inspec 2.0.32 → 2.0.45

data/lib/bundles/inspec-compliance.rb

@@ -1,16 +1,16 @@
-# encoding: utf-8
-# author: Christoph Hartmann
-# author: Dominik Richter
-
-libdir = File.dirname(__FILE__)
-$LOAD_PATH.unshift(libdir) unless $LOAD_PATH.include?(libdir)
-
-module Compliance
-  autoload :Configuration, 'inspec-compliance/configuration'
-  autoload :HTTP, 'inspec-compliance/http'
-  autoload :Support, 'inspec-compliance/support'
-  autoload :API, 'inspec-compliance/api'
-end
-
-require 'inspec-compliance/cli'
-require 'inspec-compliance/target'
+# encoding: utf-8
+# author: Christoph Hartmann
+# author: Dominik Richter
+
+libdir = File.dirname(__FILE__)
+$LOAD_PATH.unshift(libdir) unless $LOAD_PATH.include?(libdir)
+
+module Compliance
+  autoload :Configuration, 'inspec-compliance/configuration'
+  autoload :HTTP, 'inspec-compliance/http'
+  autoload :Support, 'inspec-compliance/support'
+  autoload :API, 'inspec-compliance/api'
+end
+
+require 'inspec-compliance/cli'
+require 'inspec-compliance/target'

data/lib/bundles/inspec-compliance/.kitchen.yml

@@ -1,20 +1,20 @@
----
-driver:
-  name: vagrant
-  synced_folders:
-    - ['../../../', '/inspec']
-  network:
-    - ['private_network', {ip: '192.168.251.2'}]
-
-provisioner:
-  name: shell
-
-verifier:
-  name: inspec
-
-platforms:
-  - name: ubuntu-14.04
-suites:
-  - name: default
-    run_list:
-    attributes:
+---
+driver:
+  name: vagrant
+  synced_folders:
+    - ['../../../', '/inspec']
+  network:
+    - ['private_network', {ip: '192.168.251.2'}]
+
+provisioner:
+  name: shell
+
+verifier:
+  name: inspec
+
+platforms:
+  - name: ubuntu-14.04
+suites:
+  - name: default
+    run_list:
+    attributes:

data/lib/bundles/inspec-compliance/README.md

@@ -1,185 +1,185 @@
-# InSpec Extension for Chef Compliance
-
-This extensions offers the following features:
-
- - list available profiles in Chef Automate/Chef Compliance
- - execute profiles directly from Chef Automate/Chef Compliance locally
- - upload a local profile to Chef Automate/Chef Compliance
-
-To use the CLI, this InSpec add-on adds the following commands:
-
- * `$ inspec compliance login` - authentication of the API token against Chef Automate/Chef Compliance
- * `$ inspec compliance profiles` - list all available Compliance profiles
- * `$ inspec exec compliance://profile` - runs a Compliance profile
- * `$ inspec compliance upload path/to/local/profile` - uploads a local profile to Chef Automate/Chef Compliance
- * `$ inspec compliance logout` - logout of Chef Automate/Chef Compliance
-
-Compliance profiles can be executed in two mays:
-
-- via compliance exec: `inspec compliance exec profile`
-- via compliance scheme: `inspec exec compliance://profile`
-
-
-## Usage
-
-### Command options
-
-```
-$ inspec compliance
-Commands:
-  inspec compliance download PROFILE  # downloads a profile from Chef Compliance
-  inspec compliance exec PROFILE      # executes a Chef Compliance profile
-  inspec compliance help [COMMAND]    # Describe subcommands or one specific subcommand
-  inspec compliance login SERVER      # Log in to a Chef Automate/Chef Compliance SERVER
-  inspec compliance logout            # user logout from Chef Compliance
-  inspec compliance profiles          # list all available profiles in Chef Compliance
-  inspec compliance upload PATH       # uploads a local profile to Chef Compliance
-  inspec compliance version           # displays the version of the Chef Compliance server
-```
-
-### Login with Chef Automate
-
-You will need an access token for authentication. You can retrieve one via [UI](https://docs.chef.io/api_delivery.html) or [CLI](https://docs.chef.io/ctl_delivery.html#delivery-token).
-
-```
-$ inspec compliance login https://automate.compliance.test --insecure --user 'admin' --ent 'brewinc' --token 'zuop..._KzE'
-```
-
-### Login with Chef Compliance
-
-You will need an access token for authentication. You can retrieve one via:
-
-![Chef Compliance Token](images/cc-token.png)
-
-You can choose the access token (`--token`) or the refresh token (`--refresh_token`)
-
-```
-$ inspec compliance login https://compliance.test --user admin --insecure --token '...'
