Support XCCDF Tailoring files in oscap info --list-rules and --list-vars

Refactor _print_rules_for_profile and _print_vars_for_profile to accept
a pre-configured xccdf_policy_model instead of a raw benchmark. This
enables callers to set tailoring on the policy model before printing,
so that profile inheritance and overrides are properly resolved.

Add support for two tailoring scenarios:
- Standalone XCCDF Tailoring files: resolve the referenced benchmark
  from the tailoring file's benchmark href, load it, create a policy
  model with tailoring set, then print the resolved profile's rules
  or variables.
- Source data streams with tailoring components: find the XCCDF benchmark
  component in the stream, re-import the tailoring with benchmark
  context, then print via the policy model.

Author: jan-cerny

tests/API/XCCDF/unittests/test_list_rules.sh

@@ -27,4 +27,28 @@ grep -q "\-\-list-rules option requires \-\-profile" $stderr
 :> $stdout
 :> $stderr
 
+# Test 3: --list-rules with standalone XCCDF tailoring file
+tailoring="$srcdir/test_tailoring_file.xml"
+tp="xccdf_com.example.www_profile_P1_tailored"
+$OSCAP info --profile $tp --list-rules $tailoring > $stdout 2> $stderr
+[ -f $stderr ]; [ ! -s $stderr ]; :> $stderr
+grep -q "xccdf_com.example.www_rule_R1" $stdout
+grep -q "xccdf_com.example.www_rule_R2" $stdout
+# R3 and R4 are deselected by tailoring
+! grep -q "xccdf_com.example.www_rule_R3" $stdout
+! grep -q "xccdf_com.example.www_rule_R4" $stdout
+[ "$(wc -l < $stdout)" -eq 2 ]
+:> $stdout
+
+# Test 4: --list-rules with SDS containing tailoring
+ds_tailoring="$srcdir/test_reference_ds_with_tailoring.xml"
+$OSCAP info --profile $tp --list-rules $ds_tailoring > $stdout 2> $stderr
+[ -f $stderr ]; [ ! -s $stderr ]; :> $stderr
+grep -q "xccdf_com.example.www_rule_R1" $stdout
+grep -q "xccdf_com.example.www_rule_R2" $stdout
+! grep -q "xccdf_com.example.www_rule_R3" $stdout
+! grep -q "xccdf_com.example.www_rule_R4" $stdout
+[ "$(wc -l < $stdout)" -eq 2 ]
+:> $stdout
+
 rm -f $stdout $stderr

tests/API/XCCDF/unittests/test_list_vars.sh

@@ -31,4 +31,24 @@ grep -q "The \-\-list-rules and \-\-list-vars options can't be used at the same
 :> $stdout
 :> $stderr
 
+# Test 4: --list-vars with standalone XCCDF tailoring file
+tailoring="$srcdir/test_tailoring_file.xml"
+tp="xccdf_com.example.www_profile_P1_tailored"
+$OSCAP info --profile $tp --list-vars $tailoring > $stdout 2> $stderr
+[ -f $stderr ]; [ ! -s $stderr ]; :> $stderr
+# V1 is overridden to 99 by tailoring, V2 is inherited from base profile
+grep -q "xccdf_com.example.www_value_V1	99" $stdout
+grep -q "xccdf_com.example.www_value_V2	custom_val" $stdout
+[ "$(wc -l < $stdout)" -eq 2 ]
+:> $stdout
+
+# Test 5: --list-vars with SDS containing tailoring
+ds_tailoring="$srcdir/test_reference_ds_with_tailoring.xml"
+$OSCAP info --profile $tp --list-vars $ds_tailoring > $stdout 2> $stderr
+[ -f $stderr ]; [ ! -s $stderr ]; :> $stderr
+grep -q "xccdf_com.example.www_value_V1	99" $stdout
+grep -q "xccdf_com.example.www_value_V2	custom_val" $stdout
+[ "$(wc -l < $stdout)" -eq 2 ]
+:> $stdout
+
 rm -f $stdout $stderr

tests/API/XCCDF/unittests/test_reference_ds_with_tailoring.xml

@@ -0,0 +1,132 @@
+<?xml version="1.0" encoding="utf-8"?>
+<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:cat="urn:oasis:names:tc:entity:xmlns:xml:catalog" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="scap_org.open-scap_collection_from_xccdf_test_single_rule.xccdf.xml" schematron-version="1.3" xsi:schemaLocation="http://scap.nist.gov/schema/scap/source/1.2 https://scap.nist.gov/schema/scap/1.3/scap-source-data-stream_1.3.xsd">
+  <ds:data-stream id="scap_org.open-scap_datastream_simple" scap-version="1.3" use-case="OTHER">
+    <ds:checklists>
+      <ds:component-ref id="scap_org.open-scap_cref_test_single_rule.xccdf.xml" xlink:href="#scap_org.open-scap_comp_test_single_rule.xccdf.xml">
+        <cat:catalog>
+          <cat:uri name="test_single_rule.oval.xml" uri="#scap_org.open-scap_cref_test_single_rule.oval.xml"/>
+        </cat:catalog>
+      </ds:component-ref>
+      <ds:component-ref id="scap_org.open-scap_cref_tailoring.xml" xlink:href="#scap_org.open-scap_comp_tailoring.xml"/>
+    </ds:checklists>
+    <ds:checks>
+      <ds:component-ref id="scap_org.open-scap_cref_test_single_rule.oval.xml" xlink:href="#scap_org.open-scap_comp_test_single_rule.oval.xml"/>
+    </ds:checks>
+  </ds:data-stream>
+  <ds:component id="scap_org.open-scap_comp_test_single_rule.oval.xml" timestamp="2021-02-01T08:07:06+01:00">
+    <oval_definitions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:win-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd    http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#windows windows-definitions-schema.xsd">
+      <generator>
+        <oval:schema_version>5.11.2</oval:schema_version>
+        <oval:timestamp>2021-02-01T08:07:06+01:00</oval:timestamp>
+      </generator>
+      <definitions>
+        <definition class="compliance" id="oval:x:def:1" version="1">
+          <metadata>
+            <title>PASS</title>
+            <description>pass</description>
+          </metadata>
+          <criteria>
+            <criterion comment="PASS test" test_ref="oval:x:tst:1"/>
+          </criteria>
+        </definition>
+      </definitions>
+      <tests>
+        <variable_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:x:tst:1" check="all" comment="always pass" version="1">
+          <object object_ref="oval:x:obj:1"/>
+        </variable_test>
+      </tests>
+      <objects>
+        <variable_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:x:obj:1" version="1" comment="x">
+          <var_ref>oval:x:var:1</var_ref>
+        </variable_object>
+      </objects>
+      <variables>
+        <constant_variable id="oval:x:var:1" version="1" comment="x" datatype="int">
+          <value>100</value>
+        </constant_variable>
+      </variables>
+    </oval_definitions>
+  </ds:component>
+  <ds:component id="scap_org.open-scap_comp_test_single_rule.xccdf.xml" timestamp="2021-02-01T08:07:06+01:00">
+    <Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_com.example.www_benchmark_dummy" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 xccdf-1.1.4.xsd" resolved="false" xml:lang="en-US">
+      <status date="2021-01-21">accepted</status>
+      <title>Test Benchmark</title>
+      <description>Description</description>
+      <reference href="https://www.animals.com">animals</reference>
+      <reference href="https://www.fruit.com">fruit</reference>
+      <version>1.0</version>
+      <metadata>
+        <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">OpenSCAP</dc:contributor>
+        <dc:publisher xmlns:dc="http://purl.org/dc/elements/1.1/">OpenSCAP</dc:publisher>
+        <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">OpenSCAP</dc:creator>
+        <dc:source xmlns:dc="http://purl.org/dc/elements/1.1/">http://scap.nist.gov</dc:source>
+      </metadata>
+      <Profile id="xccdf_com.example.www_profile_P1">
+        <title>xccdf_test_profile</title>
+        <description>This profile is for testing.</description>
+        <select idref="xccdf_com.example.www_rule_R1" selected="true"/>
+        <select idref="xccdf_com.example.www_rule_R2" selected="true"/>
+        <select idref="xccdf_com.example.www_rule_R3" selected="true"/>
+        <select idref="xccdf_com.example.www_rule_R4" selected="true"/>
+        <set-value idref="xccdf_com.example.www_value_V1">42</set-value>
+        <refine-value idref="xccdf_com.example.www_value_V2" selector="custom"/>
+      </Profile>
+      <Value id="xccdf_com.example.www_value_V1" type="number">
+        <title>Value V1</title>
+        <value>10</value>
+        <value selector="twenty">20</value>
+      </Value>
+      <Value id="xccdf_com.example.www_value_V2" type="string">
+        <title>Value V2</title>
+        <value>default_val</value>
+        <value selector="custom">custom_val</value>
+      </Value>
+      <Rule selected="true" id="xccdf_com.example.www_rule_R1">
+        <title>Rule R1</title>
+        <description>Description</description>
+        <reference href="https://www.animals.com">3.14</reference>
+        <reference href="https://www.fruit.com">42.42</reference>
+        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+          <check-content-ref href="test_single_rule.oval.xml" name="oval:x:def:1"/>
+        </check>
+      </Rule>
+      <Rule selected="true" id="xccdf_com.example.www_rule_R2">
+        <title>Rule R2</title>
+        <description>Description</description>
+        <reference href="https://www.animals.com">17.71.777</reference>
+        <reference href="https://www.fruit.com">88888888</reference>
+        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+          <check-content-ref href="test_single_rule.oval.xml" name="oval:x:def:1"/>
+        </check>
+      </Rule>
+      <Rule selected="true" id="xccdf_com.example.www_rule_R3">
+        <title>Rule R3</title>
+        <description>Description</description>
+        <reference href="https://www.animals.com">17.71.777</reference>
+        <reference href="https://www.fruit.com">666</reference>
+        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+          <check-content-ref href="test_single_rule.oval.xml" name="oval:x:def:1"/>
+        </check>
+      </Rule>
+      <Rule selected="true" id="xccdf_com.example.www_rule_R4">
+        <title>Rule R4</title>
+        <description>Description</description>
+        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+          <check-content-ref href="test_single_rule.oval.xml" name="oval:x:def:1"/>
+        </check>
+      </Rule>
+    </Benchmark>
+  </ds:component>
+  <ds:component id="scap_org.open-scap_comp_tailoring.xml" timestamp="2021-02-01T08:07:06+01:00">
+    <Tailoring xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_com.example.www_tailoring_test">
+      <benchmark href="#scap_org.open-scap_comp_test_single_rule.xccdf.xml"/>
+      <version>1.0</version>
+      <Profile id="xccdf_com.example.www_profile_P1_tailored" extends="xccdf_com.example.www_profile_P1">
+        <title>Tailored P1</title>
+        <select idref="xccdf_com.example.www_rule_R3" selected="false"/>
+        <select idref="xccdf_com.example.www_rule_R4" selected="false"/>
+        <set-value idref="xccdf_com.example.www_value_V1">99</set-value>
+      </Profile>
+    </Tailoring>
+  </ds:component>
+</ds:data-stream-collection>

tests/API/XCCDF/unittests/test_tailoring_benchmark.xml

@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_com.example.www_benchmark_dummy" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 xccdf-1.1.4.xsd" resolved="false" xml:lang="en-US">
+  <status date="2021-01-21">accepted</status>
+  <title>Test Benchmark</title>
+  <description>Description</description>
+  <version>1.0</version>
+  <Profile id="xccdf_com.example.www_profile_P1">
+    <title>xccdf_test_profile</title>
+    <description>This profile is for testing.</description>
+    <select idref="xccdf_com.example.www_rule_R1" selected="true"/>
+    <select idref="xccdf_com.example.www_rule_R2" selected="true"/>
+    <select idref="xccdf_com.example.www_rule_R3" selected="true"/>
+    <select idref="xccdf_com.example.www_rule_R4" selected="true"/>
+    <set-value idref="xccdf_com.example.www_value_V1">42</set-value>
+    <refine-value idref="xccdf_com.example.www_value_V2" selector="custom"/>
+  </Profile>
+  <Value id="xccdf_com.example.www_value_V1" type="number">
+    <title>Value V1</title>
+    <value>10</value>
+    <value selector="twenty">20</value>
+  </Value>
+  <Value id="xccdf_com.example.www_value_V2" type="string">
+    <title>Value V2</title>
+    <value>default_val</value>
+    <value selector="custom">custom_val</value>
+  </Value>
+  <Rule selected="true" id="xccdf_com.example.www_rule_R1">
+    <title>Rule R1</title>
+    <description>Description</description>
+    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+      <check-content-ref href="test_single_rule.oval.xml" name="oval:x:def:1"/>
+    </check>
+  </Rule>
+  <Rule selected="true" id="xccdf_com.example.www_rule_R2">
+    <title>Rule R2</title>
+    <description>Description</description>
+    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+      <check-content-ref href="test_single_rule.oval.xml" name="oval:x:def:1"/>
+    </check>
+  </Rule>
+  <Rule selected="true" id="xccdf_com.example.www_rule_R3">
+    <title>Rule R3</title>
+    <description>Description</description>
+    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+      <check-content-ref href="test_single_rule.oval.xml" name="oval:x:def:1"/>
+    </check>
+  </Rule>
+  <Rule selected="true" id="xccdf_com.example.www_rule_R4">
+    <title>Rule R4</title>
+    <description>Description</description>
+    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+      <check-content-ref href="test_single_rule.oval.xml" name="oval:x:def:1"/>
+    </check>
+  </Rule>
+</Benchmark>

tests/API/XCCDF/unittests/test_tailoring_file.xml

@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Tailoring xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_com.example.www_tailoring_test">
+  <benchmark href="test_tailoring_benchmark.xml"/>
+  <version>1.0</version>
+  <Profile id="xccdf_com.example.www_profile_P1_tailored" extends="xccdf_com.example.www_profile_P1">
+    <title>Tailored P1</title>
+    <select idref="xccdf_com.example.www_rule_R3" selected="false"/>
+    <select idref="xccdf_com.example.www_rule_R4" selected="false"/>
+    <set-value idref="xccdf_com.example.www_value_V1">99</set-value>
+  </Profile>
+</Tailoring>