inspec 4.18.51 → 4.18.85

data/lib/plugins/inspec-compliance/lib/inspec-compliance/support.rb

@@ -1,34 +0,0 @@
-module InspecPlugins
-  module Compliance
-    # is a helper that provides information which version of compliance supports
-    # which feature
-    class Support
-      # for a feature, returns either:
-      #  - a version v0:                      v supports v0       iff v0 <= v
-      #  - an array [v0, v1] of two versions: v supports [v0, v1] iff v0 <= v < v1
-      def self.version_with_support(feature)
-        case feature.to_sym
-        when :oidc # open id connect authentication
-          Gem::Version.new("0.16.19")
-        else
-          Gem::Version.new("0.0.0")
-        end
-      end
-
-      # determines if the given version support a certain feature
-      def self.supported?(feature, version)
-        sup = version_with_support(feature)
-
-        if sup.is_a?(Array)
-          Gem::Version.new(version) >= sup[0] &&
-            Gem::Version.new(version) < sup[1]
-        else
-          Gem::Version.new(version) >= sup
-        end
-      end
-
-      # we do not know the version, therefore we do not know if its possible to use the feature
-      # return if self['version'].nil? || self['version']['version'].nil?
-    end
-  end
-end

data/lib/plugins/inspec-compliance/lib/inspec-compliance/target.rb

@@ -1,146 +0,0 @@
-require "uri"
-require "inspec/fetcher"
-require "inspec/errors"
-require "inspec/dist"
-
-# InSpec Target Helper for Chef Compliance
-# reuses UrlHelper, but it knows the target server and the access token already
-# similar to `inspec exec http://localhost:2134/owners/%base%/compliance/%ssh%/tar --user %token%`
-module InspecPlugins
-  module Compliance
-    class Fetcher < Inspec::Fetcher::Url
-      include Inspec::Dist
-
-      name "compliance"
-      priority 500
-      attr_reader :upstream_sha256
-
-      def initialize(target, opts)
-        super(target, opts)
-        @upstream_sha256 = ""
-        if target.is_a?(Hash) && target.key?(:url)
-          @target = target[:url]
-          @upstream_sha256 = target[:sha256]
-        elsif target.is_a?(String)
-          @target = target
-        end
-      end
-
-      def sha256
-        upstream_sha256.empty? ? super : upstream_sha256
-      end
-
-      def self.check_compliance_token(uri, config)
-        if config["token"].nil? && config["refresh_token"].nil?
-          if config["server_type"] == "automate"
-            server = "automate"
-            msg = "#{EXEC_NAME} compliance login https://your_automate_server --user USER --ent ENT --dctoken DCTOKEN or --token USERTOKEN"
-          elsif config["server_type"] == "automate2"
-            server = "automate2"
-            msg = "#{EXEC_NAME} compliance login https://your_automate2_server --user USER --token APITOKEN"
-          else
-            server = "compliance"
-            msg = "#{EXEC_NAME} compliance login https://your_compliance_server --user admin --insecure --token 'PASTE TOKEN HERE' "
-          end
-          raise Inspec::FetcherFailure, <<~EOF
-
-            Cannot fetch #{uri} because your #{server} token has not been
-            configured.
-
-            Please login using
-
-                #{msg}
-          EOF
-        end
-      end
-
-      def self.get_target_uri(target)
-        if target.is_a?(String) && URI(target).scheme == "compliance"
-          URI(target)
-        elsif target.respond_to?(:key?) && target.key?(:compliance)
-          URI("compliance://#{target[:compliance]}")
-        end
-      end
