Merge 9c815bd into 067071a

package/yast2-security.spec

@@ -43,6 +43,8 @@ BuildRequires:  yast2 >= 4.4.47
 BuildRequires:  augeas-lenses
 # Y2Storage::StorageManager
 BuildRequires:  yast2-storage-ng
+# Yast::Lan and Y2Network
+BuildRequires:  yast2-network
 # Unfortunately we cannot move this to macros.yast,
 # bcond within macros are ignored by osc/OBS.
 %bcond_with yast_run_ci_tests
@@ -63,6 +65,8 @@ Requires:       yast2-bootloader
 Requires:       augeas-lenses
 # Y2Storage::StorageManager
 Requires:       yast2-storage-ng
+# Yast::Lan and Y2Network
+Requires:       yast2-network
 
 Provides:       y2c_sec yast2-config-security
 Provides:       yast2-trans-security y2t_sec

src/clients/security_policy_proposal.rb

@@ -0,0 +1,22 @@
+# Copyright (c) [2022] SUSE LLC
+#
+# All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of version 2 of the GNU General Public License as published
+# by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+# more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, contact SUSE LLC.
+#
+# To contact SUSE LLC about this file by physical or electronic mail, you may
+# find current contact information at www.suse.com.
+
+require "y2security/clients/security_policy_proposal"
+
+Y2Security::Clients::SecurityPolicyProposal.new.run

src/lib/y2security/clients/security_policy_proposal.rb

@@ -0,0 +1,117 @@
+# Copyright (c) [2022] SUSE LLC
+#
+# All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of version 2 of the GNU General Public License as published
+# by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+# more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, contact SUSE LLC.
+#
+# To contact SUSE LLC about this file by physical or electronic mail, you may
+# find current contact information at www.suse.com.
+#
+require "installation/proposal_client"
+require "y2security/security_policy"
+require "y2security/security_policy_issues"
+
+module Y2Security
+  module Clients
+    # Proposal client to enable/disable security policies
+    class SecurityPolicyProposal < ::Installation::ProposalClient
+      include Yast::I18n
+      include Yast::Logger
+
+      LINKS = [
+        LINK_ENABLE = "security-policy--enable".freeze,
+        LINK_DISABLE = "security-policy--disable".freeze
+      ].freeze
+
+      LINK_DIALOG = "security_policy".freeze
+
+      def initialize
+        super
+        Yast.import "UI"
+        Yast.import "HTML"
+        textdomain "security"
+      end
+
+      def description
+        {
+          # Proposal title
+          "rich_text_title" => _("Security Policy"),
+          # Menu entry label
+          "menu_title"      => _("&Security Policy"),
+          "id"              => LINK_DIALOG
+        }
+      end
+
+      def make_proposal(_attrs)
+        {
+          "preformatted_proposal" => preformatted_proposal,
+          "warning_level"         => warning_level,
+          "links"                 => LINKS,
+          "warning"               => warning_message
+        }
+      end
+
+      def preformatted_proposal
+        link = if stig_policy.enabled?
+          _(
+            "STIG is enabled (<a href=\"%s\">disable</a>)"
+          ) % LINK_DISABLE
+        else
+          _(
+            "STIG is not enabled (<a href=\"%s\">enable</a>)"
+          ) % LINK_ENABLE
+        end
+        Yast::HTML.List([link])
+      end
+
+      def ask_user(param)
+        chosen_link = param["chosen_id"]
+        case chosen_link
+        when LINK_DISABLE
+          stig_policy.disable
+        when LINK_ENABLE
+          stig_policy.enable
+        end
+
+        { "workflow_result" => :again }
+      end
+
+    private
+
+      def enable_stig
+        stig_policy.enable
+      end
+
+      def disable_stig
+        stig_policy.disable
+      end
+
+      def warning_message
+        return nil unless stig_policy.enabled?
+
+        issues = stig_policy.issues
+        return nil if issues.empty?
+
+        Yast::HTML.List(issues.map(&:message))
+      end
+
+      def warning_level
+        :error
+      end
+
+      def stig_policy
+        @stig_policy ||= Y2Security::SecurityPolicy.find(:stig)
+      end
+    end
+  end
+end

