| Vasyl Saienko | 4e8ec64 | 2018-09-17 10:08:08 +0000 | [diff] [blame] | 1 | /** | 
|  | 2 | * | 
|  | 3 | * Run openscap xccdf evaluation on given nodes | 
|  | 4 | * | 
|  | 5 | * Expected parametes: | 
|  | 6 | *  SALT_MASTER_URL             Full Salt API address. | 
|  | 7 | *  SALT_MASTER_CREDENTIALS     Credentials to the Salt API. | 
|  | 8 | * | 
|  | 9 | *  XCCDF_BENCHMARKS_DIR        The XCCDF benchmarks base directory (default /usr/share/xccdf-benchmarks/mirantis/) | 
|  | 10 | *  XCCDF_BENCHMARKS            List of pairs XCCDF benchmark filename and corresponding profile separated with ',' | 
|  | 11 | *                                  these pairs are separated with semicolon. | 
|  | 12 | *                                  (e.g. manila/openstack_manila-xccdf.xml,profilename;horizon/openstack_horizon-xccdf.xml,profile) | 
|  | 13 | *  XCCDF_VERSION               The XCCDF version (default 1.2) | 
|  | 14 | *  XCCDF_TAILORING_ID          The tailoring id (default None) | 
|  | 15 | * | 
|  | 16 | *  TARGET_SERVERS              The target Salt nodes (default *) | 
|  | 17 | * | 
|  | 18 | *  ARTIFACTORY_URL             The artifactory URL | 
|  | 19 | *  ARTIFACTORY_NAMESPACE       The artifactory namespace (default 'mirantis/openscap') | 
|  | 20 | *  ARTIFACTORY_REPO            The artifactory repo (default 'binary-dev-local') | 
|  | 21 | * | 
|  | 22 | *  UPLOAD_TO_DASHBOARD         Boolean. Upload results to the WORP or not | 
|  | 23 | *  DASHBOARD_API_URL           The WORP api base url. Mandatory if UPLOAD_TO_DASHBOARD is true | 
|  | 24 | */ | 
|  | 25 |  | 
|  | 26 |  | 
|  | 27 |  | 
|  | 28 | /** | 
|  | 29 | * Upload results to the `WORP` dashboard | 
|  | 30 | * | 
|  | 31 | * @param apiUrl               The base dashboard api url | 
|  | 32 | * @param cloudName            The cloud name (mostly, the given node's domain name) | 
|  | 33 | * @param nodeName             The node name | 
|  | 34 | * @param results              The scanning results | 
|  | 35 | */ | 
|  | 36 | def uploadResultToDashboard(apiUrl, cloudName, nodeName, results) { | 
| Ivan Udovichenko | d1bd28c | 2018-10-02 12:41:04 +0300 | [diff] [blame] | 37 | def common = new com.mirantis.mk.Common() | 
|  | 38 | def http = new com.mirantis.mk.Http() | 
|  | 39 |  | 
| Vasyl Saienko | 4e8ec64 | 2018-09-17 10:08:08 +0000 | [diff] [blame] | 40 | // Yes, we do not care of performance and will create at least 4 requests per each result | 
|  | 41 | def requestData = [:] | 
|  | 42 |  | 
|  | 43 | def cloudId | 
|  | 44 | def nodeId | 
|  | 45 |  | 
|  | 46 | // Let's take a look, may be our minion is already presented on the dashboard | 
|  | 47 | // Get available environments | 
|  | 48 | environments = common.parseJSON(http.sendHttpGetRequest("${apiUrl}/environment/")) | 
|  | 49 | for (environment in environments) { | 
|  | 50 | if (environment['name'] == cloudName) { | 
|  | 51 | cloudId = environment['uuid'] | 
|  | 52 | break | 
|  | 53 | } | 
|  | 54 | } | 
|  | 55 | // Cloud wasn't presented, let's create it | 
|  | 56 | if (! cloudId ) { | 
|  | 57 | // Create cloud | 
|  | 58 | resuestData['name'] = cloudName | 
|  | 59 | cloudId = common.parseJSON(http.sendHttpPostRequest("${apiUrl}/environment/", requestData))['env']['uuid'] | 
|  | 60 |  | 
|  | 61 | // And the node | 
|  | 62 | // It was done here to reduce count of requests to the api. | 
