kitchen-inspec 0.25.0 → 0.26.0

data/Gemfile

@@ -0,0 +1,37 @@
+# -*- encoding: utf-8 -*-
+source "https://rubygems.org"
+gemspec
+
+if Gem::Version.new(RUBY_VERSION) < Gem::Version.new("2.2.2")
+  gem "json", "< 2.0"
+  gem "rack", "< 2.0"
+  gem "ruby_dep", "< 1.4.0"
+  gem "listen", "< 3.0.0"
+end
+
+group :guard do
+  gem "guard-rspec",    :require => nil
+  gem "guard-rubocop",  :require => nil
+end
+
+group :test do
+  gem "bundler", "~> 1.10"
+  gem "minitest", "~> 5.5"
+  gem "rake", "~> 11.0"
+  gem "chefstyle", "0.4.0"
+  gem "concurrent-ruby", "~> 1.0"
+  gem "codeclimate-test-reporter", :require => nil
+  gem "rspec"
+  gem "simplecov", "~> 0.12"
+  gem "countloc", "~> 0.4"
+end
+
+group :integration do
+  gem "berkshelf", ">= 4.3.5"
+  gem "kitchen-dokken"
+end
+
+group :tools do
+  gem "pry", "~> 0.10"
+  gem "github_changelog_generator", "1.13.1"
+end

data/Guardfile

@@ -0,0 +1,23 @@
+# encoding: utf-8
+ignore %r{^\.gem/}
+
+def rspec_opts
+  { cmd: "bundle exec rspec" }
+end
+
+def rubocop_opts
+  { all_on_start: false, keep_failed: false, cli: "-r chefstyle" }
+end
+
+group :red_green_refactor, halt_on_fail: true do
+  guard :rspec, rspec_opts do
+    watch(%r{^spec/(.*)_spec\.rb})
+    watch(%r{^lib/(.*)([^/]+)\.rb})   { |m| "spec/#{m[1]}#{m[2]}_spec.rb" }
+    watch(%r{^spec/spec_helper\.rb})  { "spec" }
+  end
+
+  guard :rubocop, rubocop_opts do
+    watch(/.+\.rb$/)
+    watch(%r{(?:.+/)?\.rubocop\.yml$}) { |m| File.dirname(m[0]) }
+  end
+end

data/MAINTAINERS.md

@@ -0,0 +1,13 @@
+# Maintainers
+
+This file lists how the kitchen-inspec project is maintained. When making changes to the
+project, this file tells you who needs to review your patch - you need at least
+two maintainers to provide a :+1: on your pull request. Additionally, you need
+to not receive a veto from a Lieutenant or the Project Lead.
+Check out [How Chef is Maintained](https://github.com/chef/chef-rfc/blob/master/rfc030-maintenance-policy.md#how-the-project-is-maintained)
+for details on the process, how to become a maintainer, lieutenant, or the
+project lead.
+
+## List of Maintainers
+
+The [Maintainers of the InSpec project](https://github.com/chef/inspec/blob/master/MAINTAINERS.md) serve as maintainers of the kitchen-inspec project.

data/README.md

@@ -0,0 +1,275 @@
+# Kitchen::InSpec - A Test Kitchen Verifier for InSpec
+
+[![Build Status Master](https://travis-ci.org/inspec/kitchen-inspec.svg?branch=master)](https://travis-ci.org/inspec/kitchen-inspec) [![Gem Version](https://badge.fury.io/rb/kitchen-inspec.svg)](https://badge.fury.io/rb/kitchen-inspec)
+
+This is the kitchen driver for [InSpec](https://github.com/chef/inspec). To see the project in action, we have the following test-kitchen examples available:
+
+- [Chef and InSpec](https://github.com/inspec/inspec/tree/master/examples/kitchen-chef)
+- [Puppet and InSpec](https://github.com/inspec/inspec/tree/master/examples/kitchen-puppet)
+- [Ansible and InSpec](https://github.com/inspec/inspec/tree/master/examples/kitchen-ansible)
+
+## Installation
+
+`Note:` kitchen-inspec ships as part of ChefDK. Installation is not necessary for DK users.
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'kitchen-inspec'
+```
+
+And then execute:
+
+```shell
+$ bundle
+```
+
+Or install it yourself as:
+
+```shell
+$ gem install kitchen-inspec
+```
+
+## Usage
+
+In your .kitchen.yml include
+
+```yaml
+verifier:
+  name: inspec
+```
+
+Optionally specify sudo and sudo_command
+
+```yaml
+verifier:
+  name: inspec
+  sudo: true
+  sudo_command: 'skittles'
+```
+
+You can also specify the host and port to be used by InSpec when targeting the node. Otherwise, it defaults to the hostname and port used by kitchen for converging.
+
+```yaml
+verifier:
+  name: inspec
+  host: 192.168.56.40
+  port: 22
+```
+
+### Expected Directory Structure
+
+By default `kitchen-inspec` expects test to be in `test/integration/%suite%` directory structure (we use Chef as provisioner here):
+
+```
+.
+├── Berksfile
+├── Gemfile
+├── README.md
+├── metadata.rb
+├── recipes
+│   ├── default.rb
+│   └── nginx.rb
+└── test
+    └── integration
+        └── default
+            └── web_spec.rb
+```
+
+#### Directory Structure with complete profile
+
+A complete profile is used here, including a custom InSpec resource named `gordon_config`:
+
+```
+.
+├── Berksfile
+├── Gemfile
+├── README.md
+├── metadata.rb
+├── recipes
+│   ├── default.rb
+│   └── nginx.rb
+└── test
+    └── integration
+        └── default
+            ├── controls
+            │   └── gordon.rb
+            ├── inspec.yml
+            └── libraries
+                └── gordon_config.rb
+```
+
+#### Combination with other testing frameworks
+
+If you need support with other testing frameworks, we recommend to place the tests in `test/integration/%suite%/inspec`:
+
+```
+.
+├── Berksfile
+├── Gemfile
+├── README.md
+├── metadata.rb
+├── recipes
+│   ├── default.rb
+│   └── nginx.rb
+└── test
+    └── integration
+        └── default
+            └── inspec
+                └── web_spec.rb
+```
+
+### Specifying the Sudo Command
+
+You can enable/disable sudo and set your own custom sudo command.
+
+```yaml
+verifier:
+  name: inspec
+  sudo: true
+  sudo_command: 'skittles'
+```
+
+### Custom Host Settings
+
+You can also specify the host, port, and proxy settings to be used by InSpec when targeting the node. Otherwise, it defaults to the hostname and port used by kitchen for converging.
+
+```yaml
+verifier:
+  name: inspec
+  host: 192.168.56.40
+  port: 22
+  proxy_command: ssh user@1.2.3.4 -W %h:%p
+```
+
+### Custom Outputs
+
+If you want to customize the output file per platform or test suite you can use template format for your output variable. Current flags supported:
+
+- _%{platform}_
+- _%{suite}_
+
+```yaml
+verifier:
+  name: inspec
+  reporter:
+    - cli
+    - junit:path/to/results/%{platform}_%{suite}_inspec.xml
+```
+
+You can also decide to only run specific controls, instead of a full profile. This is done by specifying a list of controls:
+
+```yaml
+suites:
+  - name: supermarket
+    run_list:
+      - recipe[apt]
+      - recipe[ssh-hardening]
+    verifier:
+      inspec_tests:
+        - name: dev-sec/ssh-baseline
+      controls:
+        - sshd-46
+    ...
+```
+
+### Use remote InSpec profiles
+
+In case you want to reuse tests across multiple cookbooks, they should become an extra artifact independent of a Chef cookbook, called [InSpec profiles](https://github.com/inspec/inspec/blob/master/docs/profiles.md). Those can be easily added to existing local tests as demonstrated in previous sections. To include remote profiles, adapt the `verifier` attributes in `.kitchen.yml`
+
+```yaml
+suites:
+  - name: default
+    verifier:
+      inspec_tests:
+        - name: ssh-hardening
+          url: https://github.com/dev-sec/tests-ssh-hardening
+```
+
+`inspec_tests` accepts all values that `inspec exec profile` would expect. We support:
+
+- local directory eg. `path: /path/to/profile`
+- github url `git: https://github.com/dev-sec/tests-ssh-hardening.git`
+- Chef Supermarket `name: hardening/ssh-hardening` # defaults to supermarket (list all available profiles with `inspec supermarket profiles`)
+- Chef Compliance `name: ssh` `compliance: base/ssh`
+
+The following example illustrates the usage in a `.kitchen.yml`
+
+```yaml
+suites:
+  - name: contains_inspec
+    run_list:
+      - recipe[apt]
+      - recipe[yum]
+      - recipe[ssh-hardening]
+      - recipe[os-hardening]
+    verifier:
+      inspec_tests:
+        - path: path/to/some/local/tests
+        - name: ssh-hardening
+          url: https://github.com/dev-sec/tests-ssh-hardening/archive/master.zip
+        - name: os-hardening
+          git: https://github.com/dev-sec/tests-os-hardening.git
+  - name: supermarket
+    run_list:
+      - recipe[apt]
+      - recipe[yum]
+      - recipe[ssh-hardening]
+    verifier:
+      inspec_tests:
+        - name: hardening/ssh-hardening  # name only defaults to supermarket
+        - name: ssh-supermarket  # alternatively, you can explicitly specify that the profile is from supermarket in this way
+          supermarket: hardening/ssh-hardening
+          supermarket_url: http://supermarket.example.com
+  # before you are able to use the compliance plugin, you need to run
+  # insecure is only required if you use self-signed certificates
+  # $ inspec compliance login https://compliance.test --user admin --insecure --token ''
+  - name: compliance
+    run_list:
+      - recipe[apt]
+      - recipe[yum]
+      - recipe[ssh-hardening]
+    verifier:
+      inspec_tests:
+        - name: ssh
+          compliance: base/ssh
+```
+
+### Use attributes with your inspec profiles
+
+To run a profile with attributes defined inline, you can adapt your `.kitchen.yml`:
+
+```yaml
+    verifier:
+      inspec_tests:
+        - path: test/integration/attributes
+      attributes:
+        user: bob
+        password: secret
+```
+
+You can also define your attributes in an external file. Adapt your `.kitchen.yml` to point to that file:
+
+```yaml
+    verifier:
+      inspec_tests:
+        - path: test/integration/attributes
+      attrs:
+        - test/integration/profile-attribute.yml
+```
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at <https://github.com/inspec/kitchen-inspec>.
+
+## License
+
+Apache 2.0 (see [LICENSE])
+
+[license]: https://github.com/inspec/kitchen-inspec/blob/master/LICENSE

