inspec-core 2.3.5 → 2.3.10

data/lib/plugins/inspec-compliance/test/unit/api/login_test.rb

@@ -0,0 +1,190 @@
+require 'minitest/autorun'
+require 'mocha/setup'
+require 'webmock/minitest'
+require_relative '../../../lib/inspec-compliance/api.rb'
+
+describe InspecPlugins::Compliance::API do
+  let(:automate_options) do
+    {
+      'server' => 'https://automate.example.com',
+      'ent' => 'automate',
+      'user' => 'someone',
+      'token' => 'token',
+    }
+  end
+
+  let(:compliance_options) do
+    {
+      'server' => 'https://compliance.example.com',
+      'user' => 'someone',
+      'password' => 'password',
+      'token' => 'token',
+      'refresh_token' => 'refresh_token',
+    }
+  end
+
+  let(:fake_config) do
+    class FakeConfig
+      def initialize
+        @config = {}
+      end
+
+      def [](key)
+        @config[key]
+      end
+
+      def []=(key, value)
+        @config[key] = value
+      end
+
+      def clean
+        @config = {}
+      end
+
+      def store
+        nil
+      end
+    end
+
+    FakeConfig.new
+  end
+
+  describe '.login' do
+    describe 'when target is a Chef Automate2 server' do
+      before do
+        InspecPlugins::Compliance::API.expects(:determine_server_type).returns(:automate2)
+      end
+
+      it 'raises an error if `--user` is missing' do
+        options = automate_options
+        options.delete('user')
+        err = proc { InspecPlugins::Compliance::API.login(options) }.must_raise(ArgumentError)
+        err.message.must_match(/Please specify a user.*/)
+        err.message.lines.length.must_equal(1)
+      end
+
+      it 'raises an error if `--token` and `--dctoken` are missing' do
+        options = automate_options
+        options.delete('token')
+        options.delete('dctoken')
+        err = proc { InspecPlugins::Compliance::API.login(options) }.must_raise(ArgumentError)
+        err.message.must_match(/Please specify a token.*/)
+        err.message.lines.length.must_equal(1)
+      end
+
+      it 'stores an access token' do
+        stub_request(:get, automate_options['server'] + '/compliance/version')
+          .to_return(status: 200, body: '', headers: {})
+        options = automate_options
+        InspecPlugins::Compliance::Configuration.expects(:new).returns(fake_config)
+
+        InspecPlugins::Compliance::API.login(options)
+        fake_config['automate']['ent'].must_equal('automate')
+        fake_config['automate']['token_type'].must_equal('dctoken')
+        fake_config['user'].must_equal('someone')
+        fake_config['server'].must_equal('https://automate.example.com/api/v0')
+        fake_config['server_type'].must_equal('automate2')
+        fake_config['token'].must_equal('token')
+      end
+    end
+
+    describe 'when target is a Chef Automate server' do
+      before do
+        InspecPlugins::Compliance::API.expects(:determine_server_type).returns(:automate)
+      end
+
+      it 'raises an error if `--user` is missing' do
+        options = automate_options
+        options.delete('user')
+        err = proc { InspecPlugins::Compliance::API.login(options) }.must_raise(ArgumentError)
+        err.message.must_match(/Please specify a user.*/)
+        err.message.lines.length.must_equal(1)
+      end
+
+      it 'raises an error if `--ent` is missing' do
+        options = automate_options
+        options.delete('ent')
+        err = proc { InspecPlugins::Compliance::API.login(options) }.must_raise(ArgumentError)
+        err.message.must_match(/Please specify an enterprise.*/)
+        err.message.lines.length.must_equal(1)
+      end
+
+      it 'raises an error if `--token` and `--dctoken` are missing' do
+        options = automate_options
+        options.delete('token')
+        options.delete('dctoken')
+        err = proc { InspecPlugins::Compliance::API.login(options) }.must_raise(ArgumentError)
+        err.message.must_match(/Please specify a token.*/)
+        err.message.lines.length.must_equal(1)
+      end
+
+      it 'stores an access token' do
+        stub_request(:get, automate_options['server'] + '/compliance/version')
+          .to_return(status: 200, body: '', headers: {})
+        options = automate_options
+        InspecPlugins::Compliance::Configuration.expects(:new).returns(fake_config)
+
+        InspecPlugins::Compliance::API.login(options)
+        fake_config['automate']['ent'].must_equal('automate')
+        fake_config['automate']['token_type'].must_equal('usertoken')
+        fake_config['user'].must_equal('someone')
+        fake_config['server'].must_equal('https://automate.example.com/compliance')
+        fake_config['server_type'].must_equal('automate')
+        fake_config['token'].must_equal('token')
+      end
+    end
+
+    describe 'when target is a Chef Compliance server' do
+      before do
+        InspecPlugins::Compliance::API.expects(:determine_server_type).returns(:compliance)
+      end
+
+      it 'raises an error if `--user` and `--refresh-token` are missing' do
+        options = automate_options
+        options.delete('user')
+        options.delete('refresh_token')
+        err = proc { InspecPlugins::Compliance::API.login(options) }.must_raise(ArgumentError)
+        err.message.must_match(/Please specify a.*--user.*--refresh-token.*/)
+        err.message.lines.length.must_equal(1)
+      end
+
+      it 'raises an error if `--user` is present but authentication method missing' do
+        options = automate_options
+        options.delete('password')
+        options.delete('token')
+        options.delete('refresh_token')
+        err = proc { InspecPlugins::Compliance::API.login(options) }.must_raise(ArgumentError)
+        err.message.must_match(/Please specify.*--password.*--token.*--refresh-token.*/)
+        err.message.lines.length.must_equal(1)
+      end
+
+      it 'stores an access token' do
+        stub_request(:get, compliance_options['server'] + '/api/version')
+          .to_return(status: 200, body: '', headers: {})
+        options = compliance_options
+        InspecPlugins::Compliance::Configuration.expects(:new).returns(fake_config)
+
+        InspecPlugins::Compliance::API.login(options)
+        fake_config['user'].must_equal('someone')
+        fake_config['server'].must_equal('https://compliance.example.com/api')
+        fake_config['server_type'].must_equal('compliance')
+        fake_config['token'].must_equal('token')
+      end
+    end
+
+    describe 'when target is neither a Chef Compliance nor Chef Automate server' do
+      it 'raises an error if `https://SERVER` is missing' do
+        options = {}
+        err = proc { InspecPlugins::Compliance::API.login(options) }.must_raise(ArgumentError)
+        err.message.must_match(/Please specify a server.*/)
+        err.message.lines.length.must_equal(1)
+      end
+
+      it 'rasies a `CannotDetermineServerType` error' do
+        InspecPlugins::Compliance::API.expects(:determine_server_type).returns(nil)
+        err = proc { InspecPlugins::Compliance::API.login(automate_options) }.must_raise(StandardError)
+        err.message.must_match(/Unable to determine/)
+      end
+    end
+  end
+end

data/lib/plugins/inspec-compliance/test/unit/api_test.rb

@@ -0,0 +1,385 @@
+require 'minitest/autorun'
+require 'mocha/setup'
+require_relative '../../lib/inspec-compliance/api.rb'
+
+describe InspecPlugins::Compliance::API do
+  let(:profiles_response) do
+    [{ 'name'=>'apache-baseline',
+      'title'=>'DevSec Apache Baseline',
+      'maintainer'=>'DevSec Hardening Framework Team',
+      'copyright'=>'DevSec Hardening Framework Team',
+      'copyright_email'=>'hello@dev-sec.io',
+      'license'=>'Apache 2 license',
+      'summary'=>'Test-suite for best-practice apache hardening',
+      'version'=>'2.0.2',
+      'supports'=>[{ 'os-family'=>'unix' }],
+      'depends'=>nil,
+      'owner_id'=>'admin' },
+     { 'name'=>'apache-baseline',
+      'title'=>'DevSec Apache Baseline',
+      'maintainer'=>'Hardening Framework Team',
+      'copyright'=>'Hardening Framework Team',
+      'copyright_email'=>'hello@dev-sec.io',
+      'license'=>'Apache 2 license',
+      'summary'=>'Test-suite for best-practice apache hardening',
+      'version'=>'2.0.1',
+      'supports'=>[{ 'os-family'=>'unix' }],
+      'depends'=>nil,
+      'latest_version'=>'2.0.2',
+      'owner_id'=>'admin' },
+     { 'name'=>'cis-aix-5.3-6.1-level1',
+      'title'=>'CIS AIX 5.3 and AIX 6.1 Benchmark Level 1',
+      'maintainer'=>'Chef Software, Inc.',
+      'copyright'=>'Chef Software, Inc.',
+      'copyright_email'=>'support@chef.io',
+      'license'=>'Proprietary, All rights reserved',
+      'summary'=>'CIS AIX 5.3 and AIX 6.1 Benchmark Level 1 translated from SCAP',
+      'version'=>'1.1.0',
