RubyGems - probium - Versions diffs - 0.0.1 - Mend

probium 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

checksums.yaml ADDED

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 0d8175b7893bcfa662a261942ea892c4d8be515f
+  data.tar.gz: 4e91a34fe46154dfc218d1b69346fe069a98eb90
+SHA512:
+  metadata.gz: 3ab68bd317fcf6788e044010caf43134e84963d56e0f39d8cddf62bbea5dc25f3029a0bbeff49a5b51dae20088c32f2028be51f04e064e1e33cc62dffb53afcb
+  data.tar.gz: ebac34f2db1e54128678caf76b93c81226be2e0898a96904463ab30d28f22bb3f18364a0c250f538cbb4662e2c5e9d2cd3f69d29bda7311f980daec1f878d92d

data/bin/probium ADDED

@@ -0,0 +1,12 @@
+#!/usr/bin/env ruby
+require 'runner'
+begin
+  runner = Runner.new
+  puts runner.run
+  exit runner.exit_code
+rescue StandardError => e
+  puts e
+  exit 1
+end

data/lib/command_line.rb ADDED

@@ -0,0 +1,46 @@
+require 'optparse'
+class CommandLine
+  VALID_OUTPUT_FORMATS = [:graphic, :json, :yaml, :csv].freeze
+  def self.parse!(options)
+    OptionParser.new do |opts|
+      opts.banner = 'Usage: probium my_policy.yaml [options]'
+      opts.on('-o', '--output-format=FORMAT', 'Format in which to display policy report (graphic, json, yaml, csv)') do |of|
+        if VALID_OUTPUT_FORMATS.include?(f = of.downcase.to_sym)
+          options[:output_format] = f
+        else
+          options[:message] =  "Invalid output-format '#{of}'. Options are #{VALID_OUTPUT_FORMATS.join(', ')}"
+          options[:state] = :fail
+        end
+      end
+      opts.on('-e', '--extension-dir=PATH', 'Location of extension files') do |path|
+        options[:extensions_path] = path
+      end
+      opts.on('-d', '--debug', 'Enable debug output') do
+        options[:debug] = true
+      end
+      opts.on('--no-color', 'Disable color in output') do
+        options[:color] = false
+      end
+      opts.on('-h', '--help', 'Print this help') do
+        options[:message] = opts
+        options[:state] = :exit
+      end
+    end.parse!
+    options
+  end
+  def self.policy!
+    policy_file = ARGV.shift
+    unless policy_file
+      raise StandardError, 'Missing required policy file as argument'
+    end
+    policy_file
+  end
+end

data/lib/extensions.rb ADDED

@@ -0,0 +1,50 @@
+require 'log'
+class Extensions
+  @@extensions = {}
+  def self.[](extension_name)
+    @@extensions[extension_name]
+  end
+  def initialize(location = File.join(File.dirname(__FILE__), 'extensions'))
+    validate_location(location)
+    @location = File.join(location, '*.rb')
+    load_extensions
+  end
+  private
+  def load_extensions
+    extension_files = Dir.glob(@location)
+    extension_files.each do |extension_file|
+      next if File.directory?(extension_file)
+      begin
+        Log.debug { "Loading extension file - #{extension_file}"}
+        instance_eval(File.read(extension_file))
+        Log.debug { "Successfully loaded extension file - #{extension_file}"}
+      rescue Exception => e
+        Log.debug { "Error in extension #{extension_file} - #{e}" }
+        raise "Cannot load extension file '#{extension_file}'"
+      end
+    end
+  end
+  def create_resource(name, &block)
+    @@extensions[name] = { :resource => block }
+  end
+  def compare_fn(name, &block)
+    @@extensions[name] = { :compare_fn => block }
+  end
+  def validate_location(location)
+    unless File.exist?(location)
+      raise "Extensions directory '#{location}' does not exist"
+    end
+    unless File.directory?(location)
+      raise "Extensions direcotry '#{location}' is not a directory"
+    end
+  end
+end

data/lib/extensions/port.rb ADDED

@@ -0,0 +1,103 @@
+require 'socket'
+require 'openssl'
+def is_ssl_enabled?(tcp_socket)
+  ctx = OpenSSL::SSL::SSLContext.new
+  ctx.set_params({ :options=>OpenSSL::SSL::OP_ALL })
+  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
+  enabled = true
+  OpenSSL::SSL::SSLSocket.new(tcp_socket, ctx).tap do |socket|
+    begin
+      socket.sync_close = true
+      socket.connect_nonblock
+    rescue IO::WaitReadable
+      if IO.select([socket], nil, nil, 1)
+        retry
+      else
+        enabled = false
+      end
+    rescue IO::WaitWritable
+      if IO.select([socket], nil, nil, 1)
+        retry
+      else
+        enabled = false
+      end
+    rescue OpenSSL::SSL::SSLError
+      enabled = false
+    end
+    return enabled
+  end
+end
+def connect_to_port(port)
+  begin
+    TCPSocket.new('0.0.0.0', port)
+  rescue StandardError # Errno::ECONNREFUSED mainly but covering for timeouts
+    nil
+  end
+end
+def get_port_state(port)
+  state = { :open => false,
+            :ssl => "unknown" }
+  tcp_socket = connect_to_port(port)
+  return state unless tcp_socket # couldn't connect, can't figure anything out
+  state[:open] = true
+  state[:ssl] = is_ssl_enabled?(tcp_socket)
+  tcp_socket.close
+  state
+end
+def combine_port_states(states)
+  states.reduce({}) do |old_state, state|
+    old_state[:open] ||= state[:open]
+    old_state[:ssl] ||= state[:ssl]
+    old_state[:open] &&= state[:open]
+    old_state[:ssl] &&= state[:open]
+    old_state
+  end
+end
+# TODO(ploubser): Write custom compare function
+#compare_fn(:port) do |name, expected, actual|
+#end
+create_resource(:port) do |port|
+  resource = Puppet::Resource.new('ssl', port.to_s)
+  state = {}
+  if port =~ /^(\d+)-(\d+)$/
+    port_states = []
+    ports = ($1.to_i..$2.to_i).to_a
+    threads = (0...10).map do # god help us all
+      Thread.new do
+        while p = ports.pop
+          port_states << get_port_state(p)
+        end
+      end
+    end
+    threads.map(&:join)
+    state = combine_port_states(port_states)
+  elsif port =~ /^(\d+)$/
+    state = get_port_state(port)
+  else
+    state = { :open => 'unknown',
+              :ssl => 'unknown' }
+  end
+  # add the state keys to the resource
+  state.each do |key, val|
+    resource[key] = val
+  end
+  resource
+end

data/lib/log.rb ADDED

@@ -0,0 +1,18 @@
+require 'logger'
+class Log
+  @@log = Logger.new(STDOUT)
+  @@log.level = Logger::WARN
+  def self.initialize
+    @@log.level = Logger::DEBUG
+    @@log.formatter = proc do |severity, datetime, progname, msg|
+      calling_position = caller[5].split(/^.+\//).last.split(/:/)[0,2].join(':') # gross
+      "[#{datetime}] #{calling_position}: - #{msg}\n"
+    end
+  end
+  def self.debug(&blk)
+    @@log.debug &blk
+  end
+end

