smart_proxy_openscap 0.7.2

data/lib/smart_proxy_openscap/arf_parser.rb

@@ -0,0 +1,39 @@
+require 'smart_proxy_openscap/shell_wrapper'
+
+module Proxy
+  module OpenSCAP
+    class ArfParser < ShellWrapper
+
+      def initialize(cname, policy_id, date)
+        @cname = cname
+        @policy_id = policy_id
+        @date = date
+        @script_name = 'smart-proxy-arf-json'
+      end
+
+      def as_json(arf_data)
+        execute_shell_command arf_data
+      end
+
+      def in_filename
+        "#{super}-#{@cname}-#{@policy_id}-#{@date}-"
+      end
+
+      def out_filename
+        "#{in_filename}json-"
+      end
+
+      def failure_message
+        "Failure when running script which parses reports"
+      end
+
+      def command(in_file, out_file)
+        "#{script_location} " <<
+        "#{in_file.path} " <<
+        "#{out_file.path} " <<
+        "#{Proxy::OpenSCAP::Plugin.settings.registered_proxy_name} " <<
+        "#{Proxy::OpenSCAP::Plugin.settings.registered_proxy_url}"
+      end
+    end
+  end
+end

data/lib/smart_proxy_openscap/content_parser.rb

@@ -0,0 +1,30 @@
+require 'smart_proxy_openscap/shell_wrapper'
+
+module Proxy::OpenSCAP
+  class ContentParser < ShellWrapper
+    def initialize(type)
+      @type = type
+      @script_name = 'smart-proxy-scap-validation'
+    end
+
+    def validate(scap_file)
+      execute_shell_command scap_file
+    end
+
+    def out_filename
+      "#{in_filename}json-"
+    end
+
+    def in_filename
+      "#{super}-#{@type}-validate-"
+    end
+
+    def failure_message
+      "Failure when running script which validates scap files"
+    end
+
+    def command(in_file, out_file)
+      "#{script_location} #{in_file.path} #{out_file.path} #{@type}"
+    end
+  end
+end

data/lib/smart_proxy_openscap/fetch_file.rb

@@ -0,0 +1,60 @@
+module Proxy::OpenSCAP
+  class FetchFile
+    include ::Proxy::Log
+
+    private
+
+    def create_store_dir(store_dir)
+      logger.info "Creating directory to store SCAP file: #{store_dir}"
+      FileUtils.mkdir_p(store_dir) # will fail silently if exists
+    rescue Errno::EACCES => e
+      logger.error "No permission to create directory #{store_dir}"
+      raise e
+    rescue StandardError => e
+      logger.error "Could not create '#{store_dir}' directory: #{e.message}"
+      raise e
+    end
+
+    def policy_content_file(policy_scap_file)
+      return nil if !File.file?(policy_scap_file) || File.zero?(policy_scap_file)
+      File.open(policy_scap_file, 'rb').read
+    end
+
+    def clean_store_folder(policy_store_dir)
+      FileUtils.rm_f Dir["#{policy_store_dir}/*.xml"]
+    end
+
+    def save_or_serve_scap_file(policy_scap_file, file_download_path)
+      lock = Proxy::FileLock::try_locking(policy_scap_file)
+      response = fetch_scap_content_xml(file_download_path)
+      if lock.nil?
+        return response
+      else
+        begin
+          File.open(policy_scap_file, 'wb') do |file|
+            file << response
+          end
+        ensure
+          Proxy::FileLock::unlock(lock)
+        end
+        scap_file = policy_content_file(policy_scap_file)
+        raise FileNotFound if scap_file.nil?
+        return scap_file
+      end
+    end
+
+    def fetch_scap_content_xml(file_download_path)
+      foreman_request = Proxy::HttpRequest::ForemanRequest.new
+      req = foreman_request.request_factory.create_get(file_download_path)
+      timeout = Proxy::OpenSCAP::Plugin.settings.timeout
+      foreman_request.http.read_timeout = timeout if timeout
+      response = foreman_request.send_request(req)
+      response.value
+      response.body
+    end
+
+    def clean_store_folder(policy_store_dir)
+      FileUtils.rm_f Dir["#{policy_store_dir}/*.xml"]
+    end
+  end
+end

data/lib/smart_proxy_openscap/fetch_scap_content.rb

@@ -0,0 +1,17 @@
+require 'smart_proxy_openscap/fetch_file'
+
+module Proxy::OpenSCAP
+  class FetchScapContent < FetchFile
+    def get_policy_content(policy_id, digest)
+      policy_store_dir = File.join(Proxy::OpenSCAP.fullpath(Proxy::OpenSCAP::Plugin.settings.contentdir), policy_id.to_s)
+      policy_scap_file = File.join(policy_store_dir, "#{policy_id}_#{digest}.xml")
+      file_download_path = "api/v2/compliance/policies/#{policy_id}/content"
+
+      create_store_dir policy_store_dir
+
+      scap_file = policy_content_file(policy_scap_file)
+      clean_store_folder(policy_store_dir) unless scap_file
+      scap_file ||= save_or_serve_scap_file(policy_scap_file, file_download_path)
+    end
+  end
+end

data/lib/smart_proxy_openscap/fetch_tailoring_file.rb

@@ -0,0 +1,17 @@
+require 'smart_proxy_openscap/fetch_file'
+
+module Proxy::OpenSCAP
+  class FetchTailoringFile < FetchFile
+    def get_tailoring_file(policy_id, digest)
+      store_dir = File.join(Proxy::OpenSCAP.fullpath(Proxy::OpenSCAP::Plugin.settings.tailoring_dir), policy_id.to_s)
+      policy_tailoring_file = File.join(store_dir, "#{policy_id}_#{digest}.xml")
+      file_download_path = "api/v2/compliance/policies/#{policy_id}/tailoring"
+
+      create_store_dir store_dir
+
+      scap_file = policy_content_file(policy_tailoring_file)
+      clean_store_folder(store_dir) unless scap_file
+      scap_file ||= save_or_serve_scap_file(policy_tailoring_file, file_download_path)
+    end
+  end
+end

data/lib/smart_proxy_openscap/foreman_forwarder.rb

@@ -0,0 +1,40 @@
+require 'smart_proxy_openscap/openscap_exception'
+
+module Proxy::OpenSCAP
+  class ForemanForwarder < Proxy::HttpRequest::ForemanRequest
+    include ::Proxy::Log
+
+    def post_arf_report(cname, policy_id, date, data, timeout)
+      begin
+        foreman_api_path = upload_path(cname, policy_id, date)
+        json = Proxy::OpenSCAP::ArfParser.new(cname, policy_id, date).as_json(data)
+        response = send_request(foreman_api_path, json, timeout)
+        # Raise an HTTP error if the response is not 2xx (success).
+        response.value
+        JSON.parse(response.body)
+      rescue Net::HTTPServerException => e
+        logger.debug "Received response: #{response.code} #{response.msg}"
+        logger.debug response.body
+        raise ReportUploadError, e.message if response.code.to_i == 422
+        raise e
+      end
+    end
+
+    private
+
+    def upload_path(cname, policy_id, date)
+      "/api/v2/compliance/arf_reports/#{cname}/#{policy_id}/#{date}"
+    end
+
+    def send_request(path, body, timeout)
+      # Override the parent method to set the right headers
+      path = [uri.path, path].join('/') unless uri.path.empty?
+      req = Net::HTTP::Post.new(URI.join(uri.to_s, path).path)
+      req.add_field('Accept', 'application/json,version=2')
+      req.content_type = 'application/json'
+      req.body = body
+      http.read_timeout = timeout if timeout
+      http.request(req)
+    end
+  end
+end

data/lib/smart_proxy_openscap/http_config.ru

@@ -0,0 +1,20 @@
+#
+# Copyright (c) 2014--2015 Red Hat Inc.
+#
+# This software is licensed to you under the GNU General Public License,
+# version 3 (GPLv3). There is NO WARRANTY for this software, express or
+# implied, including the implied warranties of MERCHANTABILITY or FITNESS
+# FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv3
+# along with this software; if not, see http://www.gnu.org/licenses/gpl.txt
+#
+
+require 'smart_proxy_openscap/openscap_api'
+require 'smart_proxy_openscap/openscap_import_api'
+
+map '/compliance' do
+  run Proxy::OpenSCAP::Api
+end
+
+map '/compliance-importer' do
+  run Proxy::OpenSCAP::ImportApi
+end

