smart_proxy_openscap 0.7.3 → 0.9.0

data/lib/smart_proxy_openscap/openscap_exception.rb

@@ -6,4 +6,5 @@ module Proxy::OpenSCAP
   class FileNotFound < StandardError; end
   class StoreCorruptedError < StandardError; end
   class ReportUploadError < StandardError; end
+  class ReportDecompressError < StandardError; end
 end

data/lib/smart_proxy_openscap/openscap_html_generator.rb

@@ -30,7 +30,7 @@ module Proxy
 
       def file_path_in_storage
         path_to_dir = Proxy::OpenSCAP::Plugin.settings.reportsdir
-        storage = Proxy::OpenSCAP::StorageFS.new(path_to_dir, @cname, @id, @date)
+        storage = Proxy::OpenSCAP::StorageFs.new(path_to_dir, @cname, @id, @date)
         storage.get_path(@digest)
       end
     end

data/lib/smart_proxy_openscap/openscap_import_api.rb

@@ -14,15 +14,15 @@ module Proxy::OpenSCAP
 
       post_to_foreman = ForemanForwarder.new.post_arf_report(cn, policy, date, request.body.string, Proxy::OpenSCAP::Plugin.settings.timeout)
       begin
-        Proxy::OpenSCAP::StorageFS.new(Proxy::OpenSCAP::Plugin.settings.reportsdir, cn, post_to_foreman['id'], date).store_archive(request.body.string)
+        Proxy::OpenSCAP::StorageFs.new(Proxy::OpenSCAP::Plugin.settings.reportsdir, cn, post_to_foreman['id'], date).store_archive(request.body.string)
       rescue Proxy::OpenSCAP::StoreReportError => e
-        Proxy::OpenSCAP::StorageFS.new(Proxy::OpenSCAP::Plugin.settings.failed_dir, cn, post_to_foreman['id'], date).store_failed(request.body.string)
+        Proxy::OpenSCAP::StorageFs.new(Proxy::OpenSCAP::Plugin.settings.failed_dir, cn, post_to_foreman['id'], date).store_failed(request.body.string)
         logger.error "Failed to save Report in reports directory (#{Proxy::OpenSCAP::Plugin.settings.reportsdir}). Failed with: #{e.message}.
                         Saving file in #{Proxy::OpenSCAP::Plugin.settings.failed_dir}. Please copy manually to #{Proxy::OpenSCAP::Plugin.settings.reportsdir}"
       rescue *HTTP_ERRORS => e
         ### If the upload to foreman fails then store it in the spooldir
         logger.error "Failed to upload to Foreman, saving in spool. Failed with: #{e.message}"
-        Proxy::OpenSCAP::StorageFS.new(Proxy::OpenSCAP::Plugin.settings.spooldir, cn, policy, date).store_spool(request.body.string)
+        Proxy::OpenSCAP::StorageFs.new(Proxy::OpenSCAP::Plugin.settings.spooldir, cn, policy, date).store_spool(request.body.string)
       rescue Proxy::OpenSCAP::StoreSpoolError => e
         log_halt 500, e.message
       end

data/lib/smart_proxy_openscap/openscap_lib.rb

@@ -16,16 +16,18 @@ require 'proxy/error'
 require 'yaml'
 require 'ostruct'
 require 'proxy/request'
-require 'smart_proxy_openscap/fetch_scap_content'
-require 'smart_proxy_openscap/foreman_forwarder'
+require 'smart_proxy_openscap/foreman_arf_forwarder'
+require 'smart_proxy_openscap/foreman_oval_forwarder'
 require 'smart_proxy_openscap/content_parser'
 require 'smart_proxy_openscap/openscap_exception'
 require 'smart_proxy_openscap/arf_parser'
 require 'smart_proxy_openscap/spool_forwarder'
 require 'smart_proxy_openscap/openscap_html_generator'
-require 'smart_proxy_openscap/fetch_tailoring_file'
 require 'smart_proxy_openscap/policy_parser'
 require 'smart_proxy_openscap/profiles_parser'
+require 'smart_proxy_openscap/oval_report_storage_fs'
+require 'smart_proxy_openscap/oval_report_parser'
+require 'smart_proxy_openscap/fetch_scap_file'
 
