openscap 0.4.9 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c9d56737a95b91a18225def06b0f8a1d23a749e565b5dc302cc50e61f75ef87b
-  data.tar.gz: bd13f950489c98534bfbc4bc174196c449c1eece3c870dfb5dae4d88e2a11c0d
+  metadata.gz: 31f300d3cdcf9b72dcc0e552f4ce9c6113d54b1f9b5316441bff1133a09106ed
+  data.tar.gz: fdcb823bf21e22ed25cdd77f0bf534227db14af84f0f7383d7f74c65cf690932
 SHA512:
-  metadata.gz: a8315dd1675d6589d21a7324e9b125136c2a39dae45e1be4a30a47f5ea031d06e266aef58d4dee67e58515319173f547fb7bdfab2d7a68527fde27d952069e01
-  data.tar.gz: df5b605d6d6bb2e995bc7f7e0358134c57ef9c32b9fb154ddcbcb26875f376644c3f132ccac0cb13a73d5e21a1d63197d812b017eb87b9ac596307e1035e591f
+  metadata.gz: a21ae53d6e42bd055058423e54615780483bec7f8c0514a55dfa953ef6e37d88256c0404135a432e964339a9e26fb0a79ba9963e51ffd0317ba28428d7a70c5a
+  data.tar.gz: 790d230ca7fc2b54f9188f5362851d428152000d84d30f935222a323a8276838b491c640a81708f11b592d0c48dfa759f90718d7b80ae1201c9a4344b37513e4

data/README.md

@@ -1,13 +1,13 @@
-![ruby-openscap icon](http://isimluk.fedorapeople.org/ruby-OpenSCAP-small.png) ruby-OpenSCAP
+ruby-OpenSCAP <img alt="icon" src="http://isimluk.fedorapeople.org/ruby-OpenSCAP-small.png" width="100">
 =============
 
 Description
 -------------
-A FFI wrapper around the OpenSCAP library.
+An FFI wrapper around the OpenSCAP library.
 
 Features/problems
 -------------
-Current version supports minimal set of functions needed to build own scanner. This module
+Current version supports minimal set of functions needed to build own scanner. This gem
 is self documented by its test suite.
 
 Sample Scanner Implementation
@@ -23,28 +23,17 @@ Sample Scanner Implementation
 
 Development Requirements
 -------------
-On Fedora, command is
+On Fedora, commands are
 
-    dnf install ruby-devel rubygem-rake rubygem-ffi rubygem-bundler openscap
-
-On RHEL you can install requirements by issuing
-
-    yum install ruby-devel rubygem-rake rubygem-bundler openscap
-    gem install ffi # or install rubygem-ffi RPM package from EPEL
+    dnf install openscap
+    bundle install
 
 
 Test Requirements
 -------------
 On Fedora, more packages are necessary, but rubocop can be of the latest version
 
-    dnf install rubygem-minitest rubygem-test-unit rubygems-devel bzip2
-    gem install rubocop
-
-For tests on RHEL7, you need minitest package and specific older version of rubocop.
-Newer versions of rubocop requires Ruby >= 2.1.0
-
-    yum install rubygem-minitest bzip2
-    gem install rubocop -v 0.50.0
+    dnf install bzip2
 
 Tests are then performed using script
 

data/Rakefile

@@ -2,10 +2,10 @@
 
 require 'bundler'
 
-Bundler::GemHelper.install_tasks :name => 'openscap'
+Bundler::GemHelper.install_tasks name: 'openscap'
 
 task :test do
   $LOAD_PATH.unshift('lib')
   $LOAD_PATH.unshift('test')
-  Dir.glob('./test/**/*_test.rb') { |f| require f }
+  Dir.glob('./test/**/*_test.rb').each { |f| require f }
 end

data/lib/openscap/all.rb

@@ -1,3 +1,3 @@
 # frozen_string_literal: true
 
-Dir.glob(File.join(File.dirname(__FILE__), '{xccdf,ds,}', '*.rb'), &method(:require))
+# Dir.glob(File.join(File.dirname(__FILE__), '{xccdf,ds,}', '*.rb')).each(&method(:require))

