inspec/lib/bundles/inspec-compliance/target.rb

# encoding: utf-8
# author: Christoph Hartmann
# author: Dominik Richter

require 'uri'
require 'inspec/fetcher'
require 'inspec/errors'

# InSpec Target Helper for Chef Compliance
# reuses UrlHelper, but it knows the target server and the access token already
# similar to `inspec exec http://localhost:2134/owners/%base%/compliance/%ssh%/tar --user %token%`
module Compliance
  class Fetcher < Fetchers::Url
    name 'compliance'
    priority 500
    def self.resolve(target) # rubocop:disable PerceivedComplexity, Metrics/CyclomaticComplexity
      uri = if target.is_a?(String) && URI(target).scheme == 'compliance'
              URI(target)
            elsif target.respond_to?(:key?) && target.key?(:compliance)
              URI("compliance://#{target[:compliance]}")
            end

      return nil if uri.nil?

      # we have detailed information available in our lockfile, no need to ask the server
      if target.respond_to?(:key?) && target.key?(:url)
        profile_fetch_url = target[:url]
        config = {}
      else
        # check if we have a compliance token
        config = Compliance::Configuration.new
        if config['token'].nil?
          if config['server_type'] == 'automate'
            server = 'automate'
            msg = 'inspec compliance login_automate https://your_automate_server --user USER --ent ENT --dctoken DCTOKEN or --usertoken USERTOKEN'
          else
            server = 'compliance'
            msg = "inspec compliance login https://your_compliance_server --user admin --insecure --token 'PASTE TOKEN HERE' "
          end
          fail Inspec::FetcherFailure, <<EOF

Cannot fetch #{uri} because your #{server} token has not been
configured.

Please login using

    #{msg}
EOF
        end

        # verifies that the target e.g base/ssh exists
        profile = uri.host + uri.path
        if !Compliance::API.exist?(config, profile)
          fail Inspec::FetcherFailure, "The compliance profile #{profile} was not found on the configured compliance server"
        end
        profile_fetch_url = target_url(profile, config)
      end
      new(profile_fetch_url, config)
    rescue URI::Error => _e
      nil
    end

    def self.target_url(profile, config)
      if config['server_type'] == 'automate'
        target = "#{config['server']}/#{profile}/tar"
      else
        owner, id = profile.split('/')
        target = "#{config['server']}/owners/#{owner}/compliance/#{id}/tar"
      end
      target
    end

    # We want to save compliance: in the lockfile rather than url: to
    # make sure we go back through the Compliance API handling.
    def resolved_source
      @resolved_source ||= {
        compliance: compliance_profile_name,
        url: @target,
        sha256: sha256,
      }
    end

    def to_s
      'Chef Compliance Profile Loader'
    end

    private

    def compliance_profile_name
      m = %r{^#{@config['server']}/owners/(?<owner>[^/]+)/compliance/(?<id>[^/]+)/tar$}.match(@target)
      "#{m[:owner]}/#{m[:id]}"
    end
  end
end
refactor compliance plugin 2016-02-05 07:38:45 +00:00			`# encoding: utf-8`
			`# author: Christoph Hartmann`
			`# author: Dominik Richter`

			`require 'uri'`
migrate inspec-compliance target to fetcher 2016-02-22 01:13:42 +00:00			`require 'inspec/fetcher'`
Improve error messages from compliance fetcher Signed-off-by: Steven Danna <steve@chef.io> 2016-09-22 13:02:20 +00:00			`require 'inspec/errors'`
refactor compliance plugin 2016-02-05 07:38:45 +00:00
			`# InSpec Target Helper for Chef Compliance`
			`# reuses UrlHelper, but it knows the target server and the access token already`
			# similar to `inspec exec http://localhost:2134/owners/%base%/compliance/%ssh%/tar --user %token%`
			`module Compliance`
Allow supermarket:// and compliance:// in inspec.yml Signed-off-by: Steven Danna <steve@chef.io> 2016-09-09 09:21:54 +00:00			`class Fetcher < Fetchers::Url`
migrate inspec-compliance target to fetcher 2016-02-22 01:13:42 +00:00			`name 'compliance'`
			`priority 500`
use cached profile for compliance dependencies if vendored Signed-off-by: Christoph Hartmann <chris@lollyrock.com> 2016-12-08 09:58:40 +00:00			`def self.resolve(target) # rubocop:disable PerceivedComplexity, Metrics/CyclomaticComplexity`
Allow supermarket:// and compliance:// in inspec.yml Signed-off-by: Steven Danna <steve@chef.io> 2016-09-09 09:21:54 +00:00			`uri = if target.is_a?(String) && URI(target).scheme == 'compliance'`
			`URI(target)`
			`elsif target.respond_to?(:key?) && target.key?(:compliance)`
			`URI("compliance://#{target[:compliance]}")`
			`end`

