fix: make the plugin compatible with all versions of chef compliance

This commit is contained in:
Christoph Hartmann 2016-04-13 13:47:33 +02:00
parent 01bec4cd1e
commit 07c359431f
5 changed files with 228 additions and 212 deletions

View file

@ -7,6 +7,7 @@ $LOAD_PATH.unshift(libdir) unless $LOAD_PATH.include?(libdir)
module Compliance
autoload :Configuration, 'inspec-compliance/configuration'
autoload :HTTP, 'inspec-compliance/http'
autoload :API, 'inspec-compliance/api'
end

View file

@ -8,117 +8,25 @@ require 'uri'
module Compliance
# API Implementation does not hold any state by itself,
# everything will be stored in local Configuration store
class API # rubocop:disable Metrics/ClassLength
class API
# login method for pre-1.0 compliance server
def self.legacy_login_post(url, username, password, insecure)
# form request
# TODO: reuse post function
uri = URI.parse(url)
req = Net::HTTP::Post.new(uri.path)
req.basic_auth(username, password)
req.form_data={}
# saves the a user refresh token supplied by the user
def self.refresh_token(url, refresh_token, verify, user, insecure)
config = Compliance::Configuration.new
config['server'] = url
config['refresh_token'] = refresh_token
config['user'] = user
config['insecure'] = insecure
config['version'] = version(url, insecure)
if !verify
config.store
success = true
msg = 'refresh token stored'
else
url = "#{server}/login"
success, msg, access_token = Compliance::API.post_refresh_token(url, refresh_token, insecure)
if success
config['token'] = access_token
config.store
msg = 'token verified and stored'
end
end
[success, msg]
end
# saves a user access token (limited time)
def self.access_token(url, token, insecure)
config = Compliance::Configuration.new
config['server'] = url
config['insecure'] = insecure
config['token'] = token
config['version'] = version(url, insecure)
config.store
[true, 'access token stored']
end
def self.login(insecure)
config = Compliance::Configuration.new
if config['refresh_token'].nil?
puts 'No API token stored, please run `inspec compliance token` first'
exit 1
end
url = "#{config['server']}/login"
success, msg, access_token = Compliance::API.post_refresh_token(url, config['refresh_token'], insecure)
config['token'] = access_token
config.store
[success, msg]
end
def self.legacy_login(server, username, password, insecure)
config = Compliance::Configuration.new
url = "#{config['server']}/oauth/token"
success, data = Compliance::API.legacy_login_post(url, username, password, insecure)
if !data.nil?
tokendata = JSON.parse(data)
if tokendata['access_token']
config['user'] = username
config['token'] = tokendata['access_token']
config['insecure'] = insecure
config['version'] = version(url, insecure)
config.store
success = true
msg = 'Successfully authenticated'
else
msg = 'Reponse does not include a token'
end
else
msg = "Authentication failed for Server: #{url}"
end
[success, msg]
end
def self.logout
config = Compliance::Configuration.new
config.destroy
end
def self.legacy_logout
config = Compliance::Configuration.new
url = "#{config['server']}/logout"
Compliance::API.post(url, config['token'], config['insecure'], !config.supported?(:oidc))
config.destroy
end
# return the server api version
# NB this method does not use Compliance::Configuration to allow for using
# it before we know the version (e.g. oidc or not)
def self.version(url, insecure)
url = "#{url}/version"
_success, data = Compliance::API.get(url, nil, insecure)
if !data.nil?
JSON.parse(data)
else
{}
end
send_request(uri, req, insecure)
end
# return all compliance profiles available for the user
def self.profiles
config = Compliance::Configuration.new
def self.profiles(config)
url = "#{config['server']}/user/compliance"
_success, data = get(url, config['token'], config['insecure'], !config.supported?(:oidc))
