simp-beaker-helpers 1.18.8

data/lib/simp/beaker_helpers/ssg.rb

@@ -0,0 +1,383 @@
+module Simp::BeakerHelpers
+  require 'simp/beaker_helpers/constants'
+
+  # Helpers for working with the SCAP Security Guide
+  class SSG
+
+    if ENV['BEAKER_ssg_repo']
+      GIT_REPO = ENV['BEAKER_ssg_repo']
+    else
+      fail('You are offline: Set BEAKER_ssg_repo to point to the git repo that hosts the SSG content') unless ONLINE
+
+      GIT_REPO = 'https://github.com/ComplianceAsCode/content.git'
+    end
+
+    # If this is not set, the closest tag to the default branch will be used
+    GIT_BRANCH = nil
+
+    if ENV['BEAKER_ssg_branch']
+      GIT_BRANCH = ENV['BEAKER_ssg_branch']
+    end
+
+    EL_PACKAGES = [
+      'PyYAML',
+      'cmake',
+      'git',
+      'openscap-python',
+      'openscap-utils',
+      'python-lxml',
+      'python-jinja2'
+    ]
+
+    EL8_PACKAGES = [
+      'python3',
+      'python3-pyyaml',
+      'cmake',
+      'git',
+      'openscap-python3',
+      'openscap-utils',
+      'python3-lxml',
+      'python3-jinja2'
+    ]
+
+    OS_INFO = {
+      'RedHat' => {
+        '6' => {
+          'required_packages' => EL_PACKAGES,
+          'ssg' => {
+            'profile_target' => 'rhel6',
+            'build_target'   => 'rhel6',
+            'datastream'     => 'ssg-rhel6-ds.xml'
+          }
+        },
+        '7' => {
+          'required_packages' => EL_PACKAGES,
+          'ssg' => {
+            'profile_target' => 'rhel7',
+            'build_target'   => 'rhel7',
+            'datastream'     => 'ssg-rhel7-ds.xml'
+          }
+        },
+        '8' => {
+          'required_packages' => EL8_PACKAGES,
+          'ssg' => {
+            'profile_target' => 'rhel8',
+            'build_target'   => 'rhel8',
+            'datastream'     => 'ssg-rhel8-ds.xml'
+          }
+        }
+      },
+      'CentOS' => {
+        '6' => {
+          'required_packages' => EL_PACKAGES,
+          'ssg' => {
+            'profile_target' => 'rhel6',
+            'build_target'   => 'centos6',
+            'datastream'     => 'ssg-centos6-ds.xml'
+          }
+        },
+        '7' => {
+          'required_packages' => EL_PACKAGES,
+          'ssg' => {
+            'profile_target' => 'rhel7',
+            'build_target'   => 'centos7',
+            'datastream'     => 'ssg-centos7-ds.xml'
+          }
+        },
+        '8' => {
+          'required_packages' => EL8_PACKAGES,
+          'ssg' => {
+            'profile_target' => 'rhel8',
+            'build_target'   => 'centos8',
+            'datastream'     => 'ssg-centos8-ds.xml'
+          }
+        }
+      },
+      'OracleLinux' => {
+        '7' => {
+          'required_packages' => EL_PACKAGES,
+          'ssg' => {
+            'profile_target' => 'ol7',
+            'build_target'   => 'ol7',
+            'datastream'     => 'ssg-ol7-ds.xml'
+          },
+        '8' => {
+          'required_packages' => EL8_PACKAGES,
+          'ssg' => {
+            'profile_target' => 'ol8',
+            'build_target'   => 'ol8',
+            'datastream'     => 'ssg-ol8-ds.xml'
+          }
+        }
+        }
+      }
+    }
+
+    attr_accessor :scap_working_dir
+
+    # Create a new SSG helper for the specified host
+    #
+    # @param sut
+    #   The SUT against which to run
+    #
+    def initialize(sut)
+      @sut = sut
+
+      @os = fact_on(@sut, 'operatingsystem')
+      @os_rel = fact_on(@sut, 'operatingsystemmajrelease')
+
+      sut.mkdir_p('scap_working_dir')
+
+      @scap_working_dir = on(sut, 'cd scap_working_dir && pwd').stdout.strip
+
+      unless OS_INFO[@os]
+        fail("Error: The '#{@os}' Operating System is not supported")
+      end
+
+      OS_INFO[@os][@os_rel]['required_packages'].each do |pkg|
+        @sut.install_package(pkg)
+      end
+
+      @output_dir = File.absolute_path('sec_results/ssg')
+
+      unless File.directory?(@output_dir)
+        FileUtils.mkdir_p(@output_dir)
+      end
+
+      @result_file = "#{@sut.hostname}-ssg-#{Time.now.to_i}"
+
+
+      get_ssg_datastream
+    end
+
+    def profile_target
+      OS_INFO[@os][@os_rel]['ssg']['profile_target']
+    end
+
+    def remediate(profile)
+      evaluate(profile, true)
+    end
+
+    def evaluate(profile, remediate=false)
+      cmd = "cd #{@scap_working_dir}; oscap xccdf eval"
+
+      if remediate
+        cmd += ' --remediate'
+      end
+
+      cmd += %( --fetch-remote-resources --profile #{profile} --results #{@result_file}.xml --report #{@result_file}.html #{OS_INFO[@os][@os_rel]['ssg']['datastream']})
+
+      # We accept all exit codes here because there have occasionally been
+      # failures in the SSG content and we're not testing that.