data/lib/smart_proxy_openscap/openscap_api.rb

@@ -0,0 +1,187 @@
+#
+# Copyright (c) 2014--2015 Red Hat Inc.
+#
+# This software is licensed to you under the GNU General Public License,
+# version 3 (GPLv3). There is NO WARRANTY for this software, express or
+# implied, including the implied warranties of MERCHANTABILITY or FITNESS
+# FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv3
+# along with this software; if not, see http://www.gnu.org/licenses/gpl.txt
+#
+require 'smart_proxy_openscap/openscap_lib'
+
+module Proxy::OpenSCAP
+  HTTP_ERRORS = [
+    EOFError,
+    Errno::ECONNRESET,
+    Errno::EINVAL,
+    Errno::ECONNREFUSED,
+    Net::HTTPBadResponse,
+    Net::HTTPHeaderSyntaxError,
+    Net::ProtocolError,
+    Timeout::Error
+  ]
+
+  class Api < ::Sinatra::Base
+    include ::Proxy::Log
+    helpers ::Proxy::Helpers
+    authorize_with_ssl_client
+
+    post "/arf/:policy" do
+      # first let's verify client's certificate
+      begin
+        cn = Proxy::OpenSCAP::common_name request
+      rescue Proxy::Error::Unauthorized => e
+        log_halt 403, "Client authentication failed: #{e.message}"
+      end
+      date = Time.now.to_i
+      policy = params[:policy]
+
+      begin
+        post_to_foreman = ForemanForwarder.new.post_arf_report(cn, policy, date, request.body.string, Proxy::OpenSCAP::Plugin.settings.timeout)
+        Proxy::OpenSCAP::StorageFS.new(Proxy::OpenSCAP::Plugin.settings.reportsdir, cn, post_to_foreman['id'], date).store_archive(request.body.string)
+        post_to_foreman.to_json
+      rescue Proxy::OpenSCAP::StoreReportError => e
+        Proxy::OpenSCAP::StorageFS.new(Proxy::OpenSCAP::Plugin.settings.failed_dir, cn, post_to_foreman['id'], date).store_failed(request.body.string)
+        logger.error "Failed to save Report in reports directory (#{Proxy::OpenSCAP::Plugin.settings.reportsdir}). Failed with: #{e.message}.
+                      Saving file in #{Proxy::OpenSCAP::Plugin.settings.failed_dir}. Please copy manually to #{Proxy::OpenSCAP::Plugin.settings.reportsdir}"
+        { :result => 'Storage failure on proxy, see proxy logs for details' }.to_json
+      rescue Proxy::OpenSCAP::OpenSCAPException => e
+        error = "Failed to parse Arf Report, moving to #{Proxy::OpenSCAP::Plugin.settings.corrupted_dir}"
+        logger.error error
+        Proxy::OpenSCAP::StorageFS.new(Proxy::OpenSCAP::Plugin.settings.corrupted_dir, cn, policy, date).store_corrupted(request.body.string)
+        { :result => (error << ' on proxy') }.to_json
+      rescue *HTTP_ERRORS => e
+        ### If the upload to foreman fails then store it in the spooldir
+        msg = "Failed to upload to Foreman, saving in spool. Failed with: #{e.message}"
+        logger.error msg
+        Proxy::OpenSCAP::StorageFS.new(Proxy::OpenSCAP::Plugin.settings.spooldir, cn, policy, date).store_spool(request.body.string)
+        { :result => msg }.to_json
+      rescue Proxy::OpenSCAP::StoreSpoolError => e
+        log_halt 500, e.message
+      rescue Proxy::OpenSCAP::ReportUploadError => e
+        { :result => e.message }.to_json
+      end
+    end
+
+    get "/arf/:id/:cname/:date/:digest/xml" do
+      content_type 'application/x-bzip2'
+      begin
+        Proxy::OpenSCAP::StorageFS.new(Proxy::OpenSCAP::Plugin.settings.reportsdir, params[:cname], params[:id], params[:date]).get_arf_xml(params[:digest])
+      rescue FileNotFound => e
+        log_halt 500, "Could not find requested file, #{e.message}"
+      end
+    end
+
+    delete "/arf/:id/:cname/:date/:digest" do
+      begin
+        Proxy::OpenSCAP::StorageFS.new(Proxy::OpenSCAP::Plugin.settings.reportsdir, params[:cname], params[:id], params[:date]).delete_arf_file
+      rescue FileNotFound => e
+        logger.debug "Could not find requested file, #{e.message} - Assuming deleted"
+      end
+    end
+
+    get "/arf/:id/:cname/:date/:digest/html" do
+      begin
+        Proxy::OpenSCAP::OpenscapHtmlGenerator.new(params[:cname], params[:id], params[:date], params[:digest]).get_html
+      rescue FileNotFound => e
+        log_halt 500, "Could not find requested file, #{e.message}"
+      rescue OpenSCAPException => e
+        log_halt 500, "Could not generate report in HTML"
+      end
+    end
+
+    get "/policies/:policy_id/content/:digest" do
+      content_type 'application/xml'
+      begin
+        Proxy::OpenSCAP::FetchScapContent.new.get_policy_content(params[:policy_id], params[:digest])
+      rescue *HTTP_ERRORS => e
+        log_halt e.response.code.to_i, "File not found on Foreman. Wrong policy id?"
+      rescue StandardError => e
+        log_halt 500, "Error occurred: #{e.message}"
+      end
+    end
+
+    get "/policies/:policy_id/content" do
+      content_type 'application/xml'
+      logger.warn 'DEPRECATION WARNING: /policies/:policy_id/content/:digest should be used, please update foreman_openscap'
+      begin
+        Proxy::OpenSCAP::FetchScapContent.new.get_policy_content(params[:policy_id], 'scap_content')
+      rescue *HTTP_ERRORS => e
+        log_halt e.response.code.to_i, "File not found on Foreman. Wrong policy id?"
+      rescue StandardError => e
+        log_halt 500, "Error occurred: #{e.message}"
+      end
+    end
+
+    get "/policies/:policy_id/tailoring/:digest" do
+      content_type 'application/xml'
+      begin
+        Proxy::OpenSCAP::FetchTailoringFile.new.get_tailoring_file(params[:policy_id], params[:digest])
+      rescue *HTTP_ERRORS => e
+        log_halt e.response.code.to_i, "File not found on Foreman. Wrong policy id?"
+      rescue StandardError => e
+        log_halt 500, "Error occurred: #{e.message}"
+      end
+    end
+
+    post "/scap_content/policies" do
+      begin
+        Proxy::OpenSCAP::ProfilesParser.new('scap_content').profiles(request.body.string)
+      rescue *HTTP_ERRORS => e
+        log_halt 500, e.message
+      rescue StandardError => e
+        log_halt 500, "Error occurred: #{e.message}"
+      end
+    end
+
+    post "/tailoring_file/profiles" do
+      begin
+        Proxy::OpenSCAP::ProfilesParser.new('tailoring_file').profiles(request.body.string)
+      rescue *HTTP_ERRORS => e
+        log_halt 500, e.message
+      rescue StandardError => e
+        log_halt 500, "Error occurred: #{e.message}"
+      end
+    end
+
+    post "/scap_file/validator/:type" do
+      validate_scap_file params
+    end
+
+    post "/scap_content/validator" do
+      logger.warn "DEPRECATION WARNING: '/scap_content/validator' will be removed in the future. Use '/scap_file/validator/scap_content' instead"
+      params[:type] = 'scap_content'
+      validate_scap_file params
+    end
+
+    post "/scap_content/guide/?:policy?" do
+      begin
+        Proxy::OpenSCAP::PolicyParser.new(params[:policy]).guide(request.body.string)
+      rescue *HTTP_ERRORS => e
+        log_halt 500, e.message
+      rescue StandardError => e
+        log_halt 500, "Error occurred: #{e.message}"
+      end
+    end
+
+    get "/spool_errors" do
+      begin
+        Proxy::OpenSCAP::StorageFS.new(Proxy::OpenSCAP::Plugin.settings.corrupted_dir, nil, nil, nil).spool_errors.to_json
+      rescue StandardError => e
+        log_halt 500, "Error occurred: #{e.message}"
+      end
+    end
+
+    private
+
+    def validate_scap_file(params)
+      begin
+        Proxy::OpenSCAP::ContentParser.new(params[:type]).validate(request.body.string)
+      rescue *HTTP_ERRORS => e
+        log_halt 500, e.message
+      rescue StandardError => e
+        log_halt 500, "Error occurred: #{e.message}"
+      end
+    end
+  end
+end

