2016-03-25 00:31:19 +00:00
# encoding: utf-8
# author: Dominik Richter
# author: Christoph Hartmann
require 'functional/helper'
describe 'inspec exec' do
include FunctionalHelper
it 'can execute the profile' do
2016-09-21 21:22:53 +00:00
out = inspec ( 'exec ' + example_profile + ' --no-create-lockfile' )
2016-03-25 00:31:19 +00:00
out . stderr . must_equal ''
2018-02-14 16:54:20 +00:00
out . exit_status . must_equal 101
2016-06-15 17:27:56 +00:00
stdout = out . stdout . force_encoding ( Encoding :: UTF_8 )
2016-11-23 23:09:12 +00:00
stdout . must_include " \e [38;5;41m ✔ ssh-1: Allow only SSH Protocol 2 \e [0m \n "
stdout . must_include " \e [38;5;41m ✔ tmp-1.0: Create /tmp directory \e [0m \n "
2016-06-15 20:17:59 +00:00
stdout . must_include "
2016-11-23 23:09:12 +00:00
\ e [ 38 ; 5 ; 247 m ↺ gordon - 1 . 0 : Verify the version number of Gordon ( 1 skipped ) \ e [ 0 m
2018-04-05 12:50:49 +00:00
\ e [ 38 ; 5 ; 247 m ↺ Can ' t find file ` /tmp/gordon/config.yaml ` \ e [ 0 m
2016-06-15 20:17:59 +00:00
"
2017-08-23 14:29:09 +00:00
stdout . must_include " \n Profile Summary: \e [38;5;41m2 successful controls \e [0m, 0 control failures, \e [38;5;247m1 control skipped \e [0m \n "
stdout . must_include " \n Test Summary: \e [38;5;41m4 successful \e [0m, 0 failures, \e [38;5;247m1 skipped \e [0m \n "
2016-03-25 00:31:19 +00:00
end
2016-06-14 12:41:45 +00:00
it 'executes a minimum metadata-only profile' do
2016-09-21 21:22:53 +00:00
out = inspec ( 'exec ' + File . join ( profile_path , 'simple-metadata' ) + ' --no-create-lockfile' )
2016-03-25 00:31:19 +00:00
out . stderr . must_equal ''
out . exit_status . must_equal 0
2016-06-14 12:41:45 +00:00
out . stdout . must_equal "
Profile : yumyum profile
2017-02-13 18:04:46 +00:00
Version : ( not specified )
2016-06-16 07:19:25 +00:00
Target : local : / /
2016-06-14 12:41:45 +00:00
2017-05-01 23:18:23 +00:00
No tests executed .
2016-06-14 12:41:45 +00:00
2017-08-23 14:29:09 +00:00
Test Summary : 0 successful , 0 failures , 0 skipped
2016-06-14 12:41:45 +00:00
"
2016-03-25 00:31:19 +00:00
end
2018-03-08 20:45:59 +00:00
it 'can execute the profile and write to directory' do
outpath = Dir . tmpdir
out = inspec ( " exec #{ example_profile } --no-create-lockfile --reporter json: #{ outpath } /foo/bar/test.json " )
out . stderr . must_equal ''
out . exit_status . must_equal 101
File . exist? ( " #{ outpath } /foo/bar/test.json " ) . must_equal true
File . stat ( " #{ outpath } /foo/bar/test.json " ) . size . must_be :> , 0
end
2016-06-14 12:41:45 +00:00
it 'executes a metadata-only profile' do
2016-09-21 21:22:53 +00:00
out = inspec ( 'exec ' + File . join ( profile_path , 'complete-metadata' ) + ' --no-create-lockfile' )
2016-03-25 00:31:19 +00:00
out . stderr . must_equal ''
out . exit_status . must_equal 0
2016-06-14 12:41:45 +00:00
out . stdout . must_equal "
Profile : title ( name )
Version : 1 . 2 . 3
2016-06-16 07:19:25 +00:00
Target : local : / /
2016-06-14 12:41:45 +00:00
2017-05-01 23:18:23 +00:00
No tests executed .
