Use only library calls to generate remediation

jan-cerny · jan-cerny · commit e97539b82420 · 2020-03-02T14:14:49.000+01:00
Removes CMake option
SCAP_WORKBENCH_USE_LIBRARY_FOR_RESULT_BASED_REMEDIATION_ROLES_GENERATION
and removes the code that is used when this option is not set.
That means the remediations will be generated using libopenscap
library calls. The removed code executed "oscap" command to
do the same thing.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -49,12 +49,8 @@ endif()
 # Local scanning tools
 option(SCAP_WORKBENCH_LOCAL_SCAN_ENABLED "If enabled, scanning of local machine is possible from workbench. Else the option is disabled in the GUI." TRUE)
 
-option(SCAP_WORKBENCH_USE_LIBRARY_FOR_RESULT_BASED_REMEDIATION_ROLES_GENERATION "If enabled, result-based remediation roles will be generated by calls to the libopenscap library (instead of being generated by the oscap subprocess). Requires openscap>=1.2.16" FALSE)
-
-if (SCAP_WORKBENCH_USE_LIBRARY_FOR_RESULT_BASED_REMEDIATION_ROLES_GENERATION)
-    if(${OPENSCAP_VERSION_MAJOR} LESS 2 AND ${OPENSCAP_VERSION_MINOR} LESS 3 AND ${OPENSCAP_VERSION_PATCH} LESS 16)  # i.e. oscap<1.2.16
-        message(FATAL_ERROR "Library-powered generation of result-based remediation roles is supported only if you have oscap>=1.2.16, whereas you have oscap==${OPENSCAP_VERSION}")
-    endif()
+if(${OPENSCAP_VERSION_MAJOR} LESS 2 AND ${OPENSCAP_VERSION_MINOR} LESS 3 AND ${OPENSCAP_VERSION_PATCH} LESS 16)  # i.e. oscap<1.2.16
+    message(FATAL_ERROR "Library-powered generation of result-based remediation roles is supported only if you have oscap>=1.2.16, whereas you have oscap==${OPENSCAP_VERSION}")
 endif()
 
 find_program(NICE_EXECUTABLE NAMES nice) # fully optional, local scan still available when missing
diff --git a/include/Config.h.in b/include/Config.h.in
@@ -40,7 +40,6 @@
 #define SCAP_WORKBENCH_LOCAL_PKEXEC_OSCAP_PATH "@CMAKE_INSTALL_FULL_LIBEXECDIR@/scap-workbench-pkexec-oscap.sh"
 #define SCAP_WORKBENCH_LOCAL_RPM_EXTRACT_PATH "@CMAKE_INSTALL_FULL_LIBEXECDIR@/scap-workbench-rpm-extract.sh"
 #define SCAP_WORKBENCH_REMOTE_OSCAP_PATH "oscap"
-#cmakedefine SCAP_WORKBENCH_USE_LIBRARY_FOR_RESULT_BASED_REMEDIATION_ROLES_GENERATION
 #cmakedefine SCAP_WORKBENCH_LOCAL_SSH_FOUND
 #define SCAP_WORKBENCH_LOCAL_SSH_PATH "@SSH_EXECUTABLE@"
 #cmakedefine SCAP_WORKBENCH_LOCAL_SETSID_FOUND
diff --git a/include/RemediationRoleSaver.h b/include/RemediationRoleSaver.h
@@ -93,45 +93,6 @@ class PuppetProfileRemediationSaver : public ProfileBasedRemediationSaver
 };
 
 
-#ifndef SCAP_WORKBENCH_USE_LIBRARY_FOR_RESULT_BASED_REMEDIATION_ROLES_GENERATION
-/// Base for all result-based remediation generators that uses oscap process
-class ResultBasedProcessRemediationSaver : public RemediationSaverBase
-{
-    public:
-        ResultBasedProcessRemediationSaver(
-                QWidget* parentWindow, const QByteArray& arfContents, const QString& tailoringFilePath,
-                const QString& saveMessage, const QString& filetypeExtension, const QString& filetypeTemplate, const QString& fixType);
-
-    private:
-        virtual void saveToFile(const QString& filename);
-        SpacelessQTemporaryFile mArfFile;
-        QString tailoring;
-};
-
-
-class BashResultRemediationSaver : public ResultBasedProcessRemediationSaver
-{
-    public:
-        BashResultRemediationSaver(QWidget* parentWindow, const QByteArray& arfContents, const QString& tailoringFilePath);
-};
-
-
-class AnsibleResultRemediationSaver : public ResultBasedProcessRemediationSaver
-{
-    public:
-        AnsibleResultRemediationSaver(QWidget* parentWindow, const QByteArray& arfContents, const QString& tailoringFilePath);
-};
-
-
-class PuppetResultRemediationSaver : public ResultBasedProcessRemediationSaver
-{
-    public:
-        PuppetResultRemediationSaver(QWidget* parentWindow, const QByteArray& arfContents, const QString& tailoringFilePath);
-};
-
-#else  // i.e. SCAP_WORKBENCH_USE_LIBRARY_FOR_RESULT_BASED_REMEDIATION_ROLES_GENERATION is defined
-
-/// Base for all result-based remediation generators that uses the openscap library
 class ResultBasedLibraryRemediationSaver : public RemediationSaverBase
 {
     public:
@@ -165,7 +126,5 @@ class PuppetResultRemediationSaver : public ResultBasedLibraryRemediationSaver
         PuppetResultRemediationSaver(QWidget* parentWindow, const QByteArray& arfContents, const QString& tailoringFilePath);
 };
 
-#endif  // SCAP_WORKBENCH_USE_LIBRARY_FOR_RESULT_BASED_REMEDIATION_ROLES_GENERATION
-
 
 #endif // SCAP_WORKBENCH_REMEDIATION_ROLE_SAVER_H_
diff --git a/src/RemediationRoleSaver.cpp b/src/RemediationRoleSaver.cpp
@@ -35,11 +35,7 @@ extern "C"
 #include <xccdf_benchmark.h>
 #include <xccdf_policy.h>
 #include <xccdf_session.h>
-#ifdef SCAP_WORKBENCH_USE_LIBRARY_FOR_RESULT_BASED_REMEDIATION_ROLES_GENERATION
-    // vvv This include is used only for library-based generation of result-base remediation roles
-    // vvv and it requires (relatively recent) openscap 1.2.16
 #include <ds_rds_session.h>
-#endif
 }
 
 
@@ -163,88 +159,6 @@ PuppetProfileRemediationSaver::PuppetProfileRemediationSaver(QWidget* parentWind
             puppetSaveMessage, puppetFiletypeExtension, puppetFiletypeTemplate, puppetFixType)
 {}
 
-#ifndef SCAP_WORKBENCH_USE_LIBRARY_FOR_RESULT_BASED_REMEDIATION_ROLES_GENERATION
-ResultBasedProcessRemediationSaver::ResultBasedProcessRemediationSaver(
-        QWidget* parentWindow, const QByteArray& arfContents, const QString& tailoringFilePath,
-        const QString& saveMessage, const QString& filetypeExtension, const QString& filetypeTemplate, const QString& fixType):
-    RemediationSaverBase(parentWindow, saveMessage, filetypeExtension, filetypeTemplate, fixType)
-{
-    mArfFile.setAutoRemove(true);
-    mArfFile.open();
-    mArfFile.write(arfContents);
-    mArfFile.close();
-    tailoring = tailoringFilePath;
-}
-
-void ResultBasedProcessRemediationSaver::saveToFile(const QString& filename)
-{
-    QStringList args;
-    args.append("xccdf");
-    args.append("generate");
-    args.append("fix");
-
-    args.append("--template");
-    args.append(mTemplateString);
-    args.append("--output");
-    args.append(filename);
-
-    // vvv This will work, if there is only one result ID in the ARF file, it will be picked no matter what the argument value is.
-    // However, ommitting --result-id "" won't work.
-    args.append("--result-id");
-    args.append("");
-
-    if (!tailoring.isNull()) {
-        args.append("--tailoring-file");
-        args.append(tailoring.toUtf8().constData());
-    }
-
-    args.append(mArfFile.fileName());
-
-    // Launching a process and going through its output is something we do already in OscapScannerLocal::evaluate()
-    // This is a lightweight launch though.
-    QProcess process(mParentWindow);
-
-    SpacelessQTemporaryDir workingDir;
-    process.setWorkingDirectory(workingDir.path());
-    QString program(SCAP_WORKBENCH_LOCAL_OSCAP_PATH);
-
-    process.start(program, args);
-    process.waitForStarted();
-
-    const unsigned int remediationGenerationTimeout = 10000;
-
-    const int process_finished_on_time = process.waitForFinished(remediationGenerationTimeout);
-
-    if (!process_finished_on_time)
-    {
-        QString message = QObject::tr("The process that was supposed to generate remediations didn't finish on time (i.e. within %1 secs), so it was terminated.").arg(remediationGenerationTimeout / 1000);
-        process.kill();
-        throw std::runtime_error(message.toUtf8().constData());
-    }
-
-    if (process.exitCode() != 0)
-    {
-        QString completeErrorMessage(QObject::tr("Exit code of 'oscap' was %1: %2"));
-        throw std::runtime_error(completeErrorMessage.arg(process.exitCode()).arg(QString(process.readAllStandardError())).toUtf8().constData());
-    }
-}
-
-BashResultRemediationSaver::BashResultRemediationSaver(QWidget* parentWindow, const QByteArray& arfContents, const QString& tailoringFilePath):
-    ResultBasedProcessRemediationSaver(parentWindow, arfContents, tailoringFilePath,
-            bashSaveMessage, bashFiletypeExtension, bashFiletypeTemplate, bashFixTemplate)
-{}
-
-AnsibleResultRemediationSaver::AnsibleResultRemediationSaver(QWidget* parentWindow, const QByteArray& arfContents, const QString& tailoringFilePath):
-    ResultBasedProcessRemediationSaver(parentWindow, arfContents, tailoringFilePath,
-            ansibleSaveMessage, ansibleFiletypeExtension, ansibleFiletypeTemplate, ansibleFixType)
-{}
-
-PuppetResultRemediationSaver::PuppetResultRemediationSaver(QWidget* parentWindow, const QByteArray& arfContents, const QString& tailoringFilePath):
-    ResultBasedProcessRemediationSaver(parentWindow, arfContents, tailoringFilePath,
-            puppetSaveMessage, puppetFiletypeExtension, puppetFiletypeTemplate, puppetFixType)
-{}
-
-#else  // i.e. SCAP_WORKBENCH_USE_LIBRARY_FOR_RESULT_BASED_REMEDIATION_ROLES_GENERATION is defined
 ResultBasedLibraryRemediationSaver::ResultBasedLibraryRemediationSaver(
         QWidget* parentWindow, const QByteArray& arfContents, const QString& tailoringFilePath,
         const QString& saveMessage, const QString& filetypeExtension, const QString& filetypeTemplate, const QString& fixType):
@@ -343,4 +257,3 @@ PuppetResultRemediationSaver::PuppetResultRemediationSaver(QWidget* parentWindow
             puppetSaveMessage, puppetFiletypeExtension, puppetFiletypeTemplate, puppetFixType)
 {}
 
-#endif  // SCAP_WORKBENCH_USE_LIBRARY_FOR_RESULT_BASED_REMEDIATION_ROLES_GENERATION
