inspec-core 2.1.67

data/lib/bundles/inspec-compliance/configuration.rb

@@ -0,0 +1,103 @@
+# encoding: utf-8
+# author: Christoph Hartmann
+# author: Dominik Richter
+
+module Compliance
+  # stores configuration on local filesystem
+  class Configuration
+    def initialize
+      @config_path = File.join(Dir.home, '.inspec', 'compliance')
+      # ensure the directory is available
+      unless File.directory?(@config_path)
+        FileUtils.mkdir_p(@config_path)
+      end
+      # set config file path
+      @config_file = File.join(@config_path, '/config.json')
+      @config = {}
+
+      # load the data
+      get
+    end
+
+    # direct access to config
+    def [](key)
+      @config[key]
+    end
+
+    def []=(key, value)
+      @config[key] = value
+    end
+
+    def key?(key)
+      @config.key?(key)
+    end
+
+    def clean
+      @config = {}
+    end
+
+    # return the json data
+    def get
+      if File.exist?(@config_file)
+        file = File.read(@config_file)
+        @config = JSON.parse(file)
+      end
+      @config
+    end
+
+    # stores a hash to json
+    def store
+      File.open(@config_file, 'w') do |f|
+        f.chmod(0600)
+        f.write(@config.to_json)
+      end
+    end
+
+    # deletes data
+    def destroy
+      if File.exist?(@config_file)
+        File.delete(@config_file)
+      else
+        true
+      end
+    end
+
+    # return if the (stored) api version does not support a certain feature
+    def supported?(feature)
+      sup = version_with_support(feature)
+
+      # we do not know the version, therefore we do not know if its possible to use the feature
+      return if self['version'].nil? || self['version']['version'].nil?
+
+      if sup.is_a?(Array)
+        Gem::Version.new(self['version']['version']) >= sup[0] &&
+          Gem::Version.new(self['version']['version']) < sup[1]
+      else
+        Gem::Version.new(self['version']['version']) >= sup
+      end
+    end
+
+    # exit 1 if the version of compliance that we're working with doesn't support odic
+    def legacy_check!(feature)
+      return if supported?(feature)
+
+      puts "This feature (#{feature}) is not available for legacy installations."
+      puts 'Please upgrade to a recent version of Chef Compliance.'
+      exit 1
+    end
+
+    private
+
+    # for a feature, returns either:
+    #  - a version v0:                      v supports v0       iff v0 <= v
+    #  - an array [v0, v1] of two versions: v supports [v0, v1] iff v0 <= v < v1
+    def version_with_support(feature)
+      case feature.to_sym
+      when :oidc
+        Gem::Version.new('0.16.19')
+      else
+        Gem::Version.new('0.0.0')
+      end
+    end
+  end
+end

