inspec 2.2.102 → 2.2.112

data/lib/plugins/inspec-artifact/lib/inspec-artifact/cli.rb

@@ -0,0 +1,114 @@
+# encoding: utf-8
+require_relative 'base'
+
+#
+# Notes:
+#
+# Generate keys
+#   The initial implementation uses 2048 bit RSA key pairs (public + private).
+#   Public keys must be available for a customer to install and verify an artifact.
+#   Private keys should be stored in a secure location and NOT be distributed.
+#     (They're only for creating artifacts).
+#
+#
+# .IAF file format
+#   .iaf = "Inspec Artifact File", easy to rename if you'd like something more appropriate.
+#   The iaf file wraps a binary artifact with some metadata. The first implementation
+#   looks like this:
+#
+# INSPEC-PROFILE-1
+# name_of_signing_key
+# algorithm
+# signature
+# <empty line>
+# binary-blob
+# <eof>
+#
+# Let's look at each line:
+# INSPEC-PROFILE-1:
+#   This is the artifact version descriptor. It should't change unless the
+#   format of the archive changes.
+#
+# name_of_signing_key
+#   The name of the public key that can be used to verify an artifact
+#
+# algorithm
+#   The digest used to sign, I picked SHA512 to start with.
+#   If we support multiple digests, we'll need to have the verify() method
+#   support each digest.
+#
+# signature
+#   The result of passing the binary artifact through the digest algorithm above.
+#   Result is base64 encoded.
+#
+# <empty line>
+#   We use an empty line to separate artifact header from artifact body (binary blob).
+#   The artifact body can be anything you like.
+#
+# binary-blob
+#   A binary blob, most likely a .tar.gz or tar.xz file. We'll need to pick one and
+#   stick with it as part of the "INSPEC-PROFILE-1" artifact version. If we change block
+#   format, the artifact version descriptor must be incremented, and the sign()
+#   and verify() methods must be updated to support a newer version.
+#
+#
+# Key revocation
+#   This implementation doesn't support key revocation. However, a customer
+#   can remove the public cert file before installation, and artifacts will then
+#   fail verification.
+#
+# Key locations
+#   This implementation uses the current working directory to find public and
+#   private keys. We should establish a common key directory (similar to /hab/cache/keys
+#   or ~/.hab/cache/keys in Habitat).
+#
+# Extracting artifacts outside of Inspec
+#   As in Habitat, the artifact format for Inspec allows the use of common
+#   Unix tools to read the header and body of an artifact.
+# To extract the header from a .iaf:
+#        sed '/^$/q' foo.iaf
+# To extract the raw content from a .iaf:
+#        sed '1,/^$/d' foo.iaf
+
+module InspecPlugins
+  module Artifact
+    class CLI < Inspec.plugin(2, :cli_command)
+      subcommand_desc 'artifact SUBCOMMAND', 'Manage InSpec Artifacts'
+
+      desc 'generate', 'Generate a RSA key pair for signing and verification'
+      option :keyname, type: :string, required: true,
+        desc: 'Desriptive name of key'
+      option :keydir, type: :string, default: './',
+        desc: 'Directory to search for keys'
+      def generate_keys
+        puts 'Generating keys'
+        InspecPlugins::Artifact::Base.keygen(options)
+      end
+
+      desc 'sign-profile', 'Create a signed .iaf artifact'
+      option :profile, type: :string, required: true,
+        desc: 'Path to profile directory'
+      option :keyname, type: :string, required: true,
+        desc: 'Desriptive name of key'
+      def sign_profile
+        InspecPlugins::Artifact::Base.profile_sign(options)
+      end
+
+      desc 'verify-profile', 'Verify a signed .iaf artifact'
+      option :infile, type: :string, required: true,
+          desc: '.iaf file to verify'
+      def verify_profile
+        InspecPlugins::Artifact::Base.profile_verify(options)
+      end
+
+      desc 'install-profile', 'Verify and install a signed .iaf artifact'
+      option :infile, type: :string, required: true,
+          desc: '.iaf file to install'
+      option :destdir, type: :string, required: true,
+        desc: 'Installation directory'
+      def install_profile
+        InspecPlugins::Artifact::Base.profile_install(options)
+      end
+    end
+  end
+end

data/lib/plugins/inspec-artifact/test/functional/inspec_artifact_test.rb

@@ -0,0 +1,46 @@
+# encoding: utf-8
+
+require_relative '../../../shared/core_plugin_test_helper.rb'
+require 'fileutils'
+require 'securerandom'
+
+class ArtifactCli < MiniTest::Test
+  include CorePluginFunctionalHelper
+
+  def test_generating_archive_keys
+    Dir.mktmpdir do |dir|
+      unique_key_name = SecureRandom.uuid()
+      out = run_inspec_process("artifact generate --keyname #{unique_key_name}", prefix: "cd #{dir} &&")
+      assert_equal 0, out.exit_status
+
+      stdout = out.stdout.force_encoding(Encoding::UTF_8)
+      assert_includes stdout, 'Generating private key'
+      assert_includes stdout, 'Generating public key'
+    end
+  end
+
+  def test_verify_and_install_signed_profile
+    Dir.mktmpdir do |dir|
+      unique_key_name = SecureRandom.uuid()
+      install_dir = File.join(dir, SecureRandom.uuid())
+      profile = File.join(dir, 'profile')
+      FileUtils.mkdir(install_dir)
+
+      # create profile
+      profile = File.join(dir, 'artifact-profile')
+      run_inspec_process("init profile artifact-profile", prefix: "cd #{dir} &&")
+
+      out = run_inspec_process("artifact generate --keyname #{unique_key_name}", prefix: "cd #{dir} &&")
+      assert_equal 0, out.exit_status
+
+      out = run_inspec_process("artifact sign-profile --profile #{profile} --keyname #{unique_key_name}", prefix: "cd #{dir} &&")
+      assert_equal 0, out.exit_status
+
+      out = run_inspec_process("artifact install-profile --infile artifact-profile-0.1.0.iaf --destdir #{install_dir}", prefix: "cd #{dir} &&")
+      assert_equal 0, out.exit_status
+
+      assert_includes out.stdout.force_encoding(Encoding::UTF_8), "Installing to #{install_dir}"
+      assert_includes Dir.entries(install_dir).join, 'inspec.yml'
+    end
+  end
+end

data/lib/plugins/inspec-habitat/lib/inspec-habitat.rb

@@ -0,0 +1,11 @@
+module InspecPlugins
+  module Habitat
+    class Plugin < Inspec.plugin(2)
+      plugin_name :'inspec-habitat'
+      cli_command :habitat do
+        require_relative 'inspec-habitat/cli'
+        InspecPlugins::Habitat::CLI
+      end
+    end
+  end
+end

data/lib/plugins/inspec-habitat/lib/inspec-habitat/cli.rb

@@ -0,0 +1,39 @@
+# encoding: utf-8
+require_relative 'profile'
+
+module InspecPlugins
+  module Habitat
+    class ProfileCLI < Inspec.plugin(2, :cli_command)
+      # Override banner method to correct missing subcommand.
+      # @see https://github.com/erikhuda/thor/issues/261
+      def self.banner(command, _namespace = nil, _subcommand = false)
+        "#{basename} habitat profile #{command.usage}"
+      end
+
+      desc 'create PATH', 'Create a one-time Habitat artifact for the profile found at PATH'
+      option :output_dir, type: :string, required: false,
+        desc: 'Directory in which to save the generated Habitat artifact. Default: current directory'
+      def create(path)
+        InspecPlugins::Habitat::Profile.create(path, options)
+      end
+
+      desc 'setup PATH', 'Configure the profile at PATH for Habitat, including a plan and hooks'
+      def setup(path)
+        InspecPlugins::Habitat::Profile.setup(path)
+      end
+
+      desc 'upload PATH', 'Create a one-time Habitat artifact for the profile found at PATH, and upload it to a Habitat Depot'
+      def upload(path)
+        InspecPlugins::Habitat::Profile.upload(path, options)
+      end
+    end
+
+    class CLI < Inspec.plugin(2, :cli_command)
+      subcommand_desc 'habitat SUBCOMMAND', 'Manage Habitat with InSpec'
+      namespace 'habitat'
+
+      desc 'profile', 'Manage InSpec profiles as Habitat artifacts'
+      subcommand 'profile', ProfileCLI
+    end
+  end
+end

