chef 17.4.38-universal-mingw32 → 17.5.22-universal-mingw32

data/lib/chef/secret_fetcher/akeyless_vault.rb

@@ -0,0 +1,57 @@
+#
+# Author:: Marc Paradise (<marc@chef.io>)
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative "base"
+require_relative "hashi_vault"
+
+class Chef
+  class SecretFetcher
+    # == Chef::SecretFetcher::AKeylessVault
+    # A fetcher that fetches a secret from AKeyless Vault.  Initial implementation is
+    # based on HashiVault , because AKeyless provides a compatibility layer that makes this possible.
+    # Future revisions will use native akeyless authentication.
+    #
+    # Required config:
+    # :access_id - the access id of the API key
+    # :access_key - the access key of the API key
+    #
+    #
+    # @example
+    #
+    # fetcher = SecretFetcher.for_service(:akeyless_vault, { access_id: "my-access-id", access_key: "my-access-key"  }, run_context )
+    # fetcher.fetch("/secret/data/secretkey1")
+    #
+    AKEYLESS_VAULT_PROXY_ADDR = "https://hvp.akeyless.io".freeze
+    class AKeylessVault < HashiVault
+      def validate!
+        if config[:access_key].nil?
+          raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the secret access key in the configuration as :secret_access_key")
+        end
+        if config[:access_id].nil?
+          raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the access key id in the configuration as :access_key_id")
+        end
+
+        config[:vault_addr] ||= AKEYLESS_VAULT_PROXY_ADDR
+        config[:auth_method] = :token
+        config[:token] = "#{config[:access_id]}..#{config[:access_key]}"
+        super
+      end
+    end
+  end
+end
+

data/lib/chef/secret_fetcher/aws_secrets_manager.rb

@@ -52,7 +52,7 @@ class Chef
       end
 
       # @param identifier [String] the secret_id
-      # @param version [String] the secret version. Not usd at this time
+      # @param version [String] the secret version.
       # @return Aws::SecretsManager::Types::GetSecretValueResponse
       def do_fetch(identifier, version)
         client = Aws::SecretsManager::Client.new(config)

data/lib/chef/secret_fetcher/azure_key_vault.rb

@@ -2,7 +2,7 @@ require_relative "base"
 
 class Chef
   class SecretFetcher
-    # == Chef::SecretFetcher::AWSSecretsManager
+    # == Chef::SecretFetcher::AzureKeyVault
     # A fetcher that fetches a secret from Azure Key Vault. Supports fetching with version.
     #
     # In this initial iteration this authenticates via token obtained from the OAuth2  /token

data/lib/chef/secret_fetcher/base.rb

@@ -56,7 +56,7 @@ class Chef
       # @raise [Chef::Exceptions::Secret::ConfigurationInvalid] if it is not.
       def validate!; end
 
-      # Called to fetch the secret identified by 'identifer'.  Implementations
+      # Called to fetch the secret identified by 'identifier'.  Implementations
       # should expect that `validate!` has been invoked before `do_fetch`.
       #
       # @param identifier [Object] Unique identifier of the secret to be retrieved.

