Class: ComplianceEngine::Data

Inherits:

Object

• Object
• ComplianceEngine::Data

Defined in:

lib/compliance_engine/data.rb

Overview

Work with compliance data

Instance Attribute Summary

• #data ⇒ Object

  Setting any of these should all invalidate any cached data.

• #enforcement_tolerance ⇒ Object

  Setting any of these should all invalidate any cached data.

• #environment_data ⇒ Object

  Setting any of these should all invalidate any cached data.

• #facts ⇒ Object

  Setting any of these should all invalidate any cached data.

• #modulepath ⇒ Object

  Setting any of these should all invalidate any cached data.

Instance Method Summary

• #ces ⇒ ComplianceEngine::CEs

  Return a collection of CEs.

• #check_mapping(profile_or_ce) ⇒ Hash

  Return all checks that map to the requested profile or CE.

• #checks ⇒ ComplianceEngine::Checks

  Return a collection of checks.

• #confines ⇒ Hash

  Return all confines.

• #controls ⇒ ComplianceEngine::Controls

  Return a collection of controls.

• #files ⇒ Array<String>

  Get a list of files with compliance data.

• #get(file) ⇒ Hash

  Get the compliance data for a given file.

• #hiera(requested_profiles = []) ⇒ Hash

  Return all Hiera data from checks that map to the requested profiles.

• #initialize(*paths, facts: nil, enforcement_tolerance: nil) ⇒ Data constructor

  A new instance of Data.

• #initialize_copy(_source) ⇒ NilClass

  Ensure that cloned/duped objects get independent collection instances.

• #invalidate_cache ⇒ NilClass

  Invalidate the cache of computed data.

• #open(*paths, fileclass: File, dirclass: Dir) ⇒ NilClass

  Scan paths for compliance data files.

• #open_environment(*paths) ⇒ NilClass

  Scan a Puppet environment.

• #open_environment_zip(path, name: nil) ⇒ NilClass

  Scan a Puppet environment from a zip file on disk.

• #open_environment_zip_bytes(bytes, name: nil) ⇒ NilClass

  Scan a Puppet environment from a raw zip byte string.

• #profiles ⇒ ComplianceEngine::Profiles

  Return a profile collection.

• #reset_collection ⇒ NilClass

  Discard all parsed data other than the top-level data.

• #update(filename, key: filename.to_s, fileclass: File) ⇒ NilClass

  Update the data for a given file.

Constructor Details

#initialize(*paths, facts: nil, enforcement_tolerance: nil) ⇒ Data

Returns a new instance of Data.

Parameters:

• paths (Array<String>) —

  The paths to the compliance data files

• facts (Hash) (defaults to: nil) —

  The facts to use while evaluating the data

• enforcement_tolerance (Integer) (defaults to: nil) —

  The tolerance to use while evaluating the data

# File 'lib/compliance_engine/data.rb', line 31

def initialize(*paths, facts: nil, enforcement_tolerance: nil)
  @data = {}
  @facts = facts
  @enforcement_tolerance = enforcement_tolerance
  open(*paths) unless paths.nil? || paths.empty?
end

Instance Attribute Details

#data ⇒ Object

Setting any of these should all invalidate any cached data

# File 'lib/compliance_engine/data.rb', line 39

def data
  @data
end

#enforcement_tolerance ⇒ Object

Setting any of these should all invalidate any cached data

# File 'lib/compliance_engine/data.rb', line 39

def enforcement_tolerance
  @enforcement_tolerance
end

#environment_data ⇒ Object

Setting any of these should all invalidate any cached data

# File 'lib/compliance_engine/data.rb', line 39

def environment_data
  @environment_data
end

#facts ⇒ Object

Setting any of these should all invalidate any cached data

# File 'lib/compliance_engine/data.rb', line 39

def facts
  @facts
end

#modulepath ⇒ Object

Setting any of these should all invalidate any cached data

# File 'lib/compliance_engine/data.rb', line 39

def modulepath
  @modulepath
end

Instance Method Details

#ces ⇒ ComplianceEngine::CEs

Return a collection of CEs

Returns:

• (ComplianceEngine::CEs)

# File 'lib/compliance_engine/data.rb', line 303

def ces
  @ces ||= ComplianceEngine::Ces.new(self)
end

#check_mapping(profile_or_ce) ⇒ Hash

Return all checks that map to the requested profile or CE

Parameters:

• profile_or_ce (ComplianceEngine::Profile, ComplianceEngine::Ce) —

  The requested profile or CE

Returns:

• (Hash)

Raises:

• (ArgumentError)

# File 'lib/compliance_engine/data.rb', line 402

def check_mapping(profile_or_ce)
  raise ArgumentError, 'Argument must be a ComplianceEngine::Profile object' unless profile_or_ce.is_a?(ComplianceEngine::Profile) || profile_or_ce.is_a?(ComplianceEngine::Ce)

  cache_key = "#{profile_or_ce.class}:#{profile_or_ce.key}"

  @check_mapping ||= {}

  return @check_mapping[cache_key] if @check_mapping.key?(cache_key)

  @check_mapping[cache_key] = checks.select do |_, check|
    mapping?(check, profile_or_ce)
  end
end

#checks ⇒ ComplianceEngine::Checks

Return a collection of checks

Returns:

• (ComplianceEngine::Checks)

# File 'lib/compliance_engine/data.rb', line 310

def checks
  @checks ||= ComplianceEngine::Checks.new(self)
end

#confines ⇒ Hash

Return all confines

Returns:

• (Hash)

# File 'lib/compliance_engine/data.rb', line 324

def confines
  return @confines unless @confines.nil?

  @confines ||= {}

  [profiles, ces, checks, controls].each do |collection|
    collection.each_value do |v|
      v.to_a.each do |component|
        next unless component.key?('confine')

        confine = component['confine'].transform_values { |val| val.is_a?(Array) ? val.dup : Array(val) }
        @confines = DeepMerge.deep_merge!(confine, @confines, knockout_prefix: '--')
      end
    end
  end

  @confines
end

#controls ⇒ ComplianceEngine::Controls

Return a collection of controls

Returns:

• (ComplianceEngine::Controls)

# File 'lib/compliance_engine/data.rb', line 317

def controls
  @controls ||= ComplianceEngine::Controls.new(self)
end

#files ⇒ Array<String>

Get a list of files with compliance data

Returns:

• (Array<String>)

# File 'lib/compliance_engine/data.rb', line 277

def files
  return @files unless @files.nil?

  @files = data.select { |_, file| file.key?(:content) }.keys
end

#get(file) ⇒ Hash

Get the compliance data for a given file

Parameters:

• file (String) —

  The path to the compliance data file

Returns:

• (Hash)

# File 'lib/compliance_engine/data.rb', line 287

def get(file)
  data[file][:content]
rescue StandardError
  nil
end

#hiera(requested_profiles = []) ⇒ Hash

Return all Hiera data from checks that map to the requested profiles

Parameters:

• requested_profiles (Array<String>) (defaults to: []) —

  The requested profiles

Returns:

• (Hash)

# File 'lib/compliance_engine/data.rb', line 347

def hiera(requested_profiles = [])
  # If we have no valid profiles, we won't have any hiera data.
  return {} if requested_profiles.empty?

  cache_key = requested_profiles.to_s

  @hiera ||= {}

  return @hiera[cache_key] if @hiera.key?(cache_key)

  valid_profiles = []
  requested_profiles.each do |profile|
    if profiles[profile].nil?
      ComplianceEngine.log.error "Requested profile '#{profile}' not defined"
      next
    end

    valid_profiles << profiles[profile]
  end

  # If we have no valid profiles, we won't have any hiera data.
  if valid_profiles.empty?
    @hiera[cache_key] = {}
    return @hiera[cache_key]
  end

  parameters = {}

  valid_profiles.reverse_each do |profile|
    check_mapping(profile).each_value do |check|
      hiera_data = check.hiera
      next if hiera_data.nil?

      parameters = DeepMerge.deep_merge!(Marshal.load(Marshal.dump(hiera_data)), parameters)
    end
  end

  # deep_merge does not support hash-key knockout via knockout_prefix.
  # Handle parameter-name knockout explicitly: any key starting with '--'
  # signals that the matching key without the prefix should be suppressed
  # (mirrors compliance_markup behavior).
  parameters.each_key do |key|
    next unless key.start_with?('--')

    parameters.delete(key.delete_prefix('--'))
    parameters.delete(key)
  end

  @hiera[cache_key] = parameters
end

#initialize_copy(_source) ⇒ NilClass

Ensure that cloned/duped objects get independent collection instances.