-```
-
-### List available profiles via Chef Compliance / Automate
-
-```
-$ inspec compliance profiles
-Available profiles:
--------------------
- * base/apache
- * base/linux
- * base/mysql
- * base/postgres
- * base/ssh
- * base/windows
- * cis/cis-centos6-level1
- * cis/cis-centos6-level2
- * cis/cis-centos7-level1
- * cis/cis-centos7-level2
- * cis/cis-rhel7-level1
- * cis/cis-rhel7-level2
- * cis/cis-ubuntu12.04lts-level1
- * cis/cis-ubuntu12.04lts-level2
- * cis/cis-ubuntu14.04lts-level1
- * cis/cis-ubuntu14.04lts-level2
-```
-
-### Upload a profile to Chef Compliance / Automate
-
-```
-$ inspec compliance version
-Chef Compliance version: 1.0.11
-➜  inspec git:(chris-rock/cc-error-not-loggedin) ✗ b inspec compliance upload examples/profile
-I, [2016-05-06T14:27:20.907547 #37592]  INFO -- : Checking profile in examples/profile
-I, [2016-05-06T14:27:20.907668 #37592]  INFO -- : Metadata OK.
-I, [2016-05-06T14:27:20.968584 #37592]  INFO -- : Found 4 controls.
-I, [2016-05-06T14:27:20.968638 #37592]  INFO -- : Control definitions OK.
-Profile is valid
-Generate temporary profile archive at /var/folders/jy/2bnrfb4s36jbjtzllvhhyqhw0000gn/T/profile20160506-37592-1tf326f.tar.gz
-I, [2016-05-06T14:27:21.020017 #37592]  INFO -- : Generate archive /var/folders/jy/2bnrfb4s36jbjtzllvhhyqhw0000gn/T/profile20160506-37592-1tf326f.tar.gz.
-I, [2016-05-06T14:27:21.024837 #37592]  INFO -- : Finished archive generation.
-Start upload to admin/profile
-Uploading to Chef Compliance
-Successfully uploaded profile
-
-# display all profiles
-$ inspec compliance profiles
-Available profiles:
--------------------
- * admin/profile
- * base/apache
- * base/linux
- * base/mysql
- * base/postgres
- * base/ssh
- * base/windows
- * cis/cis-centos6-level1
- * cis/cis-centos6-level2
- * cis/cis-centos7-level1
- * cis/cis-centos7-level2
- * cis/cis-rhel7-level1
- * cis/cis-rhel7-level2
- * cis/cis-ubuntu12.04lts-level1
- * cis/cis-ubuntu12.04lts-level2
- * cis/cis-ubuntu14.04lts-level1
- * cis/cis-ubuntu14.04lts-level2
-```
-
-### Run a profile from Chef Compliance / Chef Automate on Workstation
-
-```
-$ inspec exec compliance://admin/profile
-.*...
-
-Pending: (Failures listed here are expected and do not affect your suite's status)
-
-  1) gordon_config Can't find file "/tmp/gordon/config.yaml"
-     # Not yet implemented
-     # ./lib/inspec/runner.rb:157
-
-
-Finished in 0.02862 seconds (files took 0.62628 seconds to load)
-5 examples, 0 failures, 1 pending
-```
-
-Exec a specific version(2.0.1) of a profile when logged in with Automate:
-
-```
-$ inspec exec compliance://admin/apache-baseline#2.0.1
-```
-
-Download a specific version(2.0.2) of a profile when logged in with Automate:
-```
-$ inspec compliance download compliance://admin/apache-baseline#2.0.2
-```
-
-### To Logout from Chef Compliance
-
-```
-$ inspec compliance logout
-Successfully logged out
-```
-
-## Integration Tests
-
-At this point of time, InSpec is not able to pick up the token directly, therefore the integration test is semi-automatic at this point of time:
-
- * run `kitchen converge`
- * open https://192.168.251.2 and log in with user `admin` and password `admin`
- * click on user->about and obtain the access token and the refresh token
- * run `kitchen verify` with the required env variables:
-
-```
-# both token need to be set, since the test suite runs for each token type
-export COMPLIANCE_ACCESSTOKEN='mycompliancetoken'
-export COMPLIANCE_REFRESHTOKEN='myrefreshtoken'
-kitchen verify
------> Starting Kitchen (v1.7.3)
------> Verifying <default-ubuntu-1404>...
-       Search `/Users/chartmann/Development/compliance/inspec/lib/bundles/inspec-compliance/test/integration/default` for tests
-..................................
-
-Finished in 6.35 seconds (files took 0.40949 seconds to load)
-34 examples, 0 failures
-
-       Finished verifying <default-ubuntu-1404> (0m6.62s).
