inspec 1.42.3 → 1.43.5

data/docs/resources/shadow.md.erb

@@ -29,17 +29,31 @@ A `shadow` resource block declares one (or more) users and associated user infor
       its('users') { should_not include 'forbidden_user' }
     end
 
+or with a single query:
+
+    describe shadow.users('root') do
+      its('count') { should eq 1 }
+    end
+
 or with a filter:
 
-    describe shadow.uid(filter) do
-      its('users') { should cmp 'root' }
+    describe shadow.filter(min_days: '0', max_days: '99999') do
       its('count') { should eq 1 }
     end
 
-where
+The following properties are available:
+
+* `users`
+* `passwords`
+* `last_changes`
+* `min_days`
+* `max_days`
+* `warn_days`
+* `inactive_days`
+* `expiry_date`
+* `reserved`
 
-* `homes`, `gids`, `passwords`, `shells`, `uids`, and `users` are valid accessors for `passwd`
-* `filter` one (or more) arguments, for example: `passwd.users(/name/)` used to define filtering; `filter` may take any of the following arguments: `count` (retrieves the number of entries), `lines` (provides raw `passwd` lines), and `params` (returns an array of maps for all entries)
+Properties can be used as a single query or can be joined together with the `.filter` method.
 
 <br>
 
@@ -72,7 +86,7 @@ The `count` matcher tests the number of times the named user appears in `/etc/sh
 
     its('count') { should eq 1 }
 
-TThis matcher is best used in conjunction with filters. For example:
+This matcher is best used in conjunction with filters. For example:
 
     describe shadow.users('dannos') do
        its('count') { should eq 1 }

data/lib/bundles/inspec-compliance/README.md

@@ -2,18 +2,17 @@
 
 This extensions offers the following features:
 
- - list available profiles in Chef Compliance
- - execute profiles directly from Chef Compliance locally
- - upload a local profile to Chef Compliance
+ - list available profiles in Chef Automate/Chef Compliance
+ - execute profiles directly from Chef Automate/Chef Compliance locally
+ - upload a local profile to Chef Automate/Chef Compliance
 
 To use the CLI, this InSpec add-on adds the following commands:
 
- * `$ inspec compliance login` - authentication of the API token against Chef Compliance
- * `$ inspec compliance login_automate` - authentication of the API token against Chef Automate
- * `$ inspec compliance profiles` - list all available Chef Compliance profiles
- * `$ inspec exec compliance://profile` - runs a Chef Compliance profile
- * `$ inspec compliance upload path/to/local/profile` - uploads a local profile to Chef Compliance
- * `$ inspec compliance logout` - logout of Chef Compliance
+ * `$ inspec compliance login` - authentication of the API token against Chef Automate/Chef Compliance
+ * `$ inspec compliance profiles` - list all available Compliance profiles
+ * `$ inspec exec compliance://profile` - runs a Compliance profile
+ * `$ inspec compliance upload path/to/local/profile` - uploads a local profile to Chef Automate/Chef Compliance
+ * `$ inspec compliance logout` - logout of Chef Automate/Chef Compliance
 
 Compliance profiles can be executed in two mays:
 
@@ -31,8 +30,7 @@ Commands:
   inspec compliance download PROFILE  # downloads a profile from Chef Compliance
   inspec compliance exec PROFILE      # executes a Chef Compliance profile
   inspec compliance help [COMMAND]    # Describe subcommands or one specific subcommand
-  inspec compliance login SERVER      # Log in to a Chef Compliance SERVER
-  inspec compliance login_automate SERVER   # Log in to an Automate SERVER
+  inspec compliance login SERVER      # Log in to a Chef Automate/Chef Compliance SERVER
   inspec compliance logout            # user logout from Chef Compliance
   inspec compliance profiles          # list all available profiles in Chef Compliance
   inspec compliance upload PATH       # uploads a local profile to Chef Compliance
@@ -41,29 +39,22 @@ Commands:
 
 ### Login with Chef Automate
 
-You need a Chef Automate server up and running. Compliance features need to [be activated](https://docs.chef.io/install_chef_automate.html#compliance), too.
-
-Now, you need a user token. You can retrieve that via [UI](https://docs.chef.io/api_delivery.html) or [CLI](https://docs.chef.io/ctl_delivery.html#delivery-token).
+You will need an access token for authentication. You can retrieve one via [UI](https://docs.chef.io/api_delivery.html) or [CLI](https://docs.chef.io/ctl_delivery.html#delivery-token).
 
 ```
-inspec compliance login_automate https://automate.compliance.test --insecure --user 'admin' --ent 'brewinc' --usertoken 'zuop..._KzE'
+$ inspec compliance login https://automate.compliance.test --insecure --user 'admin' --ent 'brewinc' --token 'zuop..._KzE'
 ```
 
 ### Login with Chef Compliance
 
-Before you start using the compliance plugin, you need a running [Chef Compliance](https://www.chef.io/compliance/) server. Please login and gather the access token:
+You will need an access token for authentication. You can retrieve one via:
 
 ![Chef Compliance Token](images/cc-token.png)
 
 You can choose the access token (`--token`) or the refresh token (`--refresh_token`)
 
 ```
-# login to chef compliance server
 $ inspec compliance login https://compliance.test --user admin --insecure --token '...'
-
-# display the chef compliance server version
-$ inspec compliance version
-Chef Compliance version: 1.0.11
 ```
 
 ### List available profiles via Chef Compliance / Automate
@@ -131,7 +122,7 @@ Available profiles:
  * cis/cis-ubuntu14.04lts-level2
 ```
 
-### Run a profile from Chef Compliance / Automate on Workstation
+### Run a profile from Chef Compliance / Chef Automate on Workstation
 
 ```
 $ inspec exec compliance://admin/profile

data/lib/bundles/inspec-compliance/api.rb

@@ -5,13 +5,16 @@
 require 'net/http'
 require 'uri'
 
+require_relative 'api/login'
+
 module Compliance
-  class ServerConfigurationMissing < StandardError
-  end
+  class ServerConfigurationMissing < StandardError; end
 
   # API Implementation does not hold any state by itself,
   # everything will be stored in local Configuration store
   class API # rubocop:disable Metrics/ClassLength
+    extend Compliance::API::Login
+
     # return all compliance profiles available for the user
     def self.profiles(config)
       # Chef Compliance
@@ -238,5 +241,13 @@ module Compliance
       return nil unless config['version'].is_a?(Hash)
       config['version']['version']
     end
+
+    def self.determine_server_type(url, insecure)
+      if Compliance::HTTP.get(url + '/compliance/version', nil, insecure).code == '401'
+        :automate
+      elsif Compliance::HTTP.get(url + '/api/version', nil, insecure).code == '200'
+        :compliance
+      end
+    end
   end
 end

data/lib/bundles/inspec-compliance/api/login.rb

@@ -0,0 +1,150 @@
+# encoding: utf-8
+# author: Christoph Hartmann
+# author: Dominik Ricter
+# author: Jerry Aldrich
+
+module Compliance
+  class API
+    module Login
+      class CannotDetermineServerType < StandardError; end
+
+      def login(options)
+        raise ArgumentError, 'Please specify a server using `inspec compliance login https://SERVER`' unless options['server']
+
+        options['server_type'] = Compliance::API.determine_server_type(options['server'], options['insecure'])
+
+        case options['server_type']
+        when :automate
+          config = Login::AutomateServer.login(options)
+        when :compliance
+          config = Login::ComplianceServer.login(options)
+        else
+          raise CannotDetermineServerType, "Unable to determine if #{options['server']} is a Chef Automate or Chef Compliance server"
+        end
+
+        puts "Stored configuration for Chef #{config['server_type'].capitalize}: #{config['server']}' with user: '#{config['user']}'"
+      end
+
+      module AutomateServer
+        def self.login(options)
+          verify_thor_options(options)
+
+          options['url'] = options['server'] + '/compliance'
+          token = options['dctoken'] || options['token']
+          store_access_token(options, token)
+        end
+
+        def self.store_access_token(options, token)
+          token_type = if options['token']
+                         'usertoken'
+                       else
+                         'dctoken'
+                       end
+
+          config = Compliance::Configuration.new
+
+          config.clean
+
+          config['automate'] = {}
+          config['automate']['ent'] = options['ent']
+          config['automate']['token_type'] = token_type
+          config['server'] = options['url']
+          config['user'] = options['user']
+          config['insecure'] = options['insecure'] || false
+          config['server_type'] = options['server_type'].to_s
+          config['token'] = token
+          config['version'] = Compliance::API.version(config)
+
+          config.store
+          config
+        end
+
+        # Automate login requires `--ent`, `--user`, and either `--token` or `--dctoken`
+        def self.verify_thor_options(o)
+          error_msg = []
+
+          error_msg.push('Please specify a user using `--user=\'USER\'`') if o['user'].nil?
+          error_msg.push('Please specify an enterprise using `--ent=\'automate\'`') if o['ent'].nil?
+
+          if o['token'].nil? && o['dctoken'].nil?
+            error_msg.push('Please specify a token using `--token=\'AUTOMATE_TOKEN\'` or `--dctoken=\'DATA_COLLECTOR_TOKEN\'`')
+          end
+
+          raise ArgumentError, error_msg.join("\n") unless error_msg.empty?
+        end
+      end
+
+      module ComplianceServer
+        def self.login(options)
+          compliance_verify_thor_options(options)
+
+          options['url'] = options['server'] + '/api'
+
+          if options['user'] && options['token']
+            compliance_store_access_token(options, options['token'])
+          elsif options['user'] && options['password']
+            compliance_login_user_pass(options)
+          elsif options['refresh_token']
+            compliance_login_refresh_token(options)
+          end
+        end
+
+        def self.compliance_login_user_pass(options)
+          success, msg, token = Compliance::API.get_token_via_password(
+            options['url'],
+            options['user'],
+            options['password'],
+            options['insecure'],
+          )
+
+          raise msg unless success
+          compliance_store_access_token(options, token)
+        end
+
+        def self.compliance_login_refresh_token(options)
+          success, msg, token = Compliance::API.get_token_via_refresh_token(
+            options['url'],
+            options['refresh_token'],
+            options['insecure'],
+          )
+
+          raise msg unless success
+          compliance_store_access_token(options, token)
+        end
+
+        def self.compliance_store_access_token(options, token)
+          config = Compliance::Configuration.new
+          config.clean
+
+          config['user'] = options['user'] if options['user']
+          config['server'] = options['url']
+          config['insecure'] = options['insecure'] || false
+          config['server_type'] = options['server_type'].to_s
+          config['token'] = token
+          config['version'] = Compliance::API.version(config)
+
+          config.store
+          config
+        end
+
+        # Compliance login requires `--user` or `--refresh_token`
+        # If `--user` then either `--password`, `--token`, or `--refresh-token`, is required
+        def self.compliance_verify_thor_options(o)
+          error_msg = []
+
+          error_msg.push('Please specify a server using `inspec compliance login https://SERVER`') if o['server'].nil?
+
+          if o['user'].nil? && o['refresh_token'].nil?
+            error_msg.push('Please specify a `--user=\'USER\'` or a `--refresh-token=\'TOKEN\'`')
+          end
+
+          if o['user'] && o['password'].nil? && o['token'].nil? && o['refresh_token'].nil?
+            error_msg.push('Please specify either a `--password`, `--token`, or `--refresh-token`')
+          end
+
+          raise ArgumentError, error_msg.join("\n") unless error_msg.empty?
+        end
+      end
+    end
+  end
+end

