inspec-core 2.3.5 → 2.3.10

data/lib/bundles/inspec-compliance/http.rb

@@ -1,116 +1,4 @@
-# encoding: utf-8
-# author: Christoph Hartmann
-# author: Dominik Richter
+# This file has been moved to the v2.0 plugins. This redirect allows for legacy use.
+# TODO: Remove in inspec 4.0
 
-require 'net/http'
-require 'net/http/post/multipart'
-require 'uri'
-
-module Compliance
-  # implements a simple http abstraction on top of Net::HTTP
-  class HTTP
-    # generic get requires
-    def self.get(url, headers = nil, insecure)
-      uri = _parse_url(url)
-      req = Net::HTTP::Get.new(uri.path)
-      headers&.each do |key, value|
-        req.add_field(key, value)
-      end
-      send_request(uri, req, insecure)
-    end
-
-    # generic post request
-    def self.post(url, token, insecure, basic_auth = false)
-      # form request
-      uri = _parse_url(url)
-      req = Net::HTTP::Post.new(uri.path)
-      if basic_auth
-        req.basic_auth token, ''
-      else
-        req['Authorization'] = "Bearer #{token}"
-      end
-      req.form_data={}
-
-      send_request(uri, req, insecure)
-    end
-
-    def self.post_with_headers(url, headers, body, insecure)
-      uri = _parse_url(url)
-      req = Net::HTTP::Post.new(uri.path)
-      req.body = body unless body.nil?
-      headers&.each do |key, value|
-        req.add_field(key, value)
-      end
-      send_request(uri, req, insecure)
-    end
-
-    # post a file
-    def self.post_file(url, headers, file_path, insecure)
-      uri = _parse_url(url)
-      raise "Unable to parse URL: #{url}" if uri.nil? || uri.host.nil?
-      http = Net::HTTP.new(uri.host, uri.port)
-
-      # set connection flags
-      http.use_ssl = (uri.scheme == 'https')
-      http.verify_mode = OpenSSL::SSL::VERIFY_NONE if insecure
-
-      req = Net::HTTP::Post.new(uri.path)
-      headers.each do |key, value|
-        req.add_field(key, value)
-      end
-
-      req.body_stream=File.open(file_path, 'rb')
-      req.add_field('Content-Length', File.size(file_path))
-      req.add_field('Content-Type', 'application/x-gzip')
-
-      boundary = 'INSPEC-PROFILE-UPLOAD'
-      req.add_field('session', boundary)
-      res=http.request(req)
-      res
-    end
-
-    def self.post_multipart_file(url, headers, file_path, insecure)
-      uri = _parse_url(url)
-      raise "Unable to parse URL: #{url}" if uri.nil? || uri.host.nil?
-      http = Net::HTTP.new(uri.host, uri.port)
-
-      # set connection flags
-      http.use_ssl = (uri.scheme == 'https')
-      http.verify_mode = OpenSSL::SSL::VERIFY_NONE if insecure
-
-      File.open(file_path) do |tar|
-        req = Net::HTTP::Post::Multipart.new(uri, 'file' => UploadIO.new(tar, 'application/x-gzip', File.basename(file_path)))
-        headers.each do |key, value|
-          req.add_field(key, value)
-        end
-        res = http.request(req)
-        return res
-      end
-    end
-
-    # sends a http requests
-    def self.send_request(uri, req, insecure)
-      opts = {
-        use_ssl: uri.scheme == 'https',
-      }
-      opts[:verify_mode] = OpenSSL::SSL::VERIFY_NONE if insecure
-
-      raise "Unable to parse URI: #{uri}" if uri.nil? || uri.host.nil?
-      res = Net::HTTP.start(uri.host, uri.port, opts) { |http|
-        http.request(req)
-      }
-      res
-    rescue OpenSSL::SSL::SSLError => e
-      raise e unless e.message.include? 'certificate verify failed'
-
-      puts "Error: Failed to connect to #{uri}."
-      puts 'If the server uses a self-signed certificate, please re-run the login command with the --insecure option.'
-      exit 1
-    end
-
-    def self._parse_url(url)
-      url = "https://#{url}" if URI.parse(url).scheme.nil?
-      URI.parse(url)
-    end
-  end
-end
+require 'plugins/inspec-compliance/lib/inspec-compliance/http'

data/lib/bundles/inspec-compliance/support.rb

@@ -1,36 +1,4 @@
-# encoding: utf-8
-# author: Christoph Hartmann
-# author: Dominik Richter
+# This file has been moved to the v2.0 plugins. This redirect allows for legacy use.
+# TODO: Remove in inspec 4.0
 