+
+      on(@sut, cmd, :accept_all_exit_codes => true)
+
+      ['xml', 'html'].each do |ext|
+        path = "#{@scap_working_dir}/#{@result_file}.#{ext}"
+        scp_from(@sut, path, @output_dir)
+
+        fail("Could not retrieve #{path} from #{@sut}") unless File.exist?(File.join(@output_dir, "#{@result_file}.#{ext}"))
+      end
+    end
+
+    # Output the report
+    #
+    # @param report
+    #   The results Hash
+    #
+    def write_report(report)
+      File.open(File.join(@output_dir, @result_file) + '.report', 'w') do |fh|
+        fh.puts(report[:report].uncolor)
+      end
+    end
+
+    # Retrieve a subset of test results based on a match to filter
+    #
+    # @param filter [String, Array[String]]
+    #   A 'short name' filter that will be matched against the rule ID name
+    #
+    # @param exclusions [String, Array[String]]
+    #   A 'short name' filter of items that will be removed from the `filter`
+    #   matches
+    #
+    # @return [Hash] A Hash of statistics and a formatted report
+    #
+    # FIXME:
+    # - This is a hack! Should be searching for rules based on a set
+    #   set of STIG ids, but don't see those ids in the oscap results xml.
+    #   Further mapping is required...
+    # - Create the same report structure as inspec
+    def process_ssg_results(filter=nil, exclusions=nil)
+      self.class.process_ssg_results(
+        File.join(@output_dir, @result_file) + '.xml',
+        filter,
+        exclusions
+      )
+    end
+
+    # Process the results of an SSG run
+    #
+    # @param result_file [String]
+    #   The oscap result XML file to process
+    #
+    # @param filter [String, Array[String]]
+    #   A 'short name' filter that will be matched against the rule ID name
+    #
+    # @param exclusions [String, Array[String]]
+    #   A 'short name' filter of items that will be removed from the `filter`
+    #   matches
+    #
+    # @return [Hash] A Hash of statistics and a formatted report
+    #
+    def self.process_ssg_results(result_file, filter=nil, exclusions=nil)
+      require 'highline'
+      require 'nokogiri'
+
+      HighLine.colorize_strings
+
+      fail("Could not find results XML file '#{result_file}'") unless File.exist?(result_file)
+
+      puts "Processing #{result_file}"
+      doc = Nokogiri::XML(File.open(result_file))
+
+      # because I'm lazy
+      doc.remove_namespaces!
+
+      if filter
+        filter = Array(filter)
+
+        xpath_query = [
+          '//rule-result[(',
+        ]
+
+        xpath_query << filter.map do |flt|
+          "contains(@idref,'#{flt}')"
+        end.join(' or ')
+
+        xpath_query << ')' if filter.size > 1
+
+        if exclusions
+          exclusions = Array(exclusions)
+
+          xpath_query << 'and not('
+
+          xpath_query << exclusions.map do |exl|
+            "contains(@idref,'#{exl}')"
+          end.join(' or ')
+
+          xpath_query << ')' if exclusions.size > 1
+        end
+
+        xpath_query << ')]'
+
+        xpath_query = xpath_query.join(' ')
+
+        # XPATH to get the pertinent test results:
+        #   Any node named 'rule-result' for which the attribute 'idref'
+        #   contains any of the `filter` Strings and does not contain any of the
+        #   `exclusions` Strings
+        result_nodes = doc.xpath(xpath_query)
+      else
+        result_nodes = doc.xpath('//rule-result')
+      end
+
+      stats = {
+        :failed  => [],
+        :passed  => [],
+        :skipped => [],
+        :filter  => filter.nil? ? 'No Filter' : filter,
+        :report  => nil,
+        :score   => 0
+      }
+
+      result_nodes.each do |rule_result|
+        # Results are recorded in a child node named 'result'.
