puppet_auditor 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 9f19c4e65cec6c68311283a645f82a70c5972713a8914998f90980c72ac46d9e
+  data.tar.gz: 2fcfd26e374196b17aae75102910375efa8f32b25672d2d5de2d4f12effce9e9
+SHA512:
+  metadata.gz: 68f90d008056423702b399e106c75518ffe4e5b44f209a708239f557cc460665a96f7bc4fe4d5efce1b0e7368ef1818a6a4a806d7401e7eb6bf2f4d87bdb74dc
+  data.tar.gz: '08c51f70e10d0c21edf941cbb9a9414b0c73e7e8367fdf3f35e18897b25b07550e481243a724334b172e91a0cac12e7ccf48fe2f9765bba925ccd63814b7495e'

data/Gemfile

@@ -0,0 +1,6 @@
+source "https://rubygems.org"
+
+git_source(:github) {|repo_name| "https://github.com/#{repo_name}" }
+
+# Specify your gem's dependencies in puppet_auditor.gemspec
+gemspec

data/Gemfile.lock

@@ -0,0 +1,58 @@
+PATH
+  remote: .
+  specs:
+    puppet_auditor (0.1.0)
+      puppet-lint (>= 1.1, < 3.0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    coderay (1.1.2)
+    diff-lcs (1.3)
+    docile (1.3.0)
+    json (2.1.0)
+    method_source (0.9.0)
+    pry (0.11.3)
+      coderay (~> 1.1.0)
+      method_source (~> 0.9.0)
+    puppet-lint (2.3.5)
+    rake (10.5.0)
+    rspec (3.7.0)
+      rspec-core (~> 3.7.0)
+      rspec-expectations (~> 3.7.0)
+      rspec-mocks (~> 3.7.0)
+    rspec-collection_matchers (1.1.3)
+      rspec-expectations (>= 2.99.0.beta1)
+    rspec-core (3.7.1)
+      rspec-support (~> 3.7.0)
+    rspec-expectations (3.7.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.7.0)
+    rspec-its (1.2.0)
+      rspec-core (>= 3.0.0)
+      rspec-expectations (>= 3.0.0)
+    rspec-mocks (3.7.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.7.0)
+    rspec-support (3.7.1)
+    simplecov (0.16.1)
+      docile (~> 1.1)
+      json (>= 1.8, < 3)
+      simplecov-html (~> 0.10.0)
+    simplecov-html (0.10.2)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bundler (~> 1.16)
+  pry
+  puppet_auditor!
+  rake (~> 10.0)
+  rspec (~> 3.0)
+  rspec-collection_matchers (~> 1.0)
+  rspec-its (~> 1.0)
+  simplecov (~> 0.16)
+
+BUNDLED WITH
+   1.16.1

data/README.md

@@ -0,0 +1,89 @@
+# PuppetAuditor
+
+PuppetAuditor is a tool to test Puppet manifests against a set of defined rules.
+
+## Installation
+
+Install PuppetAuditor with the gem command:
+
+```
+$ gem install puppet_auditor
+```
+
+## Usage
+
+After the gem is installed, the tool can be used by calling:
+```
+$ puppet_auditor
+```
+
+Use the `--help` to check usage options.
+
+The tool will check your code against the defined rules and display
+messages if it finds any violation.
+
+## Defining rules
+
+PuppetAuditor will attempt to load rules following this hierarchy:
+
+- Rules defined in the host `/etc/puppet_auditor.yaml`
+- Rules defined in the user home `~/.puppet_auditor.yaml`
+- Rules defined in the project `$(pwd)/.puppet_auditor.yaml`
+
+The yaml file with the rules should follow this format:
+
+```yaml
+puppet_auditor_version: '1'
+rules:
+- name: Dangerous file config
+  resource: file
+  attributes:
+    recurse:
+      equals: true
+    ensure:
+      equals: present
+  message: Dont use recurse or ambiguous ensure
+- name: Cant use latest
+  resource: package
+  attributes:
+    ensure:
+      equals: latest
+  message: Do not use latest
+```
+
+The list of rules should declare individual rules with the following keys:
+
+- `name`: a name for the defined rule
+- `resource`: which resource should this rule verify
+- `attributes`: an array of attributes that should be verified in this resource
+- `message`: text that will appear if the rule is violated
+
+The `attributes` value should follow this structre:
+
+```yaml
+attribute:
+  comparison: value
+```
+
+Where the `attribute` is a valid attribute for the valuated resource like "ensure" or "command", 
+`comparison` is one of the comparison function availables like "equals" or "matches" and the
+`value` is the value that will be compared using the comparison function. 
+
+The following comparison functions are available:
+
+- matches (regex)
+- not_matches (regex)
+- equals
+- not_equal
+- less_than
+- less_or_equal_to
+- greater_than
+- greater_or_equal_to
+
+For some samples check out the `spec/samples` folder.
+
+## How it works
+
+The tool will parse rules defined in the `.puppet_auditor.yaml` files and if all rules are
+valid it will dynamically generate [puppet-lint](https://github.com/rodjek/puppet-lint) plugins
+and run them to check your code.

