module ForemanOpenscap module HostExtensions ::Host::Managed::Jail.allow :policies_enc, :policies_enc_raw def self.prepended(base) base.has_one :asset, :as => :assetable, :class_name => "::ForemanOpenscap::Asset", :dependent => :destroy base.has_many :asset_policies, :through => :asset, :class_name => "::ForemanOpenscap::AssetPolicy" base.has_many :policies, :through => :asset_policies, :class_name => "::ForemanOpenscap::Policy" base.has_many :arf_reports, :class_name => '::ForemanOpenscap::ArfReport', :foreign_key => :host_id base.has_one :compliance_status_object, :class_name => '::ForemanOpenscap::ComplianceStatus', :foreign_key => 'host_id' base.validate :openscap_proxy_in_taxonomy, :if => Proc.new { |host| host.openscap_proxy_id.present? } base.scoped_search :relation => :policies, :on => :name, :complete_value => true, :rename => :compliance_policy, :only_explicit => true, :operators => ['= '], :ext_method => :search_by_policy_name base.scoped_search :relation => :policies, :on => :id, :complete_value => false, :rename => :compliance_policy_id, :only_explicit => true, :operators => ['= ', '!= '], :ext_method => :search_by_policy_id base.scoped_search :relation => :policies, :on => :name, :complete_value => true, :rename => :compliance_report_missing_for, :only_explicit => true, :operators => ['= ', '!= '], :ext_method => :search_by_missing_arf base.scoped_search :relation => :compliance_status_object, :on => :status, :rename => :compliance_status, :complete_value => { :compliant => ::ForemanOpenscap::ComplianceStatus::COMPLIANT, :incompliant => ::ForemanOpenscap::ComplianceStatus::INCOMPLIANT, :inconclusive => ::ForemanOpenscap::ComplianceStatus::INCONCLUSIVE } base.scoped_search :relation => :policies, :on => :name, :complete_value => { :true => true, :false => false }, :only_explicit => true, :rename => :is_compliance_host, :operators => ['= '], :ext_method => :search_for_any_with_policy, :validator => ->(value) { ['true', 'false'].include? value } base.scoped_search :on => :id, :rename => :passes_xccdf_rule, :only_explicit => true, :operators => ['= '], :ext_method => :search_by_rule_passed base.scoped_search :on => :id, :rename => :fails_xccdf_rule, :only_explicit => true, :operators => ['= '], :ext_method => :search_by_rule_failed base.scoped_search :on => :id, :rename => :others_xccdf_rule, :only_explicit => true, :operators => ['= '], :ext_method => :search_by_rule_othered base.scoped_search :on => :id, :rename => :comply_with, :only_explicit => true, :operators => ['= '], :ext_method => :search_by_comply_with base.scoped_search :on => :id, :rename => :not_comply_with, :only_explicit => true, :operators => ['= '], :ext_method => :search_by_not_comply_with base.scoped_search :on => :id, :rename => :inconclusive_with, :only_explicit => true, :operators => ['= '], :ext_method => :search_by_inconclusive_with base.scoped_search :on => :id, :rename => :removed_from_policy, :only_explicit => true, :operators => ['= '], :ext_method => :search_by_removed_from_policy base.scope :comply_with, lambda { |policy| joins(:arf_reports).merge(ArfReport.latest_of_policy(policy)).merge(ArfReport.passed) } base.scope :not_comply_with, lambda { |policy| joins(:arf_reports).merge(ArfReport.latest_of_policy(policy)).merge(ArfReport.failed) } base.scope :inconclusive_with, lambda { |policy| joins(:arf_reports).merge(ArfReport.latest_of_policy(policy)).merge(ArfReport.othered) } base.scope :policy_reports_missing, lambda { |policy| search_for("compliance_report_missing_for = \"#{policy.name}\"") } base.scope :assigned_to_policy, lambda { |policy| search_for("compliance_policy = \"#{policy.name}\"") } base.scope :removed_from_policy, lambda { |policy| joins(:arf_reports).merge(ArfReport.latest_of_policy(policy)).where.not(:id => assigned_to_policy(policy).pluck(:id)) } base.send :extend, ClassMethods base.apipie :class do property :policies_enc, String, desc: 'Returns JSON string containing policies for the host' property :policies_enc_raw, array_of: Hash, desc: 'Returns a list with key:value objects containing policies for the host' end end def inherited_attributes super.concat(%w[openscap_proxy_id]) end def policies=(policies) self.build_asset(:assetable => self) if self.asset.blank? self.asset.policies = policies end def get_asset ForemanOpenscap::Asset.where(:assetable_type => 'Host::Base', :assetable_id => id).first_or_create! end def policies_enc policies_enc_raw.to_json end def policies_enc_raw check = ForemanOpenscap::OpenscapProxyAssignedVersionCheck.new(self).run method = check.pass? ? :to_enc : :to_enc_legacy combined_policies.map(&method) end def combined_policies inc = %i[scap_content scap_content_profile tailoring_file tailoring_file_profile] combined = self.hostgroup ? self.policies.includes(inc) + self.hostgroup.policies.includes(inc) + self.hostgroup.inherited_policies : self.policies.includes(inc) combined.uniq end def scap_status_changed?