Bug 1321534

Summary: [Patch] Make OVAL XML file cached in advance utilized in SCAP Oval test
Product: Red Hat Certification Program
Component: redhat-certification-commons
Version: 1.0
Reporter: Satoru SATOH <ssato>
Assignee: Shreyank Gupta <sgupta>
QA Contact: Swati Goswami <swgoswam>
CC: chkumar, jweng
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Type: Bug
Last Closed: 2020-02-06 08:47:18 UTC
Attachments: Patch to utilize the local cached Oval XML file if exists in /var/tmp (flags: none)

Description Satoru SATOH 2016-03-28 08:38:55 UTC
Created attachment 1140806
Patch to utilize the local cached Oval XML file if exists in /var/tmp

Description of problem:
rhcert-backend will try to fetch the OVAL XML file from the RH site when running
the SCAP Oval test during the certification process. But sometimes (actually,
very often) it's not possible to access the RH site directly from
certification target hosts in a cloud environment, and then the test fails.

The attached patch makes rhcert-backend try to utilize the OVAL XML file
fetched previously, maybe on another host that can connect to the RH site.

Version-Release number of selected component (if applicable):
redhat-certification-commons-1.0-1.el7


How reproducible:
The problem should happen if rhcert-backend runs on a host that
cannot access https://www.redhat.com


Steps to Reproduce:
Run rhcert-backend following the instructions at
https://access.redhat.com/articles/2058543.


Actual results:
The SCAP Oval test fails due to the lack of https access to https://www.redhat.com

Comment 1 Chandan Kumar 2016-03-28 09:16:25 UTC
Hello Satoru,

(In reply to Satoru SATOH from comment #0)
> Created attachment 1140806
> Patch to utilize the local cached Oval XML file if exists in /var/tmp
> 
> Description of problem:
> rhcert-backend will try to fetch the OVAL XML file from the RH site when running
> the SCAP Oval test during the certification process. But sometimes (actually,
> very often) it's not possible to access the RH site directly from
> certification target hosts in a cloud environment, and then the test fails.
> 
> The attached patch makes rhcert-backend try to utilize the OVAL XML file
> fetched previously, maybe on another host that can connect to the RH site.
> 

Thanks for submitting the patch. I will take a look.

This issue is already fixed in redhat-certification-commons-1.2-1.el7 which is released through errata https://errata.devel.redhat.com/advisory/22724 and the workaround for the same is updated in the CCSP user guide (How to run OVAL tests in offline environment): https://access.redhat.com/articles/2058543#InstalltheRequiredSoftwarePackages under step 4.

Here is the workaround:
$ cd /var/tmp
$ wget https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2 (For a RHEL 7 image)

We will update the version of redhat-certification-commons in the CCSP user-guide doc.
Feedback is welcome to improve the workaround for the same.

Thanks,

Chandan Kumar

Comment 2 Satoru SATOH 2016-03-28 17:41:23 UTC
Excuse me, I should have checked the latest but did not. Thank you for letting me know about it.

However, the logic of the latest code in that RPM looks very strange to me:

    def oval_guide(self):
        """
        Latest OVAL data to run test against

        If connected to the internet, download latest OVAL XML file.
        If not connected, check if user has manually made the file available
        at /var/tmp/
        If not, override core() to fail.
        """
        el = int(float(platform.dist()[1]))
        try:
            path = self.download_oval_guide(el)  # First, try to fetch anyway
        except:  # (pep8 violation, bare except)
            url = URL % el
            filename = os.path.basename(urllib2.urlparse.urlsplit(url).path)
            path = os.path.join(TMP, filename)  # If the above try fails, the local path will be returned.
        if os.path.exists(path):
            return path


It should check the local cache first like my patch anyway, to avoid
downloading the file more than twice even if it can connect to the RH site,
instead of the try, I think.
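
An added example (not rhcert code and not the attached patch) of the cache-first order proposed in comment 2, with checks on the cached file because /var/tmp is writable by every local user and the scan result depends on the definitions it loads. The URL template, the `download` callable and the `trusted_uids` parameter are assumptions, and the code is Python 3, unlike the Python 2 excerpt above.

```python
import bz2
import os
import stat
import xml.etree.ElementTree as ET

# Assumed template, inferred from the RHEL 7 URL in comment 1 and "URL % el".
URL = "https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL%d.xml.bz2"
TMP = "/var/tmp"  # world-writable, so a file found here is not trusted as-is


def cache_problem(path, trusted_uids=(0,)):
    """Return None if the cached file is usable, else the reason it is not."""
    try:
        # O_NOFOLLOW rejects a planted symlink; O_NONBLOCK avoids hanging on a FIFO.
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    except OSError:
        return "missing or a symlink"
    try:
        st = os.fstat(fd)  # inspect the file actually opened, not the path
        if not stat.S_ISREG(st.st_mode):
            return "not a regular file"
        if st.st_uid not in trusted_uids:
            return "untrusted owner"
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return "group/world writable"
        with os.fdopen(fd, "rb", closefd=False) as raw:
            root = ET.parse(bz2.BZ2File(raw)).getroot()
    except (OSError, EOFError, ET.ParseError):
        return "not bzip2-compressed XML"
    finally:
        os.close(fd)
    if not root.tag.endswith("}oval_definitions"):
        return "root element is not oval_definitions"
    return None


def oval_guide(el, download, cache_dir=TMP, trusted_uids=(0,)):
    """Cache first; call download(url, path) only when no usable cache exists."""
    url = URL % el
    path = os.path.join(cache_dir, os.path.basename(url))
    if cache_problem(path, trusted_uids) is None:
        return path
    try:
        download(url, path)
    except OSError:
        return None  # offline and nothing usable in the cache
    return path if cache_problem(path, trusted_uids) is None else None
```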

Comment 3 Chandan Kumar 2016-03-29 12:30:31 UTC
Hello Satoru,

(In reply to Satoru SATOH from comment #2)
> Excuse me, I should have checked the latest but did not. Thank you for letting
> me know about it.
> 
> However, the logic of the latest code in that RPM looks very strange to me:
> 
>     def oval_guide(self):
>         """
>         Latest OVAL data to run test against
> 
>         If connected to the internet, download latest OVAL XML file.
>         If not connected, check if user has manually made the file available
>         at /var/tmp/
>         If not, override core() to fail.
>         """
>         el = int(float(platform.dist()[1]))
>         try:
>             path = self.download_oval_guide(el)  # First, try to fetch anyway
>         except:  # (pep8 violation, bare except)
>             url = URL % el
>             filename = os.path.basename(urllib2.urlparse.urlsplit(url).path)
>             path = os.path.join(TMP, filename)  # If the above try fails, the local path will be returned.
>         if os.path.exists(path):
>             return path
> 
> 
> It should check the local cache first like my patch anyway, to avoid
> downloading the file more than twice even if it can connect to the RH site,
> instead of the try, I think.

I will apply the patch and let you know, and it will ship in the next release of redhat-certification-commons-1.3.

Thanks,

Chandan Kumar