 module Proxy::OpenSCAP
   extend ::Proxy::Log

data/lib/smart_proxy_openscap/openscap_plugin.rb

@@ -22,6 +22,7 @@ module Proxy::OpenSCAP
                      :contentdir => File.join(APP_ROOT, 'openscap/content'),
                      :reportsdir => File.join(APP_ROOT, 'openscap/reports'),
                      :failed_dir => File.join(APP_ROOT, 'openscap/failed'),
-                     :tailoring_dir => File.join(APP_ROOT, 'openscap/tailoring')
+                     :tailoring_dir => File.join(APP_ROOT, 'openscap/tailoring'),
+                     :oval_content_dir => File.join(APP_ROOT, 'openscap/oval_content')
   end
 end

data/lib/smart_proxy_openscap/oval_report_parser.rb

@@ -0,0 +1,54 @@
+require 'smart_proxy_openscap/openscap_exception'
+require 'openscap_parser/oval_report'
+
+module Proxy::OpenSCAP
+  class OvalReportParser
+    include Proxy::Log
+
+    def parse_cves(report_data)
+      report = oval_report report_data
+      results = report.definition_results.reduce({}) do |memo, result|
+        memo.tap { |acc| acc[result.definition_id] = parse_cve_res result }
+      end
+
+      report.definitions.map do |definition|
+        results[definition.id].merge(parse_cve_def definition)
+      end
+    end
+
+    private
+
+    def parse_cve_def(definition)
+      refs = definition.references.reduce([]) do |memo, ref|
+        memo.tap { |acc| acc << { :ref_id => ref.ref_id, :ref_url => ref.ref_url } }
+      end
+
+      { :references => refs, :definition_id => definition.id }
+    end
+
+    def parse_cve_res(result)
+      { :result => result.result }
+    end
+
+    def oval_report(report_data)
+      decompressed = decompress report_data
+      ::OpenscapParser::OvalReport.new(decompressed)
+    end
+
+    def decompress(report_data)
+      begin
+        file = Tempfile.new
+        file.write report_data
+        file.rewind
+        decompressed = `bunzip2 -dc #{file.path}`
+      rescue => e
+        logger.error e
+        raise Proxy::OpenSCAP::ReportDecompressError, "Failed to decompress received report bzip, cause: #{e.message}"
+      ensure
+        file.close
+        file.unlink
+      end
+      decompressed
+    end
+  end
+end

data/lib/smart_proxy_openscap/oval_report_storage_fs.rb

@@ -0,0 +1,26 @@
+require 'smart_proxy_openscap/storage_fs_common'
+require 'smart_proxy_openscap/openscap_exception'
+
+module Proxy::OpenSCAP
+  class OvalReportStorageFs
+    include StorageFsCommon
+
+    def initialize(path_to_dir, oval_policy_id, cname, reported_at)
+      @namespace = 'oval'
+      @reported_at = reported_at
+      @path = "#{path_to_dir}/#{@namespace}/#{oval_policy_id}/#{cname}/"
+    end
+
+    def store_report(report_data)
+      store(report_data, StoreReportError)
+    end
+
+    private
+
+    def store_file(path_to_store, report_data)
+      target_path = "#{path_to_store}#{@reported_at}"
+      File.open(target_path, 'w') { |f| f.write(report_data) }
+      target_path
+    end
+  end
+end

data/lib/smart_proxy_openscap/profiles_parser.rb

@@ -1,31 +1,30 @@
-require 'smart_proxy_openscap/shell_wrapper'
+require 'openscap_parser/datastream_file'
+require 'openscap_parser/tailoring_file'
 
