cem_acpt 0.12.0 → 0.12.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b82bc3c9709dc1486de6675c33508a532f8c036fde480e6fd967e5a2e7dfdae8
-  data.tar.gz: 4fad921e96175030f521ac21a898ee3488a57b109e309f696980e044efc28123
+  metadata.gz: c9db8e060c748eb655248cac9a3a00d67802081d0d63b31f9f3a5daa6385c13f
+  data.tar.gz: 365a1e9551b3721869e7b9dc649408f544be47eddc84cccb3b8cf0f0ab025178
 SHA512:
-  metadata.gz: b711d5b4ee1cf1f4c712d38b12c68fd3e20939a69e161004b1b2ecc0256838c04473bf089b86e1c78097db848197b6218617cbc31fb53ba52a2bd7dc84910b07
-  data.tar.gz: bd425c7655b89ce251c32d239b0dd7ac1333d0d17f262e08a8c997b388a065a900f6849404e31fbdd969d3e8042aeb934b276b2b002611c72e190e4094245a83
+  metadata.gz: e33957643fc4601962aff311034849f6840972ba8d47860ebabcaef9b42cab1e8cf874aa06be1f0e3743d8511c494a2ec92d57d92f74ef0f3cfa673d08e14b39
+  data.tar.gz: 9fadc4795a4b18a1ad889719c69b2962c70c19b54775cebafd00c67f3d876e118913a06267b973d17080942a67937deab2b00bee6bec97b7c36741910fa1e488

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    cem_acpt (0.12.0)
+    cem_acpt (0.12.1)
       async-http (>= 0.60, < 0.70)
       bcrypt_pbkdf (>= 1.0, < 2.0)
       deep_merge (>= 1.2, < 2.0)

data/lib/cem_acpt/config/cem_acpt_scan.rb

@@ -53,6 +53,9 @@ module CemAcpt
             benchmarks: {
               cis_cat: {},
             },
+            datastreams: {
+              openscap: {},
+            },
           },
           ci_mode: false,
           config_file: nil,

data/lib/cem_acpt/scan/errors.rb

@@ -40,5 +40,14 @@ module CemAcpt
         super("No benchmark configured for test case '#{test_case}' (scanner: #{scanner}). Set '#{config_key}' in cem_acpt config.")
       end
     end
+
+    # Raised when a test case has no entry in `cem_acpt_scan.datastreams.openscap`
+    # and so no datastream path can be resolved. The message carries the missing
+    # config key so the operator can fix it without re-running.
+    class DatastreamNotFoundError < StandardError
+      def initialize(test_case, scanner, config_key)
+        super("No datastream configured for test case '#{test_case}' (scanner: #{scanner}). Set '#{config_key}' in cem_acpt config.")
+      end
+    end
   end
 end

data/lib/cem_acpt/test_data.rb

@@ -117,11 +117,24 @@ module CemAcpt
           end
         end
 
+        datastream = nil
+        if scanner == :openscap
+          datastreams = @config.get('cem_acpt_scan.datastreams.openscap') || {}
+          datastream  = datastreams[test_data[:test_name]] || datastreams[test_data[:test_name].to_sym]
+          if datastream.nil? || datastream.to_s.empty?
+            raise CemAcpt::Scan::DatastreamNotFoundError.new(
+              test_data[:test_name], scanner,
+              "cem_acpt_scan.datastreams.openscap.#{test_data[:test_name]}"
+            )
+          end
+        end
+
         test_data[:scan] = {
-          scanner: scanner,
-          profile: profile,
-          level: test_data[:level] || test_data['level'],
-          benchmark: benchmark,
+          scanner:    scanner,
+          profile:    profile,
+          level:      test_data[:level] || test_data['level'],
+          benchmark:  benchmark,
+          datastream: datastream,
         }
       end
 

data/lib/cem_acpt/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module CemAcpt
-  VERSION = '0.12.0'
+  VERSION = '0.12.1'
 end

data/lib/terraform/gcp/linux/main.tf

@@ -291,7 +291,7 @@ resource "null_resource" "cis_cat_pro_upload" {
   # `shopt -s dotglob`) up into /opt/cis-cat-pro/.
   provisioner "remote-exec" {
     inline = each.value.cis_cat_pro_format == "zip" ? [
-      "sudo dnf install -y unzip || sudo apt-get install -y unzip",
+      "sudo dnf install -y unzip || sudo bash -c 'NEEDRESTART_MODE=a apt-get install -y unzip'",
       "sudo mkdir -p /opt/cis-cat-pro",
       "sudo rm -rf /tmp/cis-cat-pro-extract",
       "sudo unzip -q -o ${each.value.provision_dir_dest}/cis-cat-pro.zip -d /tmp/cis-cat-pro-extract",
@@ -320,7 +320,7 @@ resource "null_resource" "cis_cat_pro_upload" {
 
   provisioner "remote-exec" {
     inline = each.value.cis_cat_pro_license_format == "zip" ? [
-      "sudo dnf install -y unzip || sudo apt-get install -y unzip",
+      "sudo dnf install -y unzip || sudo bash -c 'NEEDRESTART_MODE=a apt-get install -y unzip'",
       "sudo mkdir -p /opt/cis-cat-pro/license",
       "sudo unzip -q -o ${each.value.provision_dir_dest}/cis-cat-pro-license.zip -d /opt/cis-cat-pro/license",
     ] : [

