diff --git a/docs-chef-io/content/inspec/signing.md b/docs-chef-io/content/inspec/signing.md index 7f955c396..dad051f4e 100644 --- a/docs-chef-io/content/inspec/signing.md +++ b/docs-chef-io/content/inspec/signing.md @@ -54,7 +54,7 @@ A signed profile is checked for validity before being executed, and if it cannot The `inspec sign verify` command specifies which key is used to sign a profile. ```bash -[cwolfe@lodi temp]$ inspec sign verify --signed-profile simple-0.1.0-v2.iaf +[cwolfe@lodi temp]$ inspec sign verify simple-0.1.0-v2.iaf Verifying simple-0.1.0-v2.iaf Detected format version 'INSPEC-PROFILE-2' Attempting to verify using key 'cwolfe-03' @@ -171,10 +171,10 @@ Ensure to keep your signing key secret. It would help if you devised a way of di ### How do I sign profiles? -You will need a signing key to sign profiles. Specify the name of the key and the name of the profile. +You will need a signing key to sign profiles. Specify the path of profile and the name of the key. ```bash -[cwolfe@lodi temp]$ inspec sign profile --keyname test-03 --profile simple +[cwolfe@lodi temp]$ inspec sign profile simple --keyname test-03 Signing simple with key cwolfe-03 Dependencies for profile simple successfully vendored to /Users/cwolfe/sandbox/inspec/inspec-5/temp/simple/vendor Successfully generated simple-0.1.0.iaf diff --git a/lib/plugins/inspec-sign/lib/inspec-sign/base.rb b/lib/plugins/inspec-sign/lib/inspec-sign/base.rb index f30dad41a..d0213b2c7 100644 --- a/lib/plugins/inspec-sign/lib/inspec-sign/base.rb +++ b/lib/plugins/inspec-sign/lib/inspec-sign/base.rb 
@@ -45,25 +45,24 @@ module InspecPlugins end end - def self.profile_sign(options) + def self.profile_sign(profile_path, options) artifact = new - path_to_profile = options["profile"] # Writes the profile content id in the inspec.yml if options[:profile_content_id] && !options[:profile_content_id].strip.empty? - artifact.write_profile_content_id(path_to_profile, options[:profile_content_id]) + artifact.write_profile_content_id(profile_path, options[:profile_content_id]) end - puts "Signing #{options["profile"]} with key #{options["keyname"]}" + puts "Signing #{profile_path} with key #{options["keyname"]}" keypath = Inspec::IafFile.find_signing_key(options["keyname"]) # Read name and version from metadata and use them to form the filename - profile_md = artifact.read_profile_metadata(path_to_profile) + profile_md = artifact.read_profile_metadata(profile_path) artifact_filename = "#{profile_md["name"]}-#{profile_md["version"]}.#{SIGNED_PROFILE_SUFFIX}" # Generating tar.gz file using archive method of Inspec Cli - Inspec::InspecCLI.new.archive(path_to_profile, "error") + Inspec::InspecCLI.new.archive(profile_path, "error") tarfile = "#{profile_md["name"]}-#{profile_md["version"]}.tar.gz" tar_content = IO.binread(tarfile) FileUtils.rm(tarfile) @@ -89,8 +88,8 @@ module InspecPlugins Inspec::UI.new.exit(:usage_error) end - def self.profile_verify(options) - file_to_verify = options["signed_profile"] + def self.profile_verify(signed_profile_path) + file_to_verify = signed_profile_path puts "Verifying #{file_to_verify}" iaf_file = Inspec::IafFile.new(file_to_verify) 
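Review bot: `options[:profile_content_id]` is only checked for being non-blank before it goes to `write_profile_content_id`, which (in the hunk at -152) appends it to `inspec.yml` as raw text via `"\nprofile_content_id: #{profile_content_id}\n"`. The option is documented as a UUID, so a value containing a newline or YAML syntax would add or override other metadata keys in the file that is then archived and signed. I would validate it before the write, for example `raise "profile_content_id must be a UUID" unless options[:profile_content_id].match?(/\A\h{8}-\h{4}-\h{4}-\h{4}-\h{12}\z/)`. The write also runs before `read_profile_metadata` has confirmed that `profile_path` contains an `inspec.yml`, so a wrong path presumably fails inside `YAML.load_file` rather than with the "doesn't appear to be a valid profile" message. The body of `profile_sign` continues past the end of this hunk.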
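Review bot: `file_to_verify = signed_profile_path` is now a plain alias for the parameter, so the local can be dropped and the parameter used directly in `puts "Verifying #{signed_profile_path}"` and `Inspec::IafFile.new(signed_profile_path)`. Because the path is now a free positional argument, a short comment above `profile_verify` would help callers that gate execution on the result. It should say that the method expects the path to a `.iaf` file and how a failed verification is reported. The rest of the method body is outside this hunk, so the failure path cannot be checked from here.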
@@ -110,12 +109,12 @@ module InspecPlugins Inspec::UI.new.exit(:usage_error) end - def read_profile_metadata(path_to_profile) + def read_profile_metadata(profile_path) begin - p = Pathname.new(path_to_profile) + p = Pathname.new(profile_path) p = p.join("inspec.yml") unless p.exist? - raise "#{path_to_profile} doesn't appear to be a valid #{PRODUCT_NAME} profile" + raise "#{profile_path} doesn't appear to be a valid #{PRODUCT_NAME} profile" end yaml = YAML.load_file(p.to_s) @@ -137,8 +136,8 @@ module InspecPlugins yaml end - def write_profile_content_id(path_to_profile, profile_content_id) - p = Pathname.new(path_to_profile) + def write_profile_content_id(profile_path, profile_content_id) + p = Pathname.new(profile_path) p = p.join("inspec.yml") yaml = YAML.load_file(p.to_s) existing_profile_content_id = yaml["profile_content_id"] @@ -152,7 +151,7 @@ module InspecPlugins lines = IO.readlines(p) lines << "\nprofile_content_id: #{profile_content_id}\n" - File.open("#{p}", "w" ) do | f | + File.open("#{p}", "w" ) do |f| f.puts lines end end diff --git a/lib/plugins/inspec-sign/lib/inspec-sign/cli.rb b/lib/plugins/inspec-sign/lib/inspec-sign/cli.rb index 8b2e45d5f..69c63b3a4 100644 --- a/lib/plugins/inspec-sign/lib/inspec-sign/cli.rb +++ b/lib/plugins/inspec-sign/lib/inspec-sign/cli.rb 
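Review bot: `YAML.load_file(p.to_s)` in `read_profile_metadata` parses the `inspec.yml` of whatever directory is passed as `profile_path`, and on Psych versions before 4 `load_file` will instantiate arbitrary tagged Ruby objects. Profile metadata only needs plain scalars, maps and lists, so `YAML.safe_load(File.read(p.to_s))` is the safer call. The same applies to the `YAML.load_file` in `write_profile_content_id` in the next hunk. The local `p` also shadows `Kernel#p`; a name such as `metadata_path` would read better. The `begin` block's rescue is outside the hunk.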
@@ -89,22 +89,18 @@ module InspecPlugins InspecPlugins::Sign::Base.keygen(options) end - desc "profile", "Create a signed .iaf artifact" - option :profile, type: :string, required: true, - desc: "Path to profile directory" + desc "profile PATH", "sign the profile in PATH and generate .iaf artifact." option :keyname, type: :string, required: true, desc: "Desriptive name of key" option :profile_content_id, type: :string, desc: "UUID of the profile. This will write the profile_content_id in the metadata file if it does not already exist in the metadata file." - def profile - InspecPlugins::Sign::Base.profile_sign(options) + def profile(profile_path) + InspecPlugins::Sign::Base.profile_sign(profile_path, options) end - desc "verify", "Verify a signed .iaf artifact" - option :signed_profile, type: :string, required: true, - desc: ".iaf file to verify" - def verify - InspecPlugins::Sign::Base.profile_verify(options) + desc "verify PATH", "Verify a signed profile .iaf artifact at given path." + def verify(signed_profile_path) + InspecPlugins::Sign::Base.profile_verify(signed_profile_path) end end end diff --git a/lib/plugins/inspec-sign/test/functional/inspec_sign_test.rb b/lib/plugins/inspec-sign/test/functional/inspec_sign_test.rb index e45adea63..10f4f4996 100644 --- a/lib/plugins/inspec-sign/test/functional/inspec_sign_test.rb +++ b/lib/plugins/inspec-sign/test/functional/inspec_sign_test.rb 
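Review bot: `--profile` and `--signed-profile` are removed outright, so existing pipeline invocations such as `inspec sign verify --signed-profile x.iaf` change behaviour with no deprecation path. How Thor treats the stale flags is not visible here. For a verification step I would add a functional test that the old form exits non-zero with a clear usage message rather than treating the flag as a path. The new description strings also differ in case and wording: `desc "profile PATH", "Sign the profile at PATH and generate a .iaf artifact."` would match the `verify` line. The context line `desc: "Desriptive name of key"` has a typo worth fixing while here.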
@@ -34,10 +34,10 @@ class SignCli < Minitest::Test out = run_inspec_process("sign generate-keys --keyname #{unique_key_name}", prefix: "cd #{dir};") assert_exit_code 0, out - out = run_inspec_process("sign profile --profile #{profile} --keyname #{unique_key_name}", prefix: "cd #{dir};") + out = run_inspec_process("sign profile #{profile} --keyname #{unique_key_name}", prefix: "cd #{dir};") assert_exit_code 0, out - out = run_inspec_process("sign verify --signed-profile artifact-profile-0.1.0.iaf", prefix: "cd #{dir};") + out = run_inspec_process("sign verify artifact-profile-0.1.0.iaf", prefix: "cd #{dir};") assert_exit_code 0, out assert_includes out.stdout.force_encoding(Encoding::UTF_8), "Verifying artifact-profile-0.1.0.iaf" diff --git a/test/functional/inspec_exec_signed_profile_test.rb b/test/functional/inspec_exec_signed_profile_test.rb index ed8d91c60..2d9517004 100644 --- a/test/functional/inspec_exec_signed_profile_test.rb +++ b/test/functional/inspec_exec_signed_profile_test.rb @@ -17,7 +17,7 @@ describe "inspec exec" do out = run_inspec_process("sign generate-keys --keyname #{unique_key_name}", prefix: "cd #{dir};") assert_exit_code 0, out - out = run_inspec_process("sign profile --profile #{profile} --keyname #{unique_key_name}", prefix: "cd #{dir};") + out = run_inspec_process("sign profile #{profile} --keyname #{unique_key_name}", prefix: "cd #{dir};") assert_exit_code 0, out out = run_inspec_process("exec profile_a-0.1.0.iaf --no-create-lockfile", prefix: "cd #{dir};") @@ -40,7 +40,7 @@ describe "inspec exec" do out = run_inspec_process("sign generate-keys --keyname #{unique_key_name}", prefix: "cd #{dir};") assert_exit_code 0, out - out = run_inspec_process("sign profile --profile #{profile} --keyname #{unique_key_name}", prefix: "cd #{dir};") + out = run_inspec_process("sign profile #{profile} --keyname #{unique_key_name}", prefix: "cd #{dir};") assert_exit_code 0, out delete_keys(unique_key_name) 
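Review bot: The updated tests cover only the happy path of the new positional form. The path is now required by method arity rather than by `required: true`, so the failure behaviour is worth pinning with tests that assert a non-zero exit code. Useful cases are `sign profile` and `sign verify` with no path, and `sign verify` pointed at a missing or altered `.iaf`. The same gap applies to the `inspec_exec_signed_profile_test.rb` hunks that follow. Separately, `#{profile}` and `#{dir}` are interpolated into the command string unquoted, which presumably works for the fixture paths used here but would break on a path containing spaces.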
@@ -63,7 +63,7 @@ describe "inspec exec" do out = run_inspec_process("sign generate-keys --keyname #{unique_key_name}", prefix: "cd #{dir};") assert_exit_code 0, out - out = run_inspec_process("sign profile --profile #{profile} --keyname #{unique_key_name}", prefix: "cd #{dir};") + out = run_inspec_process("sign profile #{profile} --keyname #{unique_key_name}", prefix: "cd #{dir};") assert_exit_code 0, out out = run_inspec_process("exec profile_a-0.1.0.iaf --no-create-lockfile", prefix: "cd #{dir};")