-
Notifications
You must be signed in to change notification settings - Fork 709
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Extend SSG library to more easily collect profile selections #12797
Extend SSG library to more easily collect profile selections #12797
Conversation
This commits move all profile related rules from variables.py to a new file called profiles.py and update the profile functions to make them more generic and reusable. This also simplifies the variables.py files which is now only used to process variables files, options and respective values. Signed-off-by: Marcus Burghardt <[email protected]>
It was not considering the case when a profile inherits all levels of a control file, which is also a common case. Signed-off-by: Marcus Burghardt <[email protected]>
It may be cases where the integration may or may not benefit of sorted selections, so the capability was included as optional where the default is false, meaning the result will be ordered by the original order they where defined in profiles and control files. Signed-off-by: Marcus Burghardt <[email protected]>
With the introduction of profiles.py, it sounds more straight forward in some cases to collect all profiles selections first and then only work with the variables options and values. So the function get_variables_from_profiles is now external to optmize cases where profiles selections were already obtained. Signed-off-by: Marcus Burghardt <[email protected]>
It was tricky to mock a test scenario for this function without creating a very complex test. That was the reason I opted to use real content taking into account the predictability of the project, which I considered enough for this particular unit test. Signed-off-by: Marcus Burghardt <[email protected]>
The merit of this commit is for @qduanmu. She discovered and fixed this in PR#12792 but I was refactoring the library in the meantime, so it was incorporated here. Signed-off-by: Marcus Burghardt <[email protected]>
Signed-off-by: Marcus Burghardt <[email protected]>
It was broken in smaller functions for a better readability with less complexity. Signed-off-by: Marcus Burghardt <[email protected]>
The product title is also useful to give more context about the product id and the cost to include it in the profile objects is minimal, so it was included to simplify collection of profiles information. Signed-off-by: Marcus Burghardt <[email protected]>
03b81cb
to
4458078
Compare
Signed-off-by: Marcus Burghardt <[email protected]>
For now there are specific functions to return variables options and values but there are more properties in variables files that may be interesting, such as title and description. To avoid multiple reads of the same file, it was introduced a cache for variables yaml content. Signed-off-by: Marcus Burghardt <[email protected]>
Signed-off-by: Marcus Burghardt <[email protected]>
4458078
to
8dd74d8
Compare
Code Climate has analyzed commit 8dd74d8 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 93.3% (50% is the threshold). This pull request will bring the total coverage in the repository to 61.8% (0.1% change). View more on Code Climate. |
/packit retest-failed |
Hello @marcusburghardt and thank you for the PR. I don't see problems in most of the PR, but I do not consider using unit test which actually uses the real content as a good idea. It can introduce problems in the future in case we change something in the content. |
Let me check your mock. If you found an easier way to mock this, I would be happy to use. I was not completely in peace using real content, but just considered it to avoid more complexity than necessary. Another point is that this PR is already pretty big. Would you be fine if I open another PR right after these changes only improving this test unit? |
Yes @marcusburghardt I was also concerned about making the PR quite big. I am fine with adjusting the unit test in a separate PR. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
04c056a
into
ComplianceAsCode:master
""" | ||
parts = control_line.split(":") | ||
if len(parts) == 3: | ||
return parts[0], parts[2] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@marcusburghardt Is it necessary to process control_id(the parts[1]) besides the policy and rule level filters here, will this get some extra rules by ignoring this field?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is not necessary. parts[1]
would be a very special case where only some controls from the control file are picked up.
https://complianceascode.readthedocs.io/en/latest/manual/developer/03_creating_content.html#using-controls-in-profiles
No profiles are using this. Instead, the profiles use all the controls informed in the control file to keep the best coverage as possible. The common use cases are to unselect rules not necessary for a particular product, in case of more generic control files such as PCI-DSS.
for var_file in all_variable_files: | ||
variables_content = {} | ||
|
||
for var_file in get_variable_files(content_dir): | ||
try: | ||
yaml_content = open_and_macro_expand(var_file) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I failed to run 'get_variable_values' outside of the content repo. I got error like:
Error processing file /xxx/content/linux_os/guide/auditing/auditd_configure_rules/var_audit_failure_mode.var: cannot access local variable 'filename' where it is not associated with a value
Seems like the error is still caused by loading jinja macros, which is not installed together with the ssg library. In ssg/constants.py:
JINJA_MACROS_DIRECTORY = os.path.abspath(os.path.join(os.path.dirname(os.path.dirname(
__file__)), "shared", "macros"))
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You are correct. It should be fixed by #12816
Description:
After #12604 and #12717 the SSG library started to be used externally, initially being tested for OSCAL integrations in trestle-bot. During the tests it was noticed an increasing complexity to extract profile information, such as rules and variables.
In order to make it simpler, new functions were introduced to collect a list of profiles for a list of given products.
These profiles are returned with the respective selections of rules and variables and also some ids.
The management of yaml properties, control files and inheritance is done internally to avoid complexity on integrations.
The new functions don't change any other existing functions used by building scripts and therefore brings no risk to break existing code.
Rationale:
Review Hints:
As usual the recommended approach to review the PR is commit by commit since they were organized chronologically.
Most of the functions are not new. They were already implemented in
variables.py
file (#12717) but were now moved to a new file calledprofiles.py
where the moved functions were refactored to be more usable in the project.Unit tests were included for new external functions and can be tested by:
For usability, you can test with this example script: