Add --list-vars option to oscap info

The new option `--list-vars` lists all XCCDF values used by the given
profile, including their values.

Resolves: https://issues.redhat.com/browse/RHEL-143569

Author: jan-cerny

docs/manual/manual.adoc

@@ -234,6 +234,22 @@ xccdf_org.ssgproject.content_rule_partition_for_var
 The `--list-rules` option requires `--profile`. Running `--list-rules` without
 `--profile` will produce an error.
 
+=== Listing variables set by a profile
+
+To list the XCCDF Values (variables) and their resolved values for a given
+profile, use the `--list-vars` option together with `--profile`. Each line
+contains a Value ID and its resolved value, separated by a tab character.
+
+----
+$ oscap info --profile ospp --list-vars /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
+xccdf_org.ssgproject.content_value_var_password_minlen	15
+xccdf_org.ssgproject.content_value_var_accounts_max_concurrent_login_sessions	10
+...
+----
+
+The `--list-vars` option requires `--profile`. Running `--list-vars` without
+`--profile` will produce an error.
+
 === Displaying information about SCAP result data streams
 
 The `oscap info` command is also helpful with other SCAP file types such as

tests/API/XCCDF/unittests/CMakeLists.txt

@@ -114,5 +114,6 @@ add_oscap_test("test_no_newline_between_select_elements.sh")
 add_oscap_test("test_single_line_tailoring.sh")
 add_oscap_test("test_reference.sh")
 add_oscap_test("test_list_rules.sh")
+add_oscap_test("test_list_vars.sh")
 add_oscap_test("test_remediation_bootc.sh")
 add_oscap_test("openscap_2289_regression.sh")

tests/API/XCCDF/unittests/test_list_vars.sh

@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+. $builddir/tests/test_common.sh
+
+set -e
+set -o pipefail
+
+stderr=$(mktemp -t ${name}.err.XXXXXX)
+stdout=$(mktemp -t ${name}.out.XXXXXX)
+
+ds="$srcdir/test_reference_ds.xml"
+p1="xccdf_com.example.www_profile_P1"
+
+# Test 1: --list-vars with --profile prints value IDs and resolved values
+$OSCAP info --profile $p1 --list-vars $ds > $stdout 2> $stderr
+[ -f $stderr ]; [ ! -s $stderr ]; :> $stderr
+grep -q "xccdf_com.example.www_value_V1	42" $stdout
+grep -q "xccdf_com.example.www_value_V2	custom_val" $stdout
+# Verify output contains exactly 2 lines
+[ "$(wc -l < $stdout)" -eq 2 ]
+:> $stdout
+
+# Test 2: --list-vars without --profile produces an error
+$OSCAP info --list-vars $ds > $stdout 2> $stderr && exit 1 || true
+grep -q "\-\-list-vars option requires \-\-profile" $stderr
+:> $stdout
+:> $stderr
+
+rm -f $stdout $stderr

tests/API/XCCDF/unittests/test_reference_ds.xml

@@ -67,7 +67,19 @@
         <select idref="xccdf_com.example.www_rule_R2" selected="true"/>
         <select idref="xccdf_com.example.www_rule_R3" selected="true"/>
         <select idref="xccdf_com.example.www_rule_R4" selected="true"/>
+        <set-value idref="xccdf_com.example.www_value_V1">42</set-value>
+        <refine-value idref="xccdf_com.example.www_value_V2" selector="custom"/>
       </Profile>
+      <Value id="xccdf_com.example.www_value_V1" type="number">
+        <title>Value V1</title>
+        <value>10</value>
+        <value selector="twenty">20</value>
+      </Value>
+      <Value id="xccdf_com.example.www_value_V2" type="string">
+        <title>Value V2</title>
+        <value>default_val</value>
+        <value selector="custom">custom_val</value>
+      </Value>
       <Rule selected="true" id="xccdf_com.example.www_rule_R1">
         <title>Rule R1</title>
         <description>Description</description>

