inspec 4.18.51 → 4.18.85

data/lib/plugins/inspec-compliance/lib/inspec-compliance.rb

@@ -1,12 +0,0 @@
-module InspecPlugins
-  module Compliance
-    class Plugin < Inspec.plugin(2)
-      plugin_name :'inspec-compliance'
-
-      cli_command :compliance do
-        require_relative "inspec-compliance/cli"
-        InspecPlugins::Compliance::CLI
-      end
-    end
-  end
-end

data/lib/plugins/inspec-compliance/lib/inspec-compliance/api.rb

@@ -1,362 +0,0 @@
-require "net/http"
-require "uri"
-require "json"
-require "inspec/dist"
-
-require_relative "api/login"
-require_relative "configuration"
-require_relative "http"
-require_relative "target"
-require_relative "support"
-
-module InspecPlugins
-  module Compliance
-    class ServerConfigurationMissing < StandardError; end
-
-    # API Implementation does not hold any state by itself,
-    # everything will be stored in local Configuration store
-    class API
-      include Inspec::Dist
-      extend InspecPlugins::Compliance::API::Login
-
-      # return all compliance profiles available for the user
-      # the user is either specified in the options hash or by default
-      # the username of the account is used that is logged in
-      def self.profiles(config, profile_filter = nil) # rubocop:disable PerceivedComplexity, Metrics/CyclomaticComplexity, Metrics/AbcSize, Metrics/MethodLength
-        owner = config["owner"] || config["user"]
-
-        # Chef Compliance
-        if is_compliance_server?(config)
-          url = "#{config["server"]}/user/compliance"
-        # Chef Automate2
-        elsif is_automate2_server?(config)
-          url = "#{config["server"]}/compliance/profiles/search"
-        # Chef Automate
-        elsif is_automate_server?(config)
-          url = "#{config["server"]}/profiles/#{owner}"
-        else
-          raise ServerConfigurationMissing
-        end
-
-        headers = get_headers(config)
-        if profile_filter
-          _owner, id, ver = profile_split(profile_filter)
-        else
-          id, ver = nil
-        end
-
-        if is_automate2_server?(config)
-          body = { owner: owner, name: id }.to_json
-          response = InspecPlugins::Compliance::HTTP.post_with_headers(url, headers, body, config["insecure"])
-        else
-          response = InspecPlugins::Compliance::HTTP.get(url, headers, config["insecure"])
-        end
-        data = response.body
-        response_code = response.code
-        case response_code
-        when "200"
-          msg = "success"
-          profiles = JSON.parse(data)
-          # iterate over profiles
-          if is_compliance_server?(config)
-            mapped_profiles = []
-            profiles.values.each do |org|
-              mapped_profiles += org.values
-            end
-          # Chef Automate pre 0.8.0
-          elsif is_automate_server_pre_080?(config)
-            mapped_profiles = profiles.values.flatten
-          elsif is_automate2_server?(config)
-            mapped_profiles = []
-            profiles["profiles"].each do |p|
-              mapped_profiles << p
-            end
-          else
-            mapped_profiles = profiles.map do |e|
-              e["owner_id"] = owner
-              e
-            end
-          end
-          # filter by name and version if they were specified in profile_filter
-          mapped_profiles.select! do |p|
-            (!ver || p["version"] == ver) && (!id || p["name"] == id)
-          end
-          return msg, mapped_profiles
-        when "401"
-          msg = "401 Unauthorized. Please check your token."
-          return msg, []
-        else
-          msg = "An unexpected error occurred (HTTP #{response_code}): #{response.message}"
-          return msg, []
-        end
-      end
-
-      # return the server api version
-      # NB this method does not use Compliance::Configuration to allow for using
-      # it before we know the version (e.g. oidc or not)
-      def self.version(config)
-        url = config["server"]
-        insecure = config["insecure"]
-
-        raise ServerConfigurationMissing if url.nil?