 module Proxy
   module OpenSCAP
-    class ProfilesParser < ShellWrapper
-      def initialize(type)
-        @type = type
-        @script_name = 'smart-proxy-scap-profiles'
-      end
-
-      def profiles(scap_file)
-        execute_shell_command scap_file
-      end
-
-      def out_filename
-        "#{in_filename}json-"
-      end
-
-      def in_filename
-        "#{super}-#{@type}-profiles-"
-      end
+    class ProfilesParser
+      def profiles(file_type, scap_file)
+        profiles = []
+        error_msg = 'Failed to parse profiles'
+        begin
+          case file_type
+          when 'scap_content'
+            profiles = ::OpenscapParser::DatastreamFile.new(scap_file).benchmark.profiles
+          when 'tailoring_file'
+            profiles = ::OpenscapParser::TailoringFile.new(scap_file).tailoring.profiles
+          else
+            raise OpenSCAPException, "Unknown file type, expected 'scap_content' or 'tailoring_file'"
+          end
+        rescue Nokogiri::XML::SyntaxError
+          raise OpenSCAPException, error_msg
+        end
 
-      def failure_message
-        "Failure when running script which extracts profiles from scap file"
-      end
+        raise OpenSCAPException, error_msg if profiles.empty?
 
-      def command(in_file, out_file)
-        "#{script_location} #{in_file.path} #{out_file.path} #{@type}"
+        result = profiles.reduce({}) do |memo, profile|
+          memo.tap { |acc| acc[profile.id] = profile.title }
+        end.to_json
       end
     end
   end

data/lib/smart_proxy_openscap/spool_forwarder.rb

@@ -52,13 +52,13 @@ module Proxy::OpenSCAP
 
     def forward_arf_file(cname, policy_id, date, arf_file_path)
       data = File.open(arf_file_path, 'rb') { |io| io.read }
-      post_to_foreman = ForemanForwarder.new.post_arf_report(cname, policy_id, date, data, @loaded_settings.timeout)
-      Proxy::OpenSCAP::StorageFS.new(@loaded_settings.reportsdir, cname, post_to_foreman['id'], date).store_archive(data)
+      post_to_foreman = ForemanArfForwarder.new.post_report(cname, policy_id, date, data, @loaded_settings.timeout)
+      Proxy::OpenSCAP::StorageFs.new(@loaded_settings.reportsdir, cname, post_to_foreman['id'], date).store_archive(data)
       File.delete arf_file_path
-    rescue Proxy::OpenSCAP::OpenSCAPException => e
+    rescue Nokogiri::XML::SyntaxError, Proxy::OpenSCAP::ReportDecompressError => e
       logger.error "Failed to parse Arf Report at #{arf_file_path}, moving to #{@loaded_settings.corrupted_dir}"
 
-      Proxy::OpenSCAP::StorageFS.new(@loaded_settings.corrupted_dir, cname, policy_id, date).
+      Proxy::OpenSCAP::StorageFs.new(@loaded_settings.corrupted_dir, cname, policy_id, date).
         move_corrupted(arf_file_path.split('/').last, @loaded_settings.spooldir)
     rescue Proxy::OpenSCAP::ReportUploadError => e
       logger.error "Failed to upload Arf Report at #{arf_file_path}, cause: #{e.message}, the report will be deleted."

