-
Notifications
You must be signed in to change notification settings - Fork 378
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improve the autotailor script #2039
Conversation
Instead of repeating the smae string all over the place, let's have a single constant defined and then used.
If the `--new-profile-id` isn't provided by the user, we will create the ID of the customized profile ID by appending the `_customized` suffix to the base profile ID. This change makes the behavior according to the help text of the `--new-profile-id` option: > If left out, the new ID will be obtained by appending '_customized' > to the tailored profile ID.
and fix the failed asserts
We will move the condition that determines the ID of the customized profile into the `Tailoring` class. This move helps encapsulate code and also allows easier unit testing of this feature which we immediately use to write a unit test in this commit as well :)
This patch adds two new command line options `--rule-role` and `--rule-severity` that will allow users to refine rule role and rule seveirty in their customized profile. Using these options will generate `refine-rule` elements within the output tailoring file. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2058168
This patch moves the logic for assigning the XCCDF Values for outer space inside the Tailoring class by defining a method.
Explicitly setting namespaces of elements is the recommended way of using namespaces. It helps prevent namespace errors. Also, it simplifies unit testing of code that works with XML elements.
The new name of the variable better describes its actual contents.
This commit adds an integration test for autotailor. The goal of the test is to verify if the tailoring produced by autotailor can be loaded and consumed by oscap and if the generated tailoring leads to the intended behavior of the profile evaluation.
The result will be that the autotailor unit tests will be executed during the CTest which is run in our CI.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In general I approve the changes. Awesome! Thank you.
There are a couple of nitpicks, though. See individual notes.
Also I imagined that a new tool could use little bit more of modern syntax sugar. What do you think, should we embrace f-strings in autotailor?
assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R1"]/result[text()="pass"]' | ||
assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R2"]/result[text()="pass"]' | ||
assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R3"]/result[text()="notselected"]' | ||
assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R4"]/result[text()="notselected"]' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No newline.
utils/autotailor.8
Outdated
@@ -5,7 +5,7 @@ autotailor \- CLI tool for tailoring of SCAP data streams. | |||
autotailor produces tailoring files that SCAP-compliant scanners can use to complement SCAP data streams. | |||
A tailoring file adds a new profile, which is supposed to extend a profile that is already present in the data stream. | |||
|
|||
Tailoring can add or remove rules, and it can redefine contents of XCCDF variables. | |||
Tailoring can add or remove rules, refine rules, and it can redefine contents of XCCDF variables. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Tailoring can add or remove rules, refine rules, and it can redefine contents of XCCDF variables. | |
Tailoring can add, remove or refine rules, and it also can redefine contents of XCCDF variables. |
utils/autotailor
Outdated
@staticmethod | ||
def _validate_rule_refinement_params(rule_id, attribute, value): | ||
if not is_valid_xccdf_id(rule_id): | ||
msg = "Rule id '{rule_id}' is invalid!".format(rule_id=rule_id) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As we operate with Python 3 in 1.3.x we probably can do this:
msg = "Rule id '{rule_id}' is invalid!".format(rule_id=rule_id) | |
msg = f"Rule id '{rule_id}' is invalid!" |
benchmark.set("href", datastream_uri) | ||
|
||
version = ET.SubElement(root, "xccdf-1.2:version") | ||
version = ET.SubElement(root, "{%s}version" % NS) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
And this:
version = ET.SubElement(root, "{%s}version" % NS) | |
version = ET.SubElement(root, f"{NS}version") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You actually need to escape the braces: f"{{{NS}}}version"
, so here I prefer to use the %
form.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Right.
"If left out, the new ID will be obtained " | ||
"The ID of the new profile can be either its full ID, or the suffix, " | ||
"in which case the 'xccdf_<id-namespace>_profile_' prefix will be " | ||
"prepended internally. If left out, the new ID will be obtained " | ||
"by appending '{suffix}' to the tailored profile ID." | ||
.format(suffix=DEFAULT_PROFILE_SUFFIX)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
But this might not be worthy of converting into a block of f-strings.
utils/autotailor
Outdated
"Can't refine {attribute} of rule '{rule_id}' to '{value}'. " | ||
"Allowed {attribute} values are: {allowed}.".format( | ||
attribute=attribute, rule_id=rule_id, value=value, | ||
allowed=allowed)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
And this: f"Can't refine {attribute} of rule '{rule_id}' to '{value}'. Allowed {attribute} values are: {allowed}."
.
Test failures are not connected to the autotailor. |
This pull request improves the
autotailor
utility. The goal of the improvements is that theautotailor
can be used for real-world usage and easily extended in future. Specifically, these are the changes made in this PR:--rule-role
and--rule-severity
to refine rules roles and severitiesFor more details, please read commit messages of every commit.
This PR supersedes PR #1877.