inspec 2.1.0 → 2.1.10

data/lib/bundles/inspec-compliance/api/login.rb

@@ -1,152 +1,152 @@
-# encoding: utf-8
-# author: Christoph Hartmann
-# author: Dominik Ricter
-# author: Jerry Aldrich
-
-module Compliance
-  class API
-    module Login
-      class CannotDetermineServerType < StandardError; end
-
-      def login(options)
-        raise ArgumentError, 'Please specify a server using `inspec compliance login https://SERVER`' unless options['server']
-
-        options['server'] = URI("https://#{options['server']}").to_s if URI(options['server']).scheme.nil?
-
-        options['server_type'] = Compliance::API.determine_server_type(options['server'], options['insecure'])
-
-        case options['server_type']
-        when :automate
-          config = Login::AutomateServer.login(options)
-        when :compliance
-          config = Login::ComplianceServer.login(options)
-        else
-          raise CannotDetermineServerType, "Unable to determine if #{options['server']} is a Chef Automate or Chef Compliance server"
-        end
-
-        puts "Stored configuration for Chef #{config['server_type'].capitalize}: #{config['server']}' with user: '#{config['user']}'"
-      end
-
-      module AutomateServer
-        def self.login(options)
-          verify_thor_options(options)
-
-          options['url'] = options['server'] + '/compliance'
-          token = options['dctoken'] || options['token']
-          store_access_token(options, token)
-        end
-
-        def self.store_access_token(options, token)
-          token_type = if options['token']
-                         'usertoken'
-                       else
-                         'dctoken'
-                       end
-
-          config = Compliance::Configuration.new
-
-          config.clean
-
-          config['automate'] = {}
-          config['automate']['ent'] = options['ent']
-          config['automate']['token_type'] = token_type
-          config['server'] = options['url']
-          config['user'] = options['user']
-          config['insecure'] = options['insecure'] || false
-          config['server_type'] = options['server_type'].to_s
-          config['token'] = token
-          config['version'] = Compliance::API.version(config)
-
-          config.store
-          config
-        end
-
-        # Automate login requires `--ent`, `--user`, and either `--token` or `--dctoken`
-        def self.verify_thor_options(o)
-          error_msg = []
-
-          error_msg.push('Please specify a user using `--user=\'USER\'`') if o['user'].nil?
-          error_msg.push('Please specify an enterprise using `--ent=\'automate\'`') if o['ent'].nil?
-
-          if o['token'].nil? && o['dctoken'].nil?
-            error_msg.push('Please specify a token using `--token=\'AUTOMATE_TOKEN\'` or `--dctoken=\'DATA_COLLECTOR_TOKEN\'`')
-          end
-
-          raise ArgumentError, error_msg.join("\n") unless error_msg.empty?
-        end
-      end
-
-      module ComplianceServer
-        def self.login(options)
-          compliance_verify_thor_options(options)
-
-          options['url'] = options['server'] + '/api'
-
-          if options['user'] && options['token']
-            compliance_store_access_token(options, options['token'])
-          elsif options['user'] && options['password']
-            compliance_login_user_pass(options)
-          elsif options['refresh_token']
-            compliance_login_refresh_token(options)
-          end
-        end
-
-        def self.compliance_login_user_pass(options)
-          success, msg, token = Compliance::API.get_token_via_password(
-            options['url'],
-            options['user'],
-            options['password'],
-            options['insecure'],
-          )
-
-          raise msg unless success
-          compliance_store_access_token(options, token)
-        end
-
-        def self.compliance_login_refresh_token(options)
-          success, msg, token = Compliance::API.get_token_via_refresh_token(
-            options['url'],
-            options['refresh_token'],
-            options['insecure'],
-          )
-
-          raise msg unless success
-          compliance_store_access_token(options, token)
-        end
-
-        def self.compliance_store_access_token(options, token)
-          config = Compliance::Configuration.new
-          config.clean
-
-          config['user'] = options['user'] if options['user']
-          config['server'] = options['url']
-          config['insecure'] = options['insecure'] || false
-          config['server_type'] = options['server_type'].to_s
-          config['token'] = token
-          config['version'] = Compliance::API.version(config)
-
-          config.store
-          config
-        end
-
-        # Compliance login requires `--user` or `--refresh_token`
-        # If `--user` then either `--password`, `--token`, or `--refresh-token`, is required
-        def self.compliance_verify_thor_options(o)
-          error_msg = []
-
-          error_msg.push('Please specify a server using `inspec compliance login https://SERVER`') if o['server'].nil?
-
-          if o['user'].nil? && o['refresh_token'].nil?
-            error_msg.push('Please specify a `--user=\'USER\'` or a `--refresh-token=\'TOKEN\'`')
-          end
-
-          if o['user'] && o['password'].nil? && o['token'].nil? && o['refresh_token'].nil?
-            error_msg.push('Please specify either a `--password`, `--token`, or `--refresh-token`')
-          end
-
-          raise ArgumentError, error_msg.join("\n") unless error_msg.empty?
-        end
-      end
-    end
-  end
-end
+# encoding: utf-8
+# author: Christoph Hartmann
+# author: Dominik Ricter
+# author: Jerry Aldrich
+
+module Compliance
+  class API
+    module Login
+      class CannotDetermineServerType < StandardError; end
+
+      def login(options)
+        raise ArgumentError, 'Please specify a server using `inspec compliance login https://SERVER`' unless options['server']
+
+        options['server'] = URI("https://#{options['server']}").to_s if URI(options['server']).scheme.nil?
+
+        options['server_type'] = Compliance::API.determine_server_type(options['server'], options['insecure'])
+
+        case options['server_type']
+        when :automate
+          config = Login::AutomateServer.login(options)
+        when :compliance
+          config = Login::ComplianceServer.login(options)
+        else
+          raise CannotDetermineServerType, "Unable to determine if #{options['server']} is a Chef Automate or Chef Compliance server"
+        end
+
+        puts "Stored configuration for Chef #{config['server_type'].capitalize}: #{config['server']}' with user: '#{config['user']}'"
+      end
+
+      module AutomateServer
+        def self.login(options)
+          verify_thor_options(options)
+
+          options['url'] = options['server'] + '/compliance'
+          token = options['dctoken'] || options['token']
+          store_access_token(options, token)
+        end
+
+        def self.store_access_token(options, token)
+          token_type = if options['token']
+                         'usertoken'
+                       else
+                         'dctoken'
+                       end
+
+          config = Compliance::Configuration.new
+
+          config.clean
+
+          config['automate'] = {}
+          config['automate']['ent'] = options['ent']
+          config['automate']['token_type'] = token_type
+          config['server'] = options['url']
+          config['user'] = options['user']
+          config['insecure'] = options['insecure'] || false
+          config['server_type'] = options['server_type'].to_s
+          config['token'] = token
+          config['version'] = Compliance::API.version(config)
+
+          config.store
+          config
+        end
+
+        # Automate login requires `--ent`, `--user`, and either `--token` or `--dctoken`
+        def self.verify_thor_options(o)
+          error_msg = []
+
+          error_msg.push('Please specify a user using `--user=\'USER\'`') if o['user'].nil?
+          error_msg.push('Please specify an enterprise using `--ent=\'automate\'`') if o['ent'].nil?
+
+          if o['token'].nil? && o['dctoken'].nil?
+            error_msg.push('Please specify a token using `--token=\'AUTOMATE_TOKEN\'` or `--dctoken=\'DATA_COLLECTOR_TOKEN\'`')
+          end
+
+          raise ArgumentError, error_msg.join("\n") unless error_msg.empty?
+        end
+      end
+
+      module ComplianceServer
+        def self.login(options)
+          compliance_verify_thor_options(options)
+
+          options['url'] = options['server'] + '/api'
+
+          if options['user'] && options['token']
+            compliance_store_access_token(options, options['token'])
+          elsif options['user'] && options['password']
+            compliance_login_user_pass(options)
+          elsif options['refresh_token']
+            compliance_login_refresh_token(options)
+          end
+        end
+
+        def self.compliance_login_user_pass(options)
+          success, msg, token = Compliance::API.get_token_via_password(
+            options['url'],
+            options['user'],
+            options['password'],
+            options['insecure'],
+          )
+
+          raise msg unless success
+          compliance_store_access_token(options, token)
+        end
+
+        def self.compliance_login_refresh_token(options)
+          success, msg, token = Compliance::API.get_token_via_refresh_token(
+            options['url'],
+            options['refresh_token'],
+            options['insecure'],
+          )
+
+          raise msg unless success
+          compliance_store_access_token(options, token)
+        end
+
+        def self.compliance_store_access_token(options, token)
+          config = Compliance::Configuration.new
+          config.clean
+
+          config['user'] = options['user'] if options['user']
+          config['server'] = options['url']
+          config['insecure'] = options['insecure'] || false
+          config['server_type'] = options['server_type'].to_s
+          config['token'] = token
+          config['version'] = Compliance::API.version(config)
+
+          config.store
+          config
+        end
+
+        # Compliance login requires `--user` or `--refresh_token`
+        # If `--user` then either `--password`, `--token`, or `--refresh-token`, is required
+        def self.compliance_verify_thor_options(o)
+          error_msg = []
+
+          error_msg.push('Please specify a server using `inspec compliance login https://SERVER`') if o['server'].nil?
+
+          if o['user'].nil? && o['refresh_token'].nil?
+            error_msg.push('Please specify a `--user=\'USER\'` or a `--refresh-token=\'TOKEN\'`')
+          end
+
+          if o['user'] && o['password'].nil? && o['token'].nil? && o['refresh_token'].nil?
+            error_msg.push('Please specify either a `--password`, `--token`, or `--refresh-token`')
+          end
+
+          raise ArgumentError, error_msg.join("\n") unless error_msg.empty?
+        end
+      end
+    end
+  end
+end

data/lib/bundles/inspec-compliance/bootstrap.sh

@@ -1,41 +1,41 @@
-#!/bin/bash
-
-echo "Installing Chef Compliance $deb"
-# select latest package from cache directory
-# deb=$(find /inspec/.cache -name '*.deb' | tail -1)
-# sudo dpkg -i $deb
-
-# use chef compliance package repository
-sudo apt-get install -y apt-transport-https
-sudo apt-get install wget
-wget -qO - https://downloads.chef.io/packages-chef-io-public.key | sudo apt-key add -
-CHANNEL=${CHANNEL:-stable}
-DISTRIBUTION=$(lsb_release --codename | cut -f2)
-echo "found $DISTRIBUTION"
-echo "use $CHANNEL channel"
-echo "deb https://packages.chef.io/$CHANNEL-apt $DISTRIBUTION main" > /etc/apt/sources.list.d/chef-$CHANNEL.list
-sudo apt-get update
-sudo apt-get install chef-compliance
-
-sudo chef-compliance-ctl reconfigure --accept-license
-sudo chef-compliance-ctl restart
-
-# finalize setup
-cd /
-/opt/chef-compliance/embedded/service/core/bin/core setup --endpoint "http://127.0.0.1:10500/setup" --login "admin" --password "admin" --name "John Doe" --accept-eula
-
-# wget --no-check-certificate http://127.0.0.1/api/version
-# cat version
-
-# install ruby 2.3
-sudo apt-get install -y software-properties-common
-sudo apt-add-repository -y ppa:brightbox/ruby-ng
-sudo apt-get update
-sudo apt-get install -y ruby2.3 ruby2.3-dev
-ruby2.3 -v
-
-# prepare the usage of bundler
-sudo gem install bundler
-cd /inspec
-bundle install
-BUNDLE_GEMFILE=/inspec/Gemfile bundle exec inspec version
+#!/bin/bash
+
+echo "Installing Chef Compliance $deb"
+# select latest package from cache directory
+# deb=$(find /inspec/.cache -name '*.deb' | tail -1)
+# sudo dpkg -i $deb
+
+# use chef compliance package repository
+sudo apt-get install -y apt-transport-https
+sudo apt-get install wget
+wget -qO - https://downloads.chef.io/packages-chef-io-public.key | sudo apt-key add -
+CHANNEL=${CHANNEL:-stable}
+DISTRIBUTION=$(lsb_release --codename | cut -f2)
+echo "found $DISTRIBUTION"
+echo "use $CHANNEL channel"
+echo "deb https://packages.chef.io/$CHANNEL-apt $DISTRIBUTION main" > /etc/apt/sources.list.d/chef-$CHANNEL.list
+sudo apt-get update
+sudo apt-get install chef-compliance
+
+sudo chef-compliance-ctl reconfigure --accept-license
+sudo chef-compliance-ctl restart
+
+# finalize setup
+cd /
+/opt/chef-compliance/embedded/service/core/bin/core setup --endpoint "http://127.0.0.1:10500/setup" --login "admin" --password "admin" --name "John Doe" --accept-eula
+
+# wget --no-check-certificate http://127.0.0.1/api/version
+# cat version
+
+# install ruby 2.3
+sudo apt-get install -y software-properties-common
+sudo apt-add-repository -y ppa:brightbox/ruby-ng
+sudo apt-get update
+sudo apt-get install -y ruby2.3 ruby2.3-dev
+ruby2.3 -v
+
+# prepare the usage of bundler
+sudo gem install bundler
+cd /inspec
+bundle install
+BUNDLE_GEMFILE=/inspec/Gemfile bundle exec inspec version

data/lib/bundles/inspec-compliance/cli.rb

@@ -1,254 +1,254 @@
-# encoding: utf-8
-# author: Christoph Hartmann
-# author: Dominik Richter
-
-require 'thor'
-require 'erb'
-
-module Compliance
-  class ComplianceCLI < Inspec::BaseCLI
-    namespace 'compliance'
-
-    # TODO: find another solution, once https://github.com/erikhuda/thor/issues/261 is fixed
-    def self.banner(command, _namespace = nil, _subcommand = false)
-      "#{basename} #{subcommand_prefix} #{command.usage}"
-    end
-
-    def self.subcommand_prefix
-      namespace
-    end
-
-    desc "login https://SERVER --insecure --user='USER' --ent='ENTERPRISE' --token='TOKEN'", 'Log in to a Chef Compliance/Chef Automate SERVER'
-    long_desc <<-LONGDESC
-      `login` allows you to use InSpec with Chef Automate or a Chef Compliance Server
-
-      You need to a token for communication. More information about token retrieval
-      is available at:
-        https://docs.chef.io/api_automate.html#authentication-methods
-        https://docs.chef.io/api_compliance.html#obtaining-an-api-token
-    LONGDESC
-    option :insecure, aliases: :k, type: :boolean,
-      desc: 'Explicitly allows InSpec to perform "insecure" SSL connections and transfers'
-    option :user, type: :string, required: false,
-      desc: 'Username'
-    option :password, type: :string, required: false,
-      desc: 'Password (Chef Compliance Only)'
-    option :token, type: :string, required: false,
-      desc: 'Access token'
-    option :refresh_token, type: :string, required: false,
-      desc: 'Chef Compliance refresh token (Chef Compliance Only)'
-    option :dctoken, type: :string, required: false,
-      desc: 'Data Collector token (Chef Automate Only)'
-    option :ent, type: :string, required: false,
-      desc: 'Enterprise for Chef Automate reporting (Chef Automate Only)'
-    def login(server)
-      options['server'] = server
-      Compliance::API.login(options)
-    end
-
-    desc 'profiles', 'list all available profiles in Chef Compliance'
-    option :owner, type: :string, required: false,
-      desc: 'owner whose profiles to list'
-    def profiles
-      config = Compliance::Configuration.new
-      return if !loggedin(config)
-
-      # set owner to config
-      config['owner'] = options['owner'] || config['user']
-
-      msg, profiles = Compliance::API.profiles(config)
-      profiles.sort_by! { |hsh| hsh['title'] }
-      if !profiles.empty?
