smart_proxy_openscap 0.7.2

data/lib/smart_proxy_openscap/openscap_import_api.rb

@@ -0,0 +1,32 @@
+module Proxy::OpenSCAP
+  class ImportApi < ::Sinatra::Base
+    include ::Proxy::Log
+    helpers ::Proxy::Helpers
+    authorize_with_trusted_hosts
+
+    require 'smart_proxy_openscap/openscap_lib'
+
+    post "/arf/:cname/:policy_id/:date" do
+      cn = params[:cname]
+      date = params[:date]
+      policy = params[:policy_id]
+      log_halt(500, "Insufficient data") if (cn.nil? || date.nil?)
+
+      post_to_foreman = ForemanForwarder.new.post_arf_report(cn, policy, date, request.body.string, Proxy::OpenSCAP::Plugin.settings.timeout)
+      begin
+        Proxy::OpenSCAP::StorageFS.new(Proxy::OpenSCAP::Plugin.settings.reportsdir, cn, post_to_foreman['id'], date).store_archive(request.body.string)
+      rescue Proxy::OpenSCAP::StoreReportError => e
+        Proxy::OpenSCAP::StorageFS.new(Proxy::OpenSCAP::Plugin.settings.failed_dir, cn, post_to_foreman['id'], date).store_failed(request.body.string)
+        logger.error "Failed to save Report in reports directory (#{Proxy::OpenSCAP::Plugin.settings.reportsdir}). Failed with: #{e.message}.
+                        Saving file in #{Proxy::OpenSCAP::Plugin.settings.failed_dir}. Please copy manually to #{Proxy::OpenSCAP::Plugin.settings.reportsdir}"
+      rescue *HTTP_ERRORS => e
+        ### If the upload to foreman fails then store it in the spooldir
+        logger.error "Failed to upload to Foreman, saving in spool. Failed with: #{e.message}"
+        Proxy::OpenSCAP::StorageFS.new(Proxy::OpenSCAP::Plugin.settings.spooldir, cn, policy, date).store_spool(request.body.string)
+      rescue Proxy::OpenSCAP::StoreSpoolError => e
+        log_halt 500, e.message
+      end
+      {:success => true, :arf_id => post_to_foreman['id']}.to_json
+    end
+  end
+end

data/lib/smart_proxy_openscap/openscap_lib.rb

@@ -0,0 +1,67 @@
+#
+# Copyright (c) 2014 Red Hat Inc.
+#
+# This software is licensed to you under the GNU General Public License,
+# version 3 (GPLv3). There is NO WARRANTY for this software, express or
+# implied, including the implied warranties of MERCHANTABILITY or FITNESS
+# FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv3
+# along with this software; if not, see http://www.gnu.org/licenses/gpl.txt
+#
+
+require 'digest'
+require 'fileutils'
+require 'pathname'
+require 'json'
+require 'proxy/error'
+require 'yaml'
+require 'ostruct'
+require 'proxy/request'
+require 'smart_proxy_openscap/fetch_scap_content'
+require 'smart_proxy_openscap/foreman_forwarder'
+require 'smart_proxy_openscap/content_parser'
+require 'smart_proxy_openscap/openscap_exception'
+require 'smart_proxy_openscap/arf_parser'
+require 'smart_proxy_openscap/spool_forwarder'
+require 'smart_proxy_openscap/openscap_html_generator'
+require 'smart_proxy_openscap/fetch_tailoring_file'
+require 'smart_proxy_openscap/policy_parser'
+require 'smart_proxy_openscap/profiles_parser'
+
+module Proxy::OpenSCAP
+  extend ::Proxy::Log
+
+  def self.plugin_settings
+    @@settings ||= OpenStruct.new(read_settings)
+  end
+
+  def self.read_settings
+    ::Proxy::OpenSCAP::Plugin.default_settings.merge(
+      YAML.load_file(File.join(::Proxy::SETTINGS.settings_directory, ::Proxy::OpenSCAP::Plugin.settings_file)))
+  end
+
+  def self.common_name(request)
+    client_cert = request.env['SSL_CLIENT_CERT']
+    raise Proxy::Error::Unauthorized, "Client certificate required!" if client_cert.to_s.empty?
+
+    begin
+      client_cert = OpenSSL::X509::Certificate.new(client_cert)
+    rescue OpenSSL::OpenSSLError => e
+      raise Proxy::Error::Unauthorized, e.message
+    end
+    cn = client_cert.subject.to_a.detect { |name, value| name == 'CN' }
+    cn = cn[1] unless cn.nil?
+    raise Proxy::Error::Unauthorized, "Common Name not found in the certificate" unless cn
+    cn
+  end
+
+  def self.send_spool_to_foreman(loaded_settings)
+    arf_dir = File.join(loaded_settings.spooldir, "/arf")
+    return unless File.exist? arf_dir
+    SpoolForwarder.new(loaded_settings).post_arf_from_spool(arf_dir)
+  end
+
+  def self.fullpath(path = Proxy::OpenSCAP::Plugin.settings.contentdir)
+    pathname = Pathname.new(path)
+    pathname.relative? ? pathname.expand_path(Sinatra::Base.root).to_s : path
+  end
+end