------> Kitchen is finished. (0m7.02s)
-zlib(finalizer): the stream was freed prematurely.
-```
+# InSpec Extension for Chef Compliance
+
+This extensions offers the following features:
+
+ - list available profiles in Chef Automate/Chef Compliance
+ - execute profiles directly from Chef Automate/Chef Compliance locally
+ - upload a local profile to Chef Automate/Chef Compliance
+
+To use the CLI, this InSpec add-on adds the following commands:
+
+ * `$ inspec compliance login` - authentication of the API token against Chef Automate/Chef Compliance
+ * `$ inspec compliance profiles` - list all available Compliance profiles
+ * `$ inspec exec compliance://profile` - runs a Compliance profile
+ * `$ inspec compliance upload path/to/local/profile` - uploads a local profile to Chef Automate/Chef Compliance
+ * `$ inspec compliance logout` - logout of Chef Automate/Chef Compliance
+
+Compliance profiles can be executed in two mays:
+
+- via compliance exec: `inspec compliance exec profile`
+- via compliance scheme: `inspec exec compliance://profile`
+
+
+## Usage
+
+### Command options
+
+```
+$ inspec compliance
+Commands:
+  inspec compliance download PROFILE  # downloads a profile from Chef Compliance
+  inspec compliance exec PROFILE      # executes a Chef Compliance profile
+  inspec compliance help [COMMAND]    # Describe subcommands or one specific subcommand
+  inspec compliance login SERVER      # Log in to a Chef Automate/Chef Compliance SERVER
+  inspec compliance logout            # user logout from Chef Compliance
+  inspec compliance profiles          # list all available profiles in Chef Compliance
+  inspec compliance upload PATH       # uploads a local profile to Chef Compliance
+  inspec compliance version           # displays the version of the Chef Compliance server
+```
+
+### Login with Chef Automate
+
+You will need an access token for authentication. You can retrieve one via [UI](https://docs.chef.io/api_delivery.html) or [CLI](https://docs.chef.io/ctl_delivery.html#delivery-token).
+
+```
+$ inspec compliance login https://automate.compliance.test --insecure --user 'admin' --ent 'brewinc' --token 'zuop..._KzE'
+```
+
+### Login with Chef Compliance
+
+You will need an access token for authentication. You can retrieve one via:
+
+![Chef Compliance Token](images/cc-token.png)
+
+You can choose the access token (`--token`) or the refresh token (`--refresh_token`)
+
+```
+$ inspec compliance login https://compliance.test --user admin --insecure --token '...'
+```
+
+### List available profiles via Chef Compliance / Automate
+
+```
+$ inspec compliance profiles
+Available profiles:
+-------------------
+ * base/apache
+ * base/linux
+ * base/mysql
+ * base/postgres
+ * base/ssh
+ * base/windows
+ * cis/cis-centos6-level1
+ * cis/cis-centos6-level2
+ * cis/cis-centos7-level1
+ * cis/cis-centos7-level2
+ * cis/cis-rhel7-level1
+ * cis/cis-rhel7-level2
+ * cis/cis-ubuntu12.04lts-level1
+ * cis/cis-ubuntu12.04lts-level2
+ * cis/cis-ubuntu14.04lts-level1
+ * cis/cis-ubuntu14.04lts-level2
+```
+
+### Upload a profile to Chef Compliance / Automate
+
+```
+$ inspec compliance version
+Chef Compliance version: 1.0.11
+➜  inspec git:(chris-rock/cc-error-not-loggedin) ✗ b inspec compliance upload examples/profile
+I, [2016-05-06T14:27:20.907547 #37592]  INFO -- : Checking profile in examples/profile
+I, [2016-05-06T14:27:20.907668 #37592]  INFO -- : Metadata OK.
+I, [2016-05-06T14:27:20.968584 #37592]  INFO -- : Found 4 controls.
+I, [2016-05-06T14:27:20.968638 #37592]  INFO -- : Control definitions OK.
+Profile is valid
+Generate temporary profile archive at /var/folders/jy/2bnrfb4s36jbjtzllvhhyqhw0000gn/T/profile20160506-37592-1tf326f.tar.gz
+I, [2016-05-06T14:27:21.020017 #37592]  INFO -- : Generate archive /var/folders/jy/2bnrfb4s36jbjtzllvhhyqhw0000gn/T/profile20160506-37592-1tf326f.tar.gz.
+I, [2016-05-06T14:27:21.024837 #37592]  INFO -- : Finished archive generation.
