby-style-guide
 * Use YARDoc comment style to improve the API documentation of the gem.
 
+Full usage examples or task-oriented scripts should be submitted to the [Nexpose Resources](https://github.com/rapid7/nexpose-resources) project. Smaller examples can be added to the [wiki](https://github.com/rapid7/nexpose-client/wiki).
+
 ## License
 
 The nexpose-client gem is provided under the 3-Clause BSD License. See [COPYING](COPYING) for details.

data/Rakefile

@@ -4,3 +4,12 @@ require 'bundler/gem_tasks'
 task :clean do
 	system "rm *.gem &> /dev/null"
 end
+
+
+require 'github_changelog_generator/task'
+GitHubChangelogGenerator::RakeTask.new :changelog do |config|
+  token = ENV['CHANGELOG_GITHUB_TOKEN']
+  if token.nil?
+    warn "!!WARNING!! Missing Github Token Environment Variable. Fix before you run rake changelog. !!WARNING!!"
+  end
+end

data/lib/nexpose.rb

@@ -68,6 +68,7 @@ require 'nexpose/asset'
 require 'nexpose/blackout'
 require 'nexpose/common'
 require 'nexpose/console'
+require 'nexpose/credential_helper'
 require 'nexpose/credential'
 require 'nexpose/site_credentials'
 require 'nexpose/shared_credential'

data/lib/nexpose/ajax.rb

@@ -1,4 +1,5 @@
 # encoding: utf-8
+
 module Nexpose
   # Accessor to the Nexpose AJAX API.
   # These core methods should allow direct access to underlying controllers
@@ -133,7 +134,8 @@ module Nexpose
     # Use the Nexpose::Connection to establish a correct HTTPS object.
     def https(nsc, timeout = nil)
       http = Net::HTTP.new(nsc.host, nsc.port)
-      http.read_timeout = timeout if timeout
+      http.read_timeout = (timeout || nsc.timeout)
+      http.open_timeout = nsc.open_timeout
       http.use_ssl = true
       if nsc.trust_store.nil?
         http.verify_mode = OpenSSL::SSL::VERIFY_NONE
@@ -183,8 +185,8 @@ module Nexpose
     def get_request_api_version(request)
       matches = request.path.match(API_PATTERN)
       matches[:version].to_f
-      rescue
-        0.0
+    rescue
+      0.0
     end
 
     # Get an error message from the response body if the request url api version
@@ -192,7 +194,7 @@ module Nexpose
     def get_error_message(request, response)
       version = get_request_api_version(request)
       data_request = use_response_error_message?(request, response)
-      return_response = (version >= 2.1 || data_request )
+      return_response = (version >= 2.1 || data_request)
       (return_response && response.body) ? "response body: #{response.body}" : "request body: #{request.body}"
     end
 
@@ -202,7 +204,7 @@ module Nexpose
       if (request.path.include?('/data/') && !response.content_type.nil?)
         response.content_type.include? 'text/plain'
       else
-        return false
+        false
       end
     end
 
@@ -253,7 +255,7 @@ module Nexpose
       pref_key = "#{pref}.rows"
       resp = get(nsc, uri)
       json = JSON.parse(resp)
-      if json.has_key?(pref_key)
+      if json.key?(pref_key)
         rows = json[pref_key].to_i
         rows > 0 ? rows : 10
       else

data/lib/nexpose/api_request.rb

@@ -42,17 +42,16 @@ module Nexpose
       else
         @http.cert_store = @trust_store
       end
-      @headers = {'Content-Type' => 'text/xml'}
+      @headers = { 'Content-Type' => 'text/xml' }
       @success = false
     end
 
     def execute(options = {})
       @conn_tries = 0
-
       begin
         prepare_http_client
-        @http.read_timeout = options[:timeout] if options.key? :timeout
-        @http.open_timeout = options.key?(:open_timeout) ? options[:open_timeout] : 60
+        @http.read_timeout = options.key?(:timeout) ? options[:timeout] : 120
+        @http.open_timeout = options.key?(:open_timeout) ? options[:open_timeout] : 120
         @raw_response = @http.post(@uri.path, @req, @headers)
         @raw_response_data = @raw_response.read_body
 
