#!/usr/bin/env python3
#
# Copyright (c) 2018 by Cisco Systems, Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#

""" Generate CVE report for the given Linux kernel GIT branch
"""

import re
import sys
import argparse
import textwrap
import subprocess
import logging
import logging.config
import cvert


def report_kernel():
    """Generate Linux kernel CVE report"""

    parser = argparse.ArgumentParser(
        formatter_class=argparse.RawDescriptionHelpFormatter,
        description=textwrap.dedent("""
        Generate CVE report for the Linux kernel.
        Inspect Linux kernel GIT tree and find all CVE patches commits.
        """),
        epilog=textwrap.dedent("""
        @ run examples:

        # Download (update) NVD feeds in "nvdfeed" directory
        # and prepare the report for the "kernel-sources" directory
        %% %(prog)s --feed-dir nvdfeed --output report-kernel.txt kernel-sources

        # Use existed NVD feeds in "nvdfeed" directory
        # and prepare the report for the "kernel-sources" directory
        %% %(prog)s --offline --feed-dir nvdfeed --output report-kernel.txt kernel-sources

        # (faster) Restore CVE dump from "cvedump" (must exist)
        # and prepare the report for the "kernel-sources" directory
        %% %(prog)s --restore cvedump --output report-kernel.txt kernel-sources

        # Restore CVE dump from "cvedump" (must exist)
        # and prepare the extended report for the "kernel-sources" directory
        %% %(prog)s --restore cvedump --show-description --show-reference --output report-kernel.txt kernel-sources

        @ report example output (NVD resource):

        # 2018-10-10 15:41:52,213 %% CVERT %% INFO     %% kernel version: 4.9.132
        . patched |  3.3 | CVE-2017-17807     | nvd: KEYS: add missing permission check for request_key() destination
        unpatched |  3.3 | CVE-2017-17864     | 
        unpatched |  4.4 | CVE-2016-9604      | 
        unpatched |  4.4 | CVE-2017-12153     | 
        unpatched |  4.4 | CVE-2017-14051     | 
        . patched |  4.6 | CVE-2017-8924      | nvd: USB: serial: io_ti: fix information leak in completion handler
        unpatched |  4.7 | CVE-2017-17449     | 
        . patched |  4.7 | CVE-2017-18203     | nvd: dm: fix race between dm_get_from_kobject() and __dm_destroy()
        . patched |  4.7 | CVE-2017-18224     | nvd: ocfs2: ip_alloc_sem should be taken in ocfs2_get_block()
        . patched |  4.7 | CVE-2018-1065      | nvd: netfilter: add back stackpointer size checks
        ...

        @ report example output (NVD+LKC resource):

        # 2018-10-10 15:46:05,902 %% CVERT %% INFO     %% kernel version: 4.9.132
        . patched |  3.3 | CVE-2017-17807     | nvd: KEYS: add missing permission check for request_key() destination
        unpatched |  3.3 | CVE-2017-17864     | 
        . patched |  4.4 | CVE-2016-9604      | lkc: a5c6e0a76817a3751f58d761aaff7c0b0c4001ff
        . patched |  4.4 | CVE-2017-12153     | lkc: c820441a7a52e3626aede8df94069a50a9e4efdb
        . patched |  4.4 | CVE-2017-14051     | lkc: 2a913aecc4f746ce15eb1bec98b134aff4190ae2
        . patched |  4.6 | CVE-2017-8924      | nvd: USB: serial: io_ti: fix information leak in completion handler
        . patched |  4.7 | CVE-2017-17449     | lkc: 0b18782288a2f1c2a25e85d2553c15ea83bb5802
        . patched |  4.7 | CVE-2017-18203     | nvd: dm: fix race between dm_get_from_kobject() and __dm_destroy()
        . patched |  4.7 | CVE-2017-18224     | nvd: ocfs2: ip_alloc_sem should be taken in ocfs2_get_block()
        . patched |  4.7 | CVE-2018-1065      | nvd: netfilter: add back stackpointer size checks
        ...
        """))

    group = parser.add_mutually_exclusive_group(required=True)
    group.add_argument("-f", "--feed-dir", help="feeds directory")
    group.add_argument("-d", "--restore", help="load CVE data structures from file",
                       metavar="FILENAME")
    parser.add_argument("--offline", help="do not update from NVD site",
                        action="store_true")
    parser.add_argument("-o", "--output", help="save report to the file")
    parser.add_argument("-k", "--kernel-ver", help='overwrite kernel version, '
                                                   'default is "make kernelversion"',
                        metavar="VERSION")
    parser.add_argument("--show-description", help='show "Description" in the report',
                        action="store_true")
    parser.add_argument("--show-reference", help='show "Reference" in the report',
                        action="store_true")
    parser.add_argument("-r", "--resource", help='resources: e.g.: "--resource nvd lkc"',
                        nargs="+", default=["nvd"])
    parser.add_argument("--patched", help="patched CVE IDs",
                        nargs="+", default=[])
    parser.add_argument("--debug", help="print debug messages",
                        action="store_true")

    parser.add_argument("kernel_dir", help="kernel GIT directory",
                        metavar="kernel-dir")

    args = parser.parse_args()

    logging.config.dictConfig(cvert.logconfig(args.debug))

    kernel_dir = args.kernel_dir

    if args.restore:
        cve_struct = cvert.load_cve(args.restore)
    elif args.feed_dir:
        cve_struct = cvert.update_feeds(args.feed_dir, args.offline)

    if not cve_struct and args.offline:
        parser.error("No CVEs found. Try to turn off offline mode or use other file to restore.")

    if args.output:
        output = open(args.output, "w")
    else:
        output = sys.stdout

    if args.kernel_ver:
        kernel_ver = args.kernel_ver
    else:
        kernel_ver = get_version(kernel_dir)

    logging.info("kernel version: %s", kernel_ver)

    if "lkc" in args.resource:
        lkc_ctx = prepare_lkc()

    commits = get_commits(kernel_dir)
    report = cvert.generate_report({"linux_kernel": {kernel_ver: list(args.patched)}}, cve_struct)

    for cve in report:
        cve["comment"] = ""

        if "nvd" in args.resource and cve["status"] == "unpatched":
            process_nvd(cve, kernel_dir, commits)

        if "lkc" in args.resource and cve["status"] == "unpatched":
            process_lkc(cve, kernel_dir, commits, lkc_ctx)

    print_report(report,
                 show_description=args.show_description,
                 show_reference=args.show_reference,
                 output=output)

    if args.output:
        output.close()


def process_nvd(cve, kernel_dir, commits):
    """Process NVD references.

    Sometimes NVD "Reference" contains a link to the commit in the GIT
    upstream mainline.

    First, look if we have that commit ID in the current local GIT
    branch. It happens if you created local branch after CVE has been
    fixed in mainline.

    Otherwise, don't give up, and try to find the same headline
    commit. It works if local GIT tree has up-to-date mainline branch
    fetched.

    That is all we can do having only mainline commit ID.

    """

    for url in cve["reference"]:
        iden = get_iden(url)

        if iden and iden in commits["iden"]:
            mark_patched(cve, "nvd: {0}".format(iden.decode()))
            return

        head = get_headline(kernel_dir, iden)

        if head and head in commits["head"]:
            mark_patched(cve, "nvd: {0}".format(head.decode()))
            return


def process_lkc(cve, kernel_dir, commits, ctx):
    """Process Linux Kernel CVEs approach

    [https://github.com/nluedtke/linux_kernel_cves]

    "kernel" context contains mainline "fixes" commit ID. So, check
    with that first.

    "stream" context contains backported "cmd_id" for other upstream
    branches. Check accordingly.

    If no commit ID found in local current branch, than look for the
    same headline commits. Rarely backported commit has different
    headline, so look at the "cmt_msg" first.

