inspec 0.18.0 → 0.19.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 5fcd7959abdb3de12c11854323ad29f484f0dbda
-  data.tar.gz: 79bbc6496cc71d18e02a9b05b4e6fbd3a5043315
+  metadata.gz: 3f8721f5a1366ca4d03be5b1cbfe3b8f61ba315f
+  data.tar.gz: 68a9c4ce7b72cde464e322d449ce8775f0afa6a8
 SHA512:
-  metadata.gz: 4256867dac4a3a9978b4f5dfda36aba67f9d97461d9d074e694f048d51ae22cd2e835593524e5dcbcc9d3f87a34279cbcd295f6f66d0d372939c8daf5e73688f
-  data.tar.gz: c6cc148cae574dd9dce10ad9781cb9e088fff6c52fdde9f3b40463d7166689e23923b539ba077a4d224e3611f33b0fd7c3b2799e9308590516a6231f536a78cc
+  metadata.gz: 595a34ad34f066fffe31f2ee6799d5692010521949d6dbe57c3d306f391922e7c4ea295f6504156d94b8b835553930623757a2a97e10ce706ae1340ccc40006f
+  data.tar.gz: d117f5aecbcdce653511e263b1b5c9ae394a354ae38bc5fdb93aa73850d9328d6e7934b3acdb5568e689d0163795134a15aef2e167212920baf6306d6d5e4e24

data/CHANGELOG.md

@@ -1,7 +1,39 @@
 # Change Log
 
-## [0.18.0](https://github.com/chef/inspec/tree/0.18.0) (2016-04-09)
-[Full Changelog](https://github.com/chef/inspec/compare/v0.17.1...0.18.0)
+## [0.19.0](https://github.com/chef/inspec/tree/0.19.0) (2016-04-17)
+[Full Changelog](https://github.com/chef/inspec/compare/v0.18.0...0.19.0)
+
+**Implemented enhancements:**
+
+- Add required inspec version to inspec.yml [\#644](https://github.com/chef/inspec/issues/644)
+- Resource grub conf [\#652](https://github.com/chef/inspec/pull/652) ([arlimus](https://github.com/arlimus))
+- fail on unsupported os/platform [\#651](https://github.com/chef/inspec/pull/651) ([arlimus](https://github.com/arlimus))
+- specify required inspec version in inspec.yml [\#648](https://github.com/chef/inspec/pull/648) ([arlimus](https://github.com/arlimus))
+- feature: `cmp \< / \> / \<= / \>= / == / != sth` matcher [\#643](https://github.com/chef/inspec/pull/643) ([arlimus](https://github.com/arlimus))
+- Add 'static' value as enabled to systemd service enabled check [\#637](https://github.com/chef/inspec/pull/637) ([jmccann](https://github.com/jmccann))
+- add dockerized inspec [\#635](https://github.com/chef/inspec/pull/635) ([arlimus](https://github.com/arlimus))
+- inspec-compliance + Compliance 1.0 [\#576](https://github.com/chef/inspec/pull/576) ([srenatus](https://github.com/srenatus))
+
+**Fixed bugs:**
+
+- `add\_test': undefined method error on Ubuntu 15.10 with Ruby 2.1 [\#642](https://github.com/chef/inspec/issues/642)
+- Install failed on Ubuntu with Ruby 2.1 [\#641](https://github.com/chef/inspec/issues/641)
+- Inspec json resource . example not working [\#631](https://github.com/chef/inspec/issues/631)
+- Checking on services on SLES 11 fails [\#627](https://github.com/chef/inspec/issues/627)
+- Inspec check fails on `examples/profile` [\#485](https://github.com/chef/inspec/issues/485)
+- bugfix: rspec world handling on rspec 3.5 [\#650](https://github.com/chef/inspec/pull/650) ([arlimus](https://github.com/arlimus))
+- Prevent its\(:to\_i\) from generated tests [\#639](https://github.com/chef/inspec/pull/639) ([alexpop](https://github.com/alexpop))
+- bugfix: non-profile execution with json formatter [\#632](https://github.com/chef/inspec/pull/632) ([arlimus](https://github.com/arlimus))
+
+**Merged pull requests:**
+
+- add usage instructions for inspec container [\#649](https://github.com/chef/inspec/pull/649) ([chris-rock](https://github.com/chris-rock))
+- update documentation for json resource [\#647](https://github.com/chef/inspec/pull/647) ([chris-rock](https://github.com/chris-rock))
+- Add support for suse 11 to service resource [\#638](https://github.com/chef/inspec/pull/638) ([spuranam](https://github.com/spuranam))
+- Add -i to ssh example, link to cli options [\#636](https://github.com/chef/inspec/pull/636) ([vjeffrey](https://github.com/vjeffrey))
+
+## [v0.18.0](https://github.com/chef/inspec/tree/v0.18.0) (2016-04-09)
+[Full Changelog](https://github.com/chef/inspec/compare/v0.17.1...v0.18.0)
 
 **Implemented enhancements:**
 
@@ -11,6 +43,7 @@
 
 **Merged pull requests:**
 
+- 0.18.0 [\#629](https://github.com/chef/inspec/pull/629) ([arlimus](https://github.com/arlimus))
 - Encourage sharing of profiles [\#625](https://github.com/chef/inspec/pull/625) ([nathenharvey](https://github.com/nathenharvey))
 - add travis and appveyor badges [\#622](https://github.com/chef/inspec/pull/622) ([chris-rock](https://github.com/chris-rock))
 - remove unused profile.tar.gz [\#621](https://github.com/chef/inspec/pull/621) ([chris-rock](https://github.com/chris-rock))

data/README.md

@@ -18,14 +18,14 @@ describe inetd_conf do
 end
 ```
 
-InSpec makes it easy to run your tests wherever you need.
+InSpec makes it easy to run your tests wherever you need. More options listed here: https://github.com/chef/inspec/blob/master/docs/ctl_inspec.rst
 
 ```bash
 # run test locally
 inspec exec test.rb
 
 # run test on remote host on SSH
-inspec exec test.rb -t ssh://user@hostname
+inspec exec test.rb -t ssh://user@hostname -i /path/to/key
 
 # run test on remote windows host on WinRM
 inspec exec test.rb -t winrm://Administrator@windowshost --password 'your-password'
@@ -51,6 +51,31 @@ InSpec requires Ruby ( >1.9 ).
 gem install inspec
 ```
 
+### Usage via Docker
+
+Download the image and define an alias for convenience:
+
+```
+docker pull chef/inspec
+alias inspec='docker run -it --rm -v $(pwd):/share chef/inspec'
+```
+
+If you call inspec from cli, it automatically mounts the current directory into the work directory. Therefore you can easily use local tests and key files. Note: Only files in the current directory are available to the container.
+
+```
+$ ls -1
+vagrant
+test.rb
+
+
+$ inspec exec test.rb -t ssh://root@192.168.64.2:11022 -i vagrant
+..
+
+Finished in 0.04321 seconds (files took 0.54917 seconds to load)
+2 examples, 0 failures
+```
+
+
 ### Install it from source
 
 That requires [bundler](http://bundler.io/):

data/docs/resources.rst

@@ -18,6 +18,7 @@ The following InSpec audit resources are available:
 * `file`_
 * `gem`_
 * `group <https://github.com/chef/inspec/blob/master/docs/resources.rst#group-1/>`_
+* `grub_conf`_
 * `host`_
 * `inetd_conf`_
 * `interface`_
@@ -1567,6 +1568,38 @@ The following examples show how to use this InSpec audit resource.
 
 
 
+
+grub_conf
+=====================================================
+
+Test both Grub 1 and Grub 2 configurations.
+
+**Stability: Experimental**
+
+Syntax
+-----------------------------------------------------
+A ``grub_conf`` resource is used to specify a configuration file and boot configuration.
+
+.. code-block:: ruby
+
+   describe grub_conf('/etc/grub.conf',  'default') do
+     its('kernel') { should include '/vmlinuz-2.6.32-573.7.1.el6.x86_64' }
+     its('initrd') { should include '/initramfs-2.6.32-573.el6.x86_64.img=1' }
+     its('default') { should_not eq '1' }
+     its('timeout') { should eq '5' }
+   end
+
+You can also check specific kernels:
+
+.. code-block:: ruby
+
+   grub_conf('/etc/grub.conf',  'CentOS (2.6.32-573.12.1.el6.x86_64)') do
+     its('kernel') { should include 'audit=1' }
+   end
+
+
+
+
 host
 =====================================================
 Use the ``host`` |inspec resource| to test the name used to refer to a specific host and its availability, including the Internet protocols and ports over which that host name should be available.
@@ -1872,12 +1905,25 @@ Use the ``json`` |inspec resource| to test data in a |json| file.
 
 Syntax
 -----------------------------------------------------
-A ``json`` |inspec resource| block declares the data to be tested:
+A ``json`` |inspec resource| block declares the data to be tested. Assume the following json file:
+
+.. code-block:: json
+
+   {
+     "name" : "hello",
+     "meta" : {
+       "creator" : "John Doe"
+     }
+   }
+
+
+This file can be queried via:
 
 .. code-block:: ruby
 
-   describe json do
-     its('name') { should eq 'foo' }
+   describe json('/paht/to/name.json') do
+      its('name') { should eq 'hello' }
+      its(['meta','creator']) { should eq 'John Doe' }
    end
 
 where

data/inspec.gemspec

@@ -30,7 +30,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency 'rainbow', '~> 2'
   spec.add_dependency 'method_source', '~> 0.8'
   spec.add_dependency 'rubyzip', '~> 1.1'