# TODO, api should not be dependent on .supported?
response = Compliance::HTTP.get(url, config['token'], config['insecure'], !config.supported?(:oidc))
data = response.body
if !data.nil?
profiles = JSON.parse(data)
# iterate over profiles
@ -132,9 +40,22 @@ module Compliance
end
end
# return the server api version
# NB this method does not use Compliance::Configuration to allow for using
# it before we know the version (e.g. oidc or not)
def self.version(url, insecure)
response = Compliance::HTTP.get(url+'/version', nil, insecure)
data = response.body
if !data.nil?
JSON.parse(data)
else
{}
end
end
# verifies that a profile
def self.exist?(profile)
profiles = Compliance::API.profiles
def self.exist?(config, profile)
profiles = Compliance::API.profiles(config)
if !profiles.empty?
index = profiles.index { |p| "#{p[:org]}/#{p[:name]}" == profile }
!index.nil? && index >= 0
@ -143,34 +64,26 @@ module Compliance
end
end
def self.get(url, token, insecure, legacy = false)
uri = URI.parse(url)
req = Net::HTTP::Get.new(uri.path)
return send_request(uri, req, insecure) if token.nil?
if legacy
req.basic_auth(token, '')
else
req['Authorization'] = "Bearer #{token}"
end
send_request(uri, req, insecure)
def self.upload(config, owner, profile_name, archive_path)
# upload the tar to Chef Compliance
url = "#{config['server']}/owners/#{owner}/compliance/#{profile_name}/tar"
res = Compliance::HTTP.post_file(url, config['token'], archive_path, config['insecure'], !config.supported?(:oidc))
[res.is_a?(Net::HTTPSuccess), res.body]
end
def self.post_refresh_token(url, token, insecure)
uri = URI.parse(url)
uri = URI.parse("#{url}/login")
req = Net::HTTP::Post.new(uri.path)
req['Authorization'] = "Bearer #{token}"
# req['Authorization'] = "Bearer #{token}"
req.body = { token: token }.to_json
access_token = ''
success, data = send_request(uri, req, insecure)
access_token = nil
response = Compliance::HTTP.send_request(uri, req, insecure)
data = response.body
if !data.nil?
begin
tokendata = JSON.parse(data)
access_token = tokendata['access_token']
msg = 'successfully fetched access token'
msg = 'Successfully fetched access token'
success = true
rescue JSON::ParserError => e
success = false
@ -178,73 +91,10 @@ module Compliance
end
else
success = false
msg = 'invalid response'
msg = 'Invalid refresh_token'
end
[success, msg, access_token]
end
def self.post(url, token, insecure, legacy = false)
# form request
uri = URI.parse(url)
req = Net::HTTP::Post.new(uri.path)
if legacy
req.basic_auth token, ''
else
req['Authorization'] = "Bearer #{token}"
end
req.form_data={}
send_request(uri, req, insecure)
end
def self.legacy_login_post(url, username, password, insecure)
# form request
uri = URI.parse(url)
req = Net::HTTP::Post.new(uri.path)
req.basic_auth(username, password)
req.form_data={}
send_request(uri, req, insecure)
end
# upload a file
def self.post_file(url, token, file_path, insecure, legacy = false)
uri = URI.parse(url)
http = Net::HTTP.new(uri.host, uri.port)
# set connection flags
http.use_ssl = (uri.scheme == 'https')
http.verify_mode = OpenSSL::SSL::VERIFY_NONE if insecure
req = Net::HTTP::Post.new(uri.path)
if legacy
req.basic_auth token, ''
else
req['Authorization'] = "Bearer #{token}"
end
req.body_stream=File.open(file_path, 'rb')
req.add_field('Content-Length', File.size(file_path))
req.add_field('Content-Type', 'application/x-gtar')
boundary = 'INSPEC-PROFILE-UPLOAD'
req.add_field('session', boundary)
res=http.request(req)
[res.is_a?(Net::HTTPSuccess), res.body]
end
def self.send_request(uri, req, insecure)
opts = {
use_ssl: uri.scheme == 'https',
}
opts[:verify_mode] = OpenSSL::SSL::VERIFY_NONE if insecure
res = Net::HTTP.start(uri.host, uri.port, opts) {|http|
http.request(req)
}
[res.is_a?(Net::HTTPSuccess), res.body]
end
end
end

