Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Feature/improve pre commit #119

Merged
merged 9 commits into from
Dec 14, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 0 additions & 17 deletions .github/workflows/ansible-lint.yml

This file was deleted.

50 changes: 0 additions & 50 deletions .github/workflows/linter.yml.old

This file was deleted.

17 changes: 17 additions & 0 deletions .github/workflows/pre-commit.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
---
name: pre-commit
on:
- push
- pull_request_target

env:
ANSIBLE_GALAXY_SERVER_AH_TOKEN: ${{ secrets.ANSIBLE_GALAXY_SERVER_AH_TOKEN }}

jobs:
pre-commit:
name: pre-commit
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/setup-python@v3
- uses: pre-commit/[email protected]
15 changes: 14 additions & 1 deletion .pre-commit-config.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -5,12 +5,25 @@ repos:
hooks:
- id: end-of-file-fixer
- id: trailing-whitespace

- id: check-yaml
exclude: \.j2.(yaml|yml)$|\.(yaml|yml).j2$
args: [--unsafe] # see https://github.com/pre-commit/pre-commit-hooks/issues/273

- id: check-toml
- id: check-json
- id: check-symlinks

- repo: https://github.com/ansible/ansible-lint.git
# get latest release tag from https://github.com/ansible/ansible-lint/releases/
rev: v6.18.0
rev: v6.20.3
hooks:
- id: ansible-lint
additional_dependencies:
- jmespath

- repo: https://github.com/psf/black-pre-commit-mirror
rev: 23.11.0
hooks:
- id: black
...
19 changes: 17 additions & 2 deletions CONTRIBUTING.md
Original file line number Diff line number Diff line change
Expand Up @@ -54,6 +54,21 @@ This document aims to outline the requirements for the various forms of contribu
3) Include a README.md in the subdirectory

## Testing
To run `ansible-lint` you will need to set an environment variable for the token to connect to Automation Hub. You can get a token from [here](https://console.redhat.com/ansible/automation-hub/token).

Copy the value of the token and run `export ANSIBLE_GALAXY_SERVER_AH_TOKEN=<token>`
We utilize pre-commit to handle Git hooks, initiating a pre-commit check with each commit, both locally and on CI.

To install pre-commit, use the following commands:
```bash
pip install pre-commit
pre-commit install
```

For further details, refer to the [pre-commit installation documentation](https://pre-commit.com/#installation).

To execute ansible-lint (whether within pre-commit or independently), you must configure an environment variable for the token required to connect to Automation Hub. Obtain the token [here](https://console.redhat.com/ansible/automation-hub/token).

Copy the token value and execute the following command:

```bash
export ANSIBLE_GALAXY_SERVER_AH_TOKEN=<token>
```
4 changes: 2 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ This project is tested for compatibility with the [demo.redhat.com Product Demos
> NOTE: demo.redhat.com is available to Red Hat Associates and Partners with a valid account.

1. First you must create a credential for [Automation Hub](https://console.redhat.com/ansible/automation-hub/) to successfully sync collections used by this project.

1. In the Credentials section of the Controller UI, add a new Credential called `Automation Hub` with the type `Ansible Galaxy/Automation Hub API Token`
2. You can obtain a token [here](https://console.redhat.com/ansible/automation-hub/token). This page will also provide the Server URL and Auth Server URL.
3. Next, click on Organizations and edit the `Default` organization. Add your `Automation Hub` credential to the `Galaxy Credentials` section. Don't forget to click **Save**!!
Expand All @@ -34,7 +34,7 @@ This project is tested for compatibility with the [demo.redhat.com Product Demos
2. If it is not already created for you, create a Project called `Ansible official demo project` with this repo as a source. NOTE: if you are using a fork, be sure that you have the correct URL. Update the project.

3. Finally, Create a Job Template called `Setup` with the following configuration:

- Name: Setup
- Inventory: Demo Inventory
- Exec Env: Control Plane EE
Expand Down
4 changes: 3 additions & 1 deletion ansible.cfg
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,9 @@ roles_path=./roles
server_list = ah,galaxy

[galaxy_server.ah]
#url=https://cloud.redhat.com/api/automation-hub/
# Grab a token at https://console.redhat.com/ansible/automation-hub/token
# Then define it using ANSIBLE_GALAXY_SERVER_AH_TOKEN=""

url=https://console.redhat.com/api/automation-hub/content/published/
auth_url=https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token

Expand Down
2 changes: 1 addition & 1 deletion cloud/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -66,4 +66,4 @@ After running the setup job template, there are a few steps required to make the
**Cloud / AWS / Patch EC2 Workflow** - Create a VPC and one or more linux VM(s) in AWS using the `Cloud / Create VPC` and `Cloud / Create VM` templates. Run the workflow and observe the instance snapshots followed by patching operation. Optionally, use the survey to force a patch failure in order to demonstrate the restore path. At this time, the workflow does not support patching Windows instances.

