# frozen_string_literal: true require 'thor' require 'git' require 'docker' require 'norad_cli/support/api_security_container_seed_script' require 'rspec' class Sectest < Thor include Thor::Actions def self.source_root File.join(File.dirname(File.expand_path(__FILE__)), '../templates/') end desc 'scaffold TESTNAME', 'Create a new security test with standard files + testing' option :test_type, default: 'whole_host', desc: 'The security test type, Options: [authenticated|web_application|brute_force|ssl_crypto|ssh_crypto|whole_host]' option :registry, default: 'norad-registry.cisco.com:5000', desc: 'The Docker registry to store docker images' option :version, default: 'latest', desc: 'The version of the security test' option :base_image, default: 'norad-registry.cisco.com:5000/norad:0.0.1', desc: 'Base Docker image to use (i.e. FROM field in the DOckerfile)' option :authenticated, type: :boolean, default: false, desc: 'Does the security test require authenticating to the unit under test' option :configurable, type: :boolean, default: false, desc: 'Is the security test configurable (e.g. Qualys username and password)' def scaffold(sectest_name) # Grab the current directory repo_dir = Dir.pwd # Set options for templates options[:name] = sectest_name options[:spec_class_name] = sectest_name.split('-').map { |t| t =~ /\d+/ ? t : t.capitalize! }.join # Error check to ensure this is a norad security test repository # Create the security tests standard files template('tool/Dockerfile.erb', "#{repo_dir}/#{sectest_name}/Dockerfile") template('tool/README.md.erb', "#{repo_dir}/#{sectest_name}/README.md") template('tool/manifest.yml.erb', "#{repo_dir}/#{sectest_name}/manifest.yml") # Create a starter wrapper script template('tool/wrapper.rb.erb', "#{repo_dir}/#{sectest_name}/#{sectest_name}-wrapper.rb") # Create the spec files template('tool/tool_spec.rb.erb', "#{repo_dir}/spec/#{sectest_name}/#{sectest_name}_spec.rb") if options[:authenticated] template('tool/Dockerfile.auth.target.erb', "#{repo_dir}/spec/#{sectest_name}/targets/Dockerfile.secure") template('tool/Dockerfile.auth.target.erb', "#{repo_dir}/spec/#{sectest_name}/targets/Dockerfile.vulnerable") else template('tool/Dockerfile.unauth.target.erb', "#{repo_dir}/spec/#{sectest_name}/targets/Dockerfile.secure") template('tool/Dockerfile.unauth.target.erb', "#{repo_dir}/spec/#{sectest_name}/targets/Dockerfile.vulnerable") end end # Define arguments and options desc 'build SECTESTNAME', 'Builds the docker image for the security test SECTESTNAME' option :registry, default: 'norad-registry.cisco.com:5000', desc: 'The Docker registry for Docker images' option :version, default: 'latest', desc: 'The version of the sectest container to build' def build(name) imgs_to_build = {} imgs_to_build[name.to_s] = "#{options[:registry]}/#{name}:#{options[:version]}" # Check for the Dockerfile if !dockerfile?(imgs_to_build.keys[0]) say("Missing #{imgs_to_build.keys[0]}/Dockerfile", :red) exit(1) end # Determine if base image needs to be built base_img = extract_base_img(imgs_to_build.keys[0]) while dockerfile?("base/#{base_img[0]}") imgs_to_build["base/#{base_img[0]}"] = base_img[1] base_img = extract_base_img(imgs_to_build.keys[-1]) end # Build the images in reverse (Note: Hashes enumerate their values in insertion order.) Docker.options[:read_timeout] = 36_000 imgs_to_build.keys.reverse_each do |img_dir| say("Building image #{img_dir}...", :green) Docker::Image.build_from_dir(img_dir, t: imgs_to_build[img_dir]) do |v| $stdout.puts v end end end # Define arguments and options desc 'build:specs SECTESTNAME', 'Builds the spec images for the security test SECTESTNAME' option :registry, default: 'norad-registry.cisco.com:5000', desc: 'The Docker registry for Docker images' option :version, default: 'latest', desc: 'The version of the sectest container to build' define_method 'build:specs' do |name| imgs_to_build = {} imgs_to_build["#{File.expand_path(File.dirname(__FILE__))}/../templates/spec/support/Dockerfile.testserver"] = 'docker-images-test-results-server:latest' imgs_to_build["#{File.expand_path(File.dirname(__FILE__))}/../templates/spec/support/Dockerfile.ubuntu_ssh"] = 'docker-images-test-ubuntu-ssh-server:latest' # Determine the Dockerfiles in the assessment spec dir Dir.glob("spec/#{name}/targets/Dockerfile*").each do |entry| entry_components = entry.split('.') imgs_to_build[entry] = "#{name}-#{entry_components[-1]}:latest" end # Build the images Docker.options[:read_timeout] = 36_000 imgs_to_build.keys.each do |img_dir| say("Building image #{img_dir}...", :green) docker_file = img_dir.split('/')[-1] Docker::Image.build_from_dir(img_dir.gsub(docker_file, ''), dockerfile: docker_file, t: imgs_to_build[img_dir]) do |v| $stdout.puts v end end # Pull the apline image for base testing Docker::Image.create('fromImage' => 'alpine:3.4') end # Define arguments and options desc 'build:all SECTESTNAME', 'Builds all images for security test SECTESTNAME' option :registry, default: 'norad-registry.cisco.com:5000', desc: 'The Docker registry for Docker images' option :version, default: 'latest', desc: 'The version of the sectest container to build' define_method 'build:all' do |name| # Build the tool build(name) # Build the specs for testing send('build:specs', name) end # Define arguments and options desc 'execute SECTESTNAME ARGUMENTS', 'Executes the specified security test SECTESTNAME w/ ARGUMENTS' option :registry, default: 'norad-registry.cisco.com:5000', desc: 'The Docker registry for Docker images' option :version, default: 'latest', desc: 'The version of the tools docker container to build' def execute(name, arguments) # Ensure container exists if !Docker::Image.exist?("#{options[:registry]}/#{name}:#{options[:version]}") say("Requested image #{options[:registry]}/#{name}:#{options[:version]} does not exist!", :red) exit(1) end # Setup and run the container env = ['NORAD_ROOT=', %(ASSESSMENT_PATHS=[{"id":"1", "assessment": "1"}]), 'NORAD_SECRET=1234'] container = Docker::Container.create(Image: "#{options[:registry]}/#{name}:#{options[:version]}", Env: env, Cmd: arguments) # Start the container, watch stdout container.tap(&:start).attach { |stream, chunk| puts "#{stream}: #{chunk}" } end desc 'spec SECTESTNAME', 'Run the rspec tests for SECTESTNAME' option :verbose, type: :boolean, default: false, desc: 'Turn on verbose logging' option :scan_assessment, type: :boolean, default: true, desc: 'Fix me' define_method 'spec' do |name| # Set environment variables ENV['ENABLE_LOGS'] = options[:verbose] ? 'true' : 'false' ENV['SCAN_ASSESSMENT'] = options[:scan_assessment] ? 'true' : 'false' ENV['TEST_RESULTS_SERVER_IMAGE'] = 'docker-images-test-results-server' ENV['UBUNTU_SSH_SERVER_IMAGE'] = 'docker-images-test-ubuntu-ssh-server' # Run the tests RSpec::Core::Runner.run(["spec/#{name}/#{name}_spec.rb"], $stderr, $stdout) end desc 'seed', 'Create the containers.rb seed to import into the api' option :seedfile, type: :string, default: './containers.rb', desc: 'The name of the seed file to generate' option :docsite, type: :string, default: 'https://norad.gitlab.io/docs/', desc: 'Set the documentation site' def seed # Error check to ensure this is a plugin directory # Generate the seed file SeedGenerator.process_manifests(options[:seedfile], options[:docsite]) end no_tasks do def dockerfile?(img_dir) # Ensure the Dockerfile exists for the new tool File.file?("#{img_dir}/Dockerfile") end # Check for a base image def extract_base_img(img_dir) from_line = File.readlines("#{img_dir}/Dockerfile").select { |line| line =~ /^FROM/ } # Check for multiple from lines? from_line_arr = from_line[0].split(' ') from_image = from_line[0][%r{\AFROM\s+(.*?\/)?(.*?)(:.*?)?\Z}i, 2] || raise('bad from') [from_image, from_line_arr[1]] end end end