data/lib/plugins/inspec-habitat/lib/inspec-habitat/profile.rb

@@ -0,0 +1,394 @@
+# encoding: utf-8
+# author: Adam Leff
+
+require 'inspec/profile_vendor'
+require 'mixlib/shellout'
+require 'tomlrb'
+
+module InspecPlugins
+  module Habitat
+    class Profile
+      attr_reader :options, :path, :profile
+
+      def self.create(path, options = {})
+        creator = new(path, options)
+        hart_file = creator.create
+        creator.copy(hart_file)
+      ensure
+        creator.delete_work_dir
+      end
+
+      def self.setup(path)
+        new(path).setup
+      end
+
+      def self.upload(path, options = {})
+        uploader = new(path, options)
+        uploader.upload
+      ensure
+        uploader.delete_work_dir
+      end
+
+      def initialize(path, options = {})
+        @path    = path
+        @options = options
+        @cli_config = nil
+
+        log_level = options.fetch('log_level', 'info')
+        @log = Inspec::Log
+        @log.level(log_level.to_sym)
+      end
+
+      def create
+        @log.info("Creating a Habitat artifact for profile: #{path}")
+
+        validate_habitat_installed
+        validate_habitat_origin
+        create_profile_object
+        verify_profile
+        vendor_profile_dependencies
+        copy_profile_to_work_dir
+        create_habitat_directories(work_dir)
+        create_plan(work_dir)
+        create_run_hook(work_dir)
+        create_settings_file(work_dir)
+        create_default_config(work_dir)
+
+        # returns the path to the .hart file in the work directory
+        build_hart
+      rescue => e
+        @log.debug(e.backtrace.join("\n"))
+        exit_with_error(
+          'Unable to generate Habitat artifact.',
+          "#{e.class} -- #{e.message}",
+        )
+      end
+
+      def copy(hart_file)
+        validate_output_dir
+
+        @log.info("Copying artifact to #{output_dir}...")
+        copy_hart(hart_file)
+      end
+
+      def upload
+        validate_habitat_auth_token
+        hart_file = create
+        upload_hart(hart_file)
+      rescue => e
+        @log.debug(e.backtrace.join("\n"))
+        exit_with_error(
+          'Unable to upload Habitat artifact.',
+          "#{e.class} -- #{e.message}",
+        )
+      end
+
+      def delete_work_dir
+        @log.debug("Deleting work directory #{work_dir}")
+        FileUtils.rm_rf(work_dir) if Dir.exist?(work_dir)
+      end
+
+      def setup
+        @log.info("Setting up profile at #{path} for Habitat...")
+        create_profile_object
+        verify_profile
+        vendor_profile_dependencies
+        create_habitat_directories(path)
+        create_plan(path)
+        create_run_hook(path)
+        create_settings_file(path)
+        create_default_config(path)
+      end
+
+      private
+
+      def create_profile_object
+        @profile = Inspec::Profile.for_target(
+          path,
+          backend: Inspec::Backend.create(target: 'mock://'),
+        )
+      end
+
+      def verify_profile
+        @log.info('Checking to see if the profile is valid...')
+
+        unless profile.check[:summary][:valid]
+          exit_with_error('Profile check failed. Please fix the profile before creating a Habitat artifact.')
+        end
+
+        @log.info('Profile is valid.')
+      end
+
+      def vendor_profile_dependencies
+        profile_vendor = Inspec::ProfileVendor.new(path)
+        if profile_vendor.lockfile.exist? && profile_vendor.cache_path.exist?
+          @log.info("Profile's dependencies are already vendored, skipping vendor process.")
+        else
+          @log.info("Vendoring the profile's dependencies...")
+          profile_vendor.vendor!
+
+          @log.info('Ensuring all vendored content has read permissions...')
+          profile_vendor.make_readable
+
+          # refresh the profile object since the profile now has new files
+          create_profile_object
+        end
+      end
+
+      def validate_habitat_installed
+        @log.info('Checking to see if Habitat is installed...')
+        cmd = Mixlib::ShellOut.new('hab --version')
