inspec 0.9.9 → 0.9.10

data/inspec.gemspec

@@ -8,8 +8,8 @@ Gem::Specification.new do |spec|
   spec.version       = Inspec::VERSION
   spec.authors       = ['Dominik Richter']
   spec.email         = ['dominik.richter@gmail.com']
-  spec.summary       = 'Validate Inspec compliance checks'
-  spec.description   = 'Validate Inspec compliance checks.'
+  spec.summary       = 'Infrastructure and compliance testing.'
+  spec.description   = 'InSpec provides a framework for creating end-to-end infrastructure tests. You can use it for integration or even compliance testing. Create fully portable test profiles and use them in your workflow to ensure stability and security. Integrate InSpec in your change lifecycle for local testing, CI/CD, and deployment verification.'
   spec.homepage      = 'https://github.com/chef/inspec'
   spec.license       = 'Apache 2.0'
 

data/lib/extras/compliance/README.md

@@ -0,0 +1,15 @@
+# InSpec Extension for Chef Compliance
+
+This extensions offers the following features:
+
+ - list profiles available in Chef Compliance
+ - execute profiles from Chef Compliance
+ - upload a local profile to Chef Compliance
+
+To use the CLI, this extra package adds the following commands:
+
+ * `$ inspec compliance login user password` - retieves a authentication token from Chef Compliance
+ * `$ inspec compliance list` - list all available profiles in Chef Compliance
+ * `$ inspec exec profile` - runs a profile that is stored on Chef Compliance
+ * `$ inspec compliance upload path/to/local/profile` - uploads a local command to Chef Compliance
+ * `$ inspec compliance logout` - removes the authentication token from the local cache and logs out of the Chef Compliance server

data/lib/extras/compliance/compliance.rb

@@ -0,0 +1,245 @@
+#!/usr/bin/env ruby
+# encoding: utf-8
+# author: Christoph Hartmann
+
+require 'thor'
+require 'net/http'
+require 'uri'
+
+# TODO:
+# - invalidate token
+# - fix file upload and genereate tar if required
+# - hook into exec with a new target helper
+
+class ComplianceCLI < Thor
+  namespace 'compliance'
+
+  desc 'login SERVER', 'Log in to a Chef Compliance SERVER'
+  options :username => :required, :password => :required
+  def login(server)
+    config = Compliance::Configuration.new
+    config['server'] = server
+    url = "#{server}/oauth/token"
+
+    data = post(url, options['username'], options['password'])
+    if !data.nil?
+      tokendata = JSON.parse(data)
+      if tokendata['access_token']
+        config['token'] = tokendata['access_token']
+        puts "Successfully authenticated"
+      else
+        puts 'Reponse does not include a token'
+      end
+    else
+      puts "Authentication failed for Server: #{url}"
+    end
+    config.store
+  end
+
+  desc 'list', 'list all available profiles in Chef Compliance'
+  def list
+    profiles = get_profiles
+    if !profiles.empty?
+      # iterate over profiles
+      puts "Available profiles: "
+      profiles.each { |profile|
+        puts " * #{profile[:org]}/#{profile[:name]}"
+      }
+    else
+      puts "Could not reach server #{url}"
+    end
+  end
+
+  desc 'exec PROFILE', 'executes a profile from Chef Compliance'
+  def exec(profile)
+    config = Compliance::Configuration.new
+    profiles = get_profiles
+    if !profiles.empty?
+      # 1. verify that the profile exists (list)
+      index = profiles.index { |p| "#{p[:org]}/#{p[:name]}" == profile }
+      if index >= 0
+        p = profiles[index]
+        # 2. execute the profile with the proper url, inject `inspec exec` with the suitable params`
+        url = "#{config['server']}/owners/#{p[:org]}/compliance/#{p[:name]}/tar"
+        puts "b bin/inspec exec #{url} --user #{config['token']}"
+      end
+    else
+      puts "The profile #{profile} is not available"
+    end
+  end
+
+  desc 'upload PATH', 'uploads a local profile to Chef Compliance'
+  def upload(path)
+    # 1. detect if tar or folder
+    # 2. archive if folder
+    # 3. check if tar is a compliance profile
+    # 4. show result and confirm upload to the user (skip with --force)
+    # 5. upload tar to server
+
+    # find the tar
+    config = Compliance::Configuration.new
+    tar_path = File.join(Dir.pwd, 'profile.tar.gz')
+
+    owner = 'admin'
+    profile = 'profile'
+    url = "#{config['server']}/owners/#{owner}/compliance/#{profile}/tar"
+
+    puts "Uploading to #{url}"
+    if post_file(url, config['token'], '', tar_path)
+      puts "Successfully uploaded profile"
+    else
+      puts "Error during profile upload"
+    end
+  end
+
+  desc 'version', 'displays the version of the Chef Compliance server'
+  def version
+    config = Compliance::Configuration.new
+    url = "#{config['server']}/version"
+
+    data = get(url, nil, nil)
+    if !data.nil?
+      info = JSON.parse(data)
+      puts "Chef Compliance version: #{info['version']}"
+    else
+      puts "Could not reach server #{url}"
+    end
+  end
+
+  desc 'logout', 'user logout from Chef Compliance'
+  def logout
+    config = Compliance::Configuration.new
+    url = "#{config['server']}/logout"
+    data = post(url, config['token'], nil)
+    if !data.nil?
+      puts "Successfully logged out"
+    else
+      puts "Could not log out"
+    end
+    config.destroy
+  end
+
+  private
+
+  def get_profiles
+    config = Compliance::Configuration.new
+
+    url = "#{config['server']}/user/compliance"
+    data = get(url, config['token'], '')
+
+    if !data.nil?
+      profiles = JSON.parse(data)
+      val = []
+      # iterate over profiles
+      profiles.each_key { |org|
+        profiles[org].each_key { |name|
+          val.push({ org: org, name: name})
+        }
+      }
+      val
+    else
+      []
+    end
+  end
+
+  def get(url, username, password)
+    uri = URI.parse(url)
+    req = Net::HTTP::Get.new(uri.path)
+    req.basic_auth username, password
+
+    send_request(uri, req)
+  end
+
+  def post(url, username, password)
+    # form request
+    uri = URI.parse(url)
+    req = Net::HTTP::Post.new(uri.path)
+    req.basic_auth username, password
+    req.form_data={}
+
+    send_request(uri, req)
+  end
+
+  # upload a file
+  def post_file(url, username, password, file_path)
+    uri = URI.parse(url)
+    http = Net::HTTP.new(uri.host, uri.port)
+    req = Net::HTTP::Post.new(uri.path)
+    req.basic_auth username, password
+
+    req.body_stream=File.open(file_path)
+    req["Content-Type"] = "multipart/form-data"
+    req.add_field('Content-Length', File.size(file_path))
+    req.add_field('Content-Type', 'application/x-gtar')
+
+    boundary = "INSPEC-PROFILE-UPLOAD"
+    req.add_field('session', boundary)
+    res=http.request(req)
+
+    # puts "Response #{response.code} #{response.message}"
+    # puts "#{response.body}"
+    # puts "Headers: #{response.to_hash.inspect}"
+
+    res.is_a?(Net::HTTPSuccess)
+  end
+
+  def send_request(uri, req)
+    # send request
+    res = Net::HTTP.start(uri.host, uri.port, :use_ssl => uri.scheme == 'https') {|http|
+      http.request(req)
+    }
+    if res.is_a?(Net::HTTPSuccess)
+      res.body
+    else
+      nil
+    end
+  end
+end
+
+module Compliance
+  class Configuration
+
+    def initialize
+      @config_path = File.join(ENV['HOME'], '/.inspec')
+      # ensure the directory is available
+      unless File.directory?(@config_path)
+        FileUtils.mkdir_p(@config_path)
+      end
+      # set config file pasth
+      @config_file = File.join(@config_path, '/config.json')
+      @config = {}
+
+      # load the data
+      get
+    end
+
+    # direct access to config
+    def [](key)
+      @config[key]
+    end
+
+    def []=(key, value)
+      @config[key] = value
+    end
+
+    # return the json data
+    def get
+      if File.exists?(@config_file)
+        file = File.read(@config_file)
+        @config = JSON.parse(file)
+      end
+      @config
+    end
+
+    # stores a hash to json
+    def store
+      File.open(@config_file,"w") do |f|
+        f.write(@config.to_json)
+      end
+    end
+
+    def destroy
+      File.delete(@config_file)
+    end
+  end
+end

data/lib/inspec/metadata.rb

@@ -73,7 +73,9 @@ module Inspec
         family = try_support[:'os-family']
         release = try_support[:release]
       elsif entry.is_a?(String)
-        @logger.warn("Using deprecated `supports` syntax: using `#{entry}` as OS family")
+        @logger.warn(
+          "Do not use deprecated `supports: #{entry}` syntax. Instead use "\
+          "`supports: {os-family: #{entry}}`.")
         family = entry
       end
 

data/lib/inspec/profile.rb

@@ -33,11 +33,13 @@ module Inspec
       @params = @metadata.params
       # use the id from parameter, name or fallback to nil
       @profile_id = options[:id] || params[:name] || nil
+      @params[:name] = @profile_id
 