data/lib/chef/secret_fetcher/hashi_vault.rb

@@ -0,0 +1,100 @@
+#
+# Author:: Marc Paradise (<marc@chef.io>)
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative "base"
+require "aws-sdk-core" # Support for aws instance profile auth
+require "vault"
+class Chef
+  class SecretFetcher
+    # == Chef::SecretFetcher::HashiVault
+    # A fetcher that fetches a secret from Hashi Vault.
+    #
+    # Does not yet support fetching with version when a versioned key store is in use.
+    # In this initial iteration the only supported authentication is IAM role-based
+    #
+    # Required config:
+    # :auth_method - one of :iam_role, :token.  default: :iam_role
+    # :vault_addr - the address of a running Vault instance, eg https://vault.example.com:8200
+    #
+    # For `:token` auth: `:token` - a Vault token valid for authentication.
+    #
+    # For `:iam_role`:  `:role_name` - the name of the role in Vault that was created
+    # to support authentication via IAM.  See the Vault documentation for details[1].
+    # A Terraform example is also available[2]
+    #
+    #
+    # [1] https://www.vaultproject.io/docs/auth/aws#recommended-vault-iam-policy
+    # [2] https://registry.terraform.io/modules/hashicorp/vault/aws/latest/examples/vault-iam-auth
+    #             an IAM principal ARN bound to it.
+    #
+    # Optional config
+    # :namespace - the namespace under which secrets are kept.  Only supported in with Vault Enterprise
+    #
+    # @example
+    #
+    # fetcher = SecretFetcher.for_service(:hashi_vault, { role_name: "testing-role", vault_addr: https://localhost:8200}, run_context )
+    # fetcher.fetch("secretkey1")
+    #
+    # @example
+    #
+    # fetcher = SecretFetcher.for_service(:hashi_vault, { auth_method: :token, token: "s.1234abcdef", vault_addr: https://localhost:8200}, run_context )
+    # fetcher.fetch("secretkey1")
+    SUPPORTED_AUTH_TYPES = %i{iam_role token}.freeze
+    class HashiVault < Base
+
+      # Validate and authenticate the current session using the configured auth strategy and parameters
+      def validate!
+        if config[:vault_addr].nil?
+          raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the Vault address in the configuration as :vault_addr")
+        end
+
+        Vault.address = config[:vault_addr]
+        Vault.namespace = config[:namespace] unless config[:namespace].nil?
+
+        case config[:auth_method]
+        when :token
+          if config[:token].nil?
+            raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the token in the configuration as :token")
+          end
+
+          Vault.auth.token(config[:token])
+        when :iam_role, nil
+          if config[:role_name].nil?
+            raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the authenticating Vault role name in the configuration as :role_name")
+          end
+
+          Vault.auth.aws_iam(config[:role_name], Aws::InstanceProfileCredentials.new)
+        else
+          raise Chef::Exceptions::Secret::ConfigurationInvalid.new("Invalid :auth_method provided.  You gave #{config[:auth_method]}, expected one of :#{SUPPORTED_AUTH_TYPES.join(", :")} ")
+        end
+      end
+
+      # @param identifier [String] Identifier of the secret to be fetched, which should
+      # be the full path of that secret, eg 'secret/example'
+      # @param _version [String] not used in this implementation
+      # @return [Hash] containing key/value pairs stored at the location given in 'identifier'
+      def do_fetch(identifier, _version)
+        result = Vault.logical.read(identifier)
+        raise Chef::Exceptions::Secret::FetchFailed.new("No secret found at #{identifier}. Check to ensure that there is a secrets engine configured for that path") if result.nil?
+
+        result.data
+      end
+    end
+  end
+end
+

data/lib/chef/secret_fetcher.rb

@@ -21,7 +21,7 @@ require_relative "exceptions"
 class Chef
   class SecretFetcher
 
-    SECRET_FETCHERS = %i{example aws_secrets_manager azure_key_vault}.freeze
+    SECRET_FETCHERS = %i{example aws_secrets_manager azure_key_vault hashi_vault akeyless_vault}.freeze
 
     # Returns a configured and validated instance
     # of a [Chef::SecretFetcher::Base]  for the given
@@ -42,10 +42,16 @@ class Chef
                 when :azure_key_vault
                   require_relative "secret_fetcher/azure_key_vault"
                   Chef::SecretFetcher::AzureKeyVault.new(config, run_context)
+                when :hashi_vault
+                  require_relative "secret_fetcher/hashi_vault"
+                  Chef::SecretFetcher::HashiVault.new(config, run_context)
+                when :akeyless_vault
+                  require_relative "secret_fetcher/akeyless_vault"
+                  Chef::SecretFetcher::AKeylessVault.new(config, run_context)
                 when nil, ""
                   raise Chef::Exceptions::Secret::MissingFetcher.new(SECRET_FETCHERS)
                 else
-                  raise Chef::Exceptions::Secret::InvalidFetcherService.new("Unsupported secret service: #{service}", SECRET_FETCHERS)
+                  raise Chef::Exceptions::Secret::InvalidFetcherService.new("Unsupported secret service: '#{service}'", SECRET_FETCHERS)
                 end
       fetcher.validate!
       fetcher

data/lib/chef/version.rb

@@ -23,7 +23,7 @@ require_relative "version_string"
 
 class Chef
   CHEF_ROOT = File.expand_path("..", __dir__)
-  VERSION = Chef::VersionString.new("17.4.38")
+  VERSION = Chef::VersionString.new("17.5.22")
 end
 
