nexpose_ticketing 1.4.2 → 1.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: bd6e9d8bd62c54470ca4f54e04771f6a12ccdd8c
-  data.tar.gz: 43dd34880ed11034f401ea0e848a88824446324f
+  metadata.gz: d1458f962f3e9bd3d18d9d2286438b3525d41811
+  data.tar.gz: 8eb1e53fe25c1562148ca9c83d04d79771cf68df
 SHA512:
-  metadata.gz: 9888c112b4b8f6fbefaa14a57631dd81beb24b343c17789f0e03a3f4bbd8881bec1b7e11967c0bc3fb0b3c5573c1e760d9cab06b75525c340123b5ee7d06f5a7
-  data.tar.gz: b87cf187e0344b22c4a9dc30db87a0befcff1323e4aad8aa4558a27de9191d70ee2dd0c78c863bb9ae75abad38783f0293df6e3f3b5c431a3ca4c48126510f21
+  metadata.gz: c81d2388596d93be2da301efafbbb96d9baf84a690cb5b75208839749ced211e690b477410b1a09bc0101f077584f138f5eb554e597ce18c09b30c2648f4ea2c
+  data.tar.gz: d1d3a1394b6de2bc5627f2ee0520dc61369f2ced8dbaa4ac37c89c73e53c340b4c85d911797477bf344f66562b2443eda2dd293c8e03e6a8c442b024c2c4f9ab

data/README.md

@@ -49,20 +49,33 @@ Please refer to your particular Ruby documentation for actual installation folde
 A logger is also implemented by default, and the log can be found under `<install_location>/lib/nexpose_ticketing/logs/`
 Please refer to the log file in case of an error.
 
+### Encryption Settings
+
+The usernames and passwords within the configuration files are automatically encrypted when the integration runs. The key and IV files used during encryption/decryption are saved within the config folder by default.
+
+#### Setting Custom Locations for Encryption Files
+
+To set custom locations for the key and IV files, update the following values within the encryption.config file:
+
+ - key_filename - The absolute path to where the key file will be created.
+ - iv_file - The absolute path to where the IV file will be created.
+
+To set a custom path after the integration has already executed, the files must be moved to the new location manually.
+
 ## Contributions
 
 To develop your own implementation for Ticketing service 'foo':
 
 1. Create a helper class that implements the following methods:
-	* Initialize: This is the constructor that will take the implementation options and the service options. It should inherit from the base_helper class.
-	* create_ticket(tickets) - This method should implement the transport class for the 'foo' service (https, smtp, SOAP, etc).
-	* prepare_create_tickets(vulnerability_list, nexpose_identifier_id) - This method will take the vulnerability_list in CSV format and transform it into 'foo' accepted data (JSON, XML, etc). The implemented helpers group data into a single ticket according to the current ticketing mode: Per IP in IP mode and per vulnerability in Vulnerability mode.
+  * Initialize: This is the constructor that will take the implementation options and the service options. It should inherit from the base_helper class.
+  * create_ticket(tickets) - This method should implement the transport class for the 'foo' service (https, smtp, SOAP, etc).
+  * prepare_create_tickets(vulnerability_list, nexpose_identifier_id) - This method will take the vulnerability_list in CSV format and transform it into 'foo' accepted data (JSON, XML, etc). The implemented helpers group data into a single ticket according to the current ticketing mode: Per IP in IP mode and per vulnerability in Vulnerability mode.
 
 2. For full functionality (updating and closing tickets), also implement the following methods:
-	* update_tickets(tickets) - This method should implement the transport class for the 'foo' service (https, smtp, SOAP, etc), to send updated ticket descriptions to the service for specific existing tickets.
-	* prepare_update_tickets(vulnerability_list, nexpose_identifier_id) - This method will take the vulnerability_list in CSV format and transform it into 'foo' accepted data (JSON, XML, etc) for updating exisiting tickets.
-	* close_tickets(tickets) - This method should implement the transport class for the 'foo' service (https, smtp, SOAP, etc), to send closure messages to the service for a specific exisiting ticket.
-	* prepare_close_tickets(vulnerability_list, nexpose_identifier_id) - This method will take the vulnerability_list in CSV format and transform it into 'foo' accepted data (JSON, XML, etc) containing information about the tickets to close.
+  * update_tickets(tickets) - This method should implement the transport class for the 'foo' service (https, smtp, SOAP, etc), to send updated ticket descriptions to the service for specific existing tickets.
+  * prepare_update_tickets(vulnerability_list, nexpose_identifier_id) - This method will take the vulnerability_list in CSV format and transform it into 'foo' accepted data (JSON, XML, etc) for updating exisiting tickets.
+  * close_tickets(tickets) - This method should implement the transport class for the 'foo' service (https, smtp, SOAP, etc), to send closure messages to the service for a specific exisiting ticket.
+  * prepare_close_tickets(vulnerability_list, nexpose_identifier_id) - This method will take the vulnerability_list in CSV format and transform it into 'foo' accepted data (JSON, XML, etc) containing information about the tickets to close.
 