-        # iterate over profiles
-        headline('Available profiles:')
-        profiles.each { |profile|
-          li("#{profile['title']} v#{profile['version']} (#{mark_text(profile['owner_id'] + '/' + profile['name'])})")
-        }
-      else
-        puts msg, 'Could not find any profiles'
-        exit 1
-      end
-    rescue Compliance::ServerConfigurationMissing
-      STDERR.puts "\nServer configuration information is missing. Please login using `inspec compliance login`"
-      exit 1
-    end
-
-    desc 'exec PROFILE', 'executes a Chef Compliance profile'
-    exec_options
-    def exec(*tests)
-      config = Compliance::Configuration.new
-      return if !loggedin(config)
-      o = opts(:exec).dup
-      diagnose(o)
-      configure_logger(o)
-
-      # iterate over tests and add compliance scheme
-      tests = tests.map { |t| 'compliance://' + Compliance::API.sanitize_profile_name(t) }
-
-      runner = Inspec::Runner.new(o)
-      tests.each { |target| runner.add_target(target) }
-
-      exit runner.run
-    rescue ArgumentError, RuntimeError, Train::UserError => e
-      $stderr.puts e.message
-      exit 1
-    end
-
-    desc 'download PROFILE', 'downloads a profile from Chef Compliance'
-    option :name, type: :string,
-      desc: 'Name of the archive filename (file type will be added)'
-    def download(profile_name)
-      o = options.dup
-      configure_logger(o)
-
-      config = Compliance::Configuration.new
-      return if !loggedin(config)
-
-      profile_name = Compliance::API.sanitize_profile_name(profile_name)
-      if Compliance::API.exist?(config, profile_name)
-        puts "Downloading `#{profile_name}`"
-
-        fetcher = Compliance::Fetcher.resolve(
-          {
-            compliance: profile_name,
-          },
-        )
-
-        # we provide a name, the fetcher adds the extension
-        _owner, id = profile_name.split('/')
-        file_name = fetcher.fetch(o.name || id)
-        puts "Profile stored to #{file_name}"
-      else
-        puts "Profile #{profile_name} is not available in Chef Compliance."
-        exit 1
-      end
-    end
-
-    desc 'upload PATH', 'uploads a local profile to Chef Compliance'
-    option :overwrite, type: :boolean, default: false,
-      desc: 'Overwrite existing profile on Server.'
-    option :owner, type: :string, required: false,
-      desc: 'Owner that should own the profile'
-    def upload(path) # rubocop:disable Metrics/MethodLength, Metrics/AbcSize, PerceivedComplexity, Metrics/CyclomaticComplexity
-      config = Compliance::Configuration.new
-      return if !loggedin(config)
-
-      # set owner to config
-      config['owner'] = options['owner'] || config['user']
-
-      unless File.exist?(path)
-        puts "Directory #{path} does not exist."
-        exit 1
-      end
-
-      vendor_deps(path, options) if File.directory?(path)
-
-      o = options.dup
-      configure_logger(o)
-      # check the profile, we only allow to upload valid profiles
-      profile = Inspec::Profile.for_target(path, o)
-
-      # start verification process
-      error_count = 0
-      error = lambda { |msg|
-        error_count += 1
-        puts msg
-      }
-
-      result = profile.check
-      unless result[:summary][:valid]
-        error.call('Profile check failed. Please fix the profile before upload.')
-      else
-        puts('Profile is valid')
-      end
-
-      # determine user information
-      if (config['token'].nil? && config['refresh_token'].nil?) || config['user'].nil?
