move image-builder tailoring to the test

This makes it more consistent with /hardening/kickstart and others. Signed-off-by: Jiri Jaburek <[email protected]>
RHSecurityCompliance · Aug 16, 2024 · 5d51475 · 5d51475
1 parent 79d0df6
commit 5d51475
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 20 deletions.
diff --git a/hardening/image-builder/test.py b/hardening/image-builder/test.py
@@ -1,6 +1,7 @@
 #!/usr/bin/python3
 
 from lib import results, oscap, osbuild, util
+from conf import remediation
 
 
 osbuild.Host.setup()
@@ -9,28 +10,30 @@
 
 profile = util.get_test_name().rpartition('/')[2]
 
-ds = util.get_datastream()
+oscap.unselect_rules(util.get_datastream(), 'remediation-ds.xml', remediation.excludes())
 
-# provide our modified DS via RpmPack to the VM as /root/contest-ds.xml,
+# provide our modified DS via RpmPack to the VM as /root/remediation-ds.xml,
 # tell the 'oscap xccdf eval --remediate' called by osbuild-composer to use it
 rpmpack = util.RpmPack()
-rpmpack.add_file(ds, '/root/contest-ds.xml')
+rpmpack.add_file('remediation-ds.xml', '/root/remediation-ds.xml')
 
 cmd = [
     'oscap', 'xccdf', 'generate', '--profile', profile,
     'fix', '--fix-type', 'blueprint',
-    ds,
+    'remediation-ds.xml',
 ]
 _, lines = util.subprocess_stream(cmd, check=True)
-blueprint = osbuild.translate_oscap_blueprint(lines, profile, '/root/contest-ds.xml')
+blueprint = osbuild.translate_oscap_blueprint(lines, '/root/remediation-ds.xml')
 
 g.create(blueprint=blueprint, rpmpack=rpmpack)
 
 with g.booted():
+    # copy the original DS to the guest
+    g.copy_to(util.get_datastream(), 'scan-ds.xml')
     # scan the remediated system
     proc, lines = g.ssh_stream(
         f'oscap xccdf eval --profile {profile} --progress --report report.html'
-        f' --results-arf results-arf.xml /root/contest-ds.xml'
+        f' --results-arf results-arf.xml scan-ds.xml'
     )
     oscap.report_from_verbose(lines)
     if proc.returncode not in [0,2]:

diff --git a/lib/osbuild.py b/lib/osbuild.py
@@ -38,7 +38,6 @@
 from pathlib import Path
 
 from lib import util, dnf, virt
-from conf import remediation
 
 
 class Host:
@@ -214,17 +213,6 @@ def set_openscap_datastream(self, ds_file):
             post,
         ])
 
-    def add_openscap_tailoring(self, *, selected=None, unselected=None):
-        if '[customizations.openscap.tailoring]' in self.assembled:
-            raise SyntaxError("openscap.taioring section already exists")
-        if not selected and not unselected:
-            return
-        self.assembled += '[customizations.openscap.tailoring]\n'
-        for name, vals in [('selected', selected), ('unselected', unselected)]:
-            if vals:
-                strings = ','.join(f'"{x}"' for x in vals)
-                self.assembled += f'{name} = [ {strings} ]\n'
-
     @contextlib.contextmanager
     def to_tmpfile(self):
         bp = self.assembled
@@ -387,7 +375,7 @@ def composer_cli_out(*args, **kwargs):
     return out.stdout.rstrip('\n')
 
 
-def translate_oscap_blueprint(lines, profile, datastream):
+def translate_oscap_blueprint(lines, datastream):
     """
     Parse (and tweak) a blueprint generated via 'oscap xccdf generate fix'.
     """
@@ -406,6 +394,5 @@ def translate_oscap_blueprint(lines, profile, datastream):
 
     # add openscap hardening, honor global excludes
     blueprint.set_openscap_datastream(datastream)
-    blueprint.add_openscap_tailoring(unselected=remediation.excludes())
 
     return blueprint