 #

data/spec/functional/resource/archive_file_spec.rb

@@ -0,0 +1,87 @@
+#
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "spec_helper"
+require "tmpdir"
+
+# Exclude this test on platforms where ffi-libarchive loading is broken
+describe Chef::Resource::ArchiveFile, :libarchive_loading_broken do
+  include RecipeDSLHelper
+
+  let(:tmp_path) { Dir.mktmpdir }
+  let(:extract_destination) { "#{tmp_path}/extract_here" }
+  let(:test_archive_path) { File.expand_path("archive_file/test_archive.tar.gz", CHEF_SPEC_DATA) }
+
+  after do
+    FileUtils.remove_entry_secure(extract_destination) if File.exist?(extract_destination)
+  end
+
+  context "when strip_components is 0" do
+    it "extracts archive to destination" do
+      af = archive_file test_archive_path do
+        destination extract_destination
+      end
+      af.should_be_updated
+
+      expect(af.strip_components).to eq(0) # Validate defaults haven't changed here
+      expect(Dir.glob("#{extract_destination}/**/*").length).to eq(4)
+      expect(Dir.exist?("#{extract_destination}/folder-1")).to eq(true)
+      expect(File.exist?("#{extract_destination}/folder-1/file-1.txt")).to eq(true)
+      expect(Dir.exist?("#{extract_destination}/folder-1/folder-2")).to eq(true)
+      expect(File.exist?("#{extract_destination}/folder-1/folder-2/file-2.txt")).to eq(true)
+    end
+  end
+
+  context "when strip_components is 1" do
+    it "extracts archive to destination, with 1 component stripped" do
+      archive_file test_archive_path do
+        destination extract_destination
+        strip_components 1
+      end.should_be_updated
+
+      expect(Dir.exist?("#{extract_destination}/folder-1")).to eq(false)
+      expect(File.exist?("#{extract_destination}/folder-1/file-1.txt")).to eq(false)
+      expect(Dir.exist?("#{extract_destination}/folder-1/folder-2")).to eq(false)
+      expect(File.exist?("#{extract_destination}/folder-1/folder-2/file-2.txt")).to eq(false)
+
+      expect(Dir.glob("#{extract_destination}/**/*").length).to eq(3)
+      expect(File.exist?("#{extract_destination}/file-1.txt")).to eq(true)
+      expect(Dir.exist?("#{extract_destination}/folder-2")).to eq(true)
+      expect(File.exist?("#{extract_destination}/folder-2/file-2.txt")).to eq(true)
+    end
+  end
+
+  context "when strip_components is 2" do
+    it "extracts archive to destination, with 2 components stripped" do
+      archive_file test_archive_path do
+        destination extract_destination
+        strip_components 2
+      end.should_be_updated
+
+      expect(Dir.exist?("#{extract_destination}/folder-1")).to eq(false)
+      expect(File.exist?("#{extract_destination}/folder-1/file-1.txt")).to eq(false)
+      expect(Dir.exist?("#{extract_destination}/folder-1/folder-2")).to eq(false)
+      expect(File.exist?("#{extract_destination}/folder-1/folder-2/file-2.txt")).to eq(false)
+      expect(File.exist?("#{extract_destination}/file-1.txt")).to eq(false)
+      expect(Dir.exist?("#{extract_destination}/folder-2")).to eq(false)
+      expect(File.exist?("#{extract_destination}/folder-2/file-2.txt")).to eq(false)
+
+      expect(Dir.glob("#{extract_destination}/**/*").length).to eq(1)
+      expect(File.exist?("#{extract_destination}/file-2.txt")).to eq(true)
+    end
+  end
+end

data/spec/functional/resource/group_spec.rb

@@ -44,6 +44,10 @@ describe Chef::Resource::Group, :requires_root_or_running_windows do
       members.shift # Get rid of GroupMembership: string
       members.include?(user)
     else
+      # TODO For some reason our temporary AIX 7.2 system does not correctly report group membership immediately after changes have been made.
+      # Adding a 2 second delay for this platform is enough to get correct results.
+      # We hope to remove this delay after we get more permanent AIX 7.2 systems in our CI pipeline. reference: https://github.com/chef/release-engineering/issues/1617
+      sleep 2 if aix? && (ohai[:platform_version] == "7.2")
       Etc.getgrnam(group_name).mem.include?(user)
     end
   end
@@ -181,7 +185,7 @@ describe Chef::Resource::Group, :requires_root_or_running_windows do
 
     describe "when the users exist" do
       before do
-        high_uid = 30000
+        high_uid = 40000
         (spec_members).each do |member|
           remove_user(member)
           create_user(member, high_uid)

data/spec/functional/resource/link_spec.rb

@@ -345,9 +345,17 @@ describe Chef::Resource::Link do
             let(:test_user) { "test-link-user" }
             before do
               user(test_user).run_action(:create)
+              # TODO For some reason our temporary AIX 7.2 system does not correctly report user existence immediately after changes have been made.
+              # Adding a 2 second delay for this platform is enough to get correct results.
+              # We hope to remove this delay after we get more permanent AIX 7.2 systems in our CI pipeline. reference: https://github.com/chef/release-engineering/issues/1617
+              sleep 2 if aix? && (ohai[:platform_version] == "7.2")
             end
             after do
               user(test_user).run_action(:remove)
+              # TODO For some reason our temporary AIX 7.2 system does not correctly report user existence immediately after changes have been made.
+              # Adding a 2 second delay for this platform is enough to get correct results.
+              # We hope to remove this delay after we get more permanent AIX 7.2 systems in our CI pipeline. reference: https://github.com/chef/release-engineering/issues/1617
+              sleep 2 if aix? && (ohai[:platform_version] == "7.2")
             end
             before(:each) do
               resource.owner(test_user)

data/spec/integration/compliance/compliance_spec.rb

@@ -80,4 +80,64 @@ describe "chef-client with compliance phase" do
       expect(result["status"]).to eq("passed")
     end
   end
+
+  when_the_repository "has a compliance segment" do
+    let(:report_file) { path_to("report_file.json") }
+
+    before do
+      directory "cookbooks/x" do
+        directory "compliance" do
+          directory "profiles/my_profile" do
+            file "inspec.yml", <<~FILE
+              ---
+              name: my-profile
+            FILE
+
+            directory "controls" do
+              file "my_control.rb", <<~FILE
+                control "my control" do
+                  describe Dir.home do
+                    it { should be_kind_of String }
+                  end
+                end
+              FILE
+            end
+          end
+        end
+        file "attributes/default.rb", <<~FILE
+        default['audit']['reporter'] = "json-file"
+        default['audit']['json_file'] = {
+              "location" => "#{report_file}"
+            }
+        FILE
+        file "recipes/default.rb", <<~FILE
+          include_profile ".*::.*"
+        FILE
+      end
+      file "config/client.rb", <<~EOM
+        local_mode true
+        cookbook_path "#{path_to("cookbooks")}"
+        log_level :warn
+      EOM
+    end
+
+    it "should complete with success" do
+      result = shell_out!("#{chef_client} -c \"#{path_to("config/client.rb")}\" -r 'recipe[x]'", cwd: chef_dir)
+      result.error!
+
+      inspec_report = JSON.parse(File.read(report_file))
+      expect(inspec_report["profiles"].length).to eq(1)
+
+      profile = inspec_report["profiles"].first
+      expect(profile["name"]).to eq("my-profile")
+      expect(profile["controls"].length).to eq(1)
+
+      control = profile["controls"].first
+      expect(control["id"]).to eq("my control")
+      expect(control["results"].length).to eq(1)
+
+      result = control["results"].first
+      expect(result["status"]).to eq("passed")
+    end
+  end
 end

data/spec/spec_helper.rb

@@ -68,6 +68,7 @@ end
 require "spec/support/local_gems" if File.exist?(File.join(File.dirname(__FILE__), "support", "local_gems.rb"))
 
 # Explicitly require spec helpers that need to load first
+require "spec/support/ruby_installer"
 require "spec/support/platform_helpers"
 require "spec/support/shared/unit/mock_shellout"
 
@@ -186,6 +187,8 @@ RSpec.configure do |config|
   config.filter_run_excluding not_rhel7: true if rhel7?
   config.filter_run_excluding not_intel_64bit: true if intel_64bit?
 
+  config.filter_run_excluding libarchive_loading_broken: true if aix? || amazon_linux? || rhel7?
+
   # these let us use chef: ">= 13" or ruby: "~> 2.0.0" or any other Gem::Dependency-style constraint
   config.filter_run_excluding chef: DependencyProc.with(Chef::VERSION)
   config.filter_run_excluding ruby: DependencyProc.with(RUBY_VERSION)

data/spec/support/platform_helpers.rb

@@ -163,6 +163,10 @@ def aix?
   RUBY_PLATFORM.include?("aix")
 end
 
+def amazon_linux?
+  ohai[:platform_family] == "amazon"
+end
+
 def wpar?
   !((ohai[:virtualization] || {})[:wpar_no].nil?)
 end