+        # Within the 'result' node, the actual result string is
+        # the content of that node's (only) child node.
+
+        result = rule_result.element_children.at('result')
+        result_id = rule_result.attributes['idref'].value.to_s
+        result_value = [
+          'Title: ' + doc.xpath("//Rule[@id='#{result_id}']/title/text()").first.to_s,
+          '  ID: ' + result_id
+        ].join("\n")
+
+        if result.child.content == 'fail'
+          stats[:failed] << result_value.red
+        elsif result.child.content == 'pass'
+          stats[:passed] << result_value.green
+        else
+          stats[:skipped] << result_value.yellow
+        end
+      end
+
+      report = []
+
+      report << '== Skipped =='
+      report << stats[:skipped].join("\n")
+
+      report << '== Passed =='
+      report << stats[:passed].join("\n")
+
+      report << '== Failed =='
+      report << stats[:failed].join("\n")
+
+
+      report << 'OSCAP Statistics:'
+
+      if filter
+        report << "  * Used Filter: 'idref' ~= '#{stats[:filter]}'"
+      end
+
+      report << "  * Passed: #{stats[:passed].count.to_s.green}"
+      report << "  * Failed: #{stats[:failed].count.to_s.red}"
+      report << "  * Skipped: #{stats[:skipped].count.to_s.yellow}"
+
+      score = 0
+
+      if (stats[:passed].count + stats[:failed].count) > 0
+        score = ((stats[:passed].count.to_f/(stats[:passed].count + stats[:failed].count)) * 100.0).round(0)
+      end
+
+      report << "\n Score: #{score}%"
+
+      stats[:score]  = score
+      stats[:report] = report.join("\n")
+
+      return stats
+    end
+
+    private
+
+    def get_ssg_datastream
+      # Allow users to point at a specific SSG release 'tar.bz2' file
+      ssg_release = ENV['BEAKER_ssg_release']
+
+      # Grab the latest SSG release in fixtures if it exists
+      ssg_release ||= Dir.glob('spec/fixtures/ssg_releases/*.bz2').last
+
+      if ssg_release
+        copy_to(@sut, ssg_release, @scap_working_dir)
+
+        on(@sut, %(mkdir -p scap-content && tar -xj -C scap-content --strip-components 1 -f #{ssg_release} && cp scap-content/*ds.xml #{@scap_working_dir}))
+      else
+        on(@sut, %(git clone #{GIT_REPO} scap-content))
+        if GIT_BRANCH
+          on(@sut, %(cd scap-content; git checkout #{GIT_BRANCH}))
+        else
+          on(@sut, %(cd scap-content; git checkout $(git describe --abbrev=0 --tags)))
+        end
+
+        # Work around the issue where the profiles now strip out derivative
+        # content that isn't explicitlly approved for that OS. This means that
+        # we are unable to test CentOS builds against the STIG, etc...
+        #
+        # This isn't 100% correct but it's "good enough" for an automated CI
+        # environment to tell us if something is critically out of alignment.
+        on(@sut, %(cd scap-content/build-scripts; sed -i 's/ssg.build_derivatives.profile_handling/#ssg.build_derivatives.profile_handling/g' enable_derivatives.py))
+
+        on(@sut, %(cd scap-content/build; cmake ../; make -j4 #{OS_INFO[@os][@os_rel]['ssg']['build_target']}-content && cp *ds.xml #{@scap_working_dir}))
+      end
+    end
+  end
+end

data/lib/simp/beaker_helpers/version.rb

@@ -0,0 +1,5 @@
+module Simp; end
+
+module Simp::BeakerHelpers
+  VERSION = '1.18.8'
+end

data/lib/simp/beaker_helpers/windows.rb

@@ -0,0 +1,16 @@
+module Simp; end
+module Simp::BeakerHelpers; end
+
+module Simp::BeakerHelpers::Windows
+  begin
+    require 'beaker-windows'
+  rescue LoadError
+    logger.error(%{You must include 'beaker-windows' in your Gemfile for windows support})
+    exit 1
+  end
+
+  include BeakerWindows::Path
+  include BeakerWindows::Powershell
+  include BeakerWindows::Registry
+  include BeakerWindows::WindowsFeature
+end

data/lib/simp/rake/beaker.rb

@@ -0,0 +1,269 @@
+require 'rake'
+require 'rake/clean'
+require 'rake/tasklib'
+require 'fileutils'
+require 'puppetlabs_spec_helper/tasks/beaker'
+require 'puppetlabs_spec_helper/tasks/fixtures'
+
+module Simp; end
+module Simp::Rake
+  class Beaker < ::Rake::TaskLib
+    def initialize(base_dir)
+
+      @base_dir   = base_dir
+      @clean_list = []
+
+      ::CLEAN.include( %{#{@base_dir}/log} )
+      ::CLEAN.include( %{#{@base_dir}/junit} )
+      ::CLEAN.include( %{#{@base_dir}/sec_results} )
+      ::CLEAN.include( %{#{@base_dir}/spec/fixtures/inspec_deps} )
+
+      yield self if block_given?
+
+      ::CLEAN.include( @clean_list )
+
+      namespace :beaker do
+        desc <<-EOM
+          Run a Beaker test against a specific Nodeset
+            * :nodeset - The nodeset against which you wish to run
+        EOM
+        task :run, [:nodeset] do |t,args|
+          fail "You must pass :nodeset to #{t}" unless args[:nodeset]
+          nodeset = args[:nodeset].strip
+
+          old_stdout = $stdout
+          nodesets = StringIO.new
+          $stdout = nodesets
+
+          Rake::Task['beaker_nodes'].invoke
+
+          $stdout = old_stdout
+
+          nodesets = nodesets.string.split("\n")
+
+          fail "Nodeset '#{nodeset}' not found. Valid Nodesets:\n#{nodesets.map{|x| x = %(  * #{x})}.join(%(\n))}" unless nodesets.include?(nodeset)
+
+          ENV['BEAKER_set'] = nodeset
+
+          Rake::Task['beaker'].invoke
+        end
+
+        desc <<-EOM
+          Run Beaker test suites.
+            * :suite - A specific suite to run
+              * If you set this to `ALL`, all suites will be run
+
+            * :nodeset - A specific nodeset to run on within a specific suite
+              * If you set this to `ALL`, all nodesets will be looped through, starting with 'default'
+              * You may also set this to a colon delimited list of short
+                nodeset names that will be run in that order
+
+            ## Suite Execution
+
+              By default the only suite that will be executed is `default`.
+              Since each suite is executed in a new environment, spin up can
+              take a lot of time. Therefore, the default is to only run the
+              default suite.
+
+              If there is a suite where the metadata contains `default_run` set
+              to the Boolean `true`, then that suite will be part of the
+              default suite execution.
+
+              You can run all suites by setting the passed suite name to `ALL`
+              (case sensitive).
+
+            ## Environment Variables
+
+              * BEAKER_suite_runall
+                * Run all Suites
+
+              * BEAKER_suite_basedir
+                * The base directory where suites will be defined
+                * Default: spec/acceptance
+
+            ## Global Suite Configuration
+              A file `config.yml` can be placed in the `suites` directory to
+              control certain aspects of the suite run.
+
+            ### Supported Config:
+
+              ```yaml
+              ---
+              # Fail the entire suite at the first failure
+              'fail_fast' : <true|false> => Default: true
+              ```
+            ## Individual Suite Configuration
+
+              Each suite may contain a YAML file, metadata.yml, which will be
+              used to provide information to the suite of tests.
+
+            ### Supported Config:
+
+              ```yaml
+              ---
+              'name' :        '<User friendly name for the suite>'
+
+              # Run this suite by default
+              'default_run' : <true|false> => Default: false
+              ```
+        EOM
+        task :suites, [:suite, :nodeset] => ['spec_prep'] do |t,args|
+          suite = args[:suite]
+          nodeset = args[:nodeset]
+
+          # Record Tasks That Fail
+          # Need to figure out how to capture the errors
+          failures = Hash.new
+
+          suite_basedir = File.join(@base_dir, 'spec/acceptance/suites')
+
+          if ENV['BEAKER_suite_basedir']
+            suite_basedir = ENV['BEAKER_suite_basedir']
+          end
+
+          raise("Error: Suites Directory at '#{suite_basedir}'!") unless File.directory?(suite_basedir)
+
+          if suite && (suite != 'ALL')
+            unless File.directory?(File.join(suite_basedir, suite))
+              STDERR.puts("Error: Could not find suite '#{suite}'")
+              STDERR.puts("Available Suites:")
+              STDERR.puts('  * ' + Dir.glob(
+                File.join(suite_basedir, '*')).sort.map{ |x|
+                  File.basename(x)
+                }.join("\n  * ")
+              )
+              exit(1)
+            end
+          end
+
+          suite_config = {
+            'fail_fast' => true
+          }
+          suite_config_metadata_path = File.join(suite_basedir, 'config.yml')
+          if File.file?(suite_config_metadata_path)
+            suite_config.merge!(YAML.load_file(suite_config_metadata_path))
+          end
+
+          suites = Hash.new
+
+          if suite && (suite != 'ALL')
+            suites[suite] = Hash.new
+            # If a suite was set, make sure it runs.