+        cmd.run_command
+        exit_with_error('Unable to run Habitat commands.', cmd.stderr) if cmd.error?
+      end
+
+      def validate_habitat_origin
+        exit_with_error(
+          'Unable to determine Habitat origin name.',
+          'Run `hab setup` or set the HAB_ORIGIN environment variable.',
+        ) if habitat_origin.nil?
+      end
+
+      def validate_habitat_auth_token
+        exit_with_error(
+          'Unable to determine Habitat auth token for publishing.',
+          'Run `hab setup` or set the HAB_AUTH_TOKEN environment variable.',
+        ) if habitat_auth_token.nil?
+      end
+
+      def validate_output_dir
+        exit_with_error("Output directory #{output_dir} is not a directory or does not exist.") unless
+          File.directory?(output_dir)
+      end
+
+      def work_dir
+        return @work_dir if @work_dir
+
+        @work_dir ||= Dir.mktmpdir('inspec-habitat-exporter')
+        @log.debug("Generated work directory #{@work_dir}")
+
+        @work_dir
+      end
+
+      def create_habitat_directories(parent_directory)
+        [
+          File.join(parent_directory, 'habitat'),
+          File.join(parent_directory, 'habitat', 'config'),
+          File.join(parent_directory, 'habitat', 'hooks'),
+        ].each do |dir|
+          Dir.mkdir(dir) unless Dir.exist?(dir)
+        end
+      end
+
+      def copy_profile_to_work_dir
+        @log.info('Copying profile contents to the work directory...')
+        profile.files.each do |f|
+          src = File.join(profile.root_path, f)
+          dst = File.join(work_dir, f)
+          if File.directory?(f)
+            @log.debug("Creating directory #{dst}")
+            FileUtils.mkdir_p(dst)
+          else
+            @log.debug("Copying file #{src} to #{dst}")
+            FileUtils.cp_r(src, dst)
+          end
+        end
+      end
+
+      def create_plan(directory)
+        plan_file = File.join(directory, 'habitat', 'plan.sh')
+        @log.info("Generating Habitat plan at #{plan_file}...")
+        File.write(plan_file, plan_contents)
+      end
+
+      def create_run_hook(directory)
+        run_hook_file = File.join(directory, 'habitat', 'hooks', 'run')
+        @log.info("Generating a Habitat run hook at #{run_hook_file}...")
+        File.write(run_hook_file, run_hook_contents)
+      end
+
+      def create_settings_file(directory)
+        settings_file = File.join(directory, 'habitat', 'config', 'settings.sh')
+        @log.info("Generating a settings file at #{settings_file}...")
+        File.write(settings_file, "SLEEP_TIME={{cfg.sleep_time}}\n")
+      end
+
+      def create_default_config(directory)
+        default_toml = File.join(directory, 'habitat', 'default.toml')
+        @log.info("Generating Habitat's default.toml configuration...")
+        File.write(default_toml, 'sleep_time = 300')
+      end
+
+      def build_hart
+        @log.info('Building our Habitat artifact...')
+
+        env = {
+          'TERM'               => 'vt100',
+          'HAB_ORIGIN'         => habitat_origin,
+          'HAB_NONINTERACTIVE' => 'true',
+        }
+
+        env['RUST_LOG'] = 'debug' if @log.level == :debug
+
+        # TODO: Would love to use Mixlib::ShellOut here, but it doesn't
+        # seem to preserve the STDIN tty, and docker gets angry.
+        Dir.chdir(work_dir) do
+          unless system(env, 'hab pkg build .')
+            exit_with_error('Unable to build the Habitat artifact.')
+          end
+        end
+
+        hart_files = Dir.glob(File.join(work_dir, 'results', '*.hart'))
+
+        if hart_files.length > 1
+          exit_with_error('More than one Habitat artifact was created which was not expected.')
+        elsif hart_files.empty?
+          exit_with_error('No Habitat artifact was created.')
+        end
+
+        hart_files.first
+      end
+
+      def copy_hart(working_dir_hart)
+        hart_basename = File.basename(working_dir_hart)
+        dst = File.join(output_dir, hart_basename)
+        FileUtils.cp(working_dir_hart, dst)
+
+        dst
