Merge pull request #14060 from Mab879/per_product_control_files

Add per product control files

Author: vojtapolasek

build-scripts/compile_all.py

@@ -213,11 +213,15 @@ def main():
     load_benchmark_source_data_from_directory_tree(loader, env_yaml, product_yaml)
 
     controls_dir = os.path.join(project_root_abspath, "controls")
+    product_controls_dir = os.path.join(product_yaml['product_dir'], 'controls')
+    controls_dirs = [controls_dir]
+    if os.path.exists(product_controls_dir):
+        controls_dirs.append(product_controls_dir)
 
     existing_rules = find_existing_rules(project_root_abspath)
 
     controls_manager = ssg.controls.ControlsManager(
-        controls_dir, env_yaml, existing_rules)
+        controls_dirs, env_yaml, existing_rules)
     controls_manager.load()
     controls_manager.remove_selections_not_known(loader.all_rules)
     controls_manager.add_references(loader.all_rules)

docs/adr/0003_per_product_controls.md

@@ -0,0 +1,19 @@
+---
+content-version: 0.1.79
+title: ADR-0003 - Per Product Controls
+status: proposed
+---
+
+## Context
+As of late October 2025  there was over 50 control files in the `controls` folder.
+Many of these control files are product specific.
+The goal of this ADR is to help keep product specific information separate from the global standard like ANSSI.
+
+
+## Decision
+We will allow the creation of `controls` directory under each product.
+All product specific control files will be moved to the product specific control file.
+The product specific control files in `products/example/controls` can override the controls in `controls`.
+
+## Consequences
+This will create more places to look for control files, but it will help keep product specific information with the product.

docs/manual/developer/03_creating_content.md

@@ -837,6 +837,8 @@ controls:
        - systemd_target_multi_user
 ```
 
+Control files that apply to multiple products should be stored in `controls` folder in the root of the project.
+If the control file is only applicable to one product it should be store in the `controls` directory under the products folder.
 
 ### Defining levels
 

docs/manual/developer/04_style_guide.md

@@ -317,7 +317,8 @@ Benchmark sections must be in the following order, if they are present.
 
 ### Controls
 
-These rules apply to the files in `controls/`.
+These rules apply to the files in `controls/` and `products/*/controls`.
+Product specific controls should be stored under the respective controls directory.
 All the above [YAML](#yaml) rules apply.
 
 #### Control Sections

controls/bsi_sys_1_1_rhel9.yml renamed to products/rhel9/controls/bsi_sys_1_1_rhel9.yml

@@ -5,7 +5,9 @@
 import collections
 import os
 import copy
+import sys
 from glob import glob
+from typing import List, Dict
 
 import ssg.entities.common
 import ssg.yaml
@@ -369,6 +371,7 @@ class Policy(ssg.entities.common.XCCDFEntity):
         product (list): A list of products associated with the policy.
     """
     def __init__(self, filepath, env_yaml=None):
+        self.controls_dirs = []
         self.id = None
         self.env_yaml = env_yaml
         self.filepath = filepath
@@ -637,6 +640,7 @@ def load(self):
         controls_dir = yaml_contents.get("controls_dir")
         if controls_dir:
             self.controls_dir = os.path.join(os.path.dirname(self.filepath), controls_dir)
+            self.controls_dirs = [self.controls_dir]
         self.id = ssg.utils.required_key(yaml_contents, "id")
         self.policy = ssg.utils.required_key(yaml_contents, "policy")
         self.title = ssg.utils.required_key(yaml_contents, "title")
@@ -786,17 +790,17 @@ def add_references(self, rules):
             control.add_references(self.reference_type, rules)
 
 
-class ControlsManager():
+class ControlsManager:
     """
     Manages the loading, processing, and saving of control policies.
 
     Attributes:
-        controls_dir (str): The directory where control policy files are located.
+        controls_dirs (List[str]): The directories where control policy files are located.
         env_yaml (str, optional): The environment YAML file.
         existing_rules (dict, optional): Existing rules to check against.
         policies (dict): A dictionary of loaded policies.
     """
-    def __init__(self, controls_dir, env_yaml=None, existing_rules=None):
+    def __init__(self, controls_dirs: List[str], env_yaml=None, existing_rules=None):
         """
         Initializes the Controls class.
 
@@ -805,19 +809,25 @@ def __init__(self, controls_dir, env_yaml=None, existing_rules=None):
             env_yaml (str, optional): Path to the environment YAML file. Defaults to None.
             existing_rules (dict, optional): Dictionary of existing rules. Defaults to None.
         """
-        self.controls_dir = os.path.abspath(controls_dir)
+        self.controls_dirs = [os.path.abspath(controls_dir) for controls_dir in controls_dirs]
         self.env_yaml = env_yaml
         self.existing_rules = existing_rules
         self.policies = {}
 
     def _load(self, format):
-        if not os.path.exists(self.controls_dir):
-            return
-        for filename in sorted(glob(os.path.join(self.controls_dir, "*." + format))):
-            filepath = os.path.join(self.controls_dir, filename)
-            policy = Policy(filepath, self.env_yaml)
-            policy.load()
-            self.policies[policy.id] = policy
+        for controls_dir in self.controls_dirs:
+            if not os.path.isdir(controls_dir):
+                continue
+            for filepath in sorted(glob(os.path.join(controls_dir, "*." + format))):
+                policy = Policy(filepath, self.env_yaml)
+                policy.load()
+                if policy.id in self.policies:
+                    print(f"Policy {policy.id} was defined first at "
+                                     f"{self.policies[policy.id].filepath} and now another policy "
+                                     f"with the same ID is being loaded from {policy.filepath}."
+                                     f"Overriding with later.",
+                                     file=sys.stderr)
+                self.policies[policy.id] = policy
         self.check_all_rules_exist()
         self.resolve_controls()
 
@@ -948,7 +958,7 @@ def get_control(self, policy_id, control_id):
         control = policy.get_control(control_id)
         return control
 
-    def get_all_controls_dict(self, policy_id):
+    def get_all_controls_dict(self, policy_id: str) -> Dict[str, Control]:
         """
         Retrieve all controls for a given policy as a dictionary.
 
@@ -959,7 +969,6 @@ def get_all_controls_dict(self, policy_id):
             Dict[str, list]: A dictionary where the keys are control IDs and the values are lists
                              of controls.
         """
-        # type: (str) -> typing.Dict[str, list]
         policy = self._get_policy(policy_id)
         return policy.controls_by_id