inspec-core 3.5.0 → 3.6.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 190e8714166fd805239f3a7cf9bd5b830af9a7abffb671001361dd62da963e26
-  data.tar.gz: 4f9d5fae927f80c5b136614fb581e308d43c2d1dabaa1e36238690891c499598
+  metadata.gz: 540ae71a1d966748d37cddcb1f171f7921e34f9bfcc6781702934756904476f9
+  data.tar.gz: 52a9a03513892e4e266eaba4a24eee0cee01749c6b96d99845c335616544b962
 SHA512:
-  metadata.gz: 80a02ea7b5bd63fbf69cea562a5e951afbdab37de14623861fb8b907ba9738af0c83be270e48e32b1bb797c4d4634bb03e671203b33fc49d9e42aba97d789d79
-  data.tar.gz: ccd6167f75157dd5ce47f0678846a5837e22cb1b023fd559aa80878b235e1efb712403a0503a1c10fc825654c5dd93f960fd5fe337a9d1cae2986617334073bc
+  metadata.gz: b13e81a88b36ee456597ffcacb701e84c1702d402f80e8ac1f2c9e135af14c3990394f366230969d6ca6968dad4b973cb09ada2a919e16789282e77cfcf38348
+  data.tar.gz: 1a27aa7f35b92b4b5b974123bee5ef33ab0d942e6bc90a478521927a771a564d92c9b1063f359a7d4d457b1e401229e96a5938cb62dd38b7fa6e10f57cab8778

data/etc/deprecations.json

@@ -5,6 +5,15 @@
     "attrs_value_replaces_default": {
       "action": "ignore",
       "prefix": "The 'default' option for attributes is being replaced by 'value' - please use it instead."
+    },
+    "cli_option_json_config": {
+      "action": "ignore",
+      "prefix": "The --json-config option is being replaced by the --config option.",
+      "comment": "See #3661"
+    },
+    "filesystem_property_size": {
+      "action": "ignore",
+      "comment": "See #3778"
     }
   }
 }

data/lib/bundles/inspec-supermarket/cli.rb

@@ -30,7 +30,7 @@ module Supermarket
     desc 'exec PROFILE', 'execute a Supermarket profile'
     exec_options
     def exec(*tests)
-      o = opts(:exec).dup
+      o = config
       diagnose(o)
       configure_logger(o)
 

data/lib/inspec/backend.rb

@@ -4,6 +4,7 @@
 # author: Christoph Hartmann
 
 require 'train'
+require 'inspec/config'
 
 module Inspec
   module Backend
@@ -38,19 +39,19 @@ module Inspec
 
     # Create the transport backend with aggregated resources.
     #
-    # @param [Hash] config for the transport backend
+    # @param [Inspec::Config] config for the transport backend
     # @return [TransportBackend] enriched transport instance
     def self.create(config) # rubocop:disable Metrics/AbcSize
-      conf = Train.target_config(config)
-      name = Train.validate_backend(conf)
-      transport = Train.create(name, conf)
+      train_credentials = config.unpack_train_credentials
+      transport_name = Train.validate_backend(train_credentials)
+      transport = Train.create(transport_name, train_credentials)
       if transport.nil?
-        raise "Can't find transport backend '#{name}'."
+        raise "Can't find transport backend '#{transport_name}'."
       end
 
       connection = transport.connection
       if connection.nil?
-        raise "Can't connect to transport backend '#{name}'."
+        raise "Can't connect to transport backend '#{transport_name}'."
       end
 
       # Set caching settings. We always want to enable caching for
@@ -85,9 +86,9 @@ module Inspec
 
       cls.new
     rescue Train::ClientError => e
-      raise "Client error, can't connect to '#{name}' backend: #{e.message}"
+      raise "Client error, can't connect to '#{transport_name}' backend: #{e.message}"
     rescue Train::TransportError => e
-      raise "Transport error, can't connect to '#{name}' backend: #{e.message}"
+      raise "Transport error, can't connect to '#{transport_name}' backend: #{e.message}"
     end
   end
 end

data/lib/inspec/base_cli.rb

@@ -75,8 +75,9 @@ module Inspec
         desc: 'Whether to use disable sspi authentication, defaults to false (WinRM).'
       option :winrm_basic_auth, type: :boolean,
         desc: 'Whether to use basic authentication, defaults to false (WinRM).'
-      option :json_config, type: :string,
+      option :config, type: :string,
         desc: 'Read configuration from JSON file (`-` reads from stdin).'
+      option :json_config, type: :string, hide: true
       option :proxy_command, type: :string,
         desc: 'Specifies the command to use to connect to the server'
       option :bastion_host, type: :string,
@@ -118,92 +119,7 @@ module Inspec
         desc: 'Exit with code 101 if any tests fail, and 100 if any are skipped (default).  If disabled, exit 0 on skips and 1 for failures.'
     end
 
-    def self.default_options
-      {
-        exec: {
-          'reporter' => ['cli'],
-          'show_progress' => false,
-          'color' => true,
-          'create_lockfile' => true,
-          'backend_cache' => true,
-        },
-        shell: {
-          'reporter' => ['cli'],
-        },
-      }
-    end
-
-    def self.parse_reporters(opts) # rubocop:disable Metrics/AbcSize
-      # default to cli report for ad-hoc runners
-      opts['reporter'] = ['cli'] if opts['reporter'].nil?
-
-      # parse out cli to proper report format
-      if opts['reporter'].is_a?(Array)
-        reports = {}
-        opts['reporter'].each do |report|
-          reporter_name, target = report.split(':', 2)
-          if target.nil? || target.strip == '-'
-            reports[reporter_name] = { 'stdout' => true }
-          else
-            reports[reporter_name] = {
-              'file' => target,
-              'stdout' => false,
-            }
-            reports[reporter_name]['target_id'] = opts['target_id'] if opts['target_id']
-          end
-        end
-        opts['reporter'] = reports
-      end
-
-      # add in stdout if not specified
-      if opts['reporter'].is_a?(Hash)
-        opts['reporter'].each do |reporter_name, config|
-          opts['reporter'][reporter_name] = {} if config.nil?
-          opts['reporter'][reporter_name]['stdout'] = true if opts['reporter'][reporter_name].empty?
-          opts['reporter'][reporter_name]['target_id'] = opts['target_id'] if opts['target_id']
-        end
-      end
-
-      validate_reporters(opts['reporter'])
-      opts
-    end
-
-    def self.validate_reporters(reporters)
-      return if reporters.nil?
-
-      valid_types = [
-        'automate',
-        'cli',
-        'documentation',
-        'html',
-        'json',
-        'json-automate',
-        'json-min',
-        'json-rspec',
-        'junit',
-        'progress',
-        'yaml',
-      ]
-
-      reporters.each do |k, v|
-        raise NotImplementedError, "'#{k}' is not a valid reporter type." unless valid_types.include?(k)
-
-        next unless k == 'automate'
-        %w{token url}.each do |option|
-          raise Inspec::ReporterError, "You must specify a automate #{option} via the json-config." if v[option].nil?
-        end
-      end
-
-      # check to make sure we are only reporting one type to stdout
-      stdout = 0
-      reporters.each_value do |v|
-        stdout += 1 if v['stdout'] == true
-      end
-
-      raise ArgumentError, 'The option --reporter can only have a single report outputting to stdout.' if stdout > 1
-    end
-
-    def self.detect(params: {}, indent: 0, color: 39)
+    def self.format_platform_info(params: {}, indent: 0, color: 39)
       str = ''
       params.each { |item, info|
         data = info
@@ -286,86 +202,12 @@ module Inspec
       false
     end
 
-    def diagnose(opts)
-      return unless opts['diagnose']
-      puts "InSpec version: #{Inspec::VERSION}"
-      puts "Train version: #{Train::VERSION}"
-      puts 'Command line configuration:'
-      pp options
-      puts 'JSON configuration file:'
-      pp options_json
-      puts 'Merged configuration:'
-      pp opts
-      puts
-    end
-
-    def opts(type = nil)
-      o = merged_opts(type)
-
-      # Due to limitations in Thor it is not possible to set an argument to be
-      # both optional and its value to be mandatory. E.g. the user supplying
-      # the --password argument is optional and not always required, but
-      # whenever it is used, it requires a value. Handle options that were
-      # defined above and require a value here:
-      %w{password sudo-password}.each do |v|
-        id = v.tr('-', '_').to_sym
-        next unless o[id] == -1
-        raise ArgumentError, "Please provide a value for --#{v}. For example: --#{v}=hello."
-      end
-
-      # Infer `--sudo` if using `--sudo-password` without `--sudo`
-      if o[:sudo_password] && !o[:sudo]
-        o[:sudo] = true
-        warn 'WARN: `--sudo-password` used without `--sudo`. Adding `--sudo`.'
-      end
-
-      # check for compliance settings
-      if o['compliance']
-        require 'plugins/inspec-compliance/lib/inspec-compliance/api'
-        InspecPlugins::Compliance::API.login(o['compliance'])
-      end
-
-      o
+    def diagnose(_ = nil)
+      config.diagnose
     end
 
-    def merged_opts(type = nil)
-      opts = {}
-
-      # start with default options if we have any
-      opts = BaseCLI.default_options[type] unless type.nil? || BaseCLI.default_options[type].nil?
-      opts['type'] = type unless type.nil?
-      Inspec::BaseCLI.inspec_cli_command = type
-
-      # merge in any options from json-config
-      json_config = options_json
-      opts.merge!(json_config)
-
-      # merge in any options defined via thor
-      opts.merge!(options)
-
-      # parse reporter options
-      opts = BaseCLI.parse_reporters(opts) if %i(exec shell).include?(type)
-
-      Thor::CoreExt::HashWithIndifferentAccess.new(opts)
-    end
-
-    def options_json
-      conffile = options['json_config']
-      @json ||= conffile ? read_config(conffile) : {}
-    end
-
-    def read_config(file)
-      if file == '-'
-        puts 'WARN: reading JSON config from standard input' if STDIN.tty?
-        config = STDIN.read
-      else
-        config = File.read(file)
-      end
-
-      JSON.parse(config)
-    rescue JSON::ParserError => e
-      puts "Failed to load JSON configuration: #{e}\nConfig was: #{config.inspect}"
-      exit 1
+    def config
+      @config ||= Inspec::Config.new(options) # 'options' here is CLI opts from Thor
     end
 
     # get the log level
@@ -409,12 +251,12 @@ module Inspec
 
     def configure_logger(o)
       #
-      # TODO(ssd): This is a big gross, but this configures the
+      # TODO(ssd): This is a bit gross, but this configures the
       # logging singleton Inspec::Log. Eventually it would be nice to
       # move internal debug logging to use this logging singleton.
       #
-      loc = if o.log_location
-              o.log_location
+      loc = if o['log_location']
+              o['log_location']
             elsif suppress_log_output?(o)
               STDERR
             else
@@ -422,14 +264,14 @@ module Inspec
             end
 
       Inspec::Log.init(loc)
-      Inspec::Log.level = get_log_level(o.log_level)
+      Inspec::Log.level = get_log_level(o['log_level'])
 
       o[:logger] = Logger.new(loc)
       # output json if we have activated the json formatter
       if o['log-format'] == 'json'
         o[:logger].formatter = Logger::JSONFormatter.new
       end
-      o[:logger].level = get_log_level(o.log_level)
+      o[:logger].level = get_log_level(o['log_level'])
     end
   end
 end

data/lib/inspec/cli.rb

@@ -15,6 +15,7 @@ require 'inspec/plugin/v2'
 require 'inspec/runner_mock'
 require 'inspec/env_printer'
 require 'inspec/schema'
+require 'inspec/config'
 
 class Inspec::InspecCLI < Inspec::BaseCLI
   class_option :log_level, aliases: :l, type: :string,
@@ -45,12 +46,12 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     desc: 'A list of controls to include. Ignore all other tests.'
   profile_options
   def json(target)
-    o = opts.dup
+    o = config
     diagnose(o)
     o['log_location'] = STDERR
     configure_logger(o)
 
-    o[:backend] = Inspec::Backend.create(target: 'mock://')
+    o[:backend] = Inspec::Backend.create(Inspec::Config.mock)
     o[:check_mode] = true
     o[:vendor_cache] = Inspec::Cache.new(o[:vendor_cache])
 
@@ -81,9 +82,9 @@ class Inspec::InspecCLI < Inspec::BaseCLI
   option :format, type: :string
   profile_options
   def check(path) # rubocop:disable Metrics/AbcSize
-    o = opts.dup
+    o = config
     diagnose(o)
-    o[:backend] = Inspec::Backend.create(target: 'mock://')
+    o[:backend] = Inspec::Backend.create(Inspec::Config.mock)
     o[:check_mode] = true
     o[:vendor_cache] = Inspec::Cache.new(o[:vendor_cache])
 
@@ -133,10 +134,10 @@ class Inspec::InspecCLI < Inspec::BaseCLI
   option :overwrite, type: :boolean, default: false,
     desc: 'Overwrite existing vendored dependencies and lockfile.'
   def vendor(path = nil)
-    o = opts.dup
+    o = config
     configure_logger(o)
     o[:logger] = Logger.new(STDOUT)
-    o[:logger].level = get_log_level(o.log_level)
+    o[:logger].level = get_log_level(o[:log_level])
 
     vendor_deps(path, o)
   end
@@ -154,12 +155,12 @@ class Inspec::InspecCLI < Inspec::BaseCLI
   option :ignore_errors, type: :boolean, default: false,
     desc: 'Ignore profile warnings.'
   def archive(path)
-    o = opts.dup
+    o = config
     diagnose(o)
 
     o[:logger] = Logger.new(STDOUT)
-    o[:logger].level = get_log_level(o.log_level)
-    o[:backend] = Inspec::Backend.create(target: 'mock://')
+    o[:logger].level = get_log_level(o[:log_level])
+    o[:backend] = Inspec::Backend.create(Inspec::Config.mock)
 
     # Force vendoring with overwrite when archiving
     vendor_options = o.dup
@@ -254,7 +255,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI
   EOT
   exec_options
   def exec(*targets)
-    o = opts(:exec).dup
+    o = config
     diagnose(o)
     configure_logger(o)
 
@@ -273,14 +274,14 @@ class Inspec::InspecCLI < Inspec::BaseCLI
   target_options
   option :format, type: :string
   def detect
-    o = opts(:detect).dup
+    o = config
     o[:command] = 'platform.params'
     (_, res) = run_command(o)
     if o['format'] == 'json'
       puts res.to_json
     else
       headline('Platform Details')
-      puts Inspec::BaseCLI.detect(params: res, indent: 0, color: 36)
+      puts Inspec::BaseCLI.format_platform_info(params: res, indent: 0, color: 36)
     end
   rescue ArgumentError, RuntimeError, Train::UserError => e
     $stderr.puts e.message
@@ -301,13 +302,13 @@ class Inspec::InspecCLI < Inspec::BaseCLI
   option :distinct_exit, type: :boolean, default: true,
     desc: 'Exit with code 100 if any tests fail, and 101 if any are skipped but none failed (default).  If disabled, exit 0 on skips and 1 for failures.'
   def shell_func
-    o = opts(:shell).dup
+    o = config
     diagnose(o)
     o[:debug_shell] = true
 
     log_device = suppress_log_output?(o) ? nil : STDOUT
     o[:logger] = Logger.new(log_device)
-    o[:logger].level = get_log_level(o.log_level)
+    o[:logger].level = get_log_level(o[:log_level])
 
     if o[:command].nil?
       runner = Inspec::Runner.new(o)
@@ -346,7 +347,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI
   desc 'version', 'prints the version of this tool'
   option :format, type: :string
   def version
-    if opts['format'] == 'json'
+    if config['format'] == 'json'
       v = { version: Inspec::VERSION }
       puts v.to_json
     else
@@ -363,7 +364,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI
   private
 
   def run_command(opts)
-    runner = Inspec::Runner.new(opts)
+    runner = Inspec::Runner.new(Inspec::Config.new(opts))
     res = runner.eval_with_virtual_profile(opts[:command])
     runner.load
 

data/lib/inspec/config.rb

@@ -0,0 +1,391 @@
+# Represents InSpec configuration.  Merges defaults, config file options,
+# and CLI arguments.
+
+require 'pp'
+require 'stringio'
+
+module Inspec
+  class Config
+    # These are options that apply to any transport
+    GENERIC_CREDENTIALS = %w{
+      backend
+      sudo
+      sudo_password
+      sudo_command
+      sudo_options
+      shell
+      shell_options
+      shell_command
+    }.freeze
+
+    extend Forwardable
+
+    # Many parts of InSpec expect to treat the Config as a Hash
+    def_delegators :@final_options, :each, :delete, :[], :[]=, :key?
+    attr_reader :final_options
+
+    # This makes it easy to make a config with a mock backend.
+    def self.mock(opts = {})
+      Inspec::Config.new({ backend: :mock }.merge(opts), StringIO.new('{}'))
+    end
+
+    def initialize(cli_opts = {}, cfg_io = nil, command_name = nil)
+      @command_name = command_name || (ARGV.empty? ? nil : ARGV[0].to_sym)
+      @defaults = Defaults.for_command(@command_name)
+
+      @cli_opts = cli_opts.dup
+      cfg_io = resolve_cfg_io(@cli_opts, cfg_io)
+      @cfg_file_contents = read_cfg_file_io(cfg_io)
+
+      @merged_options = merge_options
+      @final_options = finalize_options
+    end
+
+    def diagnose
+      return unless self[:diagnose]
+      puts "InSpec version: #{Inspec::VERSION}"
+      puts "Train version: #{Train::VERSION}"
+      puts 'Command line configuration:'
+      pp @cli_opts
+      puts 'JSON configuration file:'
+      pp @cfg_file_contents
+      puts 'Merged configuration:'
+      pp @merged_options
+      puts
+    end
+
+    #-----------------------------------------------------------------------#
+    #                      Train Credential Handling
+    #-----------------------------------------------------------------------#
+
+    # Returns a Hash with Symbol keys as follows:
+    #   backend: machine name of the Train transport needed
+    #   If present, any of the GENERIC_CREDENTIALS.
+    #   All other keys are specific to the backend.
+    #
+    # The credentials are gleaned from:
+    #  * the Train transport defaults. Train handles this on transport creation,
+    #      so this method doesn't load defaults.
+    #  * individual InSpec CLI options (which in many cases may have the
+    #      transport name prefixed, which is stripped before being added
+    #      to the creds hash)
+    #  * the --target CLI option, which is interpreted:
+    #     - as an arbitrary URI, which is parsed by Train.unpack_target_from_uri
+
+    def unpack_train_credentials
+      # Internally, use indifferent access while we build the creds
+      credentials = Thor::CoreExt::HashWithIndifferentAccess.new({})
+
+      # Helper methods prefixed with _utc_ (Unpack Train Credentials)
+
+      credentials.merge!(_utc_generic_credentials)
+
+      _utc_determine_backend(credentials)
+      credentials.merge!(Train.unpack_target_from_uri(final_options[:target] || '')) # TODO: this will be replaced with the credset work
+      transport_name = credentials[:backend].to_s
+      _utc_merge_transport_options(credentials, transport_name)
+
+      # Convert to all-Symbol keys
+      credentials.each_with_object({}) do |(option, value), creds|
+        creds[option.to_sym] = value
+        creds
+      end
+    end
+
+    private
+
+    def _utc_merge_transport_options(credentials, transport_name)
+      # Ask Train for the names of the transport options
+      transport_options = Train.options(transport_name).keys.map(&:to_s)
+
+      # If there are any options with those (unprefixed) names, merge them in.
+      unprefixed_transport_options = final_options.select do |option_name, _value|
+        transport_options.include? option_name # e.g., 'host'
+      end
+      credentials.merge!(unprefixed_transport_options)
+
+      # If there are any prefixed options, merge them in, stripping the prefix.
+      transport_prefix = transport_name.downcase.tr('-', '_') + '_'
+      transport_options.each do |bare_option_name|
+        prefixed_option_name = transport_prefix + bare_option_name.to_s
+        if final_options.key?(prefixed_option_name)
+          credentials[bare_option_name.to_s] = final_options[prefixed_option_name]
+        end
+      end
+    end
+
+    # fetch any info that applies to all transports (like sudo information)
+    def _utc_generic_credentials
+      @final_options.select { |option, _value| GENERIC_CREDENTIALS.include?(option) }
+    end
+
+    def _utc_determine_backend(credentials)
+      return if credentials.key?(:backend)
+
+      # Default to local
+      unless @final_options.key?(:target)
+        credentials[:backend] = 'local'
+        return
+      end
+
+      # Look into target
+      %r{^(?<transport_name>[a-z_\-0-9]+)://.*$} =~ final_options[:target]
+      unless transport_name
+        raise ArgumentError, "Could not recognize a backend from the target #{final_options[:target]} - use a URI format with the backend name as the URI schema.  Example: 'ssh://somehost.com' or 'transport://credset' or 'transport://' if credentials are provided outside of InSpec."
+      end
+      credentials[:backend] = transport_name.to_s # these are indeed stored in Train as Strings.
+    end
+
+    #-----------------------------------------------------------------------#
+    #                         Reading Config Files
+    #-----------------------------------------------------------------------#
+
+    # Regardless of our situation, end up with a readable IO object
+    def resolve_cfg_io(cli_opts, cfg_io)
+      raise(ArgumentError, 'Inspec::Config must use an IO to read from') if cfg_io && !cfg_io.respond_to?(:read)
+      cfg_io ||= check_for_piped_config(cli_opts)
+      return cfg_io if cfg_io
+
+      path = determine_cfg_path(cli_opts)
+
+      cfg_io = File.open(path) if path
+      cfg_io || StringIO.new('{ "version": "1.1" }')
+    end
+
+    def check_for_piped_config(cli_opts)
+      cli_opt = cli_opts[:config] || cli_opts[:json_config]
+      Inspec.deprecate(:cli_option_json_config, '') if cli_opts.key?(:json_config)
+
+      return nil unless cli_opt
+      return nil unless cli_opt == '-'
+      # This warning is here so that if a user invokes inspec with --config=-,
+      # they will have an explanation for why it appears to hang.
+      Inspec::Log.warn 'Reading JSON config from standard input' if STDIN.tty?
+      STDIN
+    end
+
+    def determine_cfg_path(cli_opts)
+      path = cli_opts[:config] || cli_opts[:json_config]
+      Inspec.deprecate(:cli_option_json_config, '') if cli_opts.key?(:json_config)
+
+      if path.nil?
+        default_path = File.join(Inspec.config_dir, 'config.json')
+        path = default_path if File.exist?(default_path)
+      elsif !File.exist?(path)
+        raise ArgumentError, "Could not read configuration file at #{path}"
+      end
+      path
+    end
+
+    def read_cfg_file_io(cfg_io)
+      contents = cfg_io.read
+      begin
+        @cfg_file_contents = JSON.parse(contents)
+        validate_config_file_contents!
+      rescue JSON::ParserError => e
+        raise Inspec::ConfigError::MalformedJson, "Failed to load JSON configuration: #{e}\nConfig was: #{contents}"
+      end
+      @cfg_file_contents
+    end
+
+    def file_version
+      @cfg_file_contents['version'] || :legacy
+    end
+
+    def legacy_file?
+      file_version == :legacy
+    end
+
+    def config_file_cli_options
+      if legacy_file?
+        # Assume everything in the file is a CLI option
+        @cfg_file_contents
+      else
+        @cfg_file_contents['cli_options'] || {}
+      end
+    end
+
+    def config_file_reporter_options
+      # This is assumed to be top-level in both legacy and 1.1.
+      # Technically, you could sneak it in the 1.1 cli opts area.
+      @cfg_file_contents.key?('reporter') ? { 'reporter' => @cfg_file_contents['reporter'] } : {}
+    end
+
+    #-----------------------------------------------------------------------#
+    #                            Validation
+    #-----------------------------------------------------------------------#
+    def validate_config_file_contents!
+      version = @cfg_file_contents['version']
+
+      # Assume legacy format, which is unconstrained
+      return unless version
+
+      unless version == '1.1'
+        raise Inspec::ConfigError::Invalid, "Unsupported config file version '#{version}' - currently supported versions: 1.1"
+      end
+
+      valid_fields = %w{version cli_options credentials compliance reporter}.sort
+      @cfg_file_contents.keys.each do |seen_field|
+        unless valid_fields.include?(seen_field)
+          raise Inspec::ConfigError::Invalid, "Unrecognized top-level configuration field #{seen_field}.  Recognized fields: #{valid_fields.join(', ')}"
+        end
+      end
+    end
+
+    def validate_reporters!(reporters)
+      return if reporters.nil?
+      # TODO: move this into a reporter plugin type system
+      valid_types = [
+        'automate',
+        'cli',
+        'documentation',
+        'html',
+        'json',
+        'json-automate',
+        'json-min',
+        'json-rspec',
+        'junit',
+        'progress',
+        'yaml',
+      ]
+
+      reporters.each do |reporter_name, reporter_config|
+        raise NotImplementedError, "'#{reporter_name}' is not a valid reporter type." unless valid_types.include?(reporter_name)
+
+        next unless reporter_name == 'automate'
+        %w{token url}.each do |option|
+          raise Inspec::ReporterError, "You must specify a automate #{option} via the config file." if reporter_config[option].nil?
+        end
+      end
+
+      # check to make sure we are only reporting one type to stdout
+      stdout_reporters = 0
+      reporters.each_value do |reporter_config|
+        stdout_reporters += 1 if reporter_config['stdout'] == true
+      end
+
+      raise ArgumentError, 'The option --reporter can only have a single report outputting to stdout.' if stdout_reporters > 1
+    end
+
+    #-----------------------------------------------------------------------#
+    #                         Merging Options
+    #-----------------------------------------------------------------------#
+    def merge_options
+      options = Thor::CoreExt::HashWithIndifferentAccess.new({})
+
+      # Lowest precedence: default, which may vary by command
+      options.merge!(@defaults)
+
+      # Middle precedence: merge in any CLI options defined from the config file
+      options.merge!(config_file_cli_options)
+      # Reporter options may be defined top-level.
+      options.merge!(config_file_reporter_options)
+
+      # Highest precedence: merge in any options defined via the CLI
+      options.merge!(@cli_opts)
+
+      options
+    end
+
+    #-----------------------------------------------------------------------#
+    #                          Finalization
+    #-----------------------------------------------------------------------#
+    def finalize_options
+      options = @merged_options.dup
+
+      finalize_set_top_level_command(options)
+      finalize_parse_reporters(options)
+      finalize_handle_sudo(options)
+      finalize_compliance_login(options)
+
+      Thor::CoreExt::HashWithIndifferentAccess.new(options)
+    end
+
+    def finalize_set_top_level_command(options)
+      options[:type] = @command_name
+      Inspec::BaseCLI.inspec_cli_command = @command_name # TODO: move to a more relevant location
+    end
+
+    def finalize_parse_reporters(options) # rubocop:disable Metrics/AbcSize
+      # default to cli report for ad-hoc runners
+      options['reporter'] = ['cli'] if options['reporter'].nil?
+
+      # parse out cli to proper report format
+      if options['reporter'].is_a?(Array)
+        reports = {}
+        options['reporter'].each do |report|
+          reporter_name, destination = report.split(':', 2)
+          if destination.nil? || destination.strip == '-'
+            reports[reporter_name] = { 'stdout' => true }
+          else
+            reports[reporter_name] = {
+              'file' => destination,
+              'stdout' => false,
+            }
+            reports[reporter_name]['target_id'] = options['target_id'] if options['target_id']
+          end
+        end
+        options['reporter'] = reports
+      end
+
+      # add in stdout if not specified
+      if options['reporter'].is_a?(Hash)
+        options['reporter'].each do |reporter_name, config|
+          options['reporter'][reporter_name] = {} if config.nil?
+          options['reporter'][reporter_name]['stdout'] = true if options['reporter'][reporter_name].empty?
+          options['reporter'][reporter_name]['target_id'] = options['target_id'] if options['target_id']
+        end
+      end
+
+      validate_reporters!(options['reporter'])
+      options
+    end
+
+    def finalize_handle_sudo(options)
+      # Due to limitations in Thor it is not possible to set an argument to be
+      # both optional and its value to be mandatory. E.g. the user supplying
+      # the --password argument is optional and not always required, but
+      # whenever it is used, it requires a value. Handle options that were
+      # defined in such a way and require a value here:
+      %w{password sudo-password}.each do |option_name|
+        snake_case_option_name = option_name.tr('-', '_').to_s
+        next unless options[snake_case_option_name] == -1 # Thor sets -1 for missing value - see #1918
+        raise ArgumentError, "Please provide a value for --#{option_name}. For example: --#{option_name}=hello."
+      end
+
+      # Infer `--sudo` if using `--sudo-password` without `--sudo`
+      if options['sudo_password'] && !options['sudo']
+        options['sudo'] = true
+        Inspec::Log.warn '`--sudo-password` used without `--sudo`. Adding `--sudo`.'
+      end
+    end
+
+    def finalize_compliance_login(options)
+      # check for compliance settings
+      # This is always a hash, comes from config file, not CLI opts
+      if options.key?('compliance')
+        require 'plugins/inspec-compliance/lib/inspec-compliance/api'
+        InspecPlugins::Compliance::API.login(options['compliance'])
+      end
+    end
+
+    class Defaults
+      DEFAULTS = {
+        exec: {
+          'reporter' => ['cli'],
+          'show_progress' => false,
+          'color' => true,
+          'create_lockfile' => true,
+          'backend_cache' => true,
+        },
+        shell: {
+          'reporter' => ['cli'],
+        },
+      }.freeze
+
+      def self.for_command(command_name)
+        DEFAULTS[command_name] || {}
+      end
+    end
+  end
+end