inspec 4.1.4.preview → 4.2.0.preview

data/lib/inspec/objects/input.rb

@@ -14,6 +14,73 @@ end
 
 module Inspec
   class Input
+    #===========================================================================#
+    #                        Class Input::Event
+    #===========================================================================#
+
+    # Information about how the input obtained its value.
+    # Each time it changes, an Input::Event is added to the #events array.
+    class Event
+      EVENT_PROPERTIES = [
+        :action,   # :create, :set, :fetch
+        :provider, # Name of the plugin
+        :priority, # Priority of this plugin for resolving conflicts.  1-100, higher numbers win.
+        :value,    # New value, if provided.
+        :file,     # File containing the input-changing action, if known
+        :line,     # Line in file containing the input-changing action, if known
+        :hit,      # if action is :fetch, true if the remote source had the input
+      ].freeze
+
+      # Value has a special handler
+      EVENT_PROPERTIES.reject { |p| p == :value }.each do |prop|
+        attr_accessor prop
+      end
+
+      attr_reader :value
+
+      def initialize(properties = {})
+        @value_has_been_set = false
+
+        properties.each do |prop_name, prop_value|
+          if EVENT_PROPERTIES.include? prop_name
+            # OK, save the property
+            send((prop_name.to_s + '=').to_sym, prop_value)
+          else
+            raise "Unrecognized property to Input::Event: #{prop_name}"
+          end
+        end
+      end
+
+      def value=(the_val)
+        # Even if set to nil or false, it has indeed been set; note that fact.
+        @value_has_been_set = true
+        @value = the_val
+      end
+
+      def value_has_been_set?
+        @value_has_been_set
+      end
+
+      def diagnostic_string
+        to_h.reject { |_, val| val.nil? }.to_a.map { |pair| "#{pair[0]}: '#{pair[1]}'" }.join(', ')
+      end
+
+      def to_h
+        EVENT_PROPERTIES.each_with_object({}) do |prop, hash|
+          hash[prop] = send(prop)
+        end
+      end
+
+      def self.probe_stack
+        frames = caller_locations(2, 40)
+        frames.reject! { |f| f.path && f.path.include?('/lib/inspec/') }
+        frames.first
+      end
+    end
+
+    #===========================================================================#
+    #                    Class NO_VALUE_SET
+    #===========================================================================#
     # This special class is used to represent the value when an input has
     # not been assigned a value. This allows a user to explicitly assign nil
     # to an input.
@@ -62,8 +129,11 @@ module Inspec
   end
 
   class Input
-    attr_accessor :name
+    #===========================================================================#
+    #                       Class Inspec::Input
+    #===========================================================================#
 
+    # Validation types for input values
     VALID_TYPES = %w{
       String
       Numeric
@@ -74,6 +144,21 @@ module Inspec
       Any
     }.freeze
 
+    # If you call `input` in a control file, the input will receive this priority.
+    # You can override that with a :priority option.
+    DEFAULT_PRIORITY_FOR_DSL_ATTRIBUTES = 20
+
+    # If you somehow manage to initialize an Input outside of the DSL,
+    # AND you don't provide an Input::Event, this is the priority you get.
+    DEFAULT_PRIORITY_FOR_UNKNOWN_CALLER = 10
+
+    # If you directly call value=, this is the priority assigned.
+    # This is the highest priority within InSpec core; though plugins
+    # are free to go higher.
+    DEFAULT_PRIORITY_FOR_VALUE_SET = 60
+
+    attr_reader :description, :events, :identifier, :name, :required, :title, :type
+
     def initialize(name, options = {})
       @name = name
       @opts = options
@@ -82,49 +167,164 @@ module Inspec
         if @opts.key?(:value)
           Inspec::Log.warn "Input #{@name} created using both :default and :value options - ignoring :default"
           @opts.delete(:default)
+        end
+      end
+
+      # Array of Input::Event objects.  These compete with one another to determine
+      # the value of the input when value() is called, as well as providing a
+      # debugging record of when and how the value changed.
+      @events = []
+      events.push make_creation_event(options)
+
+      update(options)
+    end
+
+    def set_events
+      events.select { |e| e.action == :set }
+    end
+
+    def diagnostic_string
+      "Input #{name}, with history:\n" +
+        events.map(&:diagnostic_string).map { |line| "  #{line}" }.join("\n")
+    end
+
+    #--------------------------------------------------------------------------#
+    #                           Managing Value
+    #--------------------------------------------------------------------------#
+
+    def update(options)
+      _update_set_metadata(options)
+      normalize_type_restriction!
+
+      # Values are set by passing events in; but we can also infer an event.
+      if options.key?(:value) || options.key?(:default)
+        if options.key?(:event)
+          if options.key?(:value) || options.key?(:default)
+            Inspec::Log.warn "Do not provide both an Event and a value as an option to attribute('#{name}') - using value from event"
+          end
         else
-          @opts[:value] = @opts.delete(:default)
+          self.class.infer_event(options) # Sets options[:event]
         end
       end
-      @value = @opts[:value]
-      validate_value_type(@value) if @opts.key?(:type) && @opts.key?(:value)
+      events << options[:event] if options.key? :event
+
+      enforce_type_restriction!
     end
 
-    def value=(new_value)
-      validate_value_type(new_value) if @opts.key?(:type)
-      @value = new_value
+    # We can determine a value:
+    # 1. By event.value (preferred)
+    # 2. By options[:value]
+    # 3. By options[:default] (deprecated)
+    def self.infer_event(options)
+      # Don't rely on this working; you really should be passing a proper Input::Event
+      # with the context information you have.
+      location = Input::Event.probe_stack
+      event = Input::Event.new(
+        action: :set,
+        provider: options[:provider] || :unknown,
+        priority: options[:priority] || Inspec::Input::DEFAULT_PRIORITY_FOR_UNKNOWN_CALLER,
+        file: location.path,
+        line: location.lineno,
+      )
+
+      if options.key?(:default)
+        Inspec.deprecate(:attrs_value_replaces_default, "attribute name: '#{name}'")
+        if options.key?(:value)
+          Inspec::Log.warn "Input #{@name} created using both :default and :value options - ignoring :default"
+          options.delete(:default)
+        else
+          options[:value] = options.delete(:default)
+        end
+      end
+      event.value = options[:value] if options.key?(:value)
+      options[:event] = event
     end
 
-    def value
-      if @value.nil?
-        validate_required(@value) if @opts[:required] == true
-        @value = value_or_dummy
+    private
+
+    def _update_set_metadata(options)
+      # Basic metadata
+      @title = options[:title] if options.key?(:title)
+      @description = options[:description] if options.key?(:description)
+      @required = options[:required] if options.key?(:required)
+      @identifier = options[:identifier] if options.key?(:identifier) # TODO: determine if this is ever used
+      @type = options[:type] if options.key?(:type)
+    end
+
+    def make_creation_event(options)
+      loc = options[:location] || Event.probe_stack
+      Input::Event.new(
+        action: :create,
+        provider: options[:provider],
+        file: loc.path,
+        line: loc.lineno,
+      )
+    end
+
+    # Determine the current winning value, but don't validate it
+    def current_value
+      # Examine the events to determine highest-priority value. Tie-break
+      # by using the last one set.
+      events_that_set_a_value = events.select(&:value_has_been_set?)
+      winning_priority = events_that_set_a_value.map(&:priority).max
+      winning_events = events_that_set_a_value.select { |e| e.priority == winning_priority }
+      winning_event = winning_events.last # Last for tie-break
+
+      if winning_event.nil?
+        # No value has been set - return special no value object
+        NO_VALUE_SET.new(name)
       else
-        @value
+        winning_event.value # May still be nil
       end
     end
 
-    def title
-      @opts[:title]
+    public
+
+    def value=(new_value, priority = DEFAULT_PRIORITY_FOR_VALUE_SET)
+      # Inject a new Event with the new value.
+      location = Event.probe_stack
+      events << Event.new(
+        action: :set,
+        provider: :value_setter,
+        priority: priority,
+        value: new_value,
+        file: location.path,
+        line: location.lineno,
+      )
+      enforce_type_restriction!
+
+      new_value
     end
 
-    def description
-      @opts[:description]
+    def value
+      enforce_required_validation!
+      current_value
     end
 
-    def ruby_var_identifier
-      @opts[:identifier] || 'attr_' + @name.downcase.strip.gsub(/\s+/, '-').gsub(/[^\w-]/, '')
+    def has_value?
+      !current_value.is_a? NO_VALUE_SET
     end
 
+    #--------------------------------------------------------------------------#
+    #                               Marshalling
+    #--------------------------------------------------------------------------#
+
     def to_hash
-      {
-        name: @name,
-        options: @opts,
-      }
+      as_hash = { name: name, options: {} }
+      [:description, :title, :identifier, :type, :required, :value].each do |field|
+        val = send(field)
+        next if val.nil?
+        as_hash[:options][field] = val
+      end
+      as_hash
+    end
+
+    def ruby_var_identifier
+      identifier || 'attr_' + name.downcase.strip.gsub(/\s+/, '-').gsub(/[^\w-]/, '')
     end
 
     def to_ruby
-      res = ["#{ruby_var_identifier} = attribute('#{@name}',{"]
+      res = ["#{ruby_var_identifier} = attribute('#{name}',{"]
       res.push "  title: '#{title}'," unless title.to_s.empty?
       res.push "  value: #{value.inspect}," unless value.to_s.empty?
       # to_ruby may generate code that is to be used by older versions of inspec.
@@ -136,37 +336,78 @@ module Inspec
       res.join("\n")
     end
 
+    #--------------------------------------------------------------------------#
+    #                           Value Type Coercion
+    #--------------------------------------------------------------------------#
+
     def to_s
-      "Input #{@name} with #{@value}"
+      "Input #{name} with #{current_value}"
     end
 
+    #--------------------------------------------------------------------------#
+    #                               Validation
+    #--------------------------------------------------------------------------#
+
     private
 
-    def validate_required(value)
+    def enforce_required_validation!
+      return unless required
       # skip if we are not doing an exec call (archive/vendor/check)
       return unless Inspec::BaseCLI.inspec_cli_command == :exec
 
-      # value will be set already if a secrets file was passed in
-      if (!@opts.key?(:default) && value.nil?) || (@opts[:default].nil? && value.nil?)
+      proposed_value = current_value
+      if proposed_value.nil? || proposed_value.is_a?(NO_VALUE_SET)
         error = Inspec::Input::RequiredError.new
-        error.input_name = @name
+        error.input_name = name
         raise error, "Input '#{error.input_name}' is required and does not have a value."
       end
     end
 
-    def validate_type(type)
-      type = type.capitalize
+    def enforce_type_restriction! # rubocop:disable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
+      return unless type
+      return unless has_value?
+
+      type_req = type
+      return if type_req == 'Any'
+
+      proposed_value = current_value
+
+      invalid_type = false
+      if type_req == 'Regexp'
+        invalid_type = true if !valid_regexp?(proposed_value)
+      elsif type_req == 'Numeric'
+        invalid_type = true if !valid_numeric?(proposed_value)
+      elsif type_req == 'Boolean'
+        invalid_type = true if ![true, false].include?(proposed_value)
+      elsif proposed_value.is_a?(Module.const_get(type_req)) == false
+        # TODO: why is this case here?
+        invalid_type = true
+      end
+
+      if invalid_type == true
+        error = Inspec::Input::ValidationError.new
+        error.input_name = @name
+        error.input_value = proposed_value
+        error.input_type = type_req
+        raise error, "Input '#{error.input_name}' with value '#{error.input_value}' does not validate to type '#{error.input_type}'."
+      end
+    end
+
+    def normalize_type_restriction!
+      return unless type
+
+      type_req = type.capitalize
       abbreviations = {
         'Num' => 'Numeric',
         'Regex' => 'Regexp',
       }
-      type = abbreviations[type] if abbreviations.key?(type)
-      if !VALID_TYPES.include?(type)
+      type_req = abbreviations[type_req] if abbreviations.key?(type_req)
+      if !VALID_TYPES.include?(type_req)
         error = Inspec::Input::TypeError.new
-        error.input_type = type
+        error.input_type = type_req
         raise error, "Type '#{error.input_type}' is not a valid input type."
       end
-      type
+      @type = type_req
     end
 
