From dc6d9a7b537669e2518cafc9197b366a736b12e3 Mon Sep 17 00:00:00 2001
From: Alexander Scheel
Date: Thu, 29 Jul 2021 07:34:21 -0400
Subject: [PATCH] Allow conditional building of SCE content

Introduces the SSG_SCE_ENABLED variable (defaulting to false) to enable/disable SCE content generation. Note that an empty metadata.json will still be generated, but no SCE content will be generated.

Signed-off-by: Alexander Scheel
---
 CMakeLists.txt | 1 +
 build_config.yml.in | 2 ++
 cmake/SSGCommon.cmake | 44 ++++++++++++++++++++++++++++---------------
 ssg/build_yaml.py | 2 +-
 4 files changed, 33 insertions(+), 16 deletions(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 67aab37ac96..d10fdc280cc 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -52,6 +52,7 @@ option(SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED "If enabled, Ansible Playbooks for
 option(SSG_BASH_SCRIPTS_ENABLED "If enabled, Bash remediation scripts for each profile will be built and installed." TRUE)
 option(SSG_JINJA2_CACHE_ENABLED "If enabled, the jinja2 templating files will be cached into bytecode. Also see SSG_JINJA2_CACHE_DIR." TRUE)
 option(SSG_BATS_TESTS_ENABLED "If enabled, bats will be used to run unit-tests of bash remediations." TRUE)
+option(SSG_SCE_ENABLED "If enabled, additional SCE audit content will be enabled alongside OVAL-based auditing." FALSE)
 set(SSG_JINJA2_CACHE_DIR "${CMAKE_BINARY_DIR}/jinja2_cache" CACHE PATH "Where the jinja2 cached bytecode should be stored. This speeds up builds at the expense of disk space. You can use one location for multiple SSG builds for performance improvements.")
 
 # SSG_PRODUCT_DEFAULT modifies the behavior of all other options. Products
diff --git a/build_config.yml.in b/build_config.yml.in
index a5ce19926fa..9b3a9907328 100644
--- a/build_config.yml.in
+++ b/build_config.yml.in
@@ -7,3 +7,5 @@ target_oval_version_str: "@SSG_TARGET_OVAL_VERSION@"
 
 jinja2_cache_enabled: @SSG_JINJA2_CACHE_ENABLED_BOOL@
 jinja2_cache_dir: "@SSG_JINJA2_CACHE_DIR@"
+
+sce_enabled: "@SSG_SCE_ENABLED@"
diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake
index 333d3f22719..651b8470cb4 100644
--- a/cmake/SSGCommon.cmake
+++ b/cmake/SSGCommon.cmake
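Review bot: `sce_enabled: "@SSG_SCE_ENABLED@"` substitutes the cache value as a quoted YAML string, so a consumer receives the text `"FALSE"` (or `"OFF"`, `"0"`, whichever spelling the user gave the option) rather than a boolean, and a Python truthiness test on it is true even when SCE is disabled. The neighbouring `jinja2_cache_enabled: @SSG_JINJA2_CACHE_ENABLED_BOOL@` shows the pattern this file already uses: a normalized boolean, unquoted. I would write `sce_enabled: @SSG_SCE_ENABLED_BOOL@` and derive that new variable in CMakeLists.txt the same way the jinja2 one is derived; that derivation is outside this patch, so match its spelling there. Nothing in the patch reads `sce_enabled` yet, so whichever consumer is added later should be able to test a real boolean instead of comparing strings.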
@@ -393,19 +393,31 @@ macro(ssg_build_sce PRODUCT)
     # in the combine paths below.
     set(SCE_COMBINE_PATHS "${SSG_SHARED}/checks/sce" "${CMAKE_CURRENT_SOURCE_DIR}/checks/sce")
 
-    # Unlike build_oval_unlinked, we don't depend on templated content yet.
-    #
-    # This is for two reasons:
-    # 1. Support for templated SCE isn't yet implemented.
-    # 2. Generating YAML->Shorthand (in ssg_build_shorthand_xml) relies on
-    # our data, so we need it to occur earlier. However, templating depends
-    # the Shorthand, so we'd have a dependency circle.
-    add_custom_command(
-        OUTPUT "${BUILD_CHECKS_DIR}/sce/metadata.json"
-        COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/build_sce.py" --build-config-yaml "${CMAKE_BINARY_DIR}/build_config.yml" --product-yaml "${CMAKE_CURRENT_SOURCE_DIR}/product.yml" --output "${BUILD_CHECKS_DIR}/sce" ${SCE_COMBINE_PATHS}
-        DEPENDS "${SSG_BUILD_SCRIPTS}/build_sce.py"
-        COMMENT "[${PRODUCT}-content] generating sce/metadata.json"
-    )
+    if (SSG_SCE_ENABLED)
+        # Unlike build_oval_unlinked, we don't depend on templated content yet.
+        #
+        # This is for two reasons:
+        # 1. Support for templated SCE isn't yet implemented.
+        # 2. Generating YAML->Shorthand (in ssg_build_shorthand_xml) relies on
+        # our data, so we need it to occur earlier. However, templating depends
+        # the Shorthand, so we'd have a dependency circle.
+        add_custom_command(
+            OUTPUT "${BUILD_CHECKS_DIR}/sce/metadata.json"
+            COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/build_sce.py" --build-config-yaml "${CMAKE_BINARY_DIR}/build_config.yml" --product-yaml "${CMAKE_CURRENT_SOURCE_DIR}/product.yml" --output "${BUILD_CHECKS_DIR}/sce" ${SCE_COMBINE_PATHS}
+            DEPENDS "${SSG_BUILD_SCRIPTS}/build_sce.py"
+            COMMENT "[${PRODUCT}-content] generating sce/metadata.json"
+        )
+    else()
+        # Here we fake generating SCE metadata by creating an empty file.
+        # Because every other step reads data from this metadata file, if
+        # it is empty, no SCE content will actually be generated.
+        add_custom_command(
+            OUTPUT "${BUILD_CHECKS_DIR}/sce/metadata.json"
+            COMMAND ${CMAKE_COMMAND} -E make_directory "${BUILD_CHECKS_DIR}/sce"
+            COMMAND ${CMAKE_COMMAND} -E touch "${BUILD_CHECKS_DIR}/sce/metadata.json"
+            COMMENT "[${PRODUCT}-content] generating sce/metadata.json"
+        )
+    endif()
     add_custom_target(
         generate-internal-${PRODUCT}-sce-metadata.json
         DEPENDS "${CMAKE_CURRENT_BINARY_DIR}/checks/sce/metadata.json"
@@ -920,8 +932,10 @@ macro(ssg_build_product PRODUCT)
             DESTINATION "${SSG_CONTENT_INSTALL_DIR}")
     endif()
 
-    install(DIRECTORY "${CMAKE_BINARY_DIR}/${PRODUCT}/checks/sce/"
-        DESTINATION "${SSG_CONTENT_INSTALL_DIR}/${PRODUCT}/checks/sce")
+    if (SSG_SCE_ENABLED)
+        install(DIRECTORY "${CMAKE_BINARY_DIR}/${PRODUCT}/checks/sce/"
+            DESTINATION "${SSG_CONTENT_INSTALL_DIR}/${PRODUCT}/checks/sce")
+    endif()
 
     install(FILES "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
         DESTINATION "${SSG_CONTENT_INSTALL_DIR}")
diff --git a/ssg/build_yaml.py b/ssg/build_yaml.py
index 47350ff0c1e..34001dc389e 100644
--- a/ssg/build_yaml.py
+++ b/ssg/build_yaml.py
@@ -1594,7 +1594,7 @@ def __init__(self, profiles_dir, bash_remediation_fns, env_yaml,
             os.mkdir(resolved_rules_dir)
 
         self.sce_metadata = None
-        if sce_metadata_path:
+        if sce_metadata_path and os.path.getsize(sce_metadata_path):
             self.sce_metadata = json.load(open(sce_metadata_path, 'r'))
 
     def _process_values(self):
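Review bot: The stub rule in the `else()` branch has no `DEPENDS` at all, and the enabled branch lists only `build_sce.py` although its command also reads `build_config.yml` and `product.yml`, so toggling `SSG_SCE_ENABLED` in an already-configured tree can leave a stale `sce/metadata.json` behind (a zero-byte stub after switching to ON, the old full file after switching to OFF), because Makefile generators rerun a custom command only when a listed dependency is newer than the output, not when the command text changes. Assuming `build_config.yml` is produced by `configure_file` from the `build_config.yml.in` this patch also edits, it changes whenever the option changes, so listing it fixes both branches: `DEPENDS "${SSG_BUILD_SCRIPTS}/build_sce.py" "${CMAKE_BINARY_DIR}/build_config.yml" "${CMAKE_CURRENT_SOURCE_DIR}/product.yml"` in the enabled branch and `DEPENDS "${CMAKE_BINARY_DIR}/build_config.yml"` in the stub. Both new `add_custom_command` calls also lack `VERBATIM`, and the stub's `COMMENT` still claims it is "generating" metadata; `COMMENT "[${PRODUCT}-content] SCE disabled, creating empty sce/metadata.json"` would make build logs say which branch ran. The `ssg_build_sce` macro continues past the hunk, and the same stale-tree concern reaches the gated `install(DIRECTORY ...)` in the second hunk, which ships whatever the build tree's `checks/sce/` holds at install time.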
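Review bot: The new `os.path.getsize()` condition encodes a cross-component convention — a zero-byte `metadata.json` is how `ssg_build_sce` in cmake/SSGCommon.cmake signals that SCE was disabled — but nothing at the call site says so, and a reader will take it for a defensive guard against a truncated file. A one-line comment above it would carry that intent: `# An empty metadata.json means the build was configured with SSG_SCE_ENABLED=OFF (see ssg_build_sce in cmake/SSGCommon.cmake).` Since the line is being touched anyway, the unclosed handle on the following line could be fixed at the same time with `with open(sce_metadata_path, 'r') as sce_file:` / `self.sce_metadata = json.load(sce_file)`. `getsize()` raises `OSError` for a missing path, which is no worse than the `open()` that previously ran there. `__init__` begins outside the hunk.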