Ruby’s default clone/dup is a shallow copy, so the collection instance variables (@ces, @profiles, @checks, @controls) would otherwise point to the same objects as the source. When facts= is later called on either the source or the clone, invalidate_cache propagates facts into the shared collection, causing the other object to silently adopt the wrong facts.

Nilling the collection variables here forces each clone to lazily rebuild its own collections the first time they are accessed, using its own context (facts, enforcement_tolerance, etc.). Cache variables that depend on those collections are cleared for the same reason.

Returns:

• (NilClass)

# File 'lib/compliance_engine/data.rb', line 106

def initialize_copy(_source)
  super
  # Give each clone its own outer @data hash and its own per-file inner
  # hashes so that new files opened on one clone (via open/update) are not
  # visible to other clones or the source, and so that a loader refresh on
  # the source (which mutates the inner hash in-place via Data#update) does
  # not silently affect a clone that has not yet built its lazy collections.
  # The inner per-file content values (read-only parsed data) stay shared.
  #
  # :loader is additionally cleared (set to nil) so the copy does not hold
  # a reference to the source's DataLoader object.  If it did, the copy
  # calling update(key_string) for an already-known file would invoke
  # loader.refresh, which notifies the source (the registered Observable
  # observer) and overwrites source.data[key][:content] while the copy's
  # inner hash stays stale.  With :loader nil the copy creates its own
  # independent loader (and registers itself as observer) on next access.
  @data = @data.transform_values { |entry| entry.merge(loader: nil) }
  collection_variables.each { |var| instance_variable_set(var, nil) }
  cache_variables.each { |var| instance_variable_set(var, nil) }
  nil
end

#invalidate_cache ⇒ NilClass

Invalidate the cache of computed data

Returns:

• (NilClass)

# File 'lib/compliance_engine/data.rb', line 79

def invalidate_cache
  collection_variables.each { |var| instance_variable_get(var)&.invalidate_cache(self) }
  cache_variables.each { |var| instance_variable_set(var, nil) }
end

#open(*paths, fileclass: File, dirclass: Dir) ⇒ NilClass

Scan paths for compliance data files

Parameters:

• paths (Array<String>) —

  The paths to the compliance data files

• fileclass (Class) (defaults to: File) —

  The class to use for reading files

• dirclass (Class) (defaults to: Dir) —

  The class to use for reading directories

Returns:

• (NilClass)

# File 'lib/compliance_engine/data.rb', line 170

def open(*paths, fileclass: File, dirclass: Dir)
  modules = {}

  paths.each do |path|
    if path.is_a?(ComplianceEngine::EnvironmentLoader)
      open(*path.modules)
      next
    end

    if path.is_a?(ComplianceEngine::ModuleLoader)
      modules[path.name] = path.version unless path.name.nil?
      new_keys = path.files.to_set(&:key)
      module_root = if path.zipfile_path
                      ::File.join(path.zipfile_path, '.', path.path.sub(%r{^/+}, ''))
                    else
                      path.path
                    end
      module_prefix = ::File.join(module_root, '')
      stale_keys = data.keys.select { |k| (k == module_root || k.start_with?(module_prefix)) && !new_keys.include?(k) }
      stale_keys.each { |k| data.delete(k) }
      path.files.each { |file_loader| update(file_loader) }
      reset_collection if path.files.empty? && !stale_keys.empty?
      next
    end

    if path.is_a?(ComplianceEngine::DataLoader)
      update(path, key: path.key, fileclass: fileclass)
      next
    end

    if fileclass.file?(path)
      update(path, key: path.to_s, fileclass: fileclass)
      next
    end

    if fileclass.directory?(path)
      open(ComplianceEngine::ModuleLoader.new(path, fileclass: fileclass, dirclass: dirclass))
      next
    end

    raise ComplianceEngine::Error, "Invalid path or object '#{path}'"
  end

  self.environment_data ||= {}
  self.environment_data = self.environment_data.merge(modules)

  nil
end

#open_environment(*paths) ⇒ NilClass

Scan a Puppet environment

Parameters:

• paths (Array<String>) —

  The Puppet modulepath components

Returns:

• (NilClass)

# File 'lib/compliance_engine/data.rb', line 158

def open_environment(*paths)
  environment = ComplianceEngine::EnvironmentLoader.new(*paths)
  self.modulepath = environment.modulepath
  open(environment)
end

#open_environment_zip(path, name: nil) ⇒ NilClass

Scan a Puppet environment from a zip file on disk

Parameters:

• path (String) —

  filesystem path to the zip archive

• name (String, nil) (defaults to: nil) —

  stable string identifier used as the modulepath and cache-key prefix; defaults to the full path string passed as path.