+      'supports'=>nil,
+      'depends'=>nil,
+      'latest_version'=>'1.1.0-3',
+      'owner_id'=>'admin' }]
+  end
+
+  describe '.version' do
+    let(:headers) { 'test-headers' }
+    let(:config) do
+      {
+        'server' => 'myserver',
+        'insecure' => true,
+      }
+    end
+
+    before do
+      InspecPlugins::Compliance::API.expects(:get_headers).returns(headers)
+    end
+
+    describe 'when a 404 is received' do
+      it 'should return an empty hash' do
+        response = mock
+        response.stubs(:code).returns('404')
+        InspecPlugins::Compliance::HTTP.expects(:get).with('myserver/version', 'test-headers', true).returns(response)
+        InspecPlugins::Compliance::API.version(config).must_equal({})
+      end
+    end
+
+    describe 'when the returned body is nil' do
+      it 'should return an empty hash' do
+        response = mock
+        response.stubs(:code).returns('200')
+        response.stubs(:body).returns(nil)
+        InspecPlugins::Compliance::HTTP.expects(:get).with('myserver/version', 'test-headers', true).returns(response)
+        InspecPlugins::Compliance::API.version(config).must_equal({})
+      end
+    end
+
+    describe 'when the returned body is an empty string' do
+      it 'should return an empty hash' do
+        response = mock
+        response.stubs(:code).returns('200')
+        response.stubs(:body).returns('')
+        InspecPlugins::Compliance::HTTP.expects(:get).with('myserver/version', 'test-headers', true).returns(response)
+        InspecPlugins::Compliance::API.version(config).must_equal({})
+      end
+    end
+
+    describe 'when the returned body has no version key' do
+      it 'should return an empty hash' do
+        response = mock
+        response.stubs(:code).returns('200')
+        response.stubs(:body).returns('{"api":"compliance"}')
+        InspecPlugins::Compliance::HTTP.expects(:get).with('myserver/version', 'test-headers', true).returns(response)
+        InspecPlugins::Compliance::API.version(config).must_equal({})
+      end
+    end
+
+    describe 'when the returned body has an empty version key' do
+      it 'should return an empty hash' do
+        response = mock
+        response.stubs(:code).returns('200')
+        response.stubs(:body).returns('{"api":"compliance","version":""}')
+        InspecPlugins::Compliance::HTTP.expects(:get).with('myserver/version', 'test-headers', true).returns(response)
+        InspecPlugins::Compliance::API.version(config).must_equal({})
+      end
+    end
+
+    describe 'when the returned body has a proper version' do
+      it 'should return an empty hash' do
+        response = mock
+        response.stubs(:code).returns('200')
+        response.stubs(:body).returns('{"api":"compliance","version":"1.2.3"}')
+        InspecPlugins::Compliance::HTTP.expects(:get).with('myserver/version', 'test-headers', true).returns(response)
+        InspecPlugins::Compliance::API.version(config).must_equal({ 'version' => '1.2.3', 'api' => 'compliance' })
+      end
+    end
+  end
+
+  describe 'automate/compliance is? checks' do
+    describe 'when the config has a compliance server_type' do
+      it 'automate/compliance server is? methods return correctly' do
+        config = InspecPlugins::Compliance::Configuration.new
+        config.clean
+        config['server_type'] = 'compliance'
+        InspecPlugins::Compliance::API.is_compliance_server?(config).must_equal true
+        InspecPlugins::Compliance::API.is_automate_server?(config).must_equal false
+        InspecPlugins::Compliance::API.is_automate_server_pre_080?(config).must_equal false
+        InspecPlugins::Compliance::API.is_automate_server_080_and_later?(config).must_equal false
+        InspecPlugins::Compliance::API.is_automate2_server?(config).must_equal false
+      end
+    end
+
+    describe 'when the config has a automate2 server_type' do
+      it 'automate/compliance server is? methods return correctly' do
+        config = InspecPlugins::Compliance::Configuration.new
+        config.clean
+        config['server_type'] = 'automate2'
+        InspecPlugins::Compliance::API.is_compliance_server?(config).must_equal false
+        InspecPlugins::Compliance::API.is_automate_server?(config).must_equal false
+        InspecPlugins::Compliance::API.is_automate_server_pre_080?(config).must_equal false
