RubyGems - probium - Versions diffs - 0.0.1 - Mend

probium 0.0.1

Files changed (12) hide show

checksums.yaml ADDED

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 0d8175b7893bcfa662a261942ea892c4d8be515f
+  data.tar.gz: 4e91a34fe46154dfc218d1b69346fe069a98eb90
+SHA512:
+  metadata.gz: 3ab68bd317fcf6788e044010caf43134e84963d56e0f39d8cddf62bbea5dc25f3029a0bbeff49a5b51dae20088c32f2028be51f04e064e1e33cc62dffb53afcb
+  data.tar.gz: ebac34f2db1e54128678caf76b93c81226be2e0898a96904463ab30d28f22bb3f18364a0c250f538cbb4662e2c5e9d2cd3f69d29bda7311f980daec1f878d92d

data/bin/probium ADDED

@@ -0,0 +1,12 @@
+#!/usr/bin/env ruby
+require 'runner'
+begin
+  runner = Runner.new
+  puts runner.run
+  exit runner.exit_code
+rescue StandardError => e
+  puts e
+  exit 1
+end

data/lib/command_line.rb ADDED

@@ -0,0 +1,46 @@
+require 'optparse'
+class CommandLine
+  VALID_OUTPUT_FORMATS = [:graphic, :json, :yaml, :csv].freeze
+  def self.parse!(options)
+    OptionParser.new do |opts|
+      opts.banner = 'Usage: probium my_policy.yaml [options]'
+      opts.on('-o', '--output-format=FORMAT', 'Format in which to display policy report (graphic, json, yaml, csv)') do |of|
+        if VALID_OUTPUT_FORMATS.include?(f = of.downcase.to_sym)
+          options[:output_format] = f
+        else
+          options[:message] =  "Invalid output-format '#{of}'. Options are #{VALID_OUTPUT_FORMATS.join(', ')}"
+          options[:state] = :fail
+        end
+      end
+      opts.on('-e', '--extension-dir=PATH', 'Location of extension files') do |path|
+        options[:extensions_path] = path
+      end
+      opts.on('-d', '--debug', 'Enable debug output') do
+        options[:debug] = true
+      end
+      opts.on('--no-color', 'Disable color in output') do
+        options[:color] = false
+      end
+      opts.on('-h', '--help', 'Print this help') do
+        options[:message] = opts
+        options[:state] = :exit
+      end
+    end.parse!
+    options
+  end
+  def self.policy!
+    policy_file = ARGV.shift
+    unless policy_file
+      raise StandardError, 'Missing required policy file as argument'
+    end
+    policy_file
+  end
+end

data/lib/extensions.rb ADDED

@@ -0,0 +1,50 @@
+require 'log'
+class Extensions
+  @@extensions = {}
+  def self.[](extension_name)
+    @@extensions[extension_name]
+  end
+  def initialize(location = File.join(File.dirname(__FILE__), 'extensions'))
+    validate_location(location)
+    @location = File.join(location, '*.rb')
+    load_extensions
+  end
+  private
+  def load_extensions
+    extension_files = Dir.glob(@location)
+    extension_files.each do |extension_file|
+      next if File.directory?(extension_file)
+      begin
+        Log.debug { "Loading extension file - #{extension_file}"}
+        instance_eval(File.read(extension_file))
+        Log.debug { "Successfully loaded extension file - #{extension_file}"}
+      rescue Exception => e
+        Log.debug { "Error in extension #{extension_file} - #{e}" }
+        raise "Cannot load extension file '#{extension_file}'"
+      end
+    end
+  end
+  def create_resource(name, &block)
+    @@extensions[name] = { :resource => block }
+  end
+  def compare_fn(name, &block)
+    @@extensions[name] = { :compare_fn => block }
+  end
+  def validate_location(location)
+    unless File.exist?(location)
+      raise "Extensions directory '#{location}' does not exist"
+    end
+    unless File.directory?(location)
+      raise "Extensions direcotry '#{location}' is not a directory"
+    end
+  end
+end

data/lib/extensions/port.rb ADDED

@@ -0,0 +1,103 @@
+require 'socket'
+require 'openssl'
+def is_ssl_enabled?(tcp_socket)
+  ctx = OpenSSL::SSL::SSLContext.new
+  ctx.set_params({ :options=>OpenSSL::SSL::OP_ALL })
+  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
+  enabled = true
+  OpenSSL::SSL::SSLSocket.new(tcp_socket, ctx).tap do |socket|
+    begin
+      socket.sync_close = true
+      socket.connect_nonblock
+    rescue IO::WaitReadable
+      if IO.select([socket], nil, nil, 1)
+        retry
+      else
+        enabled = false
+      end
+    rescue IO::WaitWritable
+      if IO.select([socket], nil, nil, 1)
+        retry
+      else
+        enabled = false
+      end
+    rescue OpenSSL::SSL::SSLError
+      enabled = false
+    end
+    return enabled
+  end
+end
+def connect_to_port(port)
+  begin
+    TCPSocket.new('0.0.0.0', port)
+  rescue StandardError # Errno::ECONNREFUSED mainly but covering for timeouts
+    nil
+  end
+end
+def get_port_state(port)
+  state = { :open => false,
+            :ssl => "unknown" }
+  tcp_socket = connect_to_port(port)
+  return state unless tcp_socket # couldn't connect, can't figure anything out
+  state[:open] = true
+  state[:ssl] = is_ssl_enabled?(tcp_socket)
+  tcp_socket.close
+  state
+end
+def combine_port_states(states)
+  states.reduce({}) do |old_state, state|
+    old_state[:open] ||= state[:open]
+    old_state[:ssl] ||= state[:ssl]
+    old_state[:open] &&= state[:open]
+    old_state[:ssl] &&= state[:open]
+    old_state
+  end
+end
+# TODO(ploubser): Write custom compare function
+#compare_fn(:port) do |name, expected, actual|
+#end
+create_resource(:port) do |port|
+  resource = Puppet::Resource.new('ssl', port.to_s)
+  state = {}
+  if port =~ /^(\d+)-(\d+)$/
+    port_states = []
+    ports = ($1.to_i..$2.to_i).to_a
+    threads = (0...10).map do # god help us all
+      Thread.new do
+        while p = ports.pop
+          port_states << get_port_state(p)
+        end
+      end
+    end
+    threads.map(&:join)
+    state = combine_port_states(port_states)
+  elsif port =~ /^(\d+)$/
+    state = get_port_state(port)
+  else
+    state = { :open => 'unknown',
+              :ssl => 'unknown' }
+  end
+  # add the state keys to the resource
+  state.each do |key, val|
+    resource[key] = val
+  end
+  resource
+end

data/lib/log.rb ADDED

@@ -0,0 +1,18 @@
+require 'logger'
+class Log
+  @@log = Logger.new(STDOUT)
+  @@log.level = Logger::WARN
+  def self.initialize
+    @@log.level = Logger::DEBUG
+    @@log.formatter = proc do |severity, datetime, progname, msg|
+      calling_position = caller[5].split(/^.+\//).last.split(/:/)[0,2].join(':') # gross
+      "[#{datetime}] #{calling_position}: - #{msg}\n"
+    end
+  end
+  def self.debug(&blk)
+    @@log.debug &blk
+  end
+end

