Create openscap formula
This formula allows to install openscap schemas and utils.
Also, here is a simple oscap execution module.
Change-Id: Ib113f9a739deafbc4cf85c97b071636d0161cb54
Closes-PROD: https://mirantis.jira.com/browse/PROD-20392
diff --git a/.kitchen.yml b/.kitchen.yml
new file mode 100644
index 0000000..113b5ba
--- /dev/null
+++ b/.kitchen.yml
@@ -0,0 +1,44 @@
+---
+driver:
+ name: docker
+ hostname: openscap.ci.local
+ use_sudo: false
+
+provisioner:
+ name: salt_solo
+ salt_install: bootstrap
+ salt_bootstrap_url: https://bootstrap.saltstack.com
+ salt_version: latest
+ require_chef: false
+ log_level: error
+ formula: openscap
+ state_top:
+ base:
+ "*":
+ - openscap
+ pillars:
+ top.sls:
+ base:
+ "*":
+ - openscap
+ grains:
+ kitchen-test: True
+
+
+verifier:
+ name: inspec
+ sudo: true
+
+platforms:
+ - name: <%=ENV['PLATFORM'] || 'saltstack-ubuntu-xenial-salt-stable' %>
+ driver_config:
+ image: <%=ENV['PLATFORM'] || 'epcim/salt-formulas:saltstack-ubuntu-xenial-salt-stable'%>
+ platform: ubuntu
+
+suites:
+
+ - name: openscap
+ provisioner:
+ pillars-from-files:
+ openscap.sls: tests/pillar/openscap.sls
+# vim: ft=yaml sw=2 ts=2 sts=2 tw=125
diff --git a/.travis.yml b/.travis.yml
new file mode 100644
index 0000000..50f0b7b
--- /dev/null
+++ b/.travis.yml
@@ -0,0 +1,29 @@
+sudo: required
+services:
+ - docker
+
+install:
+ - pip install PyYAML
+ - pip install virtualenv
+ - |
+ test -e Gemfile || cat <<EOF > Gemfile
+ source 'https://rubygems.org'
+ gem 'rake'
+ gem 'test-kitchen'
+ gem 'kitchen-docker'
+ gem 'kitchen-inspec'
+ gem 'inspec'
+ gem 'kitchen-salt', :git => 'https://github.com/salt-formulas/kitchen-salt.git'
+ - bundle install
+
+env:
+ - PLATFORM=epcim/salt:saltstack-ubuntu-xenial-salt-2017.7 SUITE=openscap
+ - PLATFORM=epcim/salt:saltstack-ubuntu-xenial-salt-2018.3 SUITE=openscap
+
+before_script:
+ - set -o pipefail
+ - make test | tail
+
+script:
+ - test ! -e .kitchen.yml || bundle exec kitchen converge ${SUITE} || true
+ - test ! -e .kitchen.yml || bundle exec kitchen verify ${SUITE} -t tests/integration
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..d166862
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,122 @@
+DESTDIR=/
+SALTENVDIR=/usr/share/salt-formulas/env
+RECLASSDIR=/usr/share/salt-formulas/reclass
+FORMULANAME=$(shell grep name: metadata.yml|head -1|cut -d : -f 2|grep -Eo '[a-z0-9\-\_]*')
+VERSION=$(shell grep version: metadata.yml|head -1|cut -d : -f 2|grep -Eo '[a-z0-9\.\-\_]*')
+VERSION_MAJOR := $(shell echo $(VERSION)|cut -d . -f 1-2)
+VERSION_MINOR := $(shell echo $(VERSION)|cut -d . -f 3)
+
+NEW_MAJOR_VERSION ?= $(shell date +%Y.%m|sed 's,\.0,\.,g')
+NEW_MINOR_VERSION ?= $(shell /bin/bash -c 'echo $$[ $(VERSION_MINOR) + 1 ]')
+
+MAKE_PID := $(shell echo $$PPID)
+JOB_FLAG := $(filter -j%, $(subst -j ,-j,$(shell ps T | grep "^\s*$(MAKE_PID).*$(MAKE)")))
+
+ifneq ($(subst -j,,$(JOB_FLAG)),)
+JOBS := $(subst -j,,$(JOB_FLAG))
+else
+JOBS := 1
+endif
+
+KITCHEN_LOCAL_YAML?=.kitchen.yml
+KITCHEN_OPTS?="--concurrency=$(JOBS)"
+KITCHEN_OPTS_CREATE?=""
+KITCHEN_OPTS_CONVERGE?=""
+KITCHEN_OPTS_VERIFY?=""
+KITCHEN_OPTS_TEST?=""
+
+all:
+ @echo "make install - Install into DESTDIR"
+ @echo "make lint - Run lint tests"
+ @echo "make test - Run tests"
+ @echo "make kitchen - Run Kitchen CI tests (create, converge, verify)"
+ @echo "make clean - Cleanup after tests run"
+ @echo "make release-major - Generate new major release"
+ @echo "make release-minor - Generate new minor release"
+ @echo "make changelog - Show changes since last release"
+
+install:
+ # Formula
+ [ -d $(DESTDIR)/$(SALTENVDIR) ] || mkdir -p $(DESTDIR)/$(SALTENVDIR)