-  spec.add_dependency 'rspec', '~> 3.3'
+  spec.add_dependency 'rspec', '~> 3'
   spec.add_dependency 'rspec-its', '~> 1.2'
   spec.add_dependency 'pry', '~> 0'
 

data/lib/bundles/inspec-compliance/README.md

@@ -8,7 +8,8 @@ This extensions offers the following features:
 
 To use the CLI, this InSpec add-on adds the following commands:
 
- * `$ inspec compliance login user password` - authentication against Chef Compliance
+ * `$ inspec compliance api_token server --token TOKEN --user USER` - save the Chef Compliance API token for user
+ * `$ inspec compliance login` - authentication of the API token against Chef Compliance
  * `$ inspec compliance profiles` - list all available Chef Compliance profiles
  * `$ inspec compliance exec profile` - runs a Chef Compliance profile
  * `$ inspec compliance upload path/to/local/profile` - uploads a local profile to Chef Compliance

data/lib/bundles/inspec-compliance/api.rb

@@ -8,45 +8,44 @@ require 'uri'
 module Compliance
   # API Implementation does not hold any state by itself,
   # everything will be stored in local Configuration store
-  class API # rubocop:disable Metrics/ClassLength
-    # logs into the server, retrieves a token and stores it locally
-    def self.login(server, username, password, insecure, apipath)
-      config = Compliance::Configuration.new
-      config['server'] = "#{server}#{apipath}"
-      url = "#{config['server']}/oauth/token"
+  class API
+    # login method for pre-1.0 compliance server
+    def self.legacy_login_post(url, username, password, insecure)
+      # form request
+      # TODO: reuse post function
+      uri = URI.parse(url)
+      req = Net::HTTP::Post.new(uri.path)
+      req.basic_auth(username, password)
+      req.form_data={}
+
+      send_request(uri, req, insecure)
+    end
 
-      success, data = Compliance::API.post(url, username, password, insecure)
+    # return all compliance profiles available for the user
+    def self.profiles(config)
+      url = "#{config['server']}/user/compliance"
+      # TODO, api should not be dependent on .supported?
+      response = Compliance::HTTP.get(url, config['token'], config['insecure'], !config.supported?(:oidc))
+      data = response.body
       if !data.nil?
-        tokendata = JSON.parse(data)
-        if tokendata['access_token']
-          config['user'] = username
-          config['token'] = tokendata['access_token']
-          config['insecure'] = insecure
-          config.store
-          success = true
-          msg = 'Successfully authenticated'
-        else
-          msg = 'Reponse does not include a token'
-        end
+        profiles = JSON.parse(data)
+        # iterate over profiles
+        profiles.map do |owner, ps|
+          ps.keys.map do |name|
+            { org: owner, name: name }
+          end
+        end.flatten
       else
-        msg = "Authentication failed for Server: #{url}"
+        []
       end
-      [success, msg]
-    end
-
-    def self.logout
-      config = Compliance::Configuration.new
-      url = "#{config['server']}/logout"
-      Compliance::API.post(url, config['token'], nil, config['insecure'])
-      config.destroy
     end
 
     # return the server api version
-    def self.version
-      config = Compliance::Configuration.new
-      url = "#{config['server']}/version"
-
-      _success, data = Compliance::API.get(url, nil, nil, config['insecure'])
+    # NB this method does not use Compliance::Configuration to allow for using
+    # it before we know the version (e.g. oidc or not)
+    def self.version(url, insecure)
+      response = Compliance::HTTP.get(url+'/version', nil, insecure)
+      data = response.body
       if !data.nil?
         JSON.parse(data)
       else
@@ -54,30 +53,9 @@ module Compliance
       end
     end
 
-    # return all compliance profiles available for the user
-    def self.profiles
-      config = Compliance::Configuration.new
-      url = "#{config['server']}/user/compliance"
-      _success, data = get(url, config['token'], '', config['insecure'])
-
-      if !data.nil?
-        profiles = JSON.parse(data)
-        val = []
-        # iterate over profiles
-        profiles.each_key { |org|
-          profiles[org].each_key { |name|
-            val.push({ org: org, name: name })
-          }
