Merge pull request #1411 from DominiqueDevinci/contrib_python

python binding (fixes + tests)

Author: jan-cerny

.gitignore

@@ -4,6 +4,7 @@
 .gdb_history
 .libs/
 .*.swp
+*.pyc
 tags
 *.pyc
 

swig/openscap_api.py

@@ -0,0 +1,50 @@
+#!/usr/bin/env python
+
+# Author:
+#   Dominique Blaze <[email protected]>
+
+import os
+from import_handler import oscap, result2str, get_path
+
+
+'''
+Import and browse benchmark results
+
+'''
+
+benchmark = oscap.xccdf.benchmark_import(get_path("samples/xccdf_sample_results.xml"))
+if benchmark.instance is None:
+    raise Exception("Cannot import the benchmark {0}"
+                    .format(get_path("samples/xccdf_sample_results.xml")))
+else:
+    print("Benchmark id: ", benchmark.get_id())
+    results = benchmark.get_results()
+    test_result = results.pop()
+    print(test_result.get_id())
+
+    for rs in test_result.get_rule_results():
+        idref, result = rs.get_idref(), rs.get_result()
+        print(idref, result2str(result))
+
+        if (idref == "R-SHOULD_PASS" and
+                result != oscap.xccdf.XCCDF_RESULT_PASS):
+
+            raise Exception("Rule result for {0} should be PASS but is currently {1}."
+                            .format(idref,
+                                    result2str(result)))
+
+        elif (idref == "R-SHOULD_FAIL" and
+              result != oscap.xccdf.XCCDF_RESULT_FAIL):
+
+            raise Exception("Rule result for {0} should be FAIL but is currently {1}."
+                            .format(idref,
+                                    result2str(result)))
+
+
+# Now ensure that benchmark_import return None if the file doesn't exists
+
+benchmark = oscap.xccdf.benchmark_import("../../oval_details/file_doesnt_exists.xml")
+if benchmark.instance is not None:
+    raise Exception("benchmark_import should return None if it can't open the file")
+else:
+    print("benchmark_import on a non existing file returns None.")

tests/bindings/python/benchmark_import_results.py

@@ -0,0 +1,62 @@
+#!/usr/bin/env python
+
+# Author:
+#   Dominique Blaze <[email protected]>
+
+import sys
+import os
+import openscap_api as oscap
+
+
+'''
+Ensure that the openscap_api is really imported from the desired install dir
+Python doesn't directly use env(PYTHONPATH), but sys.path which aggregate
+potential paths. So we check that the import path is in PYTHONPATH.
+
+To learn more about sys.path:
+https://stackoverflow.com/questions/897792/where-is-pythons-sys-path-initialized-from/38403654#38403654
+'''
+if os.path.dirname(oscap.__file__) not in os.getenv('PYTHONPATH'):
+    raise Exception("openscap_api is loaded but from the local env "
+                    "instead of the tested environment.\n"
+                    "Loaded module path = {0}".format(oscap.__file__))
+else:
+    print("openscap_api loaded from "+oscap.__file__)
+    pass  # import is loaded from the right env
+
+
+'''
+Return the string corresponding to the oscap result (PASS, FAIL etc.)
+'''
+
+
+def result2str(result):
+    if result == oscap.xccdf.XCCDF_RESULT_PASS:
+        return "PASS"
+    elif result == oscap.xccdf.XCCDF_RESULT_FAIL:
+        return "FAIL"
+    elif result == oscap.xccdf.XCCDF_RESULT_ERROR:
+        return "ERROR"
+    elif result == oscap.xccdf.XCCDF_RESULT_UNKNOWN:
+        return "UNKNOWN"
+    elif result == oscap.xccdf.XCCDF_RESULT_NOT_APPLICABLE:
+        return "NOT_APPLICABLE"
+    elif result == oscap.xccdf.XCCDF_RESULT_NOT_CHECKED:
+        return "NOT_CHECKED"
+    elif result == oscap.xccdf.XCCDF_RESULT_NOT_SELECTED:
+        return "NOT_SELECTED"
+    elif result == oscap.xccdf.XCCDF_RESULT_INFORMATIONAL:
+        return "INFORMATIONAL"
+    elif result == oscap.xccdf.XCCDF_RESULT_FIXED:
+        return "FIXED"
+
+
+'''
+Return the absolute path of a relative path (located in this folder)
+Required because the tests are run from the build directory,
+so you need to use this functions for all relative paths.
+'''
+
+
+def get_path(path_str):
+    return os.path.join(os.path.dirname(__file__), path_str)

