Class: InspecPlugins::Artifact::Base

Inherits:

Object

• Object
• InspecPlugins::Artifact::Base

Defined in:

lib/plugins/inspec-artifact/lib/inspec-artifact/base.rb

Constant Summary

KEY_BITS =

2048

KEY_ALG =

OpenSSL::PKey::RSA

INSPEC_PROFILE_VERSION_1 =

'INSPEC-PROFILE-1'.freeze

INSPEC_REPORT_VERSION_1 =

'INSPEC-REPORT-1'.freeze

ARTIFACT_DIGEST =

OpenSSL::Digest::SHA512

ARTIFACT_DIGEST_NAME =

'SHA512'.freeze

VALID_PROFILE_VERSIONS =

Set.new [INSPEC_PROFILE_VERSION_1]

VALID_PROFILE_DIGESTS =

Set.new [ARTIFACT_DIGEST_NAME]

SIGNED_PROFILE_SUFFIX =

'iaf'.freeze

SIGNED_REPORT_SUFFIX =

'iar'.freeze

Class Method Summary

• .keygen(options) ⇒ Object
• .profile_install(options) ⇒ Object
• .profile_sign(options) ⇒ Object
• .profile_verify(options) ⇒ Object

Instance Method Summary

• #profile_compress(path_to_profile, profile_md, workdir) ⇒ Object
• #read_profile_metadata(path_to_profile) ⇒ Object
• #valid_header?(file_alg, file_version, file_keyname) ⇒ Boolean
• #verify(file_to_verifiy, &content_block) ⇒ Object

Class Method Details

.keygen(options) ⇒ Object

# File 'lib/plugins/inspec-artifact/lib/inspec-artifact/base.rb', line 26

def self.keygen(options)
  key = KEY_ALG.new KEY_BITS
  puts 'Generating private key'
  open "#{options['keyname']}.pem.key", 'w' do |io| io.write key.to_pem end
  puts 'Generating public key'
  open "#{options['keyname']}.pem.pub", 'w' do |io| io.write key.public_key.to_pem end
end

.profile_install(options) ⇒ Object

# File 'lib/plugins/inspec-artifact/lib/inspec-artifact/base.rb', line 70

def self.profile_install(options)
  artifact = new
  puts 'Installing profile'
  file_to_verifiy = options['infile']
  dest_dir = options['destdir']
  artifact.verify(file_to_verifiy) do |content|
    Dir.mktmpdir do |workdir|
      tmpfile = Pathname.new(workdir).join('artifact_to_install.tar.gz')
      File.write(tmpfile, content)
      puts "Installing to #{dest_dir}"
      `tar xzf #{tmpfile} -C #{dest_dir}`
    end
  end
end

.profile_sign(options) ⇒ Object

# File 'lib/plugins/inspec-artifact/lib/inspec-artifact/base.rb', line 34

def self.profile_sign(options)
  artifact = new
  Dir.mktmpdir do |workdir|
    puts "Signing #{options['profile']} with key #{options['keyname']}"
    path_to_profile = options['profile']
    profile_md = artifact.read_profile_metadata(path_to_profile)
    artifact_filename = "#{profile_md['name']}-#{profile_md['version']}.#{SIGNED_PROFILE_SUFFIX}"
    tarfile = artifact.profile_compress(path_to_profile, profile_md, workdir)
    content = IO.binread(tarfile)
    signing_key = KEY_ALG.new File.read "#{options['keyname']}.pem.key"
    sha = ARTIFACT_DIGEST.new
    signature = signing_key.sign sha, content
    # convert the signature to Base64
    signature_base64 = Base64.encode64(signature)
    tar_content = IO.binread(tarfile)
    File.open(artifact_filename, 'wb') do |f|
      f.puts(INSPEC_PROFILE_VERSION_1)
      f.puts(options['keyname'])
      f.puts(ARTIFACT_DIGEST_NAME)
      f.puts(signature_base64)
      f.puts('') # newline separates artifact header with body
      f.write(tar_content)
    end
    puts "Successfully generated #{artifact_filename}"
  end
end

.profile_verify(options) ⇒ Object

# File 'lib/plugins/inspec-artifact/lib/inspec-artifact/base.rb', line 61

def self.profile_verify(options)
  artifact = new
  file_to_verifiy = options['infile']
  puts "Verifying #{file_to_verifiy}"
  artifact.verify(file_to_verifiy) do ||
    puts 'Artifact is valid'
  end
end

Instance Method Details

#profile_compress(path_to_profile, profile_md, workdir) ⇒ Object

# File 'lib/plugins/inspec-artifact/lib/inspec-artifact/base.rb', line 110

def profile_compress(path_to_profile, profile_md, workdir)
  profile_name = profile_md['name']
  profile_version = profile_md['version']
  outfile_name = "#{workdir}/#{profile_name}-#{profile_version}.tar.gz"
  `tar czf #{outfile_name} -C #{path_to_profile} .`
  outfile_name
end

#read_profile_metadata(path_to_profile) ⇒ Object

# File 'lib/plugins/inspec-artifact/lib/inspec-artifact/base.rb', line 85

def read_profile_metadata(path_to_profile)
  begin
    p = Pathname.new(path_to_profile)
    p = p.join('inspec.yml')
    if not p.exist?
      raise "#{path_to_profile} doesn't appear to be a valid InSpec profile"
    end
    yaml = YAML.load_file(p.to_s)
    yaml = yaml.to_hash

    if not yaml.key? 'name'
      raise 'Profile is invalid, name is not defined'
    end

    if not yaml.key? 'version'
      raise 'Profile is invalid, version is not defined'
    end
  rescue => e
    # rewrap it and pass it up to the CLI
    raise "Error reading InSpec profile metadata: #{e}"
  end

  yaml
end

#valid_header?(file_alg, file_version, file_keyname) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/plugins/inspec-artifact/lib/inspec-artifact/base.rb', line 118

def valid_header?(file_alg, file_version, file_keyname)
  public_keyfile = "#{file_keyname}.pem.pub"
  puts "Looking for #{public_keyfile} to verify artifact"
  if !File.exist? public_keyfile
    raise "Can't find #{public_keyfile}"
  end

  raise 'Invalid artifact digest algorithm detected' if !VALID_PROFILE_DIGESTS.member?(file_alg)
  raise 'Invalid artifact version detected' if !VALID_PROFILE_VERSIONS.member?(file_version)
end

#verify(file_to_verifiy, &content_block) ⇒ Object

# File 'lib/plugins/inspec-artifact/lib/inspec-artifact/base.rb', line 129

def verify(file_to_verifiy, &content_block)
  f = File.open(file_to_verifiy, 'r')
  file_version = f.readline.strip!
  file_keyname = f.readline.strip!
  file_alg = f.readline.strip!

  file_sig = ''
  # the signature is multi-line
  while (line = f.readline) != "\n"
    file_sig += line
  end
  file_sig.strip!
  f.close

  valid_header?(file_alg, file_version, file_keyname)

  public_keyfile = "#{file_keyname}.pem.pub"
  verification_key = KEY_ALG.new File.read public_keyfile

  f = File.open(file_to_verifiy, 'r')
  while f.readline != "\n" do end
  content = f.read

  signature = Base64.decode64(file_sig)
  digest = ARTIFACT_DIGEST.new
  if verification_key.verify digest, signature, content
    content_block.yield(content)
  else
    puts 'Artifact is invalid'
  end
end