Revert, Reimplement "greater than or equal" and adjust tests and docs accordingly

Author: macko1

docs/templates/template_reference.md

@@ -466,6 +466,13 @@ they must be of the same length.
     -   **arg_variable** - the variable used as the value for the argument, eg. `'var_slub_debug_options'`
         This parameter is mutually exclusive with **arg_value**.
 
+    -   **operation** - (optional) OVAL operation used to compare the
+        collected argument value with the expected value. Default value:
+        `pattern match`. When set to a numeric operation such as
+        `greater than or equal`, the OVAL check captures only the
+        numeric portion of the argument and compares it as an integer.
+        Works with both **arg_variable** and **arg_value**.
+
 -   Languages: Ansible, Bash, OVAL, Blueprint, Kickstart
 
 #### grub2_bootloader_argument_absent

linux_os/guide/auditing/grub2_audit_backlog_limit_argument/rule.yml

@@ -51,3 +51,4 @@ template:
     vars:
         arg_name: audit_backlog_limit
         arg_variable: var_audit_backlog_limit
+        operation: greater than or equal

shared/templates/grub2_bootloader_argument/oval.template

@@ -1,13 +1,43 @@
 import ssg.utils
 
+VALID_OPERATIONS = {
+    "pattern match",
+    "greater than or equal",
+}
+
 
 def preprocess(data, lang):
+    # arg_value and arg_variable are mutually exclusive
     if 'arg_value' in data and 'arg_variable' in data:
         raise RuntimeError(
                 "ERROR: The template should not set both 'arg_value' and 'arg_variable'.\n"
                 "arg_name: {0}\n"
                 "arg_variable: {1}".format(data['arg_value'], data['arg_variable']))
 
+    # Default and validate the OVAL comparison operation (oval.template
+    # branches on "pattern match" vs "greater than or equal" for state checks)
+    if "operation" not in data:
+        data["operation"] = "pattern match"
+
+    if data["operation"] not in VALID_OPERATIONS:
+        raise RuntimeError(
+            f"ERROR: Invalid operation '{data['operation']}' for rule "
+            f"'{data['_rule_id']}'. "
+            f"Must be one of: {sorted(VALID_OPERATIONS)}"
+        )
+
+    # Placeholder values substituted into tests/*.sh scenarios via
+    # TEST_CORRECT_VALUE / TEST_WRONG_VALUE (e.g. grub2_bootloader_argument_remediation calls)
+    if data["operation"] == "pattern match":
+        data["test_correct_value"] = "correct_value"
+        data["test_wrong_value"] = "wrong_value"
+    elif data["operation"] == "greater than or equal":
+        data["test_correct_value"] = "200"
+        data["test_wrong_value"] = "199"
+
+    # Build ARG_NAME_VALUE ("name=value") used in oval.template comments/metadata,
+    # bash.template remediation, and ansible.template remediation.
+    # When arg_variable is set the value comes from an XCCDF variable at eval time.
     if 'arg_variable' in data:
         data["arg_name_value"] = data["arg_name"]
     else:
@@ -19,11 +49,13 @@ def preprocess(data, lang):
     if 'is_substring' not in data:
         data["is_substring"] = "false"
 
+    # OVAL-specific: escape dots for regex patterns in oval.template
+    # (ESCAPED_ARG_NAME_VALUE in state subexpressions, ESCAPED_ARG_NAME in object patterns)
     if lang == "oval":
-        # escape dot, this is used in oval regex
         data["escaped_arg_name_value"] = data["arg_name_value"].replace(".", "\\.")
         data["escaped_arg_name"] = data["arg_name"].replace(".", "\\.")
-        # replace . with _, this is used in test / object / state ids
 
+    # SANITIZED_ARG_NAME: used as component of OVAL IDs (test_grub2_<name>_*,
+    # obj_grub2_<name>_*, state_grub2_<name>_*) and bash bootc .toml filenames
     data["sanitized_arg_name"] = ssg.utils.escape_id(data["arg_name"])
     return data

shared/templates/grub2_bootloader_argument/template.py

@@ -4,8 +4,8 @@
 # packages = grub2,grubby
 
 {{%- if ARG_VARIABLE %}}
-# variables = {{{ ARG_VARIABLE }}}=correct_value
-{{%- set ARG_NAME_VALUE= ARG_NAME ~ "=correct_value" %}}
+# variables = {{{ ARG_VARIABLE }}}={{{ TEST_CORRECT_VALUE }}}
+{{%- set ARG_NAME_VALUE= ARG_NAME ~ "=" ~ TEST_CORRECT_VALUE %}}
 {{%- endif %}}
 
 source common.sh

shared/templates/grub2_bootloader_argument/tests/arg_not_in_entries.fail.sh

@@ -3,8 +3,8 @@
 # platform = multi_platform_all
 
 {{%- if ARG_VARIABLE %}}
-# variables = {{{ ARG_VARIABLE }}}=correct_value
-{{%- set ARG_NAME_VALUE= ARG_NAME ~ "=correct_value" %}}
+# variables = {{{ ARG_VARIABLE }}}={{{ TEST_CORRECT_VALUE }}}
+{{%- set ARG_NAME_VALUE= ARG_NAME ~ "=" ~ TEST_CORRECT_VALUE %}}
 {{%- endif %}}
 
 source common.sh

shared/templates/grub2_bootloader_argument/tests/arg_not_in_etcdefaultgrub.fail.sh

@@ -2,8 +2,8 @@
 
 # platform = multi_platform_all
 {{%- if ARG_VARIABLE %}}
-# variables = {{{ ARG_VARIABLE }}}=correct_value
-{{%- set ARG_NAME_VALUE= ARG_NAME ~ "=correct_value" %}}
+# variables = {{{ ARG_VARIABLE }}}={{{ TEST_CORRECT_VALUE }}}
+{{%- set ARG_NAME_VALUE= ARG_NAME ~ "=" ~ TEST_CORRECT_VALUE %}}
 {{%- endif %}}
 
 source common.sh

shared/templates/grub2_bootloader_argument/tests/arg_not_in_etcdefaultgrub_recovery_disabled.fail.sh

@@ -4,8 +4,8 @@
 # packages = grub2,grubby
 
 {{%- if ARG_VARIABLE %}}
-# variables = {{{ ARG_VARIABLE }}}=correct_value
-{{%- set ARG_NAME_VALUE= ARG_NAME ~ "=correct_value" %}}
+# variables = {{{ ARG_VARIABLE }}}={{{ TEST_CORRECT_VALUE }}}
+{{%- set ARG_NAME_VALUE= ARG_NAME ~ "=" ~ TEST_CORRECT_VALUE %}}
 {{%- endif %}}
 
 source common.sh

shared/templates/grub2_bootloader_argument/tests/arg_not_in_grubenv_and_not_referenced.pass.sh

@@ -3,8 +3,8 @@
 # platform = Oracle Linux 8,Red Hat Enterprise Linux 8
 # packages = grub2,grubby
 {{%- if ARG_VARIABLE %}}
-# variables = {{{ ARG_VARIABLE }}}=correct_value
-{{%- set ARG_NAME_VALUE= ARG_NAME ~ "=correct_value" %}}
+# variables = {{{ ARG_VARIABLE }}}={{{ TEST_CORRECT_VALUE }}}
+{{%- set ARG_NAME_VALUE= ARG_NAME ~ "=" ~ TEST_CORRECT_VALUE %}}
 {{%- endif %}}
 
 source common.sh

shared/templates/grub2_bootloader_argument/tests/arg_not_in_grubenv_but_referenced.fail.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+
+{{% if OPERATION == "pattern match" %}}
+# platform = Not Applicable
+{{% else %}}
+# platform = multi_platform_all
+{{% endif %}}
+{{%- if 'ubuntu' in product %}}
+# packages = grub2
+{{%- else %}}
+# packages = grub2,grubby
+{{%- endif %}}
+{{%- if ARG_VARIABLE %}}
+# variables = {{{ ARG_VARIABLE }}}={{{ TEST_CORRECT_VALUE }}}
+{{% endif %}}
+
+source common.sh
+
+{{{ grub2_bootloader_argument_remediation(ARG_NAME, ARG_NAME ~ "=" ~ TEST_WRONG_VALUE) }}}