data/Rakefile

@@ -0,0 +1,129 @@
+# -*- encoding: utf-8 -*-
+
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+require "chefstyle"
+require "rubocop/rake_task"
+
+# Specs
+RSpec::Core::RakeTask.new(:spec)
+
+desc "Run all test suites"
+task :test => [:spec]
+
+# Rubocop
+desc "Run Rubocop lint checks"
+task :rubocop do
+  RuboCop::RakeTask.new
+end
+
+# lint the project
+desc "Run robocop linter"
+task lint: [:rubocop]
+
+desc "Display LOC stats"
+task :stats do
+  puts "\n## Production Code Stats"
+  sh "countloc -r lib/kitchen"
+  puts "\n## Test Code Stats"
+  sh "countloc -r spec"
+end
+
+desc "Run all quality tasks"
+task :quality => [:lint, :stats]
+
+task :default => [:test, :quality]
+
+# Automatically generate a changelog for this project. Only loaded if
+# the necessary gem is installed.
+begin
+  require "github_changelog_generator/task"
+  GitHubChangelogGenerator::RakeTask.new :changelog
+rescue LoadError
+  puts ">>>>> GitHub Changelog Generator not loaded, omitting tasks"
+end
+
+# Print the current version of this gem or update it.
+#
+# @param [Type] target the new version you want to set, or nil if you only want to show
+def kitchen_inspec_version(target = nil)
+  path = "lib/kitchen/verifier/inspec_version.rb"
+  require_relative path.sub(/.rb$/, "")
+
+  nu_version = target.nil? ? "" : " -> #{target}"
+  puts "Kitchen-inspec: #{Kitchen::Verifier::INSPEC_VERSION}#{nu_version}"
+
+  unless target.nil?
+    raw = File.read(path)
+    nu = raw.sub(/INSPEC_VERSION.*/, "INSPEC_VERSION = \"#{target}\"")
+    File.write(path, nu)
+    load(path)
+  end
+end
+
+# Check if a command is available
+#
+# @param [Type] x the command you are interested in
+# @param [Type] msg the message to display if the command is missing
+def require_command(x, msg = nil)
+  return if system("command -v #{x} || exit 1")
+  msg ||= "Please install it first!"
+  puts "\033[31;1mCan't find command #{x.inspect}. #{msg}\033[0m"
+  exit 1
+end
+
+# Check if a required environment variable has been set
+#
+# @param [String] x the variable you are interested in
+# @param [String] msg the message you want to display if the variable is missing
+def require_env(x, msg = nil)
+  exists = `env | grep "^#{x}="`
+  return unless exists.empty?
+  puts "\033[31;1mCan't find environment variable #{x.inspect}. #{msg}\033[0m"
+  exit 1
+end
+
+# Check the requirements for running an update of this repository.
+def check_update_requirements
+  require_command "git"
+  require_command "github_changelog_generator", "\n"\
+    "For more information on how to install it see:\n"\
+    "  https://github.com/skywinder/github-changelog-generator\n"
+  require_env "CHANGELOG_GITHUB_TOKEN", "\n"\
+    "Please configure this token to make sure you can run all commands\n"\
+    "against GitHub.\n\n"\
+    "See github_changelog_generator homepage for more information:\n"\
+    "  https://github.com/skywinder/github-changelog-generator\n"
+end
+
+# Show the current version of this gem.
+desc "Show the version of this gem"
+task :version do
+  kitchen_inspec_version
+end
+
+desc "Generate the changelog"
+task :changelog do
+  require_relative "lib/kitchen/verifier/inspec_version"
+  system "github_changelog_generator -u chef -p kitchen-inspec --future-release #{Kitchen::Verifier::INSPEC_VERSION}"
+end
+
+# Update the version of this gem and create an updated
+# changelog. It covers everything short of actually releasing
+# the gem.
+desc "Bump the version of this gem"
+task :bump_version, [:version] do |_, args|
+  v = args[:version] || ENV["to"]
+  raise "You must specify a target version!  rake release[1.2.3]" if v.empty?
+  check_update_requirements
+  kitchen_inspec_version(v)
+  Rake::Task["changelog"].invoke
+end
+
+namespace :test do
+  task :integration do
+    concurrency = ENV["CONCURRENCY"] || 1
+    os = ENV["OS"] || ""
+    sh("sh", "-c", "bundle exec kitchen test -c #{concurrency} #{os}")
+  end
+end