-module Compliance
-  # is a helper that provides information which version of compliance supports
-  # which feature
-  class Support
-    # for a feature, returns either:
-    #  - a version v0:                      v supports v0       iff v0 <= v
-    #  - an array [v0, v1] of two versions: v supports [v0, v1] iff v0 <= v < v1
-    def self.version_with_support(feature)
-      case feature.to_sym
-      when :oidc # open id connect authentication
-        Gem::Version.new('0.16.19')
-      else
-        Gem::Version.new('0.0.0')
-      end
-    end
-
-    # determines if the given version support a certain feature
-    def self.supported?(feature, version)
-      sup = version_with_support(feature)
-
-      if sup.is_a?(Array)
-        Gem::Version.new(version) >= sup[0] &&
-          Gem::Version.new(version) < sup[1]
-      else
-        Gem::Version.new(version) >= sup
-      end
-    end
-
-    # we do not know the version, therefore we do not know if its possible to use the feature
-    # return if self['version'].nil? || self['version']['version'].nil?
-  end
-end
+require 'plugins/inspec-compliance/lib/inspec-compliance/support'

data/lib/bundles/inspec-compliance/target.rb

@@ -1,143 +1,4 @@
-# encoding: utf-8
-# author: Christoph Hartmann
-# author: Dominik Richter
+# This file has been moved to the v2.0 plugins. This redirect allows for legacy use.
+# TODO: Remove in inspec 4.0
 
-require 'uri'
-require 'inspec/fetcher'
-require 'inspec/errors'
-
-# InSpec Target Helper for Chef Compliance
-# reuses UrlHelper, but it knows the target server and the access token already
-# similar to `inspec exec http://localhost:2134/owners/%base%/compliance/%ssh%/tar --user %token%`
-module Compliance
-  class Fetcher < Fetchers::Url
-    name 'compliance'
-    priority 500
-    attr_reader :upstream_sha256
-
-    def initialize(target, opts)
-      super(target, opts)
-      @upstream_sha256 = ''
-      if target.is_a?(Hash) && target.key?(:url)
-        @target = target[:url]
-        @upstream_sha256 = target[:sha256]
-      elsif target.is_a?(String)
-        @target = target
-      end
-    end
-
-    def sha256
-      upstream_sha256.empty? ? super : upstream_sha256
-    end
-
-    def self.check_compliance_token(uri, config)
-      if config['token'].nil? && config['refresh_token'].nil?
-        if config['server_type'] == 'automate'
-          server = 'automate'
-          msg = 'inspec compliance login https://your_automate_server --user USER --ent ENT --dctoken DCTOKEN or --token USERTOKEN'
-        elsif config['server_type'] == 'automate2'
-          server = 'automate2'
-          msg = 'inspec compliance login https://your_automate2_server --user USER --token APITOKEN'
-        else
-          server = 'compliance'
-          msg = "inspec compliance login https://your_compliance_server --user admin --insecure --token 'PASTE TOKEN HERE' "
-        end
-        raise Inspec::FetcherFailure, <<~EOF
-
-          Cannot fetch #{uri} because your #{server} token has not been
-          configured.
-
-          Please login using
-
-              #{msg}
-        EOF
-      end
-    end
-
-    def self.get_target_uri(target)
-      if target.is_a?(String) && URI(target).scheme == 'compliance'
-        URI(target)
-      elsif target.respond_to?(:key?) && target.key?(:compliance)
-        URI("compliance://#{target[:compliance]}")
-      end
-    end
-
-    def self.resolve(target)
-      uri = get_target_uri(target)
-      return nil if uri.nil?
-
-      config = Compliance::Configuration.new
-      profile = Compliance::API.sanitize_profile_name(uri)
-      profile_fetch_url = Compliance::API.target_url(config, profile)
-      # we have detailed information available in our lockfile, no need to ask the server
-      if target.respond_to?(:key?) && target.key?(:sha256)
-        profile_checksum = target[:sha256]
-      else
-        check_compliance_token(uri, config)
-        # verifies that the target e.g base/ssh exists
-        # Call profiles directly instead of exist? to capture the results
-        # so we can access the upstream sha256 from the results.
-        _msg, profile_result = Compliance::API.profiles(config, profile)
-        if profile_result.empty?
-          raise Inspec::FetcherFailure, "The compliance profile #{profile} was not found on the configured compliance server"
-        else
-          # Guarantee sorting by verison and grab the latest.
-          # If version was specified, it will be the first and only result.
-          # Note we are calling the sha256 as a string, not a symbol since
-          # it was returned as json from the Compliance API.
-          profile_info = profile_result.sort_by { |x| Gem::Version.new(x['version']) }[0]
-          profile_checksum = profile_info.key?('sha256') ? profile_info['sha256'] : ''
-        end
-      end
-      # We need to pass the token to the fetcher
-      config['token'] = Compliance::API.get_token(config)
-
-      # Needed for automate2 post request
-      profile_stub = profile || target[:compliance]
-      config['profile'] = Compliance::API.profile_split(profile_stub)
-
-      new({ url: profile_fetch_url, sha256: profile_checksum }, config)
-    rescue URI::Error => _e
-      nil
-    end
-
-    # We want to save compliance: in the lockfile rather than url: to
-    # make sure we go back through the Compliance API handling.
-    def resolved_source
-      @resolved_source ||= {
-        compliance: compliance_profile_name,
-        url: @target,
-        sha256: sha256,
-      }
-    end
-
-    def to_s
-      'Chef Compliance Profile Loader'
-    end
-
-    private
-
-    # determine the owner_id and the profile name from the url
-    def compliance_profile_name
-      m = if Compliance::API.is_automate_server_pre_080?(@config)
-            %r{^#{@config['server']}/(?<owner>[^/]+)/(?<id>[^/]+)/tar$}
-          elsif Compliance::API.is_automate_server_080_and_later?(@config)
-            %r{^#{@config['server']}/profiles/(?<owner>[^/]+)/(?<id>[^/]+)/tar$}
-          else
-            %r{^#{@config['server']}/owners/(?<owner>[^/]+)/compliance/(?<id>[^/]+)/tar$}
-          end.match(@target)
-
-      if Compliance::API.is_automate2_server?(@config)
-        m = {}
-        m[:owner] = @config['profile'][0]
-        m[:id] = @config['profile'][1]
-      end
-
-      raise 'Unable to determine compliance profile name. This can be caused by ' \
-        'an incorrect server in your configuration. Try to login to compliance ' \
-        'via the `inspec compliance login` command.' if m.nil?
-
-      "#{m[:owner]}/#{m[:id]}"
-    end
-  end
-end
+require 'plugins/inspec-compliance/lib/inspec-compliance/target'