+Start upload to admin/profile
+Uploading to Chef Compliance
+Successfully uploaded profile
+
+# display all profiles
+$ inspec compliance profiles
+Available profiles:
+-------------------
+ * admin/profile
+ * base/apache
+ * base/linux
+ * base/mysql
+ * base/postgres
+ * base/ssh
+ * base/windows
+ * cis/cis-centos6-level1
+ * cis/cis-centos6-level2
+ * cis/cis-centos7-level1
+ * cis/cis-centos7-level2
+ * cis/cis-rhel7-level1
+ * cis/cis-rhel7-level2
+ * cis/cis-ubuntu12.04lts-level1
+ * cis/cis-ubuntu12.04lts-level2
+ * cis/cis-ubuntu14.04lts-level1
+ * cis/cis-ubuntu14.04lts-level2
+```
+
+### Run a profile from Chef Compliance / Chef Automate on Workstation
+
+```
+$ inspec exec compliance://admin/profile
+.*...
+
+Pending: (Failures listed here are expected and do not affect your suite's status)
+
+  1) gordon_config Can't find file "/tmp/gordon/config.yaml"
+     # Not yet implemented
+     # ./lib/inspec/runner.rb:157
+
+
+Finished in 0.02862 seconds (files took 0.62628 seconds to load)
+5 examples, 0 failures, 1 pending
+```
+
+Exec a specific version(2.0.1) of a profile when logged in with Automate:
+
+```
+$ inspec exec compliance://admin/apache-baseline#2.0.1
+```
+
+Download a specific version(2.0.2) of a profile when logged in with Automate:
+```
+$ inspec compliance download compliance://admin/apache-baseline#2.0.2
+```
+
+### To Logout from Chef Compliance
+
+```
+$ inspec compliance logout
+Successfully logged out
+```
+
+## Integration Tests
+
+At this point of time, InSpec is not able to pick up the token directly, therefore the integration test is semi-automatic at this point of time:
+
+ * run `kitchen converge`
+ * open https://192.168.251.2 and log in with user `admin` and password `admin`
+ * click on user->about and obtain the access token and the refresh token
+ * run `kitchen verify` with the required env variables:
+
+```
+# both token need to be set, since the test suite runs for each token type
+export COMPLIANCE_ACCESSTOKEN='mycompliancetoken'
+export COMPLIANCE_REFRESHTOKEN='myrefreshtoken'
+kitchen verify
+-----> Starting Kitchen (v1.7.3)
+-----> Verifying <default-ubuntu-1404>...
+       Search `/Users/chartmann/Development/compliance/inspec/lib/bundles/inspec-compliance/test/integration/default` for tests
+..................................
+
+Finished in 6.35 seconds (files took 0.40949 seconds to load)
+34 examples, 0 failures
+
+       Finished verifying <default-ubuntu-1404> (0m6.62s).
+-----> Kitchen is finished. (0m7.02s)
+zlib(finalizer): the stream was freed prematurely.
+```

data/lib/bundles/inspec-compliance/api.rb

@@ -1,316 +1,316 @@
-# encoding: utf-8
-# author: Christoph Hartmann
-# author: Dominik Richter
-
-require 'net/http'
-require 'uri'
-
-require_relative 'api/login'
-
-module Compliance
-  class ServerConfigurationMissing < StandardError; end
-
-  # API Implementation does not hold any state by itself,
-  # everything will be stored in local Configuration store
-  class API
-    extend Compliance::API::Login
-
-    # return all compliance profiles available for the user
-    # the user is either specified in the options hash or by default
-    # the username of the account is used that is logged in
-    def self.profiles(config)
-      owner = config['owner'] || config['user']
-
-      # Chef Compliance
-      if is_compliance_server?(config)
-        url = "#{config['server']}/user/compliance"
-      # Chef Automate
-      elsif is_automate_server?(config)
-        url = "#{config['server']}/profiles/#{owner}"
-      else
-        raise ServerConfigurationMissing
-      end
-
-      headers = get_headers(config)
-      response = Compliance::HTTP.get(url, headers, config['insecure'])
-      data = response.body
-      response_code = response.code
-      case response_code
-      when '200'
-        msg = 'success'
-        profiles = JSON.parse(data)
-        # iterate over profiles
-        if is_compliance_server?(config)
-          mapped_profiles = []
-          profiles.values.each { |org|
-            mapped_profiles += org.values
-          }
-        # Chef Automate pre 0.8.0
-        elsif is_automate_server_pre_080?(config)
-          mapped_profiles = profiles.values.flatten
-        else
-          mapped_profiles = profiles.map { |e|
-            e['owner_id'] = owner
-            e
-          }
-        end
-        return msg, mapped_profiles
-      when '401'
-        msg = '401 Unauthorized. Please check your token.'