data/lib/policy.rb ADDED

@@ -0,0 +1,71 @@
+require 'rule'
+require 'facter'
+require 'log'
+class Policy
+  include Enumerable
+  extend Forwardable
+  def_delegators :@rules, :each
+  class PolicyError < StandardError
+    def initialize(message)
+      super("Invalid policy - #{message}")
+    end
+  end
+  VALID_KEYS = [:name, 'name', :rules, 'rules', :confine, 'confine'].freeze
+  attr_reader :rules
+  attr_reader :name
+  attr_reader :confines
+  def initialize(policy)
+    if (invalid_keys = policy.keys - VALID_KEYS).size > 0
+      raise PolicyError, "invalid field(s) '#{invalid_keys.join(',')}'"
+    end
+    @name = policy[:name] or policy['name'] or raise PolicyError, 'missing required field "name"'
+    @rules = policy[:rules] or policy['rules'] or raise PolicyError, 'missing required field "rules"'
+    @confines = policy[:confine] or policy['confine']
+    @confines ||= {}
+    unless @rules.is_a?(Array)
+      raise PolicyError, 'rules field must be an Array'
+    end
+    unless @rules.size > 0
+      raise PolicyError, 'rules Array must contain at least one rule'
+    end
+  end
+  def enabled?
+    Log.debug { "Checking confine rules for policy - #{@name}" }
+    @confines.each do |fact_name, value|
+      if (fact_value = Facter.value(fact_name)) != value
+        Log.debug { "Skipping policy '#{@name} - #{fact_name}: #{fact_value.inspect} != #{value.inspect}"}
+        return false
+      end
+    end
+    Log.debug { "Policy '#{@name}' passed all confine rules." }
+    true
+  end
+  def check_rules
+    # Delay loading rules until Policy is checked. Puppet resources are expensive
+    # and we avoid it incase enabled? = false
+    @rules.map! { |r| Rule.new(r) }
+    result = { :name => @name,
+               :success => true,
+               :rules => [] }
+    @rules.each do |rule|
+      rule_result = rule.check_resources
+      result[:rules] << rule_result
+      result[:success] = false unless rule_result[:success]
+    end
+    result
+  end
+end

data/lib/resource.rb ADDED

@@ -0,0 +1,90 @@
+require 'extensions'
+require 'log'
+require 'puppet'
+class Resource
+  class ResourceError < StandardError
+    def initialize(msg)
+      super("Invalid resource - #{msg}")
+    end
+  end
+  attr_reader :title
+  attr_reader :type
+  attr_reader :name
+  attr_reader :expected_properties
+  attr_reader :puppet_resource
+  def initialize(title, properties)
+    if title.to_s =~ /^([A-Z].+)\[(.+)\]$/
+      @type = $1.to_s.downcase.to_sym
+      @name =$2.to_s.gsub(/'|"/, '')
+    else
+      raise ResourceError, "invalid resource title - #{title}"
+    end
+    @title = title
+    @expected_properties = properties
+    @compare_fn = lambda do |name, expected, actual|
+      if name == :ensure
+        if expected == 'present'
+          return actual != :absent
+        end
+        if expected == 'absent'
+          expected = expected.to_sym # user can express it as 'absent' or :absent
+        end
+      end
+      expected == actual
+    end
+    create_resource
+  end
+  def check_properties
+    result = { :success => true,
+               :title => @title,
+               :properties => [] }
+    @expected_properties.each do |property, value|
+      status = @compare_fn.call(property, value, @puppet_resource[property])
+      result[:success] = false unless status
+      result[:properties] << { :name => property,
+                               :expected => value,
+                               :actual => @puppet_resource[property].to_s,
+                               :success => status }
+    end
+    result
+  end
+  private
+  def create_resource
+    Log.debug { "Loading resource #{@title}"}
+    start_time = Time.now
+    if extension = Extensions[@type]
+      Log.debug { "Found resource type '#{@type}' in extensions." }
+      @puppet_resource = extension[:resource].call(@name)
+      if extension[:compare_fn]
+        Log.debug { "Loading custom compare function for resource - #{@title}"}
+        @compare_fn = extension[:compare_fn]
+      end
+    else
+      begin
+        Log.debug { "Couldn't find resource type '#{@type}' in extensions. Creating Puppet resource." }
+        @puppet_resource = Puppet::Resource.indirection.find("#{@type}/#{@name}")
+      rescue Puppet::Error => e
+        msg = "Cannot create resource type - '#{@type}'. Unkown error - #{e}"
+        if e.message =~ /^.*Permission denied.*$/
+          msg = "Insufficient permissions to create resource - #{@title}"
+        elsif e.message =~ /^.*Could not find type.*$/
+          msg = "Cannot create unknown resource type - '#{@type}'"
+        end
+        raise Resource::ResourceError, msg
+      end
+    end
+    Log.debug { "Loaded resource #{@title} in #{Time.now - start_time}" }
+  end
+end