data/lib/bundles/inspec-compliance/cli.rb

@@ -18,78 +18,64 @@ module Compliance
       namespace
     end
 
-    desc "login SERVER --insecure --user='USER' --token='TOKEN'", 'Log in to a Chef Compliance SERVER'
+    desc "login https://SERVER --insecure --user='USER' --ent='ENTERPRISE' --token='TOKEN'", 'Log in to a Chef Compliance/Chef Automate SERVER'
+    long_desc <<-LONGDESC
+      `login` allows you to use InSpec with Chef Automate or a Chef Compliance Server
+
+      You need to a token for communication. More information about token retrieval
+      is available at:
+        https://docs.chef.io/api_automate.html#authentication-methods
+        https://docs.chef.io/api_compliance.html#obtaining-an-api-token
+    LONGDESC
     option :insecure, aliases: :k, type: :boolean,
       desc: 'Explicitly allows InSpec to perform "insecure" SSL connections and transfers'
     option :user, type: :string, required: false,
-      desc: 'Chef Compliance Username'
+      desc: 'Username'
     option :password, type: :string, required: false,
-      desc: 'Chef Compliance Password'
-    option :apipath, type: :string, default: '/api',
-      desc: 'Set the path to the API, defaults to /api'
+      desc: 'Password (Chef Compliance Only)'
     option :token, type: :string, required: false,
-      desc: 'Chef Compliance access token'
+      desc: 'Access token'
     option :refresh_token, type: :string, required: false,
-      desc: 'Chef Compliance refresh token'
-    def login(server) # rubocop:disable Metrics/AbcSize
-      # show warning if the Compliance Server does not support
-
+      desc: 'Chef Compliance refresh token (Chef Compliance Only)'
+    option :dctoken, type: :string, required: false,
+      desc: 'Data Collector token (Chef Automate Only)'
+    option :ent, type: :string, required: false,
+      desc: 'Enterprise for Chef Automate reporting (Chef Automate Only)'
+    def login(server)
       options['server'] = server
-      url = options['server'] + options['apipath']
-
-      if !options['user'].nil? && !options['password'].nil?
-        # username / password
-        _success, msg = login_username_password(url, options['user'], options['password'], options['insecure'])
-      elsif !options['user'].nil? && !options['token'].nil?
-        # access token
-        _success, msg = store_access_token(url, options['user'], options['token'], options['insecure'])
-      elsif !options['refresh_token'].nil? && !options['user'].nil?
-        # refresh token
-        _success, msg = store_refresh_token(url, options['refresh_token'], true, options['user'], options['insecure'])
-        # TODO: we should login with the refreshtoken here
-      elsif !options['refresh_token'].nil?
-        _success, msg = login_refreshtoken(url, options)
-      else
-        puts 'Please run `inspec compliance login SERVER` with options --token or --refresh_token, --user, and --insecure or --not-insecure'
-        exit 1
-      end
-
-      puts '', msg
+      Compliance::API.login(options)
     end
 
-    desc "login_automate SERVER --insecure --user='USER' --ent='ENT' --usertoken='TOKEN'", 'Log in to an Automate SERVER'
+    desc "login_automate https://SERVER --insecure --user='USER' --ent='ENTERPRISE' --usertoken='TOKEN'", 'Log in to a Chef Automate SERVER (DEPRECATED: Please use `login`)'
     long_desc <<-LONGDESC
-      `login_automate` allows you to use InSpec with Chef Automate
+      This commmand is deprecated and will be removed, please use `--login`.
+
+      `login_automate` allows you to use InSpec with Chef Automate.
 
-      You need to a user-token for communication with Chef Automate. More
-      information about token retrieval for Automate is available at:
-      https://docs.chef.io/api_delivery.html
+      You need to a token for communication. More information about token retrieval
+      is available at:
+        https://docs.chef.io/api_automate.html#authentication-methods
+        https://docs.chef.io/api_compliance.html#obtaining-an-api-token
     LONGDESC
-    option :dctoken, type: :string,
-      desc: 'Data Collector token'
-    option :usertoken, type: :string,
-      desc: 'Automate user token'
-    option :user, type: :string,
-      desc: 'Automate username'
-    option :ent, type: :string,
-      desc: 'Enterprise for Chef Automate reporting'
     option :insecure, aliases: :k, type: :boolean,
       desc: 'Explicitly allows InSpec to perform "insecure" SSL connections and transfers'
-    def login_automate(server) # rubocop:disable Metrics/AbcSize
+    option :user, type: :string, required: true,
+      desc: 'Username'
+    option :usertoken, type: :string, required: false,
+      desc: 'Access token (DEPRECATED: Please use `--token`)'
+    option :token, type: :string, required: false,
+      desc: 'Access token'
+    option :dctoken, type: :string, required: false,
+      desc: 'Data Collector token'
+    option :ent, type: :string, required: true,
+      desc: 'Enterprise for Chef Automate reporting'
+    def login_automate(server)
+      warn '[DEPRECATION] `inspec compliance login_automate` is deprecated. Please use `inspec compliance login`'
       options['server'] = server
-      url = options['server'] + '/compliance'
 
-      if url && !options['user'].nil? && !options['ent'].nil? && (!options['dctoken'].nil? || !options['usertoken'].nil?)
-        msg = login_automate_config(url, options['user'], options['dctoken'], options['usertoken'], options['ent'], options['insecure'])
-        puts '', msg
-        exit 0
-      end
+      options['token'] = options['usertoken'] if options['usertoken']
 
-      # parameters are missing if we reach here
-      puts 'Please specify an user using `--user \'USER\'`' if options['user'].nil?
-      puts 'Please specify an enterprise using `--ent \'cd\'`' if options['ent'].nil?
-      puts 'Please specify a token using `--usertoken=\'AUTOMATE_TOKEN\'`' if options['usertoken'].nil? && options['dctoken'].nil?
-      exit 1
+      Compliance::API.login(options)
     end
 
     desc 'profiles', 'list all available profiles in Chef Compliance'
@@ -111,7 +97,7 @@ module Compliance
         exit 1
       end
     rescue Compliance::ServerConfigurationMissing
-      puts "\nServer configuration information is missing. Please login using `inspec compliance login`"
+      STDERR.puts "\nServer configuration information is missing. Please login using `inspec compliance login`"
       exit 1
     end
 
@@ -272,109 +258,9 @@ module Compliance
 
     private
 
-    def login_automate_config(url, user, dctoken, usertoken, ent, insecure) # rubocop:disable Metrics/ParameterLists
-      config = Compliance::Configuration.new
-      config.clean
-      config['user'] = user
-      config['server'] = url
-      config['automate'] = {}
-      config['automate']['ent'] = ent
-      config['server_type'] = 'automate'
-      config['insecure'] = insecure
-
-      # determine token method being used
-      if !dctoken.nil?
-        config['token'] = dctoken
-        token_type = 'dctoken'
-        token_msg = 'data collector token'
-      else
-        config['token'] = usertoken
-        token_type = 'usertoken'
-        token_msg = 'automate user token'
-      end
-      config['automate']['token_type'] = token_type
-      config['version'] = Compliance::API.version(config)
-      config.store
-      msg = "Stored configuration for Chef Automate: '#{url}' with user: '#{user}', ent: '#{ent}' and your #{token_msg}"
-      msg
-    end
-
-    def login_refreshtoken(url, options)
-      success, msg, _access_token = Compliance::API.get_token_via_refresh_token(url, options['refresh_token'], options['insecure'])
-      if success
-        config = Compliance::Configuration.new
-        config.clean
-        config['server'] = url
-        config['insecure'] = options['insecure']
-        config['server_type'] = 'compliance'
-        config['version'] = Compliance::API.version(config)
-        config.store
-      end
-
-      [success, msg]
-    end
-
-    def login_username_password(url, username, password, insecure)
-      config = Compliance::Configuration.new
-      config.clean
-      success, msg, api_token = Compliance::API.get_token_via_password(url, username, password, insecure)
-      if success
-        config['server'] = url
-        config['user'] = username
-        config['token'] = api_token
-        config['insecure'] = insecure
-        config['server_type'] = 'compliance'
-        config['version'] = Compliance::API.version(config)
-        config.store
-        success = true
-      end
-      [success, msg]
-    end
-
-    # saves a user access token (limited time)
-    def store_access_token(url, user, token, insecure)
-      config = Compliance::Configuration.new
-      config.clean
-      config['server'] = url
-      config['insecure'] = insecure
-      config['user'] = user
-      config['token'] = token
-      config['server_type'] = 'compliance'
-      config['version'] = Compliance::API.version(config)
-      config.store
-
-      [true, 'API access token stored']
-    end
-
-    # saves a refresh token supplied by the user
-    def store_refresh_token(url, refresh_token, verify, user, insecure)
-      config = Compliance::Configuration.new
-      config.clean
-      config['server'] = url
-      config['refresh_token'] = refresh_token
-      config['user'] = user
-      config['insecure'] = insecure
-      config['server_type'] = 'compliance'
-      config['version'] = Compliance::API.version(config)
-
-      if !verify
-        config.store
-        success = true
-        msg = 'API refresh token stored'
-      else
-        success, msg, _access_token= Compliance::API.get_token_via_refresh_token(url, refresh_token, insecure)
-        if success
-          config.store
-          msg = 'API access token verified'
-        end
-      end
-
-      [success, msg]
-    end
-
     def loggedin(config)
       serverknown = !config['server'].nil?
-      puts 'You need to login first with `inspec compliance login` or `inspec compliance login_automate`' if !serverknown
+      puts 'You need to login first with `inspec compliance login`' if !serverknown
       serverknown
     end
   end