Merge pull request #2146 from evgenyz/add-multiprofile-tailoring

Enable autotailor to process multi-profile JSON Tailorings

Author: jan-cerny

tests/utils/autotailor_integration_test.sh

@@ -70,7 +70,6 @@ assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www
 assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R4"]/result[text()="notselected"]'
 assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R4" and @severity="high"]'
 
-
 # select additional rule R4 and change its role to "unchecked"
 python3 $autotailor --id-namespace "com.example.www" --select R4 --rule-role R4=unchecked $ds $original_profile > $tailoring
 $OSCAP xccdf eval --profile P1_customized --progress --tailoring-file $tailoring --results $result $ds
@@ -83,7 +82,6 @@ assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www
 assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R4"]/result[text()="notchecked"]'
 assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R4" and @role="unchecked"]'
 
-
 # select additional rule R3; the customized profile will have a special profile ID
 customized_profile="xccdf_com.pink.elephant_profile_pineapple"
 python3 $autotailor --new-profile-id $customized_profile --id-namespace "com.example.www" --select R3 $ds $original_profile > $tailoring
@@ -113,7 +111,7 @@ assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www
 assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R3"]/result[text()="notselected"]'
 assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R4"]/result[text()="notselected"]'
 
-# use JSON tailoring
+# use JSON tailoring (P1)
 python3 $autotailor $ds --id-namespace "com.example.www" --json-tailoring $json_tailoring > $tailoring
 $OSCAP xccdf eval --profile JSON_P1 --progress --tailoring-file $tailoring --results $result $ds
 assert_exists 1 '/Benchmark/TestResult/set-value[@idref="xccdf_com.example.www_value_V1" and text()="New Value"]'
@@ -124,3 +122,18 @@ assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www
 assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R3" and @severity="unknown"]'
 assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R4"]/result[text()="notselected"]'
 assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R4" and @role="unchecked"]'
+
+# use JSON tailoring (P11)
+python3 $autotailor --id-namespace "com.example.www" --json-tailoring $json_tailoring $ds > $tailoring
+$OSCAP xccdf eval --profile JSON_P11 --progress --tailoring-file $tailoring --results $result $ds
+assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R3"]/result[text()="pass"]'
+
+# use JSON tailoring (P11) with command-line override
+python3 $autotailor --id-namespace "com.example.www" --json-tailoring $json_tailoring --tailored-profile-id=JSON_P11 --unselect R3 $ds > $tailoring
+$OSCAP xccdf eval --profile JSON_P11 --progress --tailoring-file $tailoring --results $result $ds
+assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R3"]/result[text()="notselected"]'
+
+# use JSON tailoring (P11) with a new profile from the command line
+python3 $autotailor --id-namespace "com.example.www" --json-tailoring $json_tailoring --tailored-profile-id=CMDL_P --select R3 $ds $original_profile > $tailoring
+$OSCAP xccdf eval --profile CMDL_P --progress --tailoring-file $tailoring --results $result $ds
+assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R3"]/result[text()="pass"]'

tests/utils/custom.json

@@ -30,6 +30,16 @@
           "option_id": "some"
         }
       }
+    },
+    {
+      "id": "JSON_P11",
+      "title": "JSON Tailored Profile P11",
+      "base_profile_id": "P1",
+      "rules": {
+        "R3": {
+          "evaluate": true
+        }
+      }
     }
   ]
 }

tests/utils/test_autotailor.py

@@ -29,68 +29,68 @@ def test_is_valid_xccdf_id():
 
 
 def test_full_id():
-    t = autotailor.Tailoring()
-    assert t._full_rule_id("accounts_tmout") == \
+    p = autotailor.Profile()
+    assert p._full_rule_id("accounts_tmout") == \
         "xccdf_org.ssgproject.content_rule_accounts_tmout"
-    assert t._full_rule_id(
+    assert p._full_rule_id(
         "xccdf_org.ssgproject.content_rule_accounts_tmout") == \
         "xccdf_org.ssgproject.content_rule_accounts_tmout"
-    assert t._full_profile_id("stig") == \
+    assert p._full_profile_id("stig") == \
         "xccdf_org.ssgproject.content_profile_stig"
-    assert t._full_profile_id(
+    assert p._full_profile_id(
         "xccdf_org.ssgproject.content_profile_stig") == \
         "xccdf_org.ssgproject.content_profile_stig"
-    assert t._full_var_id("var_crypto_policy") == \
+    assert p._full_var_id("var_crypto_policy") == \
         "xccdf_org.ssgproject.content_value_var_crypto_policy"
-    assert t._full_var_id(
+    assert p._full_var_id(
         "xccdf_org.ssgproject.content_value_var_crypto_policy") == \
         "xccdf_org.ssgproject.content_value_var_crypto_policy"
 
 
 def test_customized_profile_id():
-    t = autotailor.Tailoring()
-    t.extends = "stig"
-    assert t.profile_id == "stig_customized"
-    t.profile_id = "my_cool_profile"
-    assert t.profile_id == "my_cool_profile"
+    p = autotailor.Profile()
+    p.extends = "stig"
+    assert p.profile_id == "stig_customized"
+    p.profile_id = "my_cool_profile"
+    assert p.profile_id == "my_cool_profile"
 
 
 def test_refine_rule():
-    t = autotailor.Tailoring()
+    p = autotailor.Profile()
     with pytest.raises(ValueError) as e:
-        t.refine_rule("selinux_state", "severity", "high")
+        p.refine_rule("selinux_state", "severity", "high")
     assert str(e.value) == "Rule id 'selinux_state' is invalid!"
     with pytest.raises(ValueError) as e:
-        t.refine_rule(
+        p.refine_rule(
             "xccdf_org.ssgproject.content_rule_accounts_tmout", "foo", "bar")
     assert str(e.value) == "Unsupported refine-rule attribute foo"
     with pytest.raises(ValueError) as e:
-        t.refine_rule(
+        p.refine_rule(
             "xccdf_org.ssgproject.content_rule_accounts_tmout",
             "role", "mnau")
     assert str(e.value) == (
         "Can't refine role of rule 'xccdf_org.ssgproject.content_rule_accounts"
         "_tmout' to 'mnau'. Allowed role values are: \"full\", \"unscored\", "
         "\"unchecked\".")
     with pytest.raises(ValueError) as e:
-        t.refine_rule(
+        p.refine_rule(
             "xccdf_org.ssgproject.content_rule_accounts_tmout",
             "severity", "mnau")
     assert str(e.value) == (
         "Can't refine severity of rule 'xccdf_org.ssgproject.content_rule_"
         "accounts_tmout' to 'mnau'. Allowed severity values are: \"unknown\", "
         "\"info\", \"low\", \"medium\", \"high\".")
     fav = "xccdf_org.ssgproject.content_rule_accounts_tmout"
-    t.refine_rule(fav, "severity", "high")
-    assert t.rule_refinements(fav, "severity") == "high"
-    t.refine_rule(fav, "role", "full")
-    assert t.rule_refinements(fav, "severity") == "high"
-    assert t.rule_refinements(fav, "role") == "full"
+    p.refine_rule(fav, "severity", "high")
+    assert p.rule_refinements(fav, "severity") == "high"
+    p.refine_rule(fav, "role", "full")
+    assert p.rule_refinements(fav, "severity") == "high"
+    assert p.rule_refinements(fav, "role") == "full"
     with pytest.raises(ValueError) as e:
-        t.refine_rule(fav, "severity", "low")
+        p.refine_rule(fav, "severity", "low")
     assert str(e.value) == (
         "Can't refine severity of rule 'xccdf_org.ssgproject.content_rule_"
         "accounts_tmout' to 'low'. This rule severity is already refined to "
         "'high'.")
-    assert t.rule_refinements(fav, "severity") == "high"
-    assert t.rule_refinements(fav, "role") == "full"
+    assert p.rule_refinements(fav, "severity") == "high"
+    assert p.rule_refinements(fav, "role") == "full"