cem_acpt 0.11.2 → 0.12.1

data/specifications/CEM-6798.md

@@ -0,0 +1,170 @@
+# CEM-6798 — Per-OS OpenSCAP datastream config (required, with DatastreamNotFoundError)
+
+## Summary
+
+`scan_post_processing!` in `lib/cem_acpt/test_data.rb` never populates a `datastream` key in
+the `:scan` hash it builds for each OpenSCAP test case. The on-node scan daemon's
+`perform_scan` in `lib/terraform/gcp/linux/scan/scan_service.rb` fills the gap with a
+hardcoded `|| '/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml'` fallback, which silently
+uses the wrong datastream on every non-RHEL 8 OS — confirmed when RHEL 9 provisioning failed
+because `ssg-rhel8-ds.xml` does not exist on that OS.
+
+Remove the hardcoded fallback. Add a `cem_acpt_scan.datastreams.openscap` config map (keyed
+by test-case name, same pattern as `cem_acpt_scan.profiles.openscap`) and raise a new
+`DatastreamNotFoundError` in `scan_post_processing!` when an OpenSCAP test case has no
+datastream configured. CIS-CAT test cases are unaffected; their `datastream` key remains
+`nil`.
+
+## Goals
+
+- OpenSCAP scans receive the correct per-OS datastream file path from operator-supplied config.
+- Misconfiguration is caught before any node is provisioned (early error in `scan_post_processing!`).
+- The `ssg-rhel8-ds.xml` fallback is removed so it can never silently produce wrong scan results on non-RHEL 8 nodes.
+
+## Non-goals
+
+- Automatic discovery or lookup of datastream paths by OS family or version at runtime.
+- Changing the on-node `run_openscap` invocation or any OpenSCAP flags.
+- Any changes to the CIS-CAT scan path.
+- Removing the `level` key from `test_data[:scan]` or `scan_config.json`.
+
+## Proposed Design
+
+### `lib/cem_acpt/config/cem_acpt_scan.rb`
+
+Add `datastreams: { openscap: {} }` alongside the existing `benchmarks` entry in `defaults`:
+
+```ruby
+# before
+benchmarks: {
+  cis_cat: {},
+},
+
+# after
+benchmarks: {
+  cis_cat: {},
+},
+datastreams: {
+  openscap: {},
+},
+```
+
+### `lib/cem_acpt/scan/errors.rb`
+
+Add `DatastreamNotFoundError` following the same shape as `BenchmarkNotFoundError`:
+
+```ruby
+# Raised when a test case has no entry in `cem_acpt_scan.datastreams.openscap`
+# and so no datastream path can be resolved. The message carries the missing
+# config key so the operator can fix it without re-running.
+class DatastreamNotFoundError < StandardError
+  def initialize(test_case, scanner, config_key)
+    super("No datastream configured for test case '#{test_case}' (scanner: #{scanner}). Set '#{config_key}' in cem_acpt config.")
+  end
+end
+```
+
+### `lib/cem_acpt/test_data.rb` — `scan_post_processing!`
+
+After the `benchmark` lookup block (which is already gated to `scanner == :ciscat`), add a
+symmetric `datastream` lookup gated to `scanner == :openscap`. Raise `DatastreamNotFoundError`
+when the mapping is missing or empty. Pass `datastream` as a new key in `test_data[:scan]`.
+
+```ruby
+datastream = nil
+if scanner == :openscap
+  datastreams = @config.get('cem_acpt_scan.datastreams.openscap') || {}
+  datastream  = datastreams[test_data[:test_name]] || datastreams[test_data[:test_name].to_sym]
+  if datastream.nil? || datastream.to_s.empty?
+    raise CemAcpt::Scan::DatastreamNotFoundError.new(
+      test_data[:test_name], scanner,
+      "cem_acpt_scan.datastreams.openscap.#{test_data[:test_name]}"
+    )
+  end
+end
+
+test_data[:scan] = {
+  scanner:    scanner,
+  profile:    profile,
+  level:      test_data[:level] || test_data['level'],
+  benchmark:  benchmark,
+  datastream: datastream,
+}
+```
+
+### `lib/terraform/gcp/linux/scan/scan_service.rb` — `perform_scan`
+
+Remove the hardcoded `|| '/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml'` fallback:
+
+```ruby
+# before
+run_openscap(cfg['profile'], cfg['datastream'] || '/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml')
+
+# after
+run_openscap(cfg['profile'], cfg['datastream'])
+```
+
+The fixture mirror at `spec/fixtures/config_testing/user_config_dir/terraform/gcp/linux/scan/scan_service.rb`