(policy) last_reports = reports_for_policy(policy, 2) return false if last_reports.length != 2 !last_reports.first.equal? last_reports.last end def last_report_for_policy(policy) reports_for_policy(policy, 1) end def reports_for_policy(policy, limit = nil) report_scope = ForemanOpenscap::ArfReport.unscoped.joins(:policy_arf_report) .merge(ForemanOpenscap::PolicyArfReport.of_policy(policy.id)).where(:host_id => id) .order("#{ForemanOpenscap::ArfReport.table_name}.created_at DESC") report_scope = report_scope.limit(limit) if limit report_scope end def compliance_status(options = {}) @compliance_status ||= get_status(ForemanOpenscap::ComplianceStatus).to_status(options) end def compliance_status_label(options = {}) @compliance_status_label ||= get_status(ForemanOpenscap::ComplianceStatus).to_label(options) end def openscap_proxy_in_taxonomy validate_association_taxonomy(:openscap_proxy) end module ClassMethods def search_by_removed_from_policy(key, operator, policy_name) policy = ForemanOpenscap::Policy.find_by :name => policy_name host_ids = policy ? removed_from_policy(policy).pluck(:id) : [] { :conditions => ::Host::Managed.arel_table[:id].in(host_ids).to_sql } end def search_by_compliance(key, operator, policy_name, method) policy = ForemanOpenscap::Policy.find_by :name => policy_name host_ids = policy ? public_send(method, policy).pluck(:id) : [] { :conditions => ::Host::Managed.arel_table[:id].in(host_ids).to_sql } end def search_by_comply_with(key, operator, policy_name) search_by_compliance key, operator, policy_name, :comply_with end def search_by_not_comply_with(key, operator, policy_name) search_by_compliance key, operator, policy_name, :not_comply_with end def search_by_inconclusive_with(key, operator, policy_name) search_by_compliance key, operator, policy_name, :inconclusive_with end def search_by_rule_passed(key, operator, rule_name) search_by_rule rule_name, 'pass' end def search_by_rule_failed(key, operator, rule_name) search_by_rule rule_name, 'fail' end def search_by_rule_othered(key, operator, rule_name) search_by_rule rule_name, LogExtensions.othered_result_constants end def search_by_rule(rule_name, rule_result) query = ::Host.joins(:arf_reports) .merge(ArfReport.latest .by_rule_result(rule_name, rule_result) .unscope(:order)) .distinct .select(::Host.arel_table[:id]).to_sql query_conditions query end def query_conditions(query) { :conditions => "hosts.id IN (#{query})" } end def search_by_policy_name(key, operator, policy_name) cond = sanitize_sql_for_conditions(["foreman_openscap_policies.name #{operator} ?", value_to_sql(operator, policy_name)]) host_group_host_ids = policy_assigned_using_hostgroup_host_ids cond, [] host_group_cond = if host_group_host_ids.any? ' OR ' + sanitize_sql_for_conditions("hosts.id IN (#{host_group_host_ids.join(',')})") else '' end { :conditions => ::Host::Managed.arel_table[:id].in(::Host::Managed.select(::Host::Managed.arel_table[:id]).joins(:policies).where(cond).pluck(:id)).to_sql + host_group_cond } end def search_by_policy_id(key, operator, policy_id) cond = sanitize_sql_for_conditions(["foreman_openscap_policies.id #{operator} ?", value_to_sql(operator, policy_id)]) search_assigned_all cond, [] end def search_by_missing_arf(key, operator, policy_name) cond = sanitize_sql_for_conditions(["foreman_openscap_policies.name #{operator} ?", value_to_sql(operator, policy_name)]) host_ids_from_arf_of_policy = ForemanOpenscap::ArfReport.joins(:policy).where(cond).pluck(:host_id).uniq search_assigned_all cond, host_ids_from_arf_of_policy end def search_for_any_with_policy(key, operator, value) search_assigned_all nil, [], (value == "false") end def search_assigned_all(condition, not_in_host_ids, negate = false) sql_not = negate ? "NOT" : "" direct_result = policy_assigned_directly_host_ids condition, not_in_host_ids hg_result = policy_assigned_using_hostgroup_host_ids condition, not_in_host_ids result = (direct_result + hg_result).uniq { :conditions => "hosts.id #{sql_not} IN (#{result.empty? ? 'NULL' : result.join(',')})" } end def policy_assigned_directly_host_ids(condition, host_ids_from_arf) ForemanOpenscap::Asset.where(:assetable_type => 'Host::Base') .joins(:policies) .where(condition) .where.not(:assetable_id => host_ids_from_arf) .pluck(:assetable_id) end def policy_assigned_using_hostgroup_host_ids(condition, host_ids_from_arf) hostgroup_with_policy_ids = ForemanOpenscap::Asset.where(:assetable_type => 'Hostgroup') .joins(:policies) .where(condition) .pluck(:assetable_id) subtree_ids = ::Hostgroup.where(:id => hostgroup_with_policy_ids).flat_map(&:subtree_ids).uniq ::Host.where(:hostgroup_id => subtree_ids).where.not(:id => host_ids_from_arf).pluck(:id) end end end end