2016-06-14 12:41:45 +00:00
2017-08-23 14:29:09 +00:00
Test Summary : 0 successful , 0 failures , 0 skipped
2016-06-14 12:41:45 +00:00
"
2016-03-25 00:31:19 +00:00
end
2016-09-06 23:40:07 +00:00
it " executes a profile and reads attributes " do
2016-09-21 21:22:53 +00:00
out = inspec ( " exec #{ File . join ( examples_path , 'profile-attribute' ) } --no-create-lockfile --attrs #{ File . join ( examples_path , " profile-attribute.yml " ) } " )
2016-09-06 23:40:07 +00:00
out . stderr . must_equal ''
out . exit_status . must_equal 0
2017-08-23 14:29:09 +00:00
out . stdout . force_encoding ( Encoding :: UTF_8 ) . must_include " Test Summary: \e [38;5;41m2 successful \e [0m, 0 failures, 0 skipped "
2016-09-06 23:40:07 +00:00
end
2016-06-14 12:41:45 +00:00
it 'executes a specs-only profile' do
2016-09-21 21:22:53 +00:00
out = inspec ( 'exec ' + File . join ( profile_path , 'spec_only' ) + ' --no-create-lockfile' )
2016-04-11 14:30:35 +00:00
out . stderr . must_equal ''
2018-02-14 16:54:20 +00:00
out . exit_status . must_equal 100
2016-09-04 16:57:03 +00:00
out . stdout . force_encoding ( Encoding :: UTF_8 ) . must_include " Target: local:// "
2018-02-08 09:06:58 +00:00
out . stdout . force_encoding ( Encoding :: UTF_8 ) . must_include " working "
out . stdout . force_encoding ( Encoding :: UTF_8 ) . must_include " ✔ should eq \" working \" "
2016-09-20 16:03:43 +00:00
out . stdout . force_encoding ( Encoding :: UTF_8 ) . must_include " skippy \n "
2016-11-23 04:26:02 +00:00
out . stdout . force_encoding ( Encoding :: UTF_8 ) . must_include " ↺ This will be skipped intentionally "
2018-02-08 09:06:58 +00:00
out . stdout . force_encoding ( Encoding :: UTF_8 ) . must_include " failing "
2018-02-14 16:54:20 +00:00
out . stdout . force_encoding ( Encoding :: UTF_8 ) . must_include " × should eq \" as intended \" "
2017-08-23 14:29:09 +00:00
out . stdout . force_encoding ( Encoding :: UTF_8 ) . must_include " Test Summary: \e [38;5;41m1 successful \e [0m, \e [38;5;9m1 failure \e [0m, \e [38;5;247m1 skipped \e [0m \n "
2016-04-11 14:30:35 +00:00
end
2016-06-14 12:41:45 +00:00
it 'executes only specified controls' do
2016-09-21 21:22:53 +00:00
out = inspec ( 'exec ' + example_profile + ' --no-create-lockfile --controls tmp-1.0' )
2016-04-11 14:30:35 +00:00
out . stderr . must_equal ''
out . exit_status . must_equal 0
2017-08-23 14:29:09 +00:00
out . stdout . must_include " \n Profile Summary: \e [38;5;41m1 successful control \e [0m, 0 control failures, 0 controls skipped \n "
2016-04-11 14:30:35 +00:00
end
2016-06-14 12:41:45 +00:00
it 'can execute a simple file with the default formatter' do
2016-09-21 21:22:53 +00:00
out = inspec ( 'exec ' + example_control + ' --no-create-lockfile' )
2016-06-14 12:41:45 +00:00
out . stderr . must_equal ''
out . exit_status . must_equal 0
2017-08-23 14:29:09 +00:00
out . stdout . must_include " \n Profile Summary: \e [38;5;41m1 successful control \e [0m, 0 control failures, 0 controls skipped \n "
out . stdout . must_include " \n Test Summary: \e [38;5;41m2 successful \e [0m, 0 failures, 0 skipped \n "
2016-03-25 00:31:19 +00:00
end
2016-04-05 16:07:00 +00:00
describe 'with a profile that is not supported on this OS/platform' do
2016-09-21 21:22:53 +00:00