data/lib/smart_proxy_openscap/openscap_plugin.rb

@@ -0,0 +1,27 @@
+#
+# Copyright (c) 2014--2015 Red Hat Inc.
+#
+# This software is licensed to you under the GNU General Public License,
+# version 3 (GPLv3). There is NO WARRANTY for this software, express or
+# implied, including the implied warranties of MERCHANTABILITY or FITNESS
+# FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv3
+# along with this software; if not, see http://www.gnu.org/licenses/gpl.txt
+#
+
+require 'smart_proxy_openscap/version'
+
+module Proxy::OpenSCAP
+  class Plugin < ::Proxy::Plugin
+    plugin :openscap, Proxy::OpenSCAP::VERSION
+
+    http_rackup_path File.expand_path("http_config.ru", File.expand_path("../", __FILE__))
+    https_rackup_path File.expand_path("http_config.ru", File.expand_path("../", __FILE__))
+
+    default_settings :spooldir => '/var/spool/foreman-proxy/openscap',
+                     :openscap_send_log_file => File.join(APP_ROOT, 'logs/openscap-send.log'),
+                     :contentdir => File.join(APP_ROOT, 'openscap/content'),
+                     :reportsdir => File.join(APP_ROOT, 'openscap/reports'),
+                     :failed_dir => File.join(APP_ROOT, 'openscap/failed'),
+                     :tailoring_dir => File.join(APP_ROOT, 'openscap/tailoring')
+  end
+end

data/lib/smart_proxy_openscap/policy_guide.rb

@@ -0,0 +1,23 @@
+require 'openscap'
+require 'openscap/source'
+require 'openscap/ds/sds'
+require 'json'
+
+module Proxy
+  module OpenSCAP
+    class PolicyGuide
+      def generate_guide(in_file, out_file, policy=nil)
+        ::OpenSCAP.oscap_init
+        source = ::OpenSCAP::Source.new in_file
+        sds = ::OpenSCAP::DS::Sds.new source
+        sds.select_checklist
+        html = sds.html_guide policy
+        File.write(out_file, { :html => html.force_encoding('UTF-8') }.to_json)
+      ensure
+        sds.destroy if sds
+        source.destroy if source
+        ::OpenSCAP.oscap_cleanup
+      end
+    end
+  end
+end

data/lib/smart_proxy_openscap/policy_parser.rb

@@ -0,0 +1,33 @@
+require 'smart_proxy_openscap/shell_wrapper'
+
+module Proxy
+  module OpenSCAP
+    class PolicyParser < ShellWrapper
+
+      def initialize(policy)
+        @script_name = "smart-proxy-policy-guide"
+        @policy = policy
+      end
+
+      def guide(scap_file)
+        execute_shell_command scap_file
+      end
+
+      def in_filename
+        super
+      end
+
+      def out_filename
+        "#{in_filename}json-"
+      end
+
+      def failure_message
+        "Failure when running script which renders policy guide"
+      end
+
+      def command(in_file, out_file)
+        "#{script_location} #{in_file.path} #{out_file.path} #{@policy}"
+      end
+    end
+  end
+end

data/lib/smart_proxy_openscap/profiles_parser.rb

@@ -0,0 +1,32 @@
+require 'smart_proxy_openscap/shell_wrapper'
+
+module Proxy
+  module OpenSCAP
+    class ProfilesParser < ShellWrapper
+      def initialize(type)
+        @type = type
+        @script_name = 'smart-proxy-scap-profiles'
+      end
+
+      def profiles(scap_file)
+        execute_shell_command scap_file
+      end
+
+      def out_filename
+        "#{in_filename}json-"
+      end
+
+      def in_filename
+        "#{super}-#{@type}-profiles-"
+      end
+
+      def failure_message
+        "Failure when running script which extracts profiles from scap file"
+      end
+
+      def command(in_file, out_file)
+        "#{script_location} #{in_file.path} #{out_file.path} #{@type}"
+      end
+    end
+  end
+end