-
-        headers = get_headers(config)
-        response = InspecPlugins::Compliance::HTTP.get(url + "/version", headers, insecure)
-        return {} if response.code == "404"
-
-        data = response.body
-        return {} if data.nil? || data.empty?
-
-        parsed = JSON.parse(data)
-        return {} unless parsed.key?("version") && !parsed["version"].empty?
-
-        parsed
-      end
-
-      # verifies that a profile exists
-      def self.exist?(config, profile)
-        _msg, profiles = InspecPlugins::Compliance::API.profiles(config, profile)
-        !profiles.empty?
-      end
-
-      def self.upload(config, owner, profile_name, archive_path)
-        # Chef Compliance
-        if is_compliance_server?(config)
-          url = "#{config["server"]}/owners/#{owner}/compliance/#{profile_name}/tar"
-        # Chef Automate pre 0.8.0
-        elsif is_automate_server_pre_080?(config)
-          url = "#{config["server"]}/#{owner}"
-        elsif is_automate2_server?(config)
-          url = "#{config["server"]}/compliance/profiles?owner=#{owner}"
-        # Chef Automate
-        else
-          url = "#{config["server"]}/profiles/#{owner}"
-        end
-
-        headers = get_headers(config)
-        if is_automate2_server?(config)
-          res = InspecPlugins::Compliance::HTTP.post_multipart_file(url, headers, archive_path, config["insecure"])
-        else
-          res = InspecPlugins::Compliance::HTTP.post_file(url, headers, archive_path, config["insecure"])
-        end
-
-        [res.is_a?(Net::HTTPSuccess), res.body]
-      end
-
-      # Use username and refresh_token to get an API access token
-      def self.get_token_via_refresh_token(url, refresh_token, insecure)
-        uri = URI.parse("#{url}/login")
-        req = Net::HTTP::Post.new(uri.path)
-        req.body = { token: refresh_token }.to_json
-        access_token = nil
-        response = InspecPlugins::Compliance::HTTP.send_request(uri, req, insecure)
-        data = response.body
-        if response.code == "200"
-          begin
-            tokendata = JSON.parse(data)
-            access_token = tokendata["access_token"]
-            msg = "Successfully fetched API access token"
-            success = true
-          rescue JSON::ParserError => e
-            success = false
-            msg = e.message
-          end
-        else
-          success = false
-          msg = "Failed to authenticate to #{url} \n\
-    Response code: #{response.code}\n  Body: #{response.body}"
-        end
-
-        [success, msg, access_token]
-      end
-
-      # Use username and password to get an API access token
-      def self.get_token_via_password(url, username, password, insecure)
-        uri = URI.parse("#{url}/login")
-        req = Net::HTTP::Post.new(uri.path)
-        req.body = { userid: username, password: password }.to_json
-        access_token = nil
-        response = InspecPlugins::Compliance::HTTP.send_request(uri, req, insecure)
-        data = response.body
-        if response.code == "200"
-          access_token = data
-          msg = "Successfully fetched an API access token valid for 12 hours"
-          success = true
-        else
-          success = false
-          msg = "Failed to authenticate to #{url} \n\
-    Response code: #{response.code}\n  Body: #{response.body}"
-        end
-
-        [success, msg, access_token]
-      end
-
-      def self.get_headers(config)
-        token = get_token(config)
-        if is_automate_server?(config) || is_automate2_server?(config)
-          headers = { "chef-delivery-enterprise" => config["automate"]["ent"] }
-          if config["automate"]["token_type"] == "dctoken"
-            headers["x-data-collector-token"] = token
-          else
-            headers["chef-delivery-user"] = config["user"]
-            headers["chef-delivery-token"] = token
-          end
-        else
-          headers = { "Authorization" => "Bearer #{token}" }
-        end
-        headers
-      end
-
-      def self.get_token(config)
-        return config["token"] unless config["refresh_token"]
-
-        _success, _msg, token = get_token_via_refresh_token(config["server"], config["refresh_token"], config["insecure"])
-        token
-      end
-
-      def self.target_url(config, profile)
-        owner, id, ver = profile_split(profile)
-
-        return "#{config["server"]}/compliance/profiles/tar" if is_automate2_server?(config)
-        return "#{config["server"]}/owners/#{owner}/compliance/#{id}/tar" unless is_automate_server?(config)
-
-        if ver.nil?