			`return nil if uri.nil?`
refactor compliance plugin 2016-02-05 07:38:45 +00:00
use cached profile for compliance dependencies if vendored Signed-off-by: Christoph Hartmann <chris@lollyrock.com> 2016-12-08 09:58:40 +00:00			`# we have detailed information available in our lockfile, no need to ask the server`
			`if target.respond_to?(:key?) && target.key?(:url)`
			`profile_fetch_url = target[:url]`
			`config = {}`
			`else`
			`# check if we have a compliance token`
			`config = Compliance::Configuration.new`
			`if config['token'].nil?`
			`if config['server_type'] == 'automate'`
			`server = 'automate'`
			`msg = 'inspec compliance login_automate https://your_automate_server --user USER --ent ENT --dctoken DCTOKEN or --usertoken USERTOKEN'`
			`else`
			`server = 'compliance'`
			`msg = "inspec compliance login https://your_compliance_server --user admin --insecure --token 'PASTE TOKEN HERE' "`
			`end`
			`fail Inspec::FetcherFailure, <<EOF`
Improve error messages from compliance fetcher Signed-off-by: Steven Danna <steve@chef.io> 2016-09-22 13:02:20 +00:00
Extend inspec compliance cli to support automate backend Signed-off-by: Victoria Jeffrey <vjeffrey@chef.io> 2016-11-15 19:19:39 +00:00			`Cannot fetch #{uri} because your #{server} token has not been`
Improve error messages from compliance fetcher Signed-off-by: Steven Danna <steve@chef.io> 2016-09-22 13:02:20 +00:00			`configured.`

			`Please login using`

Extend inspec compliance cli to support automate backend Signed-off-by: Victoria Jeffrey <vjeffrey@chef.io> 2016-11-15 19:19:39 +00:00			`#{msg}`
Improve error messages from compliance fetcher Signed-off-by: Steven Danna <steve@chef.io> 2016-09-22 13:02:20 +00:00			`EOF`
use cached profile for compliance dependencies if vendored Signed-off-by: Christoph Hartmann <chris@lollyrock.com> 2016-12-08 09:58:40 +00:00			`end`
refactor compliance plugin 2016-02-05 07:38:45 +00:00
use cached profile for compliance dependencies if vendored Signed-off-by: Christoph Hartmann <chris@lollyrock.com> 2016-12-08 09:58:40 +00:00			`# verifies that the target e.g base/ssh exists`
			`profile = uri.host + uri.path`
			`if !Compliance::API.exist?(config, profile)`
			`fail Inspec::FetcherFailure, "The compliance profile #{profile} was not found on the configured compliance server"`
			`end`
			`profile_fetch_url = target_url(profile, config)`
Improve error messages from compliance fetcher Signed-off-by: Steven Danna <steve@chef.io> 2016-09-22 13:02:20 +00:00			`end`
use cached profile for compliance dependencies if vendored Signed-off-by: Christoph Hartmann <chris@lollyrock.com> 2016-12-08 09:58:40 +00:00			`new(profile_fetch_url, config)`
migrate inspec-compliance target to fetcher 2016-02-22 01:13:42 +00:00			`rescue URI::Error => _e`
			`nil`
refactor compliance plugin 2016-02-05 07:38:45 +00:00			`end`

Allow supermarket:// and compliance:// in inspec.yml Signed-off-by: Steven Danna <steve@chef.io> 2016-09-09 09:21:54 +00:00			`def self.target_url(profile, config)`
address comments Signed-off-by: Victoria Jeffrey <vjeffrey@chef.io> 2016-11-29 14:35:16 +00:00			`if config['server_type'] == 'automate'`
Extend inspec compliance cli to support automate backend Signed-off-by: Victoria Jeffrey <vjeffrey@chef.io> 2016-11-15 19:19:39 +00:00			`target = "#{config['server']}/#{profile}/tar"`
			`else`
			`owner, id = profile.split('/')`
			`target = "#{config['server']}/owners/#{owner}/compliance/#{id}/tar"`
			`end`
			`target`
refactor compliance plugin 2016-02-05 07:38:45 +00:00			`end`

Typo supermarket -> compliance Signed-off-by: Steven Danna <steve@chef.io> 2016-09-09 13:46:36 +00:00			`# We want to save compliance: in the lockfile rather than url: to`
use cached profile for compliance dependencies if vendored Signed-off-by: Christoph Hartmann <chris@lollyrock.com> 2016-12-08 09:58:40 +00:00			`# make sure we go back through the Compliance API handling.`
Allow supermarket:// and compliance:// in inspec.yml Signed-off-by: Steven Danna <steve@chef.io> 2016-09-09 09:21:54 +00:00			`def resolved_source`
use cached profile for compliance dependencies if vendored Signed-off-by: Christoph Hartmann <chris@lollyrock.com> 2016-12-08 09:58:40 +00:00			`@resolved_source \|\|= {`
			`compliance: compliance_profile_name,`
			`url: @target,`
			`sha256: sha256,`
			`}`
Allow supermarket:// and compliance:// in inspec.yml Signed-off-by: Steven Danna <steve@chef.io> 2016-09-09 09:21:54 +00:00			`end`

refactor compliance plugin 2016-02-05 07:38:45 +00:00			`def to_s`
			`'Chef Compliance Profile Loader'`
			`end`
Allow supermarket:// and compliance:// in inspec.yml Signed-off-by: Steven Danna <steve@chef.io> 2016-09-09 09:21:54 +00:00
			`private`

use cached profile for compliance dependencies if vendored Signed-off-by: Christoph Hartmann <chris@lollyrock.com> 2016-12-08 09:58:40 +00:00			`def compliance_profile_name`
Allow supermarket:// and compliance:// in inspec.yml Signed-off-by: Steven Danna <steve@chef.io> 2016-09-09 09:21:54 +00:00			`m = %r{^#{@config['server']}/owners/(?<owner>[^/]+)/compliance/(?<id>[^/]+)/tar$}.match(@target)`
			`"#{m[:owner]}/#{m[:id]}"`
			`end`
refactor compliance plugin 2016-02-05 07:38:45 +00:00			`end`
			`end`