View file

@ -23,27 +23,29 @@ module Compliance
desc: 'Chef Compliance access token'
option :refresh_token, type: :string, required: false,
desc: 'Chef Compliance refresh token'
def login(server)
# if Compliance::Configuration.new.supported?(:oidc)
# puts "Your server is support --token and --refresh_token"
# else
# puts "Your server is outdated and supports only combination of --user and --password"
# end
def login(server) # rubocop:disable Metrics/CyclomaticComplexity, Metrics/AbcSize, PerceivedComplexity
# show warning if the Compliance Server does not support
if !Compliance::Configuration.new.supported?(:oidc) && (!options['token'].nil? || !options['refresh_token'].nil?)
puts 'Your server supports --user and --password only'
end
options['server'] = server
url = options['server'] + options['apipath']
if !options['user'].nil? && !options['password'].nil?
# username / password
success, msg = Compliance::API.legacy_login(url, options['user'], options['password'], options['insecure'])
elsif !options['token'].nil?
success, msg = login_legacy(url, options['user'], options['password'], options['insecure'])
elsif !options['user'].nil? && !options['token'].nil?
# access token
success, msg = Compliance::API.access_token(url, options['token'], options['insecure'])
success, msg = store_access_token(url, options['user'], options['token'], options['insecure'])
elsif !options['refresh_token'].nil? && !options['user'].nil?
# refresh token
success, msg = Compliance::API.refresh_token(url, options['token'], true, options['user'], options['insecure'])
success, msg = store_refresh_token(url, options['refresh_token'], true, options['user'], options['insecure'])
# TODO: we should login with the refreshtoken here
elsif !options['refresh_token'].nil?
success, msg = login_refreshtoken(url, options)
else
# try stored refresh_token
success, msg = Compliance::API.login(options['insecure'])
puts 'Please run `inspec compliance login` with options --token or --refresh_token and --user'
exit 1
end
if success
@ -55,7 +57,8 @@ module Compliance
desc 'profiles', 'list all available profiles in Chef Compliance'
def profiles
profiles = Compliance::API.profiles
config = Compliance::Configuration.new
profiles = Compliance::API.profiles(config)
if !profiles.empty?
# iterate over profiles
headline('Available profiles:')
@ -114,7 +117,7 @@ module Compliance
# check that the profile is not uploaded already,
# confirm upload to the user (overwrite with --force)
if Compliance::API.exist?("#{owner}/#{profile_name}") && !options['overwrite']
if Compliance::API.exist?(config, "#{owner}/#{profile_name}") && !options['overwrite']
error.call('Profile exists on the server, use --overwrite')
end
@ -137,11 +140,9 @@ module Compliance
puts "Start upload to #{owner}/#{profile_name}"
pname = ERB::Util.url_encode(profile_name)
# upload the tar to Chef Compliance
url = "#{config['server']}/owners/#{owner}/compliance/#{pname}/tar"
puts 'Uploading to Chef Compliance'
success, msg = Compliance::API.upload(config, owner, pname, archive_path)
puts "Uploading to #{url}"
success, msg = Compliance::API.post_file(url, config['token'], archive_path, config['insecure'])
if success
puts 'Successfully uploaded profile'
else
@ -164,17 +165,98 @@ module Compliance
desc 'logout', 'user logout from Chef Compliance'
def logout
if Compliance::Configuration.new.supported?(:oidc)
success = Compliance::API.logout
config = Compliance::Configuration.new
else
success = Compliance::API.legacy_logout
config = Compliance::Configuration.new
url = "#{config['server']}/logout"
Compliance::API.post(url, config['token'], config['insecure'], !config.supported?(:oidc))
end
success = config.destroy
if success
puts 'Successfully logged out'
else
puts 'Could not log out'
end
end
private
def login_refreshtoken(url, options)
success, msg, access_token = Compliance::API.post_refresh_token(url, options['refresh_token'], options['insecure'])
if success
config = Compliance::Configuration.new
config['server'] = url
config['token'] = access_token
config['insecure'] = options['insecure']
config['version'] = Compliance::API.version(url, options['insecure'])
config.store
end
[success, msg]
end
def login_legacy(url, username, password, insecure)
config = Compliance::Configuration.new
success, data = Compliance::API.legacy_login_post(url+'/oauth/token', username, password, insecure)
if !data.nil?
tokendata = JSON.parse(data)
if tokendata['access_token']
config['server'] = url
config['user'] = username
config['token'] = tokendata['access_token']
config['insecure'] = insecure
config['version'] = Compliance::API.version(url, insecure)
config.store
success = true
msg = 'Successfully authenticated'
else
msg = 'Reponse does not include a token'
end
else
msg = "Authentication failed for Server: #{url}"
end
[success, msg]
end
# saves a user access token (limited time)
def store_access_token(url, user, token, insecure)
config = Compliance::Configuration.new
config['server'] = url
config['insecure'] = insecure
config['user'] = user
config['token'] = token
config['version'] = Compliance::API.version(url, insecure)
config.store
[true, 'access token stored']
end
# saves the a user refresh token supplied by the user
def store_refresh_token(url, refresh_token, verify, user, insecure)
config = Compliance::Configuration.new
config['server'] = url
config['refresh_token'] = refresh_token
config['user'] = user
config['insecure'] = insecure
config['version'] = Compliance::API.version(url, insecure)
if !verify
config.store
success = true
msg = 'refresh token stored'
else
success, msg, access_token = Compliance::API.post_refresh_token(url, refresh_token, insecure)
if success
config['token'] = access_token
config.store
msg = 'token verified and stored'
end
end
[success, msg]
end
end
# register the subcommand to Inspec CLI registry

View file

@ -54,6 +54,9 @@ module Compliance
def supported?(feature)
sup = version_with_support(feature)
# we do not know the version, therefore