data/lib/result_viewer.rb ADDED

@@ -0,0 +1,99 @@
+require 'yaml'
+require 'json'
+require 'csv'
+require 'rainbow'
+class ResultViewer
+  attr_reader :run_state
+  def initialize(policies)
+    @run_state = { :policies => policies,
+                   :total => policies.size,
+                   :successes => policies.reduce(0) { |count, policy| policy[:success] ? count + 1 : count } }
+  end
+  def to_s
+    string_buffer = []
+    string_buffer << "Total Policies: #{@run_state[:total]}"
+    @run_state[:policies].each do |policy|
+      string_buffer << stringify_policy(policy)
+    end
+    string_buffer << "Passed: #{@run_state[:successes]}/#{@run_state[:total]}"
+    string_buffer.join("\n\n")
+  end
+  def to_yaml
+    @run_state.to_yaml
+  end
+  def to_json
+    @run_state.to_json
+  end
+  def to_csv
+##    CSV.generate do |csv|
+ #     csv << ['Rule', 'Property', 'Expected Value', 'Actual Value', 'Success']
+ #     rule_results.each do |rule, result|
+ #       result.each do |r|
+  #        csv << [rule, r[:property], r[:expected], r[:actual], r[:success]]
+  #      end
+  #    end
+  #  end
+  "TODO(ploubser): Implement"
+  end
+  private
+  def stringify_policy(policy)
+    string_buffer = []
+    color = policy[:success] ? :green : :red
+    string_buffer << "Policy: #{Rainbow(policy[:name]).send(color)}"
+    policy[:rules].each do |rule|
+      string_buffer << stringify_rule(rule)
+    end
+    string_buffer.join("\n\n")
+  end
+  def stringify_rule(rule)
+    string_buffer = []
+    color = rule[:success] ? :green : :red
+    string_buffer << "Description: #{Rainbow(rule[:description]).send(color)}"
+    if rule[:severity]
+      string_buffer << "Severity: #{Rainbow(rule[:severity]).send(color)}"
+    end
+    rule[:resources].each do |resource|
+      string_buffer << stringify_resource(resource)
+    end
+    indent_buffer(string_buffer).join("\n")
+  end
+  def stringify_resource(resource)
+    string_buffer = []
+    string_buffer << resource[:title]
+    resource[:properties].each do |property|
+      string_buffer << stringify_property(property)
+    end
+    indent_buffer(string_buffer).join("\n")
+  end
+  def stringify_property(property)
+    string_buffer = []
+    color = property[:success] ? :green : :red
+    string_buffer << "#{property[:name]}: #{property[:expected]} -> #{Rainbow(property[:actual]).send(color)}"
+    indent_buffer(string_buffer, 8).join("\n")
+  end
+  def indent_buffer(buffer, count=4)
+    buffer.map do |s|
+      ' ' * count + s.to_s
+    end
+  end
+end

data/lib/rule.rb ADDED

@@ -0,0 +1,51 @@
+require 'log'
+require 'resource'
+class Rule
+  class RuleError < StandardError
+    def initialize(msg)
+      super("Invalid rule - #{msg}")
+    end
+  end
+  VALID_KEYS = [:resources, 'resources',
+                :description, 'description',
+                :severity, 'severity'].freeze
+  attr_reader :resources
+  attr_reader :description
+  attr_reader :severity
+  def initialize(rule)
+    if (invalid_keys = rule.keys - VALID_KEYS).size > 0
+      raise RuleError, "invalid field(s) '#{invalid_keys.join(',')}'"
+    end
+    tmp_resources = rule[:resources] or rule['resources'] or
+      raise RuleError, 'missing required field "resources"'
+    @description = rule[:description] or rule['description'] or
+                   raise RuleError, 'missing required field "description"'
+    @severity = rule[:severity] or rule['severity']
+    unless tmp_resources.is_a? Hash
+      raise RuleError, 'resources field must be an Hash'
+    end
+    @resources = tmp_resources.map do |title, properties|
+      Resource.new(title, properties)
+    end
+  end
+  def check_resources
+    result = { :description => @description,
+               :severity => @severity,
+               :success => true,
+               :resources => [] }
+    @resources.each do |resource|
+      resource_result = resource.check_properties
+      result[:resources] << resource_result
+      result[:success] = false unless resource_result[:success]
+    end
+    result
+  end
+end

