1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
|
#!/usr/bin/env bash
# Author:
# Martin Preisler <mpreisle@redhat.com>
set -e -o pipefail
. ${srcdir}/../test_common.sh
# Test Cases.
function assert_correct_xlinks()
{
local DS=$1
local stderr=$(mktemp)
$OSCAP info $DS 2> $stderr
diff $stderr /dev/null
rm $stderr
# First of all make sure that there is at least one ds:component-ref.
[ "$($XPATH $DS 'count(//*[local-name()="component-ref"])')" != "0" ]
# We want to catch cases when this element has different namespace.
local ns=$($XPATH $DS 'name(//*[local-name()="component-ref"][1])' | sed 's/:.*$/:/')
[ "$ns" != "component-ref" ] || ns=""
# Ensure there is at least some xlink.
[ "`$XPATH $DS \"count(//${ns}component-ref/@xlink:href)\"`" != "0" ]
# This asserts that there is none component-ref/xlink:href broken.
# Previously, we have seen datastreams with broken xlinks (see trac#286).
[ "`$XPATH $DS \"count(//${ns}component-ref[substring(@xlink:href, 2, 10000) != (//${ns}component/@${ns}id | //${ns}extended-component/@${ns}id)])\"`" == "0" ]
}
sds_add_multiple_twice(){
local DIR="${srcdir}/sds_multiple_oval"
local XCCDF_FILE="multiple-oval-xccdf.xml"
local DS_TARGET_DIR="$(mktemp -d)"
local DS_FILE="$DS_TARGET_DIR/sds.xml"
local stderr=$(mktemp -t sds_add.out.XXXXXX)
# Create DS from scratch
pushd "$DIR"
$OSCAP ds sds-compose "$XCCDF_FILE" "$DS_FILE" 2>&1 > $stderr
diff $stderr /dev/null
popd
# Add the very same XXCDF file again with two OVAL files
local ADD_DIR="$(mktemp -d)"
cp ${DIR}/*.xml ${ADD_DIR}
chmod u+w ${ADD_DIR}/* # distcheck shall be able to unlink these files (without --force)
local XCCDF2="$ADD_DIR/$XCCDF_FILE"
pushd ${ADD_DIR}
$OSCAP ds sds-add "$XCCDF2" "$DS_FILE" 2>&1 > $stderr
local ifiles=$(ls *.xml)
popd
diff $stderr /dev/null
rm $XCCDF2 ${ADD_DIR}/*-oval.xml
rm -f ${ADD_DIR}/oscap_debug.log.*
rmdir ${ADD_DIR}
$OSCAP ds sds-validate "$DS_FILE" 2>&1 > $stderr
diff $stderr /dev/null
assert_correct_xlinks "$DS_FILE"
$OSCAP info "$DS_FILE" 2> $stderr
diff $stderr /dev/null
local result=$DS_FILE
assert_exists 1 '/ds:data-stream-collection/ds:data-stream'
assert_exists 2 '/ds:data-stream-collection/ds:data-stream/*'
assert_exists 1 '/ds:data-stream-collection/ds:data-stream/ds:checklists'
assert_exists 2 '/ds:data-stream-collection/ds:data-stream/ds:checklists/*'
assert_exists 2 '/ds:data-stream-collection/ds:data-stream/ds:checklists/ds:component-ref'
assert_exists 1 '/ds:data-stream-collection/ds:data-stream/ds:checks'
assert_exists 4 '/ds:data-stream-collection/ds:data-stream/ds:checks/*'
assert_exists 4 '/ds:data-stream-collection/ds:data-stream/ds:checks/ds:component-ref'
assert_exists 6 '/ds:data-stream-collection/ds:component'
assert_exists 4 '/ds:data-stream-collection/ds:component/oval_definitions'
assert_exists 2 '/ds:data-stream-collection/ds:component/xccdf:Benchmark'
# split the SDS and verify the content
pushd "$DS_TARGET_DIR"
$OSCAP ds sds-split "`basename $DS_FILE`" "$DS_TARGET_DIR"
[ ! -f multiple-oval-xccdf.xml ]
mv scap_org.open-scap_cref_multiple-oval-xccdf.xml multiple-oval-xccdf.xml
popd
local f
for f in second-oval.xml first-oval.xml multiple-oval-xccdf.xml; do
$OSCAP info ${DS_TARGET_DIR}/$f 2> $stderr
diff $stderr /dev/null
diff ${DS_TARGET_DIR}/$f ${DIR}/$f
rm ${DS_TARGET_DIR}/$f
done
rm $DS_FILE
rmdir $DS_TARGET_DIR
rm $stderr
}
function test_sds {
local ret_val=0;
local DIR="${srcdir}/$1"
local XCCDF_FILE="$2"
local SKIP_DIFF="$3"
local DS_TARGET_DIR="`mktemp -d`"
local DS_FILE="$DS_TARGET_DIR/sds.xml"
pushd "$DIR"
$OSCAP ds sds-compose "$XCCDF_FILE" "$DS_FILE"
assert_correct_xlinks $DS_FILE
popd
pushd "$DS_TARGET_DIR"
$OSCAP ds sds-split "`basename $DS_FILE`" "$DS_TARGET_DIR"
rm "$DS_FILE"
# get rid of filler prefix to make the diff work
for file in scap_org.open-scap_cref_*;
do
mv "$file" "${file#scap_org.open-scap_cref_}"
done
popd
if [ "$SKIP_DIFF" != "1" ]; then
DIFFERENCE=$(diff --exclude "oscap_debug.log.*" "$DIR" "$DS_TARGET_DIR")
if [ $? -ne 0 ]; then
echo "The files are different after going through source data stream! diff follows:"
echo "$DIFFERENCE"
echo
ret_val=1
fi
fi
rm -r "$DS_TARGET_DIR"
return "$ret_val"
}
function test_eval {
$OSCAP xccdf eval "${srcdir}/$1"
}
function test_invalid_eval {
local ret=0
$OSCAP xccdf eval "${srcdir}/$1" || ret=$?