+is updated identically. `spec/fixtures/config_testing/user_config_dir/terraform_checksum.txt`
+is regenerated.
+
+## Edge Cases
+
+- **`datastream` is `nil` for CIS-CAT test cases** — `run_ciscat` does not receive a datastream argument; the `nil` assignment is harmless.
+- **`datastream` key present but empty string** — treated as missing; `DatastreamNotFoundError` is raised.
+- **`cem_acpt_scan.datastreams.openscap` key absent from config** — `@config.get(...)` returns `nil`; the `|| {}` guard prevents a `NoMethodError` on the subsequent lookup.
+
+## Constraints / Invariants
+
+- `test_data[:scan]` hash shape gains one key (`datastream`) but is otherwise unchanged. All
+  existing callers that read `scanner`, `profile`, `level`, `benchmark` are unaffected.
+- `DatastreamNotFoundError` is raised in `scan_post_processing!`, before any Terraform
+  provisioning begins — same as `ProfileNotFoundError` and `BenchmarkNotFoundError`.
+- The on-node `scan_config.json` payload already passes `cfg['datastream']` through to
+  `run_openscap`; no change to `lib/cem_acpt/provision/terraform.rb` or the scan-config
+  serialization is needed.
+
+## Test Plan
+
+### `spec/cem_acpt/scan/errors_spec.rb`
+
+Add a `DatastreamNotFoundError` describe block mirroring the existing `BenchmarkNotFoundError`
+block: assert the message includes the test-case name and the config key path.
+
+### `spec/cem_acpt/scan/test_data_scan_spec.rb`
+
+1. Update the existing "does not require a benchmark for openscap test cases" example to
+   also supply a `datastreams` map and assert `scan[:datastream]` equals the configured value.
+2. Add a test that `DatastreamNotFoundError` is raised when the datastream mapping is absent
+   for an OpenSCAP test case, and that the error message includes the missing config key path.
+3. Add a test that CIS-CAT test cases still have `scan[:datastream]` set to `nil`.
+
+### `spec/terraform/gcp/linux/scan/scan_service_spec.rb`
+
+Add a text-grep assertion that the hardcoded `ssg-rhel8-ds.xml` fallback string is absent
+from `scan_service.rb` (mirrors the `-l` absence test added for CEM-6765).
+
+## Acceptance Criteria
+
+- [ ] `cem_acpt_scan.datastreams.openscap` is a recognized config key with a default of `{}`.
+- [ ] `DatastreamNotFoundError` is defined in `lib/cem_acpt/scan/errors.rb`; its message includes the test-case name and the missing config key path.
+- [ ] `scan_post_processing!` populates `test_data[:scan][:datastream]` from the config map for OpenSCAP test cases.
+- [ ] `scan_post_processing!` raises `DatastreamNotFoundError` when the datastream mapping is missing or empty for an OpenSCAP test case.
+- [ ] `test_data[:scan][:datastream]` is `nil` for CIS-CAT test cases.
+- [ ] The hardcoded `ssg-rhel8-ds.xml` fallback is removed from `perform_scan` in `scan_service.rb` and its fixture mirror.
+- [ ] `spec/fixtures/config_testing/user_config_dir/terraform_checksum.txt` is updated.
+- [ ] All existing specs pass.
+- [ ] New unit tests for `DatastreamNotFoundError` and datastream lookup in `scan_post_processing!` pass.
+
+## Files Touched
+
+- `lib/cem_acpt/config/cem_acpt_scan.rb` — add `datastreams: { openscap: {} }` default.
+- `lib/cem_acpt/scan/errors.rb` — add `DatastreamNotFoundError`.
+- `lib/cem_acpt/test_data.rb` — add datastream lookup and error raise in `scan_post_processing!`.
+- `lib/terraform/gcp/linux/scan/scan_service.rb` — remove hardcoded fallback from `perform_scan`.
+- `spec/fixtures/config_testing/user_config_dir/terraform/gcp/linux/scan/scan_service.rb` — mirror update.
+- `spec/fixtures/config_testing/user_config_dir/terraform_checksum.txt` — checksum update.
+- `spec/cem_acpt/scan/errors_spec.rb` — add `DatastreamNotFoundError` describe block.
+- `spec/cem_acpt/scan/test_data_scan_spec.rb` — datastream lookup and error raise tests.
+- `spec/terraform/gcp/linux/scan/scan_service_spec.rb` — absence of hardcoded fallback text-grep.
+- `specifications/CEM-6798.md` — this file.