    """

    iden_candidats = []

    try:
        iden = ctx["kernel"][cve["CVE"]]["fixes"].encode()
    except KeyError:
        logging.debug("%s: commit ID not found", cve["CVE"])
        iden = None

    if iden:
        iden_candidats.append(iden)

        if iden in commits["iden"]:
            mark_patched(cve, "lkc: {0}".format(iden.decode()))
            return

    if cve["CVE"] in ctx["stream"]:
        for kver in ctx["stream"][cve["CVE"]]:
            try:
                iden = ctx["stream"][cve["CVE"]][kver]["cmt_id"].encode()
            except KeyError:
                logging.debug("%s: commit ID not found", cve["CVE"])
                iden = None

            if iden:
                iden_candidats.append(iden)

                if iden in commits["iden"]:
                    mark_patched(cve, "lkc: {0}".format(iden.decode()))
                    return

    try:
        head = ctx["kernel"][cve["CVE"]]["cmt_msg"].encode()
    except KeyError:
        logging.debug("%s: commit message header not found", cve["CVE"])
        head = None

    if head and head in commits["head"]:
        mark_patched(cve, "lkc: {0}".format(head.decode()))
        return

    # last chance
    for iden in iden_candidats:
        head = get_headline(kernel_dir, iden)

        if head and head in commits["head"]:
            mark_patched(cve, "lkc: {0}".format(head.decode()))
            return


def prepare_lkc():
    """Prepare LKC context."""

    import urllib.request
    import json

    ctx = {}
    url_base = "https://github.com/nluedtke/linux_kernel_cves/raw/master"

    with urllib.request.urlopen(url_base + "/kernel_cves.json") as url:
        ctx["kernel"] = json.loads(url.read().decode())

    with urllib.request.urlopen(url_base + "/stream_fixes.json") as url:
        ctx["stream"] = json.loads(url.read().decode())

    return ctx


def mark_patched(cve, comment=""):
    """Put a "patched" mark for the CVE."""

    cve["status"] = "patched"
    cve["comment"] = comment


def get_version(kernel_dir):
    """Return kernel version."""

    return subprocess.check_output(
        ["make", "kernelversion"],
        cwd=kernel_dir,
        stderr=subprocess.DEVNULL
    ).decode().rstrip()


def get_commits(kernel_dir):
    """Return GIT commits dict."""

    commits = {"iden": [], "head": []}

    for gitlog in subprocess.check_output(["git", "log", "--format=%H %s"],
                                          cwd=kernel_dir,
                                          stderr=subprocess.DEVNULL
                                         ).splitlines():
        oneline = gitlog.split(maxsplit=1)

        if len(oneline) > 1:
            commits["head"].append(oneline[1])
        else:
            commits["head"].append(b"")

        commits["iden"].append(oneline[0])

    return commits


def get_iden(url):
    """Return kernel commit ID from URL."""

    commit_re = [
        r"^http://git\.kernel\.org/cgit/linux/kernel/git/torvalds/linux\.git/commit/\?id=(.+)$",
        r"^https?://github\.com/torvalds/linux/commit/(.+)$"
    ]

    for regexp in commit_re:
        matched = re.match(regexp, url)

        if matched:
            return matched.group(1)

    return None


def get_headline(kernel_dir, iden):
    """Return commit headline."""

    if not iden:
        return None

    try:
        head = subprocess.check_output(["git", "show",
                                        "--no-patch",
                                        "--format=%s",
                                        iden],
                                       cwd=kernel_dir,
                                       stderr=subprocess.DEVNULL
                                      ).rstrip()
    except subprocess.CalledProcessError:
        logging.debug("%s: commit ID not found", iden)
        head = None

    return head


def print_report(report, width=70, show_description=False, show_reference=False, output=sys.stdout):
    """Output kernel report."""

    for cve in report:
        print("{0:>9s} | {1:>4s} | {2:18s} | {3}".format(cve["status"], cve["CVSS"],
                                                         cve["CVE"], cve["comment"]),
              file=output)

        if show_description:
            print("{0:>9s} + {1}".format(" ", "Description"), file=output)

            for lin in textwrap.wrap(cve["description"], width=width):
                print("{0:>9s}   {1}".format(" ", lin), file=output)

        if show_reference:
            print("{0:>9s} + {1}".format(" ", "Reference"), file=output)

            for url in cve["reference"]:
                print("{0:>9s}   {1}".format(" ", url), file=output)


if __name__ == "__main__":
    report_kernel()
