Merge pull request #1253 from mpreisler/tailoring_in_arf

Tailoring in arf

Author: jan-cerny

src/DS/rds.c

@@ -38,6 +38,7 @@
 #include "ds_rds_session.h"
 #include "ds_rds_session_priv.h"
 #include "rds_priv.h"
+#include "sds_priv.h"
 #include "source/public/oscap_source.h"
 #include "source/oscap_source_priv.h"
 
@@ -55,6 +56,8 @@ static const char* arf_ns_uri = "http://scap.nist.gov/schema/asset-reporting-for
 static const char* core_ns_uri = "http://scap.nist.gov/schema/reporting-core/1.1";
 static const char* arfvocab_ns_uri = "http://scap.nist.gov/specifications/arf/vocabulary/relationships/1.0#";
 static const char* ai_ns_uri = "http://scap.nist.gov/schema/asset-identification/1.1";
+static const char* xlink_ns_uri = "http://www.w3.org/1999/xlink";
+
 
 xmlNode *ds_rds_lookup_container(xmlDocPtr doc, const char *container_name)
 {
@@ -693,7 +696,7 @@ static void ds_rds_add_xccdf_test_results(xmlDocPtr doc, xmlNodePtr reports,
 	}
 }
 
-static int ds_rds_create_from_dom(xmlDocPtr* ret, xmlDocPtr sds_doc, xmlDocPtr xccdf_result_file_doc, struct oscap_htable* oval_result_sources, struct oscap_htable* oval_result_mapping, struct oscap_htable *arf_report_mapping)
+static int ds_rds_create_from_dom(xmlDocPtr* ret, xmlDocPtr sds_doc, xmlDocPtr tailoring_doc, const char* tailoring_filepath, char *tailoring_doc_timestamp, xmlDocPtr xccdf_result_file_doc, struct oscap_htable* oval_result_sources, struct oscap_htable* oval_result_mapping, struct oscap_htable *arf_report_mapping)
 {
 	*ret = NULL;
 
@@ -730,6 +733,68 @@ static int ds_rds_create_from_dom(xmlDocPtr* ret, xmlDocPtr sds_doc, xmlDocPtr x
 	xmlDOMWrapReconcileNamespaces(sds_wrap_ctxt, sds_res_node, 0);
 	xmlDOMWrapFreeCtxt(sds_wrap_ctxt);
 