return $([ $ret -eq 1 ])
}
function test_invalid_oval_eval {
local ret=0
$OSCAP oval eval "${srcdir}/$1" || ret=$?
return $([ $ret -eq 1 ])
}
function test_eval_id {
OUT=$($OSCAP xccdf eval --datastream-id $2 --xccdf-id $3 "${srcdir}/$1")
local RET=$?
if [ $RET -ne 0 ]; then
return 1
fi
echo "$OUT" | grep $4 > /dev/null
}
function test_eval_benchmark_id {
OUT=$($OSCAP xccdf eval --benchmark-id $2 "${srcdir}/$1")
local RET=$?
if [ $RET -ne 0 ]; then
return 1
fi
echo "$OUT" | grep $3 > /dev/null
}
function test_eval_complex()
{
local name=${FUNCNAME}
local arf=$(mktemp -t ${name}.arf.XXXXXX)
local stderr=$(mktemp -t ${name}.err.XXXXXX)
local stdout=$(mktemp -t ${name}.out.XXXXXX)
$OSCAP xccdf eval \
--results-arf $arf \
--datastream-id scap_org.open-scap_datastream_tst2 \
--xccdf-id scap_org.open-scap_cref_second-xccdf.xml2 \
--profile xccdf_moc.elpmaxe.www_profile_2 \
$srcdir/eval_xccdf_id/sds-complex.xml 2> $stderr > $stdout
# Ensure the sanity of the output.
[ -f $stderr ]; [ ! -s $stderr ]
[ "`grep ^Rule $stdout | wc -l`" == "1" ]
grep ^Rule $stdout | grep xccdf_moc.elpmaxe.www_rule_secon
rm $stdout
# Ensure basic correctness of the ARF
$OSCAP ds rds-validate $arf 2>&1 > $stderr
[ -f $srderr ]; [ ! -s $stderr ]; rm $stderr
assert_correct_xlinks $arf
# Ensure that results are there
local result="$arf"
assert_exists 1 '//rule-result'
assert_exists 1 '//rule-result[@idref="xccdf_moc.elpmaxe.www_rule_second"]'
assert_exists 1 '//rule-result/result'
assert_exists 1 '//rule-result/result[text()="pass"]'
rm $arf
}
function test_oval_eval {
$OSCAP oval eval "${srcdir}/$1"
}
function test_oval_eval_id {
OUT=$($OSCAP oval eval --datastream-id $2 --oval-id $3 "${srcdir}/$1")
local RET=$?
