Change template.py of grub2_bootloader_argument to support numeric comparison

macko1 · macko1 · commit 4a538ba6cda2 · 2026-04-17T00:19:29.000+02:00
- audit_backlog_limit needs &gt;= comparison
- Test scenarios now use TEST_CORRECT_VALUE/TEST_WRONG_VALUE
  instead of hardcoded strings.
diff --git a/shared/templates/grub2_bootloader_argument/template.py b/shared/templates/grub2_bootloader_argument/template.py
@@ -1,29 +1,56 @@
 import ssg.utils
 
+VALID_OPERATIONS = {
+    "pattern match",
+    "greater than or equal",
+}
+
 
 def preprocess(data, lang):
+    # arg_value and arg_variable are mutually exclusive
     if 'arg_value' in data and 'arg_variable' in data:
         raise RuntimeError(
                 "ERROR: The template should not set both 'arg_value' and 'arg_variable'.\n"
                 "arg_name: {0}\n"
                 "arg_variable: {1}".format(data['arg_value'], data['arg_variable']))
 
-    if 'arg_variable' in data:
+    # Fallback to pattern match operation if not set
+    if "operation" not in data:
+        data["operation"] = "pattern match"
+
+    # Placeholder values substituted into tests/*.sh scenarios via
+    # TEST_CORRECT_VALUE / TEST_WRONG_VALUE (e.g. grub2_bootloader_argument_remediation calls)  
+    match data["operation"]:
+        case "pattern match":
+            data["test_correct_value"] = "correct_value"
+            data["test_wrong_value"] = "wrong_value"
+        case "greater than or equal":
+            data["test_correct_value"] = "200"
+            data["test_wrong_value"] = "199"
+        case _:
+            raise RuntimeError(
+                f"ERROR: Invalid operation '{data['operation']}' for rule "
+                f"'{data['_rule_id']}'. "
+                f"Must be one of: {sorted(VALID_OPERATIONS)}"
+            )
+
+    # Build ARG_NAME_VALUE ("name=value") used in oval.template comments/metadata,
+    # bash.template remediation, and ansible.template remediation.
+    # When arg_variable is set the value comes from an XCCDF variable at eval time.
+    
+    if 'arg_variable' in data or "arg_value" not in data:
         data["arg_name_value"] = data["arg_name"]
     else:
-        if "arg_value" in data:
             data["arg_name_value"] = data["arg_name"] + "=" + data["arg_value"]
-        else:
-            data["arg_name_value"] = data["arg_name"]
 
     if 'is_substring' not in data:
         data["is_substring"] = "false"
 
-    if lang == "oval":
-        # escape dot, this is used in oval regex
-        data["escaped_arg_name_value"] = data["arg_name_value"].replace(".", "\\.")
-        data["escaped_arg_name"] = data["arg_name"].replace(".", "\\.")
-        # replace . with _, this is used in test / object / state ids
-
+    # OVAL-specific: escape dots for regex patterns in oval.template
+    # (ESCAPED_ARG_NAME_VALUE in state subexpressions, ESCAPED_ARG_NAME in object patterns)
+    data["escaped_arg_name_value"] = data["arg_name_value"].replace(".", "\\.")
+    data["escaped_arg_name"] = data["arg_name"].replace(".", "\\.")
+    # SANITIZED_ARG_NAME: used as component of OVAL IDs (test_grub2_<name>_*,
+    # obj_grub2_<name>_*, state_grub2_<name>_*) and bash bootc .toml filenames
     data["sanitized_arg_name"] = ssg.utils.escape_id(data["arg_name"])
     return data
