Fixes #16411: Change the packaging to pass via the Rudder api to inst…

…all the plugin
Normation · Dec 17, 2019 · 74f927b · 74f927b
1 parent c666db9
commit 74f927b
Show file tree

Hide file tree

Showing 10 changed files with 282 additions and 83 deletions.
diff --git a/openscap-report/Makefile b/openscap-report/Makefile
@@ -1,24 +1,33 @@
-FILES = ncf techniques
+# Usage: $(GET) <destination_file> <url> <hash>
+PROXY_ENV = $(if $(PROXY), http_proxy=$(PROXY) ftp_proxy=$(PROXY))
+# No accept encoding to prevent the webserver form altering the distributed file
+# Pass an empty string to skip hash check
+# grep 'GET=' */SOURCES/Makefile to patch everywhere
+GET=get() { $(PROXY_ENV) curl -s -L -o "$$1.part" "$$2" && { openssl dgst -sha256 "$$1.part" | grep -q "$$3" || { echo "Wrong checksum, aborting"; exit 1; }; } && mv "$$1.part" "$$1"; }; get
+
+RUDDER_SYNCHRONIZE_SHA256 = fcfd9ea8c574c120424f16b661f8f75696a410e243ee030a79dc8dd3743e6f42
+FILES = remove-configuration rudder-synchronize openscap-policies.json techniques
 SCRIPTS = postinst prerm
 OTHER_ARCHIVES = target/external-report.txz
 
-TECHNIQUES=$(shell ls -1 configuration-repository/ncf/50_techniques)
-
 include ../makefiles/common-plugin.mk
 
-target/ncf:
-	cp -a configuration-repository/ncf target
-
 target/techniques:
-	cp -a configuration-repository/techniques target
-	mkdir -p target/techniques/ncf_techniques
-	for technique in "$(TECHNIQUES)";                                \
-	do                                                               \
-		cd target && mkdir -p techniques/plugin_openscap_report/$$technique && cd -;  \
-		cd target/techniques/ncf_techniques && ln -rs ../plugin_openscap_report/$$technique $$techniques  && cd -;   \
-	done;
+	cp -r configuration/techniques target/techniques
+
+target/remove-configuration:
+	cp packaging/remove-configuration target/remove-configuration
+
+target/openscap-policies.json:
+	tools/openscap-policies
+
+target/rudder-synchronize:
+	$(GET) target/rudder-synchronize https://repository.rudder.io/tools/rudder-synchronize $(RUDDER_SYNCHRONIZE_SHA256)
 
 target/external-report.txz:
 	cp -a src/node-external-reports.properties target/
 	tar cJ -C target -f target/external-report.txz node-external-reports.properties
 
+clean:
+	rm -f $(FULL_NAME)-*.rpkg pom.xml
+	rm -rf target
diff --git a/openscap-report/build.conf b/openscap-report/build.conf
@@ -7,7 +7,7 @@
 #
 
 # Unique identifier of the plugin
-plugin-name=openscap-report
+plugin-name=openscap-policies
 # the full name is derived from rudder-plugin-name
 plugin-fullname=rudder-plugin-${plugin-name}
 