+	if (tailoring_doc && strcmp(tailoring_filepath, "NONEXISTENT")) {
+		char *mangled_tailoring_filepath = ds_sds_mangle_filepath(tailoring_filepath);
+		char *tailoring_component_id = oscap_sprintf("scap_org.open-scap_comp_%s_tailoring", mangled_tailoring_filepath);
+		char *tailoring_component_ref_id = oscap_sprintf("scap_org.open-scap_cref_%s_tailoring", mangled_tailoring_filepath);
+
+		// Need unique id (ref_id) - if generated already exists, then create new one
+		int counter = 0;
+		while (lookup_component_in_collection(sds_doc, tailoring_component_id) != NULL) {
+			free(tailoring_component_id);
+			tailoring_component_id = oscap_sprintf("scap_org.open-scap_comp_%s_tailoring%03d", mangled_tailoring_filepath, counter++);
+		}
+
+		counter = 0;
+		while (ds_sds_find_component_ref(xmlDocGetRootElement(sds_res_node)->children, tailoring_component_ref_id) != NULL) {
+			free(tailoring_component_ref_id);
+			tailoring_component_ref_id = oscap_sprintf("scap_org.open-scap_cref_%s_tailoring%03d", mangled_tailoring_filepath, counter++);
+		}
+
+		free(mangled_tailoring_filepath);
+
+		xmlDOMWrapCtxtPtr tailoring_wrap_ctxt = xmlDOMWrapNewCtxt();
+		xmlNodePtr tailoring_res_node = NULL;
+		xmlDOMWrapCloneNode(tailoring_wrap_ctxt, tailoring_doc, xmlDocGetRootElement(tailoring_doc),
+				&tailoring_res_node, doc, NULL, 1, 0);
+		xmlNsPtr sds_ns = sds_res_node->ns;
+		xmlNodePtr tailoring_component = xmlNewNode(sds_ns, BAD_CAST "component");
+		xmlSetProp(tailoring_component, BAD_CAST "id", BAD_CAST tailoring_component_id);
+		xmlSetProp(tailoring_component, BAD_CAST "timestamp", BAD_CAST tailoring_doc_timestamp);
+		xmlAddChild(tailoring_component, tailoring_res_node);
+		xmlAddChild(sds_res_node, tailoring_component);
+
+		xmlNodePtr checklists_element = NULL;
+		xmlNodePtr datastream_element = node_get_child_element(sds_res_node, "data-stream");
+		if (datastream_element == NULL) {
+			datastream_element = xmlNewNode(sds_ns, "data-stream");
+			xmlAddChild(sds_res_node, datastream_element);
+			checklists_element = xmlNewNode(sds_ns, "checklists");
+			xmlAddChild(datastream_element, checklists_element);
+		}
+		else {
+			checklists_element = node_get_child_element(datastream_element, "checklists");
+		}
+
+		xmlNodePtr tailoring_component_ref = xmlNewNode(sds_ns, BAD_CAST "component-ref");
+		xmlSetProp(tailoring_component_ref, BAD_CAST "id", BAD_CAST tailoring_component_ref_id);
+		char *tailoring_cref_href = oscap_sprintf("#%s", tailoring_component_id);
+		xmlNsPtr xlink_ns = xmlSearchNsByHref(doc, sds_res_node, BAD_CAST xlink_ns_uri);
+		if (!xlink_ns) {
+			oscap_seterr(OSCAP_EFAMILY_XML,
+					"Unable to find namespace '%s' in the XML DOM tree. "
+					"This is most likely an internal error!.",
+					xlink_ns_uri);
+			return -1;
+		}
+		xmlSetNsProp(tailoring_component_ref, xlink_ns, BAD_CAST "href", BAD_CAST tailoring_cref_href);
+		free(tailoring_cref_href);
+		xmlAddChild(checklists_element, tailoring_component_ref);
+
+		xmlDOMWrapReconcileNamespaces(tailoring_wrap_ctxt, tailoring_res_node, 0);
+		xmlDOMWrapFreeCtxt(tailoring_wrap_ctxt);
+	}
+
 	xmlAddChild(report_request, arf_content);
 
 	xmlAddChild(report_requests, report_request);
@@ -758,22 +823,43 @@ static int ds_rds_create_from_dom(xmlDocPtr* ret, xmlDocPtr sds_doc, xmlDocPtr x
 	return 0;
 }
 
-struct oscap_source *ds_rds_create_source(struct oscap_source *sds_source, struct oscap_source *xccdf_result_source, struct oscap_htable *oval_result_sources, struct oscap_htable *oval_result_mapping, struct oscap_htable *arf_report_mapping, const char *target_file)
+struct oscap_source *ds_rds_create_source(struct oscap_source *sds_source, struct oscap_source *tailoring_source, struct oscap_source *xccdf_result_source, struct oscap_htable *oval_result_sources, struct oscap_htable *oval_result_mapping, struct oscap_htable *arf_report_mapping, const char *target_file)
 {
 	xmlDoc *sds_doc = oscap_source_get_xmlDoc(sds_source);
 	if (sds_doc == NULL) {
 		return NULL;
 	}
+
 	xmlDoc *result_file_doc = oscap_source_get_xmlDoc(xccdf_result_source);
 	if (result_file_doc == NULL) {
 		return NULL;
 	}
 
+	xmlDoc *tailoring_doc = NULL;
+	char *tailoring_doc_timestamp = NULL;
+	char *tailoring_filepath = NULL;
+	if (tailoring_source) {
+		tailoring_doc = oscap_source_get_xmlDoc(tailoring_source);
+		if (tailoring_doc == NULL) {
+			return NULL;
+		}
+		tailoring_filepath = oscap_source_get_filepath(tailoring_source);
+		struct stat file_stat;
+		if (stat(tailoring_filepath, &file_stat) == 0) {
+			const size_t max_timestamp_len = 32;
+			tailoring_doc_timestamp = malloc(max_timestamp_len);
+			strftime(tailoring_doc_timestamp, max_timestamp_len, "%Y-%m-%dT%H:%M:%S", localtime(&file_stat.st_mtime));
+		}
+	}
+
 	xmlDocPtr rds_doc = NULL;
-	if (ds_rds_create_from_dom(&rds_doc, sds_doc, result_file_doc,
+
+	if (ds_rds_create_from_dom(&rds_doc, sds_doc, tailoring_doc, tailoring_filepath, tailoring_doc_timestamp, result_file_doc,
 				oval_result_sources, oval_result_mapping, arf_report_mapping) != 0) {
+		free(tailoring_doc_timestamp);
 		return NULL;
 	}
+	free(tailoring_doc_timestamp);
 	return oscap_source_new_from_xmlDoc(rds_doc, target_file);
 }
 
@@ -803,7 +889,7 @@ int ds_rds_create(const char* sds_file, const char* xccdf_result_file, const cha
 		}
 	}
 	if (result == 0) {
-		struct oscap_source *target_rds = ds_rds_create_source(sds_source, xccdf_result_source, oval_result_sources, oval_result_mapping, arf_report_mapping, target_file);
+		struct oscap_source *target_rds = ds_rds_create_source(sds_source, NULL, xccdf_result_source, oval_result_sources, oval_result_mapping, arf_report_mapping, target_file);
 		result = target_rds == NULL;
 		if (result == 0) {
 			result = oscap_source_save_as(target_rds, NULL);

src/DS/rds_priv.h

@@ -37,7 +37,7 @@ OSCAP_HIDDEN_START;
 xmlNode *ds_rds_lookup_container(xmlDocPtr doc, const char *container_name);
 xmlNode *ds_rds_lookup_component(xmlDocPtr doc, const char *container_name, const char *component_name, const char *id);
 int ds_rds_dump_arf_content(struct ds_rds_session *session, const char *container_name, const char *component_name, const char *content_id);
-struct oscap_source *ds_rds_create_source(struct oscap_source *sds_source, struct oscap_source *xccdf_result_source, struct oscap_htable *oval_result_sources, struct oscap_htable *oval_result_mapping, struct oscap_htable *arf_report_mapping, const char *target_file);
+struct oscap_source *ds_rds_create_source(struct oscap_source *sds_source, struct oscap_source *tailoring_source, struct oscap_source *xccdf_result_source, struct oscap_htable *oval_result_sources, struct oscap_htable *oval_result_mapping, struct oscap_htable *arf_report_mapping, const char *target_file);
 xmlNodePtr ds_rds_create_report(xmlDocPtr target_doc, xmlNodePtr reports_node, xmlDocPtr source_doc, const char* report_id);
 
 OSCAP_HIDDEN_END;

src/DS/sds.c

@@ -113,7 +113,7 @@ xmlNode *containter_get_component_ref_by_id(xmlNode *container, const char *comp
 	return NULL;
 }
 
-static xmlNodePtr ds_sds_find_component_ref(xmlNodePtr datastream, const char* id)
+xmlNodePtr ds_sds_find_component_ref(xmlNodePtr datastream, const char* id)
 {
 	/* This searches for a ds:component-ref (XLink) element with a given id.
 	 * It returns a first such element in a given ds:data-stream.
@@ -133,7 +133,7 @@ static xmlNodePtr ds_sds_find_component_ref(xmlNodePtr datastream, const char* i
 	return NULL;
 }
 
-static xmlNodePtr _lookup_component_in_collection(xmlDocPtr doc, const char *component_id)
+xmlNodePtr lookup_component_in_collection(xmlDocPtr doc, const char *component_id)
 {
 	xmlNodePtr root = xmlDocGetRootElement(doc);
 	xmlNodePtr component = NULL;
@@ -271,7 +271,7 @@ static xmlNodePtr ds_sds_get_component_root_by_id(xmlDoc *doc, const char* compo
 	if (component_id == NULL) {
 		component = (xmlNodePtr)doc;
 	} else {
-		component = _lookup_component_in_collection(doc, component_id);
+		component = lookup_component_in_collection(doc, component_id);
 		if (component == NULL)
 		{
 			oscap_seterr(OSCAP_EFAMILY_XML, "Component of given id '%s' was not found in the document.", component_id);
@@ -774,7 +774,7 @@ static int ds_sds_compose_catalog_has_uri(xmlDocPtr doc, xmlNodePtr catalog, con
 
 // takes given relative filepath and mangles it so that it's acceptable
 // as a component id
-static char* ds_sds_mangle_filepath(const char* filepath)
+char* ds_sds_mangle_filepath(const char* filepath)
 {
 	if (filepath == NULL)
 		return NULL;
@@ -1063,7 +1063,7 @@ static int ds_sds_compose_add_component_source_with_ref(xmlDocPtr doc, xmlNodePt
 		extended_component ? "e" : "", mangled_filepath);
 
 	int counter = 0;
-	while (_lookup_component_in_collection(doc, comp_id) != NULL) {
+	while (lookup_component_in_collection(doc, comp_id) != NULL) {
 		// While a component of the given ID already exists, generate a new one
 		free(comp_id);
 		comp_id = oscap_sprintf("scap_org.open-scap_%scomp_%s%03d",

src/DS/sds_priv.h

@@ -45,5 +45,10 @@ int ds_sds_dump_component_ref_as(const xmlNodePtr component_ref, struct ds_sds_s
 xmlDocPtr ds_sds_compose_xmlDoc_from_xccdf(const char *xccdf_file);
 xmlDocPtr ds_sds_compose_xmlDoc_from_xccdf_source(struct oscap_source *xccdf_source);
 
+xmlNodePtr lookup_component_in_collection(xmlDocPtr doc, const char *component_id);
+xmlNodePtr ds_sds_find_component_ref(xmlNodePtr datastream, const char *id);
+
+char *ds_sds_mangle_filepath(const char *filepath);
+
 OSCAP_HIDDEN_END;
 #endif

src/XCCDF/xccdf_session.c

@@ -234,7 +234,7 @@ static struct oscap_source* xccdf_session_create_arf_source(struct xccdf_session
 		sds_source = oscap_source_new_from_xmlDoc(sds_doc, NULL);
 	}
 
-	session->oval.arf_report = ds_rds_create_source(sds_source, session->xccdf.result_source, session->oval.result_sources, session->oval.results_mapping, session->oval.arf_report_mapping, session->export.arf_file);
+	session->oval.arf_report = ds_rds_create_source(sds_source, session->tailoring.user_file, session->xccdf.result_source, session->oval.result_sources, session->oval.results_mapping, session->oval.arf_report_mapping, session->export.arf_file);
 	if (!xccdf_session_is_sds(session)) {
 		oscap_source_free(sds_source);
 	}

tests/API/XCCDF/tailoring/Makefile.am

@@ -15,4 +15,7 @@ EXTRA_DIST = \
 	simple-tailoring.xml \
 	simple-tailoring11.xml \
 	simple-tailoring-autonegotiation.xml \
-	simple-ds.xml
+	simple-ds.xml \
+	baseline.xccdf.xml \
+	baseline.oval.xml \
+	baseline.tailoring.xml

tests/API/XCCDF/tailoring/all.sh

@@ -5,7 +5,7 @@
 
 . ../../../test_common.sh
 
-#set -e -o pipefail
+set -e -o pipefail
 
 function test_api_xccdf_tailoring {
     local INPUT=$srcdir/$1
@@ -84,6 +84,56 @@ function test_api_xccdf_tailoring_autonegotiation {
     rm -f $result
 }
 
+function test_api_xccdf_tailoring_simple_include_in_arf {
+    local INPUT=$srcdir/$1
+    local TAILORING=$srcdir/$2
+
+    result=`mktemp`
+    $OSCAP xccdf eval --tailoring-file $TAILORING --results-arf $result $INPUT
+    if [ "$?" != "0" ]; then
+        return 1
+    fi
+
+    assert_exists 1 '/arf:asset-report-collection/arf:report-requests/arf:report-request/arf:content/ds:data-stream-collection/ds:component/Tailoring'
+    rm -f $result
+}
+
+function test_api_xccdf_tailoring_profile_include_in_arf {
+    local INPUT=$srcdir/$1
+    local TAILORING=$srcdir/$2
+
+    result=`mktemp`
+    # "xccdf_com.example.www_profile_customized" customizes "xccdf_com.example.www_profile_baseline1"
+    $OSCAP xccdf eval --tailoring-file $TAILORING --profile "xccdf_com.example.www_profile_customized" --results-arf $result $INPUT || [ "$?" == "2" ]
+
+    component_xpath='/arf:asset-report-collection/arf:report-requests/arf:report-request/arf:content/ds:data-stream-collection/ds:component'
+    assert_exists 3 $component_xpath
+    assert_exists 3 $component_xpath'/@timestamp'
+    assert_exists 1 $component_xpath'/xccdf:Tailoring'
+    assert_exists 1 $component_xpath'/xccdf:Tailoring/xccdf:Profile'
+    assert_exists 1 $component_xpath'/xccdf:Tailoring/xccdf:Profile[@id="xccdf_com.example.www_profile_customized"]'
+    assert_exists 1 $component_xpath'/xccdf:Tailoring/xccdf:Profile[@extends="xccdf_com.example.www_profile_baseline1"]'
+    rm -f $result
+}
+
+function test_api_xccdf_tailoring_profile_generate_fix {
+    local INPUT=$srcdir/$1
+    local TAILORING=$srcdir/$2
+
+    tailoring_result=`mktemp`
+    fix_result=`mktemp`
+    # tailoring profile only with "always fail" rule and generate bash fix
+    $OSCAP xccdf eval --tailoring-file $TAILORING --profile "xccdf_com.example.www_profile_customized" --results-arf $tailoring_result $INPUT || [ "$?" == "2" ]
+    tailoring_id=$($XPATH $tailoring_result 'string(//ds:component-ref[contains(@id, "_tailoring")]/@id)')
+    $OSCAP xccdf generate fix --tailoring-id $tailoring_id --result-id xccdf_org.open-scap_test-result_xccdf-com.example.www_profile_customized --results $fix_result $tailoring_result
+
+    if ! grep -q "echo \"Fix the first rule\"" $fix_result; then
+        return 1
+    fi
+
+    rm -f $tailoring_result $fix_result
+}
+
 # Testing.
 
 test_init "test_api_xccdf_tailoring.log"
@@ -101,5 +151,9 @@ test_run "test_api_xccdf_tailoring_ds_hybrid_override" test_api_xccdf_tailoring_
 test_run "test_api_xccdf_tailoring_oscap_info_11" test_api_xccdf_tailoring_oscap_info simple-tailoring11.xml 1
 test_run "test_api_xccdf_tailoring_oscap_info_12" test_api_xccdf_tailoring_oscap_info simple-tailoring.xml 1
 test_run "test_api_xccdf_tailoring_autonegotiation" test_api_xccdf_tailoring_autonegotiation simple-tailoring-autonegotiation.xml xccdf_org.open-scap_profile_default 1
+test_run "test_api_xccdf_tailoring_simple_include_in_arf" test_api_xccdf_tailoring_simple_include_in_arf simple-xccdf.xml simple-tailoring.xml
+test_run "test_api_xccdf_tailoring_profile_include_in_arf" test_api_xccdf_tailoring_profile_include_in_arf baseline.xccdf.xml baseline.tailoring.xml
+test_run "test_api_xccdf_tailoring_profile_generate_fix" test_api_xccdf_tailoring_profile_generate_fix baseline.xccdf.xml baseline.tailoring.xml
+
 
 test_exit

tests/API/XCCDF/tailoring/baseline.oval.xml

@@ -0,0 +1,54 @@
+<oval_definitions xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd    http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd   http://oval.mitre.org/XMLSchema/oval-definitions-5#windows windows-definitions-schema.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:win-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
+    <generator>
+        <oval:schema_version>5.11</oval:schema_version>
+        <oval:timestamp>2018-01-12T10:41:00-05:00</oval:timestamp>
+    </generator>
+    <definitions>
+        <definition class="compliance" id="oval:x:def:1" version="1">
+            <metadata>
+                <title>FAIL</title>
+                <description>always fail</description>
+            </metadata>
+            <criteria>
+                <criterion comment="always failing test" test_ref="oval:x:tst:1"/>
+            </criteria>
+        </definition>
+        <definition class="compliance" id="oval:x:def:2" version="1">
+            <metadata>
+                <title>PASS</title>
+                <description>always pass</description>
+            </metadata>
+            <criteria>
+                <criterion comment="always passing test" test_ref="oval:x:tst:2"/>
+            </criteria>
+        </definition>
+    </definitions>
+    <tests>
+        <variable_test id="oval:x:tst:1" check="all" comment="always fail" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
+            <object object_ref="oval:x:obj:1"/>
+            <state state_ref="oval:x:ste:1"/>
+        </variable_test>
+        <variable_test id="oval:x:tst:2" check="all" comment="always pass" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
+            <object object_ref="oval:x:obj:1"/>
+            <state state_ref="oval:x:ste:2"/>
+        </variable_test>
+    </tests>
+    <objects>
+        <variable_object id="oval:x:obj:1" version="1" comment="x" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
+            <var_ref>oval:x:var:1</var_ref>
+        </variable_object>
+    </objects>
+    <states>
+        <variable_state id="oval:x:ste:1" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
+            <value datatype="int" operation="equals">0</value>
+        </variable_state>
+        <variable_state id="oval:x:ste:2" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
+            <value datatype="int" operation="equals">100</value>
+        </variable_state>
+    </states>
+    <variables>
+        <constant_variable id="oval:x:var:1" version="1" comment="x" datatype="int">
+            <value>100</value>
+        </constant_variable>
+    </variables>
+</oval_definitions>

tests/API/XCCDF/tailoring/baseline.tailoring.xml

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" id="xccdf_scap-workbench_tailoring_default">
+  <xccdf:benchmark href="/tmp/SCAP Workbench-cpJkKp/baseline.xccdf.xml"/>
+  <xccdf:version time="2018-12-13T10:02:12">1</xccdf:version>
+  <xccdf:Profile id="xccdf_com.example.www_profile_customized" extends="xccdf_com.example.www_profile_baseline1">
+    <xccdf:title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="true">Baseline Testing Profile 1 [CUSTOMIZED]</xccdf:title>
+    <xccdf:description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="true">This profile customizes 'xccdf_com.example.www_profile_baseline1'. This profile selects only the first rule.</xccdf:description>
+    <xccdf:select idref="xccdf_com.example.www_rule_second" selected="false"/>
+  </xccdf:Profile>
+</xccdf:Tailoring>