inspec/lib/bundles/inspec-compliance/cli.rb

# encoding: utf-8
# author: Christoph Hartmann
# author: Dominik Richter

require 'thor'
require 'erb'

module Compliance
  class ComplianceCLI < Inspec::BaseCLI # rubocop:disable Metrics/ClassLength
    namespace 'compliance'

    # TODO: find another solution, once https://github.com/erikhuda/thor/issues/261 is fixed
    def self.banner(command, _namespace = nil, _subcommand = false)
      "#{basename} #{subcommand_prefix} #{command.usage}"
    end

    def self.subcommand_prefix
      namespace
    end

    desc "login SERVER --insecure --user='USER' --token='TOKEN'", 'Log in to a Chef Compliance SERVER'
    option :insecure, aliases: :k, type: :boolean,
      desc: 'Explicitly allows InSpec to perform "insecure" SSL connections and transfers'
    option :user, type: :string, required: false,
      desc: 'Chef Compliance Username'
    option :password, type: :string, required: false,
      desc: 'Chef Compliance Password'
    option :apipath, type: :string, default: '/api',
      desc: 'Set the path to the API, defaults to /api'
    option :token, type: :string, required: false,
      desc: 'Chef Compliance access token'
    option :refresh_token, type: :string, required: false,
      desc: 'Chef Compliance refresh token'
    def login(server) # rubocop:disable Metrics/AbcSize
      # show warning if the Compliance Server does not support

      options['server'] = server
      url = options['server'] + options['apipath']

      if !options['user'].nil? && !options['password'].nil?
        # username / password
        _success, msg = login_username_password(url, options['user'], options['password'], options['insecure'])
      elsif !options['user'].nil? && !options['token'].nil?
        # access token
        _success, msg = store_access_token(url, options['user'], options['token'], options['insecure'])
      elsif !options['refresh_token'].nil? && !options['user'].nil?
        # refresh token
        _success, msg = store_refresh_token(url, options['refresh_token'], true, options['user'], options['insecure'])
        # TODO: we should login with the refreshtoken here
      elsif !options['refresh_token'].nil?
        _success, msg = login_refreshtoken(url, options)
      else
        puts 'Please run `inspec compliance login SERVER` with options --token or --refresh_token, --user, and --insecure or --not-insecure'
        exit 1
      end

      puts '', msg
    end

    desc "login_automate SERVER --user='USER' --ent='ENT' --dctoken or --usertoken='TOKEN'", 'Log in to an Automate SERVER'
    option :dctoken, type: :string,
      desc: 'Data Collector token'
    option :usertoken, type: :string,
      desc: 'Automate user token'
    option :user, type: :string,
      desc: 'Automate username'
    option :ent, type: :string,
      desc: 'Enterprise for Chef Automate reporting'
    option :insecure, aliases: :k, type: :boolean,
      desc: 'Explicitly allows InSpec to perform "insecure" SSL connections and transfers'
    def login_automate(server) # rubocop:disable Metrics/AbcSize
      options['server'] = server
      url = options['server'] + '/compliance/profiles'

      if url && !options['user'].nil? && !options['ent'].nil?
        if !options['dctoken'].nil? || !options['usertoken'].nil?
          msg = login_automate_config(url, options['user'], options['dctoken'], options['usertoken'], options['ent'], options['insecure'])
        else
          puts "Please specify a token using --dctoken='DATA_COLLECTOR_TOKEN' or usertoken='AUTOMATE_TOKEN' "
          exit 1
        end
      else
        puts "Please login to your automate instance using 'inspec compliance login_automate SERVER --user AUTOMATE_USER --ent AUTOMATE_ENT --dctoken DC_TOKEN or --usertoken USER_TOKEN' "
        exit 1
      end
      puts '', msg
    end

    desc 'profiles', 'list all available profiles in Chef Compliance'
    def profiles
      config = Compliance::Configuration.new
      return if !loggedin(config)

      msg, profiles = Compliance::API.profiles(config)
      if !profiles.empty?
        # iterate over profiles
        headline('Available profiles:')
        profiles.each { |profile|
          li("#{profile[:org]}/#{profile[:name]}")
        }
      else
        puts msg, 'Could not find any profiles'
        exit 1
      end
    end

    desc 'exec PROFILE', 'executes a Chef Compliance profile'
    exec_options
    def exec(*tests)
      config = Compliance::Configuration.new
      return if !loggedin(config)
      # iterate over tests and add compliance scheme
      tests = tests.map { |t| 'compliance://' + t }
      # execute profile from inspec exec implementation
      diagnose
      run_tests(tests, opts)
    end

    desc 'upload PATH', 'uploads a local profile to Chef Compliance'
    option :overwrite, type: :boolean, default: false,
      desc: 'Overwrite existing profile on Chef Compliance.'
    def upload(path) # rubocop:disable Metrics/MethodLength, Metrics/AbcSize, PerceivedComplexity, Metrics/CyclomaticComplexity
      config = Compliance::Configuration.new
      return if !loggedin(config)

      unless File.exist?(path)
        puts "Directory #{path} does not exist."
        exit 1
      end

      vendor_deps(path, options) if File.directory?(path)

      o = options.dup
      configure_logger(o)
      # check the profile, we only allow to upload valid profiles
      profile = Inspec::Profile.for_target(path, o)

      # start verification process
      error_count = 0
      error = lambda { |msg|
        error_count += 1
        puts msg
      }

      result = profile.check
      unless result[:summary][:valid]
        error.call('Profile check failed. Please fix the profile before upload.')
      else
        puts('Profile is valid')
      end