utils/oscap-info.c

@@ -64,6 +64,7 @@ struct oscap_module OSCAP_INFO_MODULE = {
 	.help = "Options:\n"
 		"   --fetch-remote-resources      - Download remote content referenced by data stream.\n"
 		"   --list-rules                  - Print selected rule IDs for the given profile (requires --profile).\n"
+		"   --list-vars                   - Print XCCDF Value IDs and their resolved values for the given profile (requires --profile).\n"
 		"   --local-files <dir>           - Use locally downloaded copies of remote resources stored in the given directory.\n"
 		"   --profile <id>                - Show info of the profile with the given ID.\n"
 		"   --profiles                    - Show profiles from the input file in the <id>:<title> format, one line per profile.\n"
@@ -418,6 +419,49 @@ static void _print_rules_for_profile(struct xccdf_benchmark *bench, const char *
 	xccdf_policy_model_free(policy_model);
 }
 
+static void _print_vars_for_profile(struct xccdf_benchmark *bench, const char *profile_id)
+{
+	struct xccdf_policy_model *policy_model = xccdf_policy_model_new(bench);
+	struct xccdf_policy *policy = xccdf_policy_model_get_policy_by_id(policy_model, profile_id);
+	if (policy == NULL) {
+		xccdf_policy_model_free(policy_model);
+		return;
+	}
+	struct xccdf_profile *profile = xccdf_policy_get_profile(policy);
+	if (profile == NULL) {
+		xccdf_policy_model_free(policy_model);
+		return;
+	}
+
+	struct xccdf_setvalue_iterator *sv_it = xccdf_profile_get_setvalues(profile);
+	while (xccdf_setvalue_iterator_has_more(sv_it)) {
+		struct xccdf_setvalue *sv = xccdf_setvalue_iterator_next(sv_it);
+		const char *value_id = xccdf_setvalue_get_item(sv);
+		struct xccdf_item *item = xccdf_benchmark_get_item(bench, value_id);
+		if (item != NULL) {
+			const char *resolved = xccdf_policy_get_value_of_item(policy, item);
+			if (resolved != NULL)
+				printf("%s\t%s\n", value_id, resolved);
+		}
+	}
+	xccdf_setvalue_iterator_free(sv_it);
+
+	struct xccdf_refine_value_iterator *rv_it = xccdf_profile_get_refine_values(profile);
+	while (xccdf_refine_value_iterator_has_more(rv_it)) {
+		struct xccdf_refine_value *rv = xccdf_refine_value_iterator_next(rv_it);
+		const char *value_id = xccdf_refine_value_get_item(rv);
+		struct xccdf_item *item = xccdf_benchmark_get_item(bench, value_id);
+		if (item != NULL) {
+			const char *resolved = xccdf_policy_get_value_of_item(policy, item);
+			if (resolved != NULL)
+				printf("%s\t%s\n", value_id, resolved);
+		}
+	}
+	xccdf_refine_value_iterator_free(rv_it);
+
+	xccdf_policy_model_free(policy_model);
+}
+
 static int app_info_single_ds_one_profile(struct ds_stream_index_iterator* sds_it, struct ds_sds_session *session, const struct oscap_action *action)
 {
 	const char *profile_suffix = action->profile;
@@ -426,7 +470,7 @@ static int app_info_single_ds_one_profile(struct ds_stream_index_iterator* sds_i
 	struct ds_stream_index * stream = ds_stream_index_iterator_next(sds_it);
 	struct oscap_string_iterator* checklist_it = ds_stream_index_get_checklists(stream);
 
-	if (!action->list_rules) {
+	if (!action->list_rules && !action->list_vars) {
 		printf("\nStream: %s\n", ds_stream_index_get_id(stream));
 		printf("Generated: %s\n", ds_stream_index_get_timestamp(stream));
 		printf("Version: %s\n", ds_stream_index_get_version(stream));
@@ -458,6 +502,9 @@ static int app_info_single_ds_one_profile(struct ds_stream_index_iterator* sds_i
 				if (action->list_rules) {
 					_print_rules_for_profile(bench, profile_id);
 					// bench is freed by policy_model inside _print_rules_for_profile
+				} else if (action->list_vars) {
+					_print_vars_for_profile(bench, profile_id);
+					// bench is freed by policy_model inside _print_vars_for_profile
 				} else {
 					_print_single_benchmark_one_profile(bench, profile_id);
 					xccdf_benchmark_free(bench);
@@ -541,6 +588,9 @@ static void app_info_single_benchmark(struct xccdf_benchmark *bench, const struc
 			if (action->list_rules) {
 				_print_rules_for_profile(bench, profile_id);
 				// bench is freed by policy_model inside _print_rules_for_profile
+			} else if (action->list_vars) {
+				_print_vars_for_profile(bench, profile_id);
+				// bench is freed by policy_model inside _print_vars_for_profile
 			} else {
 				_print_single_benchmark_one_profile(bench, profile_id);
 				xccdf_benchmark_free(bench);
@@ -805,6 +855,7 @@ bool getopt_info(int argc, char **argv, struct oscap_action *action)
 	enum oscap_info_opts {
 		OSCAP_INFO_OPT_REMOTE_RESOURCES,
 		OSCAP_INFO_OPT_LIST_RULES,
+		OSCAP_INFO_OPT_LIST_VARS,
 		OSCAP_INFO_OPT_LOCAL_FILES,
 		OSCAP_INFO_OPT_PROFILE,
 		OSCAP_INFO_OPT_PROFILES,
@@ -816,6 +867,7 @@ bool getopt_info(int argc, char **argv, struct oscap_action *action)
 	const struct option long_options[] = {
 		{"fetch-remote-resources", no_argument, &action->remote_resources, 1},
 		{"list-rules", no_argument, 0, OSCAP_INFO_OPT_LIST_RULES},
+		{"list-vars", no_argument, 0, OSCAP_INFO_OPT_LIST_VARS},
 		{"local-files", required_argument, NULL, OSCAP_INFO_OPT_LOCAL_FILES},
 		{"profile", required_argument, 0, OSCAP_INFO_OPT_PROFILE},
 		{"profiles", no_argument, 0, OSCAP_INFO_OPT_PROFILES},
@@ -834,6 +886,10 @@ bool getopt_info(int argc, char **argv, struct oscap_action *action)
 				action->list_rules = 1;
 				action->provide_machine_readable_output = 1;
 				break;
+			case OSCAP_INFO_OPT_LIST_VARS:
+				action->list_vars = 1;
+				action->provide_machine_readable_output = 1;
+				break;
 			case OSCAP_INFO_OPT_PROFILE:
 				action->profile = optarg;
 				break;
@@ -862,6 +918,11 @@ bool getopt_info(int argc, char **argv, struct oscap_action *action)
 		return false;
 	}
 
+	if (action->list_vars && action->profile == NULL) {
+		oscap_module_usage(action->module, stderr, "The --list-vars option requires --profile.\n");
+		return false;
+	}
+
 	if (optind >= argc) {
 		oscap_module_usage(action->module, stderr, "SCAP file needs to be specified!\n");
 		return false;

utils/oscap-tool.h

@@ -164,6 +164,7 @@ struct oscap_action {
 	int raw;
 	int show_rule_details;
 	int list_rules;
+	int list_vars;
 };
 
 int app_xslt(const char *infile, const char *xsltfile, const char *outfile, const char **params);

utils/oscap.8

@@ -68,6 +68,11 @@ Allow download of remote components referenced from data stream.
 Print IDs of XCCDF rules that are selected by the given profile, one per line. This option must be used together with \fB\-\-profile\fR. The output is machine-readable and contains only rule IDs with no additional decoration.
 .RE
 .TP
+\fB\-\-list-vars\fR
+.RS
+Print XCCDF Value IDs and their resolved values for the given profile, one per line, tab-separated. This option must be used together with \fB\-\-profile\fR. The output is machine-readable.
+.RE
+.TP
 \fB\-\-local-files DIRECTORY\fR
 .RS
 Instead of downloading remote data stream components from the network, use data stream components stored locally as files in the given directory. In place of the remote data stream component OpenSCAP will attempt to use a file whose file name is equal to @name attribute of the uri element within the catalog element within the component-ref element in the data stream if such file exists.