-
-      def self.resolve(target)
-        uri = get_target_uri(target)
-        return nil if uri.nil?
-
-        config = InspecPlugins::Compliance::Configuration.new
-        profile = InspecPlugins::Compliance::API.sanitize_profile_name(uri)
-        profile_fetch_url = InspecPlugins::Compliance::API.target_url(config, profile)
-        # we have detailed information available in our lockfile, no need to ask the server
-        if target.respond_to?(:key?) && target.key?(:sha256)
-          profile_checksum = target[:sha256]
-        else
-          check_compliance_token(uri, config)
-          # verifies that the target e.g base/ssh exists
-          # Call profiles directly instead of exist? to capture the results
-          # so we can access the upstream sha256 from the results.
-          _msg, profile_result = InspecPlugins::Compliance::API.profiles(config, profile)
-          if profile_result.empty?
-            raise Inspec::FetcherFailure, "The compliance profile #{profile} was not found on the configured compliance server"
-          else
-            # Guarantee sorting by verison and grab the latest.
-            # If version was specified, it will be the first and only result.
-            # Note we are calling the sha256 as a string, not a symbol since
-            # it was returned as json from the Compliance API.
-            profile_info = profile_result.sort_by { |x| Gem::Version.new(x["version"]) }[0]
-            profile_checksum = profile_info.key?("sha256") ? profile_info["sha256"] : ""
-          end
-        end
-        # We need to pass the token to the fetcher
-        config["token"] = InspecPlugins::Compliance::API.get_token(config)
-
-        # Needed for automate2 post request
-        profile_stub = profile || target[:compliance]
-        config["profile"] = InspecPlugins::Compliance::API.profile_split(profile_stub)
-
-        new({ url: profile_fetch_url, sha256: profile_checksum }, config)
-      rescue URI::Error => _e
-        nil
-      end
-
-      # We want to save compliance: in the lockfile rather than url: to
-      # make sure we go back through the Compliance API handling.
-      def resolved_source
-        @resolved_source ||= {
-          compliance: compliance_profile_name,
-          url: @target,
-          sha256: sha256,
-        }
-      end
-
-      def to_s
-        "#{COMPLIANCE_PRODUCT_NAME} Profile Loader"
-      end
-
-      private
-
-      # determine the owner_id and the profile name from the url
-      def compliance_profile_name
-        m = if InspecPlugins::Compliance::API.is_automate_server_pre_080?(@config)
-              %r{^#{@config['server']}/(?<owner>[^/]+)/(?<id>[^/]+)/tar$}
-            elsif InspecPlugins::Compliance::API.is_automate_server_080_and_later?(@config)
-              %r{^#{@config['server']}/profiles/(?<owner>[^/]+)/(?<id>[^/]+)/tar$}
-            else
-              %r{^#{@config['server']}/owners/(?<owner>[^/]+)/compliance/(?<id>[^/]+)/tar$}
-            end.match(@target)
-
-        if InspecPlugins::Compliance::API.is_automate2_server?(@config)
-          m = {}
-          m[:owner] = @config["profile"][0]
-          m[:id] = @config["profile"][1]
-        end
-
-        if m.nil?
-          raise "Unable to determine compliance profile name. This can be caused by " \
-            "an incorrect server in your configuration. Try to login to compliance " \
-            "via the `#{EXEC_NAME} compliance login` command."
-        end
-
-        "#{m[:owner]}/#{m[:id]}"
-      end
-    end
-  end
-end

data/lib/plugins/inspec-compliance/test/functional/inspec_compliance_test.rb

@@ -1,53 +0,0 @@
-require_relative "../../../shared/core_plugin_test_helper.rb"
-
-class ComplianceCli < Minitest::Test
-  include CorePluginFunctionalHelper
-
-  def test_help_output
-    out = run_inspec_process("compliance help")
-
-    assert_includes out.stdout, "inspec compliance exec PROFILE"
-
-    assert_exit_code 0, out
-  end
-
-  def test_logout_command
-    out = run_inspec_process("compliance logout")
-
-    assert_includes out.stdout, ""
-
-    assert_exit_code 0, out
-  end
-
-  def test_error_login_with_invalid_url
-    out = run_inspec_process("compliance login")
-
-    assert_includes out.stderr, 'ERROR: "inspec compliance login" was called with no arguments'
-
-    assert_exit_code 1, out
-  end
-
-  def test_profile_list_without_auth
-    out = run_inspec_process("compliance profiles")
-
-    assert_includes out.stdout, "You need to login first with `inspec compliance login`"
-
-    assert_exit_code 0, out # TODO: make this error
-  end
-
-  def test_error_upload_without_args
-    out = run_inspec_process("compliance upload")
-
-    assert_includes out.stderr, 'ERROR: "inspec compliance upload" was called with no arguments'
-
-    assert_exit_code 1, out
-  end
-
-  def test_error_upload_with_fake_path
-    out = run_inspec_process("compliance upload /path/to/dir")
-
-    assert_includes out.stdout, "You need to login first with `inspec compliance login`"
-
-    assert_exit_code 0, out # TODO: make this error
-  end
-end

data/lib/plugins/inspec-compliance/test/integration/default/cli.rb

@@ -1,91 +0,0 @@
-# options
-inspec_bin = "BUNDLE_GEMFILE=/inspec/Gemfile bundle exec inspec"
-api_url = "https://0.0.0.0"
-profile = "/inspec/examples/profile"
-
-user = command("whoami").stdout.strip
-pwd = command("pwd").stdout.strip
-puts "Run test as #{user} in path #{pwd}"
-
-# TODO: determine tokens automatically, define in kitchen yml
-access_token = ENV["COMPLIANCE_ACCESSTOKEN"]
-refresh_token = ENV["COMPLIANCE_REFRESHTOKEN"]
-
-%w{refresh_token access_token}.each do |type| # rubocop:disable Metrics/BlockLength
-  case type
-  when "access_token"
-    token_options = "--token '#{access_token}'"
-  when "refresh_token"
-    token_options = "--refresh_token '#{refresh_token}'"
-  end
-
-  # verifies that the help command works
-  describe command("#{inspec_bin} compliance help") do
-    its("stdout") { should include "inspec compliance help [COMMAND]" }
-    its("stderr") { should eq "" }
-    its("exit_status") { should eq 0 }
-  end
-
-  # version command fails gracefully when server not configured
-  describe command("#{inspec_bin} compliance version") do
-    its("stdout") { should include "Server configuration information is missing" }
-    its("stderr") { should eq "" }
-    its("exit_status") { should eq 1 }
-  end
-
-  # submitting a wrong token should have an exit of 0
-  describe command("#{inspec_bin} compliance login #{api_url} --insecure --user 'admin' --token 'wrong-token'") do
-    its("stdout") { should include "token stored" }
-  end
-
-  # compliance login --help should give an accurate message for login
-  describe command("#{inspec_bin} compliance login --help") do
-    its("stdout") { should include "inspec compliance login SERVER --insecure --user='USER' --token='TOKEN'" }
-    its("exit_status") { should eq 0 }
-  end
-
-  # profiles command fails gracefully when token/server info is incorrect
-  describe command("#{inspec_bin} compliance profiles") do
-    its("stdout") { should include "401 Unauthorized. Please check your token" }
-    its("stderr") { should eq "" }
-    its("exit_status") { should eq 1 }
-  end
-
-  # login via access token token
-  describe command("#{inspec_bin} compliance login #{api_url} --insecure --user 'admin' #{token_options}") do
-    its("stdout") { should include "token", "stored" }
-    its("stdout") { should_not include "Your server supports --user and --password only" }
-    its("stderr") { should eq "" }
-    its("exit_status") { should eq 0 }
-  end
-
-  # see available resources
-  describe command("#{inspec_bin} compliance profiles") do
-    its("stdout") { should include "base/ssh" }
-    its("stderr") { should eq "" }
-    its("exit_status") { should eq 0 }
-  end
-
-  # upload a compliance profile
-  describe command("#{inspec_bin} compliance upload #{profile} --overwrite") do
-    its("stdout") { should include "Profile is valid" }
-    its("stdout") { should include "Successfully uploaded profile" }
-    its("stdout") { should_not include "error(s)" }
-    its("stderr") { should eq "" }
-    its("exit_status") { should eq 0 }
-  end
-
-  # returns the version of the server
-  describe command("#{inspec_bin} compliance version") do
-    its("stdout") { should include "Chef Compliance version:" }
-    its("stderr") { should eq "" }
-    its("exit_status") { should eq 0 }
-  end
-
-  # logout
-  describe command("#{inspec_bin} compliance logout") do
-    its("stdout") { should include "Successfully logged out" }
-    its("stderr") { should eq "" }
-    its("exit_status") { should eq 0 }
-  end
-end

data/lib/plugins/inspec-compliance/test/unit/api/login_test.rb

@@ -1,190 +0,0 @@
-require "minitest/autorun"
-require "mocha/setup"
-require "webmock/minitest"
-require_relative "../../../lib/inspec-compliance/api.rb"
-
-describe InspecPlugins::Compliance::API do
-  let(:automate_options) do
-    {
-      "server" => "https://automate.example.com",
-      "ent" => "automate",
-      "user" => "someone",
-      "token" => "token",
-    }
-  end
-
-  let(:compliance_options) do
-    {
-      "server" => "https://compliance.example.com",
-      "user" => "someone",
-      "password" => "password",
-      "token" => "token",
-      "refresh_token" => "refresh_token",
-    }
-  end
-
-  let(:fake_config) do
-    class FakeConfig
-      def initialize
-        @config = {}
-      end
-
-      def [](key)
-        @config[key]
-      end
-
-      def []=(key, value)
-        @config[key] = value
-      end
-
-      def clean
-        @config = {}
-      end
-
-      def store
-        nil
-      end
-    end
-
-    FakeConfig.new
-  end
-
-  describe ".login" do
-    describe "when target is a Chef Automate2 server" do
-      before do
-        InspecPlugins::Compliance::API.expects(:determine_server_type).returns(:automate2)
-      end
-
-      it "raises an error if `--user` is missing" do
-        options = automate_options
-        options.delete("user")
-        err = _ { InspecPlugins::Compliance::API.login(options) }.must_raise(ArgumentError)
-        _(err.message).must_match(/Please specify a user.*/)
-        _(err.message.lines.length).must_equal(1)
-      end
-
-      it "raises an error if `--token` and `--dctoken` are missing" do
-        options = automate_options
-        options.delete("token")
-        options.delete("dctoken")
-        err = _ { InspecPlugins::Compliance::API.login(options) }.must_raise(ArgumentError)
-        _(err.message).must_match(/Please specify a token.*/)
-        _(err.message.lines.length).must_equal(1)
-      end
-
-      it "stores an access token" do
-        stub_request(:get, automate_options["server"] + "/compliance/version")
-          .to_return(status: 200, body: "", headers: {})
-        options = automate_options
-        InspecPlugins::Compliance::Configuration.expects(:new).returns(fake_config)
-
-        InspecPlugins::Compliance::API.login(options)
-        _(fake_config["automate"]["ent"]).must_equal("automate")
-        _(fake_config["automate"]["token_type"]).must_equal("dctoken")
-        _(fake_config["user"]).must_equal("someone")
-        _(fake_config["server"]).must_equal("https://automate.example.com/api/v0")
-        _(fake_config["server_type"]).must_equal("automate2")
-        _(fake_config["token"]).must_equal("token")
-      end
-    end
-
-    describe "when target is a Chef Automate server" do
-      before do
-        InspecPlugins::Compliance::API.expects(:determine_server_type).returns(:automate)
-      end
-
-      it "raises an error if `--user` is missing" do
-        options = automate_options
-        options.delete("user")
-        err = _ { InspecPlugins::Compliance::API.login(options) }.must_raise(ArgumentError)
-        _(err.message).must_match(/Please specify a user.*/)
-        _(err.message.lines.length).must_equal(1)
-      end
-
-      it "raises an error if `--ent` is missing" do
-        options = automate_options
-        options.delete("ent")
-        err = _ { InspecPlugins::Compliance::API.login(options) }.must_raise(ArgumentError)
-        _(err.message).must_match(/Please specify an enterprise.*/)
-        _(err.message.lines.length).must_equal(1)
-      end