data/lib/smart_proxy_openscap/storage.rb

@@ -2,8 +2,6 @@ require 'smart_proxy_openscap/openscap_exception'
 
 module Proxy::OpenSCAP
   class Storage
-    include ::Proxy::Log
-
     def initialize(path_to_dir, cname, id, date)
       @namespace = 'arf'
       @cname = cname

data/lib/smart_proxy_openscap/storage_fs.rb

@@ -1,8 +1,11 @@
 require 'pathname'
 require 'smart_proxy_openscap/storage'
+require 'smart_proxy_openscap/storage_fs_common'
 
 module Proxy::OpenSCAP
-  class StorageFS < Storage
+  class StorageFs < Storage
+    include StorageFsCommon
+
     def store_archive(data)
       store(data, StoreReportError)
     end
@@ -57,9 +60,9 @@ module Proxy::OpenSCAP
 
     private
 
-    def store_arf(spool_arf_dir, data)
+    def store_file(path_to_store, data)
       filename = Digest::SHA256.hexdigest data
-      target_path = spool_arf_dir + filename
+      target_path = path_to_store + filename
       File.open(target_path,'w') { |f| f.write(data) }
       target_path
     end
@@ -91,7 +94,7 @@ module Proxy::OpenSCAP
       end
 
       begin
-        target_path = store_arf(@path, data)
+        target_path = store_file(@path, data)
       rescue StandardError => e
         raise error_type, "Could not store file: #{e.message}"
       end

data/lib/smart_proxy_openscap/storage_fs_common.rb

@@ -0,0 +1,42 @@
+module Proxy::OpenSCAP
+  module StorageFsCommon
+    include ::Proxy::Log
+
+    private
+
+    def create_directory
+      begin
+        FileUtils.mkdir_p @path
+      rescue StandardError => e
+        logger.error "Could not create '#{@path}' directory: #{e.message}"
+        raise e
+      end
+      @path
+    end
+
+    def move(source, error_type)
+      begin
+        create_directory
+        FileUtils.mv source, @path
+      rescue StandardError => e
+        raise error_type, "Could not move file: #{e.message}"
+      end
+    end
+
+    def store(data, error_type)
+      begin
+        create_directory
+      rescue StandardError => e
+        raise error_type, "Could not fulfill request: #{e.message}"
+      end
+
+      begin
+        target_path = store_file(@path, data)
+      rescue StandardError => e
+        raise error_type, "Could not store file: #{e.message}"
+      end
+
+      logger.debug "File #{target_path} stored in reports dir."
+    end
+  end
+end

data/lib/smart_proxy_openscap/version.rb

@@ -10,6 +10,6 @@
 
 module Proxy
   module OpenSCAP
-    VERSION = '0.7.3'
+    VERSION = '0.9.0'
   end
 end

data/settings.d/openscap.yml.example

@@ -31,3 +31,6 @@
 # Affects sending reports to Foreman (directly and from spool) and fetching scap content or tailoring file
 # for distribution to clients
 #:timeout: 60
+
+# Directory where OpenSCAP OVAL content bzipped XML are stored
+#:oval_content_dir: /var/lib/openscap/oval_content

data/smart_proxy_openscap.gemspec

@@ -14,10 +14,12 @@ Gem::Specification.new do |s|
 
   s.files = `git ls-files`.split("\n") - ['.gitignore']
   s.executables = ['smart-proxy-openscap-send']
+  s.requirements = 'bzip2'
 
   s.add_development_dependency('rake')
   s.add_development_dependency('rack-test')
   s.add_development_dependency('mocha')
   s.add_development_dependency('webmock')
   s.add_dependency 'openscap', '~> 0.4.7'
+  s.add_dependency 'openscap_parser', '~> 1.0.2'
 end