data/Rakefile

@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/bin/puppet_auditor

@@ -0,0 +1,7 @@
+#!/usr/bin/env ruby
+
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+
+require 'puppet_auditor'
+
+exit PuppetAuditor::Cli.new(ARGV).run!

data/lib/puppet_auditor/cli.rb

@@ -0,0 +1,48 @@
+module PuppetAuditor
+  class Cli
+    def initialize(args)
+      @checks = []
+      OptionParser.new do |opts|
+        opts.banner = "Usage: puppet_auditor [options]"
+
+        host_default = true
+        user_default = true
+        project_default = true
+        specific_yaml_rules = nil
+      
+        opts.on("--with-rules FILE", "Supply more rules from a specific yaml file") do |file|
+          specific_yaml_rules = file
+        end
+
+        opts.on("--no-host-defaults", "Do not atempt to load yaml rules from /etc/puppet_auditor.yaml") do
+          host_default = false
+        end
+
+        opts.on("--no-user-defaults", "Do not atempt to load yaml rules from ~/.puppet_auditor.yaml") do
+          user_default = false
+        end
+
+        opts.on("--no-project-defaults", "Do not atempt to load yaml rules from .puppet_auditor.yaml") do
+          project_default = false
+        end
+
+        load_checks('/etc/puppet_auditor.yaml') if host_default
+        load_checks('~/.puppet_auditor.yaml')   if user_default && ENV.key?('HOME')
+        load_checks('.puppet_auditor.yaml')     if project_default
+        load_checks(specific_yaml_rules)        if specific_yaml_rules
+      end.parse!
+    end
+
+    def load_checks(filepath)
+      File.open(filepath) { |file| @checks << Loader.new(file).generate_checks } if File.readable?(filepath)
+    rescue PuppetAuditor::Error => err
+      puts "There was an error parsing rules from #{filepath}"
+      puts err.message
+      exit 1
+    end
+
+    def run!
+      PuppetLint::Bin.new([File.expand_path('.'), "--only-checks=#{@checks.join(',')}"]).run
+    end
+  end
+end

