inspec/lib/plugins/inspec-compliance/README.md

208 lines
6.6 KiB
Markdown
Raw Normal View History

2016-01-26 10:54:53 +00:00
# InSpec Extension for Chef Compliance
This extensions offers the following features:
Add Chef Automate support to `inspec compliance login` (#2203) * Merge `login` and `login_automate` commands This provides a single interface for logging into either Chef Automate or Chef Compliance servers. Server type is evaluated at run time via HTTP responses from designated endpoints. This also moves the login logic from `Compliance::ComplianceCLI` to a separate set of modules in `Compliance::API`. This removes logic from Thor and allows for more in depth Unit testing. Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Remove empty line below class definition Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Add message to `raise CannotDetermineServerType` Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Refactor `token_info` assignment Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Remove unnecessary rubocop disable Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Modify `Login` module namespacing Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Remove mentions of login_automate and --usertoken Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Modify `determine_server_type` to return a symbol Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Add support for `login_automate` and `--usertoken` Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Fix encoding typo Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Address PR feedback This does the following: - Moves `CannotDetermineServerType` error to `.login` - Changes methods that store configuration to return the configuration - Moves user output to one location in `.login` - Makes other small improvements Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
2017-10-26 15:32:47 +00:00
- list available profiles in Chef Automate/Chef Compliance
- execute profiles directly from Chef Automate/Chef Compliance locally
- upload a local profile to Chef Automate/Chef Compliance
2016-01-26 10:54:53 +00:00
To use the CLI, this InSpec add-on adds the following commands:
2016-01-26 10:54:53 +00:00
Add Chef Automate support to `inspec compliance login` (#2203) * Merge `login` and `login_automate` commands This provides a single interface for logging into either Chef Automate or Chef Compliance servers. Server type is evaluated at run time via HTTP responses from designated endpoints. This also moves the login logic from `Compliance::ComplianceCLI` to a separate set of modules in `Compliance::API`. This removes logic from Thor and allows for more in depth Unit testing. Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Remove empty line below class definition Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Add message to `raise CannotDetermineServerType` Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Refactor `token_info` assignment Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Remove unnecessary rubocop disable Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Modify `Login` module namespacing Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Remove mentions of login_automate and --usertoken Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Modify `determine_server_type` to return a symbol Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Add support for `login_automate` and `--usertoken` Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Fix encoding typo Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Address PR feedback This does the following: - Moves `CannotDetermineServerType` error to `.login` - Changes methods that store configuration to return the configuration - Moves user output to one location in `.login` - Makes other small improvements Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
2017-10-26 15:32:47 +00:00
* `$ inspec compliance login` - authentication of the API token against Chef Automate/Chef Compliance
* `$ inspec compliance profiles` - list all available Compliance profiles
* `$ inspec exec compliance://profile` - runs a Compliance profile
* `$ inspec compliance upload path/to/local/profile` - uploads a local profile to Chef Automate/Chef Compliance
* `$ inspec compliance logout` - logout of Chef Automate/Chef Compliance
2016-02-02 10:16:27 +00:00
Compliance profiles can be executed in two ways:
2016-02-02 10:16:27 +00:00
- via compliance exec: `inspec compliance exec profile`
- via compliance scheme: `inspec exec compliance://profile`
2016-05-06 12:47:07 +00:00
## Usage
### Command options
```
$ inspec compliance
Commands:
inspec compliance download PROFILE # downloads a profile from Chef Compliance
inspec compliance exec PROFILE # executes a Chef Compliance profile
inspec compliance help [COMMAND] # Describe subcommands or one specific subcommand
Add Chef Automate support to `inspec compliance login` (#2203) * Merge `login` and `login_automate` commands This provides a single interface for logging into either Chef Automate or Chef Compliance servers. Server type is evaluated at run time via HTTP responses from designated endpoints. This also moves the login logic from `Compliance::ComplianceCLI` to a separate set of modules in `Compliance::API`. This removes logic from Thor and allows for more in depth Unit testing. Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Remove empty line below class definition Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Add message to `raise CannotDetermineServerType` Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Refactor `token_info` assignment Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Remove unnecessary rubocop disable Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Modify `Login` module namespacing Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Remove mentions of login_automate and --usertoken Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Modify `determine_server_type` to return a symbol Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Add support for `login_automate` and `--usertoken` Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Fix encoding typo Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Address PR feedback This does the following: - Moves `CannotDetermineServerType` error to `.login` - Changes methods that store configuration to return the configuration - Moves user output to one location in `.login` - Makes other small improvements Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
2017-10-26 15:32:47 +00:00
inspec compliance login SERVER # Log in to a Chef Automate/Chef Compliance SERVER
inspec compliance logout # user logout from Chef Compliance
inspec compliance profiles # list all available profiles in Chef Compliance
inspec compliance upload PATH # uploads a local profile to Chef Compliance
inspec compliance version # displays the version of the Chef Compliance server
```
### Login with Chef Automate 2
You will need an API token for authentication. You can retrieve one via the admin section of your A2 web gui.
