Skip to content

Commit

Permalink
add debian12 automatus workflow
Browse files Browse the repository at this point in the history
  • Loading branch information
@a-skr
a-skr committed Jul 4, 2024
1 parent f913f5b commit dc4a60c
Show file tree
Hide file tree
Showing 2 changed files with 200 additions and 0 deletions.
177 changes: 177 additions & 0 deletions .github/workflows/automatus-debian12.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,177 @@
name: Automatus Debian 12
on:
pull_request:
branches: [ master, 'stabilization*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.event.number || github.run_id }}
cancel-in-progress: true
env:
DATASTREAM: ssg-debian12-ds.xml
jobs:
build-content:
name: Build Content
runs-on: ubuntu-22.04
steps:
- name: Install Deps
run: sudo apt-get update && sudo apt-get install -y cmake ninja-build libopenscap8 python3-yaml python3-jinja2 git python3-deepdiff python3-requests jq python3-pip libxml2-utils xsltproc
- name: Install deps python
run: pip3 install gitpython xmldiff compliance-trestle==2.4.0 lxml lxml-stubs requests
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
with:
fetch-depth: 0
- name: Checkout (CTF)
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
with:
repository: ComplianceAsCode/content-test-filtering
path: ctf
# https://github.com/actions/checkout/issues/766
- name: Set git safe directory
run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
- name: Find forking point
env:
BASE_BRANCH: ${{ github.base_ref }}
run: echo "FORK_POINT=$(git merge-base origin/$BASE_BRANCH ${{ github.event.pull_request.head.sha }})" >> $GITHUB_OUTPUT
id: fork_point
- name: Detect content changes in the PR
run: python3 ./ctf/content_test_filtering.py pr --base ${{ steps.fork_point.outputs.FORK_POINT }} --remote_repo ${{ github.server_url }}/${{ github.repository }} --verbose --rule --output json ${{ github.event.pull_request.number }} > output.json
- name: Test if there are no content changes
run: echo "CTF_OUTPUT_SIZE=$(stat --printf="%s" output.json)" >> $GITHUB_OUTPUT
id: ctf
- uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4
if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
with:
name: output.json
path: output.json
- name: Print changes to content detected if any
if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
run: cat output.json
- name: Get product attribute
if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
id: product
uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0
with:
path: 'output.json'
prop_path: 'product'
- name: Build product
if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
run: ./build_product debian12
- uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4
if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
with:
name: ${{ env.DATASTREAM }}
path: build/${{ env.DATASTREAM }}
validate-ubuntu:
name: Run Tests
needs: build-content
runs-on: ubuntu-22.04
steps:
- name: Install Deps
run: sudo apt update && sudo apt install -y cmake ninja-build libopenscap8 libxml2-utils xsltproc python3-jinja2 python3-yaml ansible-lint podman
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
- name: Get cached CTF output
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4
id: get_ctf_output
with:
name: output.json
# continue even if the file is unavailable that
# means there are no changes detected by CTF in the previous job
continue-on-error: true
- name: Test if there are no content changes
if: ${{ steps.get_ctf_output.outcome == 'success' }}
run: echo "CTF_OUTPUT_SIZE=$(stat --printf="%s" output.json)" >> $GITHUB_OUTPUT
id: ctf
- name: Print changes to content detected if any
if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
run: cat output.json
- name: Generate id_rsa key
if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
run: ssh-keygen -N '' -t rsa -f ~/.ssh/id_rsa
- name: Build test suite container
if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
run: podman build --build-arg "CLIENT_PUBLIC_KEY=$(cat ~/.ssh/id_rsa.pub)" -t ssg_test_suite -f test_suite-debian12
working-directory: ./Dockerfiles
- name: Get oscap-ssh
if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
run: |
wget https://raw.githubusercontent.com/OpenSCAP/openscap/maint-1.3/utils/oscap-ssh
sudo chmod 755 oscap-ssh
sudo mv -v oscap-ssh /usr/local/bin
sudo chown root:root /usr/local/bin/oscap-ssh
rm -f oscap-ssh
- name: Get rule ids to be tested
if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
id: rules
uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0
with:
path: 'output.json'
prop_path: 'rules'
- name: Get product attribute
if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
id: product
uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0
with:
path: 'output.json'
prop_path: 'product'
- name: Get bash attribute
if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
id: bash
uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0
with:
path: 'output.json'
prop_path: 'bash'
- name: Get ansible attribute
if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
id: ansible
uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0
with:
path: 'output.json'
prop_path: 'ansible'
- uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4
if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
with:
name: ${{ env.DATASTREAM }}
- name: Run tests in a container - Bash
if: ${{steps.bash.outputs.prop == 'True' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
run: tests/test_rule_in_container.sh --no-remove-machine-only --dontclean --logdir logs_bash --remediate-using bash --name ssg_test_suite --datastream $DATASTREAM ${{join(fromJSON(steps.rules.outputs.prop))}}
env:
ADDITIONAL_TEST_OPTIONS: "--duplicate-templates --remove-fips-certified"
- name: Check for ERROR in logs
if: ${{steps.bash.outputs.prop == 'True' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
run: grep -q "^ERROR" logs_bash/test_suite.log
id: check_results_bash
# when grep returns 1 means it didn't find the ^ERROR string in the test_suite.log file
# and this means tests finished successfully without errors. So the job needs to keep going.
# By using continue-on-error: true the "conclusion" parameter is set to true so it's not possible to use
# it to determine whether the task has failed or succeed. The "outcome" parameter has to be used instead.
# See the step below
continue-on-error: true
- name: Upload logs in case of failure
if: ${{steps.bash.outputs.prop == 'True' && steps.check_results_bash.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4
with:
name: logs_bash
path: logs_bash/
- name: Run tests in a container - Ansible
if: ${{ steps.ansible.outputs.prop == 'True' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
run: tests/test_rule_in_container.sh --no-remove-machine-only --dontclean --logdir logs_ansible --remediate-using ansible --name ssg_test_suite --datastream $DATASTREAM ${{join(fromJSON(steps.rules.outputs.prop))}}
env:
ADDITIONAL_TEST_OPTIONS: "--duplicate-templates --remove-fips-certified --product debian12"
- name: Check for ERROR in logs
if: ${{steps.ansible.outputs.prop == 'True' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
run: grep -q "^ERROR" logs_ansible/test_suite.log
id: check_results_ansible
continue-on-error: true
- name: Upload logs in case of failure
if: ${{ steps.ansible.outputs.prop == 'True' && steps.check_results_ansible.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4
with:
name: logs_ansible
path: logs_ansible/
- name: Fail in case of ERROR present in logs_bash/test_suite.log or logs_ansible/test_suite.log
if: ${{ (steps.check_results_bash.outcome == 'success' || steps.check_results_ansible.outcome == 'success') && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
run: |
[[ -f logs_bash/test_suite.log ]] && echo "---------Bash Remediation Logs---------" && cat logs_bash/test_suite.log | grep -v "DEBUG - "
[[ -f logs_ansible/test_suite.log ]] && echo "---------Ansible Remediation Logs---------" && cat logs_ansible/test_suite.log | grep -v "DEBUG - "
exit 1
23 changes: 23 additions & 0 deletions Dockerfiles/test_suite-debian12
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
# This Dockerfile is a minimal example for a Debian 12 test suite target container.
FROM debian:12

ENV AUTH_KEYS=/root/.ssh/authorized_keys
ENV DEBIAN_FRONTEND=noninteractive

ARG CLIENT_PUBLIC_KEY
ARG ADDITIONAL_PACKAGES

# install additional packages
RUN true \
&& apt update \
&& apt install openssh-server python3 openscap-scanner \
$ADDITIONAL_PACKAGES \
&& true

RUN true \
&& for key_type in rsa ecdsa; do ssh-keygen -N '' -t $key_type -f /etc/ssh/ssh_host_${key_type}_key; done \
&& mkdir -p /root/.ssh \
&& printf "%s\n" "$CLIENT_PUBLIC_KEY" >> "$AUTH_KEYS" \
&& chmod og-rw /root/.ssh "$AUTH_KEYS" \
&& sed -i '/session\s\+required\s\+pam_loginuid.so/d' /etc/pam.d/sshd \
&& true

0 comments on commit dc4a60c

Please sign in to comment.