diff --git a/...nfiguration-repository/ncf/50_techniques/plugin_openscap_report/plugin_openscap_report.cf b/...nfiguration-repository/ncf/50_techniques/plugin_openscap_report/plugin_openscap_report.cf
diff --git a/openscap-report/configuration-repository/techniques/plugin_openscap_report/category.xml b/openscap-report/configuration-repository/techniques/plugin_openscap_report/category.xml
diff --git a/openscap-report/configuration/techniques/plugin_openscap_report.json b/openscap-report/configuration/techniques/plugin_openscap_report.json
@@ -0,0 +1,97 @@
+{
+  "type": "ncf_technique",
+  "version": 1,
+  "data": {
+    "bundle_args": [
+      "profile",
+      "scap_file"
+    ],
+    "bundle_name": "plugin_openscap_report",
+    "description": "This technique will trigger an openscap audit every hour on the agent.",
+    "name": "plugin_openscap_report",
+    "version": "1.0",
+    "parameter": [
+      {
+        "constraints": {
+          "allow_empty_string": false,
+          "allow_whitespace_string": false,
+          "max_length": 16384
+        },
+        "id": "0bad6c1e-59c9-44ca-a935-210af4188643",
+        "name": "profile"
+      },
+      {
+        "constraints": {
+          "allow_empty_string": false,
+          "allow_whitespace_string": false,
+          "max_length": 16384
+        },
+        "id": "182dffe7-4310-4e01-bdd0-3f7db8272e2f",
+        "name": "scap_file"
+      }
+    ],
+    "method_calls": [
+      {
+        "args": [
+          "openscap",
+          "5",
+          "5",
+          "0",
+          "10",
+          "15",
+          "1",
+          "0",
+          "1",
+          "0",
+          "nodups"
+        ],
+        "class_context": "any",
+        "method_name": "schedule_simple",
+        "component": "Schedule Simple"
+      },
+      {
+        "args": [
+          "openscap-scanner",
+          "",
+          "",
+          ""
+        ],
+        "class_context": "any",
+        "method_name": "package_present",
+        "component": "Package present"
+      },
+      {
+        "args": [
+          "scap-security-guide",
+          "",
+          "",
+          ""
+        ],
+        "class_context": "any",
+        "method_name": "package_present",
+        "component": "Package present"
+      },
+      {
+        "args": [
+          "oscap xccdf eval --profile ${profile} --report /var/rudder/tmp/openscap_report.html ${scap_file}",
+          "0,2",
+          "254"
+        ],
+        "class_context": "any.(schedule_simple_openscap_repaired)",
+        "method_name": "command_execution_result",
+        "component": "run scan Openscap"
+      },
+      {
+        "args": [
+          "root",
+          "report.html",
+          "/var/rudder/tmp/openscap_report.html",
+          "1d"
+        ],
+        "class_context": "any",
+        "method_name": "sharedfile_to_node",
+        "component": "send report to server"
+      }
+    ]
+  }
+}
diff --git a/openscap-report/packaging/metadata b/openscap-report/packaging/metadata
@@ -5,7 +5,7 @@
   "build-date": "${maven.build.timestamp}",
   "build-commit": "${commit-id}",
   "content": {
-    "files.txz": "/var/rudder/configuration-repository",
-    "external-report.txz": "/var/rudder/packages/rudder-plugin-openscap-report"
+    "files.txz": "/var/rudder/packages/${plugin-id}",
+    "external-report.txz": "/var/rudder/packages/${plugin-id}"
   }
 }
diff --git a/openscap-report/packaging/postinst b/openscap-report/packaging/postinst
@@ -1,16 +1,50 @@
 #!/bin/bash
 set -x
+PLUGIN_FULL_NAME="rudder-plugin-openscap-policies"
+PLUGIN_NAME="openscap-policies"
+PRETTY_NAME="OpenSCAP Policies"
+CONFIGURATION_PATH=/var/rudder/packages/$PLUGIN_FULL_NAME
 
-# Import Ansible Technique
-FOLDERS="ncf/50_techniques/plugin_openscap_report techniques/plugin_openscap_report techniques/ncf_techniques"
-cd /var/rudder/configuration-repository/
+# Code below should be mostly comon between the plugins
+SOURCE_DIR=${CONFIGURATION_PATH}/techniques
+CONFIG_REPO=/var/rudder/configuration-repository
+
+CATEGORY="$PRETTY_NAME plugin"
+C_CATEGORY=$(echo $CATEGORY | sed "s/[^a-zA-Z0-9_]/_/g")
+FOLDERS="techniques/$C_CATEGORY techniques/ncf_techniques"
+
+mkdir -p $CONFIG_REPO/techniques/$C_CATEGORY
+
+cat <<EOT > $CONFIG_REPO/techniques/$C_CATEGORY/category.xml
+<xml>
+  <name>$CATEGORY</name>
+  <description>
+    Techniques from the $PRETTY_NAME plugin
+  </description>
+</xml>
+EOT
+
+
+for file in $SOURCE_DIR/*; do
+  BASE=$(echo $file | sed "s/.*\///" | sed "s/\.[^.]*$//")
+  C_BASE=$(echo $BASE | sed "s/[^a-zA-Z0-9_]/_/g")
+  mkdir -p $CONFIG_REPO/techniques/$C_CATEGORY/$C_BASE
+  cd $CONFIG_REPO/techniques/ncf_techniques && ln -nrs $CONFIG_REPO/techniques/$C_CATEGORY/$C_BASE && cd -
+done
+
+cd $CONFIG_REPO
 git reset
-for folder in $FOLDERS
+for file in $FOLDERS
 do
-  chown -R ncf-api-venv:rudder $folder
-  chmod 664 -R $folder
-  chmod -R +X $folder
-  git add $folder
+  git add $file
 done
-git commit -m "OpenSCAP-report plugin installation"
+/opt/rudder/bin/rudder-fix-repository-permissions
+git commit -m "$CATEGORY start installation"
+
+# Make extra scripts executables
+chmod +x $CONFIGURATION_PATH/rudder-synchronize
+
+# Import Techniques
+${CONFIGURATION_PATH}/rudder-synchronize import technique ${CONFIGURATION_PATH}/techniques
+git add techniques/$C_CATEGORY && git commit -m "$CATEGORY end installation"
 rudder server reload-techniques
diff --git a/openscap-report/packaging/prerm b/openscap-report/packaging/prerm
@@ -1,18 +1,29 @@
 #!/bin/bash
 set -x
+PLUGIN_FULL_NAME="rudder-plugin-openscap-policies"
+PLUGIN_NAME="openscap-policies"
+PRETTY_NAME="OpenSCAP Policies"
+CONFIGURATION_PATH=/var/rudder/packages/$PLUGIN_FULL_NAME
+CATEGORY="$PRETTY_NAME plugin"
+C_CATEGORY=$(echo $CATEGORY | sed "s/[^a-zA-Z0-9_]/_/g")
 
-# Import Ansible Technique
-NAME=plugin_openscap_report
-FOLDERS="ncf/50_techniques techniques dsc/ncf/50_techniques techniques/ncf_techniques"
-cd /var/rudder/configuration-repository/
 git reset
-for folder in $FOLDERS
-do
-  git rm -r $folder/$NAME
-done
+# Remove technique
+$CONFIGURATION_PATH/remove-configuration
+
+# Remove techniques symlink and ncf ones
+cd /var/rudder/configuration-repository
+
+TECHNIQUES=$(jq -r '.techniques[]' $CONFIGURATION_PATH/$PLUGIN_NAME.json | sed "s%^%$CONFIGURATION_PATH/techniques/%" | xargs jq -r '.data.bundle_name')
+for file in $TECHNIQUES; do
+  git rm -rf --ignore-unmatch techniques/ncf_techniques/$file
+  git rm -rf --ignore-unmatch ncf/50_techniques/$file
+done;
+
+# Remove category
+cd /var/rudder/configuration-repository/techniques
+git rm -rf $C_CATEGORY
 git commit -m "OpenSCAP-report plugin uninstallation"
-# need to be run 2 times to be updated, first one will fail
-# TODO #16053
-rudder server reload-techniques || /bin/true
+
 rudder server reload-techniques
 
diff --git a/openscap-report/packaging/remove-configuration b/openscap-report/packaging/remove-configuration
@@ -0,0 +1,53 @@
+#!/usr/bin/python
+import sys, json, re
+# Hack to import rudder lib, remove, some day ...
+sys.path.insert(0, "/usr/share/rudder-api-client/")
+from rudder import RudderEndPoint, RudderError
+
+def canonify(string):
+  string = string.encode("utf-8").decode("iso-8859-1")
+  regex = re.compile("[^a-zA-Z0-9_]")
+  return regex.sub("_", string)
+
+PLUGIN_NAME="openscap-policies"
+PLUGIN_FULLNAME="rudder-plugin-" + PLUGIN_NAME
+PLUGIN_PRETTY_NAME="OpenSCAP Policies"
+CATEGORY_NAME=canonify(PLUGIN_PRETTY_NAME + " plugin")
+
+with open('/var/rudder/run/api-token') as ftoken:
+    TOKEN = ftoken.read()
+RUDDER_URL="https://localhost/rudder"
+TRACK_FILE_PATH="/var/rudder/packages/" + PLUGIN_FULLNAME + "/" + PLUGIN_NAME + ".json"
+
+endpoint = RudderEndPoint(RUDDER_URL, TOKEN, verify=False)
+RED = '\033[91m'
+ENDC = '\033[0m'
+GREEN = '\033[92m'
+
+def removeTechniques(techniques):
+    techniquesEndpoint = RudderEndPoint("https://localhost/ncf", TOKEN, verify=False)
+    for iTechnique in techniques:
+        try:
+            with open("/var/rudder/packages/" + PLUGIN_FULLNAME + "/techniques/" + iTechnique) as f:
+                data = json.load(f)["data"]
+            techniqueName = data["name"]
+            if canonify(techniqueName) in TECHNIQUES:
+                delete = techniquesEndpoint.request("DELETE", "/api/techniques/" + canonify(techniqueName) + "?path=/var/rudder/configuration-repository/ncf")
+                print(GREEN + "Successfully removed technique %s"%techniqueName + ENDC)
+            else:
+                print(GREEN + "Could not find technique %s"%techniqueName + ENDC)
+        except RudderError as e:
+            print(RED + e.message + ENDC)
+
+try:
+    with open(TRACK_FILE_PATH) as f:
+        data = json.load(f)
+except Exception as e:
+    print("Could not open %s"%TRACK_FILE_PATH)
+    print(e)
+    exit(1)
+
+TECHNIQUES = [iTechnique["name"] for iTechnique in endpoint.list_techniques()["techniques"]]
+
+removeTechniques(data["techniques"])
+