```
$ inspec compliance login https://automate2.compliance.test --insecure --user 'admin' --token 'zuop..._KzE'
```
#### Login with Chef Automate 2 via json-config
With automate 2 you can automatically login by passing a json config via `--json-config`
Example:
```json
"compliance": {
"server" : "https://YOUR_A2_URL",
"token" : "YOUR_A2_ADMIN_TOKEN",
"user" : "YOUR_A2_USER",
"insecure" : true
}
```
### Login with Chef Automate
Add Chef Automate support to `inspec compliance login` (#2203) * Merge `login` and `login_automate` commands This provides a single interface for logging into either Chef Automate or Chef Compliance servers. Server type is evaluated at run time via HTTP responses from designated endpoints. This also moves the login logic from `Compliance::ComplianceCLI` to a separate set of modules in `Compliance::API`. This removes logic from Thor and allows for more in depth Unit testing. Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Remove empty line below class definition Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Add message to `raise CannotDetermineServerType` Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Refactor `token_info` assignment Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Remove unnecessary rubocop disable Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Modify `Login` module namespacing Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Remove mentions of login_automate and --usertoken Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Modify `determine_server_type` to return a symbol Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Add support for `login_automate` and `--usertoken` Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Fix encoding typo Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Address PR feedback This does the following: - Moves `CannotDetermineServerType` error to `.login` - Changes methods that store configuration to return the configuration - Moves user output to one location in `.login` - Makes other small improvements Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
2017-10-26 15:32:47 +00:00
You will need an access token for authentication. You can retrieve one via [UI](https://docs.chef.io/api_delivery.html) or [CLI](https://docs.chef.io/ctl_delivery.html#delivery-token).
```
Add Chef Automate support to `inspec compliance login` (#2203) * Merge `login` and `login_automate` commands This provides a single interface for logging into either Chef Automate or Chef Compliance servers. Server type is evaluated at run time via HTTP responses from designated endpoints. This also moves the login logic from `Compliance::ComplianceCLI` to a separate set of modules in `Compliance::API`. This removes logic from Thor and allows for more in depth Unit testing. Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Remove empty line below class definition Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Add message to `raise CannotDetermineServerType` Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Refactor `token_info` assignment Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Remove unnecessary rubocop disable Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Modify `Login` module namespacing Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Remove mentions of login_automate and --usertoken Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Modify `determine_server_type` to return a symbol Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Add support for `login_automate` and `--usertoken` Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Fix encoding typo Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Address PR feedback This does the following: - Moves `CannotDetermineServerType` error to `.login` - Changes methods that store configuration to return the configuration - Moves user output to one location in `.login` - Makes other small improvements Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
2017-10-26 15:32:47 +00:00
$ inspec compliance login https://automate.compliance.test --insecure --user 'admin' --ent 'brewinc' --token 'zuop..._KzE'
```
### Login with Chef Compliance
Add Chef Automate support to `inspec compliance login` (#2203) * Merge `login` and `login_automate` commands This provides a single interface for logging into either Chef Automate or Chef Compliance servers. Server type is evaluated at run time via HTTP responses from designated endpoints. This also moves the login logic from `Compliance::ComplianceCLI` to a separate set of modules in `Compliance::API`. This removes logic from Thor and allows for more in depth Unit testing. Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Remove empty line below class definition Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Add message to `raise CannotDetermineServerType` Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Refactor `token_info` assignment Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Remove unnecessary rubocop disable Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Modify `Login` module namespacing Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Remove mentions of login_automate and --usertoken Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Modify `determine_server_type` to return a symbol Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Add support for `login_automate` and `--usertoken` Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Fix encoding typo Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Address PR feedback This does the following: - Moves `CannotDetermineServerType` error to `.login` - Changes methods that store configuration to return the configuration - Moves user output to one location in `.login` - Makes other small improvements Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
2017-10-26 15:32:47 +00:00
You will need an access token for authentication. You can retrieve one via:
2016-05-06 12:47:07 +00:00
![Chef Compliance Token](images/cc-token.png)
You can choose the access token (`--token`) or the refresh token (`--refresh_token`)
```
$ inspec compliance login https://compliance.test --user admin --insecure --token '...'
```
### List available profiles via Chef Compliance / Automate
2016-05-06 12:47:07 +00:00
```
2016-05-06 12:47:07 +00:00
$ inspec compliance profiles
Available profiles:
-------------------
* base/apache
* base/linux
* base/mysql
* base/postgres
* base/ssh
* base/windows
* cis/cis-centos6-level1
* cis/cis-centos6-level2
* cis/cis-centos7-level1
* cis/cis-centos7-level2
* cis/cis-rhel7-level1
* cis/cis-rhel7-level2
* cis/cis-ubuntu12.04lts-level1
* cis/cis-ubuntu12.04lts-level2
* cis/cis-ubuntu14.04lts-level1
* cis/cis-ubuntu14.04lts-level2
```
### Upload a profile to Chef Compliance / Automate
2016-05-06 12:47:07 +00:00
```
2016-05-06 12:47:07 +00:00
$ inspec compliance version
Chef Compliance version: 1.0.11
➜ inspec git:(chris-rock/cc-error-not-loggedin) ✗ b inspec compliance upload examples/profile
I, [2016-05-06T14:27:20.907547 #37592] INFO -- : Checking profile in examples/profile
I, [2016-05-06T14:27:20.907668 #37592] INFO -- : Metadata OK.
