From 26d046ee988a632307b7ef6d4c8603b5de10c9ca Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Wed, 12 Jun 2024 08:38:21 -0500
Subject: [PATCH 1/8] Added validate_automatus_metadata Validate metadata used by Automatus.
---
 tests/validate_automatus_metadata.py | 59 ++++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100755 tests/validate_automatus_metadata.py
diff --git a/tests/validate_automatus_metadata.py b/tests/validate_automatus_metadata.py
new file mode 100755
index 00000000000..1284144eadb
--- /dev/null
+++ b/tests/validate_automatus_metadata.py
@@ -0,0 +1,59 @@
+#!/usr/bin/python3
+
+import argparse
+import os
+import glob
+import sys
+
+SSG_ROOT = os.path.abspath(os.path.join(os.path.dirname(__file__), ".."))
+VALID_FIELDS = ['check', 'packages', 'platform', 'profiles', 'remediation', 'templates',
+ 'variables']
+VALID_STATES = ['pass', 'fail', 'notapplicable']
+
+
+def _parse_args() -> argparse.Namespace:
+ parser = argparse.ArgumentParser()
+ parser.add_argument("-r", "--root", required=False, default=SSG_ROOT,
+ help="Root directory of the project")
+ return parser.parse_args()
+
+
+def get_files(root: str):
+ result = glob.glob("linux_os/**/tests/*.sh", recursive=True, root_dir=root)
+ return result
+
+
+def _test_filename_valid(test_file: str) -> bool:
+ filename = os.path.basename(test_file)
+ end_state = filename.split('.')
+ if len(end_state) == 3 and end_state[1] not in VALID_STATES:
+ print(f"Invalid expected state '{end_state[1]}' in {test_file}", file=sys.stderr)
+ return False
+ return True
+
+
+def main() -> int:
+ args = _parse_args()
+ test_files = get_files(args.root)
+ return_value = 0
+ for test_file in test_files:
+ if not _test_filename_valid(test_file) != 0:
+ return_value = 1
+ with open(test_file, "r") as f:
+ for line in f:
+ if not line.startswith("#"):
+ break
+ line = line.removeprefix('#')
+ line = line.strip()
+ parts = line.split('=')
+ if len(parts) != 2:
+ continue
+ if parts[0].strip() not in VALID_FIELDS:
+ print(f"Invalid field '{parts[0].strip()}' in {test_file}", file=sys.stderr)
+ return_value = 1
+
+ return return_value
+
+
+if __name__ == "__main__":
+ raise SystemExit(main())
From 9f168ea7c8cc6550ada3f6cf63c2db181c8b0992 Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Wed, 12 Jun 2024 08:51:21 -0500
Subject: [PATCH 2/8] Add validate_automatus_metadata to ctest
---
 tests/CMakeLists.txt | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index 5b1778f92d3..647b99b0154 100644
--- a/tests/CMakeLists.txt
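Review bot: In `main()` of tests/validate_automatus_metadata.py (PATCH 1/8), `parts = line.split('=')` followed by `if len(parts) != 2: continue` skips every header line whose value itself contains `=`, so the field name on such a line is never compared with `VALID_FIELDS`. A misspelled key on a line shaped like `# variables = some_var=1` (constructed example) would pass unnoticed, which is exactly the silent metadata drift this script is meant to catch. Splitting only once, `name, sep, _ = line.partition('=')` with `if not sep: continue`, validates the key whatever the value holds. The same split is carried unchanged into `_has_invalid_param` in PATCH 6/8.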
+++ b/tests/CMakeLists.txt
@@ -376,3 +376,10 @@ if(PYTHON_VERSION_MAJOR GREATER 2)
 set_tests_properties("utils-build_control_from_reference_sanity" PROPERTIES FIXTURES_REQUIRED "rule-dir-json")
 set_tests_properties("utils-build_control_from_reference_sanity" PROPERTIES DEPENDS "test-rule-dir-json")
 endif()
+
+if(PYTHON_VERSION_MAJOR GREATER 2)
+ add_test(
+ NAME "validate_automatus_metadata"
+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_CURRENT_SOURCE_DIR}/validate_automatus_metadata.py" "--root" "${CMAKE_SOURCE_DIR}"
+ )
+endif()
From 122dafa5e4bbbab243e796a1879e4256d6030e5c Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Wed, 12 Jun 2024 08:51:31 -0500
Subject: [PATCH 3/8] Fix findings from validate_automatus_metadata
---
 .../smartcard_configure_crl/tests/missing_crl.fail.sh | 2 +-
 .../network/network-ufw/check_ufw_active/tests/correct.pass.sh | 2 +-
 .../network-ufw/check_ufw_active/tests/incorrect.fail.sh | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_crl/tests/missing_crl.fail.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_crl/tests/missing_crl.fail.sh
index e6b5f4db001..31667b9cd2b 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_crl/tests/missing_crl.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_crl/tests/missing_crl.fail.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platfrom = multi_platfrom_ubuntu
+# platform = multi_platfrom_ubuntu
 # packages = libpam-pkcs11
 if [ ! -f /etc/pam_pkcs11/pam_pkcs11.conf ]; then
diff --git a/linux_os/guide/system/network/network-ufw/check_ufw_active/tests/correct.pass.sh b/linux_os/guide/system/network/network-ufw/check_ufw_active/tests/correct.pass.sh
index 5ee51b0f77e..9a2f8090b6e 100644
--- a/linux_os/guide/system/network/network-ufw/check_ufw_active/tests/correct.pass.sh
+++ b/linux_os/guide/system/network/network-ufw/check_ufw_active/tests/correct.pass.sh
@@ -1,4 +1,4 @@
-# package = ufw
+# packages = ufw
 systemctl enable --now ufw
 ufw allow ssh
diff --git a/linux_os/guide/system/network/network-ufw/check_ufw_active/tests/incorrect.fail.sh b/linux_os/guide/system/network/network-ufw/check_ufw_active/tests/incorrect.fail.sh
index fb77c940da1..b82e43401e5 100644
--- a/linux_os/guide/system/network/network-ufw/check_ufw_active/tests/incorrect.fail.sh
+++ b/linux_os/guide/system/network/network-ufw/check_ufw_active/tests/incorrect.fail.sh
@@ -1,4 +1,4 @@
-# package = ufw
+# packages = ufw
 # remediation = none
 systemctl enable --now ufw
From 0fa0f876f88019efc1893a5a340a2696f21fa296 Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Wed, 12 Jun 2024 09:23:04 -0500
Subject: [PATCH 4/8] Only run validate_automatus_metadata on Python 3.9+ The script uses root_dir which is in 3.10+
---
 tests/CMakeLists.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index 647b99b0154..e7812492278 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -377,7 +377,7 @@ if(PYTHON_VERSION_MAJOR GREATER 2)
 set_tests_properties("utils-build_control_from_reference_sanity" PROPERTIES DEPENDS "test-rule-dir-json")
 endif()
-if(PYTHON_VERSION_MAJOR GREATER 2)
+if(PYTHON_VERSION_MAJOR GREATER 2 AND PYTHON_VERSION_MINOR GREATER 9)
 add_test(
 NAME "validate_automatus_metadata"
 COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_CURRENT_SOURCE_DIR}/validate_automatus_metadata.py" "--root" "${CMAKE_SOURCE_DIR}"
From b9d61b5772fca76cab914ae05cb400ac6a679385 Mon Sep 17 00:00:00 2001
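Review bot: In tests/CMakeLists.txt (PATCH 4/8), the new condition `if(PYTHON_VERSION_MAJOR GREATER 2 AND PYTHON_VERSION_MINOR GREATER 9)` leaves `validate_automatus_metadata` unregistered on older interpreters without saying so, so a ctest run there would presumably come back green with no scenario metadata having been validated. An `else()` branch containing `message(STATUS "validate_automatus_metadata skipped: requires Python 3.10+")` would make the gap visible in the configure log. The commit subject says 3.9+ while the condition and the message body both mean 3.10+, so the subject should be corrected to match. The `if()` block continues past the end of the hunk.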
From: Matthew Burket
Date: Wed, 12 Jun 2024 09:23:28 -0500
Subject: [PATCH 5/8] Open the full path for tests/validate_automatus_metadata.py
---
 tests/validate_automatus_metadata.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tests/validate_automatus_metadata.py b/tests/validate_automatus_metadata.py
index 1284144eadb..c42ca0e7cca 100755
--- a/tests/validate_automatus_metadata.py
+++ b/tests/validate_automatus_metadata.py
@@ -39,7 +39,8 @@ def main() -> int:
 for test_file in test_files:
 if not _test_filename_valid(test_file) != 0:
 return_value = 1
- with open(test_file, "r") as f:
+ full_path = os.path.join(args.root, test_file)
+ with open(full_path, "r") as f:
 for line in f:
 if not line.startswith("#"):
 break
From 2519aa291a239702ecdb8bb4ec706a24f8dcebfb Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Wed, 12 Jun 2024 13:21:34 -0500
Subject: [PATCH 6/8] Clean up Code Climate Issues
---
 tests/validate_automatus_metadata.py | 36 ++++++++++++++++------------
 1 file changed, 21 insertions(+), 15 deletions(-)
diff --git a/tests/validate_automatus_metadata.py b/tests/validate_automatus_metadata.py
index c42ca0e7cca..47f5a5671e0 100755
--- a/tests/validate_automatus_metadata.py
+++ b/tests/validate_automatus_metadata.py
@@ -32,27 +32,33 @@ def _test_filename_valid(test_file: str) -> bool:
 return True
+def _has_invalid_param(root: str, test_file: str) -> bool:
+ full_path = os.path.join(root, test_file)
+ with open(full_path, "r") as f:
+ for line in f:
+ if not line.startswith("#"):
+ break
+ line = line.removeprefix('#')
+ line = line.strip()
+ parts = line.split('=')
+ if len(parts) != 2:
+ continue
+ param_name = parts[0].strip()
+ if param_name not in VALID_FIELDS:
+ print(f"Invalid field '{param_name}' in {test_file}", file=sys.stderr)
+ return False
+ return True
+
+
 def main() -> int:
 args = _parse_args()
 test_files = get_files(args.root)
 return_value = 0
 for test_file in test_files:
- if not _test_filename_valid(test_file) != 0:
+ if not _test_filename_valid(test_file):
+ return_value = 1
+ if not _has_invalid_param(args.root, test_file):
 return_value = 1
- full_path = os.path.join(args.root, test_file)
- with open(full_path, "r") as f:
- for line in f:
- if not line.startswith("#"):
- break
- line = line.removeprefix('#')
- line = line.strip()
- parts = line.split('=')
- if len(parts) != 2:
- continue
- if parts[0].strip() not in VALID_FIELDS:
- print(f"Invalid field '{parts[0].strip()}' in {test_file}", file=sys.stderr)
- return_value = 1
-
 return return_value
From cd8e120627617367997b42d75ffc0cb47fe9f2e8 Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Fri, 14 Jun 2024 15:24:10 -0500
Subject: [PATCH 7/8] Add tests/validate_automatus_metadata.py to mypy testing
---
 tests/CMakeLists.txt | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index e7812492278..b819203fcbf 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
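Review bot: `_has_invalid_param` in tests/validate_automatus_metadata.py (PATCH 6/8) returns `False` when it finds an invalid field and `True` when the header is clean, the opposite of what its name says; `main()` compensates with `if not _has_invalid_param(...)`, so the exit code is right but the next caller is likely to read it the wrong way round. Renaming it to something like `_params_valid`, or flipping both the returns and the call site, removes the trap. The early `return False` also means only the first bad field in a file is printed, where the inlined loop it replaces reported every one; setting a flag such as `valid = False` in place of `return False` and returning it after the loop keeps the full report.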
@@ -382,4 +382,5 @@ if(PYTHON_VERSION_MAJOR GREATER 2 AND PYTHON_VERSION_MINOR GREATER 9)
 NAME "validate_automatus_metadata"
 COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_CURRENT_SOURCE_DIR}/validate_automatus_metadata.py" "--root" "${CMAKE_SOURCE_DIR}"
 )
+mypy_test("tests/validate_automatus_metadata.py" "normal")
 endif()
From e65fccbe5b0ec8766ee6a4057794b0b5b42b9458 Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Thu, 20 Jun 2024 13:44:24 -0500
Subject: [PATCH 8/8] Update linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_crl/tests/missing_crl.fail.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Jan Černý
---
 .../smartcard_configure_crl/tests/missing_crl.fail.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_crl/tests/missing_crl.fail.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_crl/tests/missing_crl.fail.sh
index 31667b9cd2b..d84aa2d49d6 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_crl/tests/missing_crl.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_crl/tests/missing_crl.fail.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = multi_platfrom_ubuntu
+# platform = multi_platform_ubuntu
 # packages = libpam-pkcs11
 if [ ! -f /etc/pam_pkcs11/pam_pkcs11.conf ]; then