-        return msg, []
-      else
-        msg = "An unexpected error occurred (HTTP #{response_code}): #{response.message}"
-        return msg, []
-      end
-    end
-
-    # return the server api version
-    # NB this method does not use Compliance::Configuration to allow for using
-    # it before we know the version (e.g. oidc or not)
-    def self.version(config)
-      url = config['server']
-      insecure = config['insecure']
-
-      raise ServerConfigurationMissing if url.nil?
-
-      headers = get_headers(config)
-      response = Compliance::HTTP.get(url+'/version', headers, insecure)
-      return {} if response.code == '404'
-
-      data = response.body
-      return {} if data.nil? || data.empty?
-
-      parsed = JSON.parse(data)
-      return {} unless parsed.key?('version') && !parsed['version'].empty?
-
-      parsed
-    end
-
-    # verifies that a profile
-    def self.exist?(config, profile)
-      owner, id, ver = profile_split(profile)
-
-      # ensure that we do not manipulate the configuration object
-      user_config = config.dup
-      user_config['owner'] = owner
-      _msg, profiles = Compliance::API.profiles(user_config)
-
-      if !profiles.empty?
-        profiles.any? do |p|
-          p['owner_id'] == owner &&
-            p['name'] == id &&
-            (ver.nil? || p['version'] == ver)
-        end
-      else
-        false
-      end
-    end
-
-    def self.upload(config, owner, profile_name, archive_path)
-      # Chef Compliance
-      if is_compliance_server?(config)
-        url = "#{config['server']}/owners/#{owner}/compliance/#{profile_name}/tar"
-      # Chef Automate pre 0.8.0
-      elsif is_automate_server_pre_080?(config)
-        url = "#{config['server']}/#{owner}"
-      # Chef Automate
-      else
-        url = "#{config['server']}/profiles/#{owner}"
-      end
-
-      headers = get_headers(config)
-      res = Compliance::HTTP.post_file(url, headers, archive_path, config['insecure'])
-      [res.is_a?(Net::HTTPSuccess), res.body]
-    end
-
-    # Use username and refresh_token to get an API access token
-    def self.get_token_via_refresh_token(url, refresh_token, insecure)
-      uri = URI.parse("#{url}/login")
-      req = Net::HTTP::Post.new(uri.path)
-      req.body = { token: refresh_token }.to_json
-      access_token = nil
-      response = Compliance::HTTP.send_request(uri, req, insecure)
-      data = response.body
-      if response.code == '200'
-        begin
-          tokendata = JSON.parse(data)
-          access_token = tokendata['access_token']
-          msg = 'Successfully fetched API access token'
-          success = true
-        rescue JSON::ParserError => e
-          success = false
-          msg = e.message
-        end
-      else
-        success = false
-        msg = "Failed to authenticate to #{url} \n\
-  Response code: #{response.code}\n  Body: #{response.body}"
-      end
-
-      [success, msg, access_token]
-    end
-
-    # Use username and password to get an API access token
-    def self.get_token_via_password(url, username, password, insecure)
-      uri = URI.parse("#{url}/login")
-      req = Net::HTTP::Post.new(uri.path)
-      req.body = { userid: username, password: password }.to_json
-      access_token = nil
-      response = Compliance::HTTP.send_request(uri, req, insecure)
-      data = response.body
-      if response.code == '200'
-        access_token = data
-        msg = 'Successfully fetched an API access token valid for 12 hours'
-        success = true
-      else
-        success = false
-        msg = "Failed to authenticate to #{url} \n\
-  Response code: #{response.code}\n  Body: #{response.body}"
-      end
-
-      [success, msg, access_token]
-    end
-
-    def self.get_headers(config)
-      token = get_token(config)
-      if is_automate_server?(config)
-        headers = { 'chef-delivery-enterprise' => config['automate']['ent'] }
-        if config['automate']['token_type'] == 'dctoken'
-          headers['x-data-collector-token'] = token
-        else
-          headers['chef-delivery-user'] = config['user']
-          headers['chef-delivery-token'] = token
-        end
-      else
-        headers = { 'Authorization' => "Bearer #{token}" }
-      end
-      headers
-    end
-
-    def self.get_token(config)
-      return config['token'] unless config['refresh_token']
-      _success, _msg, token = get_token_via_refresh_token(config['server'], config['refresh_token'], config['insecure'])
-      token
-    end
-
-    def self.target_url(config, profile)
-      owner, id, ver = profile_split(profile)
-
-      return "#{config['server']}/owners/#{owner}/compliance/#{id}/tar" unless is_automate_server?(config)
-
-      if ver.nil?
