From 5dcde8430062ed009548b3e5e0701d72f4218575 Mon Sep 17 00:00:00 2001
From: Marley Stipich <mstipich@redhat.com>
Date: Thu, 24 Mar 2022 16:08:07 -0500
Subject: [PATCH] RHICOMPL-2833: Parse selected groups and selected rules
 separately in Profile

---
 lib/openscap_parser/profile.rb                | 24 ++++++++++-
 lib/openscap_parser/regex_handler.rb          |  9 ++++
 ...cdf_report_with_conflicts_and_requires.xml | 23 ++++++----
 test/openscap_parser/test_result_file_test.rb | 42 +++++++++++++++++++
 4 files changed, 90 insertions(+), 8 deletions(-)
 create mode 100644 lib/openscap_parser/regex_handler.rb

diff --git a/lib/openscap_parser/profile.rb b/lib/openscap_parser/profile.rb
index a448096..4e87f8f 100644
--- a/lib/openscap_parser/profile.rb
+++ b/lib/openscap_parser/profile.rb
@@ -1,3 +1,5 @@
+require 'openscap_parser/regex_handler'
+
 module OpenscapParser
   class Profile < XmlNode
     def id
@@ -20,7 +22,27 @@ def description
     end
 
     def selected_rule_ids
-      @selected_rule_ids ||= @parsed_xml.xpath("select[@selected='true']/@idref") &&
+      # Look for selected rule ids where the idref contains '_rule_' that is not preceded by 'group'
+      @selected_rule_ids ||= @parsed_xml.xpath("select[@selected='true']
+                                                      [regex(@idref, '^((?!_group_).)*?(_rule_).*$')]
+                                                      /@idref", RegexHandler) &&
+                             @parsed_xml.xpath("select[@selected='true']
+                                                      [regex(@idref, '^((?!_group_).)*?(_rule_).*$')]
+                                                      /@idref", RegexHandler).map(&:text)
+    end
+
+    def selected_group_ids
+      # Look for selected group ids where the idref contains '_group_' that is not preceded by 'rule'
+      @selected_group_ids ||= @parsed_xml.xpath("select[@selected='true']
+                                                       [regex(@idref, '^((?!_rule_).)*?(_group_).*$')]
+                                                       /@idref", RegexHandler) &&
+                              @parsed_xml.xpath("select[@selected='true']
+                                                       [regex(@idref, '^((?!_rule_).)*?(_group_).*$')]
+                                                       /@idref", RegexHandler).map(&:text)
+    end
+
+    def selected_entity_ids
+      @selected_entity_ids ||= @parsed_xml.xpath("select[@selected='true']/@idref") &&
         @parsed_xml.xpath("select[@selected='true']/@idref").map(&:text)
     end
 