data/lib/terraform/gcp/linux/scan/scan_service.rb

@@ -119,7 +119,7 @@ def perform_scan
 
   case cfg['scanner']
   when 'openscap'
-    run_openscap(cfg['profile'], cfg['datastream'] || '/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml')
+    run_openscap(cfg['profile'], cfg['datastream'])
   when 'ciscat'
     run_ciscat(cfg['profile'], cfg['benchmark'])
   else

data/specifications/CEM-6798.md

@@ -0,0 +1,170 @@
+# CEM-6798 — Per-OS OpenSCAP datastream config (required, with DatastreamNotFoundError)
+
+## Summary
+
+`scan_post_processing!` in `lib/cem_acpt/test_data.rb` never populates a `datastream` key in
+the `:scan` hash it builds for each OpenSCAP test case. The on-node scan daemon's
+`perform_scan` in `lib/terraform/gcp/linux/scan/scan_service.rb` fills the gap with a
+hardcoded `|| '/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml'` fallback, which silently
+uses the wrong datastream on every non-RHEL 8 OS — confirmed when RHEL 9 provisioning failed
+because `ssg-rhel8-ds.xml` does not exist on that OS.
+
+Remove the hardcoded fallback. Add a `cem_acpt_scan.datastreams.openscap` config map (keyed
+by test-case name, same pattern as `cem_acpt_scan.profiles.openscap`) and raise a new
+`DatastreamNotFoundError` in `scan_post_processing!` when an OpenSCAP test case has no
+datastream configured. CIS-CAT test cases are unaffected; their `datastream` key remains
+`nil`.
+
+## Goals
+
+- OpenSCAP scans receive the correct per-OS datastream file path from operator-supplied config.
+- Misconfiguration is caught before any node is provisioned (early error in `scan_post_processing!`).
+- The `ssg-rhel8-ds.xml` fallback is removed so it can never silently produce wrong scan results on non-RHEL 8 nodes.
+
+## Non-goals
+
+- Automatic discovery or lookup of datastream paths by OS family or version at runtime.
+- Changing the on-node `run_openscap` invocation or any OpenSCAP flags.
+- Any changes to the CIS-CAT scan path.
+- Removing the `level` key from `test_data[:scan]` or `scan_config.json`.
+
+## Proposed Design
+
+### `lib/cem_acpt/config/cem_acpt_scan.rb`
+
+Add `datastreams: { openscap: {} }` alongside the existing `benchmarks` entry in `defaults`:
+
+```ruby
+# before
+benchmarks: {
+  cis_cat: {},
+},
+
+# after
+benchmarks: {
+  cis_cat: {},
+},
+datastreams: {
+  openscap: {},
+},
+```
+
+### `lib/cem_acpt/scan/errors.rb`
+
+Add `DatastreamNotFoundError` following the same shape as `BenchmarkNotFoundError`:
+
+```ruby
+# Raised when a test case has no entry in `cem_acpt_scan.datastreams.openscap`
+# and so no datastream path can be resolved. The message carries the missing
+# config key so the operator can fix it without re-running.
+class DatastreamNotFoundError < StandardError
+  def initialize(test_case, scanner, config_key)
+    super("No datastream configured for test case '#{test_case}' (scanner: #{scanner}). Set '#{config_key}' in cem_acpt config.")
+  end
+end
+```
+
+### `lib/cem_acpt/test_data.rb` — `scan_post_processing!`
+
+After the `benchmark` lookup block (which is already gated to `scanner == :ciscat`), add a
+symmetric `datastream` lookup gated to `scanner == :openscap`. Raise `DatastreamNotFoundError`
+when the mapping is missing or empty. Pass `datastream` as a new key in `test_data[:scan]`.
+
+```ruby
+datastream = nil
+if scanner == :openscap
+  datastreams = @config.get('cem_acpt_scan.datastreams.openscap') || {}
+  datastream  = datastreams[test_data[:test_name]] || datastreams[test_data[:test_name].to_sym]
+  if datastream.nil? || datastream.to_s.empty?
+    raise CemAcpt::Scan::DatastreamNotFoundError.new(
+      test_data[:test_name], scanner,
+      "cem_acpt_scan.datastreams.openscap.#{test_data[:test_name]}"
+    )
+  end
+end
+
+test_data[:scan] = {
+  scanner:    scanner,
+  profile:    profile,
+  level:      test_data[:level] || test_data['level'],
+  benchmark:  benchmark,
+  datastream: datastream,
+}
+```
+
+### `lib/terraform/gcp/linux/scan/scan_service.rb` — `perform_scan`
+
+Remove the hardcoded `|| '/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml'` fallback:
+
+```ruby
+# before
+run_openscap(cfg['profile'], cfg['datastream'] || '/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml')
+
+# after
+run_openscap(cfg['profile'], cfg['datastream'])
+```
+
+The fixture mirror at `spec/fixtures/config_testing/user_config_dir/terraform/gcp/linux/scan/scan_service.rb`
+is updated identically. `spec/fixtures/config_testing/user_config_dir/terraform_checksum.txt`