-        error.call('Please login via `inspec compliance login`')
-      end
-
-      # read profile name from inspec.yml
-      profile_name = profile.params[:name]
-
-      # check that the profile is not uploaded already,
-      # confirm upload to the user (overwrite with --force)
-      if Compliance::API.exist?(config, "#{config['owner']}/#{profile_name}") && !options['overwrite']
-        error.call('Profile exists on the server, use --overwrite')
-      end
-
-      # abort if we found an error
-      if error_count > 0
-        puts "Found #{error_count} error(s)"
-        exit 1
-      end
-
-      # if it is a directory, tar it to tmp directory
-      if File.directory?(path)
-        archive_path = Dir::Tmpname.create([profile_name, '.tar.gz']) {}
-        puts "Generate temporary profile archive at #{archive_path}"
-        profile.archive({ output: archive_path, ignore_errors: false, overwrite: true })
-      else
-        archive_path = path
-      end
-
-      puts "Start upload to #{config['owner']}/#{profile_name}"
-      pname = ERB::Util.url_encode(profile_name)
-
-      Compliance::API.is_automate_server?(config) ? upload_msg = 'Uploading to Chef Automate' : upload_msg = 'Uploading to Chef Compliance'
-      puts upload_msg
-      success, msg = Compliance::API.upload(config, config['owner'], pname, archive_path)
-
-      if success
-        puts 'Successfully uploaded profile'
-      else
-        puts 'Error during profile upload:'
-        puts msg
-        exit 1
-      end
-    end
-
-    desc 'version', 'displays the version of the Chef Compliance server'
-    def version
-      config = Compliance::Configuration.new
-      info = Compliance::API.version(config)
-      if !info.nil? && info['version']
-        puts "Name:    #{info['api']}"
-        puts "Version: #{info['version']}"
-      else
-        puts 'Could not determine server version.'
-        exit 1
-      end
-    rescue Compliance::ServerConfigurationMissing
-      puts "\nServer configuration information is missing. Please login using `inspec compliance login`"
-      exit 1
-    end
-
-    desc 'logout', 'user logout from Chef Compliance'
-    def logout
-      config = Compliance::Configuration.new
-      unless config.supported?(:oidc) || config['token'].nil? || config['server_type'] == 'automate'
-        config = Compliance::Configuration.new
-        url = "#{config['server']}/logout"
-        Compliance::API.post(url, config['token'], config['insecure'], !config.supported?(:oidc))
-      end
-      success = config.destroy
-
-      if success
-        puts 'Successfully logged out'
-      else
-        puts 'Could not log out'
-      end
-    end
-
-    private
-
-    def loggedin(config)
-      serverknown = !config['server'].nil?
-      puts 'You need to login first with `inspec compliance login`' if !serverknown
-      serverknown
-    end
-  end
-
-  # register the subcommand to Inspec CLI registry
-  Inspec::Plugins::CLI.add_subcommand(ComplianceCLI, 'compliance', 'compliance SUBCOMMAND ...', 'Chef Compliance commands', {})
-end
+# encoding: utf-8
+# author: Christoph Hartmann
+# author: Dominik Richter
+
+require 'thor'
+require 'erb'
+
+module Compliance
+  class ComplianceCLI < Inspec::BaseCLI
+    namespace 'compliance'
+
+    # TODO: find another solution, once https://github.com/erikhuda/thor/issues/261 is fixed
+    def self.banner(command, _namespace = nil, _subcommand = false)
+      "#{basename} #{subcommand_prefix} #{command.usage}"
+    end
+
+    def self.subcommand_prefix
+      namespace
+    end
+
+    desc "login https://SERVER --insecure --user='USER' --ent='ENTERPRISE' --token='TOKEN'", 'Log in to a Chef Compliance/Chef Automate SERVER'
+    long_desc <<-LONGDESC
+      `login` allows you to use InSpec with Chef Automate or a Chef Compliance Server
+
+      You need to a token for communication. More information about token retrieval