data/lib/policy.rb ADDED

@@ -0,0 +1,71 @@
+require 'rule'
+require 'facter'
+require 'log'
+class Policy
+  include Enumerable
+  extend Forwardable
+  def_delegators :@rules, :each
+  class PolicyError < StandardError
+    def initialize(message)
+      super("Invalid policy - #{message}")
+    end
+  end
+  VALID_KEYS = [:name, 'name', :rules, 'rules', :confine, 'confine'].freeze
+  attr_reader :rules
+  attr_reader :name
+  attr_reader :confines
+  def initialize(policy)
+    if (invalid_keys = policy.keys - VALID_KEYS).size > 0
+      raise PolicyError, "invalid field(s) '#{invalid_keys.join(',')}'"
+    end
+    @name = policy[:name] or policy['name'] or raise PolicyError, 'missing required field "name"'
+    @rules = policy[:rules] or policy['rules'] or raise PolicyError, 'missing required field "rules"'
+    @confines = policy[:confine] or policy['confine']
+    @confines ||= {}
+    unless @rules.is_a?(Array)
+      raise PolicyError, 'rules field must be an Array'
+    end
+    unless @rules.size > 0
+      raise PolicyError, 'rules Array must contain at least one rule'
+    end
+  end
+  def enabled?
+    Log.debug { "Checking confine rules for policy - #{@name}" }
+    @confines.each do |fact_name, value|
+      if (fact_value = Facter.value(fact_name)) != value
+        Log.debug { "Skipping policy '#{@name} - #{fact_name}: #{fact_value.inspect} != #{value.inspect}"}
+        return false
+      end
+    end
+    Log.debug { "Policy '#{@name}' passed all confine rules." }
+    true
+  end
+  def check_rules
+    # Delay loading rules until Policy is checked. Puppet resources are expensive
+    # and we avoid it incase enabled? = false
+    @rules.map! { |r| Rule.new(r) }
+    result = { :name => @name,
+               :success => true,
+               :rules => [] }
+    @rules.each do |rule|
+      rule_result = rule.check_resources
+      result[:rules] << rule_result
+      result[:success] = false unless rule_result[:success]
+    end
+    result
+  end
+end

data/lib/resource.rb ADDED

@@ -0,0 +1,90 @@
+require 'extensions'
+require 'log'
+require 'puppet'
+class Resource
+  class ResourceError < StandardError
+    def initialize(msg)
+      super("Invalid resource - #{msg}")
+    end
+  end
+  attr_reader :title
+  attr_reader :type
+  attr_reader :name
+  attr_reader :expected_properties
+  attr_reader :puppet_resource
+  def initialize(title, properties)
+    if title.to_s =~ /^([A-Z].+)\[(.+)\]$/
+      @type = $1.to_s.downcase.to_sym
+      @name =$2.to_s.gsub(/'|"/, '')
+    else
+      raise ResourceError, "invalid resource title - #{title}"
+    end
+    @title = title
+    @expected_properties = properties
+    @compare_fn = lambda do |name, expected, actual|
+      if name == :ensure
+        if expected == 'present'
+          return actual != :absent
+        end
+        if expected == 'absent'
+          expected = expected.to_sym # user can express it as 'absent' or :absent
+        end
+      end
+      expected == actual
+    end
+    create_resource
+  end
+  def check_properties
+    result = { :success => true,
+               :title => @title,
+               :properties => [] }
+    @expected_properties.each do |property, value|
+      status = @compare_fn.call(property, value, @puppet_resource[property])
+      result[:success] = false unless status
+      result[:properties] << { :name => property,
+                               :expected => value,
+                               :actual => @puppet_resource[property].to_s,
+                               :success => status }
+    end
+    result
+  end
+  private
+  def create_resource
+    Log.debug { "Loading resource #{@title}"}
+    start_time = Time.now
+    if extension = Extensions[@type]
+      Log.debug { "Found resource type '#{@type}' in extensions." }
+      @puppet_resource = extension[:resource].call(@name)
+      if extension[:compare_fn]
+        Log.debug { "Loading custom compare function for resource - #{@title}"}
+        @compare_fn = extension[:compare_fn]
+      end
+    else
+      begin
+        Log.debug { "Couldn't find resource type '#{@type}' in extensions. Creating Puppet resource." }
+        @puppet_resource = Puppet::Resource.indirection.find("#{@type}/#{@name}")
+      rescue Puppet::Error => e
+        msg = "Cannot create resource type - '#{@type}'. Unkown error - #{e}"
+        if e.message =~ /^.*Permission denied.*$/
+          msg = "Insufficient permissions to create resource - #{@title}"
+        elsif e.message =~ /^.*Could not find type.*$/
+          msg = "Cannot create unknown resource type - '#{@type}'"
+        end
+        raise Resource::ResourceError, msg
+      end
+    end
+    Log.debug { "Loaded resource #{@title} in #{Time.now - start_time}" }
+  end
+end

