test/cases: OpenSCAP cloudapi tests

Run a basic check to see that the tailoring file has been created when
adding tailoring rules to the OpenSCAP config. Since the OpenSCAP scan
requires more memory and breaks some of the API tests, a full scan is
not run in the cloudapi tests.

test/cases/api.sh

@@ -394,6 +394,28 @@ esac
 export CUSTOM_GPG_KEY
 export REPOSITORY_CUSTOMIZATION_BLOCK
 
+# Define the customizations for the images here to not have to repeat them
+# in every image-type specific file.
+case "${IMAGE_TYPE}" in
+  # The Directories and Files customization is not supported for this image type.
+  "$IMAGE_TYPE_EDGE_INSTALLER")
+    OPENSCAP_CUSTOMIZATION_BLOCK=
+    ;;
+  *)
+    OPENSCAP_CUSTOMIZATION_BLOCK=$(cat <<EOF
+,
+    "openscap": {
+        "profile_id": "pci-dss",
+        "tailoring": {
+          "unselected": [ "rpm_verify_permissions" ]
+        }
+    }
+EOF
+)
+  ;;
+esac
+export OPENSCAP_CUSTOMIZATION_BLOCK
+
 # generate a temp key for user tests
 ssh-keygen -t rsa-sha2-512 -f "${WORKDIR}/usertest" -C "usertest" -N ""
 

test/cases/api/aws.sh

@@ -63,7 +63,7 @@ function createReqFile() {
         "name": "user2",
         "key": "$(cat "${WORKDIR}/usertest.pub")"
       }
-    ]${SUBSCRIPTION_BLOCK}${DIR_FILES_CUSTOMIZATION_BLOCK}${REPOSITORY_CUSTOMIZATION_BLOCK}
+    ]${SUBSCRIPTION_BLOCK}${DIR_FILES_CUSTOMIZATION_BLOCK}${REPOSITORY_CUSTOMIZATION_BLOCK}${OPENSCAP_CUSTOMIZATION_BLOCK}
   },
   "image_request": {
       "architecture": "$ARCH",

test/cases/api/azure.sh

@@ -84,7 +84,7 @@ function createReqFile() {
     "packages": [
       "postgresql",
       "dummy"
-    ]${SUBSCRIPTION_BLOCK}${DIR_FILES_CUSTOMIZATION_BLOCK}${REPOSITORY_CUSTOMIZATION_BLOCK}
+    ]${SUBSCRIPTION_BLOCK}${DIR_FILES_CUSTOMIZATION_BLOCK}${REPOSITORY_CUSTOMIZATION_BLOCK}${OPENSCAP_CUSTOMIZATION_BLOCK}
   },
   "image_request": {
     "architecture": "$ARCH",

test/cases/api/common/common.sh

@@ -55,6 +55,9 @@ function _instanceCheck() {
   verify_dirs_files_customization "$_ssh"
 
   verify_repository_customization "$_ssh"
+
+  verify_openscap_customization "$_ssh"
+
 }
 
 WORKER_REFRESH_TOKEN_PATH="/etc/osbuild-worker/token"
@@ -173,3 +176,26 @@ function verify_repository_customization {
     exit 1
   fi
 }
+
+# Verify that tailoring file was created
+function verify_openscap_customization {
+  echo "✔️ Checking OpenSCAP customizations"
+  local _ssh="$1"
+  local _error=0
+
+  # NOTE: We are only checking the creation of the tailoring file and ensuring it exists
+  # since running openscap tests here requires more memory and causes some out-of-memory issues.
+  local tailoring_file_content
+  tailoring_file_content=$($_ssh cat /usr/share/xml/osbuild-openscap-data/tailoring.xml \
+      | grep 'idref="xccdf_org.ssgproject.content_rule_rpm_verify_permissions" selected="false"' -c
+  )
+  if [[ "$tailoring_file_content" -eq 0 ]]; then
+    echo "File /usr/share/xml/osbuild-openscap-data/tailoring.xml has wrong content"
+    _error=1
+  fi
+
+  if [[ "$_error" == "1" ]]; then
+    echo "Testing of OpenSCAP customizations has failed."
+    exit 1
+  fi
+}

test/cases/api/common/s3.sh

@@ -78,7 +78,7 @@ function createReqFileGuest() {
         "name": "user2",
         "key": "$(cat "${WORKDIR}/usertest.pub")"
       }
-    ]${SUBSCRIPTION_BLOCK}${DIR_FILES_CUSTOMIZATION_BLOCK}${REPOSITORY_CUSTOMIZATION_BLOCK}
+    ]${SUBSCRIPTION_BLOCK}${DIR_FILES_CUSTOMIZATION_BLOCK}${REPOSITORY_CUSTOMIZATION_BLOCK}${OPENSCAP_CUSTOMIZATION_BLOCK}
   },
   "image_request": {
     "architecture": "$ARCH",

test/cases/api/gcp.sh

@@ -71,7 +71,7 @@ function createReqFile() {
     "packages": [
       "postgresql",
       "dummy"
-    ]${SUBSCRIPTION_BLOCK}${DIR_FILES_CUSTOMIZATION_BLOCK}${REPOSITORY_CUSTOMIZATION_BLOCK}
+    ]${SUBSCRIPTION_BLOCK}${DIR_FILES_CUSTOMIZATION_BLOCK}${REPOSITORY_CUSTOMIZATION_BLOCK}${OPENSCAP_CUSTOMIZATION_BLOCK}
   },
   "image_request": {
     "architecture": "$ARCH",