Fixes #14158 - Add tailoring file for scans
Ondrej Prazak
committed
Nov 18, 2016
1 parent
c3d10e2
commit 796d88b
Showing
12 changed files
with
211 additions
and
60 deletions.
@@ -0,0 +1,50 @@ | ||
module Proxy::OpenSCAP | ||
class FetchFile | ||
include ::Proxy::Log | ||
|
||
private | ||
|
||
def create_store_dir(store_dir) | ||
logger.info "Creating directory to store SCAP file: #{store_dir}" | ||
FileUtils.mkdir_p(store_dir) # will fail silently if exists | ||
rescue Errno::EACCES => e | ||
logger.error "No permission to create directory #{store_dir}" | ||
raise e | ||
rescue StandardError => e | ||
logger.error "Could not create '#{store_dir}' directory: #{e.message}" | ||
raise e | ||
end | ||
|
||
def policy_content_file(policy_scap_file) | ||
return nil if !File.file?(policy_scap_file) || File.zero?(policy_scap_file) | ||
File.open(policy_scap_file, 'rb').read | ||
end | ||
|
||
def save_or_serve_scap_file(policy_id, policy_scap_file, file_download_path) | ||
lock = Proxy::FileLock::try_locking(policy_scap_file) | ||
response = fetch_scap_content_xml(policy_id, policy_scap_file, file_download_path) | ||
if lock.nil? | ||
return response | ||
else | ||
begin | ||
File.open(policy_scap_file, 'wb') do |file| | ||
file << response | ||
end | ||
ensure | ||
Proxy::FileLock::unlock(lock) | ||
end | ||
scap_file = policy_content_file(policy_scap_file) | ||
raise FileNotFound if scap_file.nil? | ||
return scap_file | ||
end | ||
end | ||
|
||
def fetch_scap_content_xml(policy_id, policy_scap_file, file_download_path) | ||
foreman_request = Proxy::HttpRequest::ForemanRequest.new | ||
req = foreman_request.request_factory.create_get(file_download_path) | ||
response = foreman_request.send_request(req) | ||
response.value | ||
response.body | ||
end | ||
end | ||
end |
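Review bot: The lock obtained by `Proxy::FileLock::try_locking(policy_scap_file)` in save_or_serve_scap_file is never released when fetch_scap_content_xml raises, because `response.value` raises on a non-2xx status and the `begin`/`ensure` that calls unlock only starts after the fetch has returned. Moving the fetch inside the protected region and guarding the unlock on a non-nil lock closes that gap; otherwise a failed Foreman fetch presumably leaves the file lock held (the lock implementation is not in this diff). Separately, policy_content_file's `File.open(policy_scap_file, 'rb').read` leaves the descriptor open until garbage collection; `File.binread(policy_scap_file)` is the idiomatic one-liner. The `policy_id` and `policy_scap_file` parameters of fetch_scap_content_xml are unused on the new side and deserve a comment if they are kept for interface compatibility.
```ruby
    def save_or_serve_scap_file(policy_id, policy_scap_file, file_download_path)
      lock = Proxy::FileLock::try_locking(policy_scap_file)
      begin
        response = fetch_scap_content_xml(policy_id, policy_scap_file, file_download_path)
        # no lock: another request is writing the cache file, serve the fetched body directly
        return response if lock.nil?
        File.open(policy_scap_file, 'wb') { |file| file << response }
      ensure
        Proxy::FileLock::unlock(lock) unless lock.nil?
      end
      scap_file = policy_content_file(policy_scap_file)
      raise FileNotFound if scap_file.nil?
      scap_file
    end
```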
@@ -1,58 +1,17 @@ | ||
require 'smart_proxy_openscap/fetch_file' | ||
|
||
module Proxy::OpenSCAP | ||
class FetchScapContent | ||
include ::Proxy::Log | ||
class FetchScapContent < FetchFile | ||
|
||
def get_policy_content(policy_id) | ||
policy_store_dir = File.join(Proxy::OpenSCAP.fullpath(Proxy::OpenSCAP::Plugin.settings.contentdir), policy_id.to_s) | ||
policy_scap_file = File.join(policy_store_dir, "#{policy_id}_scap_content.xml") | ||
begin | ||
logger.info "Creating directory to store SCAP file: #{policy_store_dir}" | ||
FileUtils.mkdir_p(policy_store_dir) # will fail silently if exists | ||
rescue Errno::EACCES => e | ||
logger.error "No permission to create directory #{policy_store_dir}" | ||
raise e | ||
rescue StandardError => e | ||
logger.error "Could not create '#{policy_store_dir}' directory: #{e.message}" | ||
raise e | ||
end | ||
|
||
scap_file = policy_content_file(policy_scap_file) | ||
scap_file ||= save_or_serve_scap_file(policy_id, policy_scap_file) | ||
scap_file | ||
end | ||
file_download_path = "api/v2/compliance/policies/#{policy_id}/content" | ||
|
||
private | ||
create_store_dir policy_store_dir | ||
|
||
def policy_content_file(policy_scap_file) | ||
return nil if !File.file?(policy_scap_file) || File.zero?(policy_scap_file) | ||
File.open(policy_scap_file, 'rb').read | ||
end | ||
|
||
def save_or_serve_scap_file(policy_id, policy_scap_file) | ||
lock = Proxy::FileLock::try_locking(policy_scap_file) | ||
response = fetch_scap_content_xml(policy_id, policy_scap_file) | ||
if lock.nil? | ||
return response | ||
else | ||
begin | ||
File.open(policy_scap_file, 'wb') do |file| | ||
file << response | ||
end | ||
ensure | ||
Proxy::FileLock::unlock(lock) | ||
end | ||
scap_file = policy_content_file(policy_scap_file) | ||
raise FileNotFound if scap_file.nil? | ||
return scap_file | ||
end | ||
end | ||
|
||
def fetch_scap_content_xml(policy_id, policy_scap_file) | ||
foreman_request = Proxy::HttpRequest::ForemanRequest.new | ||
policy_content_path = "api/v2/compliance/policies/#{policy_id}/content" | ||
req = foreman_request.request_factory.create_get(policy_content_path) | ||
response = foreman_request.send_request(req) | ||
response.value | ||
response.body | ||
scap_file = policy_content_file(policy_scap_file) | ||
scap_file ||= save_or_serve_scap_file(policy_id, policy_scap_file, file_download_path) | ||
end | ||
end | ||
end |
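Review bot: get_policy_content's final line `scap_file ||= save_or_serve_scap_file(policy_id, policy_scap_file, file_download_path)` yields the method's result only through the value of the assignment, and the local is never read again; `policy_content_file(policy_scap_file) || save_or_serve_scap_file(policy_id, policy_scap_file, file_download_path)` says the same thing without the dangling variable. The identical two-line tail appears in FetchTailoringFile#get_tailoring_file in this commit. The two subclasses now differ only in the settings directory, the file-name suffix and the Foreman URL segment, so a single template method on FetchFile taking those three as keyword arguments would remove the duplication; failing that, FetchFile deserves a class comment stating that subclasses must call create_store_dir before policy_content_file/save_or_serve_scap_file, since nothing enforces that order.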
@@ -0,0 +1,16 @@ | ||
require 'smart_proxy_openscap/fetch_file' | ||
|
||
module Proxy::OpenSCAP | ||
class FetchTailoringFile < FetchFile | ||
def get_tailoring_file(policy_id) | ||
store_dir = File.join(Proxy::OpenSCAP.fullpath(Proxy::OpenSCAP::Plugin.settings.tailoringdir), policy_id.to_s) | ||
policy_tailoring_file = File.join(store_dir, "#{policy_id}_tailoring_file.xml") | ||
file_download_path = "api/v2/compliance/policies/#{policy_id}/tailoring" | ||
|
||
create_store_dir store_dir | ||
|
||
scap_file = policy_content_file(policy_tailoring_file) | ||
scap_file ||= save_or_serve_scap_file(policy_id, policy_tailoring_file, file_download_path) | ||
end | ||
end | ||
end |
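Review bot: policy_id is interpolated into a filesystem path (`File.join(store_dir, "#{policy_id}_tailoring_file.xml")` and the directory above it, which create_store_dir then creates) and into the Foreman request path without any check on its form; the route that supplies it is not in this diff, so if it can arrive as an arbitrary string I would add `Integer(policy_id)` (or `raise ArgumentError, 'policy_id must be numeric' unless policy_id.to_s =~ /\A\d+\z/`) at the top of get_tailoring_file so a malformed id fails before any directory is created. The local is named scap_file although it holds the tailoring document; `tailoring_file` reads better, or drop the assignment and return `policy_content_file(policy_tailoring_file) || save_or_serve_scap_file(policy_id, policy_tailoring_file, file_download_path)`. Note that once a non-empty tailoring file exists under tailoringdir this code serves it from disk and never re-fetches it; that mirrors FetchScapContent but is worth a one-line comment on the method so that a changed tailoring in Foreman is not expected to propagate by itself.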
@@ -0,0 +1,31 @@ | ||
<?xml version="1.0" encoding="UTF-8"?> | ||
<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" id="xccdf_scap-workbench_tailoring_default"> | ||
<xccdf:benchmark href="/usr/share/xml/scap/ssg/content/ssg-firefox-ds.xml"/> | ||
<xccdf:version time="2016-11-10T11:24:26">1</xccdf:version> | ||
<xccdf:Profile id="xccdf_org.ssgproject.content_profile_stig-firefox-upstream_customized" extends="xccdf_org.ssgproject.content_profile_stig-firefox-upstream"> | ||
<xccdf:title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Upstream Firefox STIG [CUSTOMIZED]</xccdf:title> | ||
<xccdf:description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This profile is developed under the DoD consensus model and DISA FSO Vendor STIG process, | ||
serving as the upstream development environment for the Firefox STIG. | ||
|
||
As a result of the upstream/downstream relationship between the SCAP Security Guide project | ||
and the official DISA FSO STIG baseline, users should expect variance between SSG and DISA FSO content. | ||
For official DISA FSO STIG content, refer to http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx. | ||
|
||
While this profile is packaged by Red Hat as part of the SCAP Security Guide package, please note | ||
that commercial support of this SCAP content is NOT available. This profile is provided as example | ||
SCAP content with no endorsement for suitability or production readiness. Support for this | ||
profile is provided by the upstream SCAP Security Guide community on a best-effort basis. The | ||
upstream project homepage is https://fedorahosted.org/scap-security-guide/. | ||
</xccdf:description> | ||
<xccdf:select idref="xccdf_org.ssgproject.content_rule_firefox_preferences-non-secure_page_warning" selected="true"/> | ||
<xccdf:select idref="xccdf_org.ssgproject.content_rule_firefox_preferences-javascript_status_bar_text" selected="true"/> | ||
<xccdf:select idref="xccdf_org.ssgproject.content_rule_firefox_preferences-javascript_context_menus" selected="true"/> | ||
<xccdf:select idref="xccdf_org.ssgproject.content_rule_firefox_preferences-javascript_status_bar_changes" selected="true"/> | ||
<xccdf:select idref="xccdf_org.ssgproject.content_rule_firefox_preferences-javascript_window_resizing" selected="true"/> | ||
<xccdf:select idref="xccdf_org.ssgproject.content_rule_firefox_preferences-javascript_window_changes" selected="true"/> | ||
<xccdf:select idref="xccdf_org.ssgproject.content_rule_firefox_preferences-auto-update_of_firefox" selected="false"/> | ||
<xccdf:select idref="xccdf_org.ssgproject.content_rule_firefox_preferences-autofill_passwords" selected="false"/> | ||
<xccdf:select idref="xccdf_org.ssgproject.content_rule_firefox_preferences-autofill_forms" selected="false"/> | ||
<xccdf:select idref="xccdf_org.ssgproject.content_rule_firefox_preferences-addons_plugin_updates" selected="false"/> | ||
</xccdf:Profile> | ||
</xccdf:Tailoring> |
@@ -0,0 +1,36 @@ | ||
require 'test_helper' | ||
require 'smart_proxy_openscap' | ||
require 'smart_proxy_openscap/openscap_api' | ||
|
||
ENV['RACK_ENV'] = 'test' | ||
|
||
class FetchTailoringApiTest < Test::Unit::TestCase | ||
include Rack::Test::Methods | ||
|
||
def setup | ||
@foreman_url = 'https://foreman.example.com' | ||
Proxy::SETTINGS.stubs(:foreman_url).returns(@foreman_url) | ||
@results_path = ("#{Dir.getwd}/test/test_run_files") | ||
FileUtils.mkdir_p(@results_path) | ||
Proxy::OpenSCAP::Plugin.settings.stubs(:tailoringdir).returns(@results_path) | ||
@tailoring_file = File.new("#{Dir.getwd}/test/data/tailoring.xml").read | ||
@policy_id = 1 | ||
end | ||
|
||
def teardown | ||
FileUtils.rm_rf(Dir.glob("#{@results_path}/*")) | ||
end | ||
|
||
def app | ||
::Proxy::OpenSCAP::Api.new | ||
end | ||
|
||
def test_get_tailoring_file_from_file | ||
FileUtils.mkdir("#{@results_path}/#{@policy_id}") | ||
FileUtils.cp("#{Dir.getwd}/test/data/tailoring.xml", "#{@results_path}/#{@policy_id}/#{@policy_id}_tailoring_file.xml") | ||
get "/policies/#{@policy_id}/tailoring" | ||
assert_equal("application/xml;charset=utf-8", last_response.header["Content-Type"], "Response header should be application/xml") | ||
assert_equal(@tailoring_file.length, last_response.length, "Scap content should be equal") | ||
assert(last_response.successful?, "Response should be success") | ||
end | ||
end |
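Review bot: test_get_tailoring_file_from_file compares only `last_response.length` with the fixture's length, which passes for any body of the same size; `assert_equal(@tailoring_file, last_response.body, "Tailoring content should be equal")` pins the actual content. The test also exercises only the served-from-disk path: the fetch-from-Foreman branch of save_or_serve_scap_file and the FileNotFound path (an empty file on disk) have no coverage here, and the latter is a two-line test (`FileUtils.touch` the cached file, then `get` and assert on whatever status the API maps FileNotFound to). In setup, `File.new("#{Dir.getwd}/test/data/tailoring.xml").read` leaves the handle open; `File.read(...)` is the usual form.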