smart_proxy_openscap 0.7.3 → 0.9.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a3ca973805c62a08862ac41ec711531af26d63da27cde44dde331aa4f407d371
-  data.tar.gz: ec270baf1ad3fabebe31f231ae52446bcf2ca0caad6fc1fcca7b5174b82a07c7
+  metadata.gz: b4d1a52c4299cb9828c2cb492622a4cc13f9cd3d234fc6a9940dc9768840761b
+  data.tar.gz: bfa0d9e1444579127bec7bf5f32fe37d73577c99ab803dfd07b59c0ed6f1e15a
 SHA512:
-  metadata.gz: d323a7623a4ecfefb4dbb255e578199abcfa0204b52c073f4400cdfdbe039ced7caab5eba20d420eba266d6e0857b5a7e631046a40849d29240175966263c20c
-  data.tar.gz: 15bc8b4a4960196256b2f176ee59fa63424e45f917fd8d8e66a484bb6eefac6ab43ce7620e30d79ac7853303fea90b3878f160f728c98433c0e132609bf06efc
+  metadata.gz: 49c8ece151fb60cdf31a3c396b22df455d3f653648640f5e6d05505c67c386128bf09970bd9d08b82e94710d493c3ba8dd003d47d584e05819204cd32987ffc3
+  data.tar.gz: 18acfdafceecc4845da3fce3703f7e670d0c991ddda0d6cb542c00ccb6d399cd4090b63cf44dbeb2fef5aa99cfa0fb7710a2a54cf5b6d4b1678f98b70d01678b

data/Gemfile

@@ -4,6 +4,7 @@ gemspec
 group :development do
   gem 'test-unit'
   gem 'pry'
+  gem 'pry-byebug'
   gem 'rubocop'
   gem 'rack', '~> 1.6.8' if Gem::Version.new(RUBY_VERSION) < Gem::Version.new('2.2')
   gem 'smart_proxy', :github => "theforeman/smart-proxy", :branch => 'develop'

data/bin/smart-proxy-openscap-send

@@ -1,3 +1,7 @@
 #!/bin/bash
 
-scl enable tfm smart-proxy-openscap-send-inner
+if command -v scl &>/dev/null;then
+  scl enable tfm smart-proxy-openscap-send-inner
+else
+  smart-proxy-openscap-send-inner
+fi

data/lib/smart_proxy_openscap/arf_parser.rb

@@ -1,38 +1,95 @@
-require 'smart_proxy_openscap/shell_wrapper'
+require 'openscap_parser/test_result_file'
+require 'smart_proxy_openscap/openscap_exception'
 
 module Proxy
   module OpenSCAP
-    class ArfParser < ShellWrapper
+    class ArfParser
+      include Proxy::Log
 
       def initialize(cname, policy_id, date)
         @cname = cname
         @policy_id = policy_id
         @date = date
-        @script_name = 'smart-proxy-arf-json'
       end
 
       def as_json(arf_data)
-        execute_shell_command arf_data
-      end
+        begin
+          file = Tempfile.new
+          file.write(arf_data)
+          file.rewind
+          decompressed = `bunzip2 -dc #{file.path}`
+        rescue => e
+          logger.error e
+          raise Proxy::OpenSCAP::ReportDecompressError, "Failed to decompress received report bzip, cause: #{e.message}"
+        ensure
+          file.close
+          file.unlink
+        end
+        arf_file = ::OpenscapParser::TestResultFile.new(decompressed)
+        rules = arf_file.benchmark.rules.reduce({}) do |memo, rule|
+          memo[rule.id] = rule
+          memo
+        end
 
-      def in_filename
-        "#{super}-#{@cname}-#{@policy_id}-#{@date}-"
+        arf_digest = Digest::SHA256.hexdigest(arf_data)
+        report = parse_results(rules, arf_file.test_result, arf_digest)
+        report[:openscap_proxy_name] = Proxy::OpenSCAP::Plugin.settings.registered_proxy_name
+        report[:openscap_proxy_url] = Proxy::OpenSCAP::Plugin.settings.registered_proxy_url
+        report.to_json
       end
 
-      def out_filename
-        "#{in_filename}json-"
+      private
+
+      def parse_results(rules, test_result, arf_digest)
+        results = test_result.rule_results
+        set_values = test_result.set_values
+        report = {}
+        report[:logs] = []
+        passed = 0
+        failed = 0
+        othered = 0
+        results.each do |result|
+          next if result.result == 'notapplicable' || result.result == 'notselected'
+          # get rules and their results
+          rule_data = rules[result.id]
+          report[:logs] << populate_result_data(result.id, result.result, rule_data, set_values)
+          # create metrics for the results
+          case result.result
+            when 'pass', 'fixed'
+              passed += 1
+            when 'fail'
+              failed += 1
+            else
+              othered += 1
+          end
+        end
+        report[:digest]  = arf_digest
+        report[:metrics] = { :passed => passed, :failed => failed, :othered => othered }
+        report[:score] = test_result.score
+        report
       end
 
-      def failure_message
-        "Failure when running script which parses reports"
+      def populate_result_data(result_id, rule_result, rule_data, set_values)
+        log               = {}
+        log[:source]      = result_id
+        log[:result]      = rule_result
+        log[:title]       = rule_data.title
+        log[:description] = rule_data.description
+        log[:rationale]   = rule_data.rationale
+        log[:references]  = rule_data.references.map { |ref| { :href => ref.href, :title => ref.label }}
+        log[:fixes]       = populate_fixes rule_data.fixes, set_values
+        log[:severity]    = rule_data.severity
+        log
       end
 
-      def command(in_file, out_file)
-        "#{script_location} " <<
-        "#{in_file.path} " <<
-        "#{out_file.path} " <<
-        "#{Proxy::OpenSCAP::Plugin.settings.registered_proxy_name} " <<
-        "#{Proxy::OpenSCAP::Plugin.settings.registered_proxy_url}"
+      def populate_fixes(fixes, set_values)
+        fixes.map do |fix|
+          {
+            :id => fix.id,
+            :system => fix.system,
+            :full_text => fix.full_text(set_values)
+          }
+        end
       end
     end
   end

data/lib/smart_proxy_openscap/content_parser.rb

@@ -1,30 +1,24 @@
-require 'smart_proxy_openscap/shell_wrapper'
+require 'openscap_parser/datastream_file'
+require 'openscap_parser/tailoring_file'
 
 module Proxy::OpenSCAP
-  class ContentParser < ShellWrapper
-    def initialize(type)
-      @type = type
-      @script_name = 'smart-proxy-scap-validation'
-    end
-
-    def validate(scap_file)
-      execute_shell_command scap_file
-    end
-
-    def out_filename
-      "#{in_filename}json-"
-    end
-
-    def in_filename
-      "#{super}-#{@type}-validate-"
-    end
-
-    def failure_message
-      "Failure when running script which validates scap files"
-    end
-
-    def command(in_file, out_file)
-      "#{script_location} #{in_file.path} #{out_file.path} #{@type}"
+  class ContentParser
+    def validate(file_type, scap_file)
+      msg = 'Invalid SCAP file type'
+      errors = []
+      file = nil
+      begin
+        case file_type
+        when 'scap_content'
+          file = ::OpenscapParser::DatastreamFile.new(scap_file)
+        when 'tailoring_file'
+          file = ::OpenscapParser::TailoringFile.new(scap_file)
+        end
+        errors << msg unless file.valid?
+      rescue Nokogiri::XML::SyntaxError => e
+        errors << msg
+      end
+      { errors: errors }
     end
   end
 end