+        InspecPlugins::Compliance::API.is_automate_server_080_and_later?(config).must_equal false
+        InspecPlugins::Compliance::API.is_automate2_server?(config).must_equal true
+      end
+    end
+
+    describe 'when the config has an automate server_type and no version key' do
+      it 'automate/compliance server is? methods return correctly' do
+        config = InspecPlugins::Compliance::Configuration.new
+        config.clean
+        config['server_type'] = 'automate'
+        InspecPlugins::Compliance::API.is_compliance_server?(config).must_equal false
+        InspecPlugins::Compliance::API.is_automate_server?(config).must_equal true
+        InspecPlugins::Compliance::API.is_automate_server_pre_080?(config).must_equal true
+        InspecPlugins::Compliance::API.is_automate_server_080_and_later?(config).must_equal false
+        InspecPlugins::Compliance::API.is_automate2_server?(config).must_equal false
+      end
+    end
+
+    describe 'when the config has an automate server_type and a version key that is not a hash' do
+      it 'automate/compliance server is? methods return correctly' do
+        config = InspecPlugins::Compliance::Configuration.new
+        config.clean
+        config['server_type'] = 'automate'
+        config['version'] = '1.2.3'
+        InspecPlugins::Compliance::API.is_compliance_server?(config).must_equal false
+        InspecPlugins::Compliance::API.is_automate_server?(config).must_equal true
+        InspecPlugins::Compliance::API.is_automate_server_pre_080?(config).must_equal true
+        InspecPlugins::Compliance::API.is_automate_server_080_and_later?(config).must_equal false
+        InspecPlugins::Compliance::API.is_automate2_server?(config).must_equal false
+      end
+    end
+
+    describe 'when the config has an automate server_type and a version hash with no version' do
+      it 'automate/compliance server is? methods return correctly' do
+        config = InspecPlugins::Compliance::Configuration.new
+        config.clean
+        config['server_type'] = 'automate'
+        config['version'] = {}
+        InspecPlugins::Compliance::API.is_compliance_server?(config).must_equal false
+        InspecPlugins::Compliance::API.is_automate_server?(config).must_equal true
+        InspecPlugins::Compliance::API.is_automate_server_pre_080?(config).must_equal true
+        InspecPlugins::Compliance::API.is_automate_server_080_and_later?(config).must_equal false
+      end
+    end
+
+    describe 'when the config has an automate server_type and a version hash with a version' do
+      it 'automate/compliance server is? methods return correctly' do
+        config = InspecPlugins::Compliance::Configuration.new
+        config.clean
+        config['server_type'] = 'automate'
+        config['version'] = { 'version' => '0.8.1' }
+        InspecPlugins::Compliance::API.is_compliance_server?(config).must_equal false
+        InspecPlugins::Compliance::API.is_automate_server?(config).must_equal true
+        InspecPlugins::Compliance::API.is_automate_server_pre_080?(config).must_equal false
+        InspecPlugins::Compliance::API.is_automate_server_080_and_later?(config).must_equal true
+      end
+    end
+  end
+
+  describe '.server_version_from_config' do
+    it 'returns nil when the config has no version key' do
+      config = {}
+      InspecPlugins::Compliance::API.server_version_from_config(config).must_be_nil
+    end
+
+    it 'returns nil when the version value is not a hash' do
+      config = { 'version' => '123' }
+      InspecPlugins::Compliance::API.server_version_from_config(config).must_be_nil
+    end
+
+    it 'returns nil when the version value is a hash but has no version key inside' do
+      config = { 'version' => {} }
+      InspecPlugins::Compliance::API.server_version_from_config(config).must_be_nil
+    end
+
+    it 'returns the version if the version value is a hash containing a version' do
+      config = { 'version' => { 'version' => '1.2.3' } }
+      InspecPlugins::Compliance::API.server_version_from_config(config).must_equal '1.2.3'
+    end
+  end
+
+  describe 'profile_split' do
+    it 'handles a profile without version' do
+      InspecPlugins::Compliance::API.profile_split('admin/apache-baseline').must_equal ['admin', 'apache-baseline', nil]
+    end
+
+    it 'handles a profile with a version' do
+      InspecPlugins::Compliance::API.profile_split('admin/apache-baseline#2.0.1').must_equal ['admin', 'apache-baseline', '2.0.1']
+    end
+  end
+
+  describe 'target_url' do
+    it 'handles a automate profile with and without version' do
+      config = InspecPlugins::Compliance::Configuration.new
+      config.clean
+      config['server_type'] = 'automate'
+      config['server'] = 'https://myautomate'
+      config['version'] = '1.6.99'
+      InspecPlugins::Compliance::API.target_url(config, 'admin/apache-baseline').must_equal       'https://myautomate/profiles/admin/apache-baseline/tar'
+      InspecPlugins::Compliance::API.target_url(config, 'admin/apache-baseline#2.0.2').must_equal 'https://myautomate/profiles/admin/apache-baseline/version/2.0.2/tar'
+    end
+
+    it 'handles a chef-compliance profile with and without version' do
+      config = InspecPlugins::Compliance::Configuration.new
+      config.clean
+      config['server_type'] = 'compliance'
+      config['server'] = 'https://mychefcompliance'
+      config['version'] = '1.1.2'
+      InspecPlugins::Compliance::API.target_url(config, 'admin/apache-baseline').must_equal       'https://mychefcompliance/owners/admin/compliance/apache-baseline/tar'
+      InspecPlugins::Compliance::API.target_url(config, 'admin/apache-baseline#2.0.2').must_equal 'https://mychefcompliance/owners/admin/compliance/apache-baseline/tar'
+    end
+  end
+
+  describe 'exist?' do
+    it 'works with profiles returned by Automate' do
+      # ruby 2.3.3 has issues running stub_requests properly
+      # skipping for that specific version
+      return if RUBY_VERSION = '2.3.3'
+
+      config = InspecPlugins::Compliance::Configuration.new
+      config.clean
+      config['owner'] = 'admin'
+      config['server_type'] = 'automate'
+      config['server'] = 'https://myautomate'
+      config['version'] = '1.6.99'
+      config['automate'] = { 'ent'=>'automate', 'token_type'=>'dctoken' }
+      config['version'] = { 'api'=> 'compliance', 'version'=>'0.8.24' }
+      
+      stub_request(:get, 'https://myautomate/profiles/admin')
+        .with(headers: { 'Accept'=>'*/*', 'Accept-Encoding'=>'gzip;q=1.0,deflate;q=0.6,identity;q=0.3', 'Chef-Delivery-Enterprise'=>'automate', 'User-Agent'=>'Ruby', 'X-Data-Collector-Token'=>'' })
+        .to_return(status: 200, body: profiles_response.to_json, headers: {})
+
+      InspecPlugins::Compliance::API.exist?(config, 'admin/apache-baseline').must_equal true
+      InspecPlugins::Compliance::API.exist?(config, 'admin/apache-baseline#2.0.1').must_equal true
+      InspecPlugins::Compliance::API.exist?(config, 'admin/apache-baseline#2.0.999').must_equal false
+      InspecPlugins::Compliance::API.exist?(config, 'admin/missing-in-action').must_equal false
+    end
+  end
+
+  describe '.determine_server_type' do
+    let(:url) { 'https://someserver.onthe.net/' }
+
+    let(:compliance_endpoint) { '/api/version' }
+    let(:automate_endpoint) { '/compliance/version' }
+    let(:automate2_endpoint) { '/dex/auth' }
+    let(:headers) { nil }
+    let(:insecure) { true }
+
+    let(:good_response) { mock }
+    let(:bad_response) { mock }
+
+    it 'returns `:automate2` when a 400 is received from `https://URL/dex/auth`' do
+      good_response.stubs(:code).returns('400')
+
+      InspecPlugins::Compliance::HTTP.expects(:get)
+                      .with(url + automate2_endpoint, headers, insecure)
+                      .returns(good_response)
+
+      InspecPlugins::Compliance::API.determine_server_type(url, insecure).must_equal(:automate2)
+    end
+
+    it 'returns `:automate` when a 401 is received from `https://URL/compliance/version`' do
+      good_response.stubs(:code).returns('401')
+      bad_response.stubs(:code).returns('404')
+
+      InspecPlugins::Compliance::HTTP.expects(:get)
+                      .with(url + automate2_endpoint, headers, insecure)
+                      .returns(bad_response)
+      InspecPlugins::Compliance::HTTP.expects(:get)
+                      .with(url + automate_endpoint, headers, insecure)
+                      .returns(good_response)
+
+      InspecPlugins::Compliance::API.determine_server_type(url, insecure).must_equal(:automate)
+    end
+
+    # Chef Automate currently returns 401 for `/compliance/version` but some
+    # versions of OpsWorks Chef Automate return 200 and a Chef Manage page when
+    # unauthenticated requests are received.