## Known Issues
Azure does not work without a custom execution environment that includes the Azure dependencies.
Azure does not work without a custom execution environment that includes the Azure dependencies.
Original file line number Diff line number Diff line change
Expand Up @@ -26,4 +26,4 @@ New-LocalUser -Name "ec2-user" -Description "Ansible Service Account" -Password
Add-LocalGroupMember -Group "Administrators" -Member "ec2-user"

Rename-Computer -NewName {{ aws_vm_name }} -Force -Restart
</powershell>
</powershell>
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
from __future__ import (absolute_import, division, print_function)
from __future__ import absolute_import, division, print_function

__metaclass__ = type

from ansible.plugins.callback import CallbackBase
Expand All @@ -14,61 +15,65 @@

role = "iosxeSTIG"


class CallbackModule(CallbackBase):
CALLBACK_VERSION = 2.0
CALLBACK_TYPE = 'xml'
CALLBACK_NAME = 'stig_xml'
CALLBACK_TYPE = "xml"
CALLBACK_NAME = "stig_xml"

CALLBACK_NEEDS_WHITELIST = True

def __init__(self):
super(CallbackModule, self).__init__()
self.rules = {}
self.stig_path = os.environ.get('STIG_PATH')
self.XML_path = os.environ.get('XML_PATH')
self.stig_path = os.environ.get("STIG_PATH")
self.XML_path = os.environ.get("XML_PATH")
if self.stig_path is None:
self.stig_path = os.path.join(os.getcwd(), "roles", role, "files")
self._display.display('Using STIG_PATH: {}'.format(self.stig_path))
self._display.display("Using STIG_PATH: {}".format(self.stig_path))
if self.XML_path is None:
self.XML_path = os.getcwd()
self._display.display('Using XML_PATH: {}'.format(self.XML_path))
self._display.display("Using XML_PATH: {}".format(self.XML_path))

print("Writing: {}".format(self.XML_path))
STIG_name = os.path.basename(self.stig_path)
ET.register_namespace('cdf', 'http://checklists.nist.gov/xccdf/1.2')
self.tr = ET.Element('{http://checklists.nist.gov/xccdf/1.2}TestResult')
self.tr.set('id', 'xccdf_mil.disa.stig_testresult_scap_mil.disa_comp_{}'.format(STIG_name))
ET.register_namespace("cdf", "http://checklists.nist.gov/xccdf/1.2")
self.tr = ET.Element("{http://checklists.nist.gov/xccdf/1.2}TestResult")
self.tr.set(
"id",
"xccdf_mil.disa.stig_testresult_scap_mil.disa_comp_{}".format(STIG_name),
)
endtime = strftime("%Y-%m-%dT%H:%M:%S", gmtime())
self.tr.set('end-time', endtime)
tg = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}target')
self.tr.set("end-time", endtime)
tg = ET.SubElement(self.tr, "{http://checklists.nist.gov/xccdf/1.2}target")
tg.text = platform.node()

def __get_rev(self, nid):
rev = '0'
rev = "0"
# Check all files for the rule number.
for file in os.listdir(self.stig_path):
with open(os.path.join(self.stig_path, file), 'r') as f:
r = 'SV-{}r(?P<rev>\d)_rule'.format(nid)
with open(os.path.join(self.stig_path, file), "r") as f:
r = "SV-{}r(?P<rev>\d)_rule".format(nid)
m = re.search(r, f.read())
if m:
rev = m.group('rev')
rev = m.group("rev")
break
return rev

def v2_runner_on_ok(self, result):
name = result._task.get_name()
m = re.search('stigrule_(?P<id>\d+)', name)
m = re.search("stigrule_(?P<id>\d+)", name)
if m:
nid = m.group('id')
nid = m.group("id")
else:
return
rev = self.__get_rev(nid)
key = "{}r{}".format(nid, rev)
if self.rules.get(key, 'Unknown') != False:
if self.rules.get(key, "Unknown") != False:
self.rules[key] = result.is_changed()

def __set_duplicates(self):
with open(os.path.join(self.stig_path, 'duplicates.json')) as f:
with open(os.path.join(self.stig_path, "duplicates.json")) as f:
dups = json.load(f)
for d in dups:
dup_of = str(dups[d][0])
Expand All @@ -82,17 +87,19 @@ def __set_duplicates(self):
def v2_playbook_on_stats(self, stats):
self.__set_duplicates()
for rule, changed in self.rules.items():
state = 'fail' if changed else 'pass'
rr = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}rule-result')
rr.set('idref', 'xccdf_mil.disa.stig_rule_SV-{}_rule'.format(rule))
rs = ET.SubElement(rr, '{http://checklists.nist.gov/xccdf/1.2}result')
state = "fail" if changed else "pass"
rr = ET.SubElement(
self.tr, "{http://checklists.nist.gov/xccdf/1.2}rule-result"
)
rr.set("idref", "xccdf_mil.disa.stig_rule_SV-{}_rule".format(rule))
rs = ET.SubElement(rr, "{http://checklists.nist.gov/xccdf/1.2}result")
rs.text = state
passing = len(self.rules) - sum(self.rules.values())
sc = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}score')
sc.set('maximum', str(len(self.rules)))
sc.set('system', 'urn:xccdf:scoring:flat-unweighted')
sc = ET.SubElement(self.tr, "{http://checklists.nist.gov/xccdf/1.2}score")
sc.set("maximum", str(len(self.rules)))
sc.set("system", "urn:xccdf:scoring:flat-unweighted")
sc.text = str(passing)
with open(os.path.join(self.XML_path, "xccdf-results.xml"), 'w') as f:
with open(os.path.join(self.XML_path, "xccdf-results.xml"), "w") as f:
out = ET.tostring(self.tr)
pretty = xml.dom.minidom.parseString(out).toprettyxml(encoding='utf-8')
pretty = xml.dom.minidom.parseString(out).toprettyxml(encoding="utf-8")
f.write(pretty)
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ iosxeSTIG_stigrule_215814_login_Text: 'You are accessing a U.S. Government (USG)

By using this IS (which includes any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and

counterintelligence (CI) investigations.

Expand All @@ -36,7 +36,7 @@ counterintelligence (CI) investigations.

-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE, or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys,
-Notwithstanding the above, using this IS does not constitute consent to PM, LE, or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys,

psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.'
# R-215815 CISC-ND-000210
Expand Down
Loading
Loading