let ( :out ) { inspec ( 'exec ' + File . join ( profile_path , 'skippy-profile-os' ) + ' --no-create-lockfile' ) }
2016-04-05 16:07:00 +00:00
let ( :json ) { JSON . load ( out . stdout ) }
2016-04-17 00:04:10 +00:00
it 'exits with an error' do
2016-09-07 11:10:35 +00:00
out . stderr . must_match ( / ^This OS \/ platform \ (.+ \ ) is not supported by this profile.$ / )
2016-04-17 00:04:10 +00:00
out . exit_status . must_equal 1
2016-04-05 16:07:00 +00:00
end
2016-04-17 00:04:10 +00:00
end
2016-04-05 16:07:00 +00:00
2016-09-20 16:03:43 +00:00
describe 'with a profile that contains skipped controls' do
let ( :out ) { inspec ( 'exec ' + File . join ( profile_path , 'skippy-controls' ) + ' --no-create-lockfile' ) }
let ( :json ) { JSON . load ( out . stdout ) }
it 'exits with an error' do
2016-11-23 23:09:12 +00:00
out . stdout . force_encoding ( Encoding :: UTF_8 ) . must_include " skippy \e [0m \n \e [38;5;247m ↺ This will be skipped super intentionally. \e [0m \n "
out . stdout . force_encoding ( Encoding :: UTF_8 ) . must_include " ↺ CONTROL database: MySQL Session \e [0m \n \e [38;5;247m ↺ Can't run MySQL SQL checks without authentication \e [0m \n "
2017-08-23 14:29:09 +00:00
out . stdout . force_encoding ( Encoding :: UTF_8 ) . must_include " Profile Summary: 0 successful controls, 0 control failures, \e [38;5;247m2 controls skipped \e [0m \n Test Summary: 0 successful, 0 failures, \e [38;5;247m2 skipped \e [0m \n "
2018-02-14 16:54:20 +00:00
out . exit_status . must_equal 101
2016-09-20 16:03:43 +00:00
end
end
2018-02-16 20:15:53 +00:00
describe 'with a profile that contains skipped resources' do
let ( :out ) { inspec ( 'exec ' + File . join ( profile_path , 'aws-profile' ) ) }
let ( :stdout ) { out . stdout . force_encoding ( Encoding :: UTF_8 ) }
it 'exits with an error' do
stdout . must_include 'Resource Aws_iam_users is not supported on platform'
stdout . must_include 'Resource Aws_iam_access_keys is not supported on platform'
stdout . must_include 'Resource Aws_s3_bucket is not supported on platform'
stdout . must_include '3 skipped'
out . exit_status . must_equal 101
end
end
2016-04-16 19:34:23 +00:00
describe 'with a profile that is supported on this version of inspec' do
2016-09-21 21:22:53 +00:00
let ( :out ) { inspec ( 'exec ' + File . join ( profile_path , 'supported_inspec' ) + ' --no-create-lockfile' ) }
2016-04-16 19:34:23 +00:00
it 'exits cleanly' do
out . stderr . must_equal ''
out . exit_status . must_equal 0
end
end
describe 'with a profile that is not supported on this version of inspec' do
2016-09-21 21:22:53 +00:00
let ( :out ) { inspec ( 'exec ' + File . join ( profile_path , 'unsupported_inspec' ) + ' --no-create-lockfile' ) }
2016-04-16 19:34:23 +00:00
it 'does not support this profile' do
out . exit_status . must_equal 1
out . stderr . must_equal " This profile requires InSpec version >= 99.0.0. You are running InSpec v #{ Inspec :: VERSION } . \n "
end
end
2016-06-03 19:36:16 +00:00
describe 'with a profile that loads a library and reference' do
2016-09-21 21:22:53 +00:00
let ( :out ) { inspec ( 'exec ' + File . join ( profile_path , 'library' ) + ' --no-create-lockfile' ) }
2016-06-03 19:36:16 +00:00
it 'executes the profile without error' do
out . exit_status . must_equal 0
end
end
2016-08-22 15:57:33 +00:00
describe 'given a profile with controls and anonymous describe blocks' do