+    it 'returns `:automate` when a 200 is received from `https://URL/compliance/version`' do
+      bad_response.stubs(:code).returns('404')
+      good_response.stubs(:code).returns('200')
+      good_response.stubs(:body).returns('Are You Looking For the Chef Server?')
+
+      InspecPlugins::Compliance::HTTP.expects(:get)
+                      .with(url + automate2_endpoint, headers, insecure)
+                      .returns(bad_response)
+      InspecPlugins::Compliance::HTTP.expects(:get)
+                      .with(url + automate_endpoint, headers, insecure)
+                      .returns(good_response)
+
+      InspecPlugins::Compliance::API.determine_server_type(url, insecure).must_equal(:automate)
+    end
+
+    it 'returns `nil` if a 200 is received from `https://URL/compliance/version` but not redirected to Chef Manage' do
+      bad_response.stubs(:code).returns('200')
+      bad_response.stubs(:body).returns('No Chef Manage here')
+
+      InspecPlugins::Compliance::HTTP.expects(:get)
+                      .with(url + automate_endpoint, headers, insecure)
+                      .returns(bad_response)
+      InspecPlugins::Compliance::HTTP.expects(:get)
+                      .with(url + automate2_endpoint, headers, insecure)
+                      .returns(bad_response)
+
+      mock_compliance_response = mock
+      mock_compliance_response.stubs(:code).returns('404')
+      InspecPlugins::Compliance::HTTP.expects(:get)
+                      .with(url + compliance_endpoint, headers, insecure)
+                      .returns(mock_compliance_response)
+
+      InspecPlugins::Compliance::API.determine_server_type(url, insecure).must_be_nil
+    end
+
+    it 'returns `:compliance` when a 200 is received from `https://URL/api/version`' do
+      good_response.stubs(:code).returns('200')
+      bad_response.stubs(:code).returns('404')
+
+      InspecPlugins::Compliance::HTTP.expects(:get)
+                      .with(url + automate_endpoint, headers, insecure)
+                      .returns(bad_response)
+      InspecPlugins::Compliance::HTTP.expects(:get)
+                      .with(url + automate2_endpoint, headers, insecure)
+                      .returns(bad_response)
+      InspecPlugins::Compliance::HTTP.expects(:get)
+                      .with(url + compliance_endpoint, headers, insecure)
+                      .returns(good_response)
+
+      InspecPlugins::Compliance::API.determine_server_type(url, insecure).must_equal(:compliance)
+    end
+
+    it 'returns `nil` if it cannot determine the server type' do
+      bad_response.stubs(:code).returns('404')
+
+      InspecPlugins::Compliance::HTTP.expects(:get)
+                      .with(url + automate2_endpoint, headers, insecure)
+                      .returns(bad_response)
+      InspecPlugins::Compliance::HTTP.expects(:get)
+                      .with(url + automate_endpoint, headers, insecure)
+                      .returns(bad_response)
+      InspecPlugins::Compliance::HTTP.expects(:get)
+                      .with(url + compliance_endpoint, headers, insecure)
+                      .returns(bad_response)
+
+      InspecPlugins::Compliance::API.determine_server_type(url, insecure).must_be_nil
+    end
+  end
+end