+      is available at:
+        https://docs.chef.io/api_automate.html#authentication-methods
+        https://docs.chef.io/api_compliance.html#obtaining-an-api-token
+    LONGDESC
+    option :insecure, aliases: :k, type: :boolean,
+      desc: 'Explicitly allows InSpec to perform "insecure" SSL connections and transfers'
+    option :user, type: :string, required: false,
+      desc: 'Username'
+    option :password, type: :string, required: false,
+      desc: 'Password (Chef Compliance Only)'
+    option :token, type: :string, required: false,
+      desc: 'Access token'
+    option :refresh_token, type: :string, required: false,
+      desc: 'Chef Compliance refresh token (Chef Compliance Only)'
+    option :dctoken, type: :string, required: false,
+      desc: 'Data Collector token (Chef Automate Only)'
+    option :ent, type: :string, required: false,
+      desc: 'Enterprise for Chef Automate reporting (Chef Automate Only)'
+    def login(server)
+      options['server'] = server
+      Compliance::API.login(options)
+    end
+
+    desc 'profiles', 'list all available profiles in Chef Compliance'
+    option :owner, type: :string, required: false,
+      desc: 'owner whose profiles to list'
+    def profiles
+      config = Compliance::Configuration.new
+      return if !loggedin(config)
+
+      # set owner to config
+      config['owner'] = options['owner'] || config['user']
+
+      msg, profiles = Compliance::API.profiles(config)
+      profiles.sort_by! { |hsh| hsh['title'] }
+      if !profiles.empty?
+        # iterate over profiles
+        headline('Available profiles:')
+        profiles.each { |profile|
+          li("#{profile['title']} v#{profile['version']} (#{mark_text(profile['owner_id'] + '/' + profile['name'])})")
+        }
+      else
+        puts msg, 'Could not find any profiles'
+        exit 1
+      end
+    rescue Compliance::ServerConfigurationMissing
+      STDERR.puts "\nServer configuration information is missing. Please login using `inspec compliance login`"
+      exit 1
+    end
+
+    desc 'exec PROFILE', 'executes a Chef Compliance profile'
+    exec_options
+    def exec(*tests)
+      config = Compliance::Configuration.new
+      return if !loggedin(config)
+      o = opts(:exec).dup
+      diagnose(o)
+      configure_logger(o)
+
+      # iterate over tests and add compliance scheme
+      tests = tests.map { |t| 'compliance://' + Compliance::API.sanitize_profile_name(t) }
+
+      runner = Inspec::Runner.new(o)
+      tests.each { |target| runner.add_target(target) }
+
+      exit runner.run
+    rescue ArgumentError, RuntimeError, Train::UserError => e
+      $stderr.puts e.message
+      exit 1
+    end
+
+    desc 'download PROFILE', 'downloads a profile from Chef Compliance'
+    option :name, type: :string,
+      desc: 'Name of the archive filename (file type will be added)'
+    def download(profile_name)
+      o = options.dup
+      configure_logger(o)
+
+      config = Compliance::Configuration.new
+      return if !loggedin(config)
+
+      profile_name = Compliance::API.sanitize_profile_name(profile_name)
+      if Compliance::API.exist?(config, profile_name)
+        puts "Downloading `#{profile_name}`"
+
+        fetcher = Compliance::Fetcher.resolve(
+          {
+            compliance: profile_name,
+          },
+        )
+
+        # we provide a name, the fetcher adds the extension
+        _owner, id = profile_name.split('/')
+        file_name = fetcher.fetch(o.name || id)
+        puts "Profile stored to #{file_name}"
+      else
+        puts "Profile #{profile_name} is not available in Chef Compliance."
+        exit 1
+      end
+    end
+
+    desc 'upload PATH', 'uploads a local profile to Chef Compliance'
+    option :overwrite, type: :boolean, default: false,
+      desc: 'Overwrite existing profile on Server.'