@@ -62,7 +61,7 @@ module Nexpose
             @success = true
           else
             @success = false
-            @error = "User requested raw XML response. Not parsing failures."
+            @error = 'User requested raw XML response. Not parsing failures.'
           end
         else
           @res = parse_xml(@raw_response_data)
@@ -74,19 +73,19 @@ module Nexpose
 
           @sid = attributes['session-id']
 
-          if (attributes['success'] and attributes['success'].to_i == 1)
+          if (attributes['success'] && attributes['success'].to_i == 1)
             @success = true
-          elsif @api_version =~ /1.2/ and @res and (@res.get_elements '//Exception').count < 1
+          elsif @api_version =~ /1.2/ && @res && (@res.get_elements '//Exception').count < 1
             @success = true
           else
             @success = false
             if @api_version =~ /1.2/
               @res.elements.each('//Exception/Message') do |message|
-              @error = message.text.sub(/.*Exception: */, '')
+                @error = message.text.sub(/.*Exception: */, '')
+              end
+              @res.elements.each('//Exception/Stacktrace') do |stacktrace|
+                @trace = stacktrace.text
               end
-            @res.elements.each('//Exception/Stacktrace') do |stacktrace|
-              @trace = stacktrace.text
-            end
             else
               @res.elements.each('//message') do |message|
                 @error = message.text.sub(/.*Exception: */, '')
@@ -97,27 +96,29 @@ module Nexpose
             end
           end
         end
-        # This is a hack to handle corner cases where a heavily loaded Nexpose instance
-        # drops our HTTP connection before processing. We try 5 times to establish a
-        # connection in these situations. The actual exception occurs in the Ruby
-        # http library, which is why we use such generic error classes.
-      rescue OpenSSL::SSL::SSLError => e
+      # This is a hack to handle corner cases where a heavily loaded Nexpose instance
+      # drops our HTTP connection before processing. We try 5 times to establish a
+      # connection in these situations. The actual exception occurs in the Ruby
+      # http library, which is why we use such generic error classes.
+      rescue OpenSSL::SSL::SSLError => error
         if @conn_tries < 5
           @conn_tries += 1
+          $stderr.puts "\n\nRetrying the request due to #{error}. If you see this message please open an Issue on Github with the error.\n\n"
           retry
         end
-      rescue ::ArgumentError, ::NoMethodError => e
+      rescue ::ArgumentError, ::NoMethodError => error
         if @conn_tries < 5
           @conn_tries += 1
+          $stderr.puts "\n\nRetrying the request due to #{error}. If you see this message please open an Issue on Github with the error.\n\n"
           retry
         end
-      rescue ::Timeout::Error
-        if @conn_tries < 5
-          @conn_tries += 1
-          # If an explicit timeout is set, don't retry.
-          retry unless options.key? :timeout
-        end
-        @error = "Nexpose did not respond within #{@http.read_timeout} seconds."
+      ### HTTP Specific Timeout Errors.
+      rescue ::Net::ReadTimeout, ::Net::OpenTimeout => error
+        timeout_value = error.instance_of?(Net::ReadTimeout) ? @http.read_timeout : @http.open_timeout
+        @error = "Nexpose did not respond within #{timeout_value} seconds #{error}. Reference the Wiki for information on setting the different Timeout values."
+      ### Catch all Timeout Error.
+      rescue ::Timeout::Error => error
+        @error = "Nexpose did not respond within #{@http.read_timeout} seconds #{error}. Reference the Wiki for information on setting the different Timeout values."
       rescue ::Errno::EHOSTUNREACH, ::Errno::ENETDOWN, ::Errno::ENETUNREACH, ::Errno::ENETRESET, ::Errno::EHOSTDOWN, ::Errno::EACCES, ::Errno::EINVAL, ::Errno::EADDRNOTAVAIL
         @error = 'Nexpose host is unreachable.'
         # Handle console-level interrupts
@@ -129,7 +130,7 @@ module Nexpose
         @error = "Error parsing response: #{exc.message}"
       end
 
-      if !(@success or @error)
+      if !(@success || @error)
         @error = "Nexpose service returned an unrecognized response: #{@raw_response_data.inspect}"
       end
 
@@ -137,7 +138,7 @@ module Nexpose
     end
 
     def attributes(*args)
-      return if not @res.root
+      return unless @res.root
       @res.root.attributes(*args)
     end
 

data/lib/nexpose/connection.rb

@@ -51,14 +51,20 @@ module Nexpose
     attr_reader :url
     # The token used to login to the NSC
     attr_reader :token
-
     # The last XML request sent by this object, useful for debugging.
     attr_reader :request_xml
     # The last XML response received by this object, useful for debugging.
     attr_reader :response_xml
-
     # The trust store to validate connections against if any
     attr_reader :trust_store
+    # The main HTTP read_timeout value
+    # For more information visit the link below:
+    # https://ruby-doc.org/stdlib/libdoc/net/http/rdoc/Net/HTTP.html#read_timeout-attribute-method
+    attr_accessor :timeout
+    # The optional HTTP open_timeout value
+    # For more information visit the link below:
+    # http://ruby-doc.org/stdlib/libdoc/net/http/rdoc/Net/HTTP.html#open_timeout-attribute-method
+    attr_accessor :open_timeout
 
     # A constructor to load a Connection object from a URI
     def self.from_uri(uri, user, pass, silo_id = nil, token = nil, trust_cert = nil)
@@ -76,23 +82,23 @@ module Nexpose
     # @param [String] token The two-factor authentication (2FA) token for Nexpose sessions.
     # @param [String] trust_cert The PEM-formatted web certificate of the Nexpose console. Used for SSL validation.
     def initialize(ip, user, pass, port = 3780, silo_id = nil, token = nil, trust_cert = nil)
-      @host = ip
-      @port = port
-      @username = user
-      @password = pass
-      @token = token
-      @silo_id = silo_id
-      unless trust_cert.nil?
-        @trust_store = create_trust_store(trust_cert)
-      end
-      @session_id = nil
-      @url = "https://#{@host}:#{@port}/api/API_VERSION/xml"
+      @host         = ip
+      @username     = user
+      @password     = pass
+      @port         = port
+      @silo_id      = silo_id
+      @token        = token
+      @trust_store  = create_trust_store(trust_cert) unless trust_cert.nil?
+      @session_id   = nil
+      @url          = "https://#{@host}:#{@port}/api/API_VERSION/xml"
+      @timeout      = 120
+      @open_timeout = 120
     end
 
     # Establish a new connection and Session ID
     def login
       begin
-        login_hash = {'sync-id' => 0, 'password' => @password, 'user-id' => @username, 'token' => @token}
+        login_hash = { 'sync-id' => 0, 'password' => @password, 'user-id' => @username, 'token' => @token }
         login_hash['silo-id'] = @silo_id if @silo_id
         r = execute(make_xml('LoginRequest', login_hash))
         if r.success
@@ -106,13 +112,15 @@ module Nexpose
 
     # Logout of the current connection
     def logout
-      r = execute(make_xml('LogoutRequest', {'sync-id' => 0}))
+      r = execute(make_xml('LogoutRequest', { 'sync-id' => 0 }))
       return true if r.success
       raise APIError.new(r, 'Logout failed')
     end
 
     # Execute an API request
     def execute(xml, version = '1.1', options = {})
+      options.store(:timeout, @timeout) unless options.key?(:timeout)
+      options.store(:open_timeout, @open_timeout)
       @request_xml = xml.to_s
       @api_version = version
       response = APIRequest.execute(@url, @request_xml, @api_version, options, @trust_store)
@@ -127,17 +135,17 @@ module Nexpose
     #       Would need to do something more sophisticated to grab
     #       all the associated image files.
     def download(url, file_name = nil)
-      return nil if url.nil? or url.empty?
-      uri = URI.parse(url)
-      http = Net::HTTP.new(@host, @port)
+      return nil if (url.nil? || url.empty?)
+      uri          = URI.parse(url)
+      http         = Net::HTTP.new(@host, @port)
       http.use_ssl = true
       if @trust_store.nil?
         http.verify_mode = OpenSSL::SSL::VERIFY_NONE # XXX: security issue
       else
         http.cert_store = @trust_store
       end
-      headers = {'Cookie' => "nexposeCCSessionID=#{@session_id}"}
-      resp = http.get(uri.to_s, headers)
+      headers = { 'Cookie' => "nexposeCCSessionID=#{@session_id}" }
+      resp    = http.get(uri.to_s, headers)
 
       if file_name
         ::File.open(file_name, 'wb') { |file| file.write(resp.body) }