data/lib/inspec/base_cli.rb

@@ -292,7 +292,10 @@ module Inspec
       end
 
       # check for compliance settings
-      Compliance::API.login(o['compliance']) if o['compliance']
+      if o['compliance']
+        require 'plugins/inspec-compliance/lib/inspec-compliance/api'
+        InspecPlugins::Compliance::API.login(o['compliance'])
+      end
 
       o
     end

data/lib/inspec/cli.rb

@@ -221,7 +221,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI
   option :depends, type: :array, default: [],
     desc: 'A space-delimited list of local folders containing profiles whose libraries and resources will be loaded into the new shell'
   option :distinct_exit, type: :boolean, default: true,
-    desc: 'Exit with code 101 if any tests fail, and 100 if any are skipped (default).  If disabled, exit 0 on skips and 1 for failures.'
+    desc: 'Exit with code 100 if any tests fail, and 101 if any are skipped but none failed (default).  If disabled, exit 0 on skips and 1 for failures.'
   def shell_func
     o = opts(:shell).dup
     diagnose(o)

data/lib/inspec/control_eval_context.rb

@@ -142,8 +142,8 @@ module Inspec
         end
 
         # method for attributes; import attribute handling
-        define_method :attribute do |name, options = {}|
-          if options.empty?
+        define_method :attribute do |name, options = nil|
+          if options.nil?
             Inspec::AttributeRegistry.find_attribute(name, profile_id).value
           else
             profile_context_owner.register_attribute(name, options)

data/lib/inspec/version.rb

@@ -4,5 +4,5 @@
 # author: Christoph Hartmann
 
 module Inspec
-  VERSION = '2.3.5'
+  VERSION = '2.3.10'
 end

data/lib/matchers/matchers.rb

@@ -294,13 +294,13 @@ RSpec::Matchers.define :cmp do |first_expected| # rubocop:disable Metrics/BlockL
   end
 
   failure_message do |actual|
-    actual = ('0' + actual.to_s(8)).inspect if octal?(@expected)
-    "\n" + format_expectation(false) + "\n     got: #{actual}\n\n(compared using `cmp` matcher)\n"
+    actual = ('0' + actual.to_s(8)) if octal?(@expected)
+    "\n" + format_expectation(false) + "\n     got: #{actual.inspect}\n\n(compared using `cmp` matcher)\n"
   end
 
   failure_message_when_negated do |actual|
     actual = ('0' + actual.to_s(8)).inspect if octal?(@expected)
-    "\n" + format_expectation(true) + "\n     got: #{actual}\n\n(compared using `cmp` matcher)\n"
+    "\n" + format_expectation(true) + "\n     got: #{actual.inspect}\n\n(compared using `cmp` matcher)\n"
   end
 
   description do

data/lib/plugins/inspec-compliance/lib/inspec-compliance.rb

@@ -0,0 +1,12 @@
+module InspecPlugins
+  module Compliance
+    class Plugin < Inspec.plugin(2)
+      plugin_name :'inspec-compliance'
+
+      cli_command :compliance do
+        require_relative 'inspec-compliance/cli'
+        InspecPlugins::Compliance::CLI
+      end
+    end
+  end
+end

data/lib/plugins/inspec-compliance/lib/inspec-compliance/api.rb

@@ -0,0 +1,358 @@
+# encoding: utf-8
+
+require 'net/http'
+require 'uri'
+require 'json'
+
+require_relative 'api/login'
+require_relative 'configuration'
+require_relative 'http'
+require_relative 'target'
+require_relative 'support'
+
+module InspecPlugins
+  module Compliance
+    class ServerConfigurationMissing < StandardError; end
+
+    # API Implementation does not hold any state by itself,
+    # everything will be stored in local Configuration store
+    class API
+      extend InspecPlugins::Compliance::API::Login
+
+      # return all compliance profiles available for the user
+      # the user is either specified in the options hash or by default
+      # the username of the account is used that is logged in
+      def self.profiles(config, profile_filter = nil) # rubocop:disable PerceivedComplexity, Metrics/CyclomaticComplexity, Metrics/AbcSize, Metrics/MethodLength
+        owner = config['owner'] || config['user']
+
+        # Chef Compliance
+        if is_compliance_server?(config)
+          url = "#{config['server']}/user/compliance"
+        # Chef Automate2
+        elsif is_automate2_server?(config)
+          url = "#{config['server']}/compliance/profiles/search"
+        # Chef Automate
+        elsif is_automate_server?(config)
+          url = "#{config['server']}/profiles/#{owner}"
+        else
+          raise ServerConfigurationMissing
+        end
+
+        headers = get_headers(config)
+        if profile_filter
+          _owner, id, ver = profile_split(profile_filter)
+        else
+          id, ver = nil
+        end
+
+        if is_automate2_server?(config)
+          body = { owner: owner, name: id }.to_json
+          response = InspecPlugins::Compliance::HTTP.post_with_headers(url, headers, body, config['insecure'])
+        else
+          response = InspecPlugins::Compliance::HTTP.get(url, headers, config['insecure'])
+        end
+        data = response.body
+        response_code = response.code
+        case response_code
+        when '200'
+          msg = 'success'
+          profiles = JSON.parse(data)
+          # iterate over profiles
+          if is_compliance_server?(config)
+            mapped_profiles = []
+            profiles.values.each { |org|
+              mapped_profiles += org.values
+            }
+          # Chef Automate pre 0.8.0
+          elsif is_automate_server_pre_080?(config)
+            mapped_profiles = profiles.values.flatten
+          elsif is_automate2_server?(config)
+            mapped_profiles = []
+            profiles['profiles'].each { |p|
+              mapped_profiles << p
+            }
+          else
+            mapped_profiles = profiles.map { |e|
+              e['owner_id'] = owner
+              e
+            }
+          end
+          # filter by name and version if they were specified in profile_filter
+          mapped_profiles.select! do |p|
+            (!ver || p['version'] == ver) && (!id || p['name'] == id)
+          end
+          return msg, mapped_profiles
+        when '401'
+          msg = '401 Unauthorized. Please check your token.'
+          return msg, []
+        else
+          msg = "An unexpected error occurred (HTTP #{response_code}): #{response.message}"
+          return msg, []
+        end
+      end
+
+      # return the server api version
+      # NB this method does not use Compliance::Configuration to allow for using
+      # it before we know the version (e.g. oidc or not)
+      def self.version(config)
+        url = config['server']
+        insecure = config['insecure']
+
+        raise ServerConfigurationMissing if url.nil?