diff --git a/lib/openscap_parser/regex_handler.rb b/lib/openscap_parser/regex_handler.rb
new file mode 100644
index 0000000..d694ada
--- /dev/null
+++ b/lib/openscap_parser/regex_handler.rb
@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module OpenscapParser
+  class RegexHandler < XmlNode
+    def self.regex node_set, regex
+      node_set.find_all { |node| node.to_s =~ /#{regex}/ }
+    end
+  end
+end
diff --git a/test/fixtures/files/xccdf_report_with_conflicts_and_requires.xml b/test/fixtures/files/xccdf_report_with_conflicts_and_requires.xml
index b44af0f..a6fed81 100644
--- a/test/fixtures/files/xccdf_report_with_conflicts_and_requires.xml
+++ b/test/fixtures/files/xccdf_report_with_conflicts_and_requires.xml
@@ -298,9 +298,13 @@ CIS' terms and conditions, specifically Restrictions(8), note
 there is no representation or claim that the C2S profile will
 ensure a system is in compliance or consistency with the CIS
 baseline.</description>
+    <select idref="xccdf_org.ssgproject.contentgroup_rule_account_disable_post_pw_expiration" selected="true"/>
+    <select idref="xccdf_org.ssgproject_groups.content_rule_account_disable_post_pw_expiration" selected="true"/>
+    <select idref="xccdf_org.ssgproject.groups_rule_account_disable_post_pw_expiration" selected="true"/>
     <select idref="xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration" selected="true"/>
     <select idref="xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs" selected="true"/>
     <select idref="xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs" selected="true"/>
+    <select idref="xccdf_org.ssgproject.content_rule_group_rule_accounts_minimum_age_login_defs" selected="true"/>
     <select idref="xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero" selected="true"/>
     <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit" selected="true"/>
     <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit" selected="true"/>
@@ -528,15 +532,20 @@ baseline.</description>
     <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward" selected="true"/>
     <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies" selected="true"/>
     <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra" selected="true"/>
-    <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects" selected="true"/>
+    <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_group_ipv6_conf_all_accept_redirects" selected="true"/>
     <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_disable_ipv6" selected="true"/>
     <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra" selected="true"/>
-    <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects" selected="true"/>
+    <select idref="xccdf_org.ssgproject.content_rule_group_sysctl_net_ipv6_conf_default_accept_redirects" selected="true"/>
+    <select idref="xccdf_org.ssgproject.rules_group_crypto" selected="true"/>
+    <select idref="xccdf_org.ssgproject_rules.content_group_crypto" selected="true"/>
+    <select idref="xccdf_org.ssgproject.contentrule_group_crypto" selected="true"/>
+    <select idref="xccdf_org.ssgproject.content_group_rule_crypto" selected="true"/>
+    <select idref="xccdf_org.ssgproject.content_group_rule_group_crypto" selected="true"/>
     <select idref="xccdf_org.ssgproject.content_group_rpm_verification" selected="false"/>
     <select idref="xccdf_org.ssgproject.content_group_fips" selected="false"/>
     <select idref="xccdf_org.ssgproject.content_group_crypto" selected="false"/>
     <select idref="xccdf_org.ssgproject.content_group_certified-vendor" selected="false"/>
-    <select idref="xccdf_org.ssgproject.content_group_endpoint_security_software" selected="false"/>
+    <select idref="xccdf_org.ssgproject.content_group_endpoint_rule_security_software" selected="true"/>
     <select idref="xccdf_org.ssgproject.content_group_mcafee_security_software" selected="false"/>
     <select idref="xccdf_org.ssgproject.content_group_mcafee_endpoint_security_software" selected="false"/>
     <select idref="xccdf_org.ssgproject.content_group_mcafee_hbss_software" selected="false"/>
@@ -643,10 +652,10 @@ baseline.</description>
     <select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_set_trusted" selected="false"/>
     <select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_smtp_auth_for_untrusted" selected="false"/>
     <select idref="xccdf_org.ssgproject.content_group_disabling_netfs" selected="false"/>
-    <select idref="xccdf_org.ssgproject.content_group_nfs_configuring_all_machines" selected="false"/>
-    <select idref="xccdf_org.ssgproject.content_group_nfs_client_or_server_not_both" selected="false"/>
-    <select idref="xccdf_org.ssgproject.content_group_nfs_configure_fixed_ports" selected="false"/>
-    <select idref="xccdf_org.ssgproject.content_group_mounting_remote_filesystems" selected="false"/>
+    <select idref="xccdf_org.ssgproject.content_group_nfs_configuring_all_machines" selected="true"/>
+    <select idref="xccdf_org.ssgproject.content_group_nfs_client_or_server_not_both" selected="true"/>
+    <select idref="xccdf_org.ssgproject.content_group_nfs_configure_fixed_ports" selected="true"/>
+    <select idref="xccdf_org.ssgproject.content_group_mounting_remote_filesystems" selected="true"/>
     <select idref="xccdf_org.ssgproject.content_group_nfs_configuring_servers" selected="false"/>
     <select idref="xccdf_org.ssgproject.content_group_configure_exports_restrictively" selected="false"/>
     <select idref="xccdf_org.ssgproject.content_group_export_filesystems_read_only" selected="false"/>
diff --git a/test/openscap_parser/test_result_file_test.rb b/test/openscap_parser/test_result_file_test.rb
index 8c86374..2d37e3c 100644
--- a/test/openscap_parser/test_result_file_test.rb
+++ b/test/openscap_parser/test_result_file_test.rb
@@ -29,6 +29,39 @@ def setup
     end
 
     context 'profiles' do
+      test 'profile_id' do
+        assert_match(/^xccdf_org.ssgproject.content_profile_C2S/,
+                     @test_result_file2.benchmark.profiles.first.id)
+      end
+
+      test 'profile_selected_rule_ids' do
+        assert_equal(238, @test_result_file2.benchmark.profiles.first.selected_rule_ids.length)
+        refute_includes(@test_result_file2.benchmark.profiles.first.selected_rule_ids, "xccdf_org.ssgproject.rules_group_crypto")
+        refute_includes(@test_result_file2.benchmark.profiles.first.selected_rule_ids, "xccdf_org.ssgproject.content_group_rule_crypto")
+        refute_includes(@test_result_file2.benchmark.profiles.first.selected_rule_ids, "xccdf_org.ssgproject.contentrule_group_crypto")
+        refute_includes(@test_result_file2.benchmark.profiles.first.selected_rule_ids, "xccdf_org.ssgproject.content_group_rule_group_crypto")
+      end
+
+      test 'profile_selected_group_ids' do
+        assert_equal(["xccdf_org.ssgproject.rules_group_crypto",
+                      "xccdf_org.ssgproject_rules.content_group_crypto",
+                      "xccdf_org.ssgproject.contentrule_group_crypto",
+                      "xccdf_org.ssgproject.content_group_rule_crypto",
+                      "xccdf_org.ssgproject.content_group_rule_group_crypto",
+                      "xccdf_org.ssgproject.content_group_endpoint_rule_security_software",
+                      "xccdf_org.ssgproject.content_group_nfs_configuring_all_machines",
+                      "xccdf_org.ssgproject.content_group_nfs_client_or_server_not_both",
+                      "xccdf_org.ssgproject.content_group_nfs_configure_fixed_ports",
+                      "xccdf_org.ssgproject.content_group_mounting_remote_filesystems"],
+                     @test_result_file2.benchmark.profiles.first.selected_group_ids)
+      end
+
+      test 'profile_selected_entity_ids' do
+        all_selected_ids = @test_result_file2.benchmark.profiles.first.selected_rule_ids +
+                           @test_result_file2.benchmark.profiles.first.selected_group_ids
+        assert_equal(248, @test_result_file2.benchmark.profiles.first.selected_entity_ids.length)
+        assert_equal(all_selected_ids.sort, @test_result_file2.benchmark.profiles.first.selected_entity_ids.sort)
+      end
     end
 
     context 'groups' do
@@ -36,36 +69,45 @@ def setup
         assert_match(/^xccdf_org.ssgproject.content_group_system/,
                      @test_result_file2.benchmark.groups.first.id)
       end
+
       test 'group_no_conflicts' do
         assert_equal([], @test_result_file2.benchmark.groups.first.conflicts)
       end
+
       test 'group_with_conflicts' do
         assert_equal(["xccdf_org.ssgproject.content_rule_selinux_state",
                       "xccdf_org.ssgproject.content_group_mcafee_security_software"],
                      @test_result_file2.benchmark.groups[1].conflicts)
       end
+
       test 'group_no_requires' do
         assert_equal([], @test_result_file2.benchmark.groups[1].requires)
       end
+
       test 'group_with_requires' do
         assert_equal(['A', 'B', 'C'], @test_result_file2.benchmark.groups.first.requires)
       end
+
       test 'group_description' do
         assert_match(/^Contains rules that check correct system settings./,
                      @test_result_file2.benchmark.groups.first.description)
       end
+
       test 'group_parent_id_benchmark' do
         assert_match(/^xccdf_org.ssgproject.content_benchmark_RHEL-7/,
                      @test_result_file2.benchmark.groups.first.parent_id)
       end
+
       test 'group_parent_id_group' do
         assert_match(/^xccdf_org.ssgproject.content_group_system/,
                      @test_result_file2.benchmark.groups[1].parent_id)
       end
+
       test 'group_parent_type_with_benchmark_parent' do
         assert_match(/^Benchmark/,
                      @test_result_file2.benchmark.groups.first.parent_type)
       end
+
       test 'group_parent_type_with_group_parent' do
         assert_match(/^Group/,
                      @test_result_file2.benchmark.groups[1].parent_type)