+ cp -a $(FORMULANAME) $(DESTDIR)/$(SALTENVDIR)/
+ [ ! -d _modules ] || cp -a _modules $(DESTDIR)/$(SALTENVDIR)/
+ [ ! -d _states ] || cp -a _states $(DESTDIR)/$(SALTENVDIR)/ || true
+ [ ! -d _grains ] || cp -a _grains $(DESTDIR)/$(SALTENVDIR)/ || true
+ # Metadata
+ [ -d $(DESTDIR)/$(RECLASSDIR)/service/$(FORMULANAME) ] || mkdir -p $(DESTDIR)/$(RECLASSDIR)/service/$(FORMULANAME)
+ cp -a metadata/service/* $(DESTDIR)/$(RECLASSDIR)/service/$(FORMULANAME)
+
+lint:
+ [ ! -d tests ] || (cd tests; ./run_tests.sh lint)
+
+test:
+ [ ! -d tests ] || (cd tests; ./run_tests.sh)
+
+release-major: check-changes
+ @echo "Current version is $(VERSION), new version is $(NEW_MAJOR_VERSION)"
+ @[ $(VERSION_MAJOR) != $(NEW_MAJOR_VERSION) ] || (echo "Major version $(NEW_MAJOR_VERSION) already released, nothing to do. Do you want release-minor?" && exit 1)
+ echo "$(NEW_MAJOR_VERSION)" > VERSION
+ sed -i 's,version: .*,version: "$(NEW_MAJOR_VERSION)",g' metadata.yml
+ [ ! -f debian/changelog ] || dch -v $(NEW_MAJOR_VERSION) -m --force-distribution -D `dpkg-parsechangelog -S Distribution` "New version"
+ make genchangelog-$(NEW_MAJOR_VERSION)
+ (git add -u; git commit -m "Version $(NEW_MAJOR_VERSION)")
+ git tag -s -m $(NEW_MAJOR_VERSION) $(NEW_MAJOR_VERSION)
+
+release-minor: check-changes
+ @echo "Current version is $(VERSION), new version is $(VERSION_MAJOR).$(NEW_MINOR_VERSION)"
+ echo "$(VERSION_MAJOR).$(NEW_MINOR_VERSION)" > VERSION
+ sed -i 's,version: .*,version: "$(VERSION_MAJOR).$(NEW_MINOR_VERSION)",g' metadata.yml
+ [ ! -f debian/changelog ] || dch -v $(VERSION_MAJOR).$(NEW_MINOR_VERSION) -m --force-distribution -D `dpkg-parsechangelog -S Distribution` "New version"
+ make genchangelog-$(VERSION_MAJOR).$(NEW_MINOR_VERSION)
+ (git add -u; git commit -m "Version $(VERSION_MAJOR).$(NEW_MINOR_VERSION)")
+ git tag -s -m $(VERSION_MAJOR).$(NEW_MINOR_VERSION) $(VERSION_MAJOR).$(NEW_MINOR_VERSION)
+
+check-changes:
+ @git log --pretty=oneline --decorate $(VERSION)..HEAD | grep -Eqc '.*' || (echo "No new changes since version $(VERSION)"; exit 1)
+
+changelog:
+ git log --pretty=short --invert-grep --grep="Merge pull request" --decorate $(VERSION)..HEAD
+
+genchangelog: genchangelog-$(VERSION_MAJOR).$(NEW_MINOR_VERSION)
+
+genchangelog-%:
+ $(eval NEW_VERSION := $(patsubst genchangelog-%,%,$@))
+ (echo "=========\nChangelog\n=========\n"; \
+ (echo $(NEW_VERSION);git tag) | sort -r | grep -E '^[0-9\.]+' | while read i; do \
+ cur=$$i; \
+ test $$i = $(NEW_VERSION) && i=HEAD; \
+ prev=`(echo $(NEW_VERSION);git tag)|sort|grep -E '^[0-9\.]+'|grep -B1 "$$cur\$$"|head -1`; \
+ echo "Version $$cur\n=============================\n"; \
+ git log --pretty=short --invert-grep --grep="Merge pull request" --decorate $$prev..$$i; \
+ echo; \
+ done) > CHANGELOG.rst
+
+kitchen-check:
+ @[ -e $(KITCHEN_LOCAL_YAML) ] || (echo "Kitchen tests not available, there's no $(KITCHEN_LOCAL_YAML)." && exit 1)
+
+kitchen: kitchen-check kitchen-create kitchen-converge kitchen-verify kitchen-list
+
+kitchen-create: kitchen-check
+ kitchen create ${KITCHEN_OPTS} ${KITCHEN_OPTS_CREATE}
+ [ "$(shell echo $(KITCHEN_LOCAL_YAML)|grep -Eo docker)" = "docker" ] || sleep 120
+
+kitchen-converge: kitchen-check
+ kitchen converge ${KITCHEN_OPTS} ${KITCHEN_OPTS_CONVERGE} &&\
+ kitchen converge ${KITCHEN_OPTS} ${KITCHEN_OPTS_CONVERGE}
+
+kitchen-verify: kitchen-check
+ [ ! -d tests/integration ] || kitchen verify -t tests/integration ${KITCHEN_OPTS} ${KITCHEN_OPTS_VERIFY}
+ [ -d tests/integration ] || kitchen verify ${KITCHEN_OPTS} ${KITCHEN_OPTS_VERIFY}
+
+kitchen-test: kitchen-check
+ [ ! -d tests/integration ] || kitchen test -t tests/integration ${KITCHEN_OPTS} ${KITCHEN_OPTS_TEST}