data/spec/support/ruby_installer.rb

@@ -0,0 +1,51 @@
+#
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+def add_libarchive_dll_directory
+  require "ruby_installer"
+  libarchive_paths = Dir.glob("{#{Gem.dir},C:/hab}/**/libarchive.dll").map { |f| File.expand_path(f) }
+  if libarchive_paths.empty?
+    $stderr.puts <<~EOL
+      !!!!
+        We couldn't find a libarchive.dll in #{Gem.dir} or C:/hab
+
+        If this is running in a CI/CD environment, this may end up causing failures
+        in the tests for archive_file. If this is not running in a CI/CD
+        environment then it may be safe to ignore this. That is especially true if
+        you're not using the Ruby Installer as your Ruby runtime.
+      !!!!
+    EOL
+    return
+  end
+
+  $stderr.puts "\nFound the following libarchive paths:\n\n#{libarchive_paths.map { |f| "- #{f}\n" }.join}\n\n"
+  libarchive_path = libarchive_paths.first
+  libarchive_dir = File.dirname(libarchive_path)
+
+  if defined?(RubyInstaller::Build) && RubyInstaller::Build.methods.include?(:add_dll_directory)
+    $stderr.puts "Adding #{libarchive_dir} as a DLL load path using RubyInstaller::Build#add_dll_directory"
+    RubyInstaller::Build.add_dll_directory(libarchive_dir)
+  elsif defined?(RubyInstaller::Runtime) && RubyInstaller::Runtime.methods.include?(:add_dll_directory)
+    $stderr.puts "Adding #{libarchive_dir} as a DLL load path using RubyInstaller::Runtime#add_dll_directory"
+    RubyInstaller::Runtime.add_dll_directory(libarchive_dir)
+  else
+    $stderr.puts "Unable to find the right namespace to call #add_dll_directory! Please raise an issue on [GitHub](https://github.com/chef/chef/issues/new/choose)."
+  end
+rescue LoadError
+  $stderr.puts "Failed to load ruby_installer. Assuming Ruby Installer is not being used."
+end
+
+add_libarchive_dll_directory if RUBY_PLATFORM =~ /mswin|mingw32|windows/

data/spec/unit/compliance/input_spec.rb

@@ -0,0 +1,104 @@
+#
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "spec_helper"
+require "tempfile"
+
+describe Chef::Compliance::Input do
+  let(:events) { Chef::EventDispatch::Dispatcher.new }
+  let(:data) { { "ssh-01" => { "expiration_date" => Date.jd(2463810), "justification" => "waived, yo", "run" => false } } }
+  let(:path) { "/var/chef/cache/cookbooks/acme_compliance/compliance/inputs/default.yml" }
+  let(:cookbook_name) { "acme_compliance" }
+  let(:input) { Chef::Compliance::Input.new(events, data, path, cookbook_name) }
+
+  it "has a cookbook_name" do
+    expect(input.cookbook_name).to eql(cookbook_name)
+  end
+
+  it "has a path" do
+    expect(input.path).to eql(path)
+  end
+
+  it "has a pathname based on the path" do
+    expect(input.pathname).to eql("default")
+  end
+
+  it "is disabled" do
+    expect(input.enabled).to eql(false)
+    expect(input.enabled?).to eql(false)
+  end
+
+  it "has an event handler" do
+    expect(input.events).to eql(events)
+  end
+
+  it "can be enabled by enable!" do
+    input.enable!
+    expect(input.enabled).to eql(true)
+    expect(input.enabled?).to eql(true)
+  end
+
+  it "enabling sends an event" do
+    expect(events).to receive(:compliance_input_enabled).with(input)
+    input.enable!
+  end
+
+  it "can be disabled by disable!" do
+    input.enable!
+    input.disable!
+    expect(input.enabled).to eql(false)
+    expect(input.enabled?).to eql(false)
+  end
+
+  it "has a #inspec_data method that renders the data" do
+    expect(input.inspec_data).to eql(data)
+  end
+
+  it "doesn't render the events in the inspect output" do
+    expect(input.inspect).not_to include("events")
+  end
+
+  it "inflates objects from YAML" do
+    string = <<~EOH
+ssh-01:
+  expiration_date: 2033-07-31
+  run: false
+  justification: "waived, yo"
+    EOH
+    newinput = Chef::Compliance::Input.from_yaml(events, string, path, cookbook_name)
+    expect(newinput.data).to eql(data)
+  end
+
+  it "inflates objects from files" do
+    string = <<~EOH
+ssh-01:
+  expiration_date: 2033-07-31
+  run: false
+  justification: "waived, yo"
+    EOH
+    tempfile = Tempfile.new("chef-compliance-test")
+    tempfile.write string
+    tempfile.close
+    newinput = Chef::Compliance::Input.from_file(events, tempfile.path, cookbook_name)
+    expect(newinput.data).to eql(data)
+  end
+
+  it "inflates objects from hashes" do
+    newinput = Chef::Compliance::Input.from_hash(events, data, path, cookbook_name)
+    expect(newinput.data).to eql(data)
+  end
+end