 3. A configuration file will be needed in the config folder for service specific options. This is loaded at the start of operation. Please refer to the existing configuration files, as certain options are common to all services.
 
@@ -77,6 +90,11 @@ We welcome contributions to this package. We ask only that pull requests and pat
 
 ## Changelog
 
+### 1.5.0
+16-05-17
+Added an encryption configuration file. 
+Usernames and passwords within the configuration files are now encrypted when the application runs.
+
 ### 1.4.2
 10-05-17
 

data/bin/nexpose_ticketing

@@ -1,13 +1,14 @@
 #!/usr/bin/env ruby
 require 'yaml'
 require 'nexpose_ticketing'
-require 'nexpose_ticketing/nx_logger'
+require 'nexpose_ticketing/utilities/nx_logger'
 require 'nexpose_ticketing/version'
 require 'optparse'
+require_relative '../lib/nexpose_ticketing/utilities/config_parser'
 
 options = {}
 OptionParser.new do |opts|
-  opts.banner = "Usage: nexpose_ticketing [service name]"
+  opts.banner = 'Usage: nexpose_ticketing [service name]'
 end.parse!
 
 if ARGV.count == 0
@@ -16,20 +17,23 @@ if ARGV.count == 0
 end
 
 system = ARGV.first
-config_path = File.join(File.dirname(__FILE__),
-                        "../lib/nexpose_ticketing/config/#{system}.config")
+config_dir = File.join(File.dirname(__FILE__),
+                       '../lib/nexpose_ticketing/config/')
+config_path = File.join(config_dir, "#{system}.config")
+service_config_path = File.join(config_dir, 'ticket_service.config')
 
 unless File.exists? config_path
   puts "Configuration file could not be found at #{config_path}"
   exit -1
 end
 
-# Read in JIRA options from jira.config.
-service_options = begin
-  YAML.load_file(config_path)
-rescue ArgumentError => e
-  raise "Could not parse YAML #{config_path} : #{e.message}"
-end
+# We need to load the general config to get the encryption details location
+# This is because the ticket gem uses two configs at a time
+ticket_service = YAML.load_file(service_config_path)
+enc_path = ticket_service[:encryption_options][:directory]
+
+# Now we can load the config as normal
+service_options = ConfigParser.get_config(config_path, enc_path)
 
 log = NexposeTicketing::NxLogger.instance
 log.setup_statistics_collection(service_options[:vendor], 
@@ -37,9 +41,9 @@ log.setup_statistics_collection(service_options[:vendor],
                                 NexposeTicketing::VERSION)
 log.setup_logging(true, 'info')
 
-current_encoding = Encoding.default_external=Encoding.find("UTF-8")
+current_encoding = Encoding.default_external=Encoding.find('UTF-8')
 
 log.log_message("Current Encoding set to: #{current_encoding}")
 
-# Initialize Ticket Service using JIRA.
+# Initialize Ticket Service.
 NexposeTicketing.start(service_options)

data/lib/nexpose_ticketing/config/encryption.config

@@ -0,0 +1,20 @@
+#
+# Symmetric Encryption for Ruby
+#
+---
+production:
+  # Since the encryption key must NOT be stored along with the
+  # source code, only store the key encryption key here.
+  private_rsa_key:
+
+  # List Symmetric Key Ciphers in the order of current / newest first
+  ciphers:
+    -
+      # Name of the file containing the encrypted key and iv.
+      key_filename: <absolute/path/to/filename>.key
+      iv_filename: <absolute/path/to/filename>.iv
+
+      cipher: aes-256-cbc
+      encoding: base64strict
+      version: 1
+      always_add_header: true

data/lib/nexpose_ticketing/config/ticket_service.config

@@ -54,3 +54,8 @@
   :nxuser: nxadmin
   # (M) Nexpose password.
   :nxpasswd: nxadmin
+# Encryption options
+:encryption_options:
+  # (M) Path to the encryption.config file
+  :directory: ../../config/encryption.config
+  

data/lib/nexpose_ticketing/helpers/base_helper.rb

@@ -3,7 +3,7 @@ require 'net/http'
 require 'net/https'
 require 'uri'
 require 'csv'
-require 'nexpose_ticketing/nx_logger'
+require 'nexpose_ticketing/utilities/nx_logger'
 require 'nexpose_ticketing/version'
 require_relative '../ticket_metrics'
 

data/lib/nexpose_ticketing/helpers/jira_helper.rb

@@ -3,7 +3,7 @@ require 'net/http'
 require 'net/https'
 require 'uri'
 require 'csv'
-require 'nexpose_ticketing/nx_logger'
+require 'nexpose_ticketing/utilities/nx_logger'
 require 'nexpose_ticketing/version'
 require_relative './base_helper'
 

data/lib/nexpose_ticketing/helpers/remedy_helper.rb

@@ -4,7 +4,7 @@ require 'net/https'
 require 'uri'
 require 'csv'
 require 'savon'
-require 'nexpose_ticketing/nx_logger'
+require 'nexpose_ticketing/utilities/nx_logger'
 require 'nexpose_ticketing/version'
 require_relative './base_helper'
 

data/lib/nexpose_ticketing/helpers/servicedesk_helper.rb

@@ -2,7 +2,7 @@ require 'net/http'
 require 'nokogiri'
 require 'dbm'
 require_relative './base_helper'
-require 'nexpose_ticketing/nx_logger'
+require 'nexpose_ticketing/utilities/nx_logger'
 require 'nexpose_ticketing/version'
 
 class ServiceDeskHelper < BaseHelper

data/lib/nexpose_ticketing/helpers/servicenow_helper.rb

@@ -3,7 +3,7 @@ require 'net/http'
 require 'net/https'
 require 'uri'
 require 'csv'
-require 'nexpose_ticketing/nx_logger'
+require 'nexpose_ticketing/utilities/nx_logger'
 require 'nexpose_ticketing/version'
 require_relative './base_helper'
 require 'securerandom'

data/lib/nexpose_ticketing/modes/base_mode.rb

@@ -1,4 +1,4 @@
-require 'nexpose_ticketing/nx_logger'
+require 'nexpose_ticketing/utilities/nx_logger'
 
 class BaseMode 
 

data/lib/nexpose_ticketing/ticket_repository.rb

@@ -5,7 +5,7 @@ module NexposeTicketing
     require 'nexpose'
     require 'nexpose_ticketing/queries'
     require 'nexpose_ticketing/report_helper'
-    require 'nexpose_ticketing/nx_logger'
+    require 'nexpose_ticketing/utilities/nx_logger'
     require 'nexpose_ticketing/version'
 
     API_VERSION = '1.2.0'

data/lib/nexpose_ticketing/ticket_service.rb

@@ -53,22 +53,19 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
     require 'fileutils'
     require 'nexpose_ticketing/ticket_repository'
     require 'nexpose_ticketing'
-    require 'nexpose_ticketing/nx_logger'
+    require 'nexpose_ticketing/utilities/nx_logger'
     require 'nexpose_ticketing/version'
     require 'nexpose_ticketing/store'
+    require_relative './utilities/config_parser'
 
-    TICKET_SERVICE_CONFIG_PATH =  File.join(File.dirname(__FILE__), '/config/ticket_service.config')
+    TICKET_SERVICE_CONFIG_PATH =  File.join(File.dirname(__FILE__),
+                                            '/config/ticket_service.config')
     LOGGER_FILE = File.join(File.dirname(__FILE__), '/logs/ticket_service.log')
 
     attr_accessor :helper_data, :nexpose_data, :options, :ticket_repository, :first_time
 
     def setup(helper_data)
-      # Gets the Ticket Service configuration.
-      service_data = begin
-        YAML.load_file(TICKET_SERVICE_CONFIG_PATH)
-      rescue ArgumentError => e
-        raise "Could not parse YAML #{TICKET_SERVICE_CONFIG_PATH} : #{e.message}"
-      end
+      service_data = ConfigParser.get_config(TICKET_SERVICE_CONFIG_PATH)
 
       @helper_data = helper_data
       @nexpose_data = service_data[:nexpose_data]

data/lib/nexpose_ticketing/utilities/config_parser.rb

@@ -0,0 +1,140 @@
+require 'erb'
+require 'yaml'
+require 'fileutils'
+require 'symmetric-encryption'
+
+class ConfigParser
+  ENCRYPTED_FORMAT = '<%%= SymmetricEncryption.try_decrypt "%s" %%>'
+  PLACEHOLDER = '<absolute/path/to/filename>'
+  # The environment to use, defined within the encryption config
+  STANZA = 'production'
+  # The line width of the YAML file before line-wrapping occurs
+  WIDTH = 120
+
+  # Encrypts a configuration file and returns the unencrypted hash.
+  def self.get_config(config_path, enc_path=nil)
+    # Try to load a path from the provided config
+    custom_enc_path = get_enc_directory(config_path)
+    enc_path = custom_enc_path unless custom_enc_path.nil?
+
+    enc_path = File.expand_path(enc_path, __FILE__)
+    config_path = File.expand_path(config_path, __FILE__)
+
+    generate_keys(enc_path, config_path)
+    encrypt_config(enc_path, config_path)
+    decrypt_config(enc_path, config_path)
+  end
+
+  # Writes the YAML to file with custom formatting options
+  def self.save_config(config_details, config_path)
+    yaml = config_details.to_yaml(line_width: WIDTH)
+    File.open(config_path, 'w') {|f| f.write yaml }
+  end
+
+  def self.encrypt_field(value)
+    encrypted_value = SymmetricEncryption.encrypt value
+    ENCRYPTED_FORMAT % encrypted_value
+  end
+
+  # Retrieves the custom directory of the encryption config
+  def self.get_enc_directory(config_path)
+    settings = YAML.load_file(config_path)
+    return nil if settings[:encryption_options].nil?
+
+    enc_dir = settings[:encryption_options][:directory]
+    return nil if (enc_dir.nil? || enc_dir == '')
+
+    File.expand_path(enc_dir, __FILE__)
+  end
+
+  # Generates the RSA key, associated files and directories.
+  def self.generate_keys(enc_path, config_path)
+    settings = YAML.load_file(enc_path)
+    key = settings[STANZA]['private_rsa_key']
+
+    # Recognise an existing key
+    return unless (key.nil? || key == '')
+
+    # Generate a new RSA key and store the details
+    new_rsa_key = SymmetricEncryption::KeyEncryptionKey.generate
+    settings[STANZA]['private_rsa_key'] = new_rsa_key
+    save_config(settings, enc_path)
+
+    # Populate the placeholder values within the config
+    populate_ciphers(enc_path, config_path)
+
+    # Need to create a folder (specified by the user) to store the key files
+    dir = File.dirname(settings[STANZA]['ciphers'].first['key_filename'])
+
+    begin
+      unless File.directory?(dir) || PLACEHOLDER.include?(dir)
+        puts "Creating folder: #{dir}"
+        FileUtils::mkdir_p dir
+      end
+    rescue Exception => e
+      msg = "Unable to create the folders used to store encryption details.\n"\
+            'Please ensure the user has permissions to create folders in the ' \
+            "path specified in the  encryption config: #{enc_path}\n"
+      handle_error(msg, e)
+    end
+
+    SymmetricEncryption.generate_symmetric_key_files(enc_path, STANZA)
+  end
+
+  # Replace placeholder values for the key and iv file paths,
+  # placing them in the config folder by default.
+  def self.populate_ciphers(enc_path, config_path)
+    settings = YAML.load_file(enc_path)
+    ciphers = settings[STANZA]['ciphers'].first
+    config_folder = File.dirname(config_path)
+    config_name = File.basename(config_path, File.extname(config_path))
+
+    %w(key iv).each do |file|
+      label = "#{file}_filename"
+      file_path = ciphers[label]
+      next unless file_path.include? PLACEHOLDER
+
+      filename = ".#{config_name}.#{file}"
+      ciphers[label] = File.join(config_folder, filename)
+    end
+
+    save_config(settings, enc_path)
+  end
+
+  def self.encrypt_config(enc_path, config_path)
+    SymmetricEncryption.load!(enc_path, STANZA)
+
+    # Read the config in as an array of strings
+    f = File.open(config_path)
+    config_lines = f.readlines
+    f.close
+
+    # Define the regex that can find relevant fields
+    regex = /^(?<label>\s*:?\w*(passw|pwd|user|usr)\w*:?\s)(?<value>.*)$/
+
+    # Line by line, write the line to file, encrypting sensitive fields
+    File.open(config_path, 'w+') do |f|
+      config_lines.each do |l|
+        matches = l.match(regex)
+
+        # Encrypt fields with username/password labels that are in plaintext
+        unless matches.nil? || matches['value'].include?('SymmetricEncryption')
+          l = "#{matches['label']}#{encrypt_field(matches['value'])}"
+        end
+
+        f.puts l
+      end
+    end
+  end
+
+  # Returns a hash containing the decrypted details from a config file.
+  def self.decrypt_config(enc_path, config_path)
+    SymmetricEncryption.load!(enc_path, STANZA)
+    return YAML.load(ERB.new(File.new(config_path).read).result)
+  end
+
+  def self.handle_error(message, error)
+    puts message
+    raise error
+  end
+end