-        }
-        val
-      else
-        []
-      end
-    end
-
     # verifies that a profile
-    def self.exist?(profile)
-      profiles = Compliance::API.profiles
+    def self.exist?(config, profile)
+      profiles = Compliance::API.profiles(config)
       if !profiles.empty?
         index = profiles.index { |p| "#{p[:org]}/#{p[:name]}" == profile }
         !index.nil? && index >= 0
@@ -86,57 +64,37 @@ module Compliance
       end
     end
 
-    def self.get(url, username, password, insecure)
-      uri = URI.parse(url)
-      req = Net::HTTP::Get.new(uri.path)
-      req.basic_auth username, password
-
-      send_request(uri, req, insecure)
-    end
-
-    def self.post(url, username, password, insecure)
-      # form request
-      uri = URI.parse(url)
-      req = Net::HTTP::Post.new(uri.path)
-      req.basic_auth username, password
-      req.form_data={}
-
-      send_request(uri, req, insecure)
-    end
-
-    # upload a file
-    def self.post_file(url, username, password, file_path, insecure)
-      uri = URI.parse(url)
-      http = Net::HTTP.new(uri.host, uri.port)
-
-      # set connection flags
-      http.use_ssl = (uri.scheme == 'https')
-      http.verify_mode = OpenSSL::SSL::VERIFY_NONE if insecure
-
-      req = Net::HTTP::Post.new(uri.path)
-      req.basic_auth username, password
-
-      req.body_stream=File.open(file_path, 'rb')
-      req.add_field('Content-Length', File.size(file_path))
-      req.add_field('Content-Type', 'application/x-gtar')
-
-      boundary = 'INSPEC-PROFILE-UPLOAD'
-      req.add_field('session', boundary)
-      res=http.request(req)
-
+    def self.upload(config, owner, profile_name, archive_path)
+      # upload the tar to Chef Compliance
+      url = "#{config['server']}/owners/#{owner}/compliance/#{profile_name}/tar"
+      res = Compliance::HTTP.post_file(url, config['token'], archive_path, config['insecure'], !config.supported?(:oidc))
       [res.is_a?(Net::HTTPSuccess), res.body]
     end
 
-    def self.send_request(uri, req, insecure)
-      opts = {
-        use_ssl: uri.scheme == 'https',
-      }
-      opts[:verify_mode] = OpenSSL::SSL::VERIFY_NONE if insecure
+    def self.post_refresh_token(url, token, insecure)
+      uri = URI.parse("#{url}/login")
+      req = Net::HTTP::Post.new(uri.path)
+      # req['Authorization'] = "Bearer #{token}"
+      req.body = { token: token }.to_json
+      access_token = nil
+      response = Compliance::HTTP.send_request(uri, req, insecure)
+      data = response.body
+      if !data.nil?
+        begin
+          tokendata = JSON.parse(data)
+          access_token = tokendata['access_token']
+          msg = 'Successfully fetched access token'
+          success = true
+        rescue JSON::ParserError => e
+          success = false
+          msg = e.message
+        end
+      else
+        success = false
+        msg = 'Invalid refresh_token'
+      end
 
-      res = Net::HTTP.start(uri.host, uri.port, opts) {|http|
-        http.request(req)
-      }
-      [res.is_a?(Net::HTTPSuccess), res.body]
+      [success, msg, access_token]
     end
   end
 end

data/lib/bundles/inspec-compliance/cli.rb

@@ -10,16 +10,44 @@ module Compliance
     namespace 'compliance'
 
     desc 'login SERVER', 'Log in to a Chef Compliance SERVER'
-    option :user, type: :string, required: true,
-      desc: 'Chef Compliance Username'
-    option :password, type: :string, required: true,
-      desc: 'Chef Compliance Password'
+    option :server, type: :string, desc: 'Chef Compliance Server URL'
     option :insecure, aliases: :k, type: :boolean,
       desc: 'Explicitly allows InSpec to perform "insecure" SSL connections and transfers'
+    option :user, type: :string, required: false,
+      desc: 'Chef Compliance Username (for legacy auth)'
+    option :password, type: :string, required: false,
+      desc: 'Chef Compliance Password (for legacy auth)'
     option :apipath, type: :string, default: '/api',
       desc: 'Set the path to the API, defaults to /api'
-    def login(server)
-      success, msg = Compliance::API.login(server, options['user'], options['password'], options['insecure'], options['apipath'])
+    option :token, type: :string, required: false,
+      desc: 'Chef Compliance access token'
