Merge pull request #2339 from ggbecker/fix-autotailor-relative-path-maint-1.3

autotailor: Add --local-path option for layered product compatibility

Author: jan-cerny

.github/workflows/codeql.yml

@@ -12,7 +12,7 @@ on:
 jobs:
   analyze:
     name: Analyze
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     permissions:
       actions: read
       contents: read
@@ -32,12 +32,12 @@ jobs:
     - name: Install Deps
       run: |
         sudo apt-get update
-        sudo apt-get -y install lcov swig xsltproc rpm-common lua5.3 libyaml-dev libdbus-1-dev libdbus-glib-1-dev libcurl4-openssl-dev libgcrypt-dev libselinux1-dev libglib2.0-dev libacl1-dev libblkid-dev libcap-dev libxml2-dev libxslt1-dev libxml-parser-perl libxml-xpath-perl libperl-dev librpm-dev librtmp-dev libxmlsec1-dev libxmlsec1-openssl python3-dbusmock
+        sudo apt-get -y install lcov swig xsltproc rpm-common lua5.3 libpcre2-dev libyaml-dev libdbus-1-dev libdbus-glib-1-dev libcurl4-openssl-dev libgcrypt-dev libselinux1-dev libgconf2-dev libacl1-dev libblkid-dev libcap-dev libxml2-dev libxslt1-dev libxml-parser-perl libxml-xpath-perl libperl-dev librpm-dev librtmp-dev libxmlsec1-dev libxmlsec1-openssl python3-dbusmock python3-pytest
         sudo apt-get -y remove rpm
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -50,7 +50,7 @@ jobs:
     - name: Build
       working-directory: ./build
       run: |
-        cmake -DCMAKE_BUILD_TYPE=RelWithDebInfo ../
+        cmake -DCMAKE_BUILD_TYPE=RelWithDebInfo -DWITH_PCRE2=True ../
         make all
 
     - name: Perform CodeQL Analysis

tests/utils/autotailor_integration_test.sh

@@ -125,3 +125,21 @@ assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www
 assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R3" and @severity="unknown"]'
 assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R4"]/result[text()="notselected"]'
 assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R4" and @role="unchecked"]'
+
+# test --local-path option with absolute path (should use basename)
+python3 $autotailor --id-namespace "com.example.www" --local-path --select R3 $ds $original_profile > $tailoring
+saved_result=$result
+result=$tailoring
+assert_exists 1 '/*[local-name()="Tailoring"]/*[local-name()="benchmark"][@href="data_stream.xml"]'
+result=$saved_result
+$OSCAP xccdf eval --profile P1_customized --progress --tailoring-file $tailoring --results $result $ds
+assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R3"]/result[text()="pass"]'
+
+# test default behavior (should use file:// URI)
+python3 $autotailor --id-namespace "com.example.www" --select R3 $ds $original_profile > $tailoring
+saved_result=$result
+result=$tailoring
+assert_exists 1 '/*[local-name()="Tailoring"]/*[local-name()="benchmark"][starts-with(@href, "file://")]'
+result=$saved_result
+$OSCAP xccdf eval --profile P1_customized --progress --tailoring-file $tailoring --results $result $ds
+assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R3"]/result[text()="pass"]'

tests/utils/test_autotailor.py

@@ -94,3 +94,29 @@ def test_refine_rule():
         "'high'.")
     assert t.rule_refinements(fav, "severity") == "high"
     assert t.rule_refinements(fav, "role") == "full"
+
+def test_get_datastream_uri():
+    t = autotailor.Tailoring()
+
+    # Test default behavior with absolute path (file:// URI)
+    t.original_ds_filename = "/nonexistent/path/test-ds.xml"
+    t.use_local_path = False
+    uri = t._get_datastream_uri()
+    assert uri.startswith("file://")
+    assert uri.endswith("/nonexistent/path/test-ds.xml")
+
+    # Test local path mode with absolute path (basename only)
+    t.use_local_path = True
+    uri = t._get_datastream_uri()
+    assert uri == "test-ds.xml"
+
+    # Test local path mode with relative path (preserved as-is)
+    t.original_ds_filename = "relative/path/to/ds.xml"
+    uri = t._get_datastream_uri()
+    assert uri == "relative/path/to/ds.xml"
+
+    # Test default behavior with relative path (file:// URI)
+    t.use_local_path = False
+    uri = t._get_datastream_uri()
+    assert uri.startswith("file://")
+    assert "relative/path/to/ds.xml" in uri

utils/autotailor

@@ -70,6 +70,7 @@ class Tailoring:
         self.groups_to_unselect = []
         self._rule_refinements = collections.defaultdict(dict)
         self._value_refinements = collections.defaultdict(dict)
+        self.use_local_path = False
 
     @property
     def profile_id(self):
@@ -244,8 +245,7 @@ class Tailoring:
         root.set("id", self.id)
 
         benchmark = ET.SubElement(root, "{%s}benchmark" % NS)
-        datastream_uri = pathlib.Path(
-            self.original_ds_filename).absolute().as_uri()
+        datastream_uri = self._get_datastream_uri()
         benchmark.set("href", datastream_uri)
 
         version = ET.SubElement(root, "{%s}version" % NS)
@@ -304,6 +304,26 @@ class Tailoring:
                     if attr in props:
                         self.change_rule_attribute(rule_id, attr, props[attr])
 
+    def _get_datastream_uri(self):
+        """
+        Determine the datastream URI based on the use_local_path setting.
+
+        Returns:
+            str: The URI/path to use in the benchmark href attribute
+        """
+        if self.use_local_path:
+            # Preserve relative paths as-is, convert absolute paths to basename
+            ds_path = pathlib.Path(self.original_ds_filename)
+            if ds_path.is_absolute():
+                # Convert absolute path to basename for compatibility with layered products
+                return ds_path.name
+            else:
+                # Keep relative paths as provided by the user
+                return self.original_ds_filename
+        else:
+            # Use absolute URI (default behavior for backward compatibility)
+            return pathlib.Path(self.original_ds_filename).absolute().as_uri()
+
     def import_json_tailoring(self, json_tailoring):
         with open(json_tailoring, "r") as jf:
             all_tailorings = json.load(jf)
@@ -402,6 +422,10 @@ def get_parser():
         "-o", "--output", default="-",
         help="Where to save the tailoring file. If not supplied, write to "
         "standard output.")
+    parser.add_argument(
+        "--local-path", action="store_true",
+        help="Use local path for the benchmark href instead of absolute file:// URI. "
+        "Absolute paths are converted to basename, relative paths are preserved.")
     return parser
 
 
@@ -418,6 +442,7 @@ if __name__ == "__main__":
     t = Tailoring()
     t.original_ds_filename = args.datastream
     t.reverse_dns = args.id_namespace
+    t.use_local_path = args.local_path
 
     if args.json_tailoring:
         t.import_json_tailoring(args.json_tailoring)

utils/autotailor.8

@@ -68,6 +68,13 @@ If left out, the new ID will be obtained by appending '_customized' to the tailo
 Import tailoring from a JSON file (https://github.com/ComplianceAsCode/schemas/tree/main/tailoring). This option makes BASE_PROFILE_ID positional argument optional.
 However, data passed in the command line options takes precedence over JSON contents, including the BASE_PROFILE_ID argument.
 .RE
+.TP
+\fB--local-path\fR
+.RS
+Use local path for the benchmark href instead of absolute file:// URI. This option is useful for compatibility with layered products like Red Hat Satellite that cannot resolve local filesystem paths.
+When this option is specified, absolute paths are converted to basename only, while relative paths are preserved as provided.
+By default, the tool uses absolute file:// URIs for backward compatibility.
+.RE
 
 .SH USAGE
 .SS Modify a variable value