inspec-core 2.3.5 → 2.3.10

data/lib/plugins/inspec-compliance/lib/inspec-compliance/api/login.rb

@@ -0,0 +1,192 @@
+# encoding: utf-8
+
+module InspecPlugins
+  module Compliance
+    class API
+      module Login
+        class CannotDetermineServerType < StandardError; end
+
+        def login(options)
+          raise ArgumentError, 'Please specify a server using `inspec compliance login https://SERVER`' unless options['server']
+
+          options['server'] = URI("https://#{options['server']}").to_s if URI(options['server']).scheme.nil?
+
+          options['server_type'] = InspecPlugins::Compliance::API.determine_server_type(options['server'], options['insecure'])
+
+          case options['server_type']
+          when :automate2
+            Login::Automate2Server.login(options)
+          when :automate
+            Login::AutomateServer.login(options)
+          when :compliance
+            Login::ComplianceServer.login(options)
+          else
+            raise CannotDetermineServerType, "Unable to determine if #{options['server']} is a Chef Automate or Chef Compliance server"
+          end
+        end
+
+        module Automate2Server
+          def self.login(options)
+            verify_thor_options(options)
+
+            options['url'] = options['server'] + '/api/v0'
+            token = options['dctoken'] || options['token']
+            store_access_token(options, token)
+          end
+
+          def self.store_access_token(options, token)
+            config = InspecPlugins::Compliance::Configuration.new
+            config.clean
+
+            config['automate'] = {}
+            config['automate']['ent'] = 'automate'
+            config['automate']['token_type'] = 'dctoken'
+            config['server'] = options['url']
+            config['user'] = options['user']
+            config['owner'] = options['user']
+            config['insecure'] = options['insecure'] || false
+            config['server_type'] = options['server_type'].to_s
+            config['token'] = token
+            config['version'] = '0'
+
+            config.store
+            config
+          end
+
+          def self.verify_thor_options(o)
+            error_msg = []
+
+            error_msg.push('Please specify a user using `--user=\'USER\'`') if o['user'].nil?
+
+            if o['token'].nil? && o['dctoken'].nil?
+              error_msg.push('Please specify a token using `--token=\'APITOKEN\'`')
+            end
+
+            raise ArgumentError, error_msg.join("\n") unless error_msg.empty?
+          end
+        end
+
+        module AutomateServer
+          def self.login(options)
+            verify_thor_options(options)
+
+            options['url'] = options['server'] + '/compliance'
+            token = options['dctoken'] || options['token']
+            store_access_token(options, token)
+          end
+
+          def self.store_access_token(options, token)
+            token_type = if options['token']
+                           'usertoken'
+                         else
+                           'dctoken'
+                         end
+
+            config = InspecPlugins::Compliance::Configuration.new
+
+            config.clean
+
+            config['automate'] = {}
+            config['automate']['ent'] = options['ent']
+            config['automate']['token_type'] = token_type
+            config['server'] = options['url']
+            config['user'] = options['user']
+            config['insecure'] = options['insecure'] || false
+            config['server_type'] = options['server_type'].to_s
+            config['token'] = token
+            config['version'] = InspecPlugins::Compliance::API.version(config)
+
+            config.store
+            config
+          end
+
+          # Automate login requires `--ent`, `--user`, and either `--token` or `--dctoken`
+          def self.verify_thor_options(o)
+            error_msg = []
+
+            error_msg.push('Please specify a user using `--user=\'USER\'`') if o['user'].nil?
+            error_msg.push('Please specify an enterprise using `--ent=\'automate\'`') if o['ent'].nil?
+
+            if o['token'].nil? && o['dctoken'].nil?
+              error_msg.push('Please specify a token using `--token=\'AUTOMATE_TOKEN\'` or `--dctoken=\'DATA_COLLECTOR_TOKEN\'`')
+            end
+
+            raise ArgumentError, error_msg.join("\n") unless error_msg.empty?
+          end
+        end
+
+        module ComplianceServer
+          def self.login(options)
+            compliance_verify_thor_options(options)
+
+            options['url'] = options['server'] + '/api'
+
+            if options['user'] && options['token']
+              compliance_store_access_token(options, options['token'])
+            elsif options['user'] && options['password']
+              compliance_login_user_pass(options)
+            elsif options['refresh_token']
+              compliance_login_refresh_token(options)
+            end
+          end
+
+          def self.compliance_login_user_pass(options)
+            success, msg, token = InspecPlugins::Compliance::API.get_token_via_password(
+              options['url'],
+              options['user'],
+              options['password'],
+              options['insecure'],
+            )
+
+            raise msg unless success
+            compliance_store_access_token(options, token)
+          end
+
+          def self.compliance_login_refresh_token(options)
+            success, msg, token = InspecPlugins::Compliance::API.get_token_via_refresh_token(
+              options['url'],
+              options['refresh_token'],
+              options['insecure'],
+            )
+
+            raise msg unless success
+            compliance_store_access_token(options, token)
+          end
+
+          def self.compliance_store_access_token(options, token)
+            config = InspecPlugins::Compliance::Configuration.new
+            config.clean
+
+            config['user'] = options['user'] if options['user']
+            config['server'] = options['url']
+            config['insecure'] = options['insecure'] || false
+            config['server_type'] = options['server_type'].to_s
+            config['token'] = token
+            config['version'] = InspecPlugins::Compliance::API.version(config)
+
+            config.store
+            config
+          end
+
+          # Compliance login requires `--user` or `--refresh_token`
+          # If `--user` then either `--password`, `--token`, or `--refresh-token`, is required
+          def self.compliance_verify_thor_options(o)
+            error_msg = []
+
+            error_msg.push('Please specify a server using `inspec compliance login https://SERVER`') if o['server'].nil?
+
+            if o['user'].nil? && o['refresh_token'].nil?
+              error_msg.push('Please specify a `--user=\'USER\'` or a `--refresh-token=\'TOKEN\'`')
+            end
+
+            if o['user'] && o['password'].nil? && o['token'].nil? && o['refresh_token'].nil?
+              error_msg.push('Please specify either a `--password`, `--token`, or `--refresh-token`')
+            end
+
+            raise ArgumentError, error_msg.join("\n") unless error_msg.empty?
+          end
+        end
+      end
+    end
+  end
+end

data/lib/plugins/inspec-compliance/lib/inspec-compliance/cli.rb

@@ -0,0 +1,266 @@
+# encoding: utf-8
+
+require_relative 'api'
+
+module InspecPlugins
+  module Compliance
+    class CLI < Inspec.plugin(2, :cli_command)
+      subcommand_desc 'compliance SUBCOMMAND', 'Chef Compliance commands'
+
+      # desc "login https://SERVER --insecure --user='USER' --ent='ENTERPRISE' --token='TOKEN'", 'Log in to a Chef Compliance/Chef Automate SERVER'
+      desc 'login', 'Log in to a Chef Compliance/Chef Automate SERVER'
+      long_desc <<-LONGDESC
+        `login` allows you to use InSpec with Chef Automate or a Chef Compliance Server
+
+        You need to a token for communication. More information about token retrieval
+        is available at:
+          https://docs.chef.io/api_automate.html#authentication-methods
+          https://docs.chef.io/api_compliance.html#obtaining-an-api-token
+      LONGDESC
+      option :insecure, aliases: :k, type: :boolean,
+        desc: 'Explicitly allows InSpec to perform "insecure" SSL connections and transfers'
+      option :user, type: :string, required: false,
+        desc: 'Username'
+      option :password, type: :string, required: false,
+        desc: 'Password (Chef Compliance Only)'
+      option :token, type: :string, required: false,
+        desc: 'Access token'
+      option :refresh_token, type: :string, required: false,
+        desc: 'Chef Compliance refresh token (Chef Compliance Only)'
+      option :dctoken, type: :string, required: false,
+        desc: 'Data Collector token (Chef Automate Only)'
+      option :ent, type: :string, required: false,
+        desc: 'Enterprise for Chef Automate reporting (Chef Automate Only)'
+      def login(server)
+        options['server'] = server
+        InspecPlugins::Compliance::API.login(options)
+        config = InspecPlugins::Compliance::Configuration.new
+        puts "Stored configuration for Chef #{config['server_type'].capitalize}: #{config['server']}' with user: '#{config['user']}'"
+      end
+
+      desc 'profiles', 'list all available profiles in Chef Compliance'
+      option :owner, type: :string, required: false,
+        desc: 'owner whose profiles to list'
+      def profiles
+        config = InspecPlugins::Compliance::Configuration.new
+        return if !loggedin(config)
+
+        # set owner to config
+        config['owner'] = options['owner'] || config['user']
+
+        msg, profiles = InspecPlugins::Compliance::API.profiles(config)
+        profiles.sort_by! { |hsh| hsh['title'] }
+        if !profiles.empty?
+          # iterate over profiles
+          headline('Available profiles:')
+          profiles.each { |profile|
+            owner = profile['owner_id'] || profile['owner']
+            li("#{profile['title']} v#{profile['version']} (#{mark_text(owner + '/' + profile['name'])})")
+          }
+        else
+          puts msg if msg != 'success'
+          puts 'Could not find any profiles'
+          exit 1
+        end
+      rescue InspecPlugins::Compliance::ServerConfigurationMissing
+        STDERR.puts "\nServer configuration information is missing. Please login using `inspec compliance login`"
+        exit 1
+      end
+
+      desc 'exec PROFILE', 'executes a Chef Compliance profile'
+      exec_options
+      def exec(*tests)
+        config = InspecPlugins::Compliance::Configuration.new
+        return if !loggedin(config)
+        o = opts(:exec).dup
+        diagnose(o)
+        configure_logger(o)
+
+        # iterate over tests and add compliance scheme
+        tests = tests.map { |t| 'compliance://' + InspecPlugins::Compliance::API.sanitize_profile_name(t) }
+
+        runner = Inspec::Runner.new(o)
+        tests.each { |target| runner.add_target(target) }
+
+        exit runner.run
+      rescue ArgumentError, RuntimeError, Train::UserError => e
+        $stderr.puts e.message
+        exit 1
+      end
+
+      desc 'download PROFILE', 'downloads a profile from Chef Compliance'
+      option :name, type: :string,
+        desc: 'Name of the archive filename (file type will be added)'
+      def download(profile_name)
+        o = options.dup
+        configure_logger(o)
+
+        config = InspecPlugins::Compliance::Configuration.new
+        return if !loggedin(config)
+
+        profile_name = InspecPlugins::Compliance::API.sanitize_profile_name(profile_name)
+        if InspecPlugins::Compliance::API.exist?(config, profile_name)
+          puts "Downloading `#{profile_name}`"
+
+          fetcher = InspecPlugins::Compliance::Fetcher.resolve(
+            {
+              compliance: profile_name,
+            },
+          )
+
+          # we provide a name, the fetcher adds the extension
+          _owner, id = profile_name.split('/')
+          file_name = fetcher.fetch(o.name || id)
+          puts "Profile stored to #{file_name}"
+        else
+          puts "Profile #{profile_name} is not available in Chef Compliance."
+          exit 1
+        end
+      end
+
+      desc 'upload PATH', 'uploads a local profile to Chef Compliance'
+      option :overwrite, type: :boolean, default: false,
+        desc: 'Overwrite existing profile on Server.'
+      option :owner, type: :string, required: false,
+        desc: 'Owner that should own the profile'
+      def upload(path) # rubocop:disable Metrics/MethodLength, Metrics/AbcSize, PerceivedComplexity, Metrics/CyclomaticComplexity
+        config = InspecPlugins::Compliance::Configuration.new
+        return if !loggedin(config)
+
+        # set owner to config
+        config['owner'] = options['owner'] || config['user']
+
+        unless File.exist?(path)
+          puts "Directory #{path} does not exist."
+          exit 1
+        end
+
+        vendor_deps(path, options) if File.directory?(path)
+
+        o = options.dup
+        configure_logger(o)
+
+        # only run against the mock backend, otherwise we run against the local system
+        o[:backend] = Inspec::Backend.create(target: 'mock://')
+        o[:check_mode] = true
+        o[:vendor_cache] = Inspec::Cache.new(o[:vendor_cache])
+
+        # check the profile, we only allow to upload valid profiles
+        profile = Inspec::Profile.for_target(path, o)
+
+        # start verification process
+        error_count = 0
+        error = lambda { |msg|
+          error_count += 1
+          puts msg
+        }
+
+        result = profile.check
+        unless result[:summary][:valid]
+          error.call('Profile check failed. Please fix the profile before upload.')
+        else
+          puts('Profile is valid')
+        end
+
+        # determine user information
+        if (config['token'].nil? && config['refresh_token'].nil?) || config['user'].nil?
+          error.call('Please login via `inspec compliance login`')
+        end
+
+        # read profile name from inspec.yml
+        profile_name = profile.params[:name]
+
+        # read profile version from inspec.yml
+        profile_version = profile.params[:version]
+
+        # check that the profile is not uploaded already,
+        # confirm upload to the user (overwrite with --force)
+        if InspecPlugins::Compliance::API.exist?(config, "#{config['owner']}/#{profile_name}##{profile_version}") && !options['overwrite']
+          error.call('Profile exists on the server, use --overwrite')
+        end
+
+        # abort if we found an error
+        if error_count > 0
+          puts "Found #{error_count} error(s)"
+          exit 1
+        end
+
+        # if it is a directory, tar it to tmp directory
+        generated = false
+        if File.directory?(path)
+          generated = true
+          archive_path = Dir::Tmpname.create([profile_name, '.tar.gz']) {}
+          puts "Generate temporary profile archive at #{archive_path}"
+          profile.archive({ output: archive_path, ignore_errors: false, overwrite: true })
+        else
+          archive_path = path
+        end
+
+        puts "Start upload to #{config['owner']}/#{profile_name}"
+        pname = ERB::Util.url_encode(profile_name)
+
+        if InspecPlugins::Compliance::API.is_automate_server?(config) || InspecPlugins::Compliance::API.is_automate2_server?(config)
+          puts 'Uploading to Chef Automate'
+        else
+          puts 'Uploading to Chef Compliance'
+        end
+        success, msg = InspecPlugins::Compliance::API.upload(config, config['owner'], pname, archive_path)
+
+        # delete temp file if it was temporary generated
+        File.delete(archive_path) if generated && File.exist?(archive_path)
+
+        if success
+          puts 'Successfully uploaded profile'
+        else
+          puts 'Error during profile upload:'
+          puts msg
+          exit 1
+        end
+      end
+
+      desc 'version', 'displays the version of the Chef Compliance server'
+      def version
+        config = InspecPlugins::Compliance::Configuration.new
+        info = InspecPlugins::Compliance::API.version(config)
+        if !info.nil? && info['version']
+          puts "Name:    #{info['api']}"
+          puts "Version: #{info['version']}"
+        else
+          puts 'Could not determine server version.'
+          exit 1
+        end
+      rescue InspecPlugins::Compliance::ServerConfigurationMissing
+        puts "\nServer configuration information is missing. Please login using `inspec compliance login`"
+        exit 1
+      end
+
+      desc 'logout', 'user logout from Chef Compliance'
+      def logout
+        config = InspecPlugins::Compliance::Configuration.new
+        unless config.supported?(:oidc) || config['token'].nil? || config['server_type'] == 'automate'
+          config = InspecPlugins::Compliance::Configuration.new
+          url = "#{config['server']}/logout"
+          InspecPlugins::Compliance::HTTP.post(url, config['token'], config['insecure'], !config.supported?(:oidc))
+        end
+        success = config.destroy
+
+        if success
+          puts 'Successfully logged out'
+        else
+          puts 'Could not log out'
+        end
+      end
+
+      private
+
+      def loggedin(config)
+        serverknown = !config['server'].nil?
+        puts 'You need to login first with `inspec compliance login`' if !serverknown
+        serverknown
+      end
+    end
+
+    # register the subcommand to Inspec CLI registry
+    # Inspec::Plugins::CLI.add_subcommand(InspecPlugins::ComplianceCLI, 'compliance', 'compliance SUBCOMMAND ...', 'Chef InspecPlugins::Compliance commands', {})
+  end
+end