2016-02-05 07:38:45 +00:00
|
|
|
# encoding: utf-8
|
|
|
|
# author: Christoph Hartmann
|
|
|
|
# author: Dominik Richter
|
|
|
|
|
|
|
|
require 'uri'
|
2016-02-22 01:13:42 +00:00
|
|
|
require 'inspec/fetcher'
|
2016-09-22 13:02:20 +00:00
|
|
|
require 'inspec/errors'
|
2016-02-05 07:38:45 +00:00
|
|
|
|
|
|
|
# InSpec Target Helper for Chef Compliance
|
|
|
|
# reuses UrlHelper, but it knows the target server and the access token already
|
|
|
|
# similar to `inspec exec http://localhost:2134/owners/%base%/compliance/%ssh%/tar --user %token%`
|
|
|
|
module Compliance
|
2016-09-09 09:21:54 +00:00
|
|
|
class Fetcher < Fetchers::Url
|
2016-02-22 01:13:42 +00:00
|
|
|
name 'compliance'
|
|
|
|
priority 500
|
2017-05-16 21:56:56 +00:00
|
|
|
def self.resolve(target) # rubocop:disable PerceivedComplexity, Metrics/CyclomaticComplexity
|
2016-09-09 09:21:54 +00:00
|
|
|
uri = if target.is_a?(String) && URI(target).scheme == 'compliance'
|
|
|
|
URI(target)
|
|
|
|
elsif target.respond_to?(:key?) && target.key?(:compliance)
|
|
|
|
URI("compliance://#{target[:compliance]}")
|
|
|
|
end
|
|
|
|
|
|
|
|
return nil if uri.nil?
|
2016-02-05 07:38:45 +00:00
|
|
|
|
2016-12-08 09:58:40 +00:00
|
|
|
# we have detailed information available in our lockfile, no need to ask the server
|
|
|
|
if target.respond_to?(:key?) && target.key?(:url)
|
|
|
|
profile_fetch_url = target[:url]
|
|
|
|
config = {}
|
|
|
|
else
|
|
|
|
# check if we have a compliance token
|
|
|
|
config = Compliance::Configuration.new
|
2017-01-18 01:38:34 +00:00
|
|
|
if config['token'].nil? && config['refresh_token'].nil?
|
2016-12-08 09:58:40 +00:00
|
|
|
if config['server_type'] == 'automate'
|
|
|
|
server = 'automate'
|
|
|
|
msg = 'inspec compliance login_automate https://your_automate_server --user USER --ent ENT --dctoken DCTOKEN or --usertoken USERTOKEN'
|
|
|
|
else
|
|
|
|
server = 'compliance'
|
|
|
|
msg = "inspec compliance login https://your_compliance_server --user admin --insecure --token 'PASTE TOKEN HERE' "
|
|
|
|
end
|
2017-02-08 22:49:16 +00:00
|
|
|
raise Inspec::FetcherFailure, <<EOF
|
2016-09-22 13:02:20 +00:00
|
|
|
|
2016-11-15 19:19:39 +00:00
|
|
|
Cannot fetch #{uri} because your #{server} token has not been
|
2016-09-22 13:02:20 +00:00
|
|
|
configured.
|
|
|
|
|
|
|
|
Please login using
|
|
|
|
|
2016-11-15 19:19:39 +00:00
|
|
|
#{msg}
|
2016-09-22 13:02:20 +00:00
|
|
|
EOF
|
2016-12-08 09:58:40 +00:00
|
|
|
end
|
2016-02-05 07:38:45 +00:00
|
|
|
|
2016-12-08 09:58:40 +00:00
|
|
|
# verifies that the target e.g base/ssh exists
|
2017-05-16 21:56:56 +00:00
|
|
|
profile = Compliance::API.sanitize_profile_name(uri)
|
2016-12-08 09:58:40 +00:00
|
|
|
if !Compliance::API.exist?(config, profile)
|
2017-02-08 22:49:16 +00:00
|
|
|
raise Inspec::FetcherFailure, "The compliance profile #{profile} was not found on the configured compliance server"
|
2016-12-08 09:58:40 +00:00
|
|
|
end
|
2017-01-05 11:37:43 +00:00
|
|
|
profile_fetch_url = Compliance::API.target_url(config, profile)
|
2016-09-22 13:02:20 +00:00
|
|
|
end
|
2017-01-18 01:38:34 +00:00
|
|
|
# We need to pass the token to the fetcher
|
|
|
|
config['token'] = Compliance::API.get_token(config)
|
2016-12-08 09:58:40 +00:00
|
|
|
new(profile_fetch_url, config)
|
2016-02-22 01:13:42 +00:00
|
|
|
rescue URI::Error => _e
|
|
|
|
nil
|
2016-02-05 07:38:45 +00:00
|
|
|
end
|
|
|
|
|
2016-09-09 13:46:36 +00:00
|
|
|
# We want to save compliance: in the lockfile rather than url: to
|
2016-12-08 09:58:40 +00:00
|
|
|
# make sure we go back through the Compliance API handling.
|
2016-09-09 09:21:54 +00:00
|
|
|
def resolved_source
|
2016-12-08 09:58:40 +00:00
|
|
|
@resolved_source ||= {
|
|
|
|
compliance: compliance_profile_name,
|
|
|
|
url: @target,
|
|
|
|
sha256: sha256,
|
|
|
|
}
|
2016-09-09 09:21:54 +00:00
|
|
|
end
|
|
|
|
|
2016-02-05 07:38:45 +00:00
|
|
|
def to_s
|
|
|
|
'Chef Compliance Profile Loader'
|
|
|
|
end
|
2016-09-09 09:21:54 +00:00
|
|
|
|
|
|
|
private
|
|
|
|
|
2017-04-13 15:24:17 +00:00
|
|
|
# determine the owner_id and the profile name from the url
|
2016-12-08 09:58:40 +00:00
|
|
|
def compliance_profile_name
|
2017-05-19 23:58:46 +00:00
|
|
|
m = if Compliance::API.is_automate_server_pre_080?(@config)
|
2017-04-11 20:45:24 +00:00
|
|
|
%r{^#{@config['server']}/(?<owner>[^/]+)/(?<id>[^/]+)/tar$}
|
2017-05-20 01:07:58 +00:00
|
|
|
elsif Compliance::API.is_automate_server_080_and_later?(@config)
|
2017-05-16 21:56:56 +00:00
|
|
|
%r{^#{@config['server']}/profiles/(?<owner>[^/]+)/(?<id>[^/]+)/tar$}
|
2017-04-11 20:45:24 +00:00
|
|
|
else
|
|
|
|
%r{^#{@config['server']}/owners/(?<owner>[^/]+)/compliance/(?<id>[^/]+)/tar$}
|
|
|
|
end.match(@target)
|
2017-05-26 19:30:37 +00:00
|
|
|
|
|
|
|
raise 'Unable to determine compliance profile name. This can be caused by ' \
|
|
|
|
'an incorrect server in your configuration. Try to login to compliance ' \
|
|
|
|
'via the `inspec compliance login` or `inspec compliance login_automate` ' \
|
|
|
|
'commands.' if m.nil?
|
|
|
|
|
2016-09-09 09:21:54 +00:00
|
|
|
"#{m[:owner]}/#{m[:id]}"
|
|
|
|
end
|
2016-02-05 07:38:45 +00:00
|
|
|
end
|
|
|
|
end
|