if [ $RET -ne 0 ]; then
return 1
fi
echo "out: $OUT"
echo "$OUT" | grep $4 > /dev/null
}
function test_rds
{
local ret_val=0;
local SDS_FILE="${srcdir}/$1"
local XCCDF_RESULT_FILE="${srcdir}/$2"
local OVAL_RESULT_FILE="${srcdir}/$3"
local DS_TARGET_DIR="`mktemp -d`"
local DS_FILE="$DS_TARGET_DIR/rds.xml"
$OSCAP ds rds-create "$SDS_FILE" "$DS_FILE" "$XCCDF_RESULT_FILE" "$OVAL_RESULT_FILE"
if [ $? -ne 0 ]; then
ret_val=1
fi
assert_correct_xlinks $DS_FILE
#pushd "$DS_TARGET_DIR"
#$OSCAP ds sds_split "`basename $DS_FILE`" "$DS_TARGET_DIR"
#rm sds.xml
#popd
rm -r "$DS_TARGET_DIR"
return "$ret_val"
}
function test_rds_index
{
local ret_val=0;
local RDS_FILE="${srcdir}/$1"
local ASSETS="$2"
local REPORTS="$3"
local REQUESTS="$4"
INDEX=$($OSCAP info "$RDS_FILE")
for asset in "$ASSETS"; do
if ! echo $INDEX | grep --quiet "$asset"; then
ret_val=1
echo "Asset $asset expected in index"
fi
done
for report in "$REPORTS"; do
if ! echo $INDEX | grep --quiet "$report"; then
ret_val=1
echo "Report $report expected in index"
fi
done
for requests in "$REQUESTS"; do
if ! echo $INDEX | grep --quiet "$request"; then
ret_val=1
echo "Report request $request expected in index"
fi
done
return "$ret_val"
}
function test_rds_split {
local ret_val=0;
local DIR="${srcdir}/$1"
local SDS_FILE="$2"
local REPORT_FILE="$3"
local SKIP_DIFF="$4"
local DS_TARGET_DIR="`mktemp -d`"
local DS_FILE="$DS_TARGET_DIR/arf.xml"
pushd "$DIR"
$OSCAP ds rds-create "$SDS_FILE" "$DS_FILE" "$REPORT_FILE"
assert_correct_xlinks $DS_FILE
popd
pushd "$DS_TARGET_DIR"
$OSCAP ds rds-split "`basename $DS_FILE`" "$DS_TARGET_DIR"
rm "$DS_FILE"
popd
if [ "$SKIP_DIFF" != "1" ]; then
DIFFERENCE=$(diff --exclude "oscap_debug.log.*" "$DIR" "$DS_TARGET_DIR")
if [ $? -ne 0 ]; then
echo "The files are different after going through result data stream! diff follows:"
echo "$DIFFERENCE"
echo
ret_val=1
fi
fi
rm -r "$DS_TARGET_DIR"
return "$ret_val"
}
# Testing.
test_init "test_ds.log"
test_run "sds_simple" test_sds sds_simple scap-fedora14-xccdf.xml 0
test_run "sds_multiple_oval" test_sds sds_multiple_oval multiple-oval-xccdf.xml 0
test_run "sds_missing_oval-prepare" [ ! -f sds_missing_oval/second-oval.xml ]
test_run "sds_missing_oval" test_sds sds_missing_oval multiple-oval-xccdf.xml 0
test_run "sds_subdir" test_sds sds_subdir subdir/scap-fedora14-xccdf.xml 1
test_run "sds_extended_component" test_sds sds_extended_component fake-check-xccdf.xml 0
test_run "sds_extended_component_plain_text" test_sds sds_extended_component_plain_text fake-check-xccdf.xml 0
test_run "sds_extended_component_plain_text_entities" test_sds sds_extended_component_plain_text_entities fake-check-xccdf.xml 0
test_run "sds_extended_component_plain_text_whitespace" test_sds sds_extended_component_plain_text_whitespace fake-check-xccdf.xml 0
test_run "eval_simple" test_eval eval_simple/sds.xml
test_run "eval_invalid" test_invalid_eval eval_invalid/sds.xml
test_run "eval_invalid_oval" test_invalid_oval_eval eval_invalid/sds-oval.xml
test_run "eval_xccdf_id1" test_eval_id eval_xccdf_id/sds.xml scap_org.open-scap_datastream_tst scap_org.open-scap_cref_first-xccdf.xml first
test_run "eval_xccdf_id2" test_eval_id eval_xccdf_id/sds.xml scap_org.open-scap_datastream_tst scap_org.open-scap_cref_second-xccdf.xml second
test_run "eval_benchmark_id1" test_eval_benchmark_id eval_xccdf_id/sds.xml xccdf_moc.elpmaxe.www_benchmark_first first
test_run "eval_benchmark_id2" test_eval_benchmark_id eval_xccdf_id/sds.xml xccdf_moc.elpmaxe.www_benchmark_second second
test_run "eval_benchmark_id_conflict" test_eval_benchmark_id eval_benchmark_id_conflict/sds.xml xccdf_moc.elpmaxe.www_benchmark_first first
test_run "eval_just_oval" test_oval_eval eval_just_oval/sds.xml
test_run "eval_oval_id1" test_oval_eval_id eval_oval_id/sds.xml scap_org.open-scap_datastream_just_oval scap_org.open-scap_cref_scap-oval1.xml "oval:x:def:1"
test_run "eval_oval_id2" test_oval_eval_id eval_oval_id/sds.xml scap_org.open-scap_datastream_just_oval scap_org.open-scap_cref_scap-oval2.xml "oval:x:def:2"
test_run "eval_cpe" test_eval eval_cpe/sds.xml
test_run "rds_simple" test_rds rds_simple/sds.xml rds_simple/results-xccdf.xml rds_simple/results-oval.xml
test_run "rds_testresult" test_rds rds_testresult/sds.xml rds_testresult/results-xccdf.xml rds_testresult/results-oval.xml
test_run "rds_index_simple" test_rds_index rds_index_simple/arf.xml "asset0 asset1" "report0" "collection0"
test_run "rds_split_simple" test_rds_split rds_split_simple report-request.xml report.xml 0
test_run "test_eval_complex" test_eval_complex
test_run "sds_add_multiple_oval_twice_in_row" sds_add_multiple_twice
test_exit
|