data/lib/smart_proxy_openscap/fetch_scap_file.rb

@@ -0,0 +1,45 @@
+require 'smart_proxy_openscap/fetch_file'
+
+module Proxy::OpenSCAP
+  class FetchScapFile < FetchFile
+    def initialize(type)
+      raise "Expected one of the following symbols: #{allowed_types.join(', ')}, got: #{type}" unless allowed_types.include? type
+      @type = type
+    end
+
+    def fetch(policy_id, digest, content_dir)
+      store_dir = File.join(Proxy::OpenSCAP.fullpath(content_dir), policy_id.to_s)
+      scap_file = File.join(store_dir, file_name(policy_id, digest))
+
+      file_download_path = download_path.sub(':policy_id', policy_id)
+      create_store_dir store_dir
+      file = policy_content_file scap_file
+      clean_store_folder store_dir unless file
+      file ||= save_or_serve_scap_file scap_file, file_download_path
+    end
+
+    def download_path
+      case @type
+      when :scap_content
+        "api/v2/compliance/policies/:policy_id/content"
+      when :tailoring_file
+        "api/v2/compliance/policies/:policy_id/tailoring"
+      when :oval_content
+        "api/v2/compliance/oval_policies/:policy_id/oval_content"
+      end
+    end
+
+    def file_name(policy_id, digest)
+      case @type
+      when :scap_content, :tailoring_file
+        "#{policy_id}_#{digest}.xml"
+      when :oval_content
+        "#{digest}.oval.xml.bz2"
+      end
+    end
+
+    def allowed_types
+      [:scap_content, :tailoring_file, :oval_content]
+    end
+  end
+end

data/lib/smart_proxy_openscap/foreman_arf_forwarder.rb

@@ -0,0 +1,15 @@
+require 'smart_proxy_openscap/foreman_forwarder'
+
+module Proxy::OpenSCAP
+  class ForemanArfForwarder < ForemanForwarder
+    private
+
+    def parse_report(cname, policy_id, date, report_data)
+      Proxy::OpenSCAP::ArfParser.new(cname, policy_id, date).as_json(report_data)
+    end
+
+    def report_upload_path(cname, policy_id, date)
+      upload_path "arf_reports", cname, policy_id, date
+    end
+  end
+end

data/lib/smart_proxy_openscap/foreman_forwarder.rb

@@ -4,26 +4,29 @@ module Proxy::OpenSCAP
   class ForemanForwarder < Proxy::HttpRequest::ForemanRequest
     include ::Proxy::Log
 
-    def post_arf_report(cname, policy_id, date, data, timeout)
-      begin
-        foreman_api_path = upload_path(cname, policy_id, date)
-        json = Proxy::OpenSCAP::ArfParser.new(cname, policy_id, date).as_json(data)
-        response = send_request(foreman_api_path, json, timeout)
-        # Raise an HTTP error if the response is not 2xx (success).
-        response.value
-        JSON.parse(response.body)
-      rescue Net::HTTPServerException => e
-        logger.debug "Received response: #{response.code} #{response.msg}"
-        logger.debug response.body
-        raise ReportUploadError, e.message if response.code.to_i == 422
-        raise e
-      end
+    def post_report(cname, policy_id, date, data, timeout)
+      foreman_api_path = report_upload_path(cname, policy_id, date)
+
+      json = parse_report(cname, policy_id, date, data)
+      response = send_request(foreman_api_path, json, timeout)
+      # Raise an HTTP error if the response is not 2xx (success).
+      response.value
+      JSON.parse(response.body)
+    rescue Net::HTTPServerException => e
+      logger.debug "Received response: #{response.code} #{response.msg}"
+      logger.debug response.body
+      raise ReportUploadError, e.message if response.code.to_i == 422
+      raise e
     end
 
     private
 
-    def upload_path(cname, policy_id, date)
-      "/api/v2/compliance/arf_reports/#{cname}/#{policy_id}/#{date}"
+    def upload_path(resource, cname, policy_id, date)
+      "/api/v2/compliance/#{resource}/#{cname}/#{policy_id}/#{date}"
+    end
+
+    def parse_report(cname, policy_id, date, data)
+      raise NotImplementedError
     end
 
     def send_request(path, body, timeout)