data/lib/smart_proxy_openscap/openscap_exception.rb

@@ -0,0 +1,9 @@
+module Proxy::OpenSCAP
+  class OpenSCAPException < StandardError; end
+  class StoreReportError < StandardError; end
+  class StoreSpoolError < StandardError; end
+  class StoreFailedError < StandardError; end
+  class FileNotFound < StandardError; end
+  class StoreCorruptedError < StandardError; end
+  class ReportUploadError < StandardError; end
+end

data/lib/smart_proxy_openscap/openscap_html_generator.rb

@@ -0,0 +1,38 @@
+require 'smart_proxy_openscap/storage_fs'
+require 'smart_proxy_openscap/shell_wrapper'
+
+module Proxy
+  module OpenSCAP
+    class OpenscapHtmlGenerator < ShellWrapper
+      def initialize(cname, id, date, digest)
+        @cname = cname
+        @id = id
+        @date = date
+        @digest = digest
+        @script_name = 'smart-proxy-arf-html'
+      end
+
+      def get_html
+        execute_shell_command
+      end
+
+      def out_filename
+        "#{super}-#{@cname}-#{@id}-#{@date}-#{@digest}-"
+      end
+
+      def command(in_file, out_file)
+        "#{script_location} #{file_path_in_storage} #{out_file.path}"
+      end
+
+      def failure_message
+        "Failure when running script which generates html reports"
+      end
+
+      def file_path_in_storage
+        path_to_dir = Proxy::OpenSCAP::Plugin.settings.reportsdir
+        storage = Proxy::OpenSCAP::StorageFS.new(path_to_dir, @cname, @id, @date)
+        storage.get_path(@digest)
+      end
+    end
+  end
+end