reports per node

Author: CamrynCarter

shell/models/compliance.cattle.io.clusterscan.js

@@ -196,17 +196,33 @@ export default class ClusterScan extends SteveModel {
 
     try {
       const benchmark = await this._resolveBenchmark();
-      const { generateXCCDF } = await import(/* webpackChunkName: "xccdf" */'@shell/utils/xccdf');
+      const { generateXCCDFPerNode } = await import(/* webpackChunkName: "xccdf" */'@shell/utils/xccdf');
 
-      const xml = generateXCCDF({
-        report:           report.parsedReport || {},
-        benchmarkVersion: report.parsedReport?.version || benchmark?.spec?.benchmarkVersion || '',
+      const parsed = report.parsedReport || {};
+      const common = {
+        report:           parsed,
+        benchmarkVersion: parsed.version || benchmark?.spec?.benchmarkVersion || '',
         metadata:         benchmark?.spec?.benchmarkMetadata || {},
         stigChecks:       benchmark?.spec?.stigChecks || {},
-        clusterName:      this.spec?.clusterName,
+      };
+
+      const toZip = {};
+
+      Object.entries(parsed.nodes || {}).forEach(([role, hosts]) => {
+        (hosts || []).forEach((hostname) => {
+          const xml = generateXCCDFPerNode({
+            ...common, hostname, role,
+          });
+
+          toZip[`${ labelFor(report) }--${ hostname }.xml`] = xml;
+        });
       });
 
-      downloadFile(`${ labelFor(report) }.xml`, xml, 'application/xml');
+      if (!isEmpty(toZip)) {
+        const zip = await generateZip(toZip);
+
+        downloadFile(`${ labelFor(report) }-per-node.zip`, zip, 'application/zip');
+      }
     } catch (err) {
       this.$dispatch('growl/fromError', { title: 'Error downloading file', err }, { root: true });
     }
@@ -218,27 +234,36 @@ export default class ClusterScan extends SteveModel {
 
     try {
       const benchmark = await this._resolveBenchmark();
-      const { generateXCCDF } = await import(/* webpackChunkName: "xccdf" */'@shell/utils/xccdf');
+      const { generateXCCDFPerNode } = await import(/* webpackChunkName: "xccdf" */'@shell/utils/xccdf');
 
       reports.forEach((report) => {
         try {
-          const xml = generateXCCDF({
-            report:           report.parsedReport || {},
-            benchmarkVersion: report.parsedReport?.version || benchmark?.spec?.benchmarkVersion || '',
+          const parsed = report.parsedReport || {};
+          const common = {
+            report:           parsed,
+            benchmarkVersion: parsed.version || benchmark?.spec?.benchmarkVersion || '',
             metadata:         benchmark?.spec?.benchmarkMetadata || {},
             stigChecks:       benchmark?.spec?.stigChecks || {},
-            clusterName:      this.spec?.clusterName,
-          });
+          };
+          const folder = labelFor(report);
+
+          Object.entries(parsed.nodes || {}).forEach(([role, hosts]) => {
+            (hosts || []).forEach((hostname) => {
+              const xml = generateXCCDFPerNode({
+                ...common, hostname, role,
+              });
 
-          toZip[`${ labelFor(report) }.xml`] = xml;
+              toZip[`${ folder }/${ hostname }.xml`] = xml;
+            });
+          });
         } catch (err) {
           this.$dispatch('growl/fromError', { title: 'Error downloading file', err }, { root: true });
         }
       });
 
       if (!isEmpty(toZip)) {
         generateZip(toZip).then((zip) => {
-          downloadFile(`${ this.id }-reports-xccdf`, zip, 'application/zip');
+          downloadFile(`${ this.id }-reports-xccdf-per-node.zip`, zip, 'application/zip');
         });
       }
     } catch (err) {

shell/utils/__tests__/xccdf.test.ts

@@ -1,4 +1,4 @@
-import { generateXCCDF } from '@shell/utils/xccdf';
+import { generateXCCDF, generateXCCDFPerNode } from '@shell/utils/xccdf';
 
 describe('xccdf util: generateXCCDF', () => {
   const baseReport = {
@@ -193,3 +193,199 @@ describe('xccdf util: generateXCCDF', () => {
     expect(xml).toContain('id="xccdf_compliance-operator_rule_5.1.1"');
   });
 });
+
+describe('xccdf util: generateXCCDFPerNode', () => {
+  const multiNodeReport = {
+    version: '1.0',
+    total:   3,
+    pass:    1,
+    nodes:   { master: ['m-1'], node: ['w-1', 'w-2'] },
+    results: [{
+      id:          '1.1',
+      description: 'Master Node Configuration',
+      checks:      [{
+        id:          '1.1.1',
+        description: 'master check',
+        scored:      true,
+        state:       'pass' as const,
+      }],
+    }, {
+      id:          '4.1',
+      description: 'Worker Node Configuration',
+      checks:      [{
+        id:          '4.1.1',
+        description: 'mixed check',
+        scored:      true,
+        state:       'mixed' as const,
+        nodes:       ['w-2'],
+      }, {
+        id:          '4.1.2',
+        description: 'failing check',
+        scored:      false,
+        state:       'fail' as const,
+      }],
+    }],
+  };
+
+  it('emits a single <target> equal to the hostname', () => {
+    const xml = generateXCCDFPerNode({
+      report: multiNodeReport, benchmarkVersion: 'cis-1.7', hostname: 'w-1', role: 'node',
+    });
+
+    expect(xml).toContain('<target>w-1</target>');
+    expect(xml).not.toContain('<target>w-2</target>');
+    expect(xml).not.toContain('<target>m-1</target>');
+  });
+
+  it('assigns each per-node document a TestResult id suffixed with the hostname so co-loaded files do not collide', () => {
+    const a = generateXCCDFPerNode({
+      report: multiNodeReport, benchmarkVersion: 'cis-1.7', hostname: 'w-1', role: 'node',
+    });
+    const b = generateXCCDFPerNode({
+      report: multiNodeReport, benchmarkVersion: 'cis-1.7', hostname: 'w-2', role: 'node',
+    });
+
+    expect(a).toContain('<TestResult id="xccdf_compliance-operator_testresult_1_w-1"');
+    expect(b).toContain('<TestResult id="xccdf_compliance-operator_testresult_1_w-2"');
+    expect(a).not.toContain('id="xccdf_compliance-operator_testresult_1_w-2"');
+  });
+
+  it('emits every rule from the cluster report regardless of role', () => {
+    const workerXml = generateXCCDFPerNode({
+      report: multiNodeReport, benchmarkVersion: 'cis-1.7', hostname: 'w-1', role: 'node',
+    });
+    const masterXml = generateXCCDFPerNode({
+      report: multiNodeReport, benchmarkVersion: 'cis-1.7', hostname: 'm-1', role: 'master',
+    });
+
+    [workerXml, masterXml].forEach((xml) => {
+      expect(xml).toContain('xccdf_compliance-operator_rule_1.1.1');
+      expect(xml).toContain('xccdf_compliance-operator_rule_4.1.1');
+      expect(xml).toContain('xccdf_compliance-operator_rule_4.1.2');
+    });
+  });
+
+  it('maps mixed-state checks to fail for dissenting hosts and pass for the rest', () => {
+    const dissenter = generateXCCDFPerNode({
+      report: multiNodeReport, benchmarkVersion: 'cis-1.7', hostname: 'w-2', role: 'node',
+    });
+    const compliant = generateXCCDFPerNode({
+      report: multiNodeReport, benchmarkVersion: 'cis-1.7', hostname: 'w-1', role: 'node',
+    });
+
+    expect(dissenter).toMatch(/idref="xccdf_compliance-operator_rule_4\.1\.1"[\s\S]*?<result>fail<\/result>/);
+    expect(compliant).toMatch(/idref="xccdf_compliance-operator_rule_4\.1\.1"[\s\S]*?<result>pass<\/result>/);
+  });
+
+  it('treats mixed-state checks with no dissent list as pass for all nodes', () => {
+    const report = {
+      ...multiNodeReport,
+      results: [{
+        id:          '4.1',
+        description: 'g',
+        checks:      [{
+          id: '4.1.9', description: 'm', state: 'mixed' as const,
+        }],
+      }],
+    };
+    const xml = generateXCCDFPerNode({
+      report, benchmarkVersion: 'cis-1.7', hostname: 'w-1', role: 'node',
+    });
+
+    expect(xml).toMatch(/idref="xccdf_compliance-operator_rule_4\.1\.9"[\s\S]*?<result>pass<\/result>/);
+  });
+
+  it('recomputes pass count per node while preserving cluster total as the scoring denominator', () => {
+    const report = {
+      version: '1.0',
+      total:   2,
+      pass:    1,
+      nodes:   { node: ['w-1', 'w-2'] },
+      results: [{
+        id:          '1',
+        description: 'g',
+        checks:      [
+          {
+            id: 'a', description: 'a', state: 'pass' as const
+          },
+          {
+            id: 'b', description: 'b', state: 'mixed' as const, nodes: ['w-2'],
+          },
+        ],
+      }],
+    };
+    const compliant = generateXCCDFPerNode({
+      report, benchmarkVersion: 'cis-1.7', hostname: 'w-1', role: 'node',
+    });
+    const dissenter = generateXCCDFPerNode({
+      report, benchmarkVersion: 'cis-1.7', hostname: 'w-2', role: 'node',
+    });
+
+    expect(compliant).toMatch(/<score[^>]*>100\.0<\/score>/);
+    expect(dissenter).toMatch(/<score[^>]*>50\.0<\/score>/);
+  });
+
+  it('preserves full rule metadata (title, fixtext, idents, check) from the cluster report', () => {
+    const report = {
+      version: '1.0',
+      total:   1,
+      pass:    1,
+      nodes:   { node: ['w-1'] },
+      results: [{
+        id:          'V-254554',
+        description: 'controller manager group',
+        checks:      [{
+          id:          'V-254554',
+          description: 'use-service-account-credentials',
+          audit:       '/bin/ps -fC kube-controller-manager',
+          remediation: 'set use-service-account-credentials=true',
+          scored:      true,
+          state:       'pass' as const,
+        }],
+      }],
+    };
+    const xml = generateXCCDFPerNode({
+      report, benchmarkVersion: 'rke2-stig-1.31-rgs', hostname: 'w-1', role: 'node',
+    });
+
+    expect(xml).toContain('<Group id="V-254554">');
+    expect(xml).toContain('<check-content>/bin/ps -fC kube-controller-manager</check-content>');
+    expect(xml).toContain('set use-service-account-credentials=true');
+  });
+
+  it('passes through non-mixed states unchanged', () => {
+    const report = {
+      ...multiNodeReport,
+      results: [{
+        id:          '4.1',
+        description: 'g',
+        checks:      [
+          {
+            id: 'a', description: 'a', state: 'pass' as const
+          },
+          {
+            id: 'b', description: 'b', state: 'fail' as const
+          },
+          {
+            id: 'c', description: 'c', state: 'skip' as const
+          },
+          {
+            id: 'd', description: 'd', state: 'warn' as const
+          },
+          {
+            id: 'e', description: 'e', state: 'notApplicable' as const
+          },
+        ],
+      }],
+    };
+    const xml = generateXCCDFPerNode({
+      report, benchmarkVersion: 'cis-1.7', hostname: 'w-1', role: 'node',
+    });
+
+    expect(xml).toContain('<result>pass</result>');
+    expect(xml).toContain('<result>fail</result>');
+    expect(xml).toContain('<result>notselected</result>');
+    expect(xml).toContain('<result>informational</result>');
+    expect(xml).toContain('<result>notapplicable</result>');
+  });
+});

shell/utils/xccdf.ts

@@ -15,6 +15,11 @@ export interface XccdfReportCheck {
   audit?: string;
   scored?: boolean;
   state?: string;
+  nodes?: string[];
+  // eslint-disable-next-line camelcase
+  node_type?: string[];
+  // eslint-disable-next-line camelcase
+  actual_value_per_node?: Record<string, string>;
 }
 
 export interface XccdfReportGroup {
@@ -82,6 +87,8 @@ export interface GenerateXccdfArgs {
   targetFacts?: XccdfTargetFact[];
   /** Override the cluster name used for the <target> element. Falls back to metadata.clusterName, then derived node names. */
   clusterName?: string;
+  /** Override the TestResult @id. Required when multiple documents from the same benchmark will be co-loaded into a validator. */
+  testResultId?: string;
 }
 
 const na = (s?: string): string => (s && s.length > 0 ? s : NA);
@@ -184,6 +191,7 @@ export function generateXCCDF({
   targetAddresses,
   targetFacts,
   clusterName,
+  testResultId,
 }: GenerateXccdfArgs): string {
   const now = new Date();
   const timeStr = now.toISOString().replace(/\.\d{3}Z$/, 'Z');
@@ -301,7 +309,7 @@ export function generateXCCDF({
   const targets = clusterName ? [clusterName] : metadata.clusterName ? [metadata.clusterName] : collectTargets(report);
 
   const testResult = benchmark.ele('TestResult', {
-    id:            `${ ID_PREFIX }_${ TEST_RESULT_ID_SUFFIX }`,
+    id:            testResultId || `${ ID_PREFIX }_${ TEST_RESULT_ID_SUFFIX }`,
     'start-time':  timeStr,
     'end-time':    timeStr,
     version:       benchmarkVersion,
@@ -369,3 +377,42 @@ export function generateXCCDF({
 
   return doc.end({ prettyPrint: true });
 }
+
+export interface GenerateXccdfPerNodeArgs extends Omit<GenerateXccdfArgs, 'clusterName' | 'targetAddresses' | 'targetFacts'> {
+  hostname: string;
+  role: string;
+}
+
+const remapCheckForNode = (check: XccdfReportCheck, hostname: string): XccdfReportCheck => {
+  const isMixed = (check.state || '').toLowerCase() === 'mixed';
+  const state = isMixed ? ((check.nodes || []).includes(hostname) ? 'fail' : 'pass') : check.state;
+
+  return { ...check, state };
+};
+
+export function generateXCCDFPerNode(args: GenerateXccdfPerNodeArgs): string {
+  const {
+    report, hostname, role, ...rest
+  } = args;
+
+  const perNodeResults: XccdfReportGroup[] = (report.results || []).map((group) => ({
+    ...group,
+    checks: (group.checks || []).map((c) => remapCheckForNode(c, hostname)),
+  }));
+
+  const passForNode = perNodeResults
+    .flatMap((g) => g.checks || [])
+    .filter((c) => (c.state || '').toLowerCase() === 'pass').length;
+
+  return generateXCCDF({
+    ...rest,
+    report: {
+      ...report,
+      results: perNodeResults,
+      pass:    passForNode,
+      nodes:   { [role]: [hostname] },
+    },
+    clusterName:  hostname,
+    testResultId: `${ ID_PREFIX }_${ TEST_RESULT_ID_SUFFIX }_${ safeId(hostname) }`,
+  });
+}