From 8f90905cd47cefedddbb25b2478bced77ae7b880 Mon Sep 17 00:00:00 2001
From: Nick Carboni <ncarboni@redhat.com>
Date: Tue, 26 Sep 2017 17:12:23 -0400
Subject: [PATCH] Add platform attribute to Scap class

Newer versions of scap-security-guide (> 0.1.32) add new xccdf
files which match our glob pattern, but do not contain the
remediations for the rules we want to run.

If we edit one of these files rather than the one for our
target platform, the rules will not be remediated properly.

Specifying the platform allows us to find the file we need.

https://bugzilla.redhat.com/show_bug.cgi?id=1493193
---
 lib/linux_admin/scap.rb           | 33 ++++++++++++++++++++-----------
 spec/data/scap/ssg-rhel6-oval.xml |  0
 spec/scap_spec.rb                 | 25 ++++++++++++++++++++---
 3 files changed, 44 insertions(+), 14 deletions(-)
 create mode 100644 spec/data/scap/ssg-rhel6-oval.xml

diff --git a/lib/linux_admin/scap.rb b/lib/linux_admin/scap.rb
index 433da1d..16bcc26 100644
--- a/lib/linux_admin/scap.rb
+++ b/lib/linux_admin/scap.rb
@@ -5,6 +5,8 @@ class Scap
     PROFILE_ID = "linux-admin-scap"
     SSG_XML_PATH = Pathname.new("/usr/share/xml/scap/ssg/content/")
 
+    attr_reader :platform
+
     def self.openscap_available?
       require 'openscap'
       true
@@ -12,13 +14,21 @@ def self.openscap_available?
       false
     end
 
-    def self.ssg_available?
-      xccdf_file && oval_file
+    def self.ssg_available?(platform = nil)
+      xccdf_file(platform) && oval_file(platform)
+    end
+
+    def initialize(platform = nil)
+      @platform = platform
+    end
+
+    def ssg_available?
+      self.class.ssg_available?(platform)
     end
 
     def lockdown(*args)
       raise "OpenSCAP not available" unless self.class.openscap_available?
-      raise "SCAP Security Guide not available" unless self.class.ssg_available?
+      raise "SCAP Security Guide not available" unless ssg_available?
 
       values = args.last.kind_of?(Hash) ? args.pop : {}
       rules = args
@@ -44,16 +54,17 @@ def lockdown_profile(xccdf_file_path, profile_id)
 
     private
 
-    def self.xccdf_file
-      local_ssg_file("xccdf")
+    def self.xccdf_file(platform)
+      local_ssg_file("xccdf", platform)
     end
 
-    def self.oval_file
-      local_ssg_file("oval")
+    def self.oval_file(platform)
+      local_ssg_file("oval", platform)
     end
 
-    def self.local_ssg_file(type)
-      Dir.glob(SSG_XML_PATH.join("ssg-*-#{type}.xml")).detect { |f| f =~ /ssg-\w+-#{type}.xml/ }
+    def self.local_ssg_file(type, platform)
+      platform ||= "*"
+      Dir.glob(SSG_XML_PATH.join("ssg-#{platform}-#{type}.xml")).detect { |f| f =~ /ssg-\w+-#{type}.xml/ }
     end
 
     def tempdir
@@ -61,11 +72,11 @@ def tempdir
     end
 
     def xccdf_file
-      @xccdf_file ||= self.class.xccdf_file
+      @xccdf_file ||= self.class.xccdf_file(platform)
     end
 
     def oval_file
-      @oval_file ||= self.class.oval_file
+      @oval_file ||= self.class.oval_file(platform)
     end
 
     def with_xml_files(rules, values)
diff --git a/spec/data/scap/ssg-rhel6-oval.xml b/spec/data/scap/ssg-rhel6-oval.xml
new file mode 100644
index 0000000..e69de29
diff --git a/spec/scap_spec.rb b/spec/scap_spec.rb
index 27d6873..a066c5f 100644
--- a/spec/scap_spec.rb
+++ b/spec/scap_spec.rb
@@ -1,4 +1,7 @@
 describe LinuxAdmin::Scap do
+  subject(:rhel7) { described_class.new("rhel7") }
+  subject(:rhel6) { described_class.new("rhel6") }
+
   describe "#lockdown" do
     it "raises if given no rules" do
       stub_const("LinuxAdmin::Scap::SSG_XML_PATH", Pathname.new(data_file_path("scap")))
@@ -10,6 +13,22 @@
     end
   end
 
+  describe "#xccdf_file (private)" do
+    it "uses the platform from the attribute" do
+      stub_const("LinuxAdmin::Scap::SSG_XML_PATH", Pathname.new(data_file_path("scap")))
+      expect(rhel7.send(:xccdf_file)).to eq("#{data_file_path("scap")}/ssg-rhel7-xccdf.xml")
+      expect(rhel6.send(:xccdf_file)).to eq("#{data_file_path("scap")}/ssg-rhel6-xccdf.xml")
+    end
+  end
+
+  describe "#oval_file (private)" do
+    it "uses the platform from the attribute" do
+      stub_const("LinuxAdmin::Scap::SSG_XML_PATH", Pathname.new(data_file_path("scap")))
+      expect(rhel7.send(:oval_file)).to eq("#{data_file_path("scap")}/ssg-rhel7-oval.xml")
+      expect(rhel6.send(:oval_file)).to eq("#{data_file_path("scap")}/ssg-rhel6-oval.xml")
+    end
+  end
+
   describe "#profile_xml (private)" do
     it "creates a Profile tag" do
       profile_xml = described_class.new.send(:profile_xml, "test-profile", [], {})
@@ -42,19 +61,19 @@
   describe ".local_ssg_file (private)" do
     it "returns nil if the file doesn't exist" do
       stub_const("LinuxAdmin::Scap::SSG_XML_PATH", Pathname.new("/doesnt/exist/"))
-      file = described_class.send(:local_ssg_file, "type")
+      file = described_class.send(:local_ssg_file, "type", nil)
       expect(file).to be_nil
     end
 
     it "returns a file if there are multiple matches" do
       stub_const("LinuxAdmin::Scap::SSG_XML_PATH", Pathname.new(data_file_path("scap")))
-      file = described_class.send(:local_ssg_file, "xccdf")
+      file = described_class.send(:local_ssg_file, "xccdf", nil)
       expect(file).to match(%r{.*/ssg-\w+-xccdf\.xml})
     end
 
     it "returns a matching file" do
       stub_const("LinuxAdmin::Scap::SSG_XML_PATH", Pathname.new(data_file_path("scap")))
-      file = described_class.send(:local_ssg_file, "oval")
+      file = described_class.send(:local_ssg_file, "oval", nil)
       expect(file).to eq("#{data_file_path("scap")}/ssg-rhel7-oval.xml")
     end
   end