data/lib/bundles/inspec-compliance/http.rb

@@ -0,0 +1,125 @@
+# encoding: utf-8
+# author: Christoph Hartmann
+# author: Dominik Richter
+
+require 'net/http'
+require 'uri'
+
+module Compliance
+  # implements a simple http abstraction on top of Net::HTTP
+  class HTTP
+    # generic get requires
+    def self.get(url, headers = nil, insecure)
+      uri = _parse_url(url)
+      req = Net::HTTP::Get.new(uri.path)
+      headers&.each do |key, value|
+        req.add_field(key, value)
+      end
+      send_request(uri, req, insecure)
+    end
+
+    # generic post request
+    def self.post(url, token, insecure, basic_auth = false)
+      # form request
+      uri = _parse_url(url)
+      req = Net::HTTP::Post.new(uri.path)
+      if basic_auth
+        req.basic_auth token, ''
+      else
+        req['Authorization'] = "Bearer #{token}"
+      end
+      req.form_data={}
+
+      send_request(uri, req, insecure)
+    end
+
+    def self.post_with_headers(url, headers, body, insecure)
+      uri = _parse_url(url)
+      req = Net::HTTP::Post.new(uri.path)
+      req.body = body unless body.nil?
+      headers&.each do |key, value|
+        req.add_field(key, value)
+      end
+      send_request(uri, req, insecure)
+    end
+
+    # post a file
+    def self.post_file(url, headers, file_path, insecure)
+      uri = _parse_url(url)
+      raise "Unable to parse URL: #{url}" if uri.nil? || uri.host.nil?
+      http = Net::HTTP.new(uri.host, uri.port)
+
+      # set connection flags
+      http.use_ssl = (uri.scheme == 'https')
+      http.verify_mode = OpenSSL::SSL::VERIFY_NONE if insecure
+
+      req = Net::HTTP::Post.new(uri.path)
+      headers.each do |key, value|
+        req.add_field(key, value)
+      end
+
+      req.body_stream=File.open(file_path, 'rb')
+      req.add_field('Content-Length', File.size(file_path))
+      req.add_field('Content-Type', 'application/x-gtar')
+
+      boundary = 'INSPEC-PROFILE-UPLOAD'
+      req.add_field('session', boundary)
+      res=http.request(req)
+      res
+    end
+
+    def self.post_multipart_file(url, headers, file_path, insecure)
+      uri = _parse_url(url)
+      raise "Unable to parse URL: #{url}" if uri.nil? || uri.host.nil?
+      http = Net::HTTP.new(uri.host, uri.port)
+
+      # set connection flags
+      http.use_ssl = (uri.scheme == 'https')
+      http.verify_mode = OpenSSL::SSL::VERIFY_NONE if insecure
+
+      req = Net::HTTP::Post.new(uri)
+      headers.each do |key, value|
+        req.add_field(key, value)
+      end
+
+      boundry = 'AaB03x'
+      req.add_field('Content-Type', "multipart/form-data; boundary=#{boundry}")
+
+      post_body = []
+      post_body << "--#{boundry}\r\n"
+      post_body << "Content-Disposition: form-data; name=\"file\"; filename=\"#{File.basename(file_path)}\"\r\n"
+      post_body << "Content-Type: application/x-gtar\r\n\r\n"
+      post_body << File.read(file_path)
+      post_body << "\r\n\r\n--#{boundry}--\r\n"
+      req.body = post_body.join
+
+      res=http.request(req)
+      res
+    end
+
+    # sends a http requests
+    def self.send_request(uri, req, insecure)
+      opts = {
+        use_ssl: uri.scheme == 'https',
+      }
+      opts[:verify_mode] = OpenSSL::SSL::VERIFY_NONE if insecure
+
+      raise "Unable to parse URI: #{uri}" if uri.nil? || uri.host.nil?
+      res = Net::HTTP.start(uri.host, uri.port, opts) { |http|
+        http.request(req)
+      }
+      res
+    rescue OpenSSL::SSL::SSLError => e
+      raise e unless e.message.include? 'certificate verify failed'
+
+      puts "Error: Failed to connect to #{uri}."
+      puts 'If the server uses a self-signed certificate, please re-run the login command with the --insecure option.'
+      exit 1
+    end
+
+    def self._parse_url(url)
+      url = "https://#{url}" if URI.parse(url).scheme.nil?
+      URI.parse(url)
+    end
+  end
+end

data/lib/bundles/inspec-compliance/support.rb

@@ -0,0 +1,36 @@
+# encoding: utf-8
+# author: Christoph Hartmann
+# author: Dominik Richter
+
+module Compliance
+  # is a helper that provides information which version of compliance supports
+  # which feature
+  class Support
+    # for a feature, returns either:
+    #  - a version v0:                      v supports v0       iff v0 <= v
+    #  - an array [v0, v1] of two versions: v supports [v0, v1] iff v0 <= v < v1
+    def self.version_with_support(feature)
+      case feature.to_sym
+      when :oidc # open id connect authentication
+        Gem::Version.new('0.16.19')
+      else
+        Gem::Version.new('0.0.0')
+      end
+    end
+
+    # determines if the given version support a certain feature
+    def self.supported?(feature, version)
+      sup = version_with_support(feature)
+
+      if sup.is_a?(Array)
+        Gem::Version.new(version) >= sup[0] &&
+          Gem::Version.new(version) < sup[1]
+      else
+        Gem::Version.new(version) >= sup
+      end
+    end
+
+    # we do not know the version, therefore we do not know if its possible to use the feature
+    # return if self['version'].nil? || self['version']['version'].nil?
+  end
+end

data/lib/bundles/inspec-compliance/target.rb

@@ -0,0 +1,106 @@
+# encoding: utf-8
+# author: Christoph Hartmann
+# author: Dominik Richter
+
+require 'uri'
+require 'inspec/fetcher'
+require 'inspec/errors'
+
+# InSpec Target Helper for Chef Compliance
+# reuses UrlHelper, but it knows the target server and the access token already
+# similar to `inspec exec http://localhost:2134/owners/%base%/compliance/%ssh%/tar --user %token%`
+module Compliance
+  class Fetcher < Fetchers::Url
+    name 'compliance'
+    priority 500
+    def self.resolve(target) # rubocop:disable PerceivedComplexity, Metrics/CyclomaticComplexity, Metrics/AbcSize
+      uri = if target.is_a?(String) && URI(target).scheme == 'compliance'
+              URI(target)
+            elsif target.respond_to?(:key?) && target.key?(:compliance)
+              URI("compliance://#{target[:compliance]}")
+            end
+
+      return nil if uri.nil?
+
+      # we have detailed information available in our lockfile, no need to ask the server
+      if target.respond_to?(:key?) && target.key?(:url)
+        profile_fetch_url = target[:url]
+        config = {}
+      else
+        # check if we have a compliance token
+        config = Compliance::Configuration.new
+        if config['token'].nil? && config['refresh_token'].nil?
+          if config['server_type'] == 'automate'
+            server = 'automate'
+            msg = 'inspec compliance login https://your_automate_server --user USER --ent ENT --dctoken DCTOKEN or --token USERTOKEN'
+          elsif config['server_type'] == 'automate2'
+            server = 'automate2'
+            msg = 'inspec compliance login https://your_automate2_server --user USER --token APITOKEN'
+          else
+            server = 'compliance'
+            msg = "inspec compliance login https://your_compliance_server --user admin --insecure --token 'PASTE TOKEN HERE' "
+          end
+          raise Inspec::FetcherFailure, <<~EOF
+
+            Cannot fetch #{uri} because your #{server} token has not been
+            configured.
+
+            Please login using
+
+                #{msg}
+          EOF
+        end
+
+        # verifies that the target e.g base/ssh exists
+        profile = Compliance::API.sanitize_profile_name(uri)
+        if !Compliance::API.exist?(config, profile)
+          raise Inspec::FetcherFailure, "The compliance profile #{profile} was not found on the configured compliance server"
+        end
+        profile_fetch_url = Compliance::API.target_url(config, profile)
+      end
+      # We need to pass the token to the fetcher
+      config['token'] = Compliance::API.get_token(config)
+
+      # Needed for automate2 post request
+      profile_stub = profile || target[:compliance]
+      config['profile'] = Compliance::API.profile_split(profile_stub)
+
+      new(profile_fetch_url, config)
+    rescue URI::Error => _e
+      nil
+    end
+
+    # We want to save compliance: in the lockfile rather than url: to
+    # make sure we go back through the Compliance API handling.
+    def resolved_source
+      @resolved_source ||= {
+        compliance: compliance_profile_name,
+        url: @target,
+        sha256: sha256,
+      }
+    end
+
+    def to_s
+      'Chef Compliance Profile Loader'
+    end
+
+    private
+
+    # determine the owner_id and the profile name from the url
+    def compliance_profile_name
+      m = if Compliance::API.is_automate_server_pre_080?(@config)
+            %r{^#{@config['server']}/(?<owner>[^/]+)/(?<id>[^/]+)/tar$}
+          elsif Compliance::API.is_automate_server_080_and_later?(@config)
+            %r{^#{@config['server']}/profiles/(?<owner>[^/]+)/(?<id>[^/]+)/tar$}
+          else
+            %r{^#{@config['server']}/owners/(?<owner>[^/]+)/compliance/(?<id>[^/]+)/tar$}
+          end.match(@target)
+
+      raise 'Unable to determine compliance profile name. This can be caused by ' \
+        'an incorrect server in your configuration. Try to login to compliance ' \
+        'via the `inspec compliance login` command.' if m.nil?
+
+      "#{m[:owner]}/#{m[:id]}"
+    end
+  end
+end

data/lib/bundles/inspec-compliance/test/integration/default/cli.rb

@@ -0,0 +1,93 @@
+# encoding: utf-8
+
+# options
+inspec_bin = 'BUNDLE_GEMFILE=/inspec/Gemfile bundle exec inspec'
+api_url = 'https://0.0.0.0'
+profile = '/inspec/examples/profile'
+
+user = command('whoami').stdout.strip
+pwd = command('pwd').stdout.strip
+puts "Run test as #{user} in path #{pwd}"
+
+# TODO: determine tokens automatically, define in kitchen yml
+access_token = ENV['COMPLIANCE_ACCESSTOKEN']
+refresh_token = ENV['COMPLIANCE_REFRESHTOKEN']
+
+%w{refresh_token access_token}.each do |type| # rubocop:disable Metrics/BlockLength
+  case type
+  when 'access_token'
+    token_options = "--token '#{access_token}'"
+  when 'refresh_token'
+    token_options = "--refresh_token '#{refresh_token}'"
+  end
+
+  # verifies that the help command works
+  describe command("#{inspec_bin} compliance help") do
+    its('stdout') { should include 'inspec compliance help [COMMAND]' }
+    its('stderr') { should eq '' }
+    its('exit_status') { should eq 0 }
+  end
+
+  # version command fails gracefully when server not configured
+  describe command("#{inspec_bin} compliance version") do
+    its('stdout') { should include 'Server configuration information is missing' }
+    its('stderr') { should eq '' }
+    its('exit_status') { should eq 1 }
+  end
+
+  # submitting a wrong token should have an exit of 0
+  describe command("#{inspec_bin} compliance login #{api_url} --insecure --user 'admin' --token 'wrong-token'") do
+    its('stdout') { should include 'token stored' }
+  end
+
+  # compliance login --help should give an accurate message for login
+  describe command("#{inspec_bin} compliance login --help") do
+    its('stdout') { should include "inspec compliance login SERVER --insecure --user='USER' --token='TOKEN'" }
+    its('exit_status') { should eq 0 }
+  end
+
+  # profiles command fails gracefully when token/server info is incorrect
+  describe command("#{inspec_bin} compliance profiles") do
+    its('stdout') { should include '401 Unauthorized. Please check your token' }
+    its('stderr') { should eq '' }
+    its('exit_status') { should eq 1 }
+  end
+
+  # login via access token token
+  describe command("#{inspec_bin} compliance login #{api_url} --insecure --user 'admin' #{token_options}") do
+    its('stdout') { should include 'token', 'stored' }
+    its('stdout') { should_not include 'Your server supports --user and --password only' }
+    its('stderr') { should eq '' }
+    its('exit_status') { should eq 0 }
+  end
+
+  # see available resources
+  describe command("#{inspec_bin} compliance profiles") do
+    its('stdout') { should include 'base/ssh' }
+    its('stderr') { should eq '' }
+    its('exit_status') { should eq 0 }
+  end
+
+  # upload a compliance profile
+  describe command("#{inspec_bin} compliance upload #{profile} --overwrite") do
+    its('stdout') { should include 'Profile is valid' }
+    its('stdout') { should include 'Successfully uploaded profile' }
+    its('stdout') { should_not include 'error(s)' }
+    its('stderr') { should eq '' }
+    its('exit_status') { should eq 0 }
+  end
+
+  # returns the version of the server
+  describe command("#{inspec_bin} compliance version") do
+    its('stdout') { should include 'Chef Compliance version:' }
+    its('stderr') { should eq '' }
+    its('exit_status') { should eq 0 }
+  end
+
+  # logout
+  describe command("#{inspec_bin} compliance logout") do
+    its('stdout') { should include 'Successfully logged out' }
+    its('stderr') { should eq '' }
+    its('exit_status') { should eq 0 }
+  end
+end