cookstyle-ng 8.0.0

data/cookstyle.gemspec

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+lib = File.expand_path('lib', __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'cookstyle/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'cookstyle-ng'
+  spec.version       = Cookstyle::VERSION
+  spec.authors       = ['Thom May', 'Tim Smith']
+  spec.email         = ['thom@chef.io', 'tsmith84@gmail.com']
+  spec.summary       = 'Cookstyle is a code linting tool that helps you to write better Chef Infra cookbooks by detecting and automatically correcting style, syntax, and logic mistakes in your code.'
+  spec.license       = 'Apache-2.0'
+  spec.homepage      = 'https://docs.chef.io/workstation/cookstyle/'
+  spec.required_ruby_version = '>= 3.0'
+
+  # the gemspec and Gemfile are necessary for appbundling of the gem
+  spec.files = %w(LICENSE cookstyle.gemspec Gemfile) + Dir.glob('{lib,bin,config}/**/*')
+  spec.executables = %w(cookstyle)
+  spec.require_paths = ['lib']
+
+  spec.add_dependency('rubocop', Cookstyle::RUBOCOP_VERSION)
+
+  spec.metadata = {
+    'homepage_uri' => 'https://github.com/chef/cookstyle',
+    'changelog_uri' => 'https://github.com/chef/cookstyle/blob/main/CHANGELOG.md',
+    'source_code_uri' => 'https://github.com/chef/cookstyle',
+    'documentation_uri' => 'https://docs.chef.io/workstation/cookstyle/',
+    'bug_tracker_uri' => 'https://github.com/chef/cookstyle/issues',
+  }
+end

data/lib/cookstyle/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+module Cookstyle
+  VERSION = "8.0.0" # rubocop: disable Style/StringLiterals
+  RUBOCOP_VERSION = '1.57.2'
+end

data/lib/cookstyle.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+require_relative 'cookstyle/version'
+
+require 'pathname' unless defined?(Pathname)
+require 'yaml' unless defined?(YAML)
+
+# ensure the desired target version of RuboCop is gem activated
+gem 'rubocop', "= #{Cookstyle::RUBOCOP_VERSION}"
+require 'rubocop'
+require_relative 'rubocop/monkey_patches/directive_comment'
+
+# monkey patches needed for the TargetChefVersion config option
+require_relative 'rubocop/monkey_patches/config'
+require_relative 'rubocop/monkey_patches/base'
+require_relative 'rubocop/monkey_patches/team'
+require_relative 'rubocop/monkey_patches/registry_cop'
+
+# Cookstyle patches the RuboCop tool to set a new default configuration that
+# is vendored in the Cookstyle codebase.
+module Cookstyle
+  # @return [String] the absolute path to the main RuboCop configuration YAML file
+  def self.config
+    File.realpath(File.join(__dir__, "..", "config", "cookstyle.yml"))
+  end
+end
+
+require_relative 'rubocop/chef'
+require_relative 'rubocop/chef/autocorrect_helpers'
+require_relative 'rubocop/chef/cookbook_helpers'
+require_relative 'rubocop/chef/platform_helpers'
+require_relative 'rubocop/chef/cookbook_only'
+require_relative 'rubocop/cop/target_chef_version'
+
+# Chef Infra specific cops
+Dir.glob(__dir__ + '/rubocop/cop/**/*.rb') do |file|
+  next if File.directory?(file)
+
+  require_relative file # not actually relative but require_relative is faster
+end
+
+# stub default value of TargetChefVersion to avoid STDERR noise
+RuboCop::ConfigLoader.default_configuration['AllCops']['TargetChefVersion'] = '~'
+
+RuboCop::ConfigLoader.default_configuration = RuboCop::ConfigLoader.configuration_from_file(Cookstyle.config)

data/lib/rubocop/chef/autocorrect_helpers.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+#
+# Copyright:: Copyright 2020, Chef Software Inc.
+# Author:: Tim Smith (<tsmith84@gmail.com>)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+module RuboCop
+  module Chef
+    # Helpers for use in autocorrection
+    module AutocorrectHelpers
+      # if the node has a heredoc as an argument you'll only get the start of the heredoc and removing
+      # the node will result in broken ruby. This way we match the node and the entire heredoc for removal
+      def expression_including_heredocs(node)
+        if node.arguments.last.respond_to?(:heredoc?) && node.arguments.last.heredoc?
+          node.loc.expression.join(node.arguments.last.loc.heredoc_end)
+        else
+          node.loc.expression
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/chef/cookbook_helpers.rb

@@ -0,0 +1,127 @@
+# frozen_string_literal: true
+#
+# Copyright:: Copyright 2019, Chef Software Inc.
+# Author:: Tim Smith (<tsmith84@gmail.com>)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+module RuboCop
+  module Chef
+    # Common node helpers used for matching against Chef Infra Cookbooks
+    module CookbookHelpers
+      def resource_block_name_if_string(node)
+        if looks_like_resource?(node) && node.children.first.arguments.first.respond_to?(:value)
+          node.children.first.arguments.first.value
+        end
+      end
+
+      # Match a particular resource
+      #
+      # @param [String] resource_name The name of the resource to match
+      # @param [RuboCop::AST::Node] node The rubocop ast node to search
+      #
+      # @yield
+      #
+      def match_resource_type?(resource_name, node)
+        return unless looks_like_resource?(node)
+        # bail out if we're not in the resource we care about or nil was passed (all resources)
+        yield(node) if node.children.first.method?(resource_name.to_sym)
+      end
+
+      # Match particular properties within a resource
+      #
+      # @param [Symbol, Array<Symbol>] resource_names The name of the resources to match
+      # @param [String] property_names The name of the property to match (or action)
+      # @param [RuboCop::AST::Node] node The rubocop ast node to search
+      #
+      # @yield
+      #
+      def match_property_in_resource?(resource_names, property_names, node)
+        return unless looks_like_resource?(node)
+        # bail out if we're not in the resource we care about or nil was passed (all resources)
+        return unless resource_names.nil? || Array(resource_names).include?(node.children.first.method_name) # see if we're in the right resource
+
+        resource_block = node.children[2] # the 3rd child is the actual block in the resource
+        return unless resource_block # nil would be an empty block
+
+        if resource_block.begin_type? # if begin_type we need to iterate over the children
+          resource_block.children.each do |resource_blk_child|
+            extract_send_types(resource_blk_child) do |p|
+              yield(p) if symbolized_property_types(property_names).include?(p.method_name)
+            end
+          end
+        else # there's only a single property to check
+          extract_send_types(resource_block) do |p|
+            yield(p) if symbolized_property_types(property_names).include?(p.method_name)
+          end
+        end
+      end
+
+      def method_arg_ast_to_string(ast)
+        # a property without a value. This is totally bogus, but they exist
+        return if ast.children[2].nil?
+        # https://rubular.com/r/6uzOMd6WCHewOu
+        m = ast.children[2].source.match(/^("|')(.*)("|')$/)
+        return m[2] unless m.nil?
+      end
+
+      private
+
+      # @param [String, Array] property
+      #
+      # @return [Array]
+      def symbolized_property_types(property)
+        Array(property).map(&:to_sym)
+      end
+
+      #
+      # given a node object does it look like a chef resource or not?
+      # warning: currently this requires a resource with properties since we key off blocks and property-less resources look like methods
+      #
+      # @param [RuboCop::AST::Node] node AST object to test
+      #
+      # @return [boolean]
+      #
+      def looks_like_resource?(node)
+        return false unless node.block_type? # resources are blocks if they have properties
+        return false unless node.children.first.receiver.nil? # resource blocks don't have a receiver
+        return false if node.send_node.arguments.first.is_a?(RuboCop::AST::SymbolNode) # resources have a string name. resource actions have symbols
+
+        # bail if the block doesn't have a name a resource *generally* has a name.
+        # This isn't 100% true with things like apt_update and build_essential, but we'll live
+        # with that for now to avoid the false positives of getting stuck in generic blocks in resources
+        return false if node.children.first.arguments.empty?
+
+        # if we made it this far we're probably in a resource
+        true
+      end
+
+      def extract_send_types(node)
+        return if node.nil? # there are cases we can be passed an empty node
+        case node.type
+        when :send
+          yield(node) if node.receiver.nil? # if it's not nil then we're not in a property foo we're in bar.foo
+        when :block # ie: not_if { ruby_foo }
+          yield(node)
+        when :while
+          extract_send_types(node.body) { |t| yield(t) }
+        when :if
+          node.branches.each { |n| extract_send_types(n) { |t| yield(t) } }
+        when :case
+          node.when_branches.each { |n| extract_send_types(n.body) { |t| yield(t) } } # unless node.when_branches.nil?
+          extract_send_types(node.else_branch) { |t| yield(t) } if node.else_branch
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/chef/cookbook_only.rb

@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Chef
+    # Mixin for cops that skips non-cookbook files
+    #
+    # The criteria for whether cookstyle analyzes a certain ruby file
+    # is configured via `AllCops/Chef`. For example, if you want to
+    # customize your project to scan all files within a `test/` directory
+    # then you could add this to your configuration:
+    #
+    # @example configuring analyzed paths
+    #
+    #   AllCops:
+    #     Chef:
+    #       Patterns:
+    #       - '_spec.rb$'
+    #       - '(?:^|/)spec/'
+    #
+    module CookbookOnly
+      DEFAULT_CONFIGURATION = CONFIG.fetch('AllCops')
+      COOKBOOK_SEGMENTS = %w(attributes definitions libraries metadata providers recipes resources).freeze
+
+      def relevant_file?(file)
+        cookbook_pattern =~ file && super
+      end
+
+      private
+
+      def cookbook_pattern
+        patterns = []
+        COOKBOOK_SEGMENTS.each do |segment|
+          next unless self.class.cookbook_only_segments[segment.to_sym]
+
+          cookbook_pattern_config(segment).each do |pattern|
+            patterns << Regexp.new(pattern)
+          end
+        end
+        Regexp.union(patterns)
+      end
+
+      def cookbook_pattern_config(segment)
+        config_key = "Chef#{segment.capitalize}"
+        config
+          .for_all_cops
+          .fetch(config_key, DEFAULT_CONFIGURATION.fetch(config_key))
+          .fetch('Patterns')
+      end
+
+      module ClassMethods
+        attr_writer :cookbook_only_segments
+
+        def cookbook_only_segments
+          @cookbook_only_segments || Hash.new(true)
+        end
+
+        def included(klass)
+          super
+          klass.extend(ClassMethods)
+        end
+      end
+
+      extend ClassMethods
+    end
+
+    def self.CookbookOnly(segments)
+      Module.new do |mod|
+        mod.define_singleton_method(:included) do |klass|
+          super(klass)
+          klass.include(CookbookOnly)
+          klass.cookbook_only_segments = segments
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/chef/platform_helpers.rb

@@ -0,0 +1,72 @@
+# frozen_string_literal: true
+#
+# Copyright:: Copyright 2019-2020, Chef Software Inc.
+# Author:: Tim Smith (<tsmith84@gmail.com>)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+module RuboCop
+  module Chef
+    # common helpers for Platforms in Chef Infra Cookbooks
+    module PlatformHelpers
+      # a mapping of invalid platform family values to valid platform family
+      INVALID_PLATFORM_FAMILIES = {
+        'archlinux' => 'arch',
+        'centos' => 'rhel',
+        'darwin' => 'mac_os_x',
+        'debuan' => 'debian',
+        'linux' => nil,
+        'mac_os_x_server' => 'mac_os_x',
+        'macos' => 'mac_os_x',
+        'macosx' => 'mac_os_x',
+        'mingw32' => 'windows',
+        'mswin' => 'windows',
+        'opensuse' => 'suse',
+        'opensuseleap' => 'suse',
+        'oracle' => 'rhel',
+        'redhat' => 'rhel',
+        'scientific' => 'rhel',
+        'sles' => 'suse',
+        'ubuntu' => 'debian',
+      }.freeze
+
+      # a mapping of invalid platforms values to valid platforms
+      INVALID_PLATFORMS = {
+        'aws' => nil,
+        'archlinux' => 'arch',
+        'amazonlinux' => 'amazon',
+        'darwin' => 'mac_os_x',
+        'debuan' => 'debian',
+        'mingw32' => 'windows',
+        'mswin' => 'windows',
+        'macos' => 'mac_os_x',
+        'macosx' => 'mac_os_x',
+        'mac_os_x_server' => 'mac_os_x',
+        'mint' => 'linuxmint',
+        'linux' => nil,
+        'oel' => 'oracle',
+        'oraclelinux' => 'oracle',
+        'rhel' => 'redhat',
+        'schientific' => 'scientific',
+        'scientificlinux' => 'scientific',
+        'sles' => 'suse',
+        'solaris' => 'solaris2',
+        'ubundu' => 'ubuntu',
+        'ubunth' => 'ubuntu',
+        'ubunutu' => 'ubuntu',
+        'windwos' => 'windows',
+        'xcp' => nil,
+      }.freeze
+    end
+  end
+end

data/lib/rubocop/chef.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+module RuboCop
+  # RuboCop Chef project namespace
+  module Chef
+    PROJECT_ROOT   = Pathname.new(__dir__).parent.parent.expand_path.freeze
+    CONFIG_DEFAULT = PROJECT_ROOT.join('config', 'cookstyle.yml').freeze
+    CONFIG         = YAML.load(CONFIG_DEFAULT.read).freeze
+
+    private_constant(*constants(false))
+  end
+end

data/lib/rubocop/cop/chef/correctness/block_guard_clause_string_only.rb

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+#
+# Copyright:: Copyright 2019, Chef Software Inc.
+# Author:: Tim Smith (<tsmith84@gmail.com>)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+module RuboCop
+  module Cop
+    module Chef
+      module Correctness
+        # A resource guard (not_if/only_if) that is a string should not be wrapped in `{}`. Wrapping a guard string in {} causes it to be executed as Ruby code which will always return true instead of a shell command that will actually run.
+        #
+        # @example
+        #
+        #   ### incorrect
+        #   template '/etc/foo' do
+        #     mode '0644'
+        #     source 'foo.erb'
+        #     only_if { 'test -f /etc/foo' }
+        #   end
+        #
+        #   ### correct
+        #   template '/etc/foo' do
+        #     mode '0644'
+        #     source 'foo.erb'
+        #     only_if 'test -f /etc/foo'
+        #   end
+        #
+        class BlockGuardWithOnlyString < Base
+          extend AutoCorrector
+
+          MSG = 'A resource guard (not_if/only_if) that is a string should not be wrapped in {}. Wrapping a guard string in {} causes it to be executed as Ruby code which will always return true instead of a shell command that will actually run.'
+
+          def_node_matcher :block_guard_with_only_string?, <<-PATTERN
+            (block (send nil? ${:not_if :only_if}) (args) (str $_) )
+          PATTERN
+
+          def on_block(node)
+            block_guard_with_only_string?(node) do
+              add_offense(node, severity: :refactor) do |corrector|
+                new_val = "#{node.method_name} #{node.body.source}"
+                corrector.replace(node, new_val)
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/chef/correctness/chef_application_fatal.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+#
+# Copyright:: Copyright 2020, Chef Software Inc.
+# Author:: Tim Smith (<tsmith84@gmail.com>)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+module RuboCop
+  module Cop
+    module Chef
+      module Correctness
+        # Use `raise` to force Chef Infra Client to fail instead of using `Chef::Application.fatal`, which masks the full stack trace of the failure and makes debugging difficult.
+        #
+        # @example
+        #
+        #   ### incorrect
+        #   Chef::Application.fatal!('Something horrible happened!')
+        #
+        #   ### correct
+        #   raise "Something horrible happened!"
+        #
+        class ChefApplicationFatal < Base
+          extend AutoCorrector
+
+          MSG = 'Use raise to force Chef Infra Client to fail instead of using Chef::Application.fatal'
+          RESTRICT_ON_SEND = [:fatal!].freeze
+
+          def_node_matcher :application_fatal?, <<-PATTERN
+            (send
+              (const
+                (const nil? :Chef) :Application) :fatal!
+              $( ... ))
+          PATTERN
+
+          def on_send(node)
+            application_fatal?(node) do |val|
+              add_offense(node, severity: :refactor) do |corrector|
+                corrector.replace(node, "raise(#{val.source})")
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/chef/correctness/conditional_ruby_shellout.rb

@@ -0,0 +1,69 @@
+# frozen_string_literal: true
+#
+# Copyright:: 2020, Chef Software, Inc.
+# Author:: Tim Smith (<tsmith84@gmail.com>)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+module RuboCop
+  module Cop
+    module Chef
+      module Correctness
+        # Don't use Ruby to shellout in a `only_if` / `not_if` conditional. Any string value used in an `only_if` / `not_if` is executed in your system's shell and the return code of the command is the result for the `not_if` / `only_if` determination.
+        #
+        # @example
+        #
+        #   ### incorrect
+        #   cookbook_file '/logs/foo/error.log' do
+        #     source 'error.log'
+        #     only_if { system('wget https://www.bar.com/foobar.txt -O /dev/null') }
+        #   end
+        #
+        #   cookbook_file '/logs/foo/error.log' do
+        #     source 'error.log'
+        #     only_if { shell_out('wget https://www.bar.com/foobar.txt -O /dev/null').exitstatus == 0 }
+        #   end
+        #
+        #   ### correct
+        #   cookbook_file '/logs/foo/error.log' do
+        #     source 'error.log'
+        #     only_if 'wget https://www.bar.com/foobar.txt -O /dev/null'
+        #   end
+        #
+        class ConditionalRubyShellout < Base
+          extend AutoCorrector
+          include RuboCop::Chef::CookbookHelpers
+
+          MSG = "Don't use Ruby to shellout in an only_if / not_if conditional when you can shellout directly by wrapping the command in quotes."
+
+          def_node_matcher :conditional_shellout?, <<-PATTERN
+          (block
+            (send nil? ${:only_if :not_if})
+            (args)
+            {(send nil? :system $(str ...))
+             (send (send (send nil? :shell_out $(str ...)) :exitstatus) :== (int 0))
+              })
+          PATTERN
+
+          def on_block(node)
+            conditional_shellout?(node) do |type, val|
+              add_offense(node, severity: :refactor) do |corrector|
+                corrector.replace(node, "#{type} #{val.source}")
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/chef/correctness/dnf_package_allow_downgrades.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+#
+# Copyright:: Copyright 2019-2020, Chef Software Inc.
+# Author:: Tim Smith (<tsmith84@gmail.com>)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+module RuboCop
+  module Cop
+    module Chef
+      module Correctness
+        # The `dnf_package` resource does not support the `allow_downgrades` property.
+        #
+        # @example
+        #
+        #   ### incorrect
+        #   dnf_package 'nginx' do
+        #     version '1.2.3'
+        #     allow_downgrades true
+        #   end
+        #
+        #   ### correct
+        #   dnf_package 'nginx' do
+        #     version '1.2.3'
+        #   end
+        #
+        class DnfPackageAllowDowngrades < Base
+          include RangeHelp
+          include RuboCop::Chef::CookbookHelpers
+          extend AutoCorrector
+
+          MSG = 'dnf_package does not support the allow_downgrades property'
+
+          def on_block(node)
+            match_property_in_resource?(:dnf_package, :allow_downgrades, node) do |prop|
+              add_offense(prop, severity: :refactor) do |corrector|
+                corrector.remove(range_with_surrounding_space(range: prop.loc.expression, side: :left))
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end