inspec-core 2.3.5 → 2.3.10

data/lib/plugins/inspec-compliance/lib/inspec-compliance/configuration.rb

@@ -0,0 +1,103 @@
+# encoding: utf-8
+
+module InspecPlugins
+  module Compliance
+    # stores configuration on local filesystem
+    class Configuration
+      def initialize
+        @config_path = File.join(Dir.home, '.inspec', 'compliance')
+        # ensure the directory is available
+        unless File.directory?(@config_path)
+          FileUtils.mkdir_p(@config_path)
+        end
+        # set config file path
+        @config_file = File.join(@config_path, '/config.json')
+        @config = {}
+
+        # load the data
+        get
+      end
+
+      # direct access to config
+      def [](key)
+        @config[key]
+      end
+
+      def []=(key, value)
+        @config[key] = value
+      end
+
+      def key?(key)
+        @config.key?(key)
+      end
+
+      def clean
+        @config = {}
+      end
+
+      # return the json data
+      def get
+        if File.exist?(@config_file)
+          file = File.read(@config_file)
+          @config = JSON.parse(file)
+        end
+        @config
+      end
+
+      # stores a hash to json
+      def store
+        File.open(@config_file, 'w') do |f|
+          f.chmod(0600)
+          f.write(@config.to_json)
+        end
+      end
+
+      # deletes data
+      def destroy
+        if File.exist?(@config_file)
+          File.delete(@config_file)
+        else
+          true
+        end
+      end
+
+      # return if the (stored) api version does not support a certain feature
+      def supported?(feature)
+        sup = version_with_support(feature)
+
+        # we do not know the version, therefore we do not know if its possible to use the feature
+        return if self['version'].nil? || self['version']['version'].nil?
+
+        if sup.is_a?(Array)
+          Gem::Version.new(self['version']['version']) >= sup[0] &&
+            Gem::Version.new(self['version']['version']) < sup[1]
+        else
+          Gem::Version.new(self['version']['version']) >= sup
+        end
+      end
+
+      # exit 1 if the version of compliance that we're working with doesn't support odic
+      def legacy_check!(feature)
+        return if supported?(feature)
+
+        puts "This feature (#{feature}) is not available for legacy installations."
+        puts 'Please upgrade to a recent version of Chef Compliance.'
+        exit 1
+      end
+
+      private
+
+      # for a feature, returns either:
+      #  - a version v0:                      v supports v0       iff v0 <= v
+      #  - an array [v0, v1] of two versions: v supports [v0, v1] iff v0 <= v < v1
+      def version_with_support(feature)
+        case feature.to_sym
+        when :oidc
+          Gem::Version.new('0.16.19')
+        else
+          Gem::Version.new('0.0.0')
+        end
+      end
+    end
+  end
+end

data/lib/plugins/inspec-compliance/lib/inspec-compliance/http.rb

@@ -0,0 +1,116 @@
+# encoding: utf-8
+
+require 'net/http'
+require 'net/http/post/multipart'
+require 'uri'
+
+module InspecPlugins
+  module Compliance
+    # implements a simple http abstraction on top of Net::HTTP
+    class HTTP
+      # generic get requires
+      def self.get(url, headers = nil, insecure)
+        uri = _parse_url(url)
+        req = Net::HTTP::Get.new(uri.path)
+        headers&.each do |key, value|
+          req.add_field(key, value)
+        end
+        send_request(uri, req, insecure)
+      end
+
+      # generic post request
+      def self.post(url, token, insecure, basic_auth = false)
+        # form request
+        uri = _parse_url(url)
+        req = Net::HTTP::Post.new(uri.path)
+        if basic_auth
+          req.basic_auth token, ''
+        else
+          req['Authorization'] = "Bearer #{token}"
+        end
+        req.form_data={}
+
+        send_request(uri, req, insecure)
+      end
+
+      def self.post_with_headers(url, headers, body, insecure)
+        uri = _parse_url(url)
+        req = Net::HTTP::Post.new(uri.path)
+        req.body = body unless body.nil?
+        headers&.each do |key, value|
+          req.add_field(key, value)
+        end
+        send_request(uri, req, insecure)
+      end
+
+      # post a file
+      def self.post_file(url, headers, file_path, insecure)
+        uri = _parse_url(url)
+        raise "Unable to parse URL: #{url}" if uri.nil? || uri.host.nil?
+        http = Net::HTTP.new(uri.host, uri.port)
+
+        # set connection flags
+        http.use_ssl = (uri.scheme == 'https')
+        http.verify_mode = OpenSSL::SSL::VERIFY_NONE if insecure
+
+        req = Net::HTTP::Post.new(uri.path)
+        headers.each do |key, value|
+          req.add_field(key, value)
+        end
+
+        req.body_stream=File.open(file_path, 'rb')
+        req.add_field('Content-Length', File.size(file_path))
+        req.add_field('Content-Type', 'application/x-gzip')
+
+        boundary = 'INSPEC-PROFILE-UPLOAD'
+        req.add_field('session', boundary)
+        res=http.request(req)
+        res
+      end
+
+      def self.post_multipart_file(url, headers, file_path, insecure)
+        uri = _parse_url(url)
+        raise "Unable to parse URL: #{url}" if uri.nil? || uri.host.nil?
+        http = Net::HTTP.new(uri.host, uri.port)
+
+        # set connection flags
+        http.use_ssl = (uri.scheme == 'https')
+        http.verify_mode = OpenSSL::SSL::VERIFY_NONE if insecure
+
+        File.open(file_path) do |tar|
+          req = Net::HTTP::Post::Multipart.new(uri, 'file' => UploadIO.new(tar, 'application/x-gzip', File.basename(file_path)))
+          headers.each do |key, value|
+            req.add_field(key, value)
+          end
+          res = http.request(req)
+          return res
+        end
+      end
+
+      # sends a http requests
+      def self.send_request(uri, req, insecure)
+        opts = {
+          use_ssl: uri.scheme == 'https',
+        }
+        opts[:verify_mode] = OpenSSL::SSL::VERIFY_NONE if insecure
+
+        raise "Unable to parse URI: #{uri}" if uri.nil? || uri.host.nil?
+        res = Net::HTTP.start(uri.host, uri.port, opts) { |http|
+          http.request(req)
+        }
+        res
+      rescue OpenSSL::SSL::SSLError => e
+        raise e unless e.message.include? 'certificate verify failed'
+
+        puts "Error: Failed to connect to #{uri}."
+        puts 'If the server uses a self-signed certificate, please re-run the login command with the --insecure option.'
+        exit 1
+      end
+
+      def self._parse_url(url)
+        url = "https://#{url}" if URI.parse(url).scheme.nil?
+        URI.parse(url)
+      end
+    end
+  end
+end

data/lib/plugins/inspec-compliance/lib/inspec-compliance/support.rb

@@ -0,0 +1,36 @@
+# encoding: utf-8
+
+module InspecPlugins
+  module Compliance
+    # is a helper that provides information which version of compliance supports
+    # which feature
+    class Support
+      # for a feature, returns either:
+      #  - a version v0:                      v supports v0       iff v0 <= v
+      #  - an array [v0, v1] of two versions: v supports [v0, v1] iff v0 <= v < v1
+      def self.version_with_support(feature)
+        case feature.to_sym
+        when :oidc # open id connect authentication
+          Gem::Version.new('0.16.19')
+        else
+          Gem::Version.new('0.0.0')
+        end
+      end
+
+      # determines if the given version support a certain feature
+      def self.supported?(feature, version)
+        sup = version_with_support(feature)
+
+        if sup.is_a?(Array)
+          Gem::Version.new(version) >= sup[0] &&
+            Gem::Version.new(version) < sup[1]
+        else
+          Gem::Version.new(version) >= sup
+        end
+      end
+
+      # we do not know the version, therefore we do not know if its possible to use the feature
+      # return if self['version'].nil? || self['version']['version'].nil?
+    end
+  end
+end

data/lib/plugins/inspec-compliance/lib/inspec-compliance/target.rb

@@ -0,0 +1,143 @@
+# encoding: utf-8
+
+require 'uri'
+require 'inspec/fetcher'
+require 'inspec/errors'
+
+# InSpec Target Helper for Chef Compliance
+# reuses UrlHelper, but it knows the target server and the access token already
+# similar to `inspec exec http://localhost:2134/owners/%base%/compliance/%ssh%/tar --user %token%`
+module InspecPlugins
+  module Compliance
+    class Fetcher < Fetchers::Url
+      name 'compliance'
+      priority 500
+      attr_reader :upstream_sha256
+
+      def initialize(target, opts)
+        super(target, opts)
+        @upstream_sha256 = ''
+        if target.is_a?(Hash) && target.key?(:url)
+          @target = target[:url]
+          @upstream_sha256 = target[:sha256]
+        elsif target.is_a?(String)
+          @target = target
+        end
+      end
+
+      def sha256
+        upstream_sha256.empty? ? super : upstream_sha256
+      end
+
+      def self.check_compliance_token(uri, config)
+        if config['token'].nil? && config['refresh_token'].nil?
+          if config['server_type'] == 'automate'
+            server = 'automate'
+            msg = 'inspec compliance login https://your_automate_server --user USER --ent ENT --dctoken DCTOKEN or --token USERTOKEN'
+          elsif config['server_type'] == 'automate2'
+            server = 'automate2'
+            msg = 'inspec compliance login https://your_automate2_server --user USER --token APITOKEN'
+          else
+            server = 'compliance'
+            msg = "inspec compliance login https://your_compliance_server --user admin --insecure --token 'PASTE TOKEN HERE' "
+          end
+          raise Inspec::FetcherFailure, <<~EOF
+
+            Cannot fetch #{uri} because your #{server} token has not been
+            configured.
+
+            Please login using
+
+                #{msg}
+          EOF
+        end
+      end
+
+      def self.get_target_uri(target)
+        if target.is_a?(String) && URI(target).scheme == 'compliance'
+          URI(target)
+        elsif target.respond_to?(:key?) && target.key?(:compliance)
+          URI("compliance://#{target[:compliance]}")
+        end
+      end
+
+      def self.resolve(target)
+        uri = get_target_uri(target)
+        return nil if uri.nil?
+
+        config = InspecPlugins::Compliance::Configuration.new
+        profile = InspecPlugins::Compliance::API.sanitize_profile_name(uri)
+        profile_fetch_url = InspecPlugins::Compliance::API.target_url(config, profile)
+        # we have detailed information available in our lockfile, no need to ask the server
+        if target.respond_to?(:key?) && target.key?(:sha256)
+          profile_checksum = target[:sha256]
+        else
+          check_compliance_token(uri, config)
+          # verifies that the target e.g base/ssh exists
+          # Call profiles directly instead of exist? to capture the results
+          # so we can access the upstream sha256 from the results.