metadata

@@ -1,13 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cem_acpt
 version: !ruby/object:Gem::Version
-  version: 0.11.2
+  version: 0.12.1
 platform: ruby
 authors:
 - puppetlabs
+autorequire:
 bindir: exe
 cert_chain: []
-date: 1980-01-02 00:00:00.000000000 Z
+date: 2026-06-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: async-http
@@ -219,6 +220,7 @@ email:
 executables:
 - cem_acpt
 - cem_acpt_image
+- cem_acpt_scan
 extensions: []
 extra_rdoc_files: []
 files:
@@ -252,6 +254,7 @@ files:
 - docs/rfcs/README.md
 - exe/cem_acpt
 - exe/cem_acpt_image
+- exe/cem_acpt_scan
 - lib/cem_acpt.rb
 - lib/cem_acpt/actions.rb
 - lib/cem_acpt/bolt.rb
@@ -272,6 +275,7 @@ files:
 - lib/cem_acpt/config/base.rb
 - lib/cem_acpt/config/cem_acpt.rb
 - lib/cem_acpt/config/cem_acpt_image.rb
+- lib/cem_acpt/config/cem_acpt_scan.rb
 - lib/cem_acpt/core_ext.rb
 - lib/cem_acpt/goss.rb
 - lib/cem_acpt/goss/api.rb
@@ -286,12 +290,15 @@ files:
 - lib/cem_acpt/platform.rb
 - lib/cem_acpt/platform/base.rb
 - lib/cem_acpt/platform/gcp.rb
-- lib/cem_acpt/provision.rb
 - lib/cem_acpt/provision/terraform.rb
 - lib/cem_acpt/provision/terraform/linux.rb
 - lib/cem_acpt/provision/terraform/os_data.rb
 - lib/cem_acpt/provision/terraform/terraform_cmd.rb
 - lib/cem_acpt/provision/terraform/windows.rb
+- lib/cem_acpt/scan.rb
+- lib/cem_acpt/scan/daemon_client.rb
+- lib/cem_acpt/scan/errors.rb
+- lib/cem_acpt/scan/result.rb
 - lib/cem_acpt/test_data.rb
 - lib/cem_acpt/test_runner.rb
 - lib/cem_acpt/test_runner/log_formatter.rb
@@ -299,6 +306,7 @@ files:
 - lib/cem_acpt/test_runner/log_formatter/bolt_summary_results_formatter.rb
 - lib/cem_acpt/test_runner/log_formatter/goss_action_response.rb
 - lib/cem_acpt/test_runner/log_formatter/goss_error_formatter.rb
+- lib/cem_acpt/test_runner/log_formatter/scan_result_formatter.rb
 - lib/cem_acpt/test_runner/log_formatter/standard_error_formatter.rb
 - lib/cem_acpt/test_runner/test_results.rb
 - lib/cem_acpt/utils.rb
@@ -314,6 +322,8 @@ files:
 - lib/terraform/gcp/linux/goss/puppet_noop.yaml
 - lib/terraform/gcp/linux/log_service/log_service.rb
 - lib/terraform/gcp/linux/main.tf
+- lib/terraform/gcp/linux/scan/scan_service.rb
+- lib/terraform/gcp/linux/scan/scan_service.service
 - lib/terraform/gcp/linux/systemd/goss-acpt.service
 - lib/terraform/gcp/linux/systemd/goss-idempotent.service
 - lib/terraform/gcp/linux/systemd/goss-noop.service
@@ -324,6 +334,7 @@ files:
 - lib/terraform/image/gcp/linux/main.tf
 - lib/terraform/image/gcp/windows/.keep
 - sample_config.yaml
+- specifications/CEM-6511.md
 - specifications/CEM-6713.md
 - specifications/CEM-6714.md
 - specifications/CEM-6715.md
@@ -331,6 +342,13 @@ files:
 - specifications/CEM-6717.md
 - specifications/CEM-6718.md
 - specifications/CEM-6719.md
+- specifications/CEM-6720.md
+- specifications/CEM-6759.md
+- specifications/CEM-6760.md
+- specifications/CEM-6761.md
+- specifications/CEM-6762.md
+- specifications/CEM-6765.md
+- specifications/CEM-6798.md
 homepage: https://github.com/puppetlabs/cem_acpt
 licenses:
 - proprietary
@@ -338,6 +356,7 @@ metadata:
   homepage_uri: https://github.com/puppetlabs/cem_acpt
   source_code_uri: https://github.com/puppetlabs/cem_acpt
   changelog_uri: https://github.com/puppetlabs/cem_acpt
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -352,7 +371,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.9
+rubygems_version: 3.5.22
+signing_key:
 specification_version: 4
 summary: CEM Acceptance Tests
 test_files: []

data/lib/cem_acpt/provision.rb

@@ -1,20 +0,0 @@
-# frozen_string_literal: true
-
-require_relative 'logging'
-require_relative 'provision/terraform'
-
-module CemAcpt
-  module Provision
-    include CemAcpt::Logging
-
-    def self.new_provisioner(config, provision_data)
-      case config.get('provisioner')
-      when 'terraform'
-        logger.debug('CemAcpt::Provision') { 'Using Terraform provisioner' }
-        CemAcpt::Provision::Terraform.new(config, provision_data)
-      else
-        raise ArgumentError, "Unknown provisioner #{config.get('provisioner')}"
-      end
-    end
-  end
-end