|  | 63 | // Because if there was not cloud presented on the dashboard, then the node was not presented as well. | 
|  | 64 | requestData['nodes'] = [nodeName] | 
|  | 65 | nodeId = common.parseJSON(http.sendHttpPutRequest("${apiUrl}/environment/${cloudId}/nodes/", requestData))['uuid'] | 
|  | 66 | } | 
|  | 67 |  | 
|  | 68 | if (! nodeId ) { | 
|  | 69 | // Get available nodes in our environment | 
|  | 70 | nodes = common.parseJSON(http.sendHttpGetRequest("${apiUrl}/environment/${cloudId}/nodes/")) | 
|  | 71 | for (node in nodes) { | 
|  | 72 | if (node['name'] == nodeName) { | 
|  | 73 | nodeId = node['id'] | 
|  | 74 | break | 
|  | 75 | } | 
|  | 76 | } | 
|  | 77 | } | 
|  | 78 |  | 
|  | 79 | // Node wasn't presented, let's create it | 
|  | 80 | if (! nodeId ) { | 
|  | 81 | // Create node | 
|  | 82 | requestData['nodes'] = [nodeName] | 
|  | 83 | nodeId = common.parseJSON(http.sendHttpPutRequest("${apiUrl}/environment/${cloudId}/nodes/", requestData))['uuid'] | 
|  | 84 | } | 
|  | 85 |  | 
|  | 86 | // Get report_id | 
|  | 87 | requestData['env_uuid'] = cloudId | 
|  | 88 | def reportId = common.parseJSON(http.sendHttpPostRequest("${apiUrl}/reports/openscap/", requestData))['report']['uuid'] | 
|  | 89 |  | 
|  | 90 | // Upload results | 
|  | 91 | requestData['results'] = results | 
|  | 92 | requestData['node_name'] = nodeName | 
|  | 93 | http.sendHttpPutRequest("${apiUrl}/reports/openscap/${reportId}/", requestData) | 
|  | 94 | } | 
|  | 95 |  | 
|  | 96 |  | 
|  | 97 | node('python') { | 
|  | 98 | def pepperEnv = 'pepperEnv' | 
|  | 99 |  | 
|  | 100 | // XCCDF related variables | 
|  | 101 | def benchmarksAndProfilesArray = XCCDF_BENCHMARKS.tokenize(';') | 
|  | 102 | def benchmarksDir = XCCDF_BENCHMARKS_DIR ?: '/usr/share/xccdf-benchmarks/mirantis/' | 
|  | 103 | def xccdfVersion = XCCDF_VERSION ?: '1.2' | 
|  | 104 | def xccdfTailoringId = XCCDF_TAILORING_ID ?: 'None' | 
|  | 105 | def targetServers = TARGET_SERVERS ?: '*' | 
|  | 106 |  | 
|  | 107 | def salt = new com.mirantis.mk.Salt() | 
|  | 108 | def python = new com.mirantis.mk.Python() | 
|  | 109 | def common = new com.mirantis.mk.Common() | 
|  | 110 | def http = new com.mirantis.mk.Http() | 
|  | 111 |  | 
|  | 112 | // To have an ability to work in heavy concurrency conditions | 
|  | 113 | def scanUUID = UUID.randomUUID().toString() | 
|  | 114 |  | 
|  | 115 | def artifactsArchiveName = "openscap-${scanUUID}.zip" | 
| Ivan Udovichenko | d1bd28c | 2018-10-02 12:41:04 +0300 | [diff] [blame] | 116 | def resultsBaseDir = "/var/log/openscap/${scanUUID}" | 
|  | 117 | def artifactsDir = "openscap" | 
| Vasyl Saienko | 4e8ec64 | 2018-09-17 10:08:08 +0000 | [diff] [blame] | 118 |  | 
|  | 119 | def liveMinions | 
|  | 120 |  | 
| Ivan Udovichenko | d1bd28c | 2018-10-02 12:41:04 +0300 | [diff] [blame] | 121 |  | 
| Vasyl Saienko | 4e8ec64 | 2018-09-17 10:08:08 +0000 | [diff] [blame] | 122 | stage ('Setup virtualenv for Pepper') { | 
|  | 123 | python.setupPepperVirtualenv(pepperEnv, SALT_MASTER_URL, SALT_MASTER_CREDENTIALS) | 
|  | 124 | } | 
|  | 125 |  | 
|  | 126 | stage ('Run openscap xccdf evaluation and attempt to upload the results to a dashboard') { | 
|  | 127 | liveMinions = salt.getMinions(pepperEnv, targetServers) | 
|  | 128 |  | 
|  | 129 | if (liveMinions.isEmpty()) { | 
|  | 130 | throw new Exception('There are no alive minions') | 
