Enhance openscap module: add "xccdf_eval" function

changelog/63416.added

@@ -0,0 +1 @@
+adding new call for openscap xccdf eval supporting new parameters

salt/modules/openscap.py

@@ -4,11 +4,14 @@
 """
 
 
+import os.path
 import shlex
 import shutil
 import tempfile
 from subprocess import PIPE, Popen
 
+import salt.utils.versions
+
 ArgumentParser = object
 
 try:
@@ -55,6 +58,134 @@ def error(self, message, *args, **kwargs):
 }
 
 
+def xccdf_eval(
+    xccdffile,
+    ovalfiles=None,
+    profile=None,
+    rule=None,
+    oval_results=None,
+    results=None,
+    report=None,
+    fetch_remote_resources=None,
+    tailoring_file=None,
+    tailoring_id=None,
+    remediate=None,
+):
+    """
+    Run ``oscap xccdf eval`` commands on minions.
+
+    .. versionadded:: 3007
+
+    It uses cp.push_dir to upload the generated files to the salt master
+    in the master's minion files cachedir
+    (defaults to ``/var/cache/salt/master/minions/minion-id/files``)
+
+    It needs ``file_recv`` set to ``True`` in the master configuration file.
+
+    xccdffile
+        the path to the xccdf file to evaluate
+
+    ovalfiles
+        additional oval definition files
+
+    profile
+        the name of Profile to be evaluated
+
+    rule
+        the name of a single rule to be evaluated
+
+    oval_results
+        save OVAL results as well (True or False)
+
+    results
+        write XCCDF Results into given file
+
+    report
+        write HTML report into given file
+
+    fetch_remote_resources
+        download remote content referenced by XCCDF (True or False)
+
+    tailoring_file
+        use given XCCDF Tailoring file
+
+    tailoring_id
+        use given DS component as XCCDF Tailoring file
+
+    remediate
+        automatically execute XCCDF fix elements for failed rules.
+        Use of this option is always at your own risk. (True or False)
+
+    CLI Example:
+
+    .. code-block:: bash
+
+        salt '*'  openscap.xccdf_eval /usr/share/openscap/scap-yast2sec-xccdf.xml profile=Default
+
+    """
+    success = True
+    error = None
+    upload_dir = None
+    returncode = None
+    if not ovalfiles:
+        ovalfiles = []
+
+    cmd_opts = ["oscap", "xccdf", "eval"]
+    if oval_results:
+        cmd_opts.append("--oval-results")
+    if results:
+        cmd_opts.append("--results")
+        cmd_opts.append(results)
+    if report:
+        cmd_opts.append("--report")
+        cmd_opts.append(report)
+    if profile:
+        cmd_opts.append("--profile")
+        cmd_opts.append(profile)
+    if rule:
+        cmd_opts.append("--rule")
+        cmd_opts.append(rule)
+    if tailoring_file:
+        cmd_opts.append("--tailoring-file")
+        cmd_opts.append(tailoring_file)
+    if tailoring_id:
+        cmd_opts.append("--tailoring-id")
+        cmd_opts.append(tailoring_id)
+    if fetch_remote_resources:
+        cmd_opts.append("--fetch-remote-resources")
+    if remediate:
+        cmd_opts.append("--remediate")
+    cmd_opts.append(xccdffile)
+    cmd_opts.extend(ovalfiles)
+
+    if not os.path.exists(xccdffile):
+        success = False
+        error = "XCCDF File '{}' does not exist".format(xccdffile)
+    for ofile in ovalfiles:
+        if success and not os.path.exists(ofile):
+            success = False
+            error = "Oval File '{}' does not exist".format(ofile)
+
+    if success:
+        tempdir = tempfile.mkdtemp()
+        proc = Popen(cmd_opts, stdout=PIPE, stderr=PIPE, cwd=tempdir)
+        (stdoutdata, error) = proc.communicate()
+        success = _OSCAP_EXIT_CODES_MAP.get(proc.returncode, False)
+        if proc.returncode < 0:
+            error += "\nKilled by signal {}\n".format(proc.returncode).encode("ascii")
+        returncode = proc.returncode
+        if success:
+            if not __salt__["cp.push_dir"](tempdir):
+                success = False
+                error = "There was an error uploading openscap results files to salt master. Please check logs."
+            upload_dir = tempdir
+        shutil.rmtree(tempdir, ignore_errors=True)
+
+    return dict(
+        success=success, upload_dir=upload_dir, error=error, returncode=returncode
+    )
+
+
 def xccdf(params):
     """
     Run ``oscap xccdf`` commands on minions.
@@ -70,6 +201,10 @@ def xccdf(params):
 
         salt '*'  openscap.xccdf "eval --profile Default /usr/share/openscap/scap-yast2sec-xccdf.xml"
     """
+    salt.utils.versions.warn_until(
+        3009,
+        "The 'xccdf' function has been deprecated, please use 'xccdf_eval' instead",
+    )
     params = shlex.split(params)
     policy = params[-1]
 
@@ -92,10 +227,14 @@ def xccdf(params):
         tempdir = tempfile.mkdtemp()
         proc = Popen(shlex.split(cmd), stdout=PIPE, stderr=PIPE, cwd=tempdir)
         (stdoutdata, error) = proc.communicate()
-        success = _OSCAP_EXIT_CODES_MAP[proc.returncode]
+        success = _OSCAP_EXIT_CODES_MAP.get(proc.returncode, False)
+        if proc.returncode < 0:
+            error += "\nKilled by signal {}\n".format(proc.returncode).encode("ascii")
         returncode = proc.returncode
         if success:
-            __salt__["cp.push_dir"](tempdir)
+            if not __salt__["cp.push_dir"](tempdir):
+                success = False
+                error = "There was an error uploading openscap results files to salt master. Please check logs."
             shutil.rmtree(tempdir, ignore_errors=True)
             upload_dir = tempdir