+            suites[suite]['default_run'] = true
+          else
+            Dir.glob(File.join(suite_basedir,'*')) do |file|
+              if File.directory?(file)
+                suites[File.basename(file)] = Hash.new
+
+                if suite == 'ALL'
+                  suites[File.basename(file)]['default_run'] = true
+                end
+              end
+            end
+          end
+
+          suites.keys.each do |ste|
+            suites[ste]['name']  = ste
+            suites[ste]['path']  = File.join(suite_basedir, ste)
+
+            metadata_path = File.join(suites[ste]['path'], 'metadata.yml')
+            if File.file?(metadata_path)
+              suites[ste]['metadata'] = YAML.load_file(metadata_path)
+            end
+
+            unless File.directory?(File.join(suites[ste]['path'],'nodesets'))
+              Dir.chdir(suites[ste]['path']) do
+                if File.directory?('../../nodesets')
+                  FileUtils.ln_s('../../nodesets', 'nodesets')
+                end
+              end
+            end
+
+            suites[ste].merge!(suites[ste]['metadata']) if suites[ste]['metadata']
+
+            # Ensure that the 'default' suite runs unless explicitly disabled.
+            if suites['default']
+              if ( suites['default']['default_run'].nil? ) || ( suites['default']['default_run'] == true )
+                suites['default']['default_run'] = true
+              end
+            end
+          end
+
+          raise("Error: No Suites Found in '#{suite_basedir}'!") if suites.empty?
+
+          # Need to ensure that 'default' is first
+          ordered_suites = suites.keys.sort
+          default_suite = ordered_suites.delete('default')
+          ordered_suites.unshift(default_suite) if default_suite
+
+          ordered_suites.each do |ste|
+
+            next unless (suites[ste]['default_run'] == true)
+
+            name = suites[ste]['name']
+
+            $stdout.puts("\n\n=== Suite '#{name}' Starting ===\n\n")
+
+            nodesets = Array.new
+            nodeset_path = File.join(suites[ste]['path'],'nodesets')
+
+            if nodeset
+              if nodeset == 'ALL'
+                nodesets = Dir.glob(File.join(nodeset_path, '*.yml'))
+
+                # Make sure we run the default set first
+                default_set = nodesets.delete(File.join(nodeset_path, 'default.yml'))
+                nodesets.unshift(default_set) if default_set
+              else
+                nodeset.split(':').each do |tgt_nodeset|
+                  nodesets << File.join(nodeset_path, "#{tgt_nodeset.strip}.yml")
+                end
+              end
+            else
+              nodesets << File.join(nodeset_path, 'default.yml')
+            end
+
+            nodesets.each do |nodeset_yml|
+              unless File.file?(nodeset_yml)
+                $stdout.puts("=== Suite #{name} Nodeset '#{File.basename(nodeset_yml, '.yml')}' Not Found, Skipping ===")
+                next
+              end
+
+              ENV['BEAKER_setfile'] = nodeset_yml
+
+              Rake::Task[:beaker].clear
+              RSpec::Core::RakeTask.new(:beaker) do |tsk|
+                tsk.rspec_opts = ['--color']
+                tsk.pattern = File.join(suites[ste]['path'])
+              end
+
+              current_suite_task = Rake::Task[:beaker]
+
+              if suite_config['fail_fast'] == true
+                current_suite_task.execute
+              else
+                begin
+                  current_suite_task.execute
+                rescue SystemExit
+                  failures[suites[ste]['name']] = {
+                    'path'    => suites[ste]['path'],
+                    'nodeset' => File.basename(nodeset_yml, '.yml')
+                  }
+                end
+              end
+
+              $stdout.puts("\n\n=== Suite '#{name}' Complete ===\n\n")
+            end
+          end
+
+          unless failures.keys.empty?
+            $stdout.puts("The following tests had failures:")
+            failures.keys.sort.each do |ste|
+              $stdout.puts("  * #{ste} => #{failures[ste]['path']} on #{failures[ste]['nodeset']}")
+            end
+          end
+        end
+      end
+    end
+  end
+end