-        "#{config['server']}/profiles/#{owner}/#{id}/tar"
-      else
-        "#{config['server']}/profiles/#{owner}/#{id}/version/#{ver}/tar"
-      end
-    end
-
-    def self.profile_split(profile)
-      owner, id = profile.split('/')
-      id, version = id.split('#')
-      [owner, id, version]
-    end
-
-    # returns a parsed url for `admin/profile` or `compliance://admin/profile`
-    def self.sanitize_profile_name(profile)
-      if URI(profile).scheme == 'compliance'
-        uri = URI(profile)
-      else
-        uri = URI("compliance://#{profile}")
-      end
-      uri.to_s.sub(%r{^compliance:\/\/}, '')
-    end
-
-    def self.is_compliance_server?(config)
-      config['server_type'] == 'compliance'
-    end
-
-    def self.is_automate_server_pre_080?(config)
-      # Automate versions before 0.8.x do not have a valid version in the config
-      return false unless config['server_type'] == 'automate'
-      server_version_from_config(config).nil?
-    end
-
-    def self.is_automate_server_080_and_later?(config)
-      # Automate versions 0.8.x and later will have a "version" key in the config
-      # that is properly parsed out via server_version_from_config below
-      return false unless config['server_type'] == 'automate'
-      !server_version_from_config(config).nil?
-    end
-
-    def self.is_automate_server?(config)
-      config['server_type'] == 'automate'
-    end
-
-    def self.server_version_from_config(config)
-      # Automate versions 0.8.x and later will have a "version" key in the config
-      # that looks like: "version":{"api":"compliance","version":"0.8.24"}
-      return nil unless config.key?('version')
-      return nil unless config['version'].is_a?(Hash)
-      config['version']['version']
-    end
-
-    def self.determine_server_type(url, insecure)
-      if target_is_automate_server?(url, insecure)
-        :automate
-      elsif target_is_compliance_server?(url, insecure)
-        :compliance
-      else
-        Inspec::Log.debug('Could not determine server type using known endpoints')
-        nil
-      end
-    end
-
-    def self.target_is_automate_server?(url, insecure)
-      automate_endpoint = '/compliance/version'
-      response = Compliance::HTTP.get(url + automate_endpoint, nil, insecure)
-      case response.code
-      when '401'
-        Inspec::Log.debug(
-          "Received 401 from #{url}#{automate_endpoint} - " \
-          'assuming target is a Chef Automate instance',
-        )
-        true
-      when '200'
-        # Chef Automate currently returns 401 for `/compliance/version` but some
-        # versions of OpsWorks Chef Automate return 200 and a Chef Manage page
-        # when unauthenticated requests are received.
-        if response.body.include?('Are You Looking For the Chef Server?')
-          Inspec::Log.debug(
-            "Received 200 from #{url}#{automate_endpoint} - " \
-            'assuming target is an OpsWorks Chef Automate instance',
-          )
-          true
-        else
-          Inspec::Log.debug(
-            "Received 200 from #{url}#{automate_endpoint} " \
-            'but did not receive the Chef Manage page - ' \
-            'assuming target is not a Chef Automate instance',
-          )
-          false
-        end
-      else
-        Inspec::Log.debug(
-          "Received unexpected status code #{response.code} " \
-          "from #{url}#{automate_endpoint} - " \
-          'assuming target is not a Chef Automate instance',
-        )
-        false
-      end
-    end
-
-    def self.target_is_compliance_server?(url, insecure)
-      # All versions of Chef Compliance return 200 for `/api/version`
-      compliance_endpoint = '/api/version'
-
-      response = Compliance::HTTP.get(url + compliance_endpoint, nil, insecure)
-      return false unless response.code == '200'
-
-      Inspec::Log.debug(
-        "Received 200 from #{url}#{compliance_endpoint} - " \
-        'assuming target is a Compliance server',
-      )
-      true
-    end
-  end
-end
+# encoding: utf-8
+# author: Christoph Hartmann
+# author: Dominik Richter
+
+require 'net/http'
+require 'uri'
+
+require_relative 'api/login'
+
+module Compliance
+  class ServerConfigurationMissing < StandardError; end
+
+  # API Implementation does not hold any state by itself,
+  # everything will be stored in local Configuration store
+  class API
+    extend Compliance::API::Login
+
+    # return all compliance profiles available for the user
+    # the user is either specified in the options hash or by default
+    # the username of the account is used that is logged in
+    def self.profiles(config)
+      owner = config['owner'] || config['user']
+
+      # Chef Compliance
+      if is_compliance_server?(config)
+        url = "#{config['server']}/user/compliance"
+      # Chef Automate
+      elsif is_automate_server?(config)
+        url = "#{config['server']}/profiles/#{owner}"
+      else
+        raise ServerConfigurationMissing
+      end
+
+      headers = get_headers(config)
+      response = Compliance::HTTP.get(url, headers, config['insecure'])
+      data = response.body
+      response_code = response.code
+      case response_code
+      when '200'
+        msg = 'success'
+        profiles = JSON.parse(data)
+        # iterate over profiles
+        if is_compliance_server?(config)
+          mapped_profiles = []
+          profiles.values.each { |org|
+            mapped_profiles += org.values
+          }
+        # Chef Automate pre 0.8.0
+        elsif is_automate_server_pre_080?(config)
+          mapped_profiles = profiles.values.flatten
+        else
+          mapped_profiles = profiles.map { |e|
+            e['owner_id'] = owner
+            e
+          }
+        end
+        return msg, mapped_profiles
+      when '401'
+        msg = '401 Unauthorized. Please check your token.'