+          _msg, profile_result = InspecPlugins::Compliance::API.profiles(config, profile)
+          if profile_result.empty?
+            raise Inspec::FetcherFailure, "The compliance profile #{profile} was not found on the configured compliance server"
+          else
+            # Guarantee sorting by verison and grab the latest.
+            # If version was specified, it will be the first and only result.
+            # Note we are calling the sha256 as a string, not a symbol since
+            # it was returned as json from the Compliance API.
+            profile_info = profile_result.sort_by { |x| Gem::Version.new(x['version']) }[0]
+            profile_checksum = profile_info.key?('sha256') ? profile_info['sha256'] : ''
+          end
+        end
+        # We need to pass the token to the fetcher
+        config['token'] = InspecPlugins::Compliance::API.get_token(config)
+
+        # Needed for automate2 post request
+        profile_stub = profile || target[:compliance]
+        config['profile'] = InspecPlugins::Compliance::API.profile_split(profile_stub)
+
+        new({ url: profile_fetch_url, sha256: profile_checksum }, config)
+      rescue URI::Error => _e
+        nil
+      end
+
+      # We want to save compliance: in the lockfile rather than url: to
+      # make sure we go back through the Compliance API handling.
+      def resolved_source
+        @resolved_source ||= {
+          compliance: compliance_profile_name,
+          url: @target,
+          sha256: sha256,
+        }
+      end
+
+      def to_s
+        'Chef Compliance Profile Loader'
+      end
+
+      private
+
+      # determine the owner_id and the profile name from the url
+      def compliance_profile_name
+        m = if InspecPlugins::Compliance::API.is_automate_server_pre_080?(@config)
+              %r{^#{@config['server']}/(?<owner>[^/]+)/(?<id>[^/]+)/tar$}
+            elsif InspecPlugins::Compliance::API.is_automate_server_080_and_later?(@config)
+              %r{^#{@config['server']}/profiles/(?<owner>[^/]+)/(?<id>[^/]+)/tar$}
+            else
+              %r{^#{@config['server']}/owners/(?<owner>[^/]+)/compliance/(?<id>[^/]+)/tar$}
+            end.match(@target)
+
+        if InspecPlugins::Compliance::API.is_automate2_server?(@config)
+          m = {}
+          m[:owner] = @config['profile'][0]
+          m[:id] = @config['profile'][1]
+        end
+
+        raise 'Unable to determine compliance profile name. This can be caused by ' \
+          'an incorrect server in your configuration. Try to login to compliance ' \
+          'via the `inspec compliance login` command.' if m.nil?
+
+        "#{m[:owner]}/#{m[:id]}"
+      end
+    end
+  end
+end

data/lib/plugins/inspec-compliance/test/functional/inspec_compliance_test.rb

@@ -0,0 +1,43 @@
+# encoding: utf-8
+
+require_relative '../../../shared/core_plugin_test_helper.rb'
+
+class ComplianceCli < MiniTest::Test
+  include CorePluginFunctionalHelper
+
+  def test_help_output
+    out = run_inspec_process('compliance help')
+    assert_equal out.exit_status, 0
+    assert_includes out.stdout, 'inspec compliance exec PROFILE'
+  end
+
+  def test_logout_command
+    out = run_inspec_process('compliance logout')
+    assert_equal out.exit_status, 0
+    assert_includes out.stdout, ''
+  end
+
+  def test_error_login_with_invalid_url
+    out = run_inspec_process('compliance login')
+    assert_equal out.exit_status, 1
+    assert_includes out.stderr, 'ERROR: "inspec compliance login" was called with no arguments'
+  end
+
+  def test_profile_list_without_auth
+    out = run_inspec_process('compliance profiles')
+    assert_equal out.exit_status, 0 # TODO: make this error
+    assert_includes out.stdout, 'You need to login first with `inspec compliance login`'
+  end
+
+  def test_error_upload_without_args
+    out = run_inspec_process('compliance upload')
+    assert_equal out.exit_status, 1
+    assert_includes out.stderr, 'ERROR: "inspec compliance upload" was called with no arguments'
+  end
+
+  def test_error_upload_with_fake_path
+    out = run_inspec_process('compliance upload /path/to/dir')
+    assert_equal out.exit_status, 0 # TODO: make this error
+    assert_includes out.stdout, 'You need to login first with `inspec compliance login`'
+  end
+end