Add gitpod support

.github/workflows/compare-ds.yaml

@@ -34,7 +34,7 @@ jobs:
           repository: mildas/content-test-filtering
           path: ctf
       - name: Detect content changes in the PR
-        run: python3 ./ctf/content_test_filtering.py pr --base ${{ steps.fork_point.outputs.FORK_POINT }} --verbose --rule --output json ${{ github.event.pull_request.number }} > output.json
+        run: python3 ./ctf/content_test_filtering.py pr --base ${{ steps.fork_point.outputs.FORK_POINT }} --remote_repo ${{ github.server_url }}/${{ github.repository }}  --verbose --rule --output json ${{ github.event.pull_request.number }} > output.json
       - name: Test if there are no content changes
         run: echo "::set-output name=CTF_OUTPUT_SIZE::$(stat --printf="%s" output.json)"
         id: ctf

.github/workflows/ctf.yaml

@@ -1,6 +1,6 @@
 name: Gating
 on:
-  pull_request:
+  pull_request_target:
     branches: [ master, 'stabilization*' ]
 jobs:
   content-test-filtering:
@@ -11,26 +11,69 @@ jobs:
         uses: mstksg/get-package@master
         with:
           apt-get: git python3-jinja2 python3-yaml python3-setuptools python3-deepdiff python3-git python3-github python3-requests xmldiff
-      # TODO: Use action's checkout along with --local and --repository options of ctf
-      # See: https://github.community/t/how-to-commit-to-two-branches-from-an-action/17713/4
       - name: Checkout
         uses: actions/checkout@v2
         with:
+          ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 0
       - name: Find forking point
         env:
           BASE_BRANCH: ${{ github.base_ref }}
         run: echo "::set-output name=FORK_POINT::$(git merge-base origin/$BASE_BRANCH ${{ github.event.pull_request.head.sha }})"
         id: fork_point
+      - name: Checkout fork point
+        uses: actions/checkout@v2
+        with:
+          ref: ${{ steps.fork_point.outputs.FORK_POINT }}
+          fetch-depth: 0
       - name: Checkout (CTF)
         uses: actions/checkout@v2
         with:
           repository: mildas/content-test-filtering
           path: ctf
-      - name: Process (see the output for recommended tests)
-        run: python3 ./ctf/content_test_filtering.py pr --base ${{ steps.fork_point.outputs.FORK_POINT }} --verbose --output-format markdown ${{ github.event.pull_request.number }} # > ctf.md
-      # TODO: We can't do this for now: github.token is incapable of writing to the PR, and we can't provide our own
-      # for PRs coming from forked repos
-      # TODO: mshick/add-pr-comment@v1 and alike won't work as well
-      #- name: Update the PR
-      #  run: python3 ./ctf/utility_scripts/comment_pr.py --token ${{ github.token }} --pr ${{ github.event.pull_request.number }} --comment ctf.md
+      - name: Detect content changes in the PR
+        run: python3 ./ctf/content_test_filtering.py pr --base ${{ steps.fork_point.outputs.FORK_POINT }} --remote_repo ${{ github.server_url }}/${{ github.repository }} --verbose --rule --output json ${{ github.event.pull_request.number }} > output.json
+      - name: Test if there are no content changes
+        run: echo "::set-output name=CTF_OUTPUT_SIZE::$(stat --printf="%s" output.json)"
+        id: ctf
+      - name: Print changes to content detected if any
+        if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
+        run: cat output.json
+      - name: Get product attribute
+        if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
+        id: product
+        uses: notiz-dev/github-action-json-property@release
+        with:
+          path: 'output.json'
+          prop_path: 'product'
+      - name: Find Comment
+        uses: peter-evans/find-comment@v1
+        id: fc
+        with:
+          issue-number: ${{ github.event.pull_request.number }}
+          comment-author: 'github-actions[bot]'
+          body-includes: Start a new ephemeral environment with changes proposed in this pull request
+      - name: Create or update comment
+        if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
+        uses: peter-evans/create-or-update-comment@v1
+        with:
+          comment-id: ${{ steps.fc.outputs.comment-id }}
+          issue-number: ${{ github.event.pull_request.number }}
+          body: |
+            Start a new ephemeral environment with changes proposed in this pull request:
+
+            [![Open in Gitpod](https://gitpod.io/button/open-in-gitpod.svg)](https://gitpod.io/#PRODUCT=${{steps.product.outputs.prop}}/${{ github.server_url }}/${{ github.repository }}/pulls/${{ github.event.pull_request.number }})
+
+          edit-mode: replace
+      - name: Create or update a trimmed comment
+        if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE == '0' }}
+        uses: peter-evans/create-or-update-comment@v1
+        with:
+          comment-id: ${{ steps.fc.outputs.comment-id }}
+          issue-number: ${{ github.event.pull_request.number }}
+          body: |
+            Start a new ephemeral environment with changes proposed in this pull request:
+
+            [![Open in Gitpod](https://gitpod.io/button/open-in-gitpod.svg)](https://gitpod.io/#${{ github.server_url }}/${{ github.repository }}/pulls/${{ github.event.pull_request.number }})
+
+          edit-mode: replace