+        return msg, []
+      else
+        msg = "An unexpected error occurred (HTTP #{response_code}): #{response.message}"
+        return msg, []
+      end
+    end
+
+    # return the server api version
+    # NB this method does not use Compliance::Configuration to allow for using
+    # it before we know the version (e.g. oidc or not)
+    def self.version(config)
+      url = config['server']
+      insecure = config['insecure']
+
+      raise ServerConfigurationMissing if url.nil?
+
+      headers = get_headers(config)
+      response = Compliance::HTTP.get(url+'/version', headers, insecure)
+      return {} if response.code == '404'
+
+      data = response.body
+      return {} if data.nil? || data.empty?
+
+      parsed = JSON.parse(data)
+      return {} unless parsed.key?('version') && !parsed['version'].empty?
+
+      parsed
+    end
+
+    # verifies that a profile
+    def self.exist?(config, profile)
+      owner, id, ver = profile_split(profile)
+
+      # ensure that we do not manipulate the configuration object
+      user_config = config.dup
+      user_config['owner'] = owner
+      _msg, profiles = Compliance::API.profiles(user_config)
+
+      if !profiles.empty?
+        profiles.any? do |p|
+          p['owner_id'] == owner &&
+            p['name'] == id &&
+            (ver.nil? || p['version'] == ver)
+        end
+      else
+        false
+      end
+    end
+
+    def self.upload(config, owner, profile_name, archive_path)
+      # Chef Compliance
+      if is_compliance_server?(config)
+        url = "#{config['server']}/owners/#{owner}/compliance/#{profile_name}/tar"
+      # Chef Automate pre 0.8.0
+      elsif is_automate_server_pre_080?(config)
+        url = "#{config['server']}/#{owner}"
+      # Chef Automate
+      else
+        url = "#{config['server']}/profiles/#{owner}"
+      end
+
+      headers = get_headers(config)
+      res = Compliance::HTTP.post_file(url, headers, archive_path, config['insecure'])
+      [res.is_a?(Net::HTTPSuccess), res.body]
+    end
+
+    # Use username and refresh_token to get an API access token
+    def self.get_token_via_refresh_token(url, refresh_token, insecure)
+      uri = URI.parse("#{url}/login")
+      req = Net::HTTP::Post.new(uri.path)
+      req.body = { token: refresh_token }.to_json
+      access_token = nil
+      response = Compliance::HTTP.send_request(uri, req, insecure)
+      data = response.body
+      if response.code == '200'
+        begin
+          tokendata = JSON.parse(data)
+          access_token = tokendata['access_token']
+          msg = 'Successfully fetched API access token'
+          success = true
+        rescue JSON::ParserError => e
+          success = false
+          msg = e.message
+        end
+      else
+        success = false
+        msg = "Failed to authenticate to #{url} \n\
+  Response code: #{response.code}\n  Body: #{response.body}"
+      end
+
+      [success, msg, access_token]
+    end
+
+    # Use username and password to get an API access token
+    def self.get_token_via_password(url, username, password, insecure)
+      uri = URI.parse("#{url}/login")
+      req = Net::HTTP::Post.new(uri.path)
+      req.body = { userid: username, password: password }.to_json
+      access_token = nil
+      response = Compliance::HTTP.send_request(uri, req, insecure)
+      data = response.body
+      if response.code == '200'
+        access_token = data
+        msg = 'Successfully fetched an API access token valid for 12 hours'
+        success = true
+      else
+        success = false
+        msg = "Failed to authenticate to #{url} \n\
+  Response code: #{response.code}\n  Body: #{response.body}"
+      end
+
+      [success, msg, access_token]
+    end
+
+    def self.get_headers(config)
+      token = get_token(config)
+      if is_automate_server?(config)
+        headers = { 'chef-delivery-enterprise' => config['automate']['ent'] }
+        if config['automate']['token_type'] == 'dctoken'
+          headers['x-data-collector-token'] = token
+        else
+          headers['chef-delivery-user'] = config['user']
+          headers['chef-delivery-token'] = token
+        end
+      else
+        headers = { 'Authorization' => "Bearer #{token}" }
+      end
+      headers
+    end
+
+    def self.get_token(config)
+      return config['token'] unless config['refresh_token']
+      _success, _msg, token = get_token_via_refresh_token(config['server'], config['refresh_token'], config['insecure'])
+      token
+    end
+
+    def self.target_url(config, profile)
+      owner, id, ver = profile_split(profile)
+
+      return "#{config['server']}/owners/#{owner}/compliance/#{id}/tar" unless is_automate_server?(config)
+
+      if ver.nil?