data/lib/smart_proxy_openscap/foreman_oval_forwarder.rb

@@ -0,0 +1,19 @@
+require 'smart_proxy_openscap/foreman_forwarder'
+
+module Proxy::OpenSCAP
+  class ForemanOvalForwarder < ForemanForwarder
+    private
+
+    def parse_report(cname, policy_id, date, report_data)
+      {
+        :oval_results => OvalReportParser.new.parse_cves(report_data),
+        :oval_policy_id => policy_id,
+        :cname => cname
+      }.to_json
+    end
+
+    def report_upload_path(cname, policy_id, date)
+      upload_path "oval_reports", cname, policy_id, date
+    end
+  end
+end

data/lib/smart_proxy_openscap/openscap_api.rb

@@ -25,48 +25,73 @@ module Proxy::OpenSCAP
     include ::Proxy::Log
     helpers ::Proxy::Helpers
     authorize_with_ssl_client
+    CLIENT_PATHS = Regexp.compile(%r{^(/arf/\d+|/policies/\d+/content/|/policies/\d+/tailoring/)})
 
-    post "/arf/:policy" do
-      # first let's verify client's certificate
+    # authorize via trusted hosts but let client paths in without such authorization
+    before do
+      pass if request.path_info =~ CLIENT_PATHS
+      do_authorize_with_trusted_hosts
+    end
+
+    before '(/arf/*|/oval_reports/*)' do
       begin
-        cn = Proxy::OpenSCAP::common_name request
+        @cn = Proxy::OpenSCAP::common_name request
       rescue Proxy::Error::Unauthorized => e
         log_halt 403, "Client authentication failed: #{e.message}"
       end
-      date = Time.now.to_i
+      @reported_at = Time.now.to_i
+    end
+
+    post "/arf/:policy" do
       policy = params[:policy]
 
       begin
-        post_to_foreman = ForemanForwarder.new.post_arf_report(cn, policy, date, request.body.string, Proxy::OpenSCAP::Plugin.settings.timeout)
-        Proxy::OpenSCAP::StorageFS.new(Proxy::OpenSCAP::Plugin.settings.reportsdir, cn, post_to_foreman['id'], date).store_archive(request.body.string)
+        post_to_foreman = ForemanArfForwarder.new.post_report(@cn, policy, @reported_at, request.body.string, Proxy::OpenSCAP::Plugin.settings.timeout)
+        Proxy::OpenSCAP::StorageFs.new(Proxy::OpenSCAP::Plugin.settings.reportsdir, @cn, post_to_foreman['id'], @reported_at).store_archive(request.body.string)
         post_to_foreman.to_json
       rescue Proxy::OpenSCAP::StoreReportError => e
-        Proxy::OpenSCAP::StorageFS.new(Proxy::OpenSCAP::Plugin.settings.failed_dir, cn, post_to_foreman['id'], date).store_failed(request.body.string)
+        Proxy::OpenSCAP::StorageFs.new(Proxy::OpenSCAP::Plugin.settings.failed_dir, @cn, post_to_foreman['id'], @reported_at).store_failed(request.body.string)
         logger.error "Failed to save Report in reports directory (#{Proxy::OpenSCAP::Plugin.settings.reportsdir}). Failed with: #{e.message}.
                       Saving file in #{Proxy::OpenSCAP::Plugin.settings.failed_dir}. Please copy manually to #{Proxy::OpenSCAP::Plugin.settings.reportsdir}"
         { :result => 'Storage failure on proxy, see proxy logs for details' }.to_json
-      rescue Proxy::OpenSCAP::OpenSCAPException => e
+      rescue Nokogiri::XML::SyntaxError => e
         error = "Failed to parse Arf Report, moving to #{Proxy::OpenSCAP::Plugin.settings.corrupted_dir}"
         logger.error error
-        Proxy::OpenSCAP::StorageFS.new(Proxy::OpenSCAP::Plugin.settings.corrupted_dir, cn, policy, date).store_corrupted(request.body.string)
+        Proxy::OpenSCAP::StorageFs.new(Proxy::OpenSCAP::Plugin.settings.corrupted_dir, @cn, policy, @reported_at).store_corrupted(request.body.string)
         { :result => (error << ' on proxy') }.to_json
       rescue *HTTP_ERRORS => e
         ### If the upload to foreman fails then store it in the spooldir
         msg = "Failed to upload to Foreman, saving in spool. Failed with: #{e.message}"
         logger.error msg
-        Proxy::OpenSCAP::StorageFS.new(Proxy::OpenSCAP::Plugin.settings.spooldir, cn, policy, date).store_spool(request.body.string)
+        Proxy::OpenSCAP::StorageFs.new(Proxy::OpenSCAP::Plugin.settings.spooldir, @cn, policy, @reported_at).store_spool(request.body.string)
         { :result => msg }.to_json
       rescue Proxy::OpenSCAP::StoreSpoolError => e
         log_halt 500, e.message
-      rescue Proxy::OpenSCAP::ReportUploadError => e
+      rescue Proxy::OpenSCAP::ReportUploadError, Proxy::OpenSCAP::ReportDecompressError => e
         { :result => e.message }.to_json
       end
     end
 