data/lib/openscap/ds/arf.rb

@@ -58,8 +58,8 @@ module OpenSCAP
 
   attach_function :ds_rds_session_new_from_source, [:pointer], :pointer
   attach_function :ds_rds_session_free, [:pointer], :void
-  attach_function :ds_rds_session_select_report, [:pointer, :string], :pointer
-  attach_function :ds_rds_session_replace_report_with_source, [:pointer, :pointer], :int
-  attach_function :ds_rds_session_select_report_request, [:pointer, :string], :pointer
+  attach_function :ds_rds_session_select_report, %i[pointer string], :pointer
+  attach_function :ds_rds_session_replace_report_with_source, %i[pointer pointer], :int
+  attach_function :ds_rds_session_select_report_request, %i[pointer string], :pointer
   attach_function :ds_rds_session_get_html_report, [:pointer], :pointer
 end

data/lib/openscap/ds/sds.rb

@@ -15,6 +15,12 @@ module OpenSCAP
                  OpenSCAP.ds_sds_session_new_from_source param[:source].raw
                end
         OpenSCAP.raise! if @raw.null?
+
+        begin
+          yield self
+        ensure
+          destroy
+        end if block_given?
       end
 
       def select_checklist(p = {})
@@ -43,6 +49,6 @@ module OpenSCAP
 
   attach_function :ds_sds_session_new_from_source, [:pointer], :pointer
   attach_function :ds_sds_session_free, [:pointer], :void
-  attach_function :ds_sds_session_select_checklist, [:pointer, :string, :string, :string], :pointer
-  attach_function :ds_sds_session_get_html_guide, [:pointer, :string], :string
+  attach_function :ds_sds_session_select_checklist, %i[pointer string string string], :pointer
+  attach_function :ds_sds_session_get_html_guide, %i[pointer string], :string
 end

data/lib/openscap/openscap.rb

@@ -25,6 +25,15 @@ module OpenSCAP
     raise OpenSCAPError, err
   end
 
+  def self._iterate(over:, as:, &)
+    has_more_method = "#{as}_iterator_has_more"
+    next_method = "#{as}_iterator_next"
+    free_method = "#{as}_iterator_free"
+
+    yield send(next_method, over) while send(has_more_method, over)
+    send(free_method, over)
+  end
+
   attach_function :oscap_init, [], :void
   attach_function :oscap_cleanup, [], :void
   attach_function :oscap_get_version, [], :string

data/lib/openscap/source.rb

@@ -20,6 +20,12 @@ module OpenSCAP
         raise OpenSCAP::OpenSCAPError, "Cannot initialize #{self.class.name} with '#{param}'"
       end
       OpenSCAP.raise! if @raw.null?
+
+      begin
+        yield self
+      ensure
+        destroy
+      end if block_given?
     end
 
     def type
@@ -51,13 +57,13 @@ module OpenSCAP
   end
 
   attach_function :oscap_source_new_from_file, [:string], :pointer
-  attach_function :oscap_source_new_from_memory, [:pointer, :int, :string], :pointer
+  attach_function :oscap_source_new_from_memory, %i[pointer int string], :pointer
   attach_function :oscap_source_get_scap_type, [:pointer], :int
   attach_function :oscap_source_free, [:pointer], :void
-  attach_function :oscap_source_save_as, [:pointer, :string], :int
+  attach_function :oscap_source_save_as, %i[pointer string], :int
 
-  callback :xml_reporter, [:string, :int, :string, :pointer], :int
-  attach_function :oscap_source_validate, [:pointer, :xml_reporter, :pointer], :int
+  callback :xml_reporter, %i[string int string pointer], :int
+  attach_function :oscap_source_validate, %i[pointer xml_reporter pointer], :int
   XmlReporterCallback = proc do |filename, line_number, error_message, e|
     offset = e.get_string(0).length
     msg = "#{filename}:#{line_number}: #{error_message}"

data/lib/openscap/text.rb

@@ -4,8 +4,13 @@ module OpenSCAP
   class Text
     attr_reader :raw
 
-    def initialize
-      @raw = OpenSCAP.oscap_text_new
+    def initialize(t = nil)
+      @raw = case t
+             when FFI::Pointer
+               t
+             when nil
+               OpenSCAP.oscap_text_new
+             end
     end
 
     def text=(str)
@@ -13,7 +18,7 @@ module OpenSCAP
     end
 
     def text
-      OpenSCAP.oscap_text_get_text(raw)
+      OpenSCAP.oscap_text_get_text(@raw).force_encoding Encoding::UTF_8
     end
 
     def destroy
@@ -25,22 +30,46 @@ module OpenSCAP
   class TextList
     def initialize(oscap_text_iterator)
       @raw = oscap_text_iterator
+
+      begin
+        yield self
+      ensure
+        destroy
+      end if block_given?
     end
 
     def plaintext(lang = nil)
       OpenSCAP.oscap_textlist_get_preferred_plaintext @raw, lang
     end
 
