Blame SOURCES/scap-security-guide-0.1.58-fix_handling_of_variables_in_levels-PR_7226.patch

76240a
From 7901659fa169db8ac5ffd7c610a798c785a3556b Mon Sep 17 00:00:00 2001
76240a
From: Vojtech Polasek <vpolasek@redhat.com>
76240a
Date: Fri, 9 Jul 2021 14:41:03 +0200
76240a
Subject: [PATCH 01/12] ensure that higher policy levels can override variables
76240a
 of lower levels
76240a
76240a
---
76240a
 ssg/controls.py | 13 ++++++++++---
76240a
 1 file changed, 10 insertions(+), 3 deletions(-)
76240a
76240a
diff --git a/ssg/controls.py b/ssg/controls.py
76240a
index 297d80e46c5..165cdf0511a 100644
76240a
--- a/ssg/controls.py
76240a
+++ b/ssg/controls.py
76240a
@@ -202,9 +202,16 @@ def get_all_controls_of_level(self, policy_id, level_id):
76240a
 
76240a
         all_policy_controls = self.get_all_controls(policy_id)
76240a
         eligible_controls = []
76240a
-        for c in all_policy_controls:
76240a
-            if len(level_ids.intersection(c.levels)) > 0:
76240a
-                eligible_controls.append(c)
76240a
+        defined_variables = []
76240a
+        # we will go level by level, from top to bottom
76240a
+        # this is done to enable overriding of variables by higher levels
76240a
+        for lv in level_ids:
76240a
+            for c in all_policy_controls:
76240a
+                if lv in c.levels:
76240a
+                    # if the control has a variable, check if it is not already defined
76240a
+                    if c.variables.keys().isdisjoint(defined_variables):
76240a
+                        eligible_controls.append(c)
76240a
+                        defined_variables += [*c.variables.keys()]
76240a
         return eligible_controls
76240a
 
76240a
     def get_all_controls(self, policy_id):
76240a
76240a
From 66e612a9668009cc553fcf1abbf2c9477155c0c2 Mon Sep 17 00:00:00 2001
76240a
From: Vojtech Polasek <vpolasek@redhat.com>
76240a
Date: Thu, 5 Aug 2021 14:02:25 +0200
76240a
Subject: [PATCH 02/12] use ordered sets emulated by ordereddict
76240a
76240a
because of compatibility with python2
76240a
---
76240a
 ssg/controls.py | 21 ++++++++++++++-------
76240a
 1 file changed, 14 insertions(+), 7 deletions(-)
76240a
76240a
diff --git a/ssg/controls.py b/ssg/controls.py
76240a
index 165cdf0511a..611a647e125 100644
76240a
--- a/ssg/controls.py
76240a
+++ b/ssg/controls.py
76240a
@@ -2,6 +2,7 @@
76240a
 import logging
76240a
 import os
76240a
 from glob import glob
76240a
+from collections import OrderedDict
76240a
 
76240a
 import ssg.build_yaml
76240a
 import ssg.yaml
76240a
@@ -152,16 +153,18 @@ def get_level(self, level_id):
76240a
             raise ValueError(msg)
76240a
 
76240a
     def get_level_with_ancestors(self, level_id):
76240a
-        levels = set()
76240a
+        # use OrderedDict for Python2 compatibility instead of ordered set
76240a
+        levels = OrderedDict()
76240a
         level = self.get_level(level_id)
76240a
-        levels.add(level)
76240a
+        levels[level] = ""
76240a
         if level.inherits_from:
76240a
             for lv in level.inherits_from:
76240a
-                levels.update(self.get_level_with_ancestors(lv))
76240a
+                eligible_levels = [l for l in self.get_level_with_ancestors(lv).keys() if l not in levels.keys()]
76240a
+                for l in eligible_levels:
76240a
+                    levels[l] = ""
76240a
         return levels
76240a
 
76240a
 
76240a
-
76240a
 class ControlsManager():
76240a
     def __init__(self, controls_dir, env_yaml=None):
76240a
         self.controls_dir = os.path.abspath(controls_dir)
76240a
@@ -198,20 +201,24 @@ def _get_policy(self, policy_id):
76240a
     def get_all_controls_of_level(self, policy_id, level_id):
76240a
         policy = self._get_policy(policy_id)
76240a
         levels = policy.get_level_with_ancestors(level_id)
76240a
-        level_ids = set([lv.id for lv in levels])
76240a
+        # we use OrderedDict here with empty values instead of ordered set
76240a
+        # cause we want to be compatible with python 2
76240a
+        level_ids = OrderedDict()
76240a
+        for lv in levels.keys():
76240a
+            level_ids[lv.id] = ""
76240a
 
76240a
         all_policy_controls = self.get_all_controls(policy_id)
76240a
         eligible_controls = []
76240a
         defined_variables = []
76240a
         # we will go level by level, from top to bottom
76240a
         # this is done to enable overriding of variables by higher levels
76240a
-        for lv in level_ids:
76240a
+        for lv in level_ids.keys():
76240a
             for c in all_policy_controls:
76240a
                 if lv in c.levels:
76240a
                     # if the control has a variable, check if it is not already defined
76240a
                     if c.variables.keys().isdisjoint(defined_variables):
76240a
                         eligible_controls.append(c)
76240a
-                        defined_variables += [*c.variables.keys()]
76240a
+                        defined_variables += list(c.variables.keys())
76240a
         return eligible_controls
76240a
 
76240a
     def get_all_controls(self, policy_id):
76240a
76240a
From 95a23a31293a0a63361ddf1831866cd5ae1ab61e Mon Sep 17 00:00:00 2001
76240a
From: Vojtech Polasek <vpolasek@redhat.com>
76240a
Date: Thu, 5 Aug 2021 16:30:10 +0200
76240a
Subject: [PATCH 03/12] rework handling of variables when returning all
76240a
 controls of a level
76240a
76240a
currently only the top most level variables are kept in the controls
76240a
if there is a control with lower level which has the same variable defined, it is deep copied and the variable definition is removed only from the resulting control
76240a
the original control stays in tact
76240a
---
76240a
 ssg/controls.py | 27 +++++++++++++++++++++------
76240a
 1 file changed, 21 insertions(+), 6 deletions(-)
76240a
76240a
diff --git a/ssg/controls.py b/ssg/controls.py
76240a
index 611a647e125..4ebb8bda3d7 100644
76240a
--- a/ssg/controls.py
76240a
+++ b/ssg/controls.py
76240a
@@ -1,8 +1,8 @@
76240a
 import collections
76240a
 import logging
76240a
 import os
76240a
+import copy
76240a
 from glob import glob
76240a
-from collections import OrderedDict
76240a
 
76240a
 import ssg.build_yaml
76240a
 import ssg.yaml
76240a
@@ -154,7 +154,7 @@ def get_level(self, level_id):
76240a
 
76240a
     def get_level_with_ancestors(self, level_id):
76240a
         # use OrderedDict for Python2 compatibility instead of ordered set
76240a
-        levels = OrderedDict()
76240a
+        levels = collections.OrderedDict()
76240a
         level = self.get_level(level_id)
76240a
         levels[level] = ""
76240a
         if level.inherits_from:
76240a
@@ -201,24 +201,39 @@ def _get_policy(self, policy_id):
76240a
     def get_all_controls_of_level(self, policy_id, level_id):
76240a
         policy = self._get_policy(policy_id)
76240a
         levels = policy.get_level_with_ancestors(level_id)
76240a
+        print ("getting levels of " + level_id)
76240a
+        print ([ l.id for l in levels.keys()])
76240a
         # we use OrderedDict here with empty values instead of ordered set
76240a
         # cause we want to be compatible with python 2
76240a
-        level_ids = OrderedDict()
76240a
+        level_ids = collections.OrderedDict()
76240a
         for lv in levels.keys():
76240a
             level_ids[lv.id] = ""
76240a
-
76240a
+        print (level_ids.keys())
76240a
         all_policy_controls = self.get_all_controls(policy_id)
76240a
         eligible_controls = []
76240a
         defined_variables = []
76240a
         # we will go level by level, from top to bottom
76240a
         # this is done to enable overriding of variables by higher levels
76240a
         for lv in level_ids.keys():
76240a
+            print ("going through level " +lv)
76240a
             for c in all_policy_controls:
76240a
+                print (c.levels)
76240a
                 if lv in c.levels:
76240a
                     # if the control has a variable, check if it is not already defined
76240a
-                    if c.variables.keys().isdisjoint(defined_variables):
76240a
+                    variables = list(c.variables.keys())
76240a
+                    if len(variables) == 0:
76240a
                         eligible_controls.append(c)
76240a
-                        defined_variables += list(c.variables.keys())
76240a
+                    for var in variables:
76240a
+                        if var in defined_variables:
76240a
+                            # if it is, create new instance of the control and remove the variable
76240a
+                            # we are going from the top level to the bottom
76240a
+                            # so we don't want to overwrite variables
76240a
+                            new_c = copy.deepcopy(c)
76240a
+                            del new_c.variables[var]
76240a
+                            eligible_controls.append(new_c)
76240a
+                        else:
76240a
+                            defined_variables.append(var)
76240a
+                            eligible_controls.append(c)
76240a
         return eligible_controls
76240a
 
76240a
     def get_all_controls(self, policy_id):
76240a
76240a
From a2dd7e9386c757a523b57646bdc5a9ffa99f68c5 Mon Sep 17 00:00:00 2001
76240a
From: Vojtech Polasek <vpolasek@redhat.com>
76240a
Date: Thu, 5 Aug 2021 16:31:25 +0200
76240a
Subject: [PATCH 04/12] add tests for defining of variables
76240a
76240a
---
76240a
 tests/unit/ssg-module/data/controls_dir/abcd-levels.yml | 6 ++++++
76240a
 tests/unit/ssg-module/test_controls.py                  | 5 +++++
76240a
 2 files changed, 11 insertions(+)
76240a
76240a
diff --git a/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml b/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml
76240a
index aded77c12a6..b98a7cd4e19 100644
76240a
--- a/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml
76240a
+++ b/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml
76240a
@@ -19,10 +19,14 @@ controls:
76240a
   - id: S2
76240a
     levels:
76240a
     - low
76240a
+    rules:
76240a
+      - var_password_pam_minlen=1
76240a
 
76240a
   - id: S3
76240a
     levels:
76240a
     - medium
76240a
+    rules:
76240a
+      - var_password_pam_minlen=2
76240a
 
76240a
   - id: S4
76240a
     title: Configure authentication
76240a
@@ -36,3 +40,5 @@ controls:
76240a
         title: Enforce password quality standards
76240a
         levels:
76240a
         - high
76240a
+        rules:
76240a
+          - var_password_pam_minlen=3
76240a
diff --git a/tests/unit/ssg-module/test_controls.py b/tests/unit/ssg-module/test_controls.py
76240a
index ff9b04f26c9..06fcb0c375d 100644
76240a
--- a/tests/unit/ssg-module/test_controls.py
76240a
+++ b/tests/unit/ssg-module/test_controls.py
76240a
@@ -87,6 +87,11 @@ def test_controls_levels():
76240a
     assert len(low_controls) == 4
76240a
     assert len(medium_controls) == 5
76240a
 
76240a
+    # test overriding of variables in levels
76240a
+    assert c_2.variables["var_password_pam_minlen"] == "1"
76240a
+    assert c_3.variables["var_password_pam_minlen"] == "2"
76240a
+    assert c_4b.variables["var_password_pam_minlen"] == "3"
76240a
+
76240a
 
76240a
 def test_controls_load_product():
76240a
     ssg_root = \
76240a
76240a
From 82b90a9720dadab7d6060f0ccbcd902b1c097904 Mon Sep 17 00:00:00 2001
76240a
From: Vojtech Polasek <vpolasek@redhat.com>
76240a
Date: Fri, 6 Aug 2021 09:30:47 +0200
76240a
Subject: [PATCH 05/12] make overriding of variables optional
76240a
76240a
---
76240a
 ssg/controls.py | 38 +++++++++++++++++++-------------------
76240a
 1 file changed, 19 insertions(+), 19 deletions(-)
76240a
76240a
diff --git a/ssg/controls.py b/ssg/controls.py
76240a
index 4ebb8bda3d7..90639fbe4c7 100644
76240a
--- a/ssg/controls.py
76240a
+++ b/ssg/controls.py
76240a
@@ -198,42 +198,42 @@ def _get_policy(self, policy_id):
76240a
             raise ValueError(msg)
76240a
         return policy
76240a
 
76240a
-    def get_all_controls_of_level(self, policy_id, level_id):
76240a
+    def get_all_controls_of_level(self, policy_id, level_id, override_vars=True):
76240a
+        # if override_vars is enabled, then variables from higher levels will
76240a
+        # override variables efined in controls of lower levels
76240a
         policy = self._get_policy(policy_id)
76240a
         levels = policy.get_level_with_ancestors(level_id)
76240a
-        print ("getting levels of " + level_id)
76240a
-        print ([ l.id for l in levels.keys()])
76240a
         # we use OrderedDict here with empty values instead of ordered set
76240a
         # cause we want to be compatible with python 2
76240a
         level_ids = collections.OrderedDict()
76240a
         for lv in levels.keys():
76240a
             level_ids[lv.id] = ""
76240a
-        print (level_ids.keys())
76240a
         all_policy_controls = self.get_all_controls(policy_id)
76240a
         eligible_controls = []
76240a
         defined_variables = []
76240a
         # we will go level by level, from top to bottom
76240a
         # this is done to enable overriding of variables by higher levels
76240a
         for lv in level_ids.keys():
76240a
-            print ("going through level " +lv)
76240a
             for c in all_policy_controls:
76240a
-                print (c.levels)
76240a
                 if lv in c.levels:
76240a
-                    # if the control has a variable, check if it is not already defined
76240a
-                    variables = list(c.variables.keys())
76240a
-                    if len(variables) == 0:
76240a
+                    if override_vars == False:
76240a
                         eligible_controls.append(c)
76240a
-                    for var in variables:
76240a
-                        if var in defined_variables:
76240a
-                            # if it is, create new instance of the control and remove the variable
76240a
-                            # we are going from the top level to the bottom
76240a
-                            # so we don't want to overwrite variables
76240a
-                            new_c = copy.deepcopy(c)
76240a
-                            del new_c.variables[var]
76240a
-                            eligible_controls.append(new_c)
76240a
-                        else:
76240a
-                            defined_variables.append(var)
76240a
+                    else:
76240a
+                        # if the control has a variable, check if it is not already defined
76240a
+                        variables = list(c.variables.keys())
76240a
+                        if len(variables) == 0:
76240a
                             eligible_controls.append(c)
76240a
+                        for var in variables:
76240a
+                            if var in defined_variables:
76240a
+                                # if it is, create new instance of the control and remove the variable
76240a
+                                # we are going from the top level to the bottom
76240a
+                                # so we don't want to overwrite variables
76240a
+                                new_c = copy.deepcopy(c)
76240a
+                                del new_c.variables[var]
76240a
+                                eligible_controls.append(new_c)
76240a
+                            else:
76240a
+                                defined_variables.append(var)
76240a
+                                eligible_controls.append(c)
76240a
         return eligible_controls
76240a
 
76240a
     def get_all_controls(self, policy_id):
76240a
76240a
From 47df80d086e96deb4eab88d5f813bffb380006a8 Mon Sep 17 00:00:00 2001
76240a
From: Vojtech Polasek <vpolasek@redhat.com>
76240a
Date: Wed, 11 Aug 2021 12:38:42 +0200
76240a
Subject: [PATCH 06/12] fix a typo
76240a
76240a
---
76240a
 ssg/controls.py | 2 +-
76240a
 1 file changed, 1 insertion(+), 1 deletion(-)
76240a
76240a
diff --git a/ssg/controls.py b/ssg/controls.py
76240a
index 90639fbe4c7..10a304bf8c2 100644
76240a
--- a/ssg/controls.py
76240a
+++ b/ssg/controls.py
76240a
@@ -200,7 +200,7 @@ def _get_policy(self, policy_id):
76240a
 
76240a
     def get_all_controls_of_level(self, policy_id, level_id, override_vars=True):
76240a
         # if override_vars is enabled, then variables from higher levels will
76240a
-        # override variables efined in controls of lower levels
76240a
+        # override variables defined in controls of lower levels
76240a
         policy = self._get_policy(policy_id)
76240a
         levels = policy.get_level_with_ancestors(level_id)
76240a
         # we use OrderedDict here with empty values instead of ordered set
76240a
76240a
From 8e59037ed07aad33a55e8297ee5bce0f51c0dee6 Mon Sep 17 00:00:00 2001
76240a
From: Vojtech Polasek <vpolasek@redhat.com>
76240a
Date: Wed, 11 Aug 2021 17:02:11 +0200
76240a
Subject: [PATCH 07/12] update tests to check that overriding of variables
76240a
 works
76240a
76240a
---
76240a
 .../ssg-module/data/controls_dir/abcd-levels.yml |  4 +---
76240a
 tests/unit/ssg-module/test_controls.py           | 16 ++++++++++++++--
76240a
 2 files changed, 15 insertions(+), 5 deletions(-)
76240a
76240a
diff --git a/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml b/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml
76240a
index b98a7cd4e19..99efafd832e 100644
76240a
--- a/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml
76240a
+++ b/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml
76240a
@@ -25,8 +25,6 @@ controls:
76240a
   - id: S3
76240a
     levels:
76240a
     - medium
76240a
-    rules:
76240a
-      - var_password_pam_minlen=2
76240a
 
76240a
   - id: S4
76240a
     title: Configure authentication
76240a
@@ -41,4 +39,4 @@ controls:
76240a
         levels:
76240a
         - high
76240a
         rules:
76240a
-          - var_password_pam_minlen=3
76240a
+          - var_password_pam_minlen=2
76240a
diff --git a/tests/unit/ssg-module/test_controls.py b/tests/unit/ssg-module/test_controls.py
76240a
index 06fcb0c375d..124b344d141 100644
76240a
--- a/tests/unit/ssg-module/test_controls.py
76240a
+++ b/tests/unit/ssg-module/test_controls.py
76240a
@@ -89,8 +89,20 @@ def test_controls_levels():
76240a
 
76240a
     # test overriding of variables in levels
76240a
     assert c_2.variables["var_password_pam_minlen"] == "1"
76240a
-    assert c_3.variables["var_password_pam_minlen"] == "2"
76240a
-    assert c_4b.variables["var_password_pam_minlen"] == "3"
76240a
+    assert "var_password_pam_minlen" not in c_3.variables.keys()
76240a
+    assert c_4b.variables["var_password_pam_minlen"] == "2"
76240a
+
76240a
+    for c in low_controls:
76240a
+        if "var_password_pam_minlen" in c.variables.keys():
76240a
+            assert c.variables["var_password_pam_minlen"] == "1"
76240a
+
76240a
+    for c in medium_controls:
76240a
+        if "var_password_pam_minlen" in c.variables.keys():
76240a
+            assert c.variables["var_password_pam_minlen"] == "1"
76240a
+
76240a
+    for c in high_controls:
76240a
+        if "var_password_pam_minlen" in c.variables.keys():
76240a
+            assert c.variables["var_password_pam_minlen"] == "2"
76240a
 
76240a
 
76240a
 def test_controls_load_product():
76240a
76240a
From dae4fc52a627eac6595bb73e3ffb1a0c50e78fdd Mon Sep 17 00:00:00 2001
76240a
From: Vojtech Polasek <vpolasek@redhat.com>
76240a
Date: Wed, 11 Aug 2021 17:02:32 +0200
76240a
Subject: [PATCH 08/12] make overriding of variables hardcoded when requesting
76240a
 controls of a certain level
76240a
76240a
---
76240a
 ssg/controls.py | 34 +++++++++++++++-------------------
76240a
 1 file changed, 15 insertions(+), 19 deletions(-)
76240a
76240a
diff --git a/ssg/controls.py b/ssg/controls.py
76240a
index 10a304bf8c2..7923f0cb379 100644
76240a
--- a/ssg/controls.py
76240a
+++ b/ssg/controls.py
76240a
@@ -198,9 +198,7 @@ def _get_policy(self, policy_id):
76240a
             raise ValueError(msg)
76240a
         return policy
76240a
 
76240a
-    def get_all_controls_of_level(self, policy_id, level_id, override_vars=True):
76240a
-        # if override_vars is enabled, then variables from higher levels will
76240a
-        # override variables defined in controls of lower levels
76240a
+    def get_all_controls_of_level(self, policy_id, level_id):
76240a
         policy = self._get_policy(policy_id)
76240a
         levels = policy.get_level_with_ancestors(level_id)
76240a
         # we use OrderedDict here with empty values instead of ordered set
76240a
@@ -216,24 +214,22 @@ def get_all_controls_of_level(self, policy_id, level_id, override_vars=True):
76240a
         for lv in level_ids.keys():
76240a
             for c in all_policy_controls:
76240a
                 if lv in c.levels:
76240a
-                    if override_vars == False:
76240a
+                    # if the control has a variable, check if it is not already defined
76240a
+                    variables = list(c.variables.keys())
76240a
+                    if len(variables) == 0:
76240a
                         eligible_controls.append(c)
76240a
-                    else:
76240a
-                        # if the control has a variable, check if it is not already defined
76240a
-                        variables = list(c.variables.keys())
76240a
-                        if len(variables) == 0:
76240a
+                        continue
76240a
+                    for var in variables:
76240a
+                        if var in defined_variables:
76240a
+                            # if it is, create new instance of the control and remove the variable
76240a
+                            # we are going from the top level to the bottom
76240a
+                            # so we don't want to overwrite variables
76240a
+                            new_c = copy.deepcopy(c)
76240a
+                            del new_c.variables[var]
76240a
+                            eligible_controls.append(new_c)
76240a
+                        else:
76240a
+                            defined_variables.append(var)
76240a
                             eligible_controls.append(c)
76240a
-                        for var in variables:
76240a
-                            if var in defined_variables:
76240a
-                                # if it is, create new instance of the control and remove the variable
76240a
-                                # we are going from the top level to the bottom
76240a
-                                # so we don't want to overwrite variables
76240a
-                                new_c = copy.deepcopy(c)
76240a
-                                del new_c.variables[var]
76240a
-                                eligible_controls.append(new_c)
76240a
-                            else:
76240a
-                                defined_variables.append(var)
76240a
-                                eligible_controls.append(c)
76240a
         return eligible_controls
76240a
 
76240a
     def get_all_controls(self, policy_id):
76240a
76240a
From c051e11c70b7e23ce3d4a8e0670da4fae72833c6 Mon Sep 17 00:00:00 2001
76240a
From: Vojtech Polasek <vpolasek@redhat.com>
76240a
Date: Thu, 12 Aug 2021 15:30:39 +0200
76240a
Subject: [PATCH 09/12] get rid of one ordereddict
76240a
76240a
---
76240a
 ssg/controls.py | 9 ++-------
76240a
 1 file changed, 2 insertions(+), 7 deletions(-)
76240a
76240a
diff --git a/ssg/controls.py b/ssg/controls.py
76240a
index 7923f0cb379..891b13c891c 100644
76240a
--- a/ssg/controls.py
76240a
+++ b/ssg/controls.py
76240a
@@ -201,19 +201,14 @@ def _get_policy(self, policy_id):
76240a
     def get_all_controls_of_level(self, policy_id, level_id):
76240a
         policy = self._get_policy(policy_id)
76240a
         levels = policy.get_level_with_ancestors(level_id)
76240a
-        # we use OrderedDict here with empty values instead of ordered set
76240a
-        # cause we want to be compatible with python 2
76240a
-        level_ids = collections.OrderedDict()
76240a
-        for lv in levels.keys():
76240a
-            level_ids[lv.id] = ""
76240a
         all_policy_controls = self.get_all_controls(policy_id)
76240a
         eligible_controls = []
76240a
         defined_variables = []
76240a
         # we will go level by level, from top to bottom
76240a
         # this is done to enable overriding of variables by higher levels
76240a
-        for lv in level_ids.keys():
76240a
+        for lv in levels.keys():
76240a
             for c in all_policy_controls:
76240a
-                if lv in c.levels:
76240a
+                if lv.id in c.levels:
76240a
                     # if the control has a variable, check if it is not already defined
76240a
                     variables = list(c.variables.keys())
76240a
                     if len(variables) == 0:
76240a
76240a
From 4dd5cb1326932cf020785a8c2472998eb2e7775e Mon Sep 17 00:00:00 2001
76240a
From: Vojtech Polasek <vpolasek@redhat.com>
76240a
Date: Thu, 12 Aug 2021 16:44:57 +0200
76240a
Subject: [PATCH 10/12] fix overriding of variables
76240a
76240a
when there were multiple variables overridden, it caused problems by creating multiple copies of controls
76240a
---
76240a
 ssg/controls.py | 16 +++++++++-------
76240a
 1 file changed, 9 insertions(+), 7 deletions(-)
76240a
76240a
diff --git a/ssg/controls.py b/ssg/controls.py
76240a
index 891b13c891c..8b69676313c 100644
76240a
--- a/ssg/controls.py
76240a
+++ b/ssg/controls.py
76240a
@@ -214,17 +214,19 @@ def get_all_controls_of_level(self, policy_id, level_id):
76240a
                     if len(variables) == 0:
76240a
                         eligible_controls.append(c)
76240a
                         continue
76240a
+                    variables_to_remove = [] # contains list of variables which are already defined and should be removed from the control
76240a
                     for var in variables:
76240a
                         if var in defined_variables:
76240a
-                            # if it is, create new instance of the control and remove the variable
76240a
-                            # we are going from the top level to the bottom
76240a
-                            # so we don't want to overwrite variables
76240a
-                            new_c = copy.deepcopy(c)
76240a
-                            del new_c.variables[var]
76240a
-                            eligible_controls.append(new_c)
76240a
+                            variables_to_remove.append(var)
76240a
                         else:
76240a
                             defined_variables.append(var)
76240a
-                            eligible_controls.append(c)
76240a
+                    if len(variables_to_remove) == 0:
76240a
+                        eligible_controls.append(c)
76240a
+                    else:
76240a
+                        new_c = copy.deepcopy(c)
76240a
+                        for var in variables_to_remove:
76240a
+                            del new_c.variables[var]
76240a
+                        eligible_controls.append(new_c)
76240a
         return eligible_controls
76240a
 
76240a
     def get_all_controls(self, policy_id):
76240a
76240a
From fbebba524cab090bc4c2f92b75257a7cc881ef5e Mon Sep 17 00:00:00 2001
76240a
From: Vojtech Polasek <vpolasek@redhat.com>
76240a
Date: Thu, 12 Aug 2021 16:45:38 +0200
76240a
Subject: [PATCH 11/12] extended tests to test for multiple overridden
76240a
 variables
76240a
76240a
---
76240a
 .../data/controls_dir/abcd-levels.yml         |  2 ++
76240a
 tests/unit/ssg-module/test_controls.py        | 19 +++++++++++++++++++
76240a
 2 files changed, 21 insertions(+)
76240a
76240a
diff --git a/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml b/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml
76240a
index 99efafd832e..2e60ec43532 100644
76240a
--- a/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml
76240a
+++ b/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml
76240a
@@ -21,6 +21,7 @@ controls:
76240a
     - low
76240a
     rules:
76240a
       - var_password_pam_minlen=1
76240a
+      - var_some_variable=1
76240a
 
76240a
   - id: S3
76240a
     levels:
76240a
@@ -40,3 +41,4 @@ controls:
76240a
         - high
76240a
         rules:
76240a
           - var_password_pam_minlen=2
76240a
+          - var_some_variable=3
76240a
diff --git a/tests/unit/ssg-module/test_controls.py b/tests/unit/ssg-module/test_controls.py
76240a
index 124b344d141..1465661b04a 100644
76240a
--- a/tests/unit/ssg-module/test_controls.py
76240a
+++ b/tests/unit/ssg-module/test_controls.py
76240a
@@ -104,6 +104,25 @@ def test_controls_levels():
76240a
         if "var_password_pam_minlen" in c.variables.keys():
76240a
             assert c.variables["var_password_pam_minlen"] == "2"
76240a
 
76240a
+    # now test if controls of lower level has the variable definition correctly removed
76240a
+    # because it is overriden by higher level controls
76240a
+    s2_high = [c for c in high_controls if c.id == "S2"]
76240a
+    assert len(s2_high) == 1
76240a
+    assert "var_some_variable" not in s2_high[0].variables.keys()
76240a
+    assert "var_password_pam_minlen" not in s2_high[0].variables.keys()
76240a
+    s4b_high = [c for c in high_controls if c.id == "S4.b"]
76240a
+    assert len(s4b_high) == 1
76240a
+    assert s4b_high[0].variables["var_some_variable"] == "3"
76240a
+    assert s4b_high[0].variables["var_password_pam_minlen"] == "2"
76240a
+
76240a
+    # check that in low level the variable is correctly placed there in S2
76240a
+    s2_low = [c for c in low_controls if c.id == "S2"]
76240a
+    assert len(s2_low) == 1
76240a
+    assert s2_low[0].variables["var_some_variable"] == "1"
76240a
+    assert s2_low[0].variables["var_password_pam_minlen"] == "1"
76240a
+
76240a
+
76240a
+
76240a
 
76240a
 def test_controls_load_product():
76240a
     ssg_root = \
76240a
76240a
From 369de6b8374084d9d607979b712285912dbb65aa Mon Sep 17 00:00:00 2001
76240a
From: Matej Tyc <matyc@redhat.com>
76240a
Date: Mon, 16 Aug 2021 10:39:22 +0200
76240a
Subject: [PATCH 12/12] Style improvements
76240a
76240a
- Renamed get_level_with_ancestors to get_level_with_ancestors_sequence,
76240a
  and made it return a list - a dictionary result is quite confusing.
76240a
- Removed some optimization in the variable deletion loops.
76240a
- Extracted functionality to a _get_control_without_variables static
76240a
  method.
76240a
- Defined variable removal steps using set operations.
76240a
---
76240a
 ssg/controls.py | 54 +++++++++++++++++++++++++------------------------
76240a
 1 file changed, 28 insertions(+), 26 deletions(-)
76240a
76240a
diff --git a/ssg/controls.py b/ssg/controls.py
76240a
index 8b69676313c..ca3187d5b16 100644
76240a
--- a/ssg/controls.py
76240a
+++ b/ssg/controls.py
76240a
@@ -152,17 +152,17 @@ def get_level(self, level_id):
76240a
             )
76240a
             raise ValueError(msg)
76240a
 
76240a
-    def get_level_with_ancestors(self, level_id):
76240a
+    def get_level_with_ancestors_sequence(self, level_id):
76240a
         # use OrderedDict for Python2 compatibility instead of ordered set
76240a
         levels = collections.OrderedDict()
76240a
         level = self.get_level(level_id)
76240a
         levels[level] = ""
76240a
         if level.inherits_from:
76240a
             for lv in level.inherits_from:
76240a
-                eligible_levels = [l for l in self.get_level_with_ancestors(lv).keys() if l not in levels.keys()]
76240a
+                eligible_levels = [l for l in self.get_level_with_ancestors_sequence(lv) if l not in levels.keys()]
76240a
                 for l in eligible_levels:
76240a
                     levels[l] = ""
76240a
-        return levels
76240a
+        return list(levels.keys())
76240a
 
76240a
 
76240a
 class ControlsManager():
76240a
@@ -200,35 +200,37 @@ def _get_policy(self, policy_id):
76240a
 
76240a
     def get_all_controls_of_level(self, policy_id, level_id):
76240a
         policy = self._get_policy(policy_id)
76240a
-        levels = policy.get_level_with_ancestors(level_id)
76240a
+        levels = policy.get_level_with_ancestors_sequence(level_id)
76240a
         all_policy_controls = self.get_all_controls(policy_id)
76240a
         eligible_controls = []
76240a
-        defined_variables = []
76240a
+        already_defined_variables = set()
76240a
         # we will go level by level, from top to bottom
76240a
         # this is done to enable overriding of variables by higher levels
76240a
-        for lv in levels.keys():
76240a
-            for c in all_policy_controls:
76240a
-                if lv.id in c.levels:
76240a
-                    # if the control has a variable, check if it is not already defined
76240a
-                    variables = list(c.variables.keys())
76240a
-                    if len(variables) == 0:
76240a
-                        eligible_controls.append(c)
76240a
-                        continue
76240a
-                    variables_to_remove = [] # contains list of variables which are already defined and should be removed from the control
76240a
-                    for var in variables:
76240a
-                        if var in defined_variables:
76240a
-                            variables_to_remove.append(var)
76240a
-                        else:
76240a
-                            defined_variables.append(var)
76240a
-                    if len(variables_to_remove) == 0:
76240a
-                        eligible_controls.append(c)
76240a
-                    else:
76240a
-                        new_c = copy.deepcopy(c)
76240a
-                        for var in variables_to_remove:
76240a
-                            del new_c.variables[var]
76240a
-                        eligible_controls.append(new_c)
76240a
+        for lv in levels:
76240a
+            for control in all_policy_controls:
76240a
+                if lv.id not in control.levels:
76240a
+                    continue
76240a
+
76240a
+                variables = set(control.variables.keys())
76240a
+
76240a
+                variables_to_remove = variables.intersection(already_defined_variables)
76240a
+                already_defined_variables.update(variables)
76240a
+
76240a
+                new_c = self._get_control_without_variables(variables_to_remove, control)
76240a
+                eligible_controls.append(new_c)
76240a
+
76240a
         return eligible_controls
76240a
 
76240a
+    @staticmethod
76240a
+    def _get_control_without_variables(variables_to_remove, control):
76240a
+        if not variables_to_remove:
76240a
+            return control
76240a
+
76240a
+        new_c = copy.deepcopy(control)
76240a
+        for var in variables_to_remove:
76240a
+            del new_c.variables[var]
76240a
+        return new_c
76240a
+
76240a
     def get_all_controls(self, policy_id):
76240a
         policy = self._get_policy(policy_id)
76240a
         return policy.controls_by_id.values()