smart_proxy_openscap 0.4.1 → 0.5.0

data/lib/smart_proxy_openscap/openscap_content_parser.rb

@@ -0,0 +1,56 @@
+require 'openscap/ds/sds'
+require 'openscap/source'
+require 'openscap/xccdf/benchmark'
+
+module Proxy::OpenSCAP
+  class ContentParser
+    def initialize(scap_content)
+      OpenSCAP.oscap_init
+      @source = OpenSCAP::Source.new(:content => scap_content)
+    end
+
+    def extract_policies
+      policies = {}
+      bench = benchmark_profiles
+      bench.profiles.each do |key, profile|
+        policies[key] = profile.title
+      end
+      bench.destroy
+      policies.to_json
+    end
+
+    def validate
+      errors = []
+      allowed_type = 'SCAP Source Datastream'
+      if @source.type != allowed_type
+        errors << "Uploaded file is not #{allowed_type}"
+      end
+
+      begin
+        @source.validate!
+      rescue OpenSCAP::OpenSCAPError
+        errors << "Invalid SCAP file type"
+      end
+      {:errors => errors}.to_json
+    end
+
+    def guide(policy)
+      sds = OpenSCAP::DS::Sds.new @source
+      sds.select_checklist
+      profile_id = policy ? nil : policy
+      html = sds.html_guide profile_id
+      sds.destroy
+      {:html => html.force_encoding('UTF-8')}.to_json
+    end
+
+    private
+
+    def benchmark_profiles
+      sds          = ::OpenSCAP::DS::Sds.new(@source)
+      bench_source = sds.select_checklist!
+      benchmark = ::OpenSCAP::Xccdf::Benchmark.new(bench_source)
+      sds.destroy
+      benchmark
+    end
+  end
+end

data/lib/smart_proxy_openscap/openscap_exception.rb

@@ -1,20 +1,7 @@
 module Proxy::OpenSCAP
-  class OpenSCAPException < Exception
-    attr_accessor :response
-    attr_accessor :message
-    def initialize(response = nil)
-      @response = response
-      @message = response.message if response
-    end
-
-    def http_code
-      @response.code || 500
-    end
-
-    def http_body
-      @response.body if @response
-    end
-  end
-
+  class OpenSCAPException < StandardError; end
+  class StoreReportError < StandardError; end
+  class StoreSpoolError < StandardError; end
+  class StoreFailedError < StandardError; end
   class FileNotFound < StandardError; end
 end

data/lib/smart_proxy_openscap/openscap_lib.rb

@@ -10,32 +10,21 @@
 
 require 'digest'
 require 'fileutils'
+require 'pathname'
 require 'json'
 require 'proxy/error'
 require 'proxy/request'
+require 'smart_proxy_openscap/fetch_scap_content'
+require 'smart_proxy_openscap/foreman_forwarder'
+require 'smart_proxy_openscap/openscap_content_parser'
 require 'smart_proxy_openscap/openscap_exception'
+require 'smart_proxy_openscap/openscap_report_parser'
+require 'smart_proxy_openscap/spool_forwarder'
+require 'smart_proxy_openscap/storage_fs'
 
 module Proxy::OpenSCAP
   extend ::Proxy::Log
 
-  def self.get_policy_content(policy_id)
-    policy_store_dir = File.join(Proxy::OpenSCAP::Plugin.settings.contentdir, policy_id.to_s)
-    policy_scap_file = File.join(policy_store_dir, "#{policy_id}_scap_content.xml")
-    begin
-      FileUtils.mkdir_p(policy_store_dir) # will fail silently if exists
-    rescue Errno::EACCES => e
-      logger.error "No permission to create directory #{policy_store_dir}"
-      raise e
-    rescue StandardError => e
-      logger.error "Could not create '#{policy_store_dir}' directory: #{e.message}"
-      raise e
-    end
-
-    scap_file = policy_content_file(policy_scap_file)
-    scap_file ||= save_or_serve_scap_file(policy_id, policy_scap_file)
-    scap_file
-  end
-
   def self.common_name(request)
     client_cert = request.env['SSL_CLIENT_CERT']
     raise Proxy::Error::Unauthorized, "Client certificate required!" if client_cert.to_s.empty?
@@ -48,162 +37,17 @@ module Proxy::OpenSCAP
     cn = client_cert.subject.to_a.detect { |name, value| name == 'CN' }
     cn = cn[1] unless cn.nil?
     raise Proxy::Error::Unauthorized, "Common Name not found in the certificate" unless cn
-    return cn
-  end
-
-  def self.spool_arf_dir(common_name, policy_id)
-    validate_policy_id(policy_id)
-    date = Time.now.strftime("%Y-%m-%d")
-    dir = Proxy::OpenSCAP::Plugin.settings.spooldir + "/arf/#{common_name}/#{policy_id}/#{date}/"
-    begin
-      FileUtils.mkdir_p dir
-    rescue StandardError => e
-      logger.error "Could not create '#{dir}' directory: #{e.message}"
-      raise e
-    end
-    dir
-  end
-
-  def self.store_arf(spool_arf_dir, data)
-    filename = Digest::SHA256.hexdigest data
-    target_path = spool_arf_dir + filename
-    File.open(target_path,'w') { |f| f.write(data) }
-    return target_path
+    cn
   end
 
   def self.send_spool_to_foreman
     arf_dir = File.join(Proxy::OpenSCAP::Plugin.settings.spooldir, "/arf")
-    return unless File.exists? arf_dir
-    ForemanForwarder.new.do(arf_dir)
-  end
-
-  private
-  def self.validate_policy_id(id)
-    unless /[\d]+/ =~ id
-      raise Proxy::Error::BadRequest, "Malformed policy ID"
-    end
-  end
-
-  def self.fetch_scap_content_xml(policy_id, policy_scap_file)
-    foreman_request = Proxy::HttpRequest::ForemanRequest.new
-    policy_content_path = "/api/v2/compliance/policies/#{policy_id}/content"
-    req = foreman_request.request_factory.create_get(policy_content_path)
-    response = foreman_request.send_request(req)
-    unless response.is_a? Net::HTTPSuccess
-      raise OpenSCAPException.new(response)
-    end
-    response.body
-  end
-
-
-  def self.policy_content_file(policy_scap_file)
-    return nil if !File.file?(policy_scap_file) || File.zero?(policy_scap_file)
-    File.open(policy_scap_file, 'rb').read
+    return unless File.exist? arf_dir
+    SpoolForwarder.new.post_arf_from_spool(arf_dir)
   end
 
-  def self.save_or_serve_scap_file(policy_id, policy_scap_file)
-    lock = Proxy::FileLock::try_locking(policy_scap_file)
-    response = fetch_scap_content_xml(policy_id, policy_scap_file)
-    if lock.nil?
-      return response
-    else
-      begin
-        File.open(policy_scap_file, 'wb') do |file|
-          file << response
-        end
-      ensure
-        Proxy::FileLock::unlock(lock)
-      end
-      scap_file = policy_content_file(policy_scap_file)
-      raise FileNotFound if scap_file.nil?
-      return scap_file
-    end
-  end
-
-  class ForemanForwarder < Proxy::HttpRequest::ForemanRequest
-    def do(arf_dir)
-      Dir.foreach(arf_dir) { |cname|
-        cname_dir = File.join(arf_dir, cname)
-        if File.directory? cname_dir and !(cname == '.' || cname == '..')
-          forward_cname_dir(cname, cname_dir)
-        end
-      }
-    end
-
-    private
-    def forward_cname_dir(cname, cname_dir)
-      Dir.foreach(cname_dir) { |policy_id|
-        policy_dir = File.join(cname_dir, policy_id)
-        if File.directory? policy_dir and !(policy_id == '.' || policy_id == '..')
-          forward_policy_dir(cname, policy_id, policy_dir)
-        end
-      }
-      remove(cname_dir)
-    end
-
-    def forward_policy_dir(cname, policy_id, policy_dir)
-      Dir.foreach(policy_dir) { |date|
-        date_dir = File.join(policy_dir, date)
-        if File.directory? date_dir and !(date == '.' || date == '..')
-          forward_date_dir(cname, policy_id, date, date_dir)
-        end
-      }
-      remove(policy_dir)
-    end
-
-    def forward_date_dir(cname, policy_id, date, date_dir)
-      path = upload_path(cname, policy_id, date)
-      Dir.foreach(date_dir) { |arf|
-        arf_path = File.join(date_dir, arf)
-        if File.file? arf_path and !(arf == '.' || arf == '..')
-          logger.debug("Uploading #{arf} to #{path}")
-          forward_arf_file(path, arf_path)
-        end
-      }
-      remove(date_dir)
-    end
-
-    def upload_path(cname, policy_id, date)
-      return "/api/v2/compliance/arf_reports/#{cname}/#{policy_id}/#{date}"
-    end
-
-    def forward_arf_file(foreman_api_path, arf_file_path)
-      begin
-        data = File.read(arf_file_path)
-        response = send_request(foreman_api_path, data)
-        # Raise an HTTP error if the response is not 2xx (success).
-        response.value
-        res = JSON.parse(response.body)
-        raise StandardError, "Received result: #{res['result']}" unless res['result'] == 'OK'
-        File.delete arf_file_path
-      rescue StandardError => e
-        logger.debug response.body if response
-        raise e
-      end
-    end
-
-    def remove(dir)
-      begin
-        Dir.delete dir
-      rescue StandardError => e
-        logger.error "Could not remove directory: #{e.message}"
-      end
-    end
-
-    def send_request(path, body)
-      # Override the parent method to set the right headers
-      path = [uri.path, path].join('/') unless uri.path.empty?
-      req = Net::HTTP::Post.new(URI.join(uri.to_s, path).path)
-      # Well, this is unfortunate. We want to have content-type text/xml. We
-      # also need the content-encoding to equal with x-bzip2. However, when
-      # the Foreman's framework sees text/xml, it will rewrite it to application/xml.
-      # What's worse, a framework will try to parse body as an utf8 string,
-      # no matter what content-encoding says. Oh my.
-      # Let's pass content-type arf-bzip2 and move forward.
-      req.content_type = 'application/arf-bzip2'
-      req['Content-Encoding'] = 'x-bzip2'
-      req.body = body
-      http.request(req)
-    end
+  def self.fullpath(path = Proxy::OpenSCAP::Plugin.settings.contentdir)
+    pathname = Pathname.new(path)
+    pathname.relative? ? pathname.expand_path(Sinatra::Base.root).to_s : path
   end
 end

