Updated the sign and verify commands to accept the profile path directly as an argument instead of through a separate option. Updated the docs accordingly.

Signed-off-by: Vasu1105 <vasundhara.jagdale@chef.io>
Vasu1105 2022-06-02 00:30:51 +05:30
parent 6d4211ccaf
commit 078d1ce898
5 changed files with 27 additions and 32 deletions


@ -54,7 +54,7 @@ A signed profile is checked for validity before being executed, and if it cannot
The `inspec sign verify` command specifies which key is used to sign a profile.
```bash
[cwolfe@lodi temp]$ inspec sign verify --signed-profile simple-0.1.0-v2.iaf
[cwolfe@lodi temp]$ inspec sign verify simple-0.1.0-v2.iaf
Verifying simple-0.1.0-v2.iaf
Detected format version 'INSPEC-PROFILE-2'
Attempting to verify using key 'cwolfe-03'
@ -171,10 +171,10 @@ Ensure to keep your signing key secret. It would help if you devised a way of di
### How do I sign profiles?
You will need a signing key to sign profiles. Specify the name of the key and the name of the profile.
You will need a signing key to sign profiles. Specify the path of profile and the name of the key.
```bash
[cwolfe@lodi temp]$ inspec sign profile --keyname test-03 --profile simple
[cwolfe@lodi temp]$ inspec sign profile simple --keyname test-03
Signing simple with key cwolfe-03
Dependencies for profile simple successfully vendored to /Users/cwolfe/sandbox/inspec/inspec-5/temp/simple/vendor
Successfully generated simple-0.1.0.iaf


@ -45,25 +45,24 @@ module InspecPlugins
end
end
def self.profile_sign(options)
def self.profile_sign(profile_path, options)
artifact = new
path_to_profile = options["profile"]
# Writes the profile content id in the inspec.yml
if options[:profile_content_id] && !options[:profile_content_id].strip.empty?
artifact.write_profile_content_id(path_to_profile, options[:profile_content_id])
artifact.write_profile_content_id(profile_path, options[:profile_content_id])
end
puts "Signing #{options["profile"]} with key #{options["keyname"]}"
puts "Signing #{profile_path} with key #{options["keyname"]}"
keypath = Inspec::IafFile.find_signing_key(options["keyname"])
# Read name and version from metadata and use them to form the filename
profile_md = artifact.read_profile_metadata(path_to_profile)
profile_md = artifact.read_profile_metadata(profile_path)
artifact_filename = "#{profile_md["name"]}-#{profile_md["version"]}.#{SIGNED_PROFILE_SUFFIX}"
# Generating tar.gz file using archive method of Inspec Cli
Inspec::InspecCLI.new.archive(path_to_profile, "error")
Inspec::InspecCLI.new.archive(profile_path, "error")
tarfile = "#{profile_md["name"]}-#{profile_md["version"]}.tar.gz"
tar_content = IO.binread(tarfile)
FileUtils.rm(tarfile)
@ -89,8 +88,8 @@ module InspecPlugins
Inspec::UI.new.exit(:usage_error)
end
def self.profile_verify(options)
file_to_verify = options["signed_profile"]
def self.profile_verify(signed_profile_path)
file_to_verify = signed_profile_path
puts "Verifying #{file_to_verify}"
iaf_file = Inspec::IafFile.new(file_to_verify)
@ -110,12 +109,12 @@ module InspecPlugins
Inspec::UI.new.exit(:usage_error)
end
def read_profile_metadata(path_to_profile)
def read_profile_metadata(profile_path)
begin
p = Pathname.new(path_to_profile)
p = Pathname.new(profile_path)
p = p.join("inspec.yml")
unless p.exist?
raise "#{path_to_profile} doesn't appear to be a valid #{PRODUCT_NAME} profile"
raise "#{profile_path} doesn't appear to be a valid #{PRODUCT_NAME} profile"
end
yaml = YAML.load_file(p.to_s)
@ -137,8 +136,8 @@ module InspecPlugins
yaml
end
def write_profile_content_id(path_to_profile, profile_content_id)
p = Pathname.new(path_to_profile)
def write_profile_content_id(profile_path, profile_content_id)
p = Pathname.new(profile_path)
p = p.join("inspec.yml")
yaml = YAML.load_file(p.to_s)
existing_profile_content_id = yaml["profile_content_id"]
@ -152,7 +151,7 @@ module InspecPlugins
lines = IO.readlines(p)
lines << "\nprofile_content_id: #{profile_content_id}\n"
File.open("#{p}", "w" ) do | f |
File.open("#{p}", "w" ) do |f|
f.puts lines
end
end
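Review bot: In `profile_sign`, the new positional `profile_path` is handed to `write_profile_content_id` before anything confirms it points at a profile directory; the `inspec.yml` existence check lives only in `read_profile_metadata`, which runs afterwards. When `profile_content_id` is given and the path is mistyped, the user would presumably see a raw file-not-found error from `YAML.load_file` instead of the "doesn't appear to be a valid … profile" message. Moving `profile_md = artifact.read_profile_metadata(profile_path)` ahead of the `if options[:profile_content_id]` block would validate the path first; only `name` and `version` are read from `profile_md` in the visible lines, so the reorder looks safe, but the method body continues outside the hunk. Because signing can rewrite the profile's metadata in place, a comment such as `# NOTE: may append profile_content_id to <profile_path>/inspec.yml before archiving` on `profile_sign` would make that side effect explicit.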


@ -89,22 +89,18 @@ module InspecPlugins
InspecPlugins::Sign::Base.keygen(options)
end
desc "profile", "Create a signed .iaf artifact"
option :profile, type: :string, required: true,
desc: "Path to profile directory"
desc "profile PATH", "sign the profile in PATH and generate .iaf artifact."
option :keyname, type: :string, required: true,
desc: "Desriptive name of key"
option :profile_content_id, type: :string,
desc: "UUID of the profile. This will write the profile_content_id in the metadata file if it does not already exist in the metadata file."
def profile
InspecPlugins::Sign::Base.profile_sign(options)
def profile(profile_path)
InspecPlugins::Sign::Base.profile_sign(profile_path, options)
end
desc "verify", "Verify a signed .iaf artifact"
option :signed_profile, type: :string, required: true,
desc: ".iaf file to verify"
def verify
InspecPlugins::Sign::Base.profile_verify(options)
desc "verify PATH", "Verify a signed profile .iaf artifact at given path."
def verify(signed_profile_path)
InspecPlugins::Sign::Base.profile_verify(signed_profile_path)
end
end
end
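Review bot: Removing `option :profile` and `option :signed_profile` outright means existing invocations such as `inspec sign verify --signed-profile simple-0.1.0-v2.iaf` change behaviour with no deprecation window, which matters for pipelines that gate on signature verification. Consider keeping the old options for one release as deprecated aliases, for example `def verify(signed_profile_path = nil)` with `signed_profile_path ||= options["signed_profile"]`, and the same pattern for `profile`. How Thor treats the now-undeclared flag is not visible here, so a test for the old form would confirm it fails loudly rather than being misread as the path. On style, the new `profile` description starts lowercase (`"sign the profile in PATH …"`) while the `verify` description is capitalised.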


@ -34,10 +34,10 @@ class SignCli < Minitest::Test
out = run_inspec_process("sign generate-keys --keyname #{unique_key_name}", prefix: "cd #{dir};")
assert_exit_code 0, out
out = run_inspec_process("sign profile --profile #{profile} --keyname #{unique_key_name}", prefix: "cd #{dir};")
out = run_inspec_process("sign profile #{profile} --keyname #{unique_key_name}", prefix: "cd #{dir};")
assert_exit_code 0, out
out = run_inspec_process("sign verify --signed-profile artifact-profile-0.1.0.iaf", prefix: "cd #{dir};")
out = run_inspec_process("sign verify artifact-profile-0.1.0.iaf", prefix: "cd #{dir};")
assert_exit_code 0, out
assert_includes out.stdout.force_encoding(Encoding::UTF_8), "Verifying artifact-profile-0.1.0.iaf"


@ -17,7 +17,7 @@ describe "inspec exec" do
out = run_inspec_process("sign generate-keys --keyname #{unique_key_name}", prefix: "cd #{dir};")
assert_exit_code 0, out
out = run_inspec_process("sign profile --profile #{profile} --keyname #{unique_key_name}", prefix: "cd #{dir};")
out = run_inspec_process("sign profile #{profile} --keyname #{unique_key_name}", prefix: "cd #{dir};")
assert_exit_code 0, out
out = run_inspec_process("exec profile_a-0.1.0.iaf --no-create-lockfile", prefix: "cd #{dir};")
@ -40,7 +40,7 @@ describe "inspec exec" do
out = run_inspec_process("sign generate-keys --keyname #{unique_key_name}", prefix: "cd #{dir};")
assert_exit_code 0, out
out = run_inspec_process("sign profile --profile #{profile} --keyname #{unique_key_name}", prefix: "cd #{dir};")
out = run_inspec_process("sign profile #{profile} --keyname #{unique_key_name}", prefix: "cd #{dir};")
assert_exit_code 0, out
delete_keys(unique_key_name)
@ -63,7 +63,7 @@ describe "inspec exec" do
out = run_inspec_process("sign generate-keys --keyname #{unique_key_name}", prefix: "cd #{dir};")
assert_exit_code 0, out
out = run_inspec_process("sign profile --profile #{profile} --keyname #{unique_key_name}", prefix: "cd #{dir};")
out = run_inspec_process("sign profile #{profile} --keyname #{unique_key_name}", prefix: "cd #{dir};")
assert_exit_code 0, out
out = run_inspec_process("exec profile_a-0.1.0.iaf --no-create-lockfile", prefix: "cd #{dir};")