yamlfilecontent probe #1480

Merged: 27 commits, Feb 26, 2020

jan-cerny
Member

@jan-cerny jan-cerny commented Feb 14, 2020

This PR will add a new yamlfilecontent probe based on the proposal in OVAL-Community/OVAL#91.

This PR contains:

  • basic skeleton
  • finding libyaml.so and libyaml-path.so dependencies
  • extraction of input data from oval object
  • YAML path query
  • produces errors when the yamlpath expression doesn't match scalars or list of scalars but a mapping or something else
  • handling lists of scalars
  • type detection

@evgenyz
Contributor

evgenyz commented Feb 14, 2020

Can you please also add the libyaml dependency?

@jan-cerny
Member Author

@evgenyz Yes, more patches are coming

@jan-cerny
Member Author

@evgenyz We have discussed this with @matejak and we think that at this moment we will expect that yaml-path is a separate .so library. For this I propose a change in OpenSCAP/yaml-filter#1

Also, I have created a new CMake find module in 9715d1d which detects the yaml-path library. Basically it depends on OpenSCAP/yaml-filter#1

@evgenyz
Contributor

evgenyz commented Feb 14, 2020

@jan-cerny Hmm, we have to have a .pc file then. And you really think that it has to be a shared library right now?

@jan-cerny jan-cerny force-pushed the yamlfilecontent_probe branch from 9715d1d to ea3b811 Compare February 18, 2020 08:41
@jan-cerny
Member Author

I'm struggling with the problem described in OpenSCAP/yaml-filter#2

@evgenyz
Contributor

evgenyz commented Feb 18, 2020

> I'm struggling with the problem described in OpenSCAP/yaml-filter#2

I'm on it

@jan-cerny jan-cerny force-pushed the yamlfilecontent_probe branch from ea3b811 to 64296cb Compare February 18, 2020 14:52
@jan-cerny
Member Author

I have rebased it on the top of maint-13 which now contains XML schemas and tests.

It already works with content from test_probes_yamlfilecontent_key.xml. But when evaluating test_probes_yamlfilecontent_array.xml I get unexpected results. Apart from the correct items in system_data it also generates incorrect items, it seems to somehow "merge" outputs and pipelines keys from openshift-logging.yaml. Hopefully it's related to the issue OpenSCAP/yaml-filter#2

Adds only CMake, enums and mostly empty .c and .h files.

We have to create our own find module because CMake doesn't ship
any find module for libyaml.

At this moment the raw returned data is directly used to populate
the 'value_of' element.

Instead of emitted YAML document we will gather the scalars that
match the YAML path expression. We don't produce OVAL items directly
but we use a temporary list to avoid incomplete results if a list
contains non-scalar values. We don't need the yaml_emitter anymore.

And include it to the libopenscap.so.

The file was called tests_probes_yamlfilecontent_offline_mode.xml
but the test script expects test_probes_yamlfilecontent_offline_mode.xml.
As all the other files in this directory start with test_ it's better to
be consistent and rename the file.

The states expect value of `name` key from openshift-logging.yaml
not `namespace`.

The purpose of this test is to test if probe doesn't collect data
from the host. The comment in oval:0:def:2 in
test_probes_yamlfilecontent_offline_mode.xml says: "make sure file in
host doesn't match" and the expected result is false. The corresponding
state expects value of value_of to be `outstance`. Based on this,
the sed command should modify the file in host, not in guest, because
if the file in guest is modified the object and state will match and
definition result will be true.

@jan-cerny jan-cerny force-pushed the yamlfilecontent_probe branch from 64296cb to ea04516 Compare February 19, 2020 08:33
Missing this line caused the test not to be skipped if
oscap-chrootable was not built.
@jan-cerny
Member Author

@openscap-ci test this please

@yuumasato
Member

Apologies for the bugs in the tests, 😬

jan-cerny added a commit to jan-cerny/jenkins that referenced this pull request Feb 20, 2020
Adds submodules in OpenSCAP jobs and adds libyaml-devel due
to new yamlfilecontent probe. See
OpenSCAP/openscap#1480
Also updates whitelist for SSG PRs.
Creates multiple value_of elements within a single yamlfilecontent_item
element instead of creating multiple yamlfilecontent_item elements
containing single value_of elements. According to the schema proposal
the value_of element can occur 0 to unbounded times. Also, this behavior
is consistent with xmlfilecontent probe.

It is impossible that a single collected item would have 2 values
at the same time.
@jan-cerny jan-cerny force-pushed the yamlfilecontent_probe branch from c92a14f to 7dc6684 Compare February 21, 2020 09:07
We will detect booleans, floats and integers using YAML 1.2 Core
Schema (https://yaml.org/spec/1.2/spec.html#id2804923)
and we will treat every other scalar as string.
@jan-cerny jan-cerny marked this pull request as ready for review February 24, 2020 15:14
Member

@yuumasato yuumasato left a comment

Code looks good.
Given the fundamentality of the yaml type detection, I have suggested tests for the error code path.

Adds tests that test explicit typecasts errors, and tests that
quoted strings are always treated as strings.

When using alternatives in a regular expression, '^' and '$' are part
of only one alternative, therefore groups have to be used to have
these anchors in all alternatives.
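
The type detection and the anchoring fix described in the commit messages above, as an added example that is not code from this pull request: POSIX extended regular expressions for the YAML 1.2 Core Schema bool, int and float forms, with the ungrouped boolean pattern kept beside the grouped one to show what it wrongly accepts. The names `detect_type`, `re_match` and the `T_*` enum are hypothetical, and quoted scalars are passed in with a `quoted` flag as an assumption about how the caller reports them.

```c
#include <regex.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical result type: everything that is not bool/int/float is a string. */
typedef enum { T_STRING, T_BOOL, T_INT, T_FLOAT } yaml_type_t;

/* Return true if the POSIX ERE `pattern` matches somewhere in `s`. */
static bool re_match(const char *pattern, const char *s)
{
    regex_t re;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return false;
    bool hit = regexec(&re, s, 0, NULL, 0) == 0;
    regfree(&re);
    return hit;
}

/* Ungrouped: '^' binds only to "true" and '$' only to "FALSE", so the
 * middle alternatives match anywhere ("trueish", "unfalse" both match). */
#define BOOL_UNGROUPED "^true|True|TRUE|false|False|FALSE$"
/* Grouped: every alternative sits between '^' and '$'. */
#define BOOL_RE  "^(true|True|TRUE|false|False|FALSE)$"
#define INT_RE   "^([-+]?[0-9]+|0o[0-7]+|0x[0-9a-fA-F]+)$"
#define FLOAT_RE "^([-+]?(\\.[0-9]+|[0-9]+(\\.[0-9]*)?)([eE][-+]?[0-9]+)?" \
                 "|[-+]?\\.(inf|Inf|INF)|\\.(nan|NaN|NAN))$"

/* Classify one scalar; a quoted scalar is always a string. Int is tested
 * before float because plain digits also satisfy the float pattern. */
yaml_type_t detect_type(const char *scalar, bool quoted)
{
    if (quoted)
        return T_STRING;
    if (re_match(BOOL_RE, scalar))
        return T_BOOL;
    if (re_match(INT_RE, scalar))
        return T_INT;
    if (re_match(FLOAT_RE, scalar))
        return T_FLOAT;
    return T_STRING;
}

int main(void)
{
    /* Constructed sample scalars. */
    const char *samples[] = { "true", "trueish", "0x1F", "6.8523e+5", "1.2.3" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-10s -> %d\n", samples[i], detect_type(samples[i], false));
    return 0;
}
```
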
@jan-cerny
Member Author

@yuumasato Thank you very much for the test ideas, they helped to discover some issues.

@jan-cerny jan-cerny added this to the 1.3.3 milestone Feb 25, 2020
@jan-cerny
Member Author

@evgenyz @yuumasato If the YAML document is empty or if a key specified by yamlpath expression isn't present, it collects <object id="OBJ_ID" version="1" flag="does not exist"/> and from the flag the test result is computed based on the test attributes as usual.

Member

@yuumasato yuumasato left a comment

The probe seems to be in good shape to start processing some real yamlfilecontent_tests from CaC.

Also, thank you for adding the type detection, it will really make content writing experience smooth.

@yuumasato yuumasato self-assigned this Feb 26, 2020
@jan-cerny
Member Author

@yuumasato SSG will probably have to start generating (pseudo) OVAL 5.11.3 content.

@yuumasato
Member

> @yuumasato SSG will probably have to start generating (pseudo) OVAL 5.11.3 content.

Well noted. As the yamlfilecontent_test specification is not final, and OVAL 5.11.3 version is not out yet, I'm thinking about adding a variable to turn on/off building content with future standards / features.
I'll create an issue in CaC.

3 participants