|  | 131 | } | 
|  | 132 |  | 
|  | 133 | common.infoMsg("Scan UUID: ${scanUUID}") | 
|  | 134 |  | 
| Ivan Udovichenko | d1bd28c | 2018-10-02 12:41:04 +0300 | [diff] [blame] | 135 | // Clean all results before proceeding with results from every minion | 
|  | 136 | dir(artifactsDir) { | 
|  | 137 | deleteDir() | 
|  | 138 | } | 
|  | 139 |  | 
| Vasyl Saienko | 4e8ec64 | 2018-09-17 10:08:08 +0000 | [diff] [blame] | 140 | for (minion in liveMinions) { | 
|  | 141 |  | 
|  | 142 | // Iterate oscap evaluation over the benchmarks | 
|  | 143 | for (benchmark in benchmarksAndProfilesArray) { | 
|  | 144 | def (benchmarkFilePath, profile) = benchmark.tokenize(',').collect({it.trim()}) | 
|  | 145 |  | 
|  | 146 | // Remove extension from the benchmark name | 
|  | 147 | def benchmarkPathWithoutExtension = benchmarkFilePath.replaceFirst('[.][^.]+$', '') | 
| Ivan Udovichenko | d1bd28c | 2018-10-02 12:41:04 +0300 | [diff] [blame] | 148 |  | 
|  | 149 | // Get benchmark name | 
|  | 150 | def benchmarkName = benchmarkPathWithoutExtension.tokenize('/')[-1] | 
|  | 151 |  | 
| Vasyl Saienko | 4e8ec64 | 2018-09-17 10:08:08 +0000 | [diff] [blame] | 152 | // And build resultsDir based on this path | 
|  | 153 | def resultsDir = "${resultsBaseDir}/${benchmarkPathWithoutExtension}" | 
|  | 154 |  | 
|  | 155 | def benchmarkFile = "${benchmarksDir}${benchmarkFilePath}" | 
|  | 156 |  | 
| Ivan Udovichenko | d1bd28c | 2018-10-02 12:41:04 +0300 | [diff] [blame] | 157 | def nodeShortName = minion.tokenize('.')[0] | 
|  | 158 |  | 
|  | 159 | def archiveName = "${scanUUID}_${nodeShortName}_${benchmarkName}.tar" | 
|  | 160 |  | 
| Vasyl Saienko | 4e8ec64 | 2018-09-17 10:08:08 +0000 | [diff] [blame] | 161 | // Evaluate the benchmark | 
|  | 162 | salt.runSaltProcessStep(pepperEnv, minion, 'oscap.eval', [ | 
|  | 163 | 'xccdf', benchmarkFile, "results_dir=${resultsDir}", | 
|  | 164 | "profile=${profile}", "xccdf_version=${xccdfVersion}", | 
|  | 165 | "tailoring_id=${xccdfTailoringId}" | 
|  | 166 | ]) | 
|  | 167 |  | 
| Ivan Udovichenko | d1bd28c | 2018-10-02 12:41:04 +0300 | [diff] [blame] | 168 | salt.cmdRun(pepperEnv, minion, "tar -cf /tmp/${archiveName} -C ${resultsBaseDir} .") | 
|  | 169 | fileContents = salt.cmdRun(pepperEnv, minion, "cat /tmp/${archiveName}", true, null, false)['return'][0].values()[0].replaceAll('Salt command execution success', '') | 
|  | 170 |  | 
|  | 171 | sh "mkdir -p ${artifactsDir}/${scanUUID}/${nodeShortName}" | 
|  | 172 | writeFile file: "${archiveName}", text: fileContents | 
|  | 173 | sh "tar --strip-components 1 -xf ${archiveName} --directory ${artifactsDir}/${scanUUID}/${nodeShortName}; rm -f ${archiveName}" | 
|  | 174 |  | 
|  | 175 | // Remove archive which is not needed anymore | 
|  | 176 | salt.runSaltProcessStep(pepperEnv, minion, 'file.remove', "/tmp/${archiveName}") | 
|  | 177 |  | 
| Vasyl Saienko | 4e8ec64 | 2018-09-17 10:08:08 +0000 | [diff] [blame] | 178 | // Attempt to upload the scanning results to the dashboard | 
|  | 179 | if (UPLOAD_TO_DASHBOARD.toBoolean()) { | 
|  | 180 | if (common.validInputParam('DASHBOARD_API_URL')) { | 
|  | 181 | def cloudName = salt.getGrain(pepperEnv, minion, 'domain')['return'][0].values()[0].values()[0] | 
|  | 182 | uploadResultToDashboard(DASHBOARD_API_URL, cloudName, minion, salt.getFileContent(pepperEnv, minion, "${resultsDir}/results.json")) | 
