OPENSCAP-4118 - Add script to build tests

[Mab879]

Description:

This is a very rough draft a script that renders the Automatus tests for a given product. The script will be clean up once the general form is agreed upon.

Rationale:

Make running the Automatus tests possible with out Automatus script.

Review Hints:

1. export ADDITIONAL_CMAKE_OPTION="-DSSG_BUILT_TESTS_ENABLED:BOOL=ON"
2. ./build_product rhel10

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[Mab879]

Things left to do:

1. Check on Automatus runs. They seem to be broken.
   Commands like ./automatus.py rule --datastream ../build/ssg-rhel10-ds.xml --libvirt qemu:///system automatus_rhel10 root_permissions_syslibrary_files are failing.

2. I need to doc how to turn it on.

3. Possible turn down the jobs number when building many products

4. Verify the correct tests are being ran

[comps]

str.endswith() takes a tuple, so you can probably just

Suggested change

	return (filename.endswith('.pass.sh')
	or filename.endswith('.fail.sh') or
	filename.endswith('.notapplicable.sh'))
	return filename.endswith(('.pass.sh', '.fail.sh', '.notapplicable.sh'))

[comps]

If you don't mind interleaving the split, you could use python's array slicing "step" property.

Given 3 workers and a total of 10 rules, you can assign rules to them like this:

>>> a = [1,2,3,4,5,6,7,8,9,10]
>>> a[0::3]
[1, 4, 7, 10]
>>> a[1::3]
[2, 5, 8]
>>> a[2::3]
[3, 6, 9]

where the first (start) number is worker index, and the second (step) number is the total number of workers.

This is what we use in Contest to avoid any off-by-one problems and ensure no rule is left behind, while making things just simpler and evenly distributing rule complexity across all workers (as complex/simple rules tend to alphabetically bunch up).

https://github.com/RHSecurityCompliance/contest/blob/1204f812956a855eb15d26b1014cb28e5306ee05/per-rule/test.py#L93-L97

[comps]

I left some limited comments on the python code (as I am not familiar with the build system overall). Feel free to ignore any of them, as I don't know what is the level of code quality you want to maintain in this project.

Aside from the comments, consider (for an extra pedantic exercise):

• typing consistency - most of the code seems untyped, but some functions have types despite being _ (a.k.a. internal, not part of API). I'm also not sure if done_file: pathlib.Path = output_path / ".test_done" does anything (with the inlined type)
• Overall " vs ' consistency, they seem to be intermixed randomly
• Lack of comments (especially in big functions like _process_rules()
• Inconsistent indent (ssg.jinja.process_file_with_macros in _process_shared_file() seems to squash two arguments at the end, ssg.environment.open_environment in main() uses a different multi-line function call syntax.
• f-strings for logger.* calls - note that you don't have to use the prehistoric %s syntax, if you pass only one argument, logging takes it as verbatim, so it can be an f-string like one of those you use for exceptions.

I'll test the functionality tomorrow, looking forward to it. 🙂

[comps]

Maybe

Suggested change

	def _get_deny_templated_scenarios(test_config_path):
	deny_templated_scenarios = list()
	if test_config_path.exists():
	test_config = ssg.yaml.open_raw(str(test_config_path.absolute()))
	if 'deny_templated_scenarios' in test_config:
	deny_templated_scenarios = test_config['deny_templated_scenarios']
	return deny_templated_scenarios
	def _get_deny_templated_scenarios(test_config_path):
	if test_config_path.exists():
	test_config = ssg.yaml.open_raw(str(test_config_path.absolute()))
	if 'deny_templated_scenarios' in test_config:
	return set(test_config['deny_templated_scenarios'])
	return set()

?

[evgenyz]

The .get() method is always shorter and in most of the cases faster:

Suggested change

	def _get_deny_templated_scenarios(test_config_path):
	deny_templated_scenarios = list()
	if test_config_path.exists():
	test_config = ssg.yaml.open_raw(str(test_config_path.absolute()))
	if 'deny_templated_scenarios' in test_config:
	deny_templated_scenarios = test_config['deny_templated_scenarios']
	return deny_templated_scenarios
	def _get_deny_templated_scenarios(test_config_path):
	deny_templated_scenarios = set()
	if test_config_path.exists():
	test_config = ssg.yaml.open_raw(str(test_config_path.absolute()))
	deny_templated_scenarios |= test_config.get('deny_templated_scenarios', [])
	return deny_templated_scenarios

[comps]

Suggested change

	with open(shared_script_path, 'w') as file:
	file.write(file_contents)
	file.write('\n')
	_write_path(file_contents, shared_script_path)

?

(And in other similar cases.)

[comps]

.resolve() already makes the path absolute:

$ pydoc3 pathlib.Path.resolve | cat
Help on function resolve in pathlib.Path:

pathlib.Path.resolve = resolve(self, strict=False)
    Make the path absolute, resolving all symlinks on the way and also
    normalizing it.

[Mab879]

I can clean that up.

[comps]

I would honestly just let python interpreter defaults handle exit code - raise an exception if something bad happens, otherwise let it finish cleanly.

If you really want an exception-less exit on resolved_rules_dir not existing (seems like an arbitrary choice?), just do sys.exit(1) in that one case. sys will take care of the exit-related exception handling.

[Mab879]

I can move to sys.exit. However, under the covers this is how sys.exit works.

[comps]

I guess either way works. I remember some problems with raising SystemExit() with non-CPython intepreters, but we don't use those here, and those problems are probably fixed by now anyway. I would still leave the 0 exit to be done by default instead of SystemExit(0), but that's probably bikeshedding.

[jan-cerny]

I don't like that the PR description says in rationale "Make testing with thin data streams possible." because testing with thin data stream has been possible for many months and people are testing with thin data streams daily. Please reword the rationale.

[Mab879]

I have updated it.

[jan-cerny]

This script is slow, it takes more than 2 minutes to build scenarios for RHEL 9. We need to think to speed up.

[jan-cerny]

This should be a set because many rules are present in more than 1 profile so you have a lot of duplicates in this list. Converting to a set will automatically eliminate duplicates because each item can be only once in a set.

[jan-cerny]

You don't have to open the resolved rule yaml file if it is skipped. You can get the rule id from the file name. It will save some time if you don't open resolved rules that aren't going to be processed.

[jan-cerny]

I would split the rules_in_profiles into chunks instead of all_resolved_rules because the all_resolved_rules contain rules that aren't going to be processed because they are not present in the built content so the subprocesses won't be load balanced. If you split rules_in_profiles to chunks each subprocess would get the same amout of rules to be processed, which would be better load balancing.

[jan-cerny]

This is very inefficient.

The method "matches_platform" loads all CPEs for all platforms. It calls common.matches_platform which calls common._get_platform_cpes which iterates over all matched products and loads all CPEs for these products.

Therefore for many test scenarios we load many CPEs, including CPEs for other products and we repeat the loading for each test scenario. The result is that this script spends most of the time in loading CPEs.

We need to create a different and simplified way for test scenarios platform matching here.

[jan-cerny]

here we also use the problematic method

[jan-cerny]

This will skip files like for example linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/tests/test_audit.rules which are needed for the test scenarios to work.

[jan-cerny]

The test scenario linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/multiline_profile_d.fail.sh which is marked as # platform = multi_platform_sle gets build when I build RHEL 9 content. It shouldn't be there, it's for SUSE. The reason seems to be that this test scenario has empty line before the # platform = multi_platform_sle line and therefore it's skipped by this code here.

[jan-cerny]

Now it's really fast! It takes me less than 3 seconds on my laptop to build RHEL 9 tests. Great improvement!

[jan-cerny]

missing space after YAMLs

[jan-cerny]

Code Climate complains about code complexity of this function. Please split it to multiple functions. You can for example extract code related to templated tests to a new function _process_templated_tests which would be consistent with _process_local_tests.

[jan-cerny]

logger

[jan-cerny]

works fine for me 👍

[codeclimate]

Code Climate has analyzed commit fd08c5a and detected 3 issues on this pull request.

Here's the issue category breakdown:

Category	Count
Complexity	3

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 62.0% (0.0% change).

View more on Code Climate.

[jan-cerny]

Looks good to me now. It works for me as I expect.

@comps please check it if it's good for you

[comps]

Looks good to me, builds (at least on my RHEL-9) as intended.

I don't see any empty rule directories anymore (so I'm assuming rules without tests are not present inside build/rhel9/tests/), non-sh files are also included, no {{ or }} found via greps, it all looks legit.

I already used it to find quite a lot of "broken" tests, .sh scripts that don't have a shebang at the top (presumably Automatus calls them via bash script.pass.sh explicitly).

$ cd build/rhel9/tests/
$ (IFS=$'\n'; for f in $(find . -type f -name '*.sh'); do h=$(head -n1 "$f"); [[ $h != '#!/bin/bash' ]] && echo $f; done) | wc -l
266