2016-09-21 21:22:53 +00:00
let ( :out ) { inspec ( 'exec ' + example_control + ' --no-create-lockfile' ) }
2016-08-22 15:57:33 +00:00
it 'prints the control results, then the anonymous describe block results' do
2017-11-09 11:32:54 +00:00
out . stdout . force_encoding ( Encoding :: UTF_8 ) . must_match ( %r{ Profile: tests from .*examples.profile.controls.example.rb } )
2017-02-13 18:04:46 +00:00
out . stdout . force_encoding ( Encoding :: UTF_8 ) . must_include "
Version : ( not specified )
2016-08-22 15:57:33 +00:00
Target : local : / /
2016-11-23 23:09:12 +00:00
\ e [ 38 ; 5 ; 41 m \ xE2 \ x9C \ x94 tmp - 1 . 0 : Create / tmp directory \ e[0m
\ e [ 38 ; 5 ; 41 m \ xE2 \ x9C \ x94 File / tmp should be directory \ e[0m
2016-08-22 15:57:33 +00:00
File / tmp
2016-11-23 23:09:12 +00:00
\ e [ 38 ; 5 ; 41 m \ xE2 \ x9C \ x94 should be directory \ e [ 0 m
2016-08-22 15:57:33 +00:00
2017-08-23 14:29:09 +00:00
Profile Summary : \ e [ 38 ; 5 ; 41 m1 successful control \ e [ 0 m , 0 control failures , 0 controls skipped
Test Summary : \ e [ 38 ; 5 ; 41 m2 successful \ e [ 0 m , 0 failures , 0 skipped \ n "
2016-08-22 15:57:33 +00:00
end
end
2016-09-01 12:25:56 +00:00
describe 'given a profile with an anonymous describe block' do
2016-09-21 21:22:53 +00:00
let ( :out ) { inspec ( 'exec ' + failure_control + ' --no-create-lockfile' ) }
2016-09-01 12:25:56 +00:00
it 'prints the exception message when a test has a syntax error' do
out . stdout . must_include " undefined method `should_nota' "
end
end
2016-09-01 22:54:03 +00:00
describe 'given an inherited profile that has more that one test per control block' do
2016-09-21 21:22:53 +00:00
let ( :out ) { inspec ( 'exec ' + simple_inheritance + ' --no-create-lockfile' ) }
2016-09-01 22:54:03 +00:00
it 'should print all the results' do
2016-11-23 04:26:02 +00:00
out . stdout . force_encoding ( Encoding :: UTF_8 ) . must_include " × tmp-1.0: Create /tmp directory (1 failed)\e [0m "
2018-02-14 16:54:20 +00:00
out . stdout . force_encoding ( Encoding :: UTF_8 ) . must_include " × should not be directory\n "
out . stdout . force_encoding ( Encoding :: UTF_8 ) . must_include " × undefined method `should_nota'"
out . stdout . force_encoding ( Encoding :: UTF_8 ) . must_include " × should not be directory\n expected `File /tmp.directory?` to return false, got true \e [0m "
out . stdout . force_encoding ( Encoding :: UTF_8 ) . must_include " × 7 should cmp >= 9\n "
out . stdout . force_encoding ( Encoding :: UTF_8 ) . must_include " × 7 should not cmp == /^\\ d$/ \n "
2016-10-05 18:01:24 +00:00
out . stdout . force_encoding ( Encoding :: UTF_8 ) . must_include " ✔ 7 should cmp == \" 7 \" "
2016-10-11 10:00:24 +00:00
out . stdout . force_encoding ( Encoding :: UTF_8 ) . must_include " expected: \" 01147 \"
got : \ " 01777 \" \n "
2016-09-01 22:54:03 +00:00
end
end
2016-09-02 16:33:21 +00:00
describe 'when passing in two profiles given an inherited profile that has more that one test per control block' do
2016-09-21 21:22:53 +00:00
let ( :out ) { inspec ( 'exec ' + File . join ( profile_path , 'dependencies' , 'profile_d' ) + ' ' + simple_inheritance + ' --no-create-lockfile' ) }
2016-09-02 16:33:21 +00:00
it 'should print all the results' do
2016-11-23 04:26:02 +00:00
out . stdout . force_encoding ( Encoding :: UTF_8 ) . must_include " × tmp-1.0: Create /tmp directory (1 failed)\e [0m "
2018-02-14 16:54:20 +00:00
out . stdout . force_encoding ( Encoding :: UTF_8 ) . must_include " × should not be directory"
out . stdout . force_encoding ( Encoding :: UTF_8 ) . must_include " × undefined method `should_nota'"
out . stdout . force_encoding ( Encoding :: UTF_8 ) . must_include " × should not be directory\n expected `File /tmp.directory?` to return false, got true \e [0m "
2016-09-02 16:33:21 +00:00
out . stdout . force_encoding ( Encoding :: UTF_8 ) . must_include " ✔ profiled-1: Create /tmp directory (profile d) "
2016-09-15 00:10:06 +00:00
end
end
2016-09-26 16:10:43 +00:00
describe 'given an inherited profile' do
let ( :out ) { inspec ( 'exec ' + simple_inheritance ) }
it 'should print the profile information and then the test results' do
2016-11-30 09:20:37 +00:00
out . stdout . force_encoding ( Encoding :: UTF_8 ) . must_include " \e [38;5;9m × tmp-1.0: Create /tmp directory (1 failed) \e [0m \n \e [38;5;41m ✔ File /tmp should be directory \e [0m \n \e [38;5;9m × File /tmp should not be directory \n "
2016-09-26 16:10:43 +00:00
end
end
2016-09-15 07:54:15 +00:00
describe 'using namespaced resources' do
it 'works' do
2016-09-21 21:22:53 +00:00
out = inspec ( 'exec ' + File . join ( profile_path , 'dependencies' , 'resource-namespace' ) + ' --no-create-lockfile' )
2016-09-15 07:54:15 +00:00
out . stderr . must_equal ''
out . exit_status . must_equal 0
2017-08-23 14:29:09 +00:00
out . stdout . force_encoding ( Encoding :: UTF_8 ) . must_include " Profile Summary: \e [38;5;41m1 successful control \e [0m, 0 control failures, 0 controls skipped \n "
2016-09-15 07:54:15 +00:00
end
end
2016-09-26 12:38:27 +00:00
describe 'with require_controls' do
it 'does not run rules you did not include' do
out = inspec ( 'exec ' + File . join ( profile_path , 'dependencies' , 'require_controls_test' ) + ' --no-create-lockfile' )
out . stderr . must_equal ''
out . exit_status . must_equal 0
2017-08-23 14:29:09 +00:00
out . stdout . force_encoding ( Encoding :: UTF_8 ) . must_include " Profile Summary: \e [38;5;41m1 successful control \e [0m, 0 control failures, 0 controls skipped \n "
2016-09-26 12:38:27 +00:00
end
end
2016-09-15 00:10:06 +00:00
describe " with a 2-level dependency tree " do
it 'correctly runs tests from the whole tree' do
2016-09-21 21:22:53 +00:00
out = inspec ( 'exec ' + File . join ( profile_path , 'dependencies' , 'inheritance' ) + ' --no-create-lockfile' )
2016-09-15 00:10:06 +00:00
out . stderr . must_equal ''
out . exit_status . must_equal 0
2017-08-23 14:29:09 +00:00
out . stdout . force_encoding ( Encoding :: UTF_8 ) . must_include " Profile Summary: \e [38;5;41m6 successful controls \e [0m, 0 control failures, 0 controls skipped \n "
2016-09-02 16:33:21 +00:00
end
end
2016-09-13 10:03:24 +00:00
describe 'when using profiles on the supermarket' do
it 'can run supermarket profiles directly from the command line' do
2016-09-21 21:22:53 +00:00
out = inspec ( " exec supermarket://nathenharvey/tmp-compliance-profile --no-create-lockfile " )
2017-08-23 14:29:09 +00:00
out . stdout . force_encoding ( Encoding :: UTF_8 ) . must_include " Profile Summary: \e [38;5;41m2 successful controls \e [0m, 0 control failures, 0 controls skipped \n "