tests/bindings/python/import_handler.py

@@ -0,0 +1,67 @@
+#!/usr/bin/env python
+
+# Author:
+#   Dominique Blaze <[email protected]>
+#
+# Description:
+#   Test introspection features of Python API
+#    - Test the presence or the absence of expected builtins functions
+#    - Indentify a constant name by its value and prefix (prefix XCCDF_RESULT
+#       with value 1 (usually) should identify XCCDF_RESULT_PASS
+#    - Check presence of constants filtered by a prefix (XCCDF_RESULT with
+#       value = None should returns all XCCDF_RESULT_* constants).
+#
+
+
+from import_handler import oscap
+from pprint import pprint
+
+oval_funcs = oscap.oval.introspect_functions()
+
+if oval_funcs.get('oval_variable_get_values') is None:
+    raise Exception("method 'oval_variable_get_values' not found in builtins"
+                    "functions of oval object (should be in oscap.oval.introspect_functions())")
+
+if oval_funcs.get('xccdf_check_get_id') is not None:
+    raise Exception("method 'xccdf_check_get_id' should not be found in "
+                    "oscap.oval.introspect_functions(), because the prefix isn't 'oval')")
+
+if oscap.oval.introspect_all().get('xccdf_check_get_id') is None:
+    raise Exception("method 'xccdf_check_get_id' should be present in "
+                    "oscap.oval.introspect_all(), which returns all available builtins functions")
+
+print("Introspection of builtins functions seems working.")
+
+
+# should returns {'XCCDF_RESULT_PASS': 1}
+# but it's not impossible that the numeric value change (in fact we don't care of it)
+pass_val = oscap.oval.XCCDF_RESULT_PASS  # is usually 1
+
+var1 = oscap.oval.introspect_constants(pass_val, "XCCDF_RESULT")
+if len(var1) == 1 and list(var1.keys())[0] == "XCCDF_RESULT_PASS":
+    print("Introspection of oscap.oval.XCCDF_RESULT_PASS ok")
+
+
+xccdf_results = oscap.oval.introspect_constants(None, "XCCDF_RESULT")
+# should returns something like {
+# 'XCCDF_RESULT_ERROR': 3,
+# 'XCCDF_RESULT_FAIL': 2,
+# 'XCCDF_RESULT_FIXED': 9,
+# 'XCCDF_RESULT_INFORMATIONAL': 8,
+# 'XCCDF_RESULT_NOT_APPLICABLE': 5,
+# 'XCCDF_RESULT_NOT_CHECKED': 6,
+# 'XCCDF_RESULT_NOT_SELECTED': 7,
+# 'XCCDF_RESULT_PASS': 1,
+# 'XCCDF_RESULT_UNKNOWN': 4}
+
+expected_constants = ('XCCDF_RESULT_ERROR', 'XCCDF_RESULT_FAIL', 'XCCDF_RESULT_FIXED',
+                      'XCCDF_RESULT_INFORMATIONAL', 'XCCDF_RESULT_NOT_APPLICABLE',
+                      'XCCDF_RESULT_NOT_CHECKED', 'XCCDF_RESULT_PASS',
+                      'XCCDF_RESULT_NOT_SELECTED', 'XCCDF_RESULT_UNKNOWN')
+
+for c in expected_constants:
+    if c not in xccdf_results:
+        raise Exception("oscap.oval.introspect_constants(None, 'XCCDF_RESULT) should"
+                        "contains the constant {0}.".format(c))
+
+print("Introspection of constants ok with prefix XCCDF_RESULT_*")

tests/bindings/python/introspection_features.py

@@ -0,0 +1,119 @@
+#!/usr/bin/env python
+
+# Author:
+#   Dominique Blaze <[email protected]>
+#
+
+'''
+Basic OVAL evaluation:
+
+Import an oval file with oscap.oval.definition_model_import_source
+and run evalutation of some sample checks using a callback
+
+Tested functions:
+    - oscap.oval.definition_model_import_source
+    - oscap.common.source_new_from_file
+    - TODO oscap.oval.import_model
+    - oscap.oval.agent_new_session
+    - oscap.oval.agent_eval_system + associated callback
+    - oval_result_definition.get_id()
+    - oval_result_definition.get_result()
+    - oval_result_definition.get_criteria()
+
+Tested in oval_helpers.browse_criteria:
+    - oval_result_criteria.get_type() + some of associated constants OVAL_NODETYPE_*
+    - oval_result_criteria.get_subnodes()
+    - oval_result_criteria.get_test()
+
+    - oval_result_test.get_test()
+    - oval_result_test.get_result()
+
+    - oval_test.get_subtype() + some of associated constants OVAL_SUBYTPE_*
+    - oval_test.get_family() + some of associated constants
+'''
+
+import os
+import time
+from import_handler import oscap, result2str, get_path
+from oval_helpers import browse_criteria
+
+
+'''
+Intermediate functions
+'''
+
+
+# if you return something in callback else than 0, the current session stops
+def oval_sample_callback(ovdef, usr):
+
+    try:
+        # .eval or .get_result return the same thing
+        usr['results'].append(ovdef.get_id() + " => " + result2str(ovdef.get_result()))
+
+        # retrieve the tests tree and replace test_results by [subtype => result]
+        tests_tree = browse_criteria(ovdef.get_criteria(), 1)
+
+        '''
+        Expected tree for foo_pass: [[(7006, 1)]]
+        = [[(OVAL_INDEPENDENT_TEXT_FILE_CONTENT_54, XCCDF_RESULT_PASS)]]
+        or [[(OVAL_INDEPENDENT_TEXT_FILE_CONTENT_54, XCCDF_RESULT_PASS)]] for foo_fail
+        '''
+
+        expected_trees = {"oval:foo_pass:def:1": [[
+            (oscap.oval.OVAL_FAMILY_INDEPENDENT,
+             oscap.oval.OVAL_INDEPENDENT_TEXT_FILE_CONTENT_54,
+             oscap.oval.XCCDF_RESULT_PASS)]],
+
+            "oval:foo_fail:def:1": [[
+                (oscap.oval.OVAL_FAMILY_INDEPENDENT,
+                 oscap.oval.OVAL_INDEPENDENT_TEXT_FILE_CONTENT_54,
+                 oscap.oval.XCCDF_RESULT_FAIL)]]
+        }
+
+        expected_tree = expected_trees.get(ovdef.get_id())
+
+        if expected_tree is None:
+            raise ValueError("Unexpected oval def : {0}. No expected tests tree defined for it"
+                             .format(ovdef.get_id()))
+
+        elif expected_tree == tests_tree:
+            usr['results'].append("Tests tree of {0} is like expected : {1}".format(ovdef.get_id(),
+                                                                                    tests_tree))
+
+        else:
+            raise ValueError("Tests tree of {0} doesn't match with the expected tree.\n"
+                             "Extracted tree: {1}\nExpected tree: {2}"
+                             .format(ovdef.get_id(), tests_tree, expected_tree))
+
+    except Exception as e:
+        usr['results'].append(e)
+
+    return 0
+
+
+# eval oval defs oval:[foo_pass|fail]:def:1
+def oval_eval_sample(oval_defs):
+    states = {'false': 0, 'true': 0, 'err': 0, 'unknown': 0, 'neval': 0,
+              'na': 0, 'verbose': True, 'results': []}
+
+    sess = oscap.oval.agent_new_session(oval_defs, "")
+    ret = oscap.oval.agent_eval_system(sess, oval_sample_callback, states)
+
+    for tmp in states['results']:
+        if isinstance(tmp, Exception):
+            raise tmp
+        else:
+            print(tmp)
+
+'''
+       ================        MAIN TEST           ====================
+'''
+
+
+print("Opening oval file with original C functions ... ")
+oval_defs = oscap.oval.definition_model_import_source(
+    oscap.common.source_new_from_file(get_path("samples/oval_sample.xml")))
+
+oval_eval_sample(oval_defs)
+
+# TODO: do the same thing with oval_import

tests/bindings/python/oval_eval.py

@@ -0,0 +1,53 @@
+#!/usr/bin/env python
+
+# Author:
+#   Dominique Blaze <[email protected]>
+#
+# Description:
+#   Helpers functions in order to factorize other tests features
+#   It can potentially be integrated later in the high layer python api
+#   to provide convenience utilities.
+#
+
+from import_handler import oscap
+
+
+def browse_criteria(crit_node, mode=0):
+    '''
+    Browse recursively criteria of an oval test and build a representation of it
+    First list item is the operator, and the next ones are the tests
+    If the item is a list, it's a criteria (else a criterion, or string for an
+    extended defintion , or None for OVAL_NODETYPE_UNKNOWN
+
+    Ex: [operator, "extended def", [operator, test_result2, test_result3]]
+
+    Mode : with mode = 0, test_result is the swig object oval_test_result
+    with mode = 1, test result is a a tuple like (test_subtype, test_result)
+    for instance (oscap.oval.OVAL_LINUX_DPKG_INFO, OVAL_FAMILY_LINUX
+    oscap.xccdf.XCCDF_RESULT_PASS)
+    '''
+
+    # init the critria list
+    rs = list()
+
+    if crit_node.get_type() == oscap.oval.OVAL_NODETYPE_CRITERIA:
+        for c in crit_node.get_subnodes():
+            rs.append(browse_criteria(c, mode))
+
+    elif crit_node.get_type() == oscap.oval.OVAL_NODETYPE_CRITERION:
+        if mode == 0:
+            rs.append(crit_node.get_test())
+        elif mode == 1:
+            rs.append((crit_node.get_test().get_test().get_family(),
+                       crit_node.get_test().get_test().get_subtype(),
+                       crit_node.get_test().get_result()))
+        else:
+            raise ValueError("param mode in browse_criteria should be 0 or 1")
+
+    elif crit_node.get_type() == oscal.oval.OVAL_NODETYPE_EXTENDDEF:  # !!! TODO !!!
+        rs.append("extended def")
+
+    else:
+        rs.append(None)
+
+    return rs