ComplianceAsCode · jan-cerny · Jul 8, 2025 · Jul 4, 2025 · Jul 4, 2025 · Jul 7, 2025
@@ -199,14 +199,22 @@ def _update_profile_with_policy(profile: ProfileSelections, policy: Policy, leve
         profile (ProfileSelections): The profile to be updated.
         policy (Policy): The policy containing controls to update the profile with.
         level (str): The level of controls to be processed. If 'all', all controls are processed.
-                     Otherwise, only controls matching the specified level are processed.
+                     Otherwise, only controls matching the specified level are processed honoring
+                     inheritance.
 
     Returns:
         None
     """
-    for control in policy.controls:
-        if level == 'all' or level in control.levels:
-            _process_control(profile, control)
+    inherited_levels = getattr(policy.levels_by_id.get(level), "inherits_from", []) or []
+    for inherited_level in inherited_levels:
+        _update_profile_with_policy(profile, policy, inherited_level)
+
+    controls = (
+        policy.controls if level == 'all'
+        else [ctrl for ctrl in policy.controls if level in ctrl.levels]
+    )
+    for control in controls:
+        _process_control(profile, control)
 
 
 def _process_controls(profile: ProfileSelections, control_line: str,
@@ -281,18 +289,17 @@ def _process_profile(profile: ProfileSelections, profile_yaml: dict, profiles_fi
     return profile
 
 
-def _load_controls_manager(controls_dir: str, product_yaml: dict) -> object:
+def _load_controls_manager(controls_dir: str) -> object:
     """
     Loads and initializes a ControlsManager instance.
 
     Args:
         controls_dir (str): The directory containing control files.
-        product_yaml (dict): The product configuration in YAML format.
 
     Returns:
         object: An instance of ControlsManager with loaded controls.
     """
-    control_mgr = ControlsManager(controls_dir, product_yaml)
+    control_mgr = ControlsManager(controls_dir)
     control_mgr.load()
     return control_mgr
 
@@ -333,7 +340,7 @@ def get_profiles_from_products(content_dir: str, products: list,
         product_yaml = _load_product_yaml(content_dir, product)
         product_title = product_yaml.get("full_name")
         profiles_files = get_profile_files_from_root(product_yaml, product_yaml)
-        controls_manager = _load_controls_manager(controls_dir, product_yaml)
+        controls_manager = _load_controls_manager(controls_dir)
         for file in profiles_files:
             profile_id = os.path.basename(file).split('.profile')[0]
             profile_yaml = _load_yaml_profile_file(file)

@@ -57,13 +57,13 @@ controls:
     levels:
       - medium
     rules:
-      - configure_crypto_policy
+      - file_groupownership_sshd_private_key
       - var_system_crypto_policy=fips
 
   - id: S7
     title: Future Crypto Policy
     levels:
       - high
     rules:
-      - configure_crypto_policy
+      - sshd_set_keepalive
       - var_system_crypto_policy=future
@@ -8,6 +8,5 @@ description: |-
 
 selections:
     - abcd-levels:all:medium
-    - file_groupownership_sshd_private_key
     - sshd_set_keepalive
     - var_sshd_set_keepalive=1
@@ -22,5 +22,13 @@ def test_get_profiles_from_products():
 
     assert len(profiles) == count_profiles_in_products_dir(products[0])
     assert 'rhel' in profiles[0].product_id
-    assert len(profiles[0].rules) > 0
-    assert len(profiles[0].variables) > 0
+    assert len(profiles[0].rules) == 3
+    assert len(profiles[0].variables) == 3
+
+    # The testing profile uses "abcd-levels:all:medium", which explicitly includes
+    # "file_groupownership_sshd_private_key" as a rule in level "medium". It should also inherit
+    # "configure_crypto_policy" from level "low". Finally, it should include "sshd_set_keepalive"
+    # defined in the profile file.
+    assert 'configure_crypto_policy' in profiles[0].rules   # from level "low"
+    assert 'file_groupownership_sshd_private_key' in profiles[0].rules  # from level "medium"
+    assert 'sshd_set_keepalive' in profiles[0].rules  # from profile file
@@ -66,11 +66,11 @@ def test_get_variable_options(tmp_path):
 
 
 def test_get_variables_by_products():
-    products = ["rhel9"]
-    content_dir = os.path.abspath(os.path.join(os.path.dirname(__file__), "../../.."))
+    products = ["rhel8"]
+    content_dir = os.path.abspath(os.path.join(os.path.dirname(__file__), "data/content_dir"))
     result = get_variables_by_products(str(content_dir), products)
-    assert "var_selinux_policy_name" in result
-    assert "rhel9" in result["var_selinux_policy_name"]
+    assert "var_sshd_set_keepalive" in result
+    assert "rhel8" in result["var_sshd_set_keepalive"]
 
 
 def test_get_variable_values(tmp_path):