data/lib/puppet_auditor/error.rb

@@ -0,0 +1,4 @@
+module PuppetAuditor
+  class Error < StandardError
+  end
+end

data/lib/puppet_auditor/lint_plugin.rb

@@ -0,0 +1,87 @@
+module PuppetAuditor
+  class LintPlugin < PuppetLint::CheckPlugin
+
+    COMPARISONS = {
+      'matches'             => ->(expected, token) { token =~ expected },
+      'not_matches'         => ->(expected, token) { (token =~ expected).nil? },
+      'equals'              => ->(expected, token) { token == expected },
+      'not_equal'           => ->(expected, token) { token != expected },
+      'less_than'           => ->(expected, token) { token < expected },
+      'less_or_equal_to'    => ->(expected, token) { token <= expected },
+      'greater_than'        => ->(expected, token) { token > expected },
+      'greater_or_equal_to' => ->(expected, token) { token >= expected },
+    }
+
+    def initialize
+      super
+      @resource   = self.class::RESOURCE
+      @attributes = self.class::ATTRIBUTES
+      @message    = self.class::MESSAGE
+    end
+
+    def check
+      resource_indexes.each { |resource| resource_block(resource) if resource[:type].value == @resource }
+    end
+
+    private
+
+    def resource_block(resource)
+      @attributes.each do |attribute_name, comparison_rules|
+        attribute = resource[:tokens].find { |t| t.type == :NAME && t.value == attribute_name && t.next_code_token.type == :FARROW }
+        attribute_block(resource, attribute, comparison_rules) if attribute
+      end
+    end
+
+    def attribute_block(resource, attribute, comparison_rules)
+      token = attribute.next_code_token.next_code_token
+      comparison_rules.each do |rule, value|
+        expected, token_value = cast_expected(rule, value), cast_token(token)
+        violation(resource, token) if COMPARISONS[rule].call(expected, token_value)
+      end
+    end
+
+    def cast_expected(rule, expected)
+      case rule
+      when 'matches', 'not_matches'
+        Regexp.new(expected)
+      else
+        expected
+      end
+    end
+
+    def cast_token(token)
+      case token.type
+      when :NUMBER
+        token.value.to_i
+      when :TRUE
+        true
+      when :FALSE
+        false
+      when :DQPRE # String with variables
+        full_str = token.value
+        next_token = token
+        while next_token.type != :DQPOST
+          next_token = next_token.next_code_token
+          if next_token.type == :VARIABLE
+            full_str += "${#{next_token.value}}"
+          else
+            full_str += next_token.value
+          end
+        end
+        full_str
+      else
+        token.value
+      end
+    end
+
+    def violation(resource, token)
+      notify :error, {
+        message:  @message, 
+        line:     token.line, 
+        column:   token.column, 
+        token:    token, 
+        resource: resource
+      }
+    end
+  end
+end

data/lib/puppet_auditor/loader.rb

@@ -0,0 +1,46 @@
+module PuppetAuditor
+  class Loader
+
+    REQUIRED_KEYS     = ['resource', 'attributes', 'message']
+    VALID_COMPARISONS = LintPlugin::COMPARISONS.keys()
+
+    MUST_HAVE_RULES     = "The rules yaml must have a rules key"
+    MUST_HAVE_NAME      = "All rules must have the 'name' key"
+    RULE_WITHOUT_KEY    = ->(name, key) { "Rule '#{name}' must have the '#{key}' key" }
+    INVALID_COMPARISON  = ->(name, key) { "Rule '#{name}' have an invalid comparison: '#{key}'" }
+
+
+    def initialize(yaml_str, validate=true)
+      @spec = YAML.load(yaml_str)
+      validate! if validate
+    end
+
+    def validate!
+      raise Error.new(MUST_HAVE_RULES) unless @spec.include?('rules')
+      @spec['rules'].each do |rule|
+        raise Error.new(MUST_HAVE_NAME) unless rule.include?('name')
+        name = rule['name']
+        REQUIRED_KEYS.each { |key| raise Error.new(RULE_WITHOUT_KEY.call(name, key)) unless rule.include?(key) }
+        rule['attributes'].each do |attribute, comparisons|
+          comparisons.keys.each { |key| raise Error.new(INVALID_COMPARISON.call(name, key)) unless VALID_COMPARISONS.include?(key) }
+        end
+      end
+    end
+
+    def generate_checks
+      @spec['rules'].map do |rule|
+        rule_name = rule['name'].downcase.gsub(/[^a-z0-9\-_]+/i, '_')
+        rule_sym = rule_name.to_sym
+        class_name = rule_sym.to_s.split('_').map(&:capitalize).join
+        klass = PuppetLint.const_set("Check#{class_name}", Class.new(PuppetAuditor::LintPlugin))
+        klass.const_set('NAME', rule_sym)
+        klass.const_set('RESOURCE', rule['resource'])
+        klass.const_set('ATTRIBUTES', rule['attributes'])
+        klass.const_set('MESSAGE', rule['message'])
+        PuppetLint.configuration.add_check(rule_sym, klass)
+        PuppetLint::Data.ignore_overrides[rule_sym] ||= {}
+        rule_name
+      end
+    end
+  end
+end