src/lib/y2security/security_policy.rb

@@ -0,0 +1,123 @@
+# Copyright (c) [2022] SUSE LLC
+#
+# All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of version 2 of the GNU General Public License as published
+# by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+# more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, contact SUSE LLC.
+#
+# To contact SUSE LLC about this file by physical or electronic mail, you may
+# find current contact information at www.suse.com.
+
+require "y2security/security_policy_validator"
+require "y2security/security_policy_issues"
+
+module Y2Security
+  # This class represents a security policy
+  #
+  # It offers an API to get the security policies and run validations.
+  #
+  # @example Get all known security policies
+  #   SecurityPolicy.all #=> [#<Y2Security::SecurityPolicy...>]
+  #   SecurityPolicy.all.map(&:name) #=> ["STIG"]
+  #
+  # @example Run STIG networking validation
+  #   policy = SecurityPolicy.find(:stig)
+  #   policy.validate(:network)
+  #   policy.issues.map(&:to_message) #=> ["Wireless devices are not allowed"]
+  class SecurityPolicy
+    # @return [Symbol] Security policy ID
+    attr_reader :id
+    # @return [String] Security policy name
+    attr_reader :name
+
+    class << self
+      # Returns the list of known security policies
+      #
+      # @return [Array<SecurityPolicy>]
+      def all
+        @all ||= [STIG]
+      end
+
+      # Returns the security policy with the given ID
+      #
+      # @param id [Symbol] Security policy ID
+      def find(id)
+        all.find { |a| a.id == id }
+      end
+
+      # Returns the enabled policies
+      #
+      # @return [Array<SecurityPolicy>] List of enabled security policies
+      def enabled
+        all.select(&:enabled?)
+      end
+    end
+
+    # @param id [String] Security policy ID (kind of internal identifier)
+    # @param name [String] Security policy name
+    def initialize(id, name)
+      @id = id
+      @name = name
+      @enabled = false
+    end
+
+    # Runs the validation for the given scope
+    #
+    # It updates the list of issues with the results from validating
+    # the given scope.
+    #
+    # @example Run validation for the storage settings
+    #   policy = SecurityPolicy.find(:stig)
+    #   policy.validate(:storage)
+    #   policy.issues.map(&:to_message) #=> ["root device should be encrypted"]
+    #
+    # @param scope [Symbol] Scope to validate (:network, :storage, :bootloader, etc.)
+    def validate(scope)
+      issues.update(validator.issues(scope))
+    end
+
+    # Return the list of validation issues
+    #
+    # @return [SecurityPolicyIssues] List of validation issues
+    def issues
+      @issues ||= SecurityPolicyIssues.new
+    end
+
+    # Enables the policy
+    def enable
+      @enabled = true
+    end
+
+    # Disables the policy
+    def disable
+      @enabled = false
+    end
+
+    # Determines whether the policy is enabled or not
+    #
+    # @return [Boolean] true if it is enabled; false otherwise
+    def enabled?
+      @enabled
+    end
+
+  private
+
+    # Returns the associated validator
+    #
+    # @return [SecurityPolicyValidator]
+    def validator
+      @validator ||= SecurityPolicyValidator.for(self)
+    end
+
+    STIG = new(:stig, "STIG")
+  end
+end

src/lib/y2security/security_policy_issues.rb

@@ -0,0 +1,36 @@
+# Copyright (c) [2022] SUSE LLC
+#
+# All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of version 2 of the GNU General Public License as published
+# by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+# more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, contact SUSE LLC.
+#
+# To contact SUSE LLC about this file by physical or electronic mail, you may
+# find current contact information at www.suse.com.
+
+require "yast"
+require "y2issues/list"
+require "singleton"
+
+module Y2Security
+  # List of security policy issues
+  class SecurityPolicyIssues < Y2Issues::List
+    def update(issues)
+      scopes = issues.map { |i| i.location&.path }.compact
+      other_issues = @items.reject do |item|
+        scopes.include?(item.location&.path)
+      end
+
+      @items = other_issues + issues.to_a
+    end
+  end
+end

src/lib/y2security/security_policy_validator.rb

@@ -0,0 +1,43 @@
+# Copyright (c) [2022] SUSE LLC
+#
+# All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of version 2 of the GNU General Public License as published
+# by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+# more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, contact SUSE LLC.
+#
+# To contact SUSE LLC about this file by physical or electronic mail, you may
+# find current contact information at www.suse.com.
+
+require "yast"
+
+module Y2Security
+  # Base class for security policies validators
+  class SecurityPolicyValidator
+    class << self
+      # Returns a validator for the given policy
+      #
+      # @param policy [SecurityPolicy] Security policy to build the validator for
+      def for(policy)
+        require "y2security/#{policy.id}_validator"
+        klass = Module.const_get("Y2Security::#{policy.id.capitalize}Validator")
+        klass.new
+      rescue LoadError, NameError => e
+        log.info "Could not load a validator for #{policy}: #{e.message}"
+      end
+    end
+
+    # Returns the issues found for the given scope
+    #
+    # @param _scope [Symbol] Scope to validate (:network, :storage, :bootloader, etc.)
+    def issues(_scope); end
+  end
+end