data/lib/result_viewer.rb ADDED

@@ -0,0 +1,99 @@
+require 'yaml'
+require 'json'
+require 'csv'
+require 'rainbow'
+class ResultViewer
+  attr_reader :run_state
+  def initialize(policies)
+    @run_state = { :policies => policies,
+                   :total => policies.size,
+                   :successes => policies.reduce(0) { |count, policy| policy[:success] ? count + 1 : count } }
+  end
+  def to_s
+    string_buffer = []
+    string_buffer << "Total Policies: #{@run_state[:total]}"
+    @run_state[:policies].each do |policy|
+      string_buffer << stringify_policy(policy)
+    end
+    string_buffer << "Passed: #{@run_state[:successes]}/#{@run_state[:total]}"
+    string_buffer.join("\n\n")
+  end
+  def to_yaml
+    @run_state.to_yaml
+  end
+  def to_json
+    @run_state.to_json
+  end
+  def to_csv
+##    CSV.generate do |csv|
+ #     csv << ['Rule', 'Property', 'Expected Value', 'Actual Value', 'Success']
+ #     rule_results.each do |rule, result|
+ #       result.each do |r|
+  #        csv << [rule, r[:property], r[:expected], r[:actual], r[:success]]
+  #      end
+  #    end
+  #  end
+  "TODO(ploubser): Implement"
+  end
+  private
+  def stringify_policy(policy)
+    string_buffer = []
+    color = policy[:success] ? :green : :red
+    string_buffer << "Policy: #{Rainbow(policy[:name]).send(color)}"
+    policy[:rules].each do |rule|
+      string_buffer << stringify_rule(rule)
+    end
+    string_buffer.join("\n\n")
+  end
+  def stringify_rule(rule)
+    string_buffer = []
+    color = rule[:success] ? :green : :red
+    string_buffer << "Description: #{Rainbow(rule[:description]).send(color)}"
+    if rule[:severity]
+      string_buffer << "Severity: #{Rainbow(rule[:severity]).send(color)}"
+    end
+    rule[:resources].each do |resource|
+      string_buffer << stringify_resource(resource)
+    end
+    indent_buffer(string_buffer).join("\n")
+  end
+  def stringify_resource(resource)
+    string_buffer = []
+    string_buffer << resource[:title]
+    resource[:properties].each do |property|
+      string_buffer << stringify_property(property)
+    end
+    indent_buffer(string_buffer).join("\n")
+  end
+  def stringify_property(property)
+    string_buffer = []
+    color = property[:success] ? :green : :red
+    string_buffer << "#{property[:name]}: #{property[:expected]} -> #{Rainbow(property[:actual]).send(color)}"
+    indent_buffer(string_buffer, 8).join("\n")
+  end
+  def indent_buffer(buffer, count=4)
+    buffer.map do |s|
+      ' ' * count + s.to_s
+    end
+  end
+end

data/lib/rule.rb ADDED

@@ -0,0 +1,51 @@
+require 'log'
+require 'resource'
+class Rule
+  class RuleError < StandardError
+    def initialize(msg)
+      super("Invalid rule - #{msg}")
+    end
+  end
+  VALID_KEYS = [:resources, 'resources',
+                :description, 'description',
+                :severity, 'severity'].freeze
+  attr_reader :resources
+  attr_reader :description
+  attr_reader :severity
+  def initialize(rule)
+    if (invalid_keys = rule.keys - VALID_KEYS).size > 0
+      raise RuleError, "invalid field(s) '#{invalid_keys.join(',')}'"
+    end
+    tmp_resources = rule[:resources] or rule['resources'] or
+      raise RuleError, 'missing required field "resources"'
+    @description = rule[:description] or rule['description'] or
+                   raise RuleError, 'missing required field "description"'
+    @severity = rule[:severity] or rule['severity']
+    unless tmp_resources.is_a? Hash
+      raise RuleError, 'resources field must be an Hash'
+    end
+    @resources = tmp_resources.map do |title, properties|
+      Resource.new(title, properties)
+    end
+  end
+  def check_resources
+    result = { :description => @description,
+               :severity => @severity,
+               :success => true,
+               :resources => [] }
+    @resources.each do |resource|
+      resource_result = resource.check_properties
+      result[:resources] << resource_result
+      result[:success] = false unless resource_result[:success]
+    end
+    result
+  end
+end