+    post "/oval_reports/:oval_policy_id" do
+      ForemanOvalForwarder.new.post_report(@cn, params[:oval_policy_id], @reported_at, request.body.string, Plugin.settings.timeout)
+
+      { :reported_at => Time.at(@reported_at) }.to_json
+    rescue *HTTP_ERRORS => e
+      msg = "Failed to upload to Foreman, failed with: #{e.message}"
+      logger.error e
+      { :result => msg }.to_json
+    rescue Nokogiri::XML::SyntaxError => e
+      logger.error e
+      { :result => 'Failed to parse OVAL report, see proxy logs for details' }.to_json
+    rescue Proxy::OpenSCAP::ReportUploadError, Proxy::OpenSCAP::ReportDecompressError => e
+      { :result => e.message }.to_json
+    end
+
+
     get "/arf/:id/:cname/:date/:digest/xml" do
       content_type 'application/x-bzip2'
       begin
-        Proxy::OpenSCAP::StorageFS.new(Proxy::OpenSCAP::Plugin.settings.reportsdir, params[:cname], params[:id], params[:date]).get_arf_xml(params[:digest])
+        Proxy::OpenSCAP::StorageFs.new(Proxy::OpenSCAP::Plugin.settings.reportsdir, params[:cname], params[:id], params[:date]).get_arf_xml(params[:digest])
       rescue FileNotFound => e
         log_halt 500, "Could not find requested file, #{e.message}"
       end
@@ -74,7 +99,7 @@ module Proxy::OpenSCAP
 
     delete "/arf/:id/:cname/:date/:digest" do
       begin
-        Proxy::OpenSCAP::StorageFS.new(Proxy::OpenSCAP::Plugin.settings.reportsdir, params[:cname], params[:id], params[:date]).delete_arf_file
+        Proxy::OpenSCAP::StorageFs.new(Proxy::OpenSCAP::Plugin.settings.reportsdir, params[:cname], params[:id], params[:date]).delete_arf_file
       rescue FileNotFound => e
         logger.debug "Could not find requested file, #{e.message} - Assuming deleted"
       end
@@ -93,32 +118,34 @@ module Proxy::OpenSCAP
     get "/policies/:policy_id/content/:digest" do
       content_type 'application/xml'
       begin
-        Proxy::OpenSCAP::FetchScapContent.new.get_policy_content(params[:policy_id], params[:digest])
+        Proxy::OpenSCAP::FetchScapFile.new(:scap_content)
+          .fetch(params[:policy_id], params[:digest], Proxy::OpenSCAP::Plugin.settings.contentdir)
       rescue *HTTP_ERRORS => e
-        log_halt e.response.code.to_i, "File not found on Foreman. Wrong policy id?"
+        log_halt e.response.code.to_i, file_not_found_msg
       rescue StandardError => e
         log_halt 500, "Error occurred: #{e.message}"
       end
     end
 