+    option :refresh_token, type: :string, required: false,
+      desc: 'Chef Compliance refresh token'
+    def login(server) # rubocop:disable Metrics/CyclomaticComplexity, Metrics/AbcSize, PerceivedComplexity
+      # show warning if the Compliance Server does not support
+      if !Compliance::Configuration.new.supported?(:oidc) && (!options['token'].nil? || !options['refresh_token'].nil?)
+        puts 'Your server supports --user and --password only'
+      end
+
+      options['server'] = server
+      url = options['server'] + options['apipath']
+      if !options['user'].nil? && !options['password'].nil?
+        # username / password
+        success, msg = login_legacy(url, options['user'], options['password'], options['insecure'])
+      elsif !options['user'].nil? && !options['token'].nil?
+        # access token
+        success, msg = store_access_token(url, options['user'], options['token'], options['insecure'])
+      elsif !options['refresh_token'].nil? && !options['user'].nil?
+        # refresh token
+        success, msg = store_refresh_token(url, options['refresh_token'], true, options['user'], options['insecure'])
+        # TODO: we should login with the refreshtoken here
+      elsif !options['refresh_token'].nil?
+        success, msg = login_refreshtoken(url, options)
+      else
+        puts 'Please run `inspec compliance login` with options --token or --refresh_token and --user'
+        exit 1
+      end
+
       if success
         puts 'Successfully authenticated'
       else
@@ -29,7 +57,8 @@ module Compliance
 
     desc 'profiles', 'list all available profiles in Chef Compliance'
     def profiles
-      profiles = Compliance::API.profiles
+      config = Compliance::Configuration.new
+      profiles = Compliance::API.profiles(config)
       if !profiles.empty?
         # iterate over profiles
         headline('Available profiles:')
@@ -56,6 +85,11 @@ module Compliance
     option :overwrite, type: :boolean, default: false,
       desc: 'Overwrite existing profile on Chef Compliance.'
     def upload(path) # rubocop:disable Metrics/MethodLength, Metrics/AbcSize, PerceivedComplexity
+      unless File.exist?(path)
+        puts "Directory #{path} does not exist."
+        exit 1
+      end
+
       o = options.dup
       configure_logger(o)
       # check the profile, we only allow to upload valid profiles
@@ -88,7 +122,7 @@ module Compliance
 
       # check that the profile is not uploaded already,
       # confirm upload to the user (overwrite with --force)
-      if Compliance::API.exist?("#{owner}/#{profile_name}") && !options['overwrite']
+      if Compliance::API.exist?(config, "#{owner}/#{profile_name}") && !options['overwrite']
         error.call('Profile exists on the server, use --overwrite')
       end
 
@@ -111,11 +145,9 @@ module Compliance
       puts "Start upload to #{owner}/#{profile_name}"
       pname = ERB::Util.url_encode(profile_name)
 
-      # upload the tar to Chef Compliance
-      url = "#{config['server']}/owners/#{owner}/compliance/#{pname}/tar"
+      puts 'Uploading to Chef Compliance'
+      success, msg = Compliance::API.upload(config, owner, pname, archive_path)
 
-      puts "Uploading to #{url}"
-      success, msg = Compliance::API.post_file(url, config['token'], '', archive_path, config['insecure'])
       if success
         puts 'Successfully uploaded profile'
       else
@@ -126,7 +158,8 @@ module Compliance
 
     desc 'version', 'displays the version of the Chef Compliance server'
     def version
-      info = Compliance::API.version
+      config = Compliance::Configuration.new
+      info = Compliance::API.version(config['server'], config['insecure'])
       if !info.nil? && info['version']
         puts "Chef Compliance version: #{info['version']}"
       else
@@ -136,12 +169,98 @@ module Compliance
 
     desc 'logout', 'user logout from Chef Compliance'
     def logout
-      if Compliance::API.logout
+      config = Compliance::Configuration.new
+      unless config.supported?(:oidc) || config['token'].nil?
+        config = Compliance::Configuration.new
+        url = "#{config['server']}/logout"
+        Compliance::API.post(url, config['token'], config['insecure'], !config.supported?(:oidc))
+      end
+
+      success = config.destroy
+
+      if success
         puts 'Successfully logged out'
       else
         puts 'Could not log out'
       end
     end
+
+    private
+
+    def login_refreshtoken(url, options)
+      success, msg, access_token = Compliance::API.post_refresh_token(url, options['refresh_token'], options['insecure'])
+      if success
+        config = Compliance::Configuration.new
+        config['server'] = url
+        config['token'] = access_token
+        config['insecure'] = options['insecure']
+        config['version'] = Compliance::API.version(url, options['insecure'])
+        config.store
+      end
+
+      [success, msg]
+    end
+
+    def login_legacy(url, username, password, insecure)
+      config = Compliance::Configuration.new
+      success, data = Compliance::API.legacy_login_post(url+'/oauth/token', username, password, insecure)
+      if !data.nil?
+        tokendata = JSON.parse(data)
+        if tokendata['access_token']
+          config['server'] = url
+          config['user'] = username
+          config['token'] = tokendata['access_token']
+          config['insecure'] = insecure
+          config['version'] = Compliance::API.version(url, insecure)
+          config.store
+          success = true
+          msg = 'Successfully authenticated'
+        else
+          msg = 'Reponse does not include a token'
+        end
+      else
+        msg = "Authentication failed for Server: #{url}"
+      end
+      [success, msg]
+    end
+
+    # saves a user access token (limited time)
+    def store_access_token(url, user, token, insecure)
+      config = Compliance::Configuration.new
+      config['server'] = url
+      config['insecure'] = insecure
+      config['user'] = user
+      config['token'] = token
+      config['version'] = Compliance::API.version(url, insecure)
+      config.store
+
+      [true, 'access token stored']
+    end
+
+    # saves the a user refresh token supplied by the user
+    def store_refresh_token(url, refresh_token, verify, user, insecure)
+      config = Compliance::Configuration.new
+      config['server'] = url
+      config['refresh_token'] = refresh_token
+      config['user'] = user
+      config['insecure'] = insecure
+      config['version'] = Compliance::API.version(url, insecure)
+
+      if !verify
+        config.store
+        success = true
+        msg = 'refresh token stored'
+      else
+        success, msg, access_token = Compliance::API.post_refresh_token(url, refresh_token, insecure)
+        if success
+          config['token'] = access_token
+          config.store
+          msg = 'token verified and stored'
+        end
+      end
+
+      [success, msg]
+    end
   end
 
   # register the subcommand to Inspec CLI registry

data/lib/bundles/inspec-compliance/configuration.rb

@@ -47,7 +47,49 @@ module Compliance
 
     # deletes data
     def destroy
-      File.delete(@config_file)
+      if File.exist?(@config_file)
+        File.delete(@config_file)
+      else
+        true
+      end
+    end
+
+    # return if the (stored) api version does not support a certain feature
+    def supported?(feature)
+      sup = version_with_support(feature)
+
+      # we do not know the version, therefore we do not know if its possible to use the feature
+      return if self['version'].nil? || self['version']['version'].nil?
+
+      if sup.is_a?(Array)
+        Gem::Version.new(self['version']['version']) >= sup[0] &&
+          Gem::Version.new(self['version']['version']) < sup[1]
+      else
+        Gem::Version.new(self['version']['version']) >= sup
+      end
+    end
+
+    # exit 1 if the version of compliance that we're working with doesn't support odic
+    def legacy_check!(feature)
+      if !supported?(feature)
+        puts "This feature (#{feature}) is not available for legacy installations."
+        puts 'Please upgrade to a recent version of Chef Compliance.'
+        exit 1
+      end
+    end
+
+    private
+
+    # for a feature, returns either:
+    #  - a version v0:                      v supports v0       iff v0 <= v
+    #  - an array [v0, v1] of two versions: v supports [v0, v1] iff v0 <= v < v1
+    def version_with_support(feature)
+      case feature.to_sym
+      when :oidc
+        Gem::Version.new('0.16.19')
+      else
+        Gem::Version.new('0.0.0')
+      end
     end
   end
 end