data/lib/runner.rb ADDED

@@ -0,0 +1,117 @@
+require 'yaml'
+require 'erb'
+require 'command_line'
+require 'extensions'
+require 'result_viewer'
+require 'policy'
+require 'log'
+class Runner
+  attr_reader :exit_code
+  def initialize
+    @defaults = { :output_format => :graphic,
+                  :extensions_path => File.join(File.dirname(__FILE__), 'extensions'),
+                  :debug => false,
+                  :color => true,
+                  :state => :run,
+                  :msg => nil }
+    @options = CommandLine.parse!(@defaults)
+    if msg = @options.delete(:message)
+      puts msg
+    end
+    case @options.delete(:state)
+    when :exit
+      exit 0
+    when :fail
+      exit 1
+    end
+    if @options[:debug]
+      Log.initialize
+    end
+    unless @options[:color]
+      Rainbow.enabled = false
+    end
+    Log.debug { "Starting policy check with configured option - #{@options.inspect}" }
+    @extensions = Extensions.new(@options[:extensions_path])
+    policy_file = CommandLine.policy!
+    @policies = load_policies(policy_file).map { |policy| Policy.new(policy) }
+    @exit_code = 0
+  end
+  def run
+    processed_policies = []
+    @policies.each do |policy|
+      if policy.enabled?
+        processed_policies << policy.check_rules
+      end
+    end
+    result_viewer = ResultViewer.new(processed_policies)
+    if result_viewer.run_state[:successes] != result_viewer.run_state[:total]
+      @exit_code = 1
+    end
+    case @options[:output_format]
+    when :graphic
+      result_viewer.to_s
+    when :json
+      result_viewer.to_json
+    when :yaml
+      result_viewer.to_yaml
+    # TODO(ploubser): Fix this
+    #when :csv
+    #  result_viewer.to_csv
+    end
+  end
+  private
+  def load_policies(target_location)
+    policies = []
+    if File.directory?(target_location)
+      Dir.glob(target_location + '/*').each do |policy_file|
+        policies << load_policy_file(policy_file)
+      end
+    else
+      policies << load_policy_file(target_location)
+    end
+    policies
+  end
+  def load_policy_file(policy_file)
+    Log.debug { "Loading policy file - #{policy_file}" }
+    unless File.exist?(policy_file)
+      raise "Cannot find policy file - '#{policy_file}'"
+    end
+    policy = {}
+    begin
+      if policy_file =~ /^.*\.erb$/
+        template = ERB.new(File.read(policy_file, 3, '>')).result
+        policy = YAML.load(template)
+      else
+        policy = YAML.load_file(policy_file)
+      end
+    rescue StandardError => e
+        Log.debug { e.message }
+        raise "Invalid Policy file - '#{policy_file}'"
+    end
+    Log.debug { "Successfully loaded policy file - #{policy_file}"}
+    policy
+  end
+end

metadata ADDED

@@ -0,0 +1,94 @@
+--- !ruby/object:Gem::Specification
+name: probium
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Pieter Loubser
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2017-04-12 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rainbow
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.2'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.2.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.2'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.2.1
+- !ruby/object:Gem::Dependency
+  name: puppet
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.3'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 4.3.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.3'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 4.3.2
+description: A CLI tool that uses Puppet resources to validate YAML or JSON policies.
+email: ploubser@gmail.com
+executables:
+- probium
+extensions: []
+extra_rdoc_files: []
+files:
+- bin/probium
+- lib/command_line.rb
+- lib/extensions.rb
+- lib/extensions/port.rb
+- lib/log.rb
+- lib/policy.rb
+- lib/resource.rb
+- lib/result_viewer.rb
+- lib/rule.rb
+- lib/runner.rb
+homepage: https://github.com/ploubser/probium
+licenses:
+- Apache-2.0
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.6.8
+signing_key:
+specification_version: 4
+summary: CLI policy checking tool
+test_files: []