+    option :owner, type: :string, required: false,
+      desc: 'Owner that should own the profile'
+    def upload(path) # rubocop:disable Metrics/MethodLength, Metrics/AbcSize, PerceivedComplexity, Metrics/CyclomaticComplexity
+      config = Compliance::Configuration.new
+      return if !loggedin(config)
+
+      # set owner to config
+      config['owner'] = options['owner'] || config['user']
+
+      unless File.exist?(path)
+        puts "Directory #{path} does not exist."
+        exit 1
+      end
+
+      vendor_deps(path, options) if File.directory?(path)
+
+      o = options.dup
+      configure_logger(o)
+      # check the profile, we only allow to upload valid profiles
+      profile = Inspec::Profile.for_target(path, o)
+
+      # start verification process
+      error_count = 0
+      error = lambda { |msg|
+        error_count += 1
+        puts msg
+      }
+
+      result = profile.check
+      unless result[:summary][:valid]
+        error.call('Profile check failed. Please fix the profile before upload.')
+      else
+        puts('Profile is valid')
+      end
+
+      # determine user information
+      if (config['token'].nil? && config['refresh_token'].nil?) || config['user'].nil?
+        error.call('Please login via `inspec compliance login`')
+      end
+
+      # read profile name from inspec.yml
+      profile_name = profile.params[:name]
+
+      # check that the profile is not uploaded already,
+      # confirm upload to the user (overwrite with --force)
+      if Compliance::API.exist?(config, "#{config['owner']}/#{profile_name}") && !options['overwrite']
+        error.call('Profile exists on the server, use --overwrite')
+      end
+
+      # abort if we found an error
+      if error_count > 0
+        puts "Found #{error_count} error(s)"
+        exit 1
+      end
+
+      # if it is a directory, tar it to tmp directory
+      if File.directory?(path)
+        archive_path = Dir::Tmpname.create([profile_name, '.tar.gz']) {}
+        puts "Generate temporary profile archive at #{archive_path}"
+        profile.archive({ output: archive_path, ignore_errors: false, overwrite: true })
+      else
+        archive_path = path
+      end
+
+      puts "Start upload to #{config['owner']}/#{profile_name}"
+      pname = ERB::Util.url_encode(profile_name)
+
+      Compliance::API.is_automate_server?(config) ? upload_msg = 'Uploading to Chef Automate' : upload_msg = 'Uploading to Chef Compliance'
+      puts upload_msg
+      success, msg = Compliance::API.upload(config, config['owner'], pname, archive_path)
+
+      if success
+        puts 'Successfully uploaded profile'
+      else
+        puts 'Error during profile upload:'
+        puts msg
+        exit 1
+      end
+    end
+
+    desc 'version', 'displays the version of the Chef Compliance server'
+    def version
+      config = Compliance::Configuration.new
+      info = Compliance::API.version(config)
+      if !info.nil? && info['version']
+        puts "Name:    #{info['api']}"
+        puts "Version: #{info['version']}"
+      else
+        puts 'Could not determine server version.'
+        exit 1
+      end
+    rescue Compliance::ServerConfigurationMissing
+      puts "\nServer configuration information is missing. Please login using `inspec compliance login`"
+      exit 1
+    end
+
+    desc 'logout', 'user logout from Chef Compliance'
+    def logout
+      config = Compliance::Configuration.new
+      unless config.supported?(:oidc) || config['token'].nil? || config['server_type'] == 'automate'
+        config = Compliance::Configuration.new
+        url = "#{config['server']}/logout"
+        Compliance::API.post(url, config['token'], config['insecure'], !config.supported?(:oidc))
+      end
+      success = config.destroy
+
+      if success
+        puts 'Successfully logged out'
+      else
+        puts 'Could not log out'
+      end
+    end
+
+    private
+
+    def loggedin(config)
+      serverknown = !config['server'].nil?
+      puts 'You need to login first with `inspec compliance login`' if !serverknown
+      serverknown
+    end
+  end
+
+  # register the subcommand to Inspec CLI registry
+  Inspec::Plugins::CLI.add_subcommand(ComplianceCLI, 'compliance', 'compliance SUBCOMMAND ...', 'Chef Compliance commands', {})
+end