      # determine user information
      if config['token'].nil? || config['user'].nil?
        error.call('Please login via `inspec compliance login`')
      end

      # owner
      owner = config['user']
      # read profile name from inspec.yml
      profile_name = profile.params[:name]

      # check that the profile is not uploaded already,
      # confirm upload to the user (overwrite with --force)
      if Compliance::API.exist?(config, "#{owner}/#{profile_name}") && !options['overwrite']
        error.call('Profile exists on the server, use --overwrite')
      end

      # abort if we found an error
      if error_count > 0
        puts "Found #{error_count} error(s)"
        exit 1
      end

      # if it is a directory, tar it to tmp directory
      if File.directory?(path)
        archive_path = Dir::Tmpname.create([profile_name, '.tar.gz']) {}
        puts "Generate temporary profile archive at #{archive_path}"
        profile.archive({ output: archive_path, ignore_errors: false, overwrite: true })
      else
        archive_path = path
      end

      puts "Start upload to #{owner}/#{profile_name}"
      pname = ERB::Util.url_encode(profile_name)

      config['server_type'] == 'automate' ? upload_msg = 'Uploading to Chef Automate' : upload_msg = 'Uploading to Chef Compliance'
      puts upload_msg
      success, msg = Compliance::API.upload(config, owner, pname, archive_path)

      if success
        puts 'Successfully uploaded profile'
      else
        puts 'Error during profile upload:'
        puts msg
        exit 1
      end
    end

    desc 'version', 'displays the version of the Chef Compliance server'
    def version
      config = Compliance::Configuration.new
      if config['server_type'] == 'automate'
        puts 'Version not available when logged in with Automate.'
      else
        info = Compliance::API.version(config['server'], config['insecure'])
        if !info.nil? && info['version']
          puts "Chef Compliance version: #{info['version']}"
        else
          puts 'Could not determine server version.'
          exit 1
        end
      end
    end

    desc 'logout', 'user logout from Chef Compliance'
    def logout
      config = Compliance::Configuration.new
      unless config.supported?(:oidc) || config['token'].nil? || config['server_type'] == 'automate'
        config = Compliance::Configuration.new
        url = "#{config['server']}/logout"
        Compliance::API.post(url, config['token'], config['insecure'], !config.supported?(:oidc))
      end
      success = config.destroy

      if success
        puts 'Successfully logged out'
      else
        puts 'Could not log out'
      end
    end

    private

    def login_automate_config(url, user, dctoken, usertoken, ent, insecure) # rubocop:disable Metrics/ParameterLists
      config = Compliance::Configuration.new
      config['user'] = user
      config['server'] = url
      config['automate'] = {}
      config['automate']['ent'] = ent
      config['server_type'] = 'automate'
      config['insecure'] = insecure

      # determine token method being used
      if !dctoken.nil?
        config['token'] = dctoken
        token_type = 'dctoken'
        token_msg = 'data collector token'
      else
        config['token'] = usertoken
        token_type = 'usertoken'
        token_msg = 'automate user token'
      end

      config['automate']['token_type'] = token_type
      config.store
      msg = "Stored configuration for Chef Automate: '#{url}' with user: '#{user}', ent: '#{ent}' and your #{token_msg}"
      msg
    end

    def login_refreshtoken(url, options)
      success, msg, access_token = Compliance::API.get_token_via_refresh_token(url, options['refresh_token'], options['insecure'])
      if success
        config = Compliance::Configuration.new
        config['server'] = url
        config['token'] = access_token
        config['insecure'] = options['insecure']
        config['version'] = Compliance::API.version(url, options['insecure'])
        config['server_type'] = 'compliance'
        config.store
      end

      [success, msg]
    end

    def login_username_password(url, username, password, insecure)
      config = Compliance::Configuration.new
      success, msg, api_token = Compliance::API.get_token_via_password(url, username, password, insecure)
      if success
        config['server'] = url
        config['user'] = username
        config['token'] = api_token
        config['insecure'] = insecure
        config['version'] = Compliance::API.version(url, insecure)
        config['server_type'] = 'compliance'
        config.store
        success = true
      end
      [success, msg]
    end

    # saves a user access token (limited time)
    def store_access_token(url, user, token, insecure)
      config = Compliance::Configuration.new
      config['server'] = url
      config['insecure'] = insecure
      config['user'] = user
      config['token'] = token
      config['version'] = Compliance::API.version(url, insecure)
      config.store

      [true, 'API access token stored']
    end

    # saves a refresh token supplied by the user
    def store_refresh_token(url, refresh_token, verify, user, insecure)
      config = Compliance::Configuration.new
      config['server'] = url
      config['refresh_token'] = refresh_token
      config['user'] = user
      config['insecure'] = insecure
      config['version'] = Compliance::API.version(url, insecure)

      if !verify
        config.store
        success = true
        msg = 'API refresh token stored'
      else
        success, msg, access_token = Compliance::API.get_token_via_refresh_token(url, refresh_token, insecure)
        if success
          config['token'] = access_token
          config.store
          msg = 'API access token verified and stored'
        end
      end

      [success, msg]
    end

    def loggedin(config)
      serverknown = !config['server'].nil?
      puts 'You need to login first with `inspec compliance login` or `inspec compliance login_automate`' if !serverknown
      serverknown
    end
  end

  # register the subcommand to Inspec CLI registry
  Inspec::Plugins::CLI.add_subcommand(ComplianceCLI, 'compliance', 'compliance SUBCOMMAND ...', 'Chef Compliance commands', {})
end