data/lib/nexpose_ticketing/version.rb

@@ -1,3 +1,3 @@
 module NexposeTicketing
-  VERSION = "1.4.2"
+  VERSION = '1.5.0'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: nexpose_ticketing
 version: !ruby/object:Gem::Version
-  version: 1.4.2
+  version: 1.5.0
 platform: ruby
 authors:
 - Damian Finol
@@ -11,7 +11,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-05-10 00:00:00.000000000 Z
+date: 2017-05-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nexpose
@@ -81,6 +81,26 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 1.1.2
+- !ruby/object:Gem::Dependency
+  name: symmetric-encryption
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.9'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.9.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.9'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.9.0
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -132,10 +152,10 @@ extra_rdoc_files:
 - README.md
 files:
 - Gemfile
-- Gemfile.lock
 - README.md
 - bin/nexpose_ticketing
 - lib/nexpose_ticketing.rb
+- lib/nexpose_ticketing/config/encryption.config
 - lib/nexpose_ticketing/config/jira.config
 - lib/nexpose_ticketing/config/remedy.config
 - lib/nexpose_ticketing/config/remedy_wsdl/HPD_IncidentInterface_Create_WS.xml
@@ -153,13 +173,14 @@ files:
 - lib/nexpose_ticketing/modes/default_mode.rb
 - lib/nexpose_ticketing/modes/ip_mode.rb
 - lib/nexpose_ticketing/modes/vulnerability_mode.rb
-- lib/nexpose_ticketing/nx_logger.rb
 - lib/nexpose_ticketing/queries.rb
 - lib/nexpose_ticketing/report_helper.rb
 - lib/nexpose_ticketing/store.rb
 - lib/nexpose_ticketing/ticket_metrics.rb
 - lib/nexpose_ticketing/ticket_repository.rb
 - lib/nexpose_ticketing/ticket_service.rb
+- lib/nexpose_ticketing/utilities/config_parser.rb
+- lib/nexpose_ticketing/utilities/nx_logger.rb
 - lib/nexpose_ticketing/version.rb
 homepage: https://github.com/rapid7/nexpose_ticketing
 licenses:
@@ -181,7 +202,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.5.1
+rubygems_version: 2.6.7
 signing_key: 
 specification_version: 4
 summary: Ruby Nexpose Ticketing Engine.

data/Gemfile.lock

@@ -1,69 +0,0 @@
-PATH
-  remote: .
-  specs:
-    nexpose_ticketing (1.3.0)
-      nexpose (~> 3.1, >= 3.1.0)
-      nokogiri (~> 1.6)
-      savon (~> 2.1)
-
-GEM
-  remote: https://rubygems.org/
-  specs:
-    akami (1.2.2)
-      gyoku (>= 0.4.0)
-      nokogiri
-    builder (3.2.2)
-    diff-lcs (1.2.5)
-    gyoku (1.1.1)
-      builder (>= 2.1.2)
-    httpi (2.1.1)
-      rack
-      rubyntlm (~> 0.3.2)
-    macaddr (1.7.1)
-      systemu (~> 2.6.2)
-    mini_portile2 (2.0.0)
-    nexpose (3.3.0)
-    nokogiri (1.6.7.2)
-      mini_portile2 (~> 2.0.0.rc2)
-    nori (2.4.0)
-    rack (1.6.4)
-    rspec (3.4.0)
-      rspec-core (~> 3.4.0)
-      rspec-expectations (~> 3.4.0)
-      rspec-mocks (~> 3.4.0)
-    rspec-core (3.4.4)
-      rspec-support (~> 3.4.0)
-    rspec-expectations (3.4.0)
-      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.4.0)
-    rspec-mocks (3.4.1)
-      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.4.0)
-    rspec-support (3.4.1)
-    rubyntlm (0.3.4)
-    savon (2.5.1)
-      akami (~> 1.2.0)
-      builder (>= 2.1.2)
-      gyoku (~> 1.1.0)
-      httpi (~> 2.1.0)
-      nokogiri (>= 1.4.0)
-      nori (~> 2.4.0)
-      uuid (~> 2.3.7)
-      wasabi (~> 3.3.0)
-    systemu (2.6.5)
-    uuid (2.3.8)
-      macaddr (~> 1.0)
-    wasabi (3.3.1)
-      httpi (~> 2.0)
-      nokogiri (>= 1.4.0)
-
-PLATFORMS
-  ruby
-
-DEPENDENCIES
-  nexpose_ticketing!
-  rspec (~> 3.2, >= 3.2.0)
-  rspec-mocks (~> 3.2, >= 3.2.0)
-
-BUNDLED WITH
-   1.12.5