     def valid_numeric?(value)
@@ -177,41 +418,11 @@ module Inspec
     end
 
     def valid_regexp?(value)
-      # check for invalid regex syntex
+      # check for invalid regex syntax
       Regexp.new(value)
       true
     rescue
       false
     end
-
-    # rubocop:disable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
-    def validate_value_type(value)
-      type = validate_type(@opts[:type])
-      return if type == 'Any'
-
-      invalid_type = false
-      if type == 'Regexp'
-        invalid_type = true if !value.is_a?(String) || !valid_regexp?(value)
-      elsif type == 'Numeric'
-        invalid_type = true if !valid_numeric?(value)
-      elsif type == 'Boolean'
-        invalid_type = true if ![true, false].include?(value)
-      elsif value.is_a?(Module.const_get(type)) == false
-        invalid_type = true
-      end
-
-      if invalid_type == true
-        error = Inspec::Input::ValidationError.new
-        error.input_name = @name
-        error.input_value = value
-        error.input_type = type
-        raise error, "Input '#{error.input_name}' with value '#{error.input_value}' does not validate to type '#{error.input_type}'."
-      end
-    end
-    # rubocop:enable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
-
-    def value_or_dummy
-      @opts.key?(:value) ? @opts[:value] : Inspec::Input::NO_VALUE_SET.new(@name)
-    end
   end
 end

data/lib/inspec/profile.rb

@@ -81,7 +81,7 @@ module Inspec
     end
 
     attr_reader :source_reader, :backend, :runner_context, :check_mode
-    attr_accessor :parent_profile, :profile_name
+    attr_accessor :parent_profile, :profile_id, :profile_name
     def_delegator :@source_reader, :tests
     def_delegator :@source_reader, :libraries
     def_delegator :@source_reader, :metadata
@@ -118,25 +118,32 @@ module Inspec
       @runtime_profile = RuntimeProfile.new(self)
       @backend.profile = @runtime_profile
 
+      # The AttributeRegistry is in charge of keeping track of inputs;
+      # it is the single source of truth. Now that we have a profile object,
+      # we can create any inputs that were provided by various mechanisms.
+      options[:runner_conf] ||= Inspec::Config.cached
+
+      if options[:runner_conf].key?(:attrs)
+        Inspec.deprecate(:rename_attributes_to_inputs, 'Use --input-file on the command line instead of --attrs.')
+        options[:runner_conf][:input_file] = options[:runner_conf].delete(:attrs)
+      end
+
+      Inspec::InputRegistry.bind_profile_inputs(
+        # Every input only exists in the context of a profile
+        metadata.params[:name], # TODO: test this with profile aliasing
+        # Remaining args are possible sources of inputs
+        cli_input_files: options[:runner_conf][:input_file], # From CLI --input-file
+        profile_metadata: metadata,
+        # TODO: deprecation checks here
+        runner_api: options[:runner_conf][:attributes], # This is the route the audit_cookbook and kitchen-inspec take
+      )
+
       @runner_context =
         options[:profile_context] ||
-        Inspec::ProfileContext.for_profile(self, @backend, @input_values)
+        Inspec::ProfileContext.for_profile(self, @backend)
 
       @supports_platform = metadata.supports_platform?(@backend)
       @supports_runtime = metadata.supports_runtime?
-      register_metadata_inputs
-    end
-
-    def register_metadata_inputs # TODO: deprecate
-      if metadata.params.key?(:attributes) && metadata.params[:attributes].is_a?(Array)
-        metadata.params[:attributes].each do |attribute|
-          attr_dup = attribute.dup
-          name = attr_dup.delete(:name)
-          @runner_context.register_input(name, attr_dup)
-        end
-      elsif metadata.params.key?(:attributes)
-        Inspec::Log.warn 'Inputs must be defined as an Array. Skipping current definition.'
-      end
     end
 
     def name
@@ -595,7 +602,7 @@ module Inspec
         f = load_rule_filepath(prefix, rule)
         load_rule(rule, f, controls, groups)
       end
-      params[:inputs] = @runner_context.inputs
+      params[:inputs] = Inspec::InputRegistry.list_inputs_for_profile(@profile_id)
       params
     end