data/lib/runner.rb ADDED

@@ -0,0 +1,117 @@
+require 'yaml'
+require 'erb'
+require 'command_line'
+require 'extensions'
+require 'result_viewer'
+require 'policy'
+require 'log'
+class Runner
+  attr_reader :exit_code
+  def initialize
+    @defaults = { :output_format => :graphic,
+                  :extensions_path => File.join(File.dirname(__FILE__), 'extensions'),
+                  :debug => false,
+                  :color => true,
+                  :state => :run,
+                  :msg => nil }
+    @options = CommandLine.parse!(@defaults)
+    if msg = @options.delete(:message)
+      puts msg
+    end
+    case @options.delete(:state)
+    when :exit
+      exit 0
+    when :fail
+      exit 1
+    end
+    if @options[:debug]
+      Log.initialize
+    end
+    unless @options[:color]
+      Rainbow.enabled = false
+    end
+    Log.debug { "Starting policy check with configured option - #{@options.inspect}" }
+    @extensions = Extensions.new(@options[:extensions_path])
+    policy_file = CommandLine.policy!
+    @policies = load_policies(policy_file).map { |policy| Policy.new(policy) }
+    @exit_code = 0
+  end
+  def run
+    processed_policies = []
+    @policies.each do |policy|
+      if policy.enabled?
+        processed_policies << policy.check_rules
+      end
+    end
+    result_viewer = ResultViewer.new(processed_policies)
+    if result_viewer.run_state[:successes] != result_viewer.run_state[:total]
+      @exit_code = 1
+    end
+    case @options[:output_format]
+    when :graphic
+      result_viewer.to_s
+    when :json
+      result_viewer.to_json
+    when :yaml
+      result_viewer.to_yaml
+    # TODO(ploubser): Fix this
+    #when :csv
+    #  result_viewer.to_csv
+    end
+  end
+  private
+  def load_policies(target_location)
+    policies = []
+    if File.directory?(target_location)
+      Dir.glob(target_location + '/*').each do |policy_file|
+        policies << load_policy_file(policy_file)
+      end
+    else
+      policies << load_policy_file(target_location)
+    end
+    policies
+  end
+  def load_policy_file(policy_file)
+    Log.debug { "Loading policy file - #{policy_file}" }
+    unless File.exist?(policy_file)
+      raise "Cannot find policy file - '#{policy_file}'"
+    end
+    policy = {}
+    begin
+      if policy_file =~ /^.*\.erb$/
+        template = ERB.new(File.read(policy_file, 3, '>')).result
+        policy = YAML.load(template)
+      else
+        policy = YAML.load_file(policy_file)
+      end
+    rescue StandardError => e
+        Log.debug { e.message }
+        raise "Invalid Policy file - '#{policy_file}'"
+    end
+    Log.debug { "Successfully loaded policy file - #{policy_file}"}
+    policy
+  end
+end

metadata ADDED

@@ -0,0 +1,94 @@
+--- !ruby/object:Gem::Specification
+name: probium
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Pieter Loubser
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2017-04-12 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rainbow
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.2'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.2.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.2'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.2.1
+- !ruby/object:Gem::Dependency
+  name: puppet
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.3'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 4.3.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.3'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 4.3.2
+description: A CLI tool that uses Puppet resources to validate YAML or JSON policies.
+email: ploubser@gmail.com
+executables:
+- probium
+extensions: []
+extra_rdoc_files: []
+files:
+- bin/probium
+- lib/command_line.rb
+- lib/extensions.rb
+- lib/extensions/port.rb
+- lib/log.rb
+- lib/policy.rb
+- lib/resource.rb
+- lib/result_viewer.rb
+- lib/rule.rb
+- lib/runner.rb
+homepage: https://github.com/ploubser/probium
+licenses:
+- Apache-2.0
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.6.8
+signing_key:
+specification_version: 4
+summary: CLI policy checking tool
+test_files: []