-    get "/policies/:policy_id/content" do
+    get "/policies/:policy_id/tailoring/:digest" do
       content_type 'application/xml'
-      logger.warn 'DEPRECATION WARNING: /policies/:policy_id/content/:digest should be used, please update foreman_openscap'
       begin
-        Proxy::OpenSCAP::FetchScapContent.new.get_policy_content(params[:policy_id], 'scap_content')
+        Proxy::OpenSCAP::FetchScapFile.new(:tailoring_file)
+          .fetch(params[:policy_id], params[:digest], Proxy::OpenSCAP::Plugin.settings.tailoring_dir)
       rescue *HTTP_ERRORS => e
-        log_halt e.response.code.to_i, "File not found on Foreman. Wrong policy id?"
+        log_halt e.response.code.to_i, file_not_found_msg
       rescue StandardError => e
         log_halt 500, "Error occurred: #{e.message}"
       end
     end
 
-    get "/policies/:policy_id/tailoring/:digest" do
-      content_type 'application/xml'
+    get "/oval_policies/:oval_policy_id/oval_content/:digest" do
+      content_type 'application/x-bzip2'
       begin
-        Proxy::OpenSCAP::FetchTailoringFile.new.get_tailoring_file(params[:policy_id], params[:digest])
-      rescue *HTTP_ERRORS => e
-        log_halt e.response.code.to_i, "File not found on Foreman. Wrong policy id?"
+        Proxy::OpenSCAP::FetchScapFile.new(:oval_content)
+          .fetch(params[:oval_policy_id], params[:digest], Proxy::OpenSCAP::Plugin.settings.oval_content_dir)
+      rescue *HTTP => e
+        log_halt e.response.code.to_i, file_not_found_msg
       rescue StandardError => e
         log_halt 500, "Error occurred: #{e.message}"
       end
@@ -126,7 +153,7 @@ module Proxy::OpenSCAP
 
     post "/scap_content/policies" do
       begin
-        Proxy::OpenSCAP::ProfilesParser.new('scap_content').profiles(request.body.string)
+        Proxy::OpenSCAP::ProfilesParser.new.profiles('scap_content', request.body.string)
       rescue *HTTP_ERRORS => e
         log_halt 500, e.message
       rescue StandardError => e
@@ -136,7 +163,7 @@ module Proxy::OpenSCAP
 
     post "/tailoring_file/profiles" do
       begin
-        Proxy::OpenSCAP::ProfilesParser.new('tailoring_file').profiles(request.body.string)
+        Proxy::OpenSCAP::ProfilesParser.new.profiles('tailoring_file', request.body.string)
       rescue *HTTP_ERRORS => e
         log_halt 500, e.message
       rescue StandardError => e
@@ -166,7 +193,7 @@ module Proxy::OpenSCAP
 
     get "/spool_errors" do
       begin
-        Proxy::OpenSCAP::StorageFS.new(Proxy::OpenSCAP::Plugin.settings.corrupted_dir, nil, nil, nil).spool_errors.to_json
+        Proxy::OpenSCAP::StorageFs.new(Proxy::OpenSCAP::Plugin.settings.corrupted_dir, nil, nil, nil).spool_errors.to_json
       rescue StandardError => e
         log_halt 500, "Error occurred: #{e.message}"
       end
@@ -176,12 +203,16 @@ module Proxy::OpenSCAP
 
     def validate_scap_file(params)
       begin
-        Proxy::OpenSCAP::ContentParser.new(params[:type]).validate(request.body.string)
+        Proxy::OpenSCAP::ContentParser.new.validate(params[:type], request.body.string).to_json
       rescue *HTTP_ERRORS => e
         log_halt 500, e.message
       rescue StandardError => e
         log_halt 500, "Error occurred: #{e.message}"
       end
     end
+
+    def file_not_found_msg
+      "File not found on Foreman. Wrong policy id?"
+    end
   end
 end