-
-      it "raises an error if `--token` and `--dctoken` are missing" do
-        options = automate_options
-        options.delete("token")
-        options.delete("dctoken")
-        err = _ { InspecPlugins::Compliance::API.login(options) }.must_raise(ArgumentError)
-        _(err.message).must_match(/Please specify a token.*/)
-        _(err.message.lines.length).must_equal(1)
-      end
-
-      it "stores an access token" do
-        stub_request(:get, automate_options["server"] + "/compliance/version")
-          .to_return(status: 200, body: "", headers: {})
-        options = automate_options
-        InspecPlugins::Compliance::Configuration.expects(:new).returns(fake_config)
-
-        InspecPlugins::Compliance::API.login(options)
-        _(fake_config["automate"]["ent"]).must_equal("automate")
-        _(fake_config["automate"]["token_type"]).must_equal("usertoken")
-        _(fake_config["user"]).must_equal("someone")
-        _(fake_config["server"]).must_equal("https://automate.example.com/compliance")
-        _(fake_config["server_type"]).must_equal("automate")
-        _(fake_config["token"]).must_equal("token")
-      end
-    end
-
-    describe "when target is a Chef Compliance server" do
-      before do
-        InspecPlugins::Compliance::API.expects(:determine_server_type).returns(:compliance)
-      end
-
-      it "raises an error if `--user` and `--refresh-token` are missing" do
-        options = automate_options
-        options.delete("user")
-        options.delete("refresh_token")
-        err = _ { InspecPlugins::Compliance::API.login(options) }.must_raise(ArgumentError)
-        _(err.message).must_match(/Please specify a.*--user.*--refresh-token.*/)
-        _(err.message.lines.length).must_equal(1)
-      end
-
-      it "raises an error if `--user` is present but authentication method missing" do
-        options = automate_options
-        options.delete("password")
-        options.delete("token")
-        options.delete("refresh_token")
-        err = _ { InspecPlugins::Compliance::API.login(options) }.must_raise(ArgumentError)
-        _(err.message).must_match(/Please specify.*--password.*--token.*--refresh-token.*/)
-        _(err.message.lines.length).must_equal(1)
-      end
-
-      it "stores an access token" do
-        stub_request(:get, compliance_options["server"] + "/api/version")
-          .to_return(status: 200, body: "", headers: {})
-        options = compliance_options
-        InspecPlugins::Compliance::Configuration.expects(:new).returns(fake_config)
-
-        InspecPlugins::Compliance::API.login(options)
-        _(fake_config["user"]).must_equal("someone")
-        _(fake_config["server"]).must_equal("https://compliance.example.com/api")
-        _(fake_config["server_type"]).must_equal("compliance")
-        _(fake_config["token"]).must_equal("token")
-      end
-    end
-
-    describe "when target is neither a Chef Compliance nor Chef Automate server" do
-      it "raises an error if `https://SERVER` is missing" do
-        options = {}
-        err = _ { InspecPlugins::Compliance::API.login(options) }.must_raise(ArgumentError)
-        _(err.message).must_match(/Please specify a server.*/)
-        _(err.message.lines.length).must_equal(1)
-      end
-
-      it "rasies a `CannotDetermineServerType` error" do
-        InspecPlugins::Compliance::API.expects(:determine_server_type).returns(nil)
-        err = _ { InspecPlugins::Compliance::API.login(automate_options) }.must_raise(StandardError)
-        _(err.message).must_match(/Unable to determine/)
-      end
-    end
-  end
-end