+    def markup(lang:)
+      text_pointer = OpenSCAP.oscap_textlist_get_preferred_text @raw, lang
+      return nil if text_pointer.null?
+
+      Text.new(text_pointer).text
+    end
+
     def destroy
       OpenSCAP.oscap_text_iterator_free @raw
     end
+
+    def self.extract(pointer, lang:, markup:)
+      new(pointer) do |list|
+        if markup
+          return list.markup(lang:)
+        else
+          return list.plaintext(lang)
+        end
+      end
+    end
   end
 
   attach_function :oscap_text_new, [], :pointer
-  attach_function :oscap_text_set_text, [:pointer, :string], :bool
+  attach_function :oscap_text_set_text, %i[pointer string], :bool
   attach_function :oscap_text_get_text, [:pointer], :string
   attach_function :oscap_text_free, [:pointer], :void
 
-  attach_function :oscap_textlist_get_preferred_plaintext, [:pointer, :string], :string
+  attach_function :oscap_textlist_get_preferred_plaintext, %i[pointer string], :string
+  attach_function :oscap_textlist_get_preferred_text, %i[pointer string], :pointer
   attach_function :oscap_text_iterator_free, [:pointer], :void
 end

data/lib/openscap/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module OpenSCAP
-  VERSION = '0.4.9'
+  VERSION = '0.5.0'
 end

data/lib/openscap/xccdf/benchmark.rb

@@ -3,10 +3,14 @@
 require 'openscap/source'
 require 'openscap/xccdf/profile'
 require 'openscap/xccdf/item'
+require 'openscap/xccdf/item_common'
+require 'openscap/xccdf/value'
+require 'openscap/xccdf/status'
 
 module OpenSCAP
   module Xccdf
     class Benchmark
+      include ItemCommon
       attr_reader :raw
 
       def initialize(p)
@@ -18,6 +22,20 @@ module OpenSCAP
                 "Cannot initialize OpenSCAP::Xccdf::Benchmark with '#{p}'"
         end
         OpenSCAP.raise! if @raw.null?
+
+        begin
+          yield self
+        ensure
+          destroy
+        end if block_given?
+      end
+
+      def resolved?
+        OpenSCAP.xccdf_benchmark_get_resolved @raw
+      end
+
+      def status_current
+        Status.new OpenSCAP.xccdf_benchmark_get_status_current(raw)
       end
 
       def profiles
@@ -28,8 +46,40 @@ module OpenSCAP
         @items ||= items_init
       end
 
+      def each_item(&)
+        OpenSCAP._iterate over: OpenSCAP.xccdf_item_get_content(@raw), as: 'xccdf_item' do |pointer|
+          yield OpenSCAP::Xccdf::Item.build(pointer)
+        end
+      end
+
+      def each_profile(&)
+        OpenSCAP._iterate over: OpenSCAP.xccdf_benchmark_get_profiles(@raw), as: 'xccdf_profile' do |pointer|
+          yield OpenSCAP::Xccdf::Profile.new pointer
+        end
+      end
+
+      def each_value(&)
+        OpenSCAP._iterate over: OpenSCAP.xccdf_benchmark_get_values(@raw), as: 'xccdf_value' do |pointer|
+          yield OpenSCAP::Xccdf::Value.new pointer
+        end
+      end
+
+      def policy_model
+        @policy_model ||= PolicyModel.new(self)
+      end
+
+      def schema_version
+        pointer = OpenSCAP.xccdf_benchmark_get_schema_version(@raw)
+        OpenSCAP.xccdf_version_info_get_version(pointer)
+      end
+
       def destroy
-        OpenSCAP.xccdf_benchmark_free @raw
+        # Policy Model takes ownership of Xccdf::Benchmark. It is one of these lovely quirks of libopenscap
+        if @policy_model
+          @policy_model.destroy
+        else
+          OpenSCAP.xccdf_benchmark_free @raw
+        end
         @raw = nil
       end
 