-          "#{config["server"]}/profiles/#{owner}/#{id}/tar"
-        else
-          "#{config["server"]}/profiles/#{owner}/#{id}/version/#{ver}/tar"
-        end
-      end
-
-      def self.profile_split(profile)
-        owner, id = profile.split("/")
-        id, version = id.split("#")
-        [owner, id, version]
-      end
-
-      # returns a parsed url for `admin/profile` or `compliance://admin/profile`
-      def self.sanitize_profile_name(profile)
-        if URI(profile).scheme == "compliance"
-          uri = URI(profile)
-        else
-          uri = URI("compliance://#{profile}")
-        end
-        uri.to_s.sub(%r{^compliance:\/\/}, "")
-      end
-
-      def self.is_compliance_server?(config)
-        config["server_type"] == "compliance"
-      end
-
-      def self.is_automate_server_pre_080?(config)
-        # Automate versions before 0.8.x do not have a valid version in the config
-        return false unless config["server_type"] == "automate"
-
-        server_version_from_config(config).nil?
-      end
-
-      def self.is_automate_server_080_and_later?(config)
-        # Automate versions 0.8.x and later will have a "version" key in the config
-        # that is properly parsed out via server_version_from_config below
-        return false unless config["server_type"] == "automate"
-
-        !server_version_from_config(config).nil?
-      end
-
-      def self.is_automate2_server?(config)
-        config["server_type"] == "automate2"
-      end
-
-      def self.is_automate_server?(config)
-        config["server_type"] == "automate"
-      end
-
-      def self.server_version_from_config(config)
-        # Automate versions 0.8.x and later will have a "version" key in the config
-        # that looks like: "version":{"api":"compliance","version":"0.8.24"}
-        return nil unless config.key?("version")
-        return nil unless config["version"].is_a?(Hash)
-
-        config["version"]["version"]
-      end
-
-      def self.determine_server_type(url, insecure)
-        if target_is_automate2_server?(url, insecure)
-          :automate2
-        elsif target_is_automate_server?(url, insecure)
-          :automate
-        elsif target_is_compliance_server?(url, insecure)
-          :compliance
-        else
-          Inspec::Log.debug("Could not determine server type using known endpoints")
-          nil
-        end
-      end
-
-      def self.target_is_automate2_server?(url, insecure)
-        automate_endpoint = "/dex/auth"
-        response = InspecPlugins::Compliance::HTTP.get(url + automate_endpoint, nil, insecure)
-        if response.code == "400"
-          Inspec::Log.debug(
-            "Received 400 from #{url}#{automate_endpoint} - " \
-            "assuming target is a #{AUTOMATE_PRODUCT_NAME}2 instance"
-          )
-          true
-        else
-          false
-        end
-      end
-
-      def self.target_is_automate_server?(url, insecure)
-        automate_endpoint = "/compliance/version"
-        response = InspecPlugins::Compliance::HTTP.get(url + automate_endpoint, nil, insecure)
-        case response.code
-        when "401"
-          Inspec::Log.debug(
-            "Received 401 from #{url}#{automate_endpoint} - " \
-            "assuming target is a #{AUTOMATE_PRODUCT_NAME} instance"
-          )
-          true
-        when "200"
-          # Chef Automate currently returns 401 for `/compliance/version` but some
-          # versions of OpsWorks Chef Automate return 200 and a Chef Manage page
-          # when unauthenticated requests are received.
-          if response.body.include?("Are You Looking For the #{SERVER_PRODUCT_NAME}?")
-            Inspec::Log.debug(
-              "Received 200 from #{url}#{automate_endpoint} - " \
-              "assuming target is an #{AUTOMATE_PRODUCT_NAME} instance"
-            )
-            true
-          else
-            Inspec::Log.debug(
-              "Received 200 from #{url}#{automate_endpoint} " \
-              "but did not receive the Chef Manage page - " \
-              "assuming target is not a #{AUTOMATE_PRODUCT_NAME} instance"
-            )
-            false
-          end
-        else
-          Inspec::Log.debug(
-            "Received unexpected status code #{response.code} " \
-            "from #{url}#{automate_endpoint} - " \
-            "assuming target is not a #{AUTOMATE_PRODUCT_NAME} instance"
-          )
-          false
-        end
-      end
-
-      def self.target_is_compliance_server?(url, insecure)
-        # All versions of Chef Compliance return 200 for `/api/version`
-        compliance_endpoint = "/api/version"
-
-        response = InspecPlugins::Compliance::HTTP.get(url + compliance_endpoint, nil, insecure)
-        return false unless response.code == "200"
-
-        Inspec::Log.debug(
-          "Received 200 from #{url}#{compliance_endpoint} - " \
-          "assuming target is a #{COMPLIANCE_PRODUCT_NAME} server"
-        )
-        true
-      end
-    end
-  end
-end

data/lib/plugins/inspec-compliance/lib/inspec-compliance/api/login.rb

@@ -1,198 +0,0 @@
-require "inspec/dist"
-
-module InspecPlugins
-  module Compliance
-    class API
-      module Login
-        include Inspec::Dist
-
-        class CannotDetermineServerType < StandardError; end
-
-        def login(options)
-          raise ArgumentError, "Please specify a server using `#{EXEC_NAME} compliance login https://SERVER`" unless options["server"]
-
-          options["server"] = URI("https://#{options["server"]}").to_s if URI(options["server"]).scheme.nil?
-
-          options["server_type"] = InspecPlugins::Compliance::API.determine_server_type(options["server"], options["insecure"])
-
-          case options["server_type"]
-          when :automate2
-            Login::Automate2Server.login(options)
-          when :automate
-            Login::AutomateServer.login(options)
-          when :compliance
-            Login::ComplianceServer.login(options)
-          else
-            raise CannotDetermineServerType, "Unable to determine if #{options["server"]} is a #{AUTOMATE_PRODUCT_NAME} or #{COMPLIANCE_PRODUCT_NAME} server"
-          end
-        end
-
-        module Automate2Server
-          def self.login(options)
-            verify_thor_options(options)
-
-            options["url"] = options["server"] + "/api/v0"
-            token = options["dctoken"] || options["token"]
-            store_access_token(options, token)
-          end
-
-          def self.store_access_token(options, token)
-            config = InspecPlugins::Compliance::Configuration.new
-            config.clean
-
-            config["automate"] = {}
-            config["automate"]["ent"] = "automate"
-            config["automate"]["token_type"] = "dctoken"
-            config["server"] = options["url"]
-            config["user"] = options["user"]
-            config["owner"] = options["user"]
-            config["insecure"] = options["insecure"] || false
-            config["server_type"] = options["server_type"].to_s
-            config["token"] = token
-            config["version"] = "0"
-
-            config.store
-            config
-          end
-
-          def self.verify_thor_options(o)
-            error_msg = []
-
-            error_msg.push("Please specify a user using `--user='USER'`") if o["user"].nil?
-
-            if o["token"].nil? && o["dctoken"].nil?
-              error_msg.push("Please specify a token using `--token='APITOKEN'`")
-            end
-
-            raise ArgumentError, error_msg.join("\n") unless error_msg.empty?
-          end
-        end
-
-        module AutomateServer
-          def self.login(options)
-            verify_thor_options(options)
-
-            options["url"] = options["server"] + "/compliance"
-            token = options["dctoken"] || options["token"]
-            store_access_token(options, token)
-          end
-
-          def self.store_access_token(options, token)
-            token_type = if options["token"]
-                           "usertoken"
-                         else
-                           "dctoken"
-                         end
-
-            config = InspecPlugins::Compliance::Configuration.new
-
-            config.clean
-
-            config["automate"] = {}
-            config["automate"]["ent"] = options["ent"]
-            config["automate"]["token_type"] = token_type
-            config["server"] = options["url"]
-            config["user"] = options["user"]
-            config["insecure"] = options["insecure"] || false
-            config["server_type"] = options["server_type"].to_s
-            config["token"] = token
-            config["version"] = InspecPlugins::Compliance::API.version(config)
-
-            config.store
-            config
-          end
-
-          # Automate login requires `--ent`, `--user`, and either `--token` or `--dctoken`
-          def self.verify_thor_options(o)
-            error_msg = []
-
-            error_msg.push("Please specify a user using `--user='USER'`") if o["user"].nil?
-            error_msg.push("Please specify an enterprise using `--ent='automate'`") if o["ent"].nil?
-
-            if o["token"].nil? && o["dctoken"].nil?
-              error_msg.push("Please specify a token using `--token='AUTOMATE_TOKEN'` or `--dctoken='DATA_COLLECTOR_TOKEN'`")
-            end
-
-            raise ArgumentError, error_msg.join("\n") unless error_msg.empty?
-          end
-        end
-
-        module ComplianceServer
-          include Inspec::Dist
-
-          def self.login(options)
-            compliance_verify_thor_options(options)
-
-            options["url"] = options["server"] + "/api"
-
-            if options["user"] && options["token"]
-              compliance_store_access_token(options, options["token"])
-            elsif options["user"] && options["password"]
-              compliance_login_user_pass(options)
-            elsif options["refresh_token"]
-              compliance_login_refresh_token(options)
-            end
-          end
-
-          def self.compliance_login_user_pass(options)
-            success, msg, token = InspecPlugins::Compliance::API.get_token_via_password(
-              options["url"],
-              options["user"],
-              options["password"],
-              options["insecure"]
-            )
-
-            raise msg unless success
-
-            compliance_store_access_token(options, token)
-          end
-
-          def self.compliance_login_refresh_token(options)
-            success, msg, token = InspecPlugins::Compliance::API.get_token_via_refresh_token(
-              options["url"],
-              options["refresh_token"],
-              options["insecure"]
-            )
-
-            raise msg unless success
-
-            compliance_store_access_token(options, token)
-          end
-
-          def self.compliance_store_access_token(options, token)
-            config = InspecPlugins::Compliance::Configuration.new
-            config.clean
-
-            config["user"] = options["user"] if options["user"]
-            config["server"] = options["url"]
-            config["insecure"] = options["insecure"] || false
-            config["server_type"] = options["server_type"].to_s
-            config["token"] = token
-            config["version"] = InspecPlugins::Compliance::API.version(config)
-
-            config.store
-            config
-          end
-
-          # Compliance login requires `--user` or `--refresh_token`
-          # If `--user` then either `--password`, `--token`, or `--refresh-token`, is required
-          def self.compliance_verify_thor_options(o)
-            error_msg = []
-
-            error_msg.push("Please specify a server using `#{EXEC_NAME} compliance login https://SERVER`") if o["server"].nil?
-
-            if o["user"].nil? && o["refresh_token"].nil?
-              error_msg.push("Please specify a `--user='USER'` or a `--refresh-token='TOKEN'`")
-            end
-
-            if o["user"] && o["password"].nil? && o["token"].nil? && o["refresh_token"].nil?
-              error_msg.push("Please specify either a `--password`, `--token`, or `--refresh-token`")
-            end
-
-            raise ArgumentError, error_msg.join("\n") unless error_msg.empty?
-          end
-        end
-      end
-    end
-  end
-end