       @params[:rules] = rules = {}
       @runner = Runner.new(
         id: @profile_id,
         backend: :mock,
+        test_collector: @options.delete(:test_collector),
       )
       @runner.add_tests([@path], @options)
       @runner.rules.each do |id, rule|

data/lib/inspec/profile_context.rb

@@ -4,11 +4,10 @@
 
 require 'inspec/rule'
 require 'inspec/dsl'
-require 'rspec/core/dsl'
 require 'securerandom'
 
 module Inspec
-  class ProfileContext # rubocop:disable Metrics/ClassLength
+  class ProfileContext
     attr_reader :rules, :only_ifs
     def initialize(profile_id, backend, profile_registry = {}, only_ifs = [])
       if backend.nil?
@@ -25,9 +24,8 @@ module Inspec
     end
 
     def reload_dsl
-      dsl = create_inner_dsl(@backend)
-      outer_dsl = create_outer_dsl(dsl)
-      ctx = create_context(outer_dsl)
+      resources_dsl = Inspec::Resource.create_dsl(@backend)
+      ctx = create_context(resources_dsl, rule_context(resources_dsl))
       @profile_context = ctx.new
     end
 
@@ -66,36 +64,42 @@ module Inspec
 
     private
 
-    # Creates the inner DSL which includes all resources for
-    # creating tests. It is always connected to one target,
-    # which is specified via the backend argument.
+    # Create the context for controls. This includes all components of the DSL,
+    # including matchers and resources.
     #
-    # @param backend [BackendRunner] exposing the target to resources
-    # @return [InnerDSLModule]
-    def create_inner_dsl(backend)
-      Module.new do
-        Inspec::Resource.registry.each do |id, r|
-          define_method id.to_sym do |*args|
-            r.new(backend, id.to_s, *args)
-          end
-        end
+    # @param [ResourcesDSL] resources_dsl which has all resources to attach
+    # @return [RuleContext] the inner context of rules
+    def rule_context(resources_dsl)
+      require 'rspec/core/dsl'
+      Class.new(Inspec::Rule) do
+        include RSpec::Core::DSL
+        include resources_dsl
       end
     end
 
-    # Creates the outer DSL which includes all methods for creating
-    # tests and control structures.
+    # Creates the heart of the profile context:
+    # An instantiated object which has all resources registered to it
+    # and exposes them to the a test file. The profile context serves as a
+    # container for all profiles which are registered. Within the context
+    # profiles get access to all DSL calls for creating tests and controls.
     #
-    # @param dsl [InnerDSLModule] which contains all resources
-    # @return [OuterDSLClass]
-    def create_outer_dsl(dsl)
-      rule_class = Class.new(Inspec::Rule) do
-        include RSpec::Core::DSL
-        include dsl
-      end
+    # @param outer_dsl [OuterDSLClass]
+    # @return [ProfileContextClass]
+    def create_context(resources_dsl, rule_class)
+      profile_context_owner = self
 
       # rubocop:disable Lint/NestedMethodDefinition
       Class.new do
-        include dsl
+        include Inspec::DSL
+        include resources_dsl
+
+        define_method :title do |arg|
+          profile_context_owner.set_header(:title, arg)
+        end
+
+        def to_s
+          'Profile Context Run'
+        end
 
         define_method :control do |*args, &block|
           id = args[0]
@@ -107,7 +111,7 @@ module Inspec
           # controls.
           return if @skip_profile && os[:family] != 'unknown'
 
-          __register_rule rule_class.new(id, opts, &block)
+          profile_context_owner.register_rule(rule_class.new(id, opts, &block))
         end
 
         alias_method :rule, :control
@@ -119,7 +123,7 @@ module Inspec
           rule = rule_class.new(id, {}) do
             describe(*args, &block)
           end
-          __register_rule rule, &block
+          profile_context_owner.register_rule(rule, &block)
         end
 
         # TODO: mock method for attributes; import attribute handling
@@ -128,7 +132,7 @@ module Inspec
         end
 
         def skip_control(id)
-          __unregister_rule id
+          profile_context_owner.unregister_rule(id)
         end
 
         alias_method :skip_rule, :skip_control
@@ -140,38 +144,5 @@ module Inspec
       end
       # rubocop:enable all
     end
-
-    # Creates the heart of the profile context:
-    # An instantiated object which has all resources registered to it
-    # and exposes them to the a test file. The profile context serves as a
-    # container for all profiles which are registered. Within the context
-    # profiles get access to all DSL calls for creating tests and controls.
-    #
-    # @param outer_dsl [OuterDSLClass]
-    # @return [ProfileContextClass]
-    def create_context(outer_dsl)
-      profile_context_owner = self
-
-      # rubocop:disable Lint/NestedMethodDefinition
-      Class.new(outer_dsl) do
-        include Inspec::DSL
-
-        define_method :title do |arg|
-          profile_context_owner.set_header(:title, arg)
-        end
-
-        define_method :__register_rule do |*args|
-          profile_context_owner.register_rule(*args)
-        end
-        define_method :__unregister_rule do |*args|
-          profile_context_owner.unregister_rule(*args)
-        end
-
-        def to_s
-          'Profile Context Run'
-        end
-      end
-      # rubocop:enable all
-    end
   end
 end