+ [ -d tests/integration ] || kitchen test ${KITCHEN_OPTS} ${KITCHEN_OPTS_TEST}
+
+kitchen-list: kitchen-check
+ kitchen list
+
+clean:
+ [ ! -x "$(shell which kitchen)" ] || kitchen destroy
+ [ ! -d .kitchen ] || rm -rf .kitchen
+ [ ! -d tests/build ] || rm -rf tests/build
+ [ ! -d build ] || rm -rf build
diff --git a/README.rst b/README.rst
new file mode 100644
index 0000000..1bc773c
--- /dev/null
+++ b/README.rst
@@ -0,0 +1,32 @@
+
+================
+openscap formula
+================
+
+Openscap is used to install openscap utils.
+
+Sample pillars
+==============
+
+.. code-block:: yaml
+
+ parameters:
+ openscap:
+ service:
+ enabled: True
+ upload:
+ cloud_name: ${_param:cluster_domain}
+ api_url: http://8.8.8.8:12345/
+ tailoring:
+ id:
+ profile: xccdf_org.customer.content_profile_default
+ extends: xccdf_org.mirantis.content_profile_default
+ values:
+ first_value: First
+ second_value: 2
+ external_ip_address: ${_param:single_address}
+
+Read more
+=========
+
+* https://www.open-scap.org/
diff --git a/_modules/oscap/__init__.py b/_modules/oscap/__init__.py
new file mode 100644
index 0000000..88cdcba
--- /dev/null
+++ b/_modules/oscap/__init__.py
@@ -0,0 +1,106 @@
+from __future__ import absolute_import
+from oscap.commands import xccdf, oval
+import logging
+import os
+import salt.utils
+import shutil
+import stat
+
+_OSCAP_XCCDF_EXIT_CODES_MAP = {
+ 0: True, # all rules pass
+ 1: False, # there is an error during evaluation
+ 2: True # there is at least one rule with either fail or unknown result
+}
+
+DIR_MODE = '0750'
+
+log = logging.getLogger(__name__)
+
+def __virtual__():
+ if not salt.utils.which('oscap'):
+ return (False, 'oscap is required.')
+ return 'oscap'
+
+def eval(evaltype,
+ benchmark,
+ profile='default',
+ xccdf_version='1.2',
+ tailoring_id=None,
+ fetch_from_master=False,
+ benchmark_url=None,
+ benchmark_basepath='output',
+ saltenv='base',
+ results_dir=None):
+ '''
+ `oscap eval` wrapper
+ :param evaltype: what to evaluate, can be `xccdf` or `oval`
+ :param profile: xccdf profile (default 'default')
+ :param xccdf_version xccdf benchmark version (default 1.2)
+ :param tailoring_id id of your tailoring data (default None)
+ :param fetch_from_master: fetch oscap input data from the master (default False)
+ :param benchmark_basepath: basepath where the benchmark will be searched (default 'output')
+ :param saltenv: saltenv, used for cached files (default 'base')
+ :param results_dir: directory for storing results (default {{__opts__[cachedir]}}/files/openscap/latest)
+
+ :return: success,returncode,results_dir, optionally stderr
+
+ Usage example:
+
+ salt MINION oscap.eval xccdf /tmp/myxccdf.xml tailoring_id=myenv_oscap_variables profile='anssi_nt28_high'
+ '''
+ success = False
+ stderr = None
+ returncode = None
+ pillar_data = None
+
+ latest_dir = os.path.join(__opts__['cachedir'], 'files', 'openscap', 'latest')
+ results_dir = os.path.normpath(results_dir) if results_dir else latest_dir
+
+ benchmark_url = benchmark_url if benchmark_url else \
+ 'salt://{}/{}'.format(benchmark_basepath,
+ os.path.dirname(benchmark))
+
+ if fetch_from_master:
+ _ret_ = __salt__['cp.cache_dir'](benchmark_url)
+ benchmark = benchmark[1:] if os.path.isabs(benchmark) else benchmark
+ benchmark = os.path.join(__opts__['cachedir'], 'files',
+ saltenv, benchmark_basepath, benchmark)
+
+ if evaltype == 'xccdf':
+ if tailoring_id:
+ pillar_data = __salt__['pillar.get']('openscap:tailoring:{}'\
+ .format(tailoring_id))
+ (stdout, stderr, rc, temp_dir) = xccdf(benchmark,
+ profile=profile,
+ pillar_data=pillar_data,
+ tailoring_id=tailoring_id,
+ xccdf_version=xccdf_version)
+
+ success = _OSCAP_XCCDF_EXIT_CODES_MAP[rc]
+ elif evaltype == 'oval':
+ (stdout, stderr, rc, temp_dir) = oval(benchmark)
+ success = not rc
+ else:
+ raise RuntimeError('Unsupported oscap command "{}"'.format(evaltype))
+
+ ret = {
+ 'success': success,
+ 'returncode': rc,
+ 'results_dir': results_dir
+ }
+
+ if success:
+ mode = int(str(stat.S_IMODE(int(DIR_MODE))), 8)
+ base_dir = os.path.dirname(results_dir)
+ if os.path.isdir(results_dir):
+ shutil.rmtree(results_dir)
+ if not os.path.isdir(base_dir):
+ os.makedirs(base_dir)
+ os.chmod(base_dir, mode)
+ os.rename(temp_dir, latest_dir)
+ os.chmod(latest_dir, mode)
+
+ if stderr:
+ ret['stderr'] = stderr
+
+ return ret
diff --git a/_modules/oscap/commands.py b/_modules/oscap/commands.py
new file mode 100644
index 0000000..44c703d
--- /dev/null
+++ b/_modules/oscap/commands.py
@@ -0,0 +1,51 @@
+from __future__ import absolute_import
+import tempfile
+import os
+from oscap.utils import build_tailoring, normalize_id, run
+
+def oscap_has_sce():
+ (stdout, _, _) = run('oscap -V')
+ return any([x for x in stdout.splitlines() if x.startswith('SCE Vers')])
+
+def xccdf(benchmark,
+ pillar_data=None,
+ xccdf_version='1.2',
+ profile='default',
+ tailoring_id=None):
+
+ tailoring_file = None
+ profile = normalize_id(profile, xccdf_version=xccdf_version)
+
+ tempdir = tempfile.mkdtemp(prefix='oscap-')
+
+ if pillar_data:
+ if not tailoring_id:
+ raise Exception('Tailoring id must be set!')
+ profile = normalize_id(pillar_data['profile'], typeof='profile')
+ tailoring_file = os.path.join(tempdir, 'tailoring.xml')
+
+ cmd = 'oscap xccdf eval --profile {profile} ' +\
+ '--results results.xml --report report.html'
+ if oscap_has_sce():
+ cmd += ' --sce-results'
+ if tailoring_file:
+ cmd += ' --tailoring-file {tailoring_file}'
+ cmd += ' {benchmark}'
+ cmd = cmd.format(profile=profile,
+ tailoring_file=tailoring_file,
+ benchmark=benchmark)
+
+ if tailoring_file:
+ with open(tailoring_file, 'w') as f:
+ f.write(build_tailoring(pillar_data, tailoring_id))
+
+ stdout, stderr, rc = run(cmd, tempdir)
+ return stdout, stderr, rc, tempdir
+
+def oval(benchmark):
+ tempdir = tempfile.mkdtemp(prefix='oscap-')
+ cmd = 'oscap oval eval --results results.xml --report report.html {}'
+ cmd = cmd.format(benchmark)
+
+ stdout, stderr, rc = run(cmd, tempdir)
+ return stdout, stderr, rc, tempdir
diff --git a/_modules/oscap/utils.py b/_modules/oscap/utils.py
new file mode 100644
index 0000000..164949d
--- /dev/null
+++ b/_modules/oscap/utils.py
@@ -0,0 +1,46 @@
+from lxml.etree import Element, SubElement, tostring
+from subprocess import Popen, PIPE
+import shlex
+import re
+import datetime
+
+import salt.ext.six as six
+
+def normalize_id(id,
+ xccdf_version='1.2',
+ typeof='profile',
+ vendor='mirantis'):
+
+ if xccdf_version == '1.2':
+ if not re.match('^xccdf_[^_]+_{}_.+'.format(typeof), id):
+ return 'xccdf_org.{0}.content_{1}_{2}'.format(vendor, typeof, id)
+ return id
+
+def build_tailoring(data, id):
+ xccdf_version = data.get('xccdf_version', '1.2')
+ ns = {None: 'http://checklists.nist.gov/xccdf/{}'.format(xccdf_version)}
+ tid = normalize_id(id, xccdf_version, typeof='tailoring')
+ pid = normalize_id(data['profile'], xccdf_version, vendor='customer')
+ ext = normalize_id(data['extends'], xccdf_version)
+ tailoring = Element('Tailoring', nsmap=ns, id=tid)
+ tailoring.append(Element('benchmark', {'href': ext}))
+
+ now = datetime.datetime.now().isoformat()
+ version = SubElement(tailoring, 'version', time=now).text = '1'
+
+ profile = SubElement(tailoring, 'Profile', id=pid, extends=ext)
+
+ title = SubElement(profile, 'title').text = \
+ 'Extends {}'.format(ext)
+
+ for key, value in six.iteritems(data.get('values', {})):
+ idref = normalize_id(key, xccdf_version, typeof='value')
+ elem = SubElement(profile, 'set-value', idref=idref)
+ elem.text = str(value)
+ return tostring(tailoring, pretty_print=True)
+
+def run(cmd, cwd=None):
+ # The Popen used here because the __salt__['cmd.run'] returns only stdout
+ proc = Popen(shlex.split(cmd), stdout=PIPE, stderr=PIPE, cwd=cwd)
+ (stdout, stderr) = proc.communicate()
+ return stdout, stderr, proc.returncode
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..1664d17
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,5 @@
+salt-formula-openscap (0.1) trusty; urgency=medium
+
+ * Initial release
+
+ -- Ivan Suzdal <mos-linux@mirantis.com> Wed, 06 Jun 2018 09:14:42 +0000
diff --git a/debian/compat b/debian/compat
new file mode 100644
index 0000000..ec63514
--- /dev/null
+++ b/debian/compat
@@ -0,0 +1 @@
+9
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..c773ba6
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,14 @@
+Source: salt-formula-openscap
+Maintainer: MOS Linux Team <mos-linux@mirantis.com>
+Section: admin
+Priority: optional
+Build-Depends: python, python-yaml, debhelper (>= 9)
+Standards-Version: 3.9.6
+Vcs-Browser: https://github.com/salt-formulas/salt-formula-openscap
+Vcs-Git: https://github.com/salt-formulas/salt-formula-openscap.git
+
+Package: salt-formula-openscap
+Architecture: all
+Depends: ${misc:Depends}
+Description: openscap salt formula
+ Install openscap with utils
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..77e364f
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,21 @@
+Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: salt-formula-openscap
+Source: https://github.com/salt-formulas/salt-formula-openscap
+
+Files: *
+Copyright: 2017, MOS Linux Team <mos-linux@mirantis.com>
+License: Apache-2.0
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+ .
+ http://www.apache.org/licenses/LICENSE-2.0
+ .
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ .
+ On Debian-based systems the full text of the Apache version 2.0 license
+ can be found in `/usr/share/common-licenses/Apache-2.0'.
diff --git a/debian/docs b/debian/docs
new file mode 100644
index 0000000..d585829
--- /dev/null
+++ b/debian/docs
@@ -0,0 +1,3 @@
+README.rst
+CHANGELOG.rst
+VERSION
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..abde6ef
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,5 @@
+#!/usr/bin/make -f
+
+%:
+ dh $@
+
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 0000000..89ae9db
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (native)
diff --git a/metadata.yml b/metadata.yml
new file mode 100644
index 0000000..7faf41e
--- /dev/null
+++ b/metadata.yml
@@ -0,0 +1,4 @@
+name: "openscap"
+version: "0.1"
+source: "https://github.com/salt-formulas/salt-formula-openscap"
+
diff --git a/metadata/service/cis.yml b/metadata/service/cis.yml
new file mode 100644
index 0000000..4ef56e9
--- /dev/null
+++ b/metadata/service/cis.yml
@@ -0,0 +1,6 @@
+applications:
+- openscap
+parameters:
+ openscap:
+ service:
+ enabled: true
diff --git a/metadata/service/init.yml b/metadata/service/init.yml
new file mode 100644
index 0000000..3cde744
--- /dev/null
+++ b/metadata/service/init.yml
@@ -0,0 +1,5 @@
+applications:
+- openscap
+parameters:
+ openscap:
+ enabled: true
diff --git a/metadata/service/support.yml b/metadata/service/support.yml
new file mode 100644
index 0000000..5f3f2ea
--- /dev/null
+++ b/metadata/service/support.yml
@@ -0,0 +1,11 @@
+parameters:
+ openscap:
+ _support:
+ collectd:
+ enabled: false
