puppet_auditor 0.1.0 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9f19c4e65cec6c68311283a645f82a70c5972713a8914998f90980c72ac46d9e
-  data.tar.gz: 2fcfd26e374196b17aae75102910375efa8f32b25672d2d5de2d4f12effce9e9
+  metadata.gz: 84f7e5cffe4df624ca9e10438b1d30199fc56560c954a0eab2bb166b8cc46cf7
+  data.tar.gz: be50f8f05976de06718e2285de06ab04d0af18856b6aceb3be42bf7125392aa0
 SHA512:
-  metadata.gz: 68f90d008056423702b399e106c75518ffe4e5b44f209a708239f557cc460665a96f7bc4fe4d5efce1b0e7368ef1818a6a4a806d7401e7eb6bf2f4d87bdb74dc
-  data.tar.gz: '08c51f70e10d0c21edf941cbb9a9414b0c73e7e8367fdf3f35e18897b25b07550e481243a724334b172e91a0cac12e7ccf48fe2f9765bba925ccd63814b7495e'
+  metadata.gz: 7f0c3058f2a7765dd714e1ed28a45c77d755eb8494771d55f5d46749a29fd072b891d9a28bc2a5d627a4fec47942bfd8b41282d704e4e67a155f17e02d76188f
+  data.tar.gz: 523be5ff715b774b387eb99b786608da7fe952d83a6d9a454db8c8a96057c738c79d5fbd904011ac3328d0c064092ba95c12bf30b446ab00f87b07ccc04c263c

data/Gemfile.lock

@@ -1,21 +1,28 @@
 PATH
   remote: .
   specs:
-    puppet_auditor (0.1.0)
+    puppet_auditor (0.2.0)
+      puppet (~> 5.5)
       puppet-lint (>= 1.1, < 3.0)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    coderay (1.1.2)
     diff-lcs (1.3)
     docile (1.3.0)
+    facter (2.5.1)
+    fast_gettext (1.1.2)
+    hiera (3.4.4)
     json (2.1.0)
-    method_source (0.9.0)
-    pry (0.11.3)
-      coderay (~> 1.1.0)
-      method_source (~> 0.9.0)
-    puppet-lint (2.3.5)
+    locale (2.1.2)
+    multi_json (1.13.1)
+    puppet (5.5.6)
+      facter (> 2.0.1, < 4)
+      fast_gettext (~> 1.1.2)
+      hiera (>= 3.2.1, < 4)
+      locale (~> 2.1)
+      multi_json (~> 1.10)
+    puppet-lint (2.3.6)
     rake (10.5.0)
     rspec (3.7.0)
       rspec-core (~> 3.7.0)
@@ -46,7 +53,6 @@ PLATFORMS
 
 DEPENDENCIES
   bundler (~> 1.16)
-  pry
   puppet_auditor!
   rake (~> 10.0)
   rspec (~> 3.0)

data/README.md

@@ -1,3 +1,6 @@
+[![Build Status](https://travis-ci.org/instruct-br/puppet_auditor.svg?branch=master)](https://travis-ci.org/instruct-br/puppet_auditor)
+[![Gem Version](https://badge.fury.io/rb/puppet_auditor.svg)](https://badge.fury.io/rb/puppet_auditor)
+
 # PuppetAuditor
 
 PuppetAuditor is a tool to test Puppet manifests against a set of defined rules.

data/lib/puppet_auditor/cli.rb

@@ -1,7 +1,15 @@
 module PuppetAuditor
   class Cli
+
+    @@path = ''
+
+    def self.path
+      @@path
+    end
+
     def initialize(args)
       @checks = []
+
       OptionParser.new do |opts|
         opts.banner = "Usage: puppet_auditor [options]"
 
@@ -30,6 +38,9 @@ module PuppetAuditor
         load_checks('~/.puppet_auditor.yaml')   if user_default && ENV.key?('HOME')
         load_checks('.puppet_auditor.yaml')     if project_default
         load_checks(specific_yaml_rules)        if specific_yaml_rules
+
+        @@path = File.expand_path('.')
+
       end.parse!
     end
 

data/lib/puppet_auditor/lint_plugin.rb

@@ -1,3 +1,5 @@
+require 'puppet'
+
 module PuppetAuditor
   class LintPlugin < PuppetLint::CheckPlugin
 
@@ -14,17 +16,112 @@ module PuppetAuditor
 
     def initialize
       super
-      @resource   = self.class::RESOURCE
-      @attributes = self.class::ATTRIBUTES
-      @message    = self.class::MESSAGE
+      @resource         = self.class::RESOURCE
+      @attributes       = self.class::ATTRIBUTES
+      @message          = self.class::MESSAGE
+      @scoped_variables = { 'global' => {} }
+      @scopes           = {}
     end
 
     def check
+      discover_scopes
+      build_scope
+      scan_variables
       resource_indexes.each { |resource| resource_block(resource) if resource[:type].value == @resource }
     end
 
     private
 
+    def build_scope
+      Puppet.settings[:hiera_config] = File.join(PuppetAuditor::Cli.path, 'hiera.yaml')
+
+      env = Puppet::Node::Environment.create(:_p_auditor, [])
+      node = Puppet::Node.new('localhost', environment: env)
+      Puppet.push_context({environments: Puppet::Environments::Static.new(env)})
+      compiler = Puppet::Parser::Compiler.new(node)
+      @scope = compiler.topscope
+    end
+
+    def lookup(key)
+      Puppet::Pops::Lookup.lookup(key, nil, nil, false, :default, Puppet::Pops::Lookup::Invocation.new(@scope, {}, {}))
+    end
+
+    def class_scopes
+      class_indexes.each do |class_hash|
+        class_name = class_hash[:tokens].first.next_code_token
+        # class name { -> :NAME
+        #   (...)
+        # }
+        #
+        # class name( -> :FUNCTION_NAME
+        #   Type $parameter = 'default',
+        # ) {
+        #   (...)
+        # }
+        if class_name.type == :NAME || class_name.type == :FUNCTION_NAME
+          @scopes["class_#{class_name.value}"] = [class_hash[:start], class_hash[:end]]
+          @scoped_variables["class_#{class_name.value}"] = {}
+        end
+      end
+    end
+
+    def defined_type_scopes
+      defined_type_indexes.each do |defined_type_hash|
+        defined_type_name = defined_type_hash[:tokens].first.next_code_token
+        if defined_type_name.type == :NAME
+          @scopes["dtype_#{defined_type_name.value}"] = [defined_type_hash[:start], defined_type_hash[:end]]
+          @scoped_variables["dtype_#{defined_type_name.value}"] = {}
+        end
+      end
+    end
+
+    def node_scopes
+      node_indexes.each do |node_hash|
+        node_name = node_hash[:tokens].first.next_code_token
+        if node_name.type == :SSTRING
+          @scopes["node_#{node_name.value}"] = [node_hash[:start], node_hash[:end]]
+          @scoped_variables["node_#{node_name.value}"] = {}
+        end
+      end
+    end
+
+    def scope(index)
+      @scopes.sort_by { |name, range|
+        if name.start_with?('class')
+          0
+        elsif name.start_with?('dtype')
+          1
+        elsif name.start_with?('node')
+          2
+        else
+          3
+        end
+      }.find(-> { ['global'] }) { |name, range| index.between?(*range) }.first
+    end
+
+    def token_index(unknown)
+      tokens.find_index { |indexed| indexed.line == unknown.line && indexed.column == unknown.column }
+    end
+
+    def discover_scopes
+      class_scopes
+      defined_type_scopes
+      node_scopes
+    end
+
+    def scan_variables
+      # This method works because:
+      # - "variable assignments are evaluation-order dependent"
+      # - "Unlike most other languages, Puppet only allows a given variable to be assigned once within a given scope"
+      #
+      # See: https://puppet.com/docs/puppet/5.5/lang_variables.html
+      tokens.each_with_index do |token, index|
+        if token.type == :VARIABLE && token.next_code_token.type == :EQUALS
+          @scoped_variables[scope(index)][token.value] = cast_token(token.next_code_token.next_code_token)
+        end
+      end
+    end
+
     def resource_block(resource)
       @attributes.each do |attribute_name, comparison_rules|
         attribute = resource[:tokens].find { |t| t.type == :NAME && t.value == attribute_name && t.next_code_token.type == :FARROW }
@@ -63,12 +160,27 @@ module PuppetAuditor
         while next_token.type != :DQPOST
           next_token = next_token.next_code_token
           if next_token.type == :VARIABLE
-            full_str += "${#{next_token.value}}"
+            full_str += cast_token(next_token) || "${#{next_token.value}}"
           else
             full_str += next_token.value
           end
         end
         full_str
+      when :VARIABLE
+        @scoped_variables[scope(token_index(token))][token.value]
+      when :NAME, :FUNCTION_NAME
+        if token.value == 'hiera' || token.value == 'lookup'
+          next_token = token
+          while next_token.type != :SSTRING && next_token.type != :RPAREN
+            next_token = next_token.next_code_token
+            if next_token.type == :SSTRING
+              return lookup(next_token.value)
+            elsif next_token.type == :NAME || next_token.type == :FUNCTION_NAME
+              return lookup(cast_token(next_token))
+            end
+          end
+        end
+        token.value
       else
         token.value
       end

data/lib/puppet_auditor/version.rb

@@ -1,3 +1,3 @@
 module PuppetAuditor
-  VERSION = "0.1.0"
+  VERSION = "0.2.0"
 end

data/puppet_auditor.gemspec

@@ -26,6 +26,7 @@ Gem::Specification.new do |spec|
   spec.require_paths  = ["lib"]
 
   spec.add_dependency 'puppet-lint', '>= 1.1', '< 3.0'
+  spec.add_dependency 'puppet', '~> 5.5'
 
   spec.add_development_dependency "bundler", "~> 1.16"
   spec.add_development_dependency "rake", "~> 10.0"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puppet_auditor
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - Oscar Esgalha
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-04-26 00:00:00.000000000 Z
+date: 2018-08-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: puppet-lint
@@ -30,6 +30,20 @@ dependencies:
     - - "<"
       - !ruby/object:Gem::Version
         version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: puppet
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.5'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.5'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement