inspec-chef 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: afe50e575ce5384475bd4c1f0ba240df92727baf14cde3a96f35e2a474eceb8c
+  data.tar.gz: 6f51ad5775fa43d5ea7eff553608f91f24de4e3248ffcd8722fd92c4e393fba7
+SHA512:
+  metadata.gz: 645ab50c1f28a99b7b545d205aa460a819bcdc1380853ed6cbdf0538a53dfb140dd08d0733dab722c9a2cc9b9f4198ae808ff5fe0efb8a2e5ac05ca7e7d2b01a
+  data.tar.gz: e7a43170a680e81d11416e72aca2b81e85aa961ca6120fe44e2d4a0c366cebab152741336d3ff5e4ad9f06b914e66de73790ca3ae67bf59f53a4cd832b32491d

data/Gemfile

@@ -0,0 +1,14 @@
+# encoding: utf-8
+source "https://rubygems.org"
+
+gemspec
+
+gem "inspec-bin"
+
+group :development do
+  gem "chefstyle", "0.13.0"
+  gem "m"
+  gem "bundler"
+  gem "rake"
+  gem "rubocop"
+end

data/README.md

@@ -0,0 +1,102 @@
+# inspec-chef
+
+Input plugin for InSpec to access Chef Server data within profiles
+
+## Use Case
+
+Some systems rely on Chef Databags or Attributes to be provisioned in the right
+state, triggering specific configuration which is then hard to verify using
+InSpec. For example, one system could have an SQL Server 2012 installed
+while the other has SQL Server 2019. While both might perform an identical
+role, the InSpec tests have to distinguish between both and get some
+information on the characteristics to test.
+
+As the configuration information is already present in those constructs,
+it makes little sense to manually configure separate profiles.
+
+## Installation
+
+Simply execute `inspec plugin install inspec-chef`, which will get
+the plugin from RubyGems and install/register it with InSpec.
+
+You can verify successful installation via `inspec plugin list`
+
+## Configuration
+
+Each plugin option may be set either as an environment variable, or as a plugin
+option in your Chef InSpec configuration file at ~/.inspec/config.json. For
+example, to set the chef server information in the config file, lay out the
+config file as follows:
+
+```json
+{
+  "version": "1.2",
+  "plugins":{
+    "inspec-chef":{
+      "chef_api_endpoint": "https://chef.example.com/organizations/testing",
+      "chef_api_client":   "workstation",
+      "chef_api_key":      "/etc/chef/workstation.pem"
+    }
+  }
+}
+```
+
+Config file option names are always lowercase.
+
+This plugin supports the following options:
+
+| Environment Variable | config.json Option | Description |
+| - | - | - |
+| INSPEC_CHEF_ENDPOINT | chef_api_endpoint | The URL of your Chef server, including the organization |
+| INSPEC_CHEF_CLIENT   | chef_api_client   | The name of the client of the Chef server to connect as |
+| INSPEC_CHEF_KEY      | chef_api_key      | Path to the private certificate identifying the node |
+
+## Usage
+
+When this plugin is loaded, you can use databag items as inputs:
+
+```ruby
+hostname = input('databag://name/item/some/nested/value')
+
+describe host(hostname, port: 80, protocol: 'tcp') do
+  it { should be_reachable }
+end
+```
+
+In the same way, you can also add attributes of arbitary nodes:
+
+```ruby
+hostname = input('node://name/attributes/some/nested/attribute')
+
+describe host(hostname, port: 80, protocol: 'tcp') do
+  it { should be_reachable }
+end
+```
+
+InSpec will go through all loaded input plugins by priority and determine the value.
+
+Keep in mind, that the node executing your InSpec runs needs to be
+registered with the chef server to be able to access the data. Lookup
+is __not__ done on the clients tested, but the executing workstation.
+
+## Example
+
+With this plugin, the input names consist of the name of the databag,
+the item and a path getting a specific value within an item.
+This way, you can have a databag "configuration" with an item "database" like:
+
+```json
+{
+  "SQL": {
+    "Type": "SQL2019"
+  }
+}
+```
+
+and then use `input('databag://configuration/database/SQL/Type')` to get the
+"SQL2019" value out.
+
+## Limitations
+
+There currently is no support for arrays or more complex expressions within
+the query, but support via JMESPath expressions is planned.