data/lib/puppet_auditor/version.rb

@@ -0,0 +1,3 @@
+module PuppetAuditor
+  VERSION = "0.1.0"
+end

data/lib/puppet_auditor.rb

@@ -0,0 +1,7 @@
+require "yaml"
+require "optparse"
+require "puppet-lint"
+require "puppet_auditor/error"
+require "puppet_auditor/lint_plugin"
+require "puppet_auditor/loader"
+require "puppet_auditor/cli"

data/puppet_auditor.gemspec

@@ -0,0 +1,36 @@
+
+lib = File.expand_path("../lib", __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "puppet_auditor/version"
+
+Gem::Specification.new do |spec|
+  spec.name          = "puppet_auditor"
+  spec.version       = PuppetAuditor::VERSION
+  spec.authors       = ["Oscar Esgalha"]
+  spec.email         = ["oscar@instruct.com.br"]
+  spec.licenses      = ['MIT']
+
+  spec.summary       = %q{A tool to audit puppet manifests against a set of defined rules}
+  # spec.description   = %q{TODO: Write a longer description or delete this line.}
+  spec.homepage      = "https://github.com/instruct-br/puppet_auditor"
+
+  # `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^((test|spec|features)/|\..*|Jenkinsfile)}) }
+  spec.files          = [
+    "Gemfile", "Gemfile.lock", "README.md", "Rakefile", "bin/puppet_auditor",
+    "lib/puppet_auditor.rb", "lib/puppet_auditor/cli.rb", "lib/puppet_auditor/error.rb",
+    "lib/puppet_auditor/lint_plugin.rb", "lib/puppet_auditor/loader.rb", "lib/puppet_auditor/version.rb",
+    "puppet_auditor.gemspec"
+  ]
+  spec.bindir         = "bin"
+  spec.executables    = ["puppet_auditor"]
+  spec.require_paths  = ["lib"]
+
+  spec.add_dependency 'puppet-lint', '>= 1.1', '< 3.0'
+
+  spec.add_development_dependency "bundler", "~> 1.16"
+  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "rspec", "~> 3.0"
+  spec.add_development_dependency 'rspec-its', '~> 1.0'
+  spec.add_development_dependency 'rspec-collection_matchers', '~> 1.0'
+  spec.add_development_dependency "simplecov", "~> 0.16"
+end

metadata

@@ -0,0 +1,161 @@
+--- !ruby/object:Gem::Specification
+name: puppet_auditor
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Oscar Esgalha
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2018-04-26 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: puppet-lint
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.1'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.1'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.16'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.16'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: rspec-its
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: rspec-collection_matchers
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.16'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.16'
+description: 
+email:
+- oscar@instruct.com.br
+executables:
+- puppet_auditor
+extensions: []
+extra_rdoc_files: []
+files:
+- Gemfile
+- Gemfile.lock
+- README.md
+- Rakefile
+- bin/puppet_auditor
+- lib/puppet_auditor.rb
+- lib/puppet_auditor/cli.rb
+- lib/puppet_auditor/error.rb
+- lib/puppet_auditor/lint_plugin.rb
+- lib/puppet_auditor/loader.rb
+- lib/puppet_auditor/version.rb
+- puppet_auditor.gemspec
+homepage: https://github.com/instruct-br/puppet_auditor
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.7.6
+signing_key: 
+specification_version: 4
+summary: A tool to audit puppet manifests against a set of defined rules
+test_files: []