Enable autotailor to process multi-profile JSON Tailorings

The script will now accept multiple profiles in JSON Tailorings
and also will use command-line options to update existing
profiles or will create a new profile in the XCCDF tailoring.

tests/utils/autotailor_integration_test.sh

@@ -70,7 +70,6 @@ assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www
 assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R4"]/result[text()="notselected"]'
 assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R4" and @severity="high"]'
 
-
 # select additional rule R4 and change its role to "unchecked"
 python3 $autotailor --id-namespace "com.example.www" --select R4 --rule-role R4=unchecked $ds $original_profile > $tailoring
 $OSCAP xccdf eval --profile P1_customized --progress --tailoring-file $tailoring --results $result $ds
@@ -83,7 +82,6 @@ assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www
 assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R4"]/result[text()="notchecked"]'
 assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R4" and @role="unchecked"]'
 
-
 # select additional rule R3; the customized profile will have a special profile ID
 customized_profile="xccdf_com.pink.elephant_profile_pineapple"
 python3 $autotailor --new-profile-id $customized_profile --id-namespace "com.example.www" --select R3 $ds $original_profile > $tailoring
@@ -113,7 +111,7 @@ assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www
 assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R3"]/result[text()="notselected"]'
 assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R4"]/result[text()="notselected"]'
 
-# use JSON tailoring
+# use JSON tailoring (P1)
 python3 $autotailor $ds --id-namespace "com.example.www" --json-tailoring $json_tailoring > $tailoring
 $OSCAP xccdf eval --profile JSON_P1 --progress --tailoring-file $tailoring --results $result $ds
 assert_exists 1 '/Benchmark/TestResult/set-value[@idref="xccdf_com.example.www_value_V1" and text()="New Value"]'
@@ -124,3 +122,18 @@ assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www
 assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R3" and @severity="unknown"]'
 assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R4"]/result[text()="notselected"]'
 assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R4" and @role="unchecked"]'
+
+# use JSON tailoring (P11)
+python3 $autotailor --id-namespace "com.example.www" --json-tailoring $json_tailoring $ds > $tailoring
+$OSCAP xccdf eval --profile JSON_P11 --progress --tailoring-file $tailoring --results $result $ds
+assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R3"]/result[text()="pass"]'
+
+# use JSON tailoring (P11) with command-line override
+python3 $autotailor --id-namespace "com.example.www" --json-tailoring $json_tailoring --tailored-profile-id=JSON_P11 --unselect R3 $ds > $tailoring
+$OSCAP xccdf eval --profile JSON_P11 --progress --tailoring-file $tailoring --results $result $ds
+assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R3"]/result[text()="notselected"]'
+
+# use JSON tailoring (P11) with a new profile from the command line
+python3 $autotailor --id-namespace "com.example.www" --json-tailoring $json_tailoring --tailored-profile-id=CMDL_P --select R3 $ds $original_profile > $tailoring
+$OSCAP xccdf eval --profile CMDL_P --progress --tailoring-file $tailoring --results $result $ds
+assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R3"]/result[text()="pass"]'

tests/utils/custom.json

@@ -30,6 +30,16 @@
  "option_id": "some"
  }
  }
+ },
+ {
+ "id": "JSON_P11",
+ "title": "JSON Tailored Profile P11",
+ "base_profile_id": "P1",
+ "rules": {
+ "R3": {
+ "evaluate": true
+ }
+ }
  }
  ]
 }

tests/utils/test_autotailor.py

@@ -29,68 +29,68 @@ def test_is_valid_xccdf_id():
 
 
 def test_full_id():
- t = autotailor.Tailoring()
- assert t._full_rule_id("accounts_tmout") == \
+ p = autotailor.Profile()
+ assert p._full_rule_id("accounts_tmout") == \
  "xccdf_org.ssgproject.content_rule_accounts_tmout"
- assert t._full_rule_id(
+ assert p._full_rule_id(
  "xccdf_org.ssgproject.content_rule_accounts_tmout") == \
  "xccdf_org.ssgproject.content_rule_accounts_tmout"
- assert t._full_profile_id("stig") == \
+ assert p._full_profile_id("stig") == \
  "xccdf_org.ssgproject.content_profile_stig"
- assert t._full_profile_id(
+ assert p._full_profile_id(
  "xccdf_org.ssgproject.content_profile_stig") == \
  "xccdf_org.ssgproject.content_profile_stig"
- assert t._full_var_id("var_crypto_policy") == \
+ assert p._full_var_id("var_crypto_policy") == \
  "xccdf_org.ssgproject.content_value_var_crypto_policy"
- assert t._full_var_id(
+ assert p._full_var_id(
  "xccdf_org.ssgproject.content_value_var_crypto_policy") == \
  "xccdf_org.ssgproject.content_value_var_crypto_policy"
 
 
 def test_customized_profile_id():
- t = autotailor.Tailoring()
- t.extends = "stig"
- assert t.profile_id == "stig_customized"
- t.profile_id = "my_cool_profile"
- assert t.profile_id == "my_cool_profile"
+ p = autotailor.Profile()
+ p.extends = "stig"
+ assert p.profile_id == "stig_customized"
+ p.profile_id = "my_cool_profile"
+ assert p.profile_id == "my_cool_profile"
 
 
 def test_refine_rule():
- t = autotailor.Tailoring()
+ p = autotailor.Profile()
  with pytest.raises(ValueError) as e:
- t.refine_rule("selinux_state", "severity", "high")
+ p.refine_rule("selinux_state", "severity", "high")
  assert str(e.value) == "Rule id 'selinux_state' is invalid!"
  with pytest.raises(ValueError) as e:
- t.refine_rule(
+ p.refine_rule(
  "xccdf_org.ssgproject.content_rule_accounts_tmout", "foo", "bar")
  assert str(e.value) == "Unsupported refine-rule attribute foo"
  with pytest.raises(ValueError) as e:
- t.refine_rule(
+ p.refine_rule(
  "xccdf_org.ssgproject.content_rule_accounts_tmout",
  "role", "mnau")
  assert str(e.value) == (
  "Can't refine role of rule 'xccdf_org.ssgproject.content_rule_accounts"
  "_tmout' to 'mnau'. Allowed role values are: \"full\", \"unscored\", "
  "\"unchecked\".")
  with pytest.raises(ValueError) as e:
- t.refine_rule(
+ p.refine_rule(
  "xccdf_org.ssgproject.content_rule_accounts_tmout",
  "severity", "mnau")
  assert str(e.value) == (
  "Can't refine severity of rule 'xccdf_org.ssgproject.content_rule_"
  "accounts_tmout' to 'mnau'. Allowed severity values are: \"unknown\", "
  "\"info\", \"low\", \"medium\", \"high\".")
  fav = "xccdf_org.ssgproject.content_rule_accounts_tmout"
- t.refine_rule(fav, "severity", "high")
- assert t.rule_refinements(fav, "severity") == "high"
- t.refine_rule(fav, "role", "full")
- assert t.rule_refinements(fav, "severity") == "high"
- assert t.rule_refinements(fav, "role") == "full"
+ p.refine_rule(fav, "severity", "high")
+ assert p.rule_refinements(fav, "severity") == "high"
+ p.refine_rule(fav, "role", "full")
+ assert p.rule_refinements(fav, "severity") == "high"
+ assert p.rule_refinements(fav, "role") == "full"
  with pytest.raises(ValueError) as e:
- t.refine_rule(fav, "severity", "low")
+ p.refine_rule(fav, "severity", "low")
  assert str(e.value) == (
  "Can't refine severity of rule 'xccdf_org.ssgproject.content_rule_"
  "accounts_tmout' to 'low'. This rule severity is already refined to "
  "'high'.")
- assert t.rule_refinements(fav, "severity") == "high"
- assert t.rule_refinements(fav, "role") == "full"
+ assert p.rule_refinements(fav, "severity") == "high"
+ assert p.rule_refinements(fav, "role") == "full"