data/lib/smart_proxy_openscap/openscap_plugin.rb

@@ -19,6 +19,8 @@ module Proxy::OpenSCAP
 
     default_settings :spooldir => '/var/spool/foreman-proxy/openscap',
                      :openscap_send_log_file => 'logs/openscap-send.log',
-                     :contentdir => 'openscap/content'
+                     :contentdir => 'openscap/content',
+                     :reportsdir => 'openscap/reports',
+                     :failed_dir => 'openscap/failed'
   end
 end

data/lib/smart_proxy_openscap/openscap_report_parser.rb

@@ -0,0 +1,93 @@
+# encoding=utf-8
+require 'openscap'
+require 'openscap/ds/arf'
+require 'openscap/xccdf/testresult'
+require 'openscap/xccdf/ruleresult'
+require 'openscap/xccdf/rule'
+require 'openscap/xccdf/fix'
+require 'openscap/xccdf/benchmark'
+require 'json'
+module Proxy::OpenSCAP
+  class Parse
+    def initialize(arf_data)
+      OpenSCAP.oscap_init
+      size         = arf_data.size
+      @arf_digest  = Digest::SHA256.hexdigest(arf_data)
+      @arf         = OpenSCAP::DS::Arf.new(:content => arf_data, :path => 'arf.xml.bz2', :length => size)
+      @results     = @arf.test_result.rr
+      sds          = @arf.report_request
+      bench_source = sds.select_checklist!
+      @bench       = OpenSCAP::Xccdf::Benchmark.new(bench_source)
+      @items       = @bench.items
+    end
+
+    def as_json
+      parse_report.to_json
+    end
+
+    private
+
+    def parse_report
+      report        = {}
+      report[:logs] = []
+      passed        = 0
+      failed        = 0
+      othered         = 0
+      @results.each do |rr_id, result|
+        next if result.result == 'notapplicable' || result.result == 'notselected'
+        # get rules and their results
+        rule_data = @items[rr_id]
+        report[:logs] << populate_result_data(rr_id, result.result, rule_data)
+        # create metrics for the results
+        case result.result
+          when 'pass', 'fixed'
+            passed += 1
+          when 'fail'
+            failed += 1
+          else
+            othered += 1
+        end
+      end
+      report[:digest]  = @arf_digest
+      report[:metrics] = { :passed => passed, :failed => failed, :othered => othered }
+      report
+    end
+
+    def populate_result_data(result_id, rule_result, rule_data)
+      log               = {}
+      log[:source]      = ascii8bit_to_utf8(result_id)
+      log[:result]      = ascii8bit_to_utf8(rule_result)
+      log[:title]       = ascii8bit_to_utf8(rule_data.title)
+      log[:description] = ascii8bit_to_utf8(rule_data.description)
+      log[:rationale]   = ascii8bit_to_utf8(rule_data.rationale)
+      log[:references]  = hash_a8b(rule_data.references.map(&:to_hash))
+      log[:fixes]       = hash_a8b(rule_data.fixes.map(&:to_hash))
+      log[:severity]    = ascii8bit_to_utf8(rule_data.severity)
+      log
+    end
+
+    # Unfortunately openscap in ruby 1.9.3 outputs data in Ascii-8bit.
+    # We transform it to UTF-8 for easier json integration.
+
+    # :invalid ::
+    #   If the value is invalid, #encode replaces invalid byte sequences in
+    #   +str+ with the replacement character.  The default is to raise the
+    #   Encoding::InvalidByteSequenceError exception
+    # :undef ::
+    #   If the value is undefined, #encode replaces characters which are
+    #   undefined in the destination encoding with the replacement character.
+    #   The default is to raise the Encoding::UndefinedConversionError.
+    # :replace ::
+    #   Sets the replacement string to the given value. The default replacement
+    #   string is "\uFFFD" for Unicode encoding forms, and "?" otherwise.
+    def ascii8bit_to_utf8(string)
+      string.to_s.encode('utf-8', :invalid => :replace, :undef => :replace, :replace => '_')
+    end
+
+    def hash_a8b(ary)
+      ary.map do |hash|
+        Hash[hash.map { |key, value| [ascii8bit_to_utf8(key), ascii8bit_to_utf8(value)] }]
+      end
+    end
+  end
+end