.github/workflows/ssgts.yaml

@@ -28,7 +28,7 @@ jobs:
         run: echo "::set-output name=FORK_POINT::$(git merge-base origin/$BASE_BRANCH ${{ github.event.pull_request.head.sha }})"
         id: fork_point
       - name: Detect content changes in the PR
-        run: python3 ./ctf/content_test_filtering.py pr --base ${{ steps.fork_point.outputs.FORK_POINT }} --verbose --rule --output json ${{ github.event.pull_request.number }} > output.json
+        run: python3 ./ctf/content_test_filtering.py pr --base ${{ steps.fork_point.outputs.FORK_POINT }} --remote_repo ${{ github.server_url }}/${{ github.repository }}  --verbose --rule --output json ${{ github.event.pull_request.number }} > output.json
       - name: Test if there are no content changes
         run: echo "::set-output name=CTF_OUTPUT_SIZE::$(stat --printf="%s" output.json)"
         id: ctf

.gitpod.Dockerfile

@@ -0,0 +1,25 @@
+FROM gitpod/workspace-full
+USER gitpod
+RUN sudo apt-get update -q && \
+    sudo apt-get install -yq \
+        cmake \
+        ninja-build \
+        libopenscap8 \
+        libxml2-utils \
+        expat \
+        xsltproc \
+        python3-jinja2 \
+        python3-yaml \
+        python3-setuptools \
+        ansible-lint \
+        python3-github \
+        bats \
+        python3-pytest \
+        python3-pytest-cov
+
+RUN pip install docker ansible
+
+RUN wget https://raw.githubusercontent.com/OpenSCAP/openscap/maint-1.3/utils/oscap-ssh && \
+      sudo chmod 755 oscap-ssh && \
+      sudo mv -v oscap-ssh /usr/local/bin && \
+      sudo chown root:root /usr/local/bin/oscap-ssh

.gitpod.launch.json

@@ -0,0 +1,93 @@
+{
+  // Use IntelliSense to learn about possible attributes.
+  // Hover to view descriptions of existing attributes.
+  // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
+  "version": "0.2.0",
+  "inputs": [
+      {
+      "id": "pickContainerName",
+      "description": "Select Container Name",
+      "type": "pickString",
+      "options": ["ssg_test_suite"],
+      "default": "ssg_test_suite"
+      },
+      {
+      "id": "pickProductName",
+      "description": "Select Product Name",
+      "type": "pickString",
+      "options": [
+          "chromium",
+          "debian8", "debian9", "debian10",
+          "eap6",
+          "fedora",
+          "firefox",
+          "fuse6",
+          "jre",
+          "macos1015",
+          "ocp4",
+          "ol7", "ol8",
+          "opensuse","rhel7", "rhel8", "rhel9",
+          "rhosp10", "rhosp13",
+          "rhv4",
+          "sle12", "sle15",
+          "ubuntu1604", "ubuntu1804", "ubuntu2004",
+          "wrlinux8", "wrlinux1019"
+      ],
+      "default": "&&DEFAULT_PRODUCT&&"
+      },
+      {
+      "id": "pickRemediationType",
+      "description": "Select Remediation Type",
+      "type": "pickString",
+      "options": ["oscap", "bash", "ansible"],
+      "default": "bash"
+      }
+  ],
+  "configurations": [
+    {
+      "name": "Run SSGTS using Docker backend",
+      "type": "python",
+      "request": "launch",
+      "console": "integratedTerminal",
+      "program": "${workspaceFolder}/tests/test_suite.py",
+      "args": [
+          "rule",
+          "--dontclean",
+          "--debug",
+          "--docker",
+          "${input:pickContainerName}",
+          "--datastream",
+          "${workspaceFolder}/build/ssg-${input:pickProductName}-ds.xml",
+          "--remediate-using",
+          "${input:pickRemediationType}",
+          "--remove-machine-only",
+          "--remove-ocp4-only",
+          "--add-product-to-fips-certified",
+          "fedora",
+          "--add-platform",
+          "cpe:/o:fedoraproject:fedora:35",
+          "${command:content-navigator.getRuleId}"
+      ]
+    },
+    {
+      "name": "Run SSGTS using Docker backend (test_rule_in_container.sh)",
+      "type": "bashdb",
+      "request": "launch",
+      "program": "${workspaceFolder}/tests/test_rule_in_container.sh",
+      "args": [
+          "--dontclean",
+          "--docker",
+          "--name",
+          "${input:pickContainerName}",
+          "--datastream",
+          "${workspaceFolder}/build/ssg-${input:pickProductName}-ds.xml",
+          "--remediate-using",
+          "${input:pickRemediationType}",
+          "${command:content-navigator.getRuleId}"
+      ],
+      "env": {
+        "ADDITIONAL_SSGTS_OPTIONS": "--debug --duplicate-templates --add-product-to-fips-certified fedora"
+      }
+    }
+  ]
+}

.gitpod.yml

@@ -0,0 +1,19 @@
+# Commands to start on workspace startup
+image:
+  file: .gitpod.Dockerfile
+
+vscode:
+  extensions:
+    - ggbecker.content-navigator
+    - ms-vscode.live-server
+    - rogalmic.bash-debug # support bashdb debug configurations
+
+tasks:
+  - name: Prepare Env
+    init: |
+      [ -z "$PRODUCT" ] && PRODUCT="fedora"
+      mkdir -p .vscode && cp .gitpod.launch.json .vscode/launch.json
+      sed -i "s/&&DEFAULT_PRODUCT&&/$PRODUCT/g" .vscode/launch.json
+      ssh-keygen -N '' -f ~/.ssh/id_rsa
+      docker build --build-arg "CLIENT_PUBLIC_KEY=$(cat ~/.ssh/id_rsa.pub)" -t ssg_test_suite -f Dockerfiles/test_suite-fedora .
+      ./build_product $PRODUCT --datastream-only

README.md

@@ -12,6 +12,7 @@
 [![Scrutinizer Code Quality](https://scrutinizer-ci.com/g/ComplianceAsCode/content/badges/quality-score.png?b=master)](https://scrutinizer-ci.com/g/ComplianceAsCode/content/?branch=master)
 [![Profile Statistics](https://jenkins.complianceascode.io/job/scap-security-guide-stats/badge/icon?subject=Statistics)](https://jenkins.complianceascode.io/job/scap-security-guide-stats/Statistics/)
 [![Join the chat at https://gitter.im/Compliance-As-Code-The/content](https://badges.gitter.im/Compliance-As-Code-The/content.svg)](https://gitter.im/Compliance-As-Code-The/content?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
+[![Gitpod ready-to-code](https://img.shields.io/badge/Gitpod-ready--to--code-908a85?logo=gitpod)](https://gitpod.io/#https://github.com/ComplianceAsCode/content)
 
 <a href="docs/readme_images/report_sample.png"><img align="right" width="250" src="docs/readme_images/report_sample.png" alt="Evaluation report sample"></a>
 

tests/test_rule_in_container.sh

@@ -8,6 +8,7 @@
 # ARG_OPTIONAL_SINGLE([logdir],[l],[Directory where logs will be stored])
 # ARG_OPTIONAL_BOOLEAN([dontclean],[],[Dont remove HTML reports from the log directory.])
 # ARG_OPTIONAL_BOOLEAN([dry-run],[],[Just print the test suite command-line.])
+# ARG_OPTIONAL_BOOLEAN([--docker],[],[Use Docker instead of Podman as container backend.])
 # ARG_USE_ENV([ADDITIONAL_SSGTS_OPTIONS],[],[Whitespace-separated string of arguments to pass to SSGTS])
 # ARG_POSITIONAL_SINGLE([rule],[The short rule ID. Wildcards are supported.])
 # ARG_TYPE_GROUP_SET([remediations],[REMEDIATION],[remediate-using],[oscap,bash,ansible])
@@ -60,12 +61,13 @@ _arg_remediate_using="oscap"
 _arg_logdir=
 _arg_dontclean="off"
 _arg_dry_run="off"
+_arg_docker="off"
 
 
 print_help()
 {
 	printf '%s\n' "Test a rule using the container backend."
-	printf 'Usage: %s [-n|--name <arg>] [-s|--scenarios <arg>] [-d|--datastream <arg>] [-r|--remediate-using <REMEDIATION>] [--dontclean] [--dry-run] [-h|--help] <rule>\n' "$0"
+	printf 'Usage: %s [-n|--name <arg>] [-s|--scenarios <arg>] [-d|--datastream <arg>] [-r|--remediate-using <REMEDIATION>] [-l|--logdir <DIRECTORY>] [--dontclean] [--dry-run] [--docker] [-h|--help] <rule>\n' "$0"
 	printf '\t%s\n' "<rule>: The short rule ID. Wildcards are supported."
 	printf '\t%s\n' "-n, --name: Name of the test image (default: 'ssg_test_suite')"
 	printf '\t%s\n' "-s, --scenarios: Regex to reduce selection of tested scenarios (default: '')"
@@ -74,6 +76,7 @@ print_help()
 	printf '\t%s\n' "-l, --logdir: Directory where logs will be stored"
 	printf '\t%s\n' "--dontclean: Dont remove HTML reports from the log directory."
 	printf '\t%s\n' "--dry-run: Just print the test suite command-line."
+	printf '\t%s\n' "--docker: Use Docker instead of Podman as container backend."
 	printf '\t%s\n' "-h, --help: Prints help"
 	printf '\nEnvironment variables that are supported:\n'
 	printf '\t%s\n' "ADDITIONAL_SSGTS_OPTIONS: Whitespace-separated string of arguments to pass to SSGTS."
@@ -148,6 +151,9 @@ parse_commandline()
 			--dry-run)
 				_arg_dry_run="on"
 				;;
+			--docker)
+				_arg_docker="on"
+				;;
 			-h|--help)
 				print_help
 				exit 0
@@ -200,9 +206,15 @@ script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" || { echo "Couldn't d
 
 ### END OF CODE GENERATED BY Argbash (sortof) ### ])
 # [ <-- needed because of Argbash
+CONTAINER_BACKEND="podman"
+CONTAINER_OPT="--container"
+if test "$_arg_docker" = on; then
+	CONTAINER_BACKEND="docker"
+	CONTAINER_OPT="--docker"
+fi
 
-podman images | grep -q "$_arg_name" || die "Couldn't find the podman image '$_arg_name'"
-test_image_cpe_product=$(podman run --rm "$_arg_name" sh -c '. /etc/os-release && echo "$CPE_NAME"')
+$CONTAINER_BACKEND images | grep -q "$_arg_name" || die "Couldn't find the podman image '$_arg_name'"
+test_image_cpe_product=$($CONTAINER_BACKEND run --rm "$_arg_name" sh -c '. /etc/os-release && echo "$CPE_NAME"')
 test -n "$test_image_cpe_product" || die "Unable to deduce the product CPE from the container's /etc/os-release file."
 
 additional_args=()
@@ -217,7 +229,7 @@ test -n "$_arg_remediate_using" && additional_args+=(--remediate-using "$_arg_re
 
 test -n "$_arg_logdir" && additional_args+=(--logdir "$_arg_logdir")
 
-command=(python3 "${script_dir}/test_suite.py" rule ${ADDITIONAL_SSGTS_OPTIONS} --remove-machine-only --remove-ocp4-only "${additional_args[@]}" --add-platform "$test_image_cpe_product" --container "$_arg_name" -- "${_arg_rule}")
+command=(python3 "${script_dir}/test_suite.py" rule ${ADDITIONAL_SSGTS_OPTIONS} --remove-machine-only --remove-ocp4-only "${additional_args[@]}" --add-platform "$test_image_cpe_product" $CONTAINER_OPT "$_arg_name" -- "${_arg_rule}")
 if test "$_arg_dry_run" = on; then
 	printf '%s\n' "${command[*]}"
 else