Add platform attribute to Scap class

Newer versions of scap-security-guide (> 0.1.32) add new xccdf files which match our glob pattern, but do not contain the remediations for the rules we want to run. If we edit one of these files rather than the one for our target platform, the rules will not be remediated properly. Specifying the platform allows us to find the file we need. https://bugzilla.redhat.com/show_bug.cgi?id=1493193
ManageIQ · Sep 27, 2017 · 8f90905 · 8f90905
1 parent 7761186
commit 8f90905
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 14 deletions.
diff --git a/lib/linux_admin/scap.rb b/lib/linux_admin/scap.rb
@@ -5,20 +5,30 @@ class Scap
     PROFILE_ID = "linux-admin-scap"
     SSG_XML_PATH = Pathname.new("/usr/share/xml/scap/ssg/content/")
 
+    attr_reader :platform
+
     def self.openscap_available?
       require 'openscap'
       true
     rescue LoadError
       false
     end
 
-    def self.ssg_available?
-      xccdf_file && oval_file
+    def self.ssg_available?(platform = nil)
+      xccdf_file(platform) && oval_file(platform)
+    end
+
+    def initialize(platform = nil)
+      @platform = platform
+    end
+
+    def ssg_available?
+      self.class.ssg_available?(platform)
     end
 
     def lockdown(*args)
       raise "OpenSCAP not available" unless self.class.openscap_available?
-      raise "SCAP Security Guide not available" unless self.class.ssg_available?
+      raise "SCAP Security Guide not available" unless ssg_available?
 
       values = args.last.kind_of?(Hash) ? args.pop : {}
       rules = args
@@ -44,28 +54,29 @@ def lockdown_profile(xccdf_file_path, profile_id)
 
     private
 
-    def self.xccdf_file
-      local_ssg_file("xccdf")
+    def self.xccdf_file(platform)
+      local_ssg_file("xccdf", platform)
     end
 
-    def self.oval_file
-      local_ssg_file("oval")
+    def self.oval_file(platform)
+      local_ssg_file("oval", platform)
     end
 
-    def self.local_ssg_file(type)
-      Dir.glob(SSG_XML_PATH.join("ssg-*-#{type}.xml")).detect { |f| f =~ /ssg-\w+-#{type}.xml/ }
+    def self.local_ssg_file(type, platform)
+      platform ||= "*"
+      Dir.glob(SSG_XML_PATH.join("ssg-#{platform}-#{type}.xml")).detect { |f| f =~ /ssg-\w+-#{type}.xml/ }
     end
 
     def tempdir
       @tempdir ||= Pathname.new(Dir.tmpdir)
     end
 
     def xccdf_file
-      @xccdf_file ||= self.class.xccdf_file
+      @xccdf_file ||= self.class.xccdf_file(platform)
     end
 
     def oval_file
-      @oval_file ||= self.class.oval_file
+      @oval_file ||= self.class.oval_file(platform)
     end
 
     def with_xml_files(rules, values)

diff --git a/spec/data/scap/ssg-rhel6-oval.xml b/spec/data/scap/ssg-rhel6-oval.xml
diff --git a/spec/scap_spec.rb b/spec/scap_spec.rb
@@ -1,4 +1,7 @@
 describe LinuxAdmin::Scap do
+  subject(:rhel7) { described_class.new("rhel7") }
+  subject(:rhel6) { described_class.new("rhel6") }
+
   describe "#lockdown" do
     it "raises if given no rules" do
       stub_const("LinuxAdmin::Scap::SSG_XML_PATH", Pathname.new(data_file_path("scap")))
@@ -10,6 +13,22 @@
     end
   end
 
+  describe "#xccdf_file (private)" do
+    it "uses the platform from the attribute" do
+      stub_const("LinuxAdmin::Scap::SSG_XML_PATH", Pathname.new(data_file_path("scap")))
+      expect(rhel7.send(:xccdf_file)).to eq("#{data_file_path("scap")}/ssg-rhel7-xccdf.xml")
+      expect(rhel6.send(:xccdf_file)).to eq("#{data_file_path("scap")}/ssg-rhel6-xccdf.xml")
+    end
+  end
+
+  describe "#oval_file (private)" do
+    it "uses the platform from the attribute" do
+      stub_const("LinuxAdmin::Scap::SSG_XML_PATH", Pathname.new(data_file_path("scap")))
+      expect(rhel7.send(:oval_file)).to eq("#{data_file_path("scap")}/ssg-rhel7-oval.xml")
+      expect(rhel6.send(:oval_file)).to eq("#{data_file_path("scap")}/ssg-rhel6-oval.xml")
+    end
+  end
+
   describe "#profile_xml (private)" do
     it "creates a Profile tag" do
       profile_xml = described_class.new.send(:profile_xml, "test-profile", [], {})
@@ -42,19 +61,19 @@
   describe ".local_ssg_file (private)" do
     it "returns nil if the file doesn't exist" do
       stub_const("LinuxAdmin::Scap::SSG_XML_PATH", Pathname.new("/doesnt/exist/"))
-      file = described_class.send(:local_ssg_file, "type")
+      file = described_class.send(:local_ssg_file, "type", nil)
       expect(file).to be_nil
     end
 
     it "returns a file if there are multiple matches" do
       stub_const("LinuxAdmin::Scap::SSG_XML_PATH", Pathname.new(data_file_path("scap")))
-      file = described_class.send(:local_ssg_file, "xccdf")
+      file = described_class.send(:local_ssg_file, "xccdf", nil)
       expect(file).to match(%r{.*/ssg-\w+-xccdf\.xml})
     end
 
     it "returns a matching file" do
       stub_const("LinuxAdmin::Scap::SSG_XML_PATH", Pathname.new(data_file_path("scap")))
-      file = described_class.send(:local_ssg_file, "oval")
+      file = described_class.send(:local_ssg_file, "oval", nil)
       expect(file).to eq("#{data_file_path("scap")}/ssg-rhel7-oval.xml")
     end
   end