data/lib/smart_proxy_openscap/openscap_version.rb

@@ -10,6 +10,6 @@
 
 module Proxy
   module OpenSCAP
-    VERSION = '0.4.1'
+    VERSION = '0.5.0'
   end
 end

data/lib/smart_proxy_openscap/spool_forwarder.rb

@@ -0,0 +1,64 @@
+module Proxy::OpenSCAP
+  class SpoolForwarder
+    include ::Proxy::Log
+
+    def post_arf_from_spool(arf_dir)
+      Dir.foreach(arf_dir) do |cname|
+        next if cname == '.' || cname == '..'
+        cname_dir = File.join(arf_dir, cname)
+        forward_cname_dir(cname, cname_dir) if File.directory?(cname_dir)
+      end
+    end
+
+    private
+
+    def forward_cname_dir(cname, cname_dir)
+      Dir.foreach(cname_dir) do |policy_id|
+        next if policy_id == '.' || policy_id == '..'
+        policy_dir = File.join(cname_dir, policy_id)
+        if File.directory?(policy_dir)
+          forward_policy_dir(cname, policy_id, policy_dir)
+        end
+      end
+      remove(cname_dir)
+    end
+
+    def forward_policy_dir(cname, policy_id, policy_dir)
+      Dir.foreach(policy_dir) do |date|
+        next if date == '.' || date == '..'
+        date_dir = File.join(policy_dir, date)
+        if File.directory?(date_dir)
+          forward_date_dir(cname, policy_id, date, date_dir)
+        end
+      end
+      remove(policy_dir)
+    end
+
+    def forward_date_dir(cname, policy_id, date, date_dir)
+      Dir.foreach(date_dir) do |arf|
+        next if arf == '.' || arf == '..'
+        arf_path = File.join(date_dir, arf)
+        if File.file?(arf_path)
+          logger.debug("Uploading #{arf} to Foreman")
+          forward_arf_file(cname, policy_id, date, arf_path)
+        end
+      end
+      remove(date_dir)
+    end
+
+    def forward_arf_file(cname, policy_id, date, arf_file_path)
+      data = File.open(arf_file_path, 'rb') { |io| io.read }
+      post_to_foreman = ForemanForwarder.new.post_arf_report(cname, policy_id, date, data)
+      Proxy::OpenSCAP::StorageFS.new(Proxy::OpenSCAP::Plugin.settings.reportsdir, cname, post_to_foreman['id'], date).store_archive(data)
+      File.delete arf_file_path
+    end
+
+    def remove(dir)
+      begin
+        Dir.delete dir
+      rescue StandardError => e
+        logger.error "Could not remove directory: #{e.message}"
+      end
+    end
+  end
+end