@@ -37,27 +87,18 @@ module OpenSCAP
 
       def profiles_init
         profiles = {}
-        profit = OpenSCAP.xccdf_benchmark_get_profiles raw
-        while OpenSCAP.xccdf_profile_iterator_has_more profit
-          profile_p = OpenSCAP.xccdf_profile_iterator_next profit
-          profile = OpenSCAP::Xccdf::Profile.new profile_p
+        each_profile do |profile|
           profiles[profile.id] = profile
         end
-        OpenSCAP.xccdf_profile_iterator_free profit
         profiles
       end
 
       def items_init
         items = {}
-        items_it = OpenSCAP.xccdf_item_get_content raw
-        while OpenSCAP.xccdf_item_iterator_has_more items_it
-          item_p = OpenSCAP.xccdf_item_iterator_next items_it
-          item = OpenSCAP::Xccdf::Item.build item_p
+        each_item do |item|
           items.merge! item.sub_items
           items[item.id] = item
-          # TODO: iterate through childs
         end
-        OpenSCAP.xccdf_item_iterator_free items_it
         items
       end
     end
@@ -66,8 +107,19 @@ module OpenSCAP
   attach_function :xccdf_benchmark_import_source, [:pointer], :pointer
   attach_function :xccdf_benchmark_free, [:pointer], :void
 
+  attach_function :xccdf_benchmark_get_status_current, [:pointer], :pointer
+  attach_function :xccdf_benchmark_get_resolved, [:pointer], :pointer
   attach_function :xccdf_benchmark_get_profiles, [:pointer], :pointer
   attach_function :xccdf_profile_iterator_has_more, [:pointer], :bool
   attach_function :xccdf_profile_iterator_next, [:pointer], :pointer
   attach_function :xccdf_profile_iterator_free, [:pointer], :void
+  attach_function :xccdf_benchmark_get_values, [:pointer], :pointer
+  attach_function :xccdf_value_iterator_has_more, [:pointer], :bool
+  attach_function :xccdf_value_iterator_next, [:pointer], :pointer
+  attach_function :xccdf_value_iterator_free, [:pointer], :void
+
+  attach_function :xccdf_benchmark_get_schema_version, [:pointer], :pointer
+  attach_function :xccdf_version_info_get_version, [:pointer], :string
 end
+
+require_relative 'policy_model'

data/lib/openscap/xccdf/fix.rb

@@ -29,10 +29,10 @@ module OpenSCAP
 
       def to_hash
         {
-          :id => id,
-          :platform => platform,
-          :system => fix_system,
-          :content => content
+          id:,
+          platform:,
+          system: fix_system,
+          content:
         }
       end
     end

data/lib/openscap/xccdf/group.rb

@@ -7,6 +7,38 @@ require 'openscap/xccdf/item'
 module OpenSCAP
   module Xccdf
     class Group < Item
+      def each_child(&)
+        OpenSCAP._iterate over: OpenSCAP.xccdf_item_get_content(@raw), as: 'xccdf_item' do |pointer|
+          yield OpenSCAP::Xccdf::Item.build pointer
+        end
+      end
+
+      def each_value(&)
+        OpenSCAP._iterate over: OpenSCAP.xccdf_group_get_values(@raw), as: 'xccdf_value' do |pointer|
+          yield OpenSCAP::Xccdf::Value.new pointer
+        end
+      end
+
+      def sub_items
+        @sub_items ||= sub_items_init
+      end
+
+      private
+
+      def sub_items_init
+        collect = {}
+        each_child do |item|
+          collect.merge! item.sub_items
+          collect[item.id] = item
+        end
+        collect
+      end
     end
   end
+
+  attach_function :xccdf_item_get_content, [:pointer], :pointer
+  attach_function :xccdf_item_iterator_has_more, [:pointer], :bool
+  attach_function :xccdf_item_iterator_next, [:pointer], :pointer
+  attach_function :xccdf_item_iterator_free, [:pointer], :void
+  attach_function :xccdf_group_get_values, [:pointer], :pointer
 end

data/lib/openscap/xccdf/item.rb

@@ -2,13 +2,15 @@
 
 require 'openscap/exceptions'
 require 'openscap/text'
+require 'openscap/xccdf/item_common'
 require 'openscap/xccdf/group'
 require 'openscap/xccdf/rule'
-require 'openscap/xccdf/reference'
 
 module OpenSCAP
   module Xccdf
     class Item
+      include ItemCommon # reflects OpenSCAP's struct xccdf_item (thus operates with Benchmark, Profile, Group, Rule, and Value)
+
       def self.build(t)
         raise OpenSCAP::OpenSCAPError, "Cannot initialize #{self.class.name} with #{t}" \
           unless t.is_a?(FFI::Pointer)
@@ -25,80 +27,36 @@ module OpenSCAP
       end
 
       def initialize(t)
-        if self.class == OpenSCAP::Xccdf::Item
-          raise OpenSCAP::OpenSCAPError, "Cannot initialize #{self.class.name} abstract base class."
-        end
+        raise OpenSCAP::OpenSCAPError, "Cannot initialize #{self.class.name} abstract base class." if instance_of?(OpenSCAP::Xccdf::Item)
 
         @raw = t
       end
 
-      def id
-        OpenSCAP.xccdf_item_get_id @raw
-      end
-
-      def title(prefered_lang = nil)
-        textlist = OpenSCAP::TextList.new(OpenSCAP.xccdf_item_get_title(@raw))
-        title = textlist.plaintext(prefered_lang)
-        textlist.destroy
-        title
+      def rationale(prefered_lang = nil, markup: false)
+        TextList.extract(OpenSCAP.xccdf_item_get_rationale(@raw), lang: prefered_lang, markup:)
       end
 
-      def description(prefered_lang = nil)
-        textlist = OpenSCAP::TextList.new(OpenSCAP.xccdf_item_get_description(@raw))
-        description = textlist.plaintext(prefered_lang)
-        textlist.destroy
-        description
-      end
-
-      def rationale(prefered_lang = nil)
-        textlist = OpenSCAP::TextList.new(OpenSCAP.xccdf_item_get_rationale(@raw))
-        rationale = textlist.plaintext(prefered_lang)
-        textlist.destroy
-        rationale
-      end
-
-      def references
-        refs = []
-        refs_it = OpenSCAP.xccdf_item_get_references(@raw)
-        while OpenSCAP.oscap_reference_iterator_has_more refs_it
-          ref = OpenSCAP::Xccdf::Reference.new(OpenSCAP.oscap_reference_iterator_next(refs_it))
-          refs << ref
+      def warnings
+        @warnings ||= [].tap do |warns|
+          OpenSCAP._iterate over: OpenSCAP.xccdf_item_get_warnings(@raw), as: 'xccdf_warning' do |pointer|
+            warns << {
+              category: OpenSCAP.xccdf_warning_get_category(pointer),
+              text: Text.new(OpenSCAP.xccdf_warning_get_text(pointer))
+            }
+          end
         end
-        OpenSCAP.oscap_reference_iterator_free refs_it
-        refs
       end
 
-      def sub_items
-        @sub_items ||= sub_items_init
-      end
+      def sub_items = {}
 
       def destroy
         OpenSCAP.xccdf_item_free @raw
         @raw = nil
       end
-
-      private
-
-      def sub_items_init
-        collect = {}
-        items_it = OpenSCAP.xccdf_item_get_content @raw
-        while OpenSCAP.xccdf_item_iterator_has_more items_it
-          item_p = OpenSCAP.xccdf_item_iterator_next items_it
-          item = OpenSCAP::Xccdf::Item.build item_p
-          collect.merge! item.sub_items
-          collect[item.id] = item
-        end
-        OpenSCAP.xccdf_item_iterator_free items_it
-        collect
-      end
     end
   end
 
-  attach_function :xccdf_item_get_id, [:pointer], :string
-  attach_function :xccdf_item_get_content, [:pointer], :pointer
   attach_function :xccdf_item_free, [:pointer], :void
-  attach_function :xccdf_item_get_title, [:pointer], :pointer
-  attach_function :xccdf_item_get_description, [:pointer], :pointer
   attach_function :xccdf_item_get_rationale, [:pointer], :pointer
 
   XccdfItemType = enum(:benchmark, 0x0100,
@@ -109,11 +67,25 @@ module OpenSCAP
                        :value, 0x4000)
   attach_function :xccdf_item_get_type, [:pointer], XccdfItemType
 
-  attach_function :xccdf_item_iterator_has_more, [:pointer], :bool
-  attach_function :xccdf_item_iterator_next, [:pointer], :pointer
-  attach_function :xccdf_item_iterator_free, [:pointer], :void
+  enum :xccdf_warning_category_t, [
+    :not_specified, # empty value
+    :general, # General-purpose warning
+    :functionality, # Warning about possible impacts to functionality
+    :performance, # Warning about changes to target system performance
+    :hardware, # Warning about hardware restrictions or possible impacts to hardware
+    :legal, # Warning about legal implications
+    :regulatory,	# Warning about regulatory obligations
+    :management, # Warning about impacts to the mgmt or administration of the target system
+    :audit, # Warning about impacts to audit or logging
+    :dependency # Warning about dependencies between this Rule and other parts of the target system
+  ]
+  attach_function :xccdf_item_get_warnings, [:pointer], :pointer
+  attach_function :xccdf_warning_iterator_has_more, [:pointer], :bool
+  attach_function :xccdf_warning_iterator_next, [:pointer], :pointer
+  attach_function :xccdf_warning_iterator_free, [:pointer], :void
+  attach_function :xccdf_warning_get_category, [:pointer], :xccdf_warning_category_t
+  attach_function :xccdf_warning_get_text, [:pointer], :pointer
 
-  attach_function :xccdf_item_get_references, [:pointer], :pointer
   attach_function :oscap_reference_iterator_has_more, [:pointer], :bool
   attach_function :oscap_reference_iterator_next, [:pointer], :pointer
   attach_function :oscap_reference_iterator_free, [:pointer], :void

data/lib/openscap/xccdf/item_common.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+require 'openscap/text'
+require 'openscap/xccdf/reference'
+
+module OpenSCAP
+  module Xccdf
+    module ItemCommon
+      def id
+        OpenSCAP.xccdf_item_get_id @raw
+      end
+
+      def version
+        OpenSCAP.xccdf_item_get_version @raw
+      end
+
+      def title lang: nil
+        TextList.extract OpenSCAP.xccdf_item_get_title(@raw), lang:, markup: false
+      end
+
+      def description prefered_lang: nil, markup: true
+        TextList.extract(OpenSCAP.xccdf_item_get_description(@raw), lang: prefered_lang, markup:)
+      end
+
+      def references
+        refs = []
+        OpenSCAP._iterate over: OpenSCAP.xccdf_item_get_references(@raw), as: 'oscap_reference' do |pointer|
+          refs << OpenSCAP::Xccdf::Reference.new(pointer)
+        end
+        refs
+      end
+    end
+  end
+
+  attach_function :xccdf_item_get_id, [:pointer], :string
+  attach_function :xccdf_item_get_title, [:pointer], :pointer
+  attach_function :xccdf_item_get_description, [:pointer], :pointer
+  attach_function :xccdf_item_get_references, [:pointer], :pointer
+  attach_function :xccdf_item_get_version, [:pointer], :string
+end

data/lib/openscap/xccdf/policy.rb

@@ -21,8 +21,18 @@ module OpenSCAP
       def id
         OpenSCAP.xccdf_policy_get_id raw
       end
+
+      def profile
+        Profile.new OpenSCAP.xccdf_policy_get_profile @raw
+      end
+
+      def selects_item?(item_idref)
+        OpenSCAP.xccdf_policy_is_item_selected @raw, item_idref
+      end
     end
   end
 
   attach_function :xccdf_policy_get_id, [:pointer], :string
+  attach_function :xccdf_policy_get_profile, [:pointer], :pointer
+  attach_function :xccdf_policy_is_item_selected, %i[pointer string], :bool
 end

data/lib/openscap/xccdf/policy_model.rb

@@ -18,6 +18,12 @@ module OpenSCAP
                 "Cannot initialize OpenSCAP::Xccdf::PolicyModel with '#{b}'"
         end
         OpenSCAP.raise! if @raw.null?
+
+        begin
+          yield self
+        ensure
+          destroy
+        end if block_given?
       end
 
       def policies
@@ -29,18 +35,21 @@ module OpenSCAP
         @raw = nil
       end
 
+      def each_policy(&)
+        OpenSCAP.raise! unless OpenSCAP.xccdf_policy_model_build_all_useful_policies(raw).zero?
+        OpenSCAP._iterate over: OpenSCAP.xccdf_policy_model_get_policies(@raw),
+                          as: 'xccdf_policy' do |pointer|
+          yield OpenSCAP::Xccdf::Policy.new pointer
+        end
+      end
+
       private
 
       def policies_init
         policies = {}
-        OpenSCAP.raise! unless OpenSCAP.xccdf_policy_model_build_all_useful_policies(raw).zero?
-        polit = OpenSCAP.xccdf_policy_model_get_policies raw
-        while OpenSCAP.xccdf_policy_iterator_has_more polit
-          policy_p = OpenSCAP.xccdf_policy_iterator_next polit
-          policy = OpenSCAP::Xccdf::Policy.new policy_p
+        each_policy do |policy|
           policies[policy.id] = policy
         end
-        OpenSCAP.xccdf_policy_iterator_free polit
         policies
       end
     end