I, [2016-05-06T14:27:20.968584 #37592] INFO -- : Found 4 controls.
I, [2016-05-06T14:27:20.968638 #37592] INFO -- : Control definitions OK.
Profile is valid
Generate temporary profile archive at /var/folders/jy/2bnrfb4s36jbjtzllvhhyqhw0000gn/T/profile20160506-37592-1tf326f.tar.gz
I, [2016-05-06T14:27:21.020017 #37592] INFO -- : Generate archive /var/folders/jy/2bnrfb4s36jbjtzllvhhyqhw0000gn/T/profile20160506-37592-1tf326f.tar.gz.
I, [2016-05-06T14:27:21.024837 #37592] INFO -- : Finished archive generation.
Start upload to admin/profile
Uploading to Chef Compliance
Successfully uploaded profile
# display all profiles
$ inspec compliance profiles
Available profiles:
-------------------
* admin/profile
* base/apache
* base/linux
* base/mysql
* base/postgres
* base/ssh
* base/windows
* cis/cis-centos6-level1
* cis/cis-centos6-level2
* cis/cis-centos7-level1
* cis/cis-centos7-level2
* cis/cis-rhel7-level1
* cis/cis-rhel7-level2
* cis/cis-ubuntu12.04lts-level1
* cis/cis-ubuntu12.04lts-level2
* cis/cis-ubuntu14.04lts-level1
* cis/cis-ubuntu14.04lts-level2
```
Add Chef Automate support to `inspec compliance login` (#2203) * Merge `login` and `login_automate` commands This provides a single interface for logging into either Chef Automate or Chef Compliance servers. Server type is evaluated at run time via HTTP responses from designated endpoints. This also moves the login logic from `Compliance::ComplianceCLI` to a separate set of modules in `Compliance::API`. This removes logic from Thor and allows for more in depth Unit testing. Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Remove empty line below class definition Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Add message to `raise CannotDetermineServerType` Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Refactor `token_info` assignment Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Remove unnecessary rubocop disable Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Modify `Login` module namespacing Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Remove mentions of login_automate and --usertoken Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Modify `determine_server_type` to return a symbol Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Add support for `login_automate` and `--usertoken` Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Fix encoding typo Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Address PR feedback This does the following: - Moves `CannotDetermineServerType` error to `.login` - Changes methods that store configuration to return the configuration - Moves user output to one location in `.login` - Makes other small improvements Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
2017-10-26 15:32:47 +00:00
### Run a profile from Chef Compliance / Chef Automate on Workstation
2016-05-06 12:47:07 +00:00
```
2016-05-06 12:47:07 +00:00
$ inspec exec compliance://admin/profile
.*...
Pending: (Failures listed here are expected and do not affect your suite's status)
1) example_config Can't find file "/tmp/example/config.yaml"
2016-05-06 12:47:07 +00:00
# Not yet implemented
# ./lib/inspec/runner.rb:157
Finished in 0.02862 seconds (files took 0.62628 seconds to load)
5 examples, 0 failures, 1 pending
```
Exec a specific version(2.0.1) of a profile when logged in with Automate:
```
$ inspec exec compliance://admin/apache-baseline#2.0.1
```
Download a specific version(2.0.2) of a profile when logged in with Automate:
```
$ inspec compliance download compliance://admin/apache-baseline#2.0.2
```
### To Logout from Chef Compliance
2016-05-06 12:47:07 +00:00
```
$ inspec compliance logout
Successfully logged out
```
## Integration Tests
At this point of time, InSpec is not able to pick up the token directly, therefore the integration test is semi-automatic at this point of time:
* run `kitchen converge`
* open https://192.168.251.2 and log in with user `admin` and password `admin`
* click on user->about and obtain the access token and the refresh token
* run `kitchen verify` with the required env variables:
```
# both token need to be set, since the test suite runs for each token type
export COMPLIANCE_ACCESSTOKEN='mycompliancetoken'
export COMPLIANCE_REFRESHTOKEN='myrefreshtoken'
kitchen verify
-----> Starting Kitchen (v1.7.3)
-----> Verifying <default-ubuntu-1404>...
Search `/Users/chartmann/Development/compliance/inspec/lib/bundles/inspec-compliance/test/integration/default` for tests
..................................
Finished in 6.35 seconds (files took 0.40949 seconds to load)
34 examples, 0 failures
Finished verifying <default-ubuntu-1404> (0m6.62s).
-----> Kitchen is finished. (0m7.02s)
zlib(finalizer): the stream was freed prematurely.
```