+        "#{config['server']}/profiles/#{owner}/#{id}/tar"
+      else
+        "#{config['server']}/profiles/#{owner}/#{id}/version/#{ver}/tar"
+      end
+    end
+
+    def self.profile_split(profile)
+      owner, id = profile.split('/')
+      id, version = id.split('#')
+      [owner, id, version]
+    end
+
+    # returns a parsed url for `admin/profile` or `compliance://admin/profile`
+    def self.sanitize_profile_name(profile)
+      if URI(profile).scheme == 'compliance'
+        uri = URI(profile)
+      else
+        uri = URI("compliance://#{profile}")
+      end
+      uri.to_s.sub(%r{^compliance:\/\/}, '')
+    end
+
+    def self.is_compliance_server?(config)
+      config['server_type'] == 'compliance'
+    end
+
+    def self.is_automate_server_pre_080?(config)
+      # Automate versions before 0.8.x do not have a valid version in the config
+      return false unless config['server_type'] == 'automate'
+      server_version_from_config(config).nil?
+    end
+
+    def self.is_automate_server_080_and_later?(config)
+      # Automate versions 0.8.x and later will have a "version" key in the config
+      # that is properly parsed out via server_version_from_config below
+      return false unless config['server_type'] == 'automate'
+      !server_version_from_config(config).nil?
+    end
+
+    def self.is_automate_server?(config)
+      config['server_type'] == 'automate'
+    end
+
+    def self.server_version_from_config(config)
+      # Automate versions 0.8.x and later will have a "version" key in the config
+      # that looks like: "version":{"api":"compliance","version":"0.8.24"}
+      return nil unless config.key?('version')
+      return nil unless config['version'].is_a?(Hash)
+      config['version']['version']
+    end
+
+    def self.determine_server_type(url, insecure)
+      if target_is_automate_server?(url, insecure)
+        :automate
+      elsif target_is_compliance_server?(url, insecure)
+        :compliance
+      else
+        Inspec::Log.debug('Could not determine server type using known endpoints')
+        nil
+      end
+    end
+
+    def self.target_is_automate_server?(url, insecure)
+      automate_endpoint = '/compliance/version'
+      response = Compliance::HTTP.get(url + automate_endpoint, nil, insecure)
+      case response.code
+      when '401'
+        Inspec::Log.debug(
+          "Received 401 from #{url}#{automate_endpoint} - " \
+          'assuming target is a Chef Automate instance',
+        )
+        true
+      when '200'
+        # Chef Automate currently returns 401 for `/compliance/version` but some
+        # versions of OpsWorks Chef Automate return 200 and a Chef Manage page
+        # when unauthenticated requests are received.
+        if response.body.include?('Are You Looking For the Chef Server?')
+          Inspec::Log.debug(
+            "Received 200 from #{url}#{automate_endpoint} - " \
+            'assuming target is an OpsWorks Chef Automate instance',
+          )
+          true
+        else
+          Inspec::Log.debug(
+            "Received 200 from #{url}#{automate_endpoint} " \
+            'but did not receive the Chef Manage page - ' \
+            'assuming target is not a Chef Automate instance',
+          )
+          false
+        end
+      else
+        Inspec::Log.debug(
+          "Received unexpected status code #{response.code} " \
+          "from #{url}#{automate_endpoint} - " \
+          'assuming target is not a Chef Automate instance',
+        )
+        false
+      end
+    end
+
+    def self.target_is_compliance_server?(url, insecure)
+      # All versions of Chef Compliance return 200 for `/api/version`
+      compliance_endpoint = '/api/version'
+
+      response = Compliance::HTTP.get(url + compliance_endpoint, nil, insecure)
+      return false unless response.code == '200'
+
+      Inspec::Log.debug(
+        "Received 200 from #{url}#{compliance_endpoint} - " \
+        'assuming target is a Compliance server',
+      )
+      true
+    end
+  end
+end