+
+        headers = get_headers(config)
+        response = InspecPlugins::Compliance::HTTP.get(url+'/version', headers, insecure)
+        return {} if response.code == '404'
+
+        data = response.body
+        return {} if data.nil? || data.empty?
+
+        parsed = JSON.parse(data)
+        return {} unless parsed.key?('version') && !parsed['version'].empty?
+
+        parsed
+      end
+
+      # verifies that a profile exists
+      def self.exist?(config, profile)
+        _msg, profiles = InspecPlugins::Compliance::API.profiles(config, profile)
+        !profiles.empty?
+      end
+
+      def self.upload(config, owner, profile_name, archive_path)
+        # Chef Compliance
+        if is_compliance_server?(config)
+          url = "#{config['server']}/owners/#{owner}/compliance/#{profile_name}/tar"
+        # Chef Automate pre 0.8.0
+        elsif is_automate_server_pre_080?(config)
+          url = "#{config['server']}/#{owner}"
+        elsif is_automate2_server?(config)
+          url = "#{config['server']}/compliance/profiles?owner=#{owner}"
+        # Chef Automate
+        else
+          url = "#{config['server']}/profiles/#{owner}"
+        end
+
+        headers = get_headers(config)
+        if is_automate2_server?(config)
+          res = InspecPlugins::Compliance::HTTP.post_multipart_file(url, headers, archive_path, config['insecure'])
+        else
+          res = InspecPlugins::Compliance::HTTP.post_file(url, headers, archive_path, config['insecure'])
+        end
+
+        [res.is_a?(Net::HTTPSuccess), res.body]
+      end
+
+      # Use username and refresh_token to get an API access token
+      def self.get_token_via_refresh_token(url, refresh_token, insecure)
+        uri = URI.parse("#{url}/login")
+        req = Net::HTTP::Post.new(uri.path)
+        req.body = { token: refresh_token }.to_json
+        access_token = nil
+        response = InspecPlugins::Compliance::HTTP.send_request(uri, req, insecure)
+        data = response.body
+        if response.code == '200'
+          begin
+            tokendata = JSON.parse(data)
+            access_token = tokendata['access_token']
+            msg = 'Successfully fetched API access token'
+            success = true
+          rescue JSON::ParserError => e
+            success = false
+            msg = e.message
+          end
+        else
+          success = false
+          msg = "Failed to authenticate to #{url} \n\
+    Response code: #{response.code}\n  Body: #{response.body}"
+        end
+
+        [success, msg, access_token]
+      end
+
+      # Use username and password to get an API access token
+      def self.get_token_via_password(url, username, password, insecure)
+        uri = URI.parse("#{url}/login")
+        req = Net::HTTP::Post.new(uri.path)
+        req.body = { userid: username, password: password }.to_json
+        access_token = nil
+        response = InspecPlugins::Compliance::HTTP.send_request(uri, req, insecure)
+        data = response.body
+        if response.code == '200'
+          access_token = data
+          msg = 'Successfully fetched an API access token valid for 12 hours'
+          success = true
+        else
+          success = false
+          msg = "Failed to authenticate to #{url} \n\
+    Response code: #{response.code}\n  Body: #{response.body}"
+        end
+
+        [success, msg, access_token]
+      end
+
+      def self.get_headers(config)
+        token = get_token(config)
+        if is_automate_server?(config) || is_automate2_server?(config)
+          headers = { 'chef-delivery-enterprise' => config['automate']['ent'] }
+          if config['automate']['token_type'] == 'dctoken'
+            headers['x-data-collector-token'] = token
+          else
+            headers['chef-delivery-user'] = config['user']
+            headers['chef-delivery-token'] = token
+          end
+        else
+          headers = { 'Authorization' => "Bearer #{token}" }
+        end
+        headers
+      end
+
+      def self.get_token(config)
+        return config['token'] unless config['refresh_token']
+        _success, _msg, token = get_token_via_refresh_token(config['server'], config['refresh_token'], config['insecure'])
+        token
+      end
+
+      def self.target_url(config, profile)
+        owner, id, ver = profile_split(profile)
+
+        return "#{config['server']}/compliance/profiles/tar" if is_automate2_server?(config)
+        return "#{config['server']}/owners/#{owner}/compliance/#{id}/tar" unless is_automate_server?(config)
+
+        if ver.nil?
+          "#{config['server']}/profiles/#{owner}/#{id}/tar"
+        else
+          "#{config['server']}/profiles/#{owner}/#{id}/version/#{ver}/tar"
+        end
+      end
+