data/lib/smart_proxy_openscap/scap_profiles.rb

@@ -0,0 +1,52 @@
+require 'openscap'
+require 'openscap/ds/sds'
+require 'openscap/source'
+require 'openscap/xccdf/benchmark'
+require 'openscap/xccdf/tailoring'
+require 'json'
+
+module Proxy
+  module OpenSCAP
+    class ScapProfiles
+      def profiles(in_file, out_file, type)
+        ::OpenSCAP.oscap_init
+        source = ::OpenSCAP::Source.new(in_file)
+        json = type == 'scap_content' ? scap_content_profiles(source) : tailoring_profiles(source)
+        File.write out_file, json
+      ensure
+        source.destroy if source
+        ::OpenSCAP.oscap_cleanup
+      end
+
+      def scap_content_profiles(source)
+        bench = benchmark_profiles source
+        profiles = collect_profiles bench
+        profiles.to_json
+      ensure
+        bench.destroy if bench
+      end
+
+      def tailoring_profiles(source)
+        tailoring = ::OpenSCAP::Xccdf::Tailoring.new(source, nil)
+        profiles = collect_profiles tailoring
+        profiles.to_json
+      ensure
+        tailoring.destroy if tailoring
+      end
+
+      def collect_profiles(profile_source)
+        profile_source.profiles.inject({}) do |memo, (key, profile)|
+          memo.tap { |hash| hash[key] = profile.title.strip }
+        end
+      end
+
+      def benchmark_profiles(source)
+        sds          = ::OpenSCAP::DS::Sds.new(source)
+        bench_source = sds.select_checklist!
+        benchmark = ::OpenSCAP::Xccdf::Benchmark.new(bench_source)
+      ensure
+        sds.destroy if sds
+      end
+    end
+  end
+end

data/lib/smart_proxy_openscap/scap_validation.rb

@@ -0,0 +1,35 @@
+require 'json'
+require 'openscap'
+require 'openscap/source'
+
+module Proxy
+  module OpenSCAP
+    class ScapValidation
+      def allowed_types
+        {
+          'tailoring_file' => 'XCCDF Tailoring',
+          'scap_content' => 'SCAP Source Datastream'
+        }
+      end
+
+      def validate(in_file, out_file, type)
+        errors = []
+        ::OpenSCAP.oscap_init
+        source = ::OpenSCAP::Source.new(in_file)
+        if source.type != allowed_types[type]
+          errors << "Uploaded file is #{source.type}, unexpected file type"
+        end
+
+        begin
+          source.validate!
+        rescue ::OpenSCAP::OpenSCAPError
+          errors << "Invalid SCAP file type"
+        end
+        File.write out_file, { :errors => errors }.to_json
+      ensure
+        source.destroy if source
+        ::OpenSCAP.oscap_cleanup
+      end
+    end
+  end
+end

data/lib/smart_proxy_openscap/shell_wrapper.rb

@@ -0,0 +1,77 @@
+require 'tempfile'
+
+module Proxy
+  module OpenSCAP
+    class ShellWrapper
+      include ::Proxy::Log
+
+      attr_reader :script_name
+
+      def script_location
+        raise NotImplementedError, 'Must have @script_name' unless script_name
+        path = File.join(File.dirname(File.expand_path(__FILE__)), '../../bin', script_name)
+        return path if File.exist? path
+        script_name
+      end
+
+      def execute_shell_command(in_file_content = nil)
+        out_file = Tempfile.new(out_filename, "/var/tmp")
+        in_file = prepare_in_file in_file_content
+        comm = command(in_file, out_file)
+        logger.debug "Executing: #{comm}"
+        output = nil
+        begin
+          `#{comm}`
+          output = out_file.read
+        rescue => e
+          logger.debug failure_message
+          logger.debug e.message
+          logger.debug e.backtrace.join("\n\t")
+        ensure
+          close_unlink out_file, in_file
+        end
+        raise OpenSCAPException, exception_message if output.nil? || output.empty?
+        output
+      end
+
+      def close_unlink(*files)
+        files.compact.each do |file|
+          file.close
+          file.unlink
+        end
+      end
+
+      def prepare_in_file(in_file_content)
+        return unless in_file_content
+        file = Tempfile.new(in_filename, "/var/tmp")
+        file.write in_file_content
+        file.rewind
+        file
+      end
+
+      def in_filename
+        @in_filename ||= unique_filename
+      end
+
+      def out_filename
+        @out_filename ||= unique_filename
+      end
+
+      def unique_filename
+        SecureRandom.uuid
+      end
+
+      def command(in_file, out_file)
+        raise NotImplementedError, "Must be implemented"
+      end
+
+      def failure_message
+        raise NotImplementedError, "Must be implemented"
+      end
+
+      def exception_message
+        failure_message
+      end
+    end
+  end
+end