data/test/fetch_oval_content_api_test.rb

@@ -0,0 +1,38 @@
+require 'test_helper'
+require 'smart_proxy_openscap'
+require 'smart_proxy_openscap/openscap_api'
+
+ENV['RACK_ENV'] = 'test'
+
+class FetchOvalContentApiTest < Test::Unit::TestCase
+  include Rack::Test::Methods
+
+  def setup
+    @foreman_url = 'https://foreman.example.com'
+    @fixture_path = "/test/data/rhel-7-including-unpatched.oval.xml.bz2"
+    @fixture_full_path = File.join(Dir.getwd, @fixture_path)
+    Proxy::SETTINGS.stubs(:foreman_url).returns(@foreman_url)
+    @results_path = ("#{Dir.getwd}/test/test_run_files")
+    FileUtils.mkdir_p(@results_path)
+    Proxy::OpenSCAP::Plugin.settings.stubs(:oval_content_dir).returns(@results_path)
+    @oval_content = File.new(@fixture_full_path).read
+    @digest = Digest::SHA256.hexdigest @oval_content
+    @policy_id = 1
+  end
+
+  def teardown
+    FileUtils.rm_rf(Dir.glob("#{@results_path}/*"))
+  end
+
+  def app
+    ::Proxy::OpenSCAP::Api.new
+  end
+
+  def test_get_oval_content_from_file
+    FileUtils.mkdir("#{@results_path}/#{@policy_id}")
+    FileUtils.cp(@fixture_full_path, "#{@results_path}/#{@policy_id}/#{@digest}.oval.xml.bz2")
+    get "/oval_policies/#{@policy_id}/oval_content/#{@digest}"
+    assert_equal("application/x-bzip2", last_response.header["Content-Type"], "Response header should be application/x-bzip2")
+    assert(last_response.successful?, "Response should be success")
+  end
+end

data/test/fetch_scap_api_test.rb

@@ -54,7 +54,7 @@ class FetchScapApiTest < Test::Unit::TestCase
   end
 
   def test_get_scap_content_permissions
-    Proxy::OpenSCAP::FetchScapContent.any_instance.stubs(:get_policy_content).raises(Errno::EACCES)
+    Proxy::OpenSCAP::FetchScapFile.any_instance.stubs(:fetch).raises(Errno::EACCES)
     stub_request(:get, "#{@foreman_url}/api/v2/compliance/policies/#{@policy_id}/content").to_return(:body => @scap_content)
     get "/policies/#{@policy_id}/content/#{@digest}"
     assert_equal(500, last_response.status, "No permissions should raise error 500")

data/test/oval_report_parser_test.rb

@@ -0,0 +1,14 @@
+require 'test_helper'
+require 'smart_proxy_openscap'
+require 'smart_proxy_openscap/oval_report_parser'
+
+class OvalReportParserTest < Test::Unit::TestCase
+
+  def test_oval_report_parsing
+    oval_report = File.open("#{Dir.getwd}/test/data/oval-results.xml.bz2").read
+    res = Proxy::OpenSCAP::OvalReportParser.new.parse_cves oval_report
+    refute res.empty?
+    assert res.first[:result]
+    refute res.first[:references].empty?
+  end
+end

data/test/post_oval_report_api_test.rb

@@ -0,0 +1,30 @@
+require 'test_helper'
+require 'smart_proxy_openscap'
+require 'smart_proxy_openscap/openscap_api'
+
+ENV['RACK_ENV'] = 'test'
+
+class PostOvalReportApiTest < Test::Unit::TestCase
+  include Rack::Test::Methods
+
+  setup do
+    @foreman_url = 'https://foreman.example.com'
+    Proxy::SETTINGS.stubs(:foreman_url).returns(@foreman_url)
+    @oval_report = File.open("#{Dir.getwd}/test/data/oval-results.xml.bz2").read
+    @cname = 'node.example.org'
+    @date = Time.now.to_i
+    @policy_id = 1
+    Proxy::OpenSCAP.stubs(:common_name).returns(@cname)
+  end
+
+  def app
+    ::Proxy::OpenSCAP::Api.new
+  end
+
+  def test_post_oval_report_to_foreman
+    stub_request(:post, "#{@foreman_url}/api/v2/compliance/oval_reports/#{@cname}/#{@policy_id}/#{@date}")
+      .to_return(:status => 200, :body => '{ "result": "ok" }')
+    post "/oval_reports/#{@policy_id}", @oval_report, 'CONTENT_TYPE' => 'text/xml', 'CONTENT_ENCODING' => 'x-bzip2'
+    assert(last_response.successful?, "Should be a success")
+  end
+end