+      def self.profile_split(profile)
+        owner, id = profile.split('/')
+        id, version = id.split('#')
+        [owner, id, version]
+      end
+
+      # returns a parsed url for `admin/profile` or `compliance://admin/profile`
+      def self.sanitize_profile_name(profile)
+        if URI(profile).scheme == 'compliance'
+          uri = URI(profile)
+        else
+          uri = URI("compliance://#{profile}")
+        end
+        uri.to_s.sub(%r{^compliance:\/\/}, '')
+      end
+
+      def self.is_compliance_server?(config)
+        config['server_type'] == 'compliance'
+      end
+
+      def self.is_automate_server_pre_080?(config)
+        # Automate versions before 0.8.x do not have a valid version in the config
+        return false unless config['server_type'] == 'automate'
+        server_version_from_config(config).nil?
+      end
+
+      def self.is_automate_server_080_and_later?(config)
+        # Automate versions 0.8.x and later will have a "version" key in the config
+        # that is properly parsed out via server_version_from_config below
+        return false unless config['server_type'] == 'automate'
+        !server_version_from_config(config).nil?
+      end
+
+      def self.is_automate2_server?(config)
+        config['server_type'] == 'automate2'
+      end
+
+      def self.is_automate_server?(config)
+        config['server_type'] == 'automate'
+      end
+
+      def self.server_version_from_config(config)
+        # Automate versions 0.8.x and later will have a "version" key in the config
+        # that looks like: "version":{"api":"compliance","version":"0.8.24"}
+        return nil unless config.key?('version')
+        return nil unless config['version'].is_a?(Hash)
+        config['version']['version']
+      end
+
+      def self.determine_server_type(url, insecure)
+        if target_is_automate2_server?(url, insecure)
+          :automate2
+        elsif target_is_automate_server?(url, insecure)
+          :automate
+        elsif target_is_compliance_server?(url, insecure)
+          :compliance
+        else
+          Inspec::Log.debug('Could not determine server type using known endpoints')
+          nil
+        end
+      end
+
+      def self.target_is_automate2_server?(url, insecure)
+        automate_endpoint = '/dex/auth'
+        response = InspecPlugins::Compliance::HTTP.get(url + automate_endpoint, nil, insecure)
+        if response.code == '400'
+          Inspec::Log.debug(
+            "Received 400 from #{url}#{automate_endpoint} - " \
+            'assuming target is a Chef Automate2 instance',
+          )
+          true
+        else
+          false
+        end
+      end
+
+      def self.target_is_automate_server?(url, insecure)
+        automate_endpoint = '/compliance/version'
+        response = InspecPlugins::Compliance::HTTP.get(url + automate_endpoint, nil, insecure)
+        case response.code
+        when '401'
+          Inspec::Log.debug(
+            "Received 401 from #{url}#{automate_endpoint} - " \
+            'assuming target is a Chef Automate instance',
+          )
+          true
+        when '200'
+          # Chef Automate currently returns 401 for `/compliance/version` but some
+          # versions of OpsWorks Chef Automate return 200 and a Chef Manage page
+          # when unauthenticated requests are received.
+          if response.body.include?('Are You Looking For the Chef Server?')
+            Inspec::Log.debug(
+              "Received 200 from #{url}#{automate_endpoint} - " \
+              'assuming target is an OpsWorks Chef Automate instance',
+            )
+            true
+          else
+            Inspec::Log.debug(
+              "Received 200 from #{url}#{automate_endpoint} " \
+              'but did not receive the Chef Manage page - ' \
+              'assuming target is not a Chef Automate instance',
+            )
+            false
+          end
+        else
+          Inspec::Log.debug(
+            "Received unexpected status code #{response.code} " \
+            "from #{url}#{automate_endpoint} - " \
+            'assuming target is not a Chef Automate instance',
+          )
+          false
+        end
+      end
+
+      def self.target_is_compliance_server?(url, insecure)
+        # All versions of Chef Compliance return 200 for `/api/version`
+        compliance_endpoint = '/api/version'
+
+        response = InspecPlugins::Compliance::HTTP.get(url + compliance_endpoint, nil, insecure)
+        return false unless response.code == '200'
+
+        Inspec::Log.debug(
+          "Received 200 from #{url}#{compliance_endpoint} - " \
+          'assuming target is a Compliance server',
+        )
+        true
+      end
+    end
+  end
+end