data/lib/smart_proxy_openscap/spool_forwarder.rb

@@ -0,0 +1,79 @@
+module Proxy::OpenSCAP
+  class SpoolForwarder
+    include ::Proxy::Log
+
+    def initialize(loaded_settings)
+      @loaded_settings = loaded_settings
+    end
+
+    def post_arf_from_spool(arf_dir)
+      Dir.foreach(arf_dir) do |cname|
+        next if cname == '.' || cname == '..'
+        cname_dir = File.join(arf_dir, cname)
+        forward_cname_dir(cname, cname_dir) if File.directory?(cname_dir)
+      end
+    end
+
+    private
+
+    def forward_cname_dir(cname, cname_dir)
+      Dir.foreach(cname_dir) do |policy_id|
+        next if policy_id == '.' || policy_id == '..'
+        policy_dir = File.join(cname_dir, policy_id)
+        if File.directory?(policy_dir)
+          forward_policy_dir(cname, policy_id, policy_dir)
+        end
+      end
+      remove_if_empty(cname_dir)
+    end
+
+    def forward_policy_dir(cname, policy_id, policy_dir)
+      Dir.foreach(policy_dir) do |date|
+        next if date == '.' || date == '..'
+        date_dir = File.join(policy_dir, date)
+        if File.directory?(date_dir)
+          forward_date_dir(cname, policy_id, date, date_dir)
+        end
+      end
+      remove_if_empty(policy_dir)
+    end
+
+    def forward_date_dir(cname, policy_id, date, date_dir)
+      Dir.foreach(date_dir) do |arf|
+        next if arf == '.' || arf == '..'
+        arf_path = File.join(date_dir, arf)
+        if File.file?(arf_path)
+          logger.debug("Uploading #{arf} to Foreman")
+          forward_arf_file(cname, policy_id, date, arf_path)
+        end
+      end
+      remove_if_empty(date_dir)
+    end
+
+    def forward_arf_file(cname, policy_id, date, arf_file_path)
+      data = File.open(arf_file_path, 'rb') { |io| io.read }
+      post_to_foreman = ForemanForwarder.new.post_arf_report(cname, policy_id, date, data, @loaded_settings.timeout)
+      Proxy::OpenSCAP::StorageFS.new(@loaded_settings.reportsdir, cname, post_to_foreman['id'], date).store_archive(data)
+      File.delete arf_file_path
+    rescue Proxy::OpenSCAP::OpenSCAPException => e
+      logger.error "Failed to parse Arf Report at #{arf_file_path}, moving to #{@loaded_settings.corrupted_dir}"
+
+      Proxy::OpenSCAP::StorageFS.new(@loaded_settings.corrupted_dir, cname, policy_id, date).
+        move_corrupted(arf_file_path.split('/').last, @loaded_settings.spooldir)
+    rescue Proxy::OpenSCAP::ReportUploadError => e
+      logger.error "Failed to upload Arf Report at #{arf_file_path}, cause: #{e.message}, the report will be deleted."
+      File.delete arf_file_path
+    rescue StandardError => e
+      logger.error "smart-proxy-openscap-send failed to upload Compliance report for #{cname}, generated on #{Time.at date.to_i}. Cause: #{e}"
+    end
+
+    def remove_if_empty(dir)
+      begin
+        Dir.delete dir if Dir["#{dir}/*"].empty?
+        logger.debug "Removing directory: #{dir}"
+      rescue StandardError => e
+        logger.error "Could not remove directory: #{e.message}"
+      end
+    end
+  end
+end