+is regenerated.
+
+## Edge Cases
+
+- **`datastream` is `nil` for CIS-CAT test cases** — `run_ciscat` does not receive a datastream argument; the `nil` assignment is harmless.
+- **`datastream` key present but empty string** — treated as missing; `DatastreamNotFoundError` is raised.
+- **`cem_acpt_scan.datastreams.openscap` key absent from config** — `@config.get(...)` returns `nil`; the `|| {}` guard prevents a `NoMethodError` on the subsequent lookup.
+
+## Constraints / Invariants
+
+- `test_data[:scan]` hash shape gains one key (`datastream`) but is otherwise unchanged. All
+  existing callers that read `scanner`, `profile`, `level`, `benchmark` are unaffected.
+- `DatastreamNotFoundError` is raised in `scan_post_processing!`, before any Terraform
+  provisioning begins — same as `ProfileNotFoundError` and `BenchmarkNotFoundError`.
+- The on-node `scan_config.json` payload already passes `cfg['datastream']` through to
+  `run_openscap`; no change to `lib/cem_acpt/provision/terraform.rb` or the scan-config
+  serialization is needed.
+
+## Test Plan
+
+### `spec/cem_acpt/scan/errors_spec.rb`
+
+Add a `DatastreamNotFoundError` describe block mirroring the existing `BenchmarkNotFoundError`
+block: assert the message includes the test-case name and the config key path.
+
+### `spec/cem_acpt/scan/test_data_scan_spec.rb`
+
+1. Update the existing "does not require a benchmark for openscap test cases" example to
+   also supply a `datastreams` map and assert `scan[:datastream]` equals the configured value.
+2. Add a test that `DatastreamNotFoundError` is raised when the datastream mapping is absent
+   for an OpenSCAP test case, and that the error message includes the missing config key path.
+3. Add a test that CIS-CAT test cases still have `scan[:datastream]` set to `nil`.
+
+### `spec/terraform/gcp/linux/scan/scan_service_spec.rb`
+
+Add a text-grep assertion that the hardcoded `ssg-rhel8-ds.xml` fallback string is absent
+from `scan_service.rb` (mirrors the `-l` absence test added for CEM-6765).
+
+## Acceptance Criteria
+
+- [ ] `cem_acpt_scan.datastreams.openscap` is a recognized config key with a default of `{}`.
+- [ ] `DatastreamNotFoundError` is defined in `lib/cem_acpt/scan/errors.rb`; its message includes the test-case name and the missing config key path.
+- [ ] `scan_post_processing!` populates `test_data[:scan][:datastream]` from the config map for OpenSCAP test cases.
+- [ ] `scan_post_processing!` raises `DatastreamNotFoundError` when the datastream mapping is missing or empty for an OpenSCAP test case.
+- [ ] `test_data[:scan][:datastream]` is `nil` for CIS-CAT test cases.
+- [ ] The hardcoded `ssg-rhel8-ds.xml` fallback is removed from `perform_scan` in `scan_service.rb` and its fixture mirror.
+- [ ] `spec/fixtures/config_testing/user_config_dir/terraform_checksum.txt` is updated.
+- [ ] All existing specs pass.
+- [ ] New unit tests for `DatastreamNotFoundError` and datastream lookup in `scan_post_processing!` pass.
+
+## Files Touched
+
+- `lib/cem_acpt/config/cem_acpt_scan.rb` — add `datastreams: { openscap: {} }` default.
+- `lib/cem_acpt/scan/errors.rb` — add `DatastreamNotFoundError`.
+- `lib/cem_acpt/test_data.rb` — add datastream lookup and error raise in `scan_post_processing!`.
+- `lib/terraform/gcp/linux/scan/scan_service.rb` — remove hardcoded fallback from `perform_scan`.
+- `spec/fixtures/config_testing/user_config_dir/terraform/gcp/linux/scan/scan_service.rb` — mirror update.
+- `spec/fixtures/config_testing/user_config_dir/terraform_checksum.txt` — checksum update.
+- `spec/cem_acpt/scan/errors_spec.rb` — add `DatastreamNotFoundError` describe block.
+- `spec/cem_acpt/scan/test_data_scan_spec.rb` — datastream lookup and error raise tests.
+- `spec/terraform/gcp/linux/scan/scan_service_spec.rb` — absence of hardcoded fallback text-grep.
+- `specifications/CEM-6798.md` — this file.

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cem_acpt
 version: !ruby/object:Gem::Version
-  version: 0.12.0
+  version: 0.12.1
 platform: ruby
 authors:
 - puppetlabs
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2026-06-08 00:00:00.000000000 Z
+date: 2026-06-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: async-http
@@ -348,6 +348,7 @@ files:
 - specifications/CEM-6761.md
 - specifications/CEM-6762.md
 - specifications/CEM-6765.md
+- specifications/CEM-6798.md
 homepage: https://github.com/puppetlabs/cem_acpt
 licenses:
 - proprietary