+      end
+
+      def upload_hart(hart_file)
+        @log.info('Uploading the Habitat artifact to our Depot...')
+
+        env = {
+          'TERM'               => 'vt100',
+          'HAB_AUTH_TOKEN'     => habitat_auth_token,
+          'HAB_NONINTERACTIVE' => 'true',
+        }
+
+        env['HAB_DEPOT_URL'] = ENV['HAB_DEPOT_URL'] if ENV['HAB_DEPOT_URL']
+
+        cmd = Mixlib::ShellOut.new("hab pkg upload #{hart_file}", env: env)
+        cmd.run_command
+        if cmd.error?
+          exit_with_error(
+            'Unable to upload Habitat artifact to the Depot.',
+            cmd.stdout,
+            cmd.stderr,
+          )
+        end
+
+        @log.info('Upload complete!')
+      end
+
+      def habitat_origin
+        ENV['HAB_ORIGIN'] || habitat_cli_config['origin']
+      end
+
+      def habitat_auth_token
+        ENV['HAB_AUTH_TOKEN'] || habitat_cli_config['auth_token']
+      end
+
+      def habitat_cli_config
+        return @cli_config if @cli_config
+
+        config_file = File.join(ENV['HOME'], '.hab', 'etc', 'cli.toml')
+        return {} unless File.exist?(config_file)
+
+        @cli_config = Tomlrb.load_file(config_file)
+      end
+
+      def output_dir
+        options[:output_dir] || Dir.pwd
+      end
+
+      def exit_with_error(*errors)
+        errors.each do |error_msg|
+          @log.error(error_msg)
+        end
+
+        exit 1
+      end
+
+      def package_name
+        "inspec-profile-#{profile.name}"
+      end
+
+      def plan_contents
+        plan = <<~EOL
+          pkg_name=#{package_name}
+          pkg_version=#{profile.version}
+          pkg_origin=#{habitat_origin}
+          pkg_deps=(chef/inspec core/ruby core/hab)
+          pkg_svc_user=root
+        EOL
+
+        plan += "pkg_license='#{profile.metadata.params[:license]}'\n\n" if profile.metadata.params[:license]
+
+        plan += <<~EOL
+
+          do_build() {
+            cp -vr $PLAN_CONTEXT/../* $HAB_CACHE_SRC_PATH/$pkg_dirname
+          }
+
+          do_install() {
+            local profile_contents
+            local excludes
+            profile_contents=($(ls))
+            excludes=(habitat results *.hart)
+
+            for item in ${excludes[@]}; do
+              profile_contents=(${profile_contents[@]/$item/})
+            done
+
+            mkdir ${pkg_prefix}/dist
+            cp -r ${profile_contents[@]} ${pkg_prefix}/dist/
+          }
+        EOL
+
+        plan
+      end
+
+      def run_hook_contents
+        <<~EOL
+          #!/bin/sh
+
+          # redirect stderr to stdout
+          # ultimately, we'd like to log this somewhere useful, but due to
+          # https://github.com/habitat-sh/habitat/issues/2395, we need to
+          # avoid doing that for now.
+          exec 2>&1
+
+          # InSpec will try to create a .cache directory in the user's home directory
+          # so this needs to be someplace writeable by the hab user
+          export HOME={{pkg.svc_var_path}}
+
+          PROFILE_IDENT="{{pkg.origin}}/{{pkg.name}}"
+          RESULTS_DIR="{{pkg.svc_var_path}}/inspec_results"
+          RESULTS_FILE="${RESULTS_DIR}/{{pkg.name}}.json"
+
+          # Create a directory for inspec formatter output
+          mkdir -p {{pkg.svc_var_path}}/inspec_results
+
+          while true; do
+            echo "Executing InSpec for ${PROFILE_IDENT}"
+            inspec exec {{pkg.path}}/dist --format=json > ${RESULTS_FILE}
+
+            if [ $? -eq 0 ]; then
+              echo "InSpec run completed successfully."
+            else
+              echo "InSpec run did not complete successfully. If you do not see any errors above,"
+              echo "control failures were detected. Check the InSpec results here for details:"
+              echo ${RESULTS_FILE}
+              echo "Otherwise, troubleshoot any errors shown above."
+            fi
+
+            source {{pkg.svc_config_path}}/settings.sh
+            echo "sleeping for ${SLEEP_TIME} seconds"
+            sleep ${SLEEP_TIME}
+          done
+        EOL
+      end
+    end
+  end
+end