Returns:

• (NilClass)

# File 'lib/compliance_engine/data.rb', line 133

def open_environment_zip(path, name: nil)
  require 'compliance_engine/environment_loader/zip'

  environment = ComplianceEngine::EnvironmentLoader::Zip.new(path, name: name)
  self.modulepath = environment.modulepath
  open(environment)
end

#open_environment_zip_bytes(bytes, name: nil) ⇒ NilClass

Scan a Puppet environment from a raw zip byte string

Parameters:

• bytes (String) —

  raw binary zip data (e.g. from File.binread or an HTTP body)

• name (String, nil) (defaults to: nil) —

  stable string identifier used as the modulepath and cache-key prefix; defaults to “-” when no filename is available.

Returns:

• (NilClass)

# File 'lib/compliance_engine/data.rb', line 147

def open_environment_zip_bytes(bytes, name: nil)
  require 'compliance_engine/environment_loader/zip_bytes'

  environment = ComplianceEngine::EnvironmentLoader::ZipBytes.new(bytes, name: name)
  self.modulepath = environment.modulepath
  open(environment)
end

#profiles ⇒ ComplianceEngine::Profiles

Return a profile collection

Returns:

• (ComplianceEngine::Profiles)

# File 'lib/compliance_engine/data.rb', line 296

def profiles
  @profiles ||= ComplianceEngine::Profiles.new(self)
end

#reset_collection ⇒ NilClass

Discard all parsed data other than the top-level data

Returns:

• (NilClass)

# File 'lib/compliance_engine/data.rb', line 87

def reset_collection
  # Discard any cached objects
  (instance_variables - (data_variables + context_variables)).each { |var| instance_variable_set(var, nil) }
end

#update(filename, key: filename.to_s, fileclass: File) ⇒ NilClass

Update the data for a given file

Parameters:

• file (String) —

  The path to the compliance data file

• key (String) (defaults to: filename.to_s) —

  The key to use for the data

• fileclass (Class) (defaults to: File) —

  The class to use for reading files

• size (Integer) —

  The size of the file

• mtime (Time) —

  The modification time of the file

Returns:

• (NilClass)

# File 'lib/compliance_engine/data.rb', line 227

def update(
  filename,
  key: filename.to_s,
  fileclass: File
)
  if filename.is_a?(String)
    data[key] ||= {}

    if data[key]&.key?(:loader) && data[key][:loader]
      data[key][:loader].refresh if data[key][:loader].respond_to?(:refresh)
      return
    end

    loader = if File.extname(filename) == '.json'
               ComplianceEngine::DataLoader::Json.new(filename, fileclass: fileclass, key: key)
             else
               ComplianceEngine::DataLoader::Yaml.new(filename, fileclass: fileclass, key: key)
             end

    loader.add_observer(self, :update)
    data[key] = {
      loader: loader,
      version: ComplianceEngine::DataVersion.new(loader.data['version']),
      content: loader.data,
    }
  else
    data[filename.key] ||= {}

    # Register as an observer only when no loader is currently attached.
    # Checking the :loader value (rather than key presence) is important
    # after clone/dup: initialize_copy sets :loader to nil so the copy does
    # not share the source's loader, but the key still exists.  Checking
    # key presence would see the nil as "already registered" and skip
    # add_observer, leaving the copy deaf to future loader refreshes.
    unless data[filename.key][:loader]
      data[filename.key][:loader] = filename
      data[filename.key][:loader].add_observer(self, :update)
    end
    data[filename.key][:version] = ComplianceEngine::DataVersion.new(filename.data['version'])
    data[filename.key][:content] = filename.data
  end

  reset_collection
rescue StandardError => e
  ComplianceEngine.log.error e.message
end