2016-09-13 10:03:24 +00:00
end
it 'can run supermarket profiles from inspec.yml' do
2016-09-21 21:22:53 +00:00
out = inspec ( " exec #{ File . join ( profile_path , 'supermarket-dep' ) } --no-create-lockfile " )
2017-08-23 14:29:09 +00:00
out . stdout . force_encoding ( Encoding :: UTF_8 ) . must_include " Profile Summary: \e [38;5;41m2 successful controls \e [0m, 0 control failures, 0 controls skipped \n "
2016-09-13 10:03:24 +00:00
end
end
2016-09-14 07:41:19 +00:00
describe 'when a dependency does not support our backend platform' do
it 'skips the controls from that profile' do
2016-09-21 21:22:53 +00:00
out = inspec ( " exec #{ File . join ( profile_path , 'profile-support-skip' ) } --no-create-lockfile " )
2017-08-23 14:29:09 +00:00
out . stdout . force_encoding ( Encoding :: UTF_8 ) . must_include " Profile Summary: 0 successful controls, 0 control failures, \e [38;5;247m2 controls skipped \e [0m \n "
2016-09-14 07:41:19 +00:00
end
end
2017-04-28 21:30:05 +00:00
describe 'when trying to use --sudo with a local target' do
it 'must print an error and exit' do
out = inspec ( " exec #{ File . join ( profile_path , 'profile-support-skip' ) } --sudo " )
2017-05-31 03:38:18 +00:00
str = " Sudo is only valid when running against a remote host. To run this locally with elevated privileges, run the command with `sudo ...`. \n "
out . stderr . force_encoding ( Encoding :: UTF_8 ) . must_include str
2017-04-28 21:30:05 +00:00
out . exit_status . must_equal 1
end
end
2017-05-01 23:18:23 +00:00
describe 'when --no-color is used' do
it 'does not output color control characters' do
out = inspec ( 'exec ' + File . join ( profile_path , 'simple-metadata' ) + ' --no-color' )
out . exit_status . must_equal 0
out . stdout . wont_include " \e [38 "
end
end
2017-06-12 21:33:16 +00:00
describe 'when --password is used' do
it 'raises an exception if no password is provided' do
out = inspec ( 'exec ' + example_profile + ' --password' )
out . exit_status . must_equal 1
out . stderr . must_include 'Please provide a value for --password. For example: --password=hello.'
end
end
describe 'when --sudo-password is used' do
it 'raises an exception if no sudo password is provided' do
out = inspec ( 'exec ' + example_profile + ' --sudo-password' )
out . exit_status . must_equal 1
out . stderr . must_include 'Please provide a value for --sudo-password. For example: --sudo-password=hello.'
end
end
2017-08-25 20:21:49 +00:00
describe 'with sensitive resources' do
it 'hides sensitive output' do
out = inspec ( 'exec ' + sensitive_profile + ' --no-create-lockfile' )
out . stderr . must_equal ''
2018-02-14 16:54:20 +00:00
out . exit_status . must_equal 100
2017-08-25 20:21:49 +00:00
stdout = out . stdout . force_encoding ( Encoding :: UTF_8 )
2018-02-14 16:54:20 +00:00
stdout . must_include '× should eq "billy"'
2017-08-25 20:21:49 +00:00
stdout . must_include 'expected: "billy"'
stdout . must_include 'got: "bob"'
2018-02-14 16:54:20 +00:00
stdout . must_include '× should eq "secret"'
2017-08-25 20:21:49 +00:00
stdout . must_include '*** sensitive output suppressed ***'
stdout . must_include " \n Test Summary: \e [38;5;41m2 successful \e [0m, \e [38;5;9m2 failures \e [0m, 0 skipped \n "
end
end
2016-03-25 00:31:19 +00:00
end