+ heka:
+ enabled: false
+ sensu:
+ enabled: false
+ sphinx:
+ enabled: false
diff --git a/openscap/init.sls b/openscap/init.sls
new file mode 100644
index 0000000..f4b2125
--- /dev/null
+++ b/openscap/init.sls
@@ -0,0 +1,4 @@
+{%- if pillar.openscap is defined %}
+include:
+- openscap.service
+{%- endif %}
diff --git a/openscap/map.jinja b/openscap/map.jinja
new file mode 100644
index 0000000..1c5fec2
--- /dev/null
+++ b/openscap/map.jinja
@@ -0,0 +1,12 @@
+{% set openscap = salt['grains.filter_by']({
+ 'Debian': {
+ 'packages': ['libopenscap8',
+ 'xccdf-benchmarks-mirantis'],
+ },
+ 'RedHat': {
+ 'packages': ['openscap',
+ 'openscap-scanner',
+ 'openscap-engine-sce',
+ ],
+ },
+}, grain='os_family', merge=salt['pillar.get']('openscap')) %}
diff --git a/openscap/service.sls b/openscap/service.sls
new file mode 100644
index 0000000..2ef2a08
--- /dev/null
+++ b/openscap/service.sls
@@ -0,0 +1,10 @@
+{% from "openscap/map.jinja" import openscap with context %}
+
+{%- if openscap.get('service', {}).get('enabled', False) %}
+openscap_packages:
+ pkg.installed:
+ - names: {{ openscap.packages }}
+ {%- if grains.get('kitchen-test') %}
+ - onlyif: /bin/false
+ {%- endif %}
+{%- endif %}
diff --git a/tests/pillar/openscap.sls b/tests/pillar/openscap.sls
new file mode 100644
index 0000000..111b5da
--- /dev/null
+++ b/tests/pillar/openscap.sls
@@ -0,0 +1,3 @@
+openscap:
+ service:
+ enabled: true
diff --git a/tests/run_tests.sh b/tests/run_tests.sh
new file mode 100755
index 0000000..ad30dd9
--- /dev/null
+++ b/tests/run_tests.sh
@@ -0,0 +1,297 @@
+#!/usr/bin/env bash
+
+###
+# Script requirments:
+#apt-get install -y python-yaml virtualenv git
+
+__ScriptVersion="2018.08.16"
+__ScriptName="run_tests.sh"
+__ScriptFullName="$0"
+__ScriptArgs="$*"
+
+set -e
+[ -n "$DEBUG" ] && set -x
+
+CURDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+METADATA=${CURDIR}/../metadata.yml
+FORMULA_NAME=$(cat $METADATA | python -c "import sys,yaml; print yaml.load(sys.stdin)['name']")
+FORMULA_META_DIR=${CURDIR}/../${FORMULA_NAME}/meta
+
+## Overrideable parameters
+PILLARDIR=${PILLARDIR:-${CURDIR}/pillar}
+BUILDDIR=${BUILDDIR:-${CURDIR}/build}
+VENV_DIR=${VENV_DIR:-${BUILDDIR}/virtualenv}
+MOCK_BIN_DIR=${MOCK_BIN_DIR:-${CURDIR}/mock_bin}
+DEPSDIR=${BUILDDIR}/deps
+SCHEMARDIR=${SCHEMARDIR:-"${CURDIR}/../${FORMULA_NAME}/schemas/"}
+
+SALT_FILE_DIR=${SALT_FILE_DIR:-${BUILDDIR}/file_root}
+SALT_PILLAR_DIR=${SALT_PILLAR_DIR:-${BUILDDIR}/pillar_root}
+SALT_CONFIG_DIR=${SALT_CONFIG_DIR:-${BUILDDIR}/salt}
+SALT_CACHE_DIR=${SALT_CACHE_DIR:-${SALT_CONFIG_DIR}/cache}
+SALT_CACHE_EXTMODS_DIR=${SALT_CACHE_EXTMODS_DIR:-${SALT_CONFIG_DIR}/cache_master_extmods}
+
+SALT_OPTS="${SALT_OPTS} --retcode-passthrough --local -c ${SALT_CONFIG_DIR} --log-file=/dev/null"
+
+IGNORE_MODELVALIDATE_MASK=${IGNORE_MODELVALIDATE_MASK:-"novalidate"}
+
+if [ "x${SALT_VERSION}" != "x" ]; then
+ PIP_SALT_VERSION="==${SALT_VERSION}"
+fi
+
+## Functions
+log_info() {
+ echo -e "[INFO] $*"
+}
+
+log_err() {
+ echo -e "[ERROR] $*" >&2
+}
+
+setup_virtualenv() {
+ log_info "Setting up Python virtualenv"
+ dependency_check virtualenv
+ virtualenv $VENV_DIR
+ source ${VENV_DIR}/bin/activate
+ python -m pip install salt${PIP_SALT_VERSION}
+ if [[ -f ${CURDIR}/test-requirements.txt ]]; then
+ python -m pip install -r ${CURDIR}/test-requirements.txt
+ fi
+}
+
+setup_mock_bin() {
+ # If some state requires a binary, a lightweight replacement for
+ # such binary can be put into MOCK_BIN_DIR for test purposes
+ if [ -d "${MOCK_BIN_DIR}" ]; then
+ PATH="${MOCK_BIN_DIR}:$PATH"
+ export PATH
+ fi
+}
+
+setup_pillar() {
+ [ ! -d ${SALT_PILLAR_DIR} ] && mkdir -p ${SALT_PILLAR_DIR}
+ echo "base:" > ${SALT_PILLAR_DIR}/top.sls
+ for pillar in ${PILLARDIR}/*; do
+ grep ${FORMULA_NAME}: ${pillar} &>/dev/null || continue
+ state_name=$(basename ${pillar%.sls})
+ echo -e " ${state_name}:\n - ${state_name}" >> ${SALT_PILLAR_DIR}/top.sls
+ done
+}
+
+setup_salt() {
+ [ ! -d ${SALT_FILE_DIR} ] && mkdir -p ${SALT_FILE_DIR}
+ [ ! -d ${SALT_CONFIG_DIR} ] && mkdir -p ${SALT_CONFIG_DIR}
+ [ ! -d ${SALT_CACHE_DIR} ] && mkdir -p ${SALT_CACHE_DIR}
+ [ ! -d ${SALT_CACHE_EXTMODS_DIR} ] && mkdir -p ${SALT_CACHE_EXTMODS_DIR}
+
+ echo "base:" > ${SALT_FILE_DIR}/top.sls
+ for pillar in ${PILLARDIR}/*.sls; do
+ grep ${FORMULA_NAME}: ${pillar} &>/dev/null || continue
+ state_name=$(basename ${pillar%.sls})
+ echo -e " ${state_name}:\n - ${FORMULA_NAME}" >> ${SALT_FILE_DIR}/top.sls
+ done
+
+ cat << EOF > ${SALT_CONFIG_DIR}/minion
+file_client: local
+cachedir: ${SALT_CACHE_DIR}
+extension_modules: ${SALT_CACHE_EXTMODS_DIR}
+verify_env: False
+minion_id_caching: False
+
+file_roots:
+ base:
+ - ${SALT_FILE_DIR}
+ - ${CURDIR}/..
+
+pillar_roots:
+ base:
+ - ${SALT_PILLAR_DIR}
+ - ${PILLARDIR}
+EOF
+}
+
+fetch_dependency() {
+ # example: fetch_dependency "linux:https://github.com/salt-formulas/salt-formula-linux"
+ dep_name="$(echo $1|cut -d : -f 1)"
+ dep_source="$(echo $1|cut -d : -f 2-)"
+ dep_root="${DEPSDIR}/$(basename $dep_source .git)"
+ dep_metadata="${dep_root}/metadata.yml"
+
+ dependency_check git
+ [ -d $dep_root ] && { log_info "Dependency $dep_name already fetched"; return 0; }
+
+ log_info "Fetching dependency $dep_name"
+ [ ! -d ${DEPSDIR} ] && mkdir -p ${DEPSDIR}
+ git clone $dep_source ${DEPSDIR}/$(basename $dep_source .git)
+ ln -s ${dep_root}/${dep_name} ${SALT_FILE_DIR}/${dep_name}
+
+ METADATA="${dep_metadata}" install_dependencies
+}
+
+link_modules(){
+ # Link modules *.py files to temporary salt-root
+ local SALT_ROOT=${1:-$SALT_FILE_DIR}
+ local SALT_ENV=${2:-$DEPSDIR}
+
+ mkdir -p "${SALT_ROOT}/_modules/"
+ # from git, development versions
+ find ${SALT_ENV} -maxdepth 3 -mindepth 3 -path '*_modules*' -iname "*.py" -type f -print0 | while read -d $'\0' file; do
+ ln -fs $(readlink -e ${file}) "$SALT_ROOT"/_modules/$(basename ${file}) ;
+ done
+ salt_run saltutil.sync_all
+}
+
+install_dependencies() {
+ grep -E "^dependencies:" ${METADATA} >/dev/null || return 0
+ (python - | while read dep; do fetch_dependency "$dep"; done) << EOF
+import sys,yaml
+for dep in yaml.load(open('${METADATA}', 'ro'))['dependencies']:
+ print '%s:%s' % (dep["name"], dep["source"])
+EOF
+}
+
+clean() {
+ log_info "Cleaning up ${BUILDDIR}"
+ [ -d ${BUILDDIR} ] && rm -rf ${BUILDDIR} || exit 0
+}
+
+salt_run() {
+ [ -e ${VENV_DIR}/bin/activate ] && source ${VENV_DIR}/bin/activate
+ python $(which salt-call) ${SALT_OPTS} $*
+}
+
+prepare() {
+ if [[ -f ${BUILDDIR}/.prepare_done ]]; then
+ log_info "${BUILDDIR}/.prepare_done exist, not rebuilding BUILDDIR"
+ return
+ fi
+ [[ -d ${BUILDDIR} ]] && mkdir -p ${BUILDDIR}
+
+ [[ ! -f "${VENV_DIR}/bin/activate" ]] && setup_virtualenv
+ setup_mock_bin
+ setup_pillar
+ setup_salt
+ install_dependencies
+ link_modules
+ touch ${BUILDDIR}/.prepare_done
+}
+
+lint_releasenotes() {
+ [[ ! -f "${VENV_DIR}/bin/activate" ]] && setup_virtualenv
+ source ${VENV_DIR}/bin/activate
+ reno lint ${CURDIR}/../
+}
+
+lint() {
+# lint_releasenotes
+ log_err "TODO: lint_releasenotes"
+}
+
+run() {
+ for pillar in ${PILLARDIR}/*.sls; do
+ grep ${FORMULA_NAME}: ${pillar} &>/dev/null || continue
+ state_name=$(basename ${pillar%.sls})
+ salt_run grains.set 'noservices' False force=True
+
+ echo "Checking state ${FORMULA_NAME}.${state_name} ..."
+ salt_run --id=${state_name} state.show_sls ${FORMULA_NAME} || (log_err "Execution of ${FORMULA_NAME}.${state_name} failed"; exit 1)
+
+ # Check that all files in 'meta' folder can be rendered using any valid pillar
+ for meta in `find ${FORMULA_META_DIR} -type f`; do
+ meta_name=$(basename ${meta})
+ echo "Checking meta ${meta_name} ..."
+ salt_run --out=quiet --id=${state_name} cp.get_template ${meta} ${SALT_CACHE_DIR}/${meta_name} \
+ || { log_err "Failed to render meta ${meta} using pillar ${FORMULA_NAME}.${state_name}"; exit 1; }
+ cat ${SALT_CACHE_DIR}/${meta_name}
+ done
+ done
+}
+
+real_run() {
+ for pillar in ${PILLARDIR}/*.sls; do
+ state_name=$(basename ${pillar%.sls})
+ salt_run --id=${state_name} state.sls ${FORMULA_NAME} || { log_err "Execution of ${FORMULA_NAME}.${state_name} failed"; exit 1; }
+ done
+}
+
+run_model_validate(){
+ # Run modelschema.model_validate validation.
+ # TEST iterateble, run for `each formula ROLE against each ROLE_PILLARNAME`
+ # Pillars should be named in conviend ROLE_XXX.sls or ROLE.sls
+ # Example:
+ # client.sls client_auth.sls server.sls server_auth.sls
+ if [ -d ${SCHEMARDIR} ]; then
+ # model validator require py modules
+ fetch_dependency "salt:https://github.com/salt-formulas/salt-formula-salt"
+ link_modules
+ salt_run saltutil.clear_cache; salt_run saltutil.refresh_pillar; salt_run saltutil.sync_all;
+ for role in ${SCHEMARDIR}/*.yaml; do
+ role_name=$(basename "${role%*.yaml}")
+ for pillar in $(ls pillar/${role_name}*.sls | grep -v ${IGNORE_MODELVALIDATE_MASK} ); do
+ pillar_name=$(basename "${pillar%*.sls}")
+ local _message="FORMULA:${FORMULA_NAME} ROLE:${role_name} against PILLAR:${pillar_name}"
+ log_info "model_validate ${_message}"
+ # Rendered Example:
+ # python $(which salt-call) --local -c /test1/maas/tests/build/salt --id=maas_cluster modelschema.model_validate maas cluster
+ salt_run -m ${DEPSDIR}/salt-formula-salt --id=${pillar_name} modelschema.model_validate ${FORMULA_NAME} ${role_name} || { log_err "Execution of model_validate ${_message} failed"; exit 1 ; }
+ done
+ done
+ else
+ log_info "${SCHEMARDIR} not found!";
+ fi
+}
+
+dependency_check() {
+ local DEPENDENCY_COMMANDS=$*
+
+ for DEPENDENCY_COMMAND in $DEPENDENCY_COMMANDS; do
+ which $DEPENDENCY_COMMAND > /dev/null || ( log_err "Command \"$DEPENDENCY_COMMAND\" can not be found in default path."; exit 1; )
+ done
+}
+
+_atexit() {
+ RETVAL=$?
+ trap true INT TERM EXIT
+
+ if [ $RETVAL -ne 0 ]; then
+ log_err "Execution failed"
+ else
+ log_info "Execution successful"
+ fi
+ return $RETVAL
+}
+
+## Main
+
+log_info "Running version: ${__ScriptVersion}"
+log_info "Command line: '${__ScriptFullName} ${__ScriptArgs}'"
+
+trap _atexit INT TERM EXIT
+
+case $1 in
+ clean)
+ clean
+ ;;
+ prepare)
+ prepare
+ ;;
+ lint)
+ lint
+ ;;
+ run)
+ run
+ ;;
+ real-run)
+ real_run
+ ;;
+ model-validate)
+ prepare
+ run_model_validate
+ ;;
+ *)
+ prepare
+# lint
+ run
+ run_model_validate
+ ;;
+esac