Fixes #17742: remove openscap sanitization

openscap-policies/README.adoc

@@ -28,9 +28,11 @@ The technique comes with two parameters:
 * `profile` which is the profile name you want to audit
 * `scap_file` which is the absolute path (on the node) of the SCAP content from which you will base the audit on
 
+image:openscap-policies/openscap-directive.png[OpenSCAP directive example]
+
 SCAP content refers to document in the XCCDF, OVAL and Source DataStream formats. These documents can be presented in different forms and by different organizations to meet their security automation and technical implementation needs. You can find more informations on the https://github.com/ComplianceAsCode/content[ComplianceAsCode]  GitHub project.
 
-By default, available `scap_files` are located on `/usr/share/xml/scap/ssg/content/` after install of the openSCAP agent on the nodes. Given profiles for specific scap_files can be obtain with the command:
+By default, available `scap_files` are located on `/usr/share/xml/scap/ssg/content/` after installation of the openSCAP agent on the nodes. Given profiles for specific scap_files can be obtain with the command:
 
 ----
 oscap info <scap_file>
@@ -45,9 +47,11 @@ The technique will take care of the openSCAP agent installation and will by defa
 
 == Rudder Webapp integration
 
-A new tab in Node Details called OpenSCAP is added by this plugin for nodes configured to have the OpenSCAP Technique running. It displays the report in an iframe in this tab, in a sanitized version (no scripts)
+A new tab in Node Details called OpenSCAP is added by this plugin for nodes configured to have the OpenSCAP Technique running. It displays the report in an iframe in this tab, as it is sent by the node, without any sanitization yet.
+
+image:openscap-policies/openscap-tab.png[OpenSCAP tab in node details]
 
-Two news API endpoints are also available:
+A new API endpoint is also available:
 
 * /latest/openscap/report/{nodeId}    : the OpenSCAP report
-* /latest/openscap/sanitized/{nodeId} : the OpenSCAP report as displayed in the web interface (sanitized)
+

openscap-policies/src/main/resources/template/OpenScapPoliciesManagement.html

@@ -16,15 +16,15 @@ <h2>OpenSCAP Policies</h2>
       on the Node Details page, on the OpenSCAP tab.
     </p>
     <p>
-      It also add two API endpoints to get the OpenSCAP report, either as raw, or sanitized (without any JS).
+      It also add an API endpoints to get the raw OpenSCAP report.
     </p>
 
     <h3>API endpoint and format</h3>
 
-    <p>The API has two endpoints:
+    <p>The API has one endpoint:
       <ul>
         <li><span style="font-family: monospace;">GET /latest/openscap/report/{nodeId}</span></p></li>
-        <li><span style="font-family: monospace;">GET /latest/openscap/sanitized/{nodeId}</span></p></li>
+       <!-- <li><span style="font-family: monospace;">GET /latest/openscap/sanitized/{nodeId}</span></p></li> -->
       </ul>
     <p>So for example, with curl: <span style="font-family: monospace;">curl -k -H "X-API-Token: 5YJnb4EenqDHzwx0U0eTPWWhgjTJ8mkk" -X GET 'https://your-server/rudder/api/latest/openscap/report/e2ba6527-936d-48b7-b2e8-73167ebdd783'</span></p>
     <p>It returns, if it exists, the OpenSCAP report generated for node e2ba6527-936d-48b7-b2e8-73167ebdd783</p>

openscap-policies/src/main/scala/com/normation/plugins/openscappolicies/api/OpenScapApi.scala

@@ -84,9 +84,7 @@ class OpenScapApiImpl(
           logger.trace("doing in memory response")
           InMemoryResponse(
               report.content.getBytes()
-            , ("Content-Type" -> "text/html") ::
-              ("Content-Disposition","""attachment;filename="rudder-openscap-%s.html"""".format(nodeId)) ::
-              Nil
+            , ("Content-Type", "text/html") :: ("Content-Disposition", "inline")  :: Nil
             , Nil
             , 200)
         case Full(None) =>
@@ -127,7 +125,6 @@ class OpenScapApiImpl(
           logger.trace("Doing in memory response")
           InMemoryResponse(
             sanitizedReport.toString().getBytes()
-            // somehow, the X-FRAME-OPTIONS get rewrote to DENY here
             ,  ("Content-Type", "text/html") :: ("Content-Disposition", "inline") :: Nil
             , Nil
             , 200)

openscap-policies/src/main/scala/com/normation/plugins/openscappolicies/extension/OpenScapNodeDetailsExtension.scala

@@ -81,8 +81,8 @@ class OpenScapNodeDetailsExtension(
 
   def frameContent(nodeId : NodeId): CssSel = {
 
-        "iframe [src]"      #> s"/secure/api/openscap/sanitized/${nodeId.value}" &
-          "a [href]"      #> s"/secure/api/openscap/report/${nodeId.value}"
+        "iframe [src]"      #> s"/secure/api/openscap/report/${nodeId.value}" &
+        "a [href]"      #> s"/secure/api/openscap/report/${nodeId.value}"
 
   }
 
@@ -94,10 +94,9 @@ class OpenScapNodeDetailsExtension(
             <div class="marker">
               <span class="glyphicon glyphicon-info-sign"></span>
             </div>
-            <p>That tab gives access to OpenSCAP report configured for that node. Below is a sanitized version of the
-            report (without any scripts or specific scripts).</p>
+            <p>That tab gives access to OpenSCAP report configured for that node. Below is the raw report as sent by the node.</p>
             <br/>
-            <p><b><a href="">Original version of the report can be downloaded here</a></b></p>
+            <p><b><a href="">You can also download this report here</a></b></p>
           </div>
           <iframe width="100%" height="800"></iframe>
         </div>