Accept short profile IDs #107
Conversation
|
This definitely needs a comment. Looking at the line and not being familiar with the short ID feature there is no way you can figure out what it is doing... |
|
Doesn't this break the rest of the API? Like creating and defining tasks and all that? Short profile ID won't work when generating HTML guides. I am leaning NACK on this. |
|
This is in "oscapd-evalaute", not in "oscapd-cli". This condition checks if the ID provided by user is a suffix of some profile ID in SSG for the target platform. I depends on underlying tool eg. oscap or oscap-ssh if it can process the short ID. The case that I solve by this patch is: I have @mpreisler Could you explain connection of this with creating and defining tasks, please? |
|
IMO if we add some paradigm to one part of the API we should add it everywhere. Profile ID meaning different things in different parts of the API leads to confusion. Furthermore, both oscapd-cli and oscapd-evaluate use EvaluationSpec, so I don't see why this should be limited to oscapd-evaluate. |
|
@mpreisler OK, that sounds reasonable. So I think I will rework the fix so that it completes the shortened ID to the full ID by longest suffix match, preferably before EvaluationSpec is created. That way the shortened ID won't be stored in EvaluationSpec, so it won't introduce any paradigm in any API. |
jan-cerny
force-pushed
the
profile_id_check_fix
branch
from
08f7a41
to
a19f7d5
Compare
|
I have reworked it so that it doesn't work with short profile IDs in the API, it completes them instead. |
|
This doesn't solve much and goes contrary to what I said. As a user I
expect to be able to use short IDs in all parts of openscap daemon or
nowhere.
…On Jul 13, 2017 05:47, "Jan Černý" ***@***.***> wrote:
I have reworked it so that it doesn't work with short profile IDs in the
API, it completes them instead.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#107 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAt-ARgHa_fsx_o1xKjSEmRU6P6sFXcEks5sNeexgaJpZM4OMLwX>
.
|
|
@mpreisler Then, please could you explain how do you imagine short IDs in I still think it would be beneficial to support short IDs in If it isn't possible to enable short IDs in |
|
@mpreisler Any idea? |
As I said, if it were me I would do this in a way that adds short profile IDs to both oscapd-evaluate (all subcommands) and oscapd-cli (all subcommands). Perhaps others can chime in. |
|
We discussed this yesterday. I will look into this problem again. I will try to find a solution that works across whole Deamon in all use-cases. It could be done in EvalauationSpec, maybe as a new method of EvaluationSpec. |
|
I looked into this again today. I think that EvaulationSpec doesn't care if the ID is short or long. Only subcommand in oscapd-cli that I found that takes the profile ID is "task-create -i", which is interactive, so user just presses a number, and doesn't type the ID by hand. In oscapd-evaluate, the only subcommand is "oscapd-evaluate scan", which was solved in this PR. I think we I just need the code to evaluation_spec module. |
jan-cerny
force-pushed
the
profile_id_check_fix
branch
from
a19f7d5
to
8e32083
Compare
|
I have created a method in EvaluationSpec and moved the code there. |
openscap_daemon/evaluation_spec.py
Outdated
| @@ -349,6 +349,21 @@ def get_cpe_ids(self, config): | |||
|
|
|||
| return cpe_ids | |||
|
|
|||
| def match_ssg_profile_id(self, ssg_sds, profile): | |||
There was a problem hiding this comment.
suggested name "select_profile_by_suffix". and please change "profile" variable to "profile_suffix".
jan-cerny
force-pushed
the
profile_id_check_fix
branch
from
8e32083
to
d762ef1
Compare
|
I have renamed the method to "select_profile_by_suffix" and changed "profile" variable to "profile_suffix". |
openscap_daemon/evaluation_spec.py
Outdated
| break | ||
| else: | ||
| raise RuntimeError( | ||
| "Profile with id='%s' doesn't exist on target '%s'. " |
There was a problem hiding this comment.
this error is wrong if we are selecting by suffix
There was a problem hiding this comment.
Should it be something like Profile with ID matching suffix '%s' doesn't ?
There was a problem hiding this comment.
The whole thing doesn't make sense in the method in EvaluationSpec, I suggest to make it throw an exception and then you can make a nice message in oscapd-evaluate.
There was a problem hiding this comment.
Can I catch the exception?
There was a problem hiding this comment.
Yeah, throw in EvaluationSpec, then catch it in oscapd-evaluate to make a nice specific message.
jan-cerny
force-pushed
the
profile_id_check_fix
branch
from
d762ef1
to
13802e6
Compare
Recently we implemented short profile IDs in OpenSCAP. However oscapd-evaluate checks if the given profile ID is present in SCAP Security Guide Datastream. We need to apply suffix matching on the list of SSG profiles. Otherwise we will get an error that the profile was not found.
jan-cerny
force-pushed
the
profile_id_check_fix
branch
from
13802e6
to
fdf0f0a
Compare
|
I have improved this patch . The method |
|
@openscap-ci test this please |
openscap_daemon/evaluation_spec.py
Outdated
| for p in profiles: | ||
| if p.endswith(profile_suffix): | ||
| self.profile_id = p | ||
| break |
There was a problem hiding this comment.
We should handle multiple matches of the suffix too.
There was a problem hiding this comment.
I think that we don't have multiple profiles with same ID in SSG. But it still makes sense to check for multiple matches. Thanks for suggestion. It will handle if user types some very short suffix, maybe a single character. I'll do that.
openscap_daemon/evaluation_spec.py
Outdated
| @@ -349,6 +349,16 @@ def get_cpe_ids(self, config): | |||
|
|
|||
| return cpe_ids | |||
|
|
|||
| def select_profile_by_suffix(self, ssg_sds, profile_suffix): | |||
There was a problem hiding this comment.
This shouldn't take ssg_sds. Instead it should use whatever content is already set in the EvaluationSpec. If there is no content set yet it should throw an exception.
There was a problem hiding this comment.
OK, I wouldn't expect that. I'll try to handle it.
openscap_daemon/evaluation_spec.py
Outdated
| self.profile_id = p | ||
| break | ||
| else: | ||
| raise RuntimeError("No profile with suffix %s" % profile_suffix) |
There was a problem hiding this comment.
make this a typed exception if you plan to catch it.
bin/oscapd-evaluate
Outdated
| % (es.profile_id, target, target) | ||
| try: | ||
| args.profile = es.select_profile_by_suffix(ssg_sds, args.profile) | ||
| except RuntimeError: |
There was a problem hiding this comment.
this is quite dangerous, a lot of things can throw RuntimeError, please make this exception typed
An exception will be raised if multiple matches occur.
Instead of providing the SCAP Security Guide source datastream directly to the method select_profile_by_suffix, we will make the datastream available in EvaluationSpec and then we will obtain the datastream filepath from the EvaluationSpec.
This commit creates a new class of exception "ProfileSuffixMatchError", that is thrown by select_profile_by_suffix method in situations when a profile ID could not be matched. Then this exception is caught and then an error message is issued.
|
I have done requested changes. |
|
LGTM. |
|
@yuumasato thank you |
|
I trust you @yuumasato ! :D |
Recently we implemented short profile IDs in OpenSCAP. However
oscapd-evaluate checks if the given profile ID is present
in SCAP Security Guide Datastream. We need to apply
suffix matching on the list of SSG profiles. Otherwise
we will get an error that the profile was not found.