Correctly process templated Ansible conditionals and introduce os_linux platform #9959
Conversation
vojtapolasek
added
Infrastructure
|
Start a new ephemeral environment with changes proposed in this pull request: Fedora Environment Oracle Linux 8 Environment |
| "e.g.: ~/scap-security-guide/rhel7/product.yml" | ||
| ) | ||
| p.add_argument( | ||
| "--remediation-type", required=True, action="append", |
There was a problem hiding this comment.
It probably should have a dest with remediation_types with s at the end because it's a list and it can hold multiple values. Later, it looks confusing when you iterate over something that suggests that is a single value, ie. for language in args.remediation_type looks worse than for language in args.remediation_types.
Then, you have an inconsistency - it's a "Remediation type" for the user but a "language" internally.
There was a problem hiding this comment.
Fixed in 64ce401
| return p.parse_args() | ||
|
|
||
|
|
||
| def main(): |
There was a problem hiding this comment.
please split the main into multiple smaller functions
There was a problem hiding this comment.
fixed in: c198cc2
| ansible_distribution_version is version("{{{ spec.ver }}}", "{{{ spec.op }}}") | ||
| {{% endfor %}} | ||
| {{%- endmacro -%}} | ||
| {{%- if SPECS|length() >= 1 -%}} |
There was a problem hiding this comment.
What is SPECS and where is it defined?
There was a problem hiding this comment.
I am sorry for confusion, I removed this part of the code. It will be brought in later when the support for versions is implemented.
| for language in args.remediation_type: | ||
| for platform_file in os.listdir(args.platforms_dir): |
There was a problem hiding this comment.
Is it possible to swap the loops so that the YAML file is loaded only once?
There was a problem hiding this comment.
fixed in c198cc2
| import ssg.build_remediations as remediations | ||
| from ssg.build_cpe import ProductCPEs, CPEALFactRef | ||
| import ssg.environment | ||
|
|
There was a problem hiding this comment.
The script looks like the logic could be integrated into other build scripts. Have you considered that? For example, you could load the bash/ansible conditional into platforms at the moment in which these are resolved.
There was a problem hiding this comment.
I am currently exploring a possibility to merge it into build_templated_content.py build script.
| {{%- set ansible_os_release_name_cond = 'ansible_distribution == "' + OS_ID_ANSIBLE + '"' -%}} | ||
| {{%- macro ansible_os_release_conditional(specs) -%}} | ||
| {{%- for spec in specs -%}} | ||
| ansible_distribution_version is version("{{{ spec.ver }}}", "{{{ spec.op }}}") |
There was a problem hiding this comment.
I assume that this means that this PR depends on the versions feature introduced in #9945. Is that correct?
There was a problem hiding this comment.
No, sorry for confusion. I force pushed the last commit and removed version support from Ansible remediation.
vojtapolasek
force-pushed
the
cpe_os_linux_template
branch
2 times, most recently
from
910f88b
to
096ad52
Compare
vojtapolasek
force-pushed
the
cpe_os_linux_template
branch
from
c198cc2
to
54afd39
Compare
|
@jan-cerny I have rewritten the PR. There is no additional build phase now, everything happens while templating content in template.py. |
There was a problem hiding this comment.
I have tried to use the os_linux platform in multiple rules in Fedora content and various combinations of it and it all works.
The changes look good to me.
Unfortunately, we have some CI problem with testing farm CS 9 job, but it's clearly unrelated to this PR and the problem appears also in other PRs that are recently triggered CI, eg. #9968.
|
/test e2e-aws-ocp4-high-node |
…rameters passed to platform up to now the creation of new CPE items was unconditional it means that even if resolved CPE items already existed, they got rewritten whenever the platform was being loaded. This is not desired - each CPE item should get resolved just once.
…ciated CPE items This conditional is later used when creating remediations.
previously, the representation was sometimes stored as string, sometimes as XML ElementTree. Platforms need to be saved and loaded as needed and so this needs to be unified.
originally, the function did also the file writing but I need to split it so that I can better influence what to do with the result of templating. In case of platforms and CPE items, I do not want the filled template to be written into a file, I want to incorporate it into the CPE item / template and save them to disk as needed. This commit changes tthe function and adapt templating of rules to the new API. Templating of platforms and CPEs will be handled in separate commit.
make sure that as soon as the template is filled, it is inserted into the CPE item at runtime and also the CPE item is stored to disk.
…items update their templated conditionals This ensures that changes to conditionals of templated CPE items propagate to platforms. Platforms are also stored to disk because they are loaded in later build stages.
add associated template together with Ansible remediation. Currently, only the OS name can be specified.
result of rebase against master which brings support for versions
vojtapolasek
force-pushed
the
cpe_os_linux_template
branch
from
54afd39
to
3469d5e
Compare
|
Rebased against master after the support for specifying versions within platforms has been merged. |
|
Code Climate has analyzed commit 3469d5e and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 40.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 49.8% (-0.1% change). View more on Code Climate. |
|
/retest |
|
@vojtapolasek: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
There was a problem hiding this comment.
I have tried to use the os_release platform in multiple rules in Fedora content and then I tried to run the scan and I also use it in some of the complex platform expression together with the platform expressions. The applicability evaluation always ended as I expected.
Description:
Rationale:
Review hints: