Class: InspecPlugins::Artifact::Base
- Inherits:
-
Object
- Object
- InspecPlugins::Artifact::Base
- Defined in:
- lib/plugins/inspec-artifact/lib/inspec-artifact/base.rb
Constant Summary
- KEY_BITS =
2048
- KEY_ALG =
OpenSSL::PKey::RSA
- INSPEC_PROFILE_VERSION_1 =
'INSPEC-PROFILE-1'.freeze
- INSPEC_REPORT_VERSION_1 =
'INSPEC-REPORT-1'.freeze
- ARTIFACT_DIGEST =
OpenSSL::Digest::SHA512
- ARTIFACT_DIGEST_NAME =
'SHA512'.freeze
- VALID_PROFILE_VERSIONS =
Set.new [INSPEC_PROFILE_VERSION_1]
- VALID_PROFILE_DIGESTS =
Set.new [ARTIFACT_DIGEST_NAME]
- SIGNED_PROFILE_SUFFIX =
'iaf'.freeze
- SIGNED_REPORT_SUFFIX =
'iar'.freeze
Class Method Summary
- .keygen(options) ⇒ Object
- .profile_install(options) ⇒ Object
- .profile_sign(options) ⇒ Object
- .profile_verify(options) ⇒ Object
Instance Method Summary
- #profile_compress(path_to_profile, profile_md, workdir) ⇒ Object
- #read_profile_metadata(path_to_profile) ⇒ Object
- #valid_header?(file_alg, file_version, file_keyname) ⇒ Boolean
- #verify(file_to_verifiy, &content_block) ⇒ Object
Class Method Details
.keygen(options) ⇒ Object
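# Generate an RSA key pair and write it into the current directory as
# "<keyname>.pem.key" (private key) and "<keyname>.pem.pub" (public key).
#
# @param options [Hash] CLI options; reads options['keyname'], the path
#   prefix of the two files to write.
# @return [nil]
# @raise [RuntimeError] if no keyname was supplied.
#
# Security notes:
# - The private key file is created with mode 0600 so other local users
#   cannot read it (previously it got the umask default, usually 0644).
#   If the file already exists its existing permissions are kept.
# - File.open is used instead of Kernel#open: Kernel#open treats a path that
#   starts with '|' as a command to spawn, so a crafted --keyname could have
#   executed a shell command.
def self.keygen(options)
  keyname = options['keyname'].to_s
  raise 'keyname must not be empty' if keyname.empty?

  key = KEY_ALG.new KEY_BITS

  puts 'Generating private key'
  File.open("#{keyname}.pem.key", 'w', 0o600) do |io|
    io.write key.to_pem
  end

  puts 'Generating public key'
  File.open("#{keyname}.pem.pub", 'w') do |io|
    io.write key.public_key.to_pem
  end
end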
.profile_install(options) ⇒ Object
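# Verify a signed profile artifact and extract its body into a directory.
#
# @param options [Hash] CLI options; reads options['infile'] (the .iaf file
#   to install) and options['destdir'] (directory the tarball is extracted
#   into).
# @return [nil]
# @raise [RuntimeError] if tar fails; errors from #verify propagate as-is.
#
# The tarball reaches tar only inside the block that #verify runs after the
# signature check, so its contents are trusted exactly as far as the signing
# key is. tar is invoked in argv form (no shell), so a destdir or temp path
# containing shell metacharacters cannot inject commands; the previous
# backtick form interpolated dest_dir straight into a shell command line.
def self.profile_install(options)
  artifact = new
  puts 'Installing profile'
  file_to_verifiy = options['infile']
  dest_dir = options['destdir']
  artifact.verify(file_to_verifiy) do |content|
    Dir.mktmpdir do |workdir|
      tmpfile = Pathname.new(workdir).join('artifact_to_install.tar.gz')
      # binary write: the body is gzip data, never newline-converted
      File.binwrite(tmpfile, content)
      puts "Installing to #{dest_dir}"
      ok = system('tar', 'xzf', tmpfile.to_s, '-C', dest_dir.to_s)
      # system returns nil when tar cannot be run and false on non-zero exit
      raise "Failed to extract #{file_to_verifiy} into #{dest_dir}" unless ok
    end
  end
end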
.profile_sign(options) ⇒ Object
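# Package a profile directory as a tar.gz, sign it and write a signed
# artifact "<name>-<version>.iaf" into the current directory.
#
# Artifact layout: a format-version line, the key name, the digest name,
# the base64 signature (several lines), one empty separator line, then the
# raw tar.gz body. Only the body is covered by the signature; the header
# fields are re-validated by the verifier before use.
#
# @param options [Hash] CLI options; reads options['profile'] (profile
#   directory) and options['keyname'] (prefix of the "<keyname>.pem.key"
#   private key to sign with; it is also recorded in the header so the
#   verifier can locate "<keyname>.pem.pub").
# @return [nil]
# @raise [RuntimeError] if the profile metadata is unreadable, if the
#   name/version would place the output outside the current directory, or
#   if compression fails.
def self.profile_sign(options)
  artifact = new
  keyname = options['keyname']
  Dir.mktmpdir do |workdir|
    puts "Signing #{options['profile']} with key #{keyname}"
    path_to_profile = options['profile']
    profile_md = artifact.read_profile_metadata(path_to_profile)
    artifact_filename = "#{profile_md['name']}-#{profile_md['version']}.#{SIGNED_PROFILE_SUFFIX}"
    # name/version come from inspec.yml; refuse values that would write
    # the artifact anywhere other than the current directory
    unless artifact_filename == File.basename(artifact_filename)
      raise "Profile name/version must not contain path separators: #{artifact_filename}"
    end

    tarfile = artifact.profile_compress(path_to_profile, profile_md, workdir)
    # read the body once: the same bytes are signed and written out
    content = IO.binread(tarfile)

    signing_key = KEY_ALG.new File.read("#{keyname}.pem.key")
    signature = signing_key.sign ARTIFACT_DIGEST.new, content
    signature_base64 = Base64.encode64(signature)

    File.open(artifact_filename, 'wb') do |f|
      f.puts(INSPEC_PROFILE_VERSION_1)
      f.puts(keyname)
      f.puts(ARTIFACT_DIGEST_NAME)
      f.puts(signature_base64)
      f.puts('') # newline separates artifact header with body
      f.write(content)
    end
    puts "Successfully generated #{artifact_filename}"
  end
end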
.profile_verify(options) ⇒ Object
# CLI entry point: check the signature on an artifact and report success.
#
# @param options [Hash] CLI options; reads options['infile'], the artifact
#   path handed to #verify.
# @return [nil]
#
# Success is reported by the block, which #verify only runs once the
# signature has been accepted; failures surface however #verify reports them.
def self.profile_verify(options)
  file_to_verifiy = options['infile']
  puts "Verifying #{file_to_verifiy}"
  new.verify(file_to_verifiy) { |_content| puts 'Artifact is valid' }
end
Instance Method Details
#profile_compress(path_to_profile, profile_md, workdir) ⇒ Object
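# Create a gzipped tarball of a profile directory inside workdir.
#
# @param path_to_profile [String] directory whose contents are archived
# @param profile_md [Hash] profile metadata; 'name' and 'version' form the
#   archive file name
# @param workdir [String] directory the archive is written into
# @return [String] path of the created "<name>-<version>.tar.gz"
# @raise [RuntimeError] if tar cannot be run or exits non-zero.
#
# tar is invoked in argv form (no shell): path_to_profile comes from the
# command line and name/version from inspec.yml, and the previous backtick
# form interpolated all three into a shell command line.
def profile_compress(path_to_profile, profile_md, workdir)
  profile_name = profile_md['name']
  profile_version = profile_md['version']
  outfile_name = "#{workdir}/#{profile_name}-#{profile_version}.tar.gz"
  ok = system('tar', 'czf', outfile_name, '-C', path_to_profile.to_s, '.')
  # system returns nil when tar cannot be run and false on non-zero exit
  raise "Failed to create #{outfile_name} from #{path_to_profile}" unless ok
  outfile_name
end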
#read_profile_metadata(path_to_profile) ⇒ Object
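# Load and sanity-check the inspec.yml of a profile directory.
#
# @param path_to_profile [String] profile directory containing inspec.yml
# @return [Hash] the parsed metadata; guaranteed to have 'name' and 'version'
# @raise [RuntimeError] wrapping any failure (missing file, unparsable YAML,
#   non-mapping document, missing name or version) with a message prefixed
#   "Error reading InSpec profile metadata:" for the CLI.
def read_profile_metadata(path_to_profile)
  metadata_path = Pathname.new(path_to_profile).join('inspec.yml')
  unless metadata_path.exist?
    raise "#{path_to_profile} doesn't appear to be a valid InSpec profile"
  end

  # NOTE(security): YAML.load_file is a full (unsafe) load on Psych < 4 and
  # can instantiate arbitrary Ruby objects from a crafted inspec.yml. This
  # runs at sign time on the signer's own profile, so only sign profiles you
  # trust; switch to YAML.safe_load once the supported Ruby floor allows it.
  yaml = YAML.load_file(metadata_path.to_s)
  # an empty file loads as nil/false and a scalar document as a String;
  # neither is profile metadata
  raise 'Profile is invalid, inspec.yml is not a mapping' unless yaml.is_a?(Hash)
  raise 'Profile is invalid, name is not defined' unless yaml.key? 'name'
  raise 'Profile is invalid, version is not defined' unless yaml.key? 'version'
  yaml
rescue => e
  # rewrap it and pass it up to the CLI
  raise "Error reading InSpec profile metadata: #{e}"
end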
#valid_header?(file_alg, file_version, file_keyname) ⇒ Boolean
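# Validate the unauthenticated header fields of an artifact before any of
# them is used for verification.
#
# @param file_alg [String] digest name from the header; must be in
#   VALID_PROFILE_DIGESTS
# @param file_version [String] format version from the header; must be in
#   VALID_PROFILE_VERSIONS
# @param file_keyname [String] key name from the header; "<keyname>.pem.pub"
#   in the current directory is the public key the artifact is checked with
# @return [true]
# @raise [RuntimeError] on any invalid field or when the key file is absent.
#
# Security note: the artifact chooses its own verification key by name, and
# the header is not covered by the signature. The key name is therefore
# restricted to a bare file name so a crafted header cannot point at an
# arbitrary *.pem.pub elsewhere on the filesystem (e.g. "../../tmp/attacker").
# The set of "*.pem.pub" files in the current directory is the trust anchor.
def valid_header?(file_alg, file_version, file_keyname)
  # cheap checks first; nothing touches the filesystem until they pass
  raise 'Invalid artifact version detected' unless VALID_PROFILE_VERSIONS.member?(file_version)
  raise 'Invalid artifact digest algorithm detected' unless VALID_PROFILE_DIGESTS.member?(file_alg)

  if file_keyname.nil? || file_keyname.empty? ||
     file_keyname.include?("\0") ||
     file_keyname != File.basename(file_keyname)
    raise 'Invalid artifact key name detected'
  end

  public_keyfile = "#{file_keyname}.pem.pub"
  puts "Looking for #{public_keyfile} to verify artifact"
  raise "Can't find #{public_keyfile}" unless File.exist? public_keyfile
  true
end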
#verify(file_to_verifiy, &content_block) ⇒ Object
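# Check the signature on an artifact and, only if it verifies, yield the
# signed body (the raw tar.gz bytes) to content_block.
#
# Artifact layout (see .profile_sign): a format-version line, the key name,
# the digest name, the base64 signature (possibly spanning several lines),
# one empty separator line, then the body. Only the body is signed; the
# header is unauthenticated, so every header field goes through
# #valid_header? before it is used.
#
# @param file_to_verifiy [String] path of the .iaf/.iar file
# @param content_block [Proc, nil] receives the verified body bytes
# @return the block's value, or nil when no block was given
# @raise [RuntimeError] if the file is truncated or malformed, the header is
#   invalid, "<keyname>.pem.pub" is not in the current directory (that file
#   is the trust anchor), or the signature does not verify. An invalid
#   signature used to be only printed, which let callers exit successfully
#   on a tampered artifact; it now raises.
def verify(file_to_verifiy, &content_block)
  file_version = file_keyname = file_alg = nil
  file_sig = String.new
  content = nil
  begin
    # binary mode: the body is gzip data and must not be newline-converted;
    # header, signature and body are read in a single pass
    File.open(file_to_verifiy, 'rb') do |f|
      file_version = f.readline.strip
      file_keyname = f.readline.strip
      file_alg = f.readline.strip
      # the signature is multi-line and ends at the empty separator line
      while (line = f.readline) != "\n"
        file_sig << line
      end
      content = f.read
    end
  rescue EOFError
    raise "#{file_to_verifiy} is truncated or is not a signed InSpec artifact"
  end
  file_sig.strip!

  valid_header?(file_alg, file_version, file_keyname)
  verification_key = KEY_ALG.new File.read("#{file_keyname}.pem.pub")
  signature = Base64.decode64(file_sig)

  ok = begin
    verification_key.verify(ARTIFACT_DIGEST.new, signature, content)
  rescue OpenSSL::PKey::PKeyError
    # a garbage signature is just an invalid one
    false
  end
  raise "Artifact is invalid: signature does not verify against #{file_keyname}.pem.pub" unless ok

  content_block.call(content) if content_block
end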