diff --git a/.gitpod.launch.json b/.gitpod.launch.json index 2b11d1fecd4..eb40ce066e2 100644 --- a/.gitpod.launch.json +++ b/.gitpod.launch.json @@ -61,8 +61,7 @@ "--remove-ocp4-only", "--add-product-to-fips-certified", "fedora", - "--add-platform", - "&&CPE&&", + "--remove-platforms", "${command:content-navigator.getRuleId}" ], "env": { diff --git a/.gitpod.yml b/.gitpod.yml index 0430ec43e18..9b93b444ea3 100644 --- a/.gitpod.yml +++ b/.gitpod.yml @@ -21,13 +21,11 @@ tasks: git+https://github.com/ggbecker/sphinxcontrib.jinjadomain.git#egg=sphinxcontrib-jinjadomain [ -z "$PRODUCT" ] && PRODUCT="fedora" [ -z "$CONTAINER" ] && CONTAINER=$PRODUCT - [ -z "$CONTAINER_VERSION" ] && CONTAINER_VERSION="$CONTAINER:34" - [ -z "$CPE" ] && CPE="cpe:/o:fedoraproject:fedora:34" + [ -z "$CONTAINER_VERSION" ] && CONTAINER_VERSION="$CONTAINER" mkdir -p .vscode && cp .gitpod.launch.json .vscode/launch.json CONTAINER_NAME=${CONTAINER}_container sed -i "s/&&CONTAINER_NAME&&/$CONTAINER_NAME/g" .vscode/launch.json sed -i "s/&&DEFAULT_PRODUCT&&/$PRODUCT/g" .vscode/launch.json - sed -i "s,&&CPE&&,$CPE,g" .vscode/launch.json PRIVATE_KEY_FOLDER=.ssh PRIVATE_KEY_FILEPATH=$PRIVATE_KEY_FOLDER/id_rsa sed -i "s,&&PRIVATE_KEY_FILEPATH&&,$PRIVATE_KEY_FILEPATH,g" .vscode/launch.json diff --git a/docs/workshop/lab3_profiles.adoc b/docs/workshop/lab3_profiles.adoc index 9c7d324775d..1092ef20b3e 100644 --- a/docs/workshop/lab3_profiles.adoc +++ b/docs/workshop/lab3_profiles.adoc @@ -6,7 +6,6 @@ // Variables :container_name: fedora_container -:cpe_identifier: cpe:/o:fedoraproject:fedora:34 == Introduction @@ -647,7 +646,7 @@ You also add arguments to turn on full reporting, which generates XML and HTML r --datastream build/ssg-rhel8-ds.xml \ --remediate-using bash \ --remove-machine-only \ - --add-platform "{cpe_identifier}" \ + --remove-platforms \ --logdir profile-log \ travel ---- diff --git a/docs/workshop/lab5_oval.adoc b/docs/workshop/lab5_oval.adoc index 80398d2ffca..2bfcfc173ea 100644 
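Review bot: In the .gitpod.yml hunk, `CONTAINER_VERSION="$CONTAINER"` drops the `:34` tag, so with the default `PRODUCT=fedora` the workspace now resolves to an unpinned `fedora` (i.e. whatever `latest` is at pull time); where CONTAINER_VERSION is consumed is outside this hunk, but nothing visible re-adds a tag. The tag no longer has to agree with a CPE now that `--remove-platforms` is used, yet an unpinned base image makes the lab environment non-reproducible and silently changes the OS the RHEL content is exercised against. I would keep a pinned default and make the override path explicit, e.g. `[ -z "$CONTAINER_VERSION" ] && CONTAINER_VERSION="$CONTAINER:34"` with the comment `# image tag is independent of the content's CPE now; set CONTAINER_VERSION to test another release`, or at minimum spell out the floating tag as `"$CONTAINER:latest"` so the choice is visible.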
--- a/docs/workshop/lab5_oval.adoc +++ b/docs/workshop/lab5_oval.adoc @@ -6,7 +6,6 @@ // Variables :container_name: fedora_container -:cpe_identifier: cpe:/o:fedoraproject:fedora:34 == Introduction @@ -277,7 +276,7 @@ With that in mind, execute the test suite: --datastream build/ssg-rhel8-ds.xml \ --remediate-using bash \ --remove-machine-only \ - --add-platform "{cpe_identifier}" \ + --remove-platforms \ accounts_tmout ---- + @@ -307,7 +306,7 @@ The alternative mode is `profile` mode, which is simpler--there are no test scen * Finally, you specify what to test--a rule regular expression: `accounts_tmout` or `^accounts_tmout$`. -* Other parameters are also used for supporting running tests in this kind of environment. For example, you use `--add-platform "{cpe_identifier}"` to make the RHEL8 content applicable to Fedora images. +* Other parameters are also used for supporting running tests in this kind of environment. For example, you use `--remove-platforms` to make the RHEL8 content applicable to Fedora images. ==== The output tells you the following: @@ -433,7 +432,7 @@ TIP: You can use the `Up` arrow key to browse the command history so you do not --datastream build/ssg-rhel8-ds.xml \ --remediate-using bash \ --remove-machine-only \ - --add-platform "{cpe_identifier}" \ + --remove-platforms \ accounts_tmout ---- + @@ -573,7 +572,7 @@ This way, you do not have to worry about possibly introducing those link:https:/ --docker {container_name} \ --remediate-using bash \ --remove-machine-only \ - --add-platform "{cpe_identifier}" \ + --remove-platforms \ accounts_tmout ---- + @@ -656,7 +655,7 @@ fi --docker {container_name} \ --remediate-using bash \ --remove-machine-only \ - --add-platform "{cpe_identifier}" \ + --remove-platforms \ accounts_tmout ---- + 
@@ -705,7 +704,7 @@ This time, when rebuilt and executed again, the tests pass: --docker {container_name} \ --remediate-using bash \ --remove-machine-only \ - --add-platform "{cpe_identifier}" \ + --remove-platforms \ accounts_tmout ---- + @@ -757,7 +756,7 @@ Execute the test suite again and expect the `ERROR - Script correct_value.pass.s --docker {container_name} \ --remediate-using bash \ --remove-machine-only \ - --add-platform "{cpe_identifier}" \ + --remove-platforms \ accounts_tmout ---- + @@ -804,7 +803,7 @@ The non-capturing group that consists of `export` followed by at least one white --docker {container_name} \ --remediate-using bash \ --remove-machine-only \ - --add-platform "{cpe_identifier}" \ + --remove-platforms \ accounts_tmout ---- + diff --git a/tests/README.md b/tests/README.md index f4672d9c30e..365a857e31b 100644 --- a/tests/README.md +++ b/tests/README.md @@ -398,7 +398,7 @@ Using Podman: ``` or just call the `test_rule_in_container.sh` script that passes the backend options for you -in addition to `--remove-machine-only` and `--add-platform` +in addition to `--remove-machine-only` and `--remove-platforms` that remove some testing limitations of the container backend. Using Docker: diff --git a/tests/automatus.py b/tests/automatus.py index 98ba56a2599..1e3abed33e5 100755 --- a/tests/automatus.py +++ b/tests/automatus.py @@ -70,7 +70,8 @@ def parse_args(): "--add-platform", metavar="", default=None, - help="Find all CPEs that are present in local OpenSCAP's CPE dictionary " + help="DEPRECATED: Use --remove-platforms instead; " + "Find all CPEs that are present in local OpenSCAP's CPE dictionary " "that match the provided regex, " "and add them as platforms to all datastream benchmarks. " "If the regex doesn't match anything, it will be treated " 
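Review bot: In the tests/automatus.py hunk, the deprecation of `--add-platform` lives only in the argparse help string, so a user (or the CI wrappers that still pass it) gets no signal at runtime that the option is on its way out. The place where `options.add_platform` is consumed is outside this hunk, but wherever that is I would add a one-time warning through the module's existing logger, e.g. `logging.warning("--add-platform is deprecated, use --remove-platforms instead")`, so scripts can be migrated before the option is removed. It is also worth stating in the help text what the replacement does differently (it strips applicability rather than adding a matching CPE), since the two are not interchangeable when the datastream is later run on a real host.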
@@ -81,6 +82,14 @@ def parse_args(): default=None, help="Add installed_OS_is_$product extend_definition to the " "installed_OS_is_FIPS_certified OVAL criteria definition.") + common_parser.add_argument( + "--remove-platforms", + default=False, + action="store_true", + help="Remove any platforms from the Benchmark XML elements and Profile " + "XML elements, essentially making the content applicable to any platform. " + "Although more low level platforms such as packages or container/machine " + "CPE are still applicable.") common_parser.add_argument( "--remove-machine-only", default=False, @@ -484,6 +493,8 @@ def main(): options.datastream = stashed_datastream with xml_operations.datastream_root(stashed_datastream, stashed_datastream) as root: + if options.remove_platforms: + xml_operations.remove_platforms(root) if options.remove_machine_only: xml_operations.remove_machine_platform(root) xml_operations.remove_machine_remediation_condition(root) diff --git a/tests/ssg_test_suite/xml_operations.py b/tests/ssg_test_suite/xml_operations.py index 60448be1be6..95d34f2cedb 100644 --- a/tests/ssg_test_suite/xml_operations.py +++ b/tests/ssg_test_suite/xml_operations.py @@ -81,13 +81,19 @@ def datastream_root(ds_location, save_location=None): tree.write(save_location) -def remove_platforms_from_element(root, element_spec, platforms): - query = BENCHMARK_QUERY + "//{0}".format(element_spec) - elements = root.findall(query, PREFIX_TO_NS) +def find_elements(root, element_spec=None): + query = BENCHMARK_QUERY + if element_spec is not None: + query = query + "//{0}".format(element_spec) + return root.findall(query, PREFIX_TO_NS) + + +def remove_platforms_from_element(root, element_spec=None, platforms=None): + elements = find_elements(root, element_spec) for el in elements: platforms_xml = el.findall("./xccdf-1.2:platform", PREFIX_TO_NS) for p in platforms_xml: - if instance_in_platforms(p, platforms): + if platforms is None or instance_in_platforms(p, platforms): el.remove(p) 
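Review bot: The help text for `--remove-platforms` ends in a sentence fragment ("Although more low level platforms such as packages or container/machine CPE are still applicable.") and does not say which elements keep their platforms, which is the one thing a user needs to know before relying on it; from the accompanying `remove_platforms` helper only the Benchmark and Profile platforms are touched, Rule and Group platforms stay. I would replace the help with `help="Remove every <platform> element from the Benchmark and from all Profiles, making the datastream applicable to any platform. Platforms on Rules and Groups (e.g. package or container/machine CPEs) are left in place."`. If `--add-platform` and `--remove-platforms` are not meant to be combined, a short note in the help saying which one wins would save a confused bug report.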
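Review bot: In the `main()` hunk, `xml_operations.remove_platforms(root)` silently disables the datastream's OS applicability, so every selected rule and its `--remediate-using bash` remediation will run on whatever the backend points at; inside a throwaway container that is the intent, but automatus also drives other backends and a mistyped target would be modified without any CPE gate. I would log this next to the call, using the logger the module already has, e.g. `logging.warning("--remove-platforms: OS applicability checks disabled, content will be applied to any target")`. The ordering before `remove_machine_only` looks fine since the two operate on different elements. The body of `main()` extends well beyond this hunk, so I cannot see whether a comparable warning already exists elsewhere.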
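Review bot: In the tests/ssg_test_suite/xml_operations.py hunk, `remove_platforms_from_element(root, element_spec=None, platforms=None)` gives `platforms` a default whose meaning is "delete every platform" (the new `platforms is None or instance_in_platforms(...)` test), so any caller that forgets the third argument now strips all applicability instead of failing loudly. I would make that contract explicit with a docstring, e.g. `"""Remove <xccdf:platform> children from the elements matched by element_spec (the Benchmark itself when None). If platforms is None every platform is removed; otherwise only those listed."""`, and consider a dedicated sentinel or a separate `remove_all_platforms_from_element` so "remove all" has to be asked for by name. `find_elements` also lacks a docstring saying it returns Benchmark descendants matched by `element_spec` under `BENCHMARK_QUERY`. The function may continue past `el.remove(p)`; the hunk ends there.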
@@ -103,6 +109,11 @@ def remove_machine_platform(root): remove_platforms_from_element(root, "xccdf-1.2:Group", "#machine") +def remove_platforms(root): + remove_platforms_from_element(root) + remove_platforms_from_element(root, "xccdf-1.2:Profile") + + def remove_ocp4_platforms(root): remove_platforms_from_element( root, "xccdf-1.2:Rule", diff --git a/tests/test_rule_in_container.sh b/tests/test_rule_in_container.sh index c6c37b3a74a..3e6dc68b420 100755 --- a/tests/test_rule_in_container.sh +++ b/tests/test_rule_in_container.sh @@ -227,8 +227,6 @@ if test "$_arg_docker" = on; then fi $CONTAINER_BACKEND images | grep -q "$_arg_name" || die "Couldn't find the $CONTAINER_BACKEND image '$_arg_name'" -test_image_cpe_product=$($CONTAINER_BACKEND run --rm "$_arg_name" sh -c '. /etc/os-release && echo "$CPE_NAME"') -test -n "$test_image_cpe_product" || die "Unable to deduce the product CPE from the container's /etc/os-release file." additional_args=() test "$_arg_dontclean" = on && additional_args+=(--dontclean) @@ -248,7 +246,7 @@ if test -n "$ADDITIONAL_SSGTS_OPTIONS"; then ADDITIONAL_TEST_OPTIONS="$ADDITIONAL_SSGTS_OPTIONS" fi -command=(python3 "${script_dir}/automatus.py" rule ${ADDITIONAL_TEST_OPTIONS} --remove-machine-only --remove-ocp4-only "${additional_args[@]}" --add-platform "$test_image_cpe_product" "$CONTAINER_OPT" "$_arg_name" -- "${_arg_rule[@]}") +command=(python3 "${script_dir}/automatus.py" rule ${ADDITIONAL_TEST_OPTIONS} --remove-platforms --remove-machine-only --remove-ocp4-only "${additional_args[@]}" "$CONTAINER_OPT" "$_arg_name" -- "${_arg_rule[@]}") if test "$_arg_dry_run" = on; then printf '%s\n' "${command[*]}" else
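Review bot: `remove_platforms(root)` has no docstring, and its name suggests it strips every platform in the datastream while the two calls only clear the Benchmark element and the Profile elements; Rule and Group platforms (package, machine, container CPEs) are untouched. I would document exactly that, e.g. `"""Strip every <platform> from the Benchmark and from all Profiles so the content applies to any OS; Rule/Group platforms are kept."""`, and pass `platforms=None` explicitly in both calls so a reader sees the remove-all intent rather than relying on the default.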