data/inspec-chef.gemspec

@@ -0,0 +1,39 @@
+# coding: utf-8
+
+# As plugins are usually packaged and distributed as a RubyGem,
+# we have to provide a .gemspec file, which controls the gembuild
+# and publish process.  This is a fairly generic gemspec.
+
+# It is traditional in a gemspec to dynamically load the current version
+# from a file in the source tree.  The next three lines make that happen.
+lib = File.expand_path("../lib", __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "inspec-chef/version"
+
+Gem::Specification.new do |spec|
+  # Importantly, all InSpec plugins must be prefixed with `inspec-` (most
+  # plugins) or `train-` (plugins which add new connectivity features).
+  spec.name          = "inspec-chef"
+
+  # It is polite to namespace your plugin under InspecPlugins::YourPluginInCamelCase
+  spec.version       = InspecPlugins::Chef::VERSION
+  spec.authors       = ["Thomas Heinen"]
+  spec.email         = ["theinen@tecracer.de"]
+  spec.summary       = "InSpec input plugin to access Chef Infra Server databags and attributes."
+  spec.description   = "This plugin allows InSpec 'inputs' to be provided by Chef Server."
+  spec.homepage      = "https://github.com/tecracer-theinen/inspec-chef"
+  spec.license       = "Apache-2.0"
+
+  # Though complicated-looking, this is pretty standard for a gemspec.
+  # It just filters what will actually be packaged in the gem (leaving
+  # out tests, etc)
+  spec.files = %w{
+    README.md inspec-chef.gemspec Gemfile
+  } + Dir.glob(
+    "lib/**/*", File::FNM_DOTMATCH
+  ).reject { |f| File.directory?(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "chef-api", "~> 0.10"
+  spec.add_dependency "jmespath", "~> 1.4"
+end

data/lib/inspec-chef/input.rb

@@ -0,0 +1,103 @@
+require "chef-api"
+require "jmespath"
+require "uri"
+
+module InspecPlugins::Chef
+  class Input < Inspec.plugin(2, :input)
+    VALID_PATTERNS = [
+      Regexp.new("^databag://[^/]+/[^/]+/.+$"),
+      Regexp.new("^node://[^/]+/attributes/.+$"),
+    ].freeze
+
+    attr_reader :plugin_conf, :chef_endpoint, :chef_client, :chef_api_key
+    attr_reader :chef_api
+
+    # Set up new class
+    def initialize
+      @plugin_conf = Inspec::Config.cached.fetch_plugin_config("inspec-chef")
+
+      @chef_endpoint = fetch_plugin_setting("endpoint")
+      @chef_client   = fetch_plugin_setting("client")
+      @chef_api_key  = fetch_plugin_setting("key")
+
+      if chef_endpoint.nil? || chef_client.nil? || chef_api_key.nil?
+        raise "ERROR: Need configuration of chef endpoint, client name and api key."
+      end
+
+      connect_to_chef_server
+    end
+
+    # Fetch method used for Input plugins
+    def fetch(_profile_name, input_uri)
+      return nil unless valid_plugin_input? input_uri
+
+      input = parse_input(input_uri)
+
+      if input[:type] == :databag
+        data = get_databag_item(input[:object], input[:item])
+      elsif input[:type] == :node
+        data = get_attributes(input[:object]) if input[:item] == "attributes"
+      end
+
+      JMESPath.search(input[:query].join("."), data)
+    end
+
+    private
+
+    # Get plugin setting via environment, config file or default
+    def fetch_plugin_setting(setting_name, default = nil)
+      env_var_name = "INSPEC_CHEF_#{setting_name.upcase}"
+      config_name = "chef_api_#{setting_name.downcase}"
+      ENV[env_var_name] || plugin_conf[config_name] || default
+    end
+
+    # Establish a Chef Server connection
+    def connect_to_chef_server
+      @chef_api ||= ChefAPI::Connection.new(
+        endpoint: chef_endpoint,
+        client:   chef_client,
+        key:      chef_api_key
+      )
+    end
+
+    # Retrieve a Databag item from Chef Server
+    def get_databag_item(databag, item)
+      chef_api.data_bag_item.fetch(item, bag: databag).data
+    end
+
+    # Retrieve attributes of a node
+    def get_attributes(node)
+      data = get_search(:node, "name:#{node}")
+
+      merge_attributes(data)
+    end
+
+    # Low-level Chef search expression
+    def get_search(index, expression)
+      chef_api.search.query(index, expression).rows.first
+    end
+
+    # Merge attributes in hierarchy like Chef
+    def merge_attributes(data)
+      data["default"].merge(data["normal"]).merge(data["override"]).merge(data["automatic"])
+    end
+
+    # Verify if input is valid for this plugin
+    def valid_plugin_input?(input)
+      VALID_PATTERNS.any? { |regex| regex.match? input }
+    end
+
+    # Parse InSpec input name into Databag, Item and search query
+    def parse_input(input_uri)
+      uri = URI(input_uri)
+      item, *components = uri.path.slice(1..-1).split("/")
+
+      {
+        type: uri.scheme.to_sym,
+        object: uri.host,
+        item: item,
+        query: components,
+      }
+    end
+  end
+end

data/lib/inspec-chef/plugin.rb

@@ -0,0 +1,25 @@
+# encoding: UTF-8
+
+# Plugin Definition file
+# The purpose of this file is to declare to InSpec what plugin_types (capabilities)
+# are included in this plugin, and provide hooks that will load them as needed.
+
+# It is important that this file load successfully and *quickly*.
+# Your plugin's functionality may never be used on this InSpec run; so we keep things
+# fast and light by only loading heavy things when they are needed.
+
+require "inspec-chef/version"
+module InspecPlugins
+  module Chef
+    class Plugin < ::Inspec.plugin(2)
+      # Internal machine name of the plugin. InSpec will use this in errors, etc.
+      plugin_name :'inspec-chef'
+
+      # Define an Input plugin type.
+      input :chef do
+        require_relative "input.rb"
+        InspecPlugins::Chef::Input
+      end
+    end
+  end
+end

data/lib/inspec-chef/version.rb

@@ -0,0 +1,10 @@
+# encoding: UTF-8
+
+# This file simply makes it easier for CI engines to update
+# the version stamp, and provide a clean way for the gemspec
+# to learn the current version.
+module InspecPlugins
+  module Chef
+    VERSION = "0.1.0".freeze
+  end
+end

data/lib/inspec-chef.rb

@@ -0,0 +1,4 @@
+libdir = File.dirname(__FILE__)
+$LOAD_PATH.unshift(libdir) unless $LOAD_PATH.include?(libdir)
+
+require "inspec-chef/plugin"

metadata

@@ -0,0 +1,78 @@
+--- !ruby/object:Gem::Specification
+name: inspec-chef
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Thomas Heinen
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2020-01-08 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: chef-api
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.10'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.10'
+- !ruby/object:Gem::Dependency
+  name: jmespath
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.4'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.4'
+description: This plugin allows InSpec 'inputs' to be provided by Chef Server.
+email:
+- theinen@tecracer.de
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- Gemfile
+- README.md
+- inspec-chef.gemspec
+- lib/inspec-chef.rb
+- lib/inspec-chef/input.rb
+- lib/inspec-chef/plugin.rb
+- lib/inspec-chef/version.rb
+homepage: https://github.com/tecracer-theinen/inspec-chef
+licenses:
+- Apache-2.0
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.0.3
+signing_key: 
+specification_version: 4
+summary: InSpec input plugin to access Chef Infra Server databags and attributes.
+test_files: []