|  | 183 | } else { | 
|  | 184 | throw new Exception('Uploading to the dashboard is enabled but the DASHBOARD_API_URL was not set') | 
|  | 185 | } | 
|  | 186 | } | 
|  | 187 | } | 
|  | 188 | } | 
| Ivan Udovichenko | d1bd28c | 2018-10-02 12:41:04 +0300 | [diff] [blame] | 189 |  | 
|  | 190 | // Prepare archive | 
|  | 191 | sh "tar -cJf ${artifactsDir}.tar.xz ${artifactsDir}" | 
|  | 192 |  | 
|  | 193 | // Archive the build output artifacts | 
|  | 194 | archiveArtifacts artifacts: "*.xz" | 
| Vasyl Saienko | 4e8ec64 | 2018-09-17 10:08:08 +0000 | [diff] [blame] | 195 | } | 
|  | 196 |  | 
|  | 197 | /*  // Will be implemented later | 
|  | 198 | stage ('Attempt to upload results to an artifactory') { | 
|  | 199 | if (common.validInputParam('ARTIFACTORY_URL')) { | 
|  | 200 | for (minion in liveMinions) { | 
|  | 201 | def destDir = "${artifactsDir}/${minion}" | 
|  | 202 | def archiveName = "openscap-${scanUUID}.tar.gz" | 
|  | 203 | def tempArchive = "/tmp/${archiveName}" | 
|  | 204 | def destination = "${destDir}/${archiveName}" | 
|  | 205 |  | 
|  | 206 | dir(destDir) { | 
|  | 207 | // Archive scanning results on the remote target | 
|  | 208 | salt.runSaltProcessStep(pepperEnv, minion, 'archive.tar', ['czf', tempArchive, resultsBaseDir]) | 
|  | 209 |  | 
|  | 210 | // Get it content and save it | 
|  | 211 | writeFile file: destination, text: salt.getFileContent(pepperEnv, minion, tempArchive) | 
|  | 212 |  | 
|  | 213 | // Remove scanning results and the temp archive on the remote target | 
|  | 214 | salt.runSaltProcessStep(pepperEnv, minion, 'file.remove', resultsBaseDir) | 
|  | 215 | salt.runSaltProcessStep(pepperEnv, minion, 'file.remove', tempArchive) | 
|  | 216 | } | 
|  | 217 | } | 
|  | 218 |  | 
|  | 219 | def artifactory = new com.mirantis.mcp.MCPArtifactory() | 
|  | 220 | def artifactoryName = 'mcp-ci' | 
|  | 221 | def artifactoryRepo = ARTIFACTORY_REPO ?: 'binary-dev-local' | 
|  | 222 | def artifactoryNamespace = ARTIFACTORY_NAMESPACE ?: 'mirantis/openscap' | 
|  | 223 | def artifactoryServer = Artifactory.server(artifactoryName) | 
|  | 224 | def publishInfo = true | 
|  | 225 | def buildInfo = Artifactory.newBuildInfo() | 
|  | 226 | def zipName = "${env.WORKSPACE}/openscap/${scanUUID}/results.zip" | 
|  | 227 |  | 
|  | 228 | // Zip scan results | 
|  | 229 | zip zipFile: zipName, archive: false, dir: artifactsDir | 
|  | 230 |  | 
|  | 231 | // Mandatory and additional properties | 
|  | 232 | def properties = artifactory.getBinaryBuildProperties([ | 
|  | 233 | "scanUuid=${scanUUID}", | 
|  | 234 | "project=openscap" | 
|  | 235 | ]) | 
|  | 236 |  | 
|  | 237 | // Build Artifactory spec object | 
|  | 238 | def uploadSpec = """{ | 
|  | 239 | "files": | 
|  | 240 | [ | 
|  | 241 | { | 
|  | 242 | "pattern": "${zipName}", | 
|  | 243 | "target": "${artifactoryRepo}/${artifactoryNamespace}/openscap", | 
|  | 244 | "props": "${properties}" | 
|  | 245 | } | 
|  | 246 | ] | 
|  | 247 | }""" | 
|  | 248 |  | 
|  | 249 | // Upload artifacts to the given Artifactory | 
|  | 250 | artifactory.uploadBinariesToArtifactory(artifactoryServer, buildInfo, uploadSpec, publishInfo) | 
|  | 251 |  | 
|  | 252 | } else { | 
|  | 253 | common.warningMsg('ARTIFACTORY_URL was not given, skip uploading to artifactory') | 
|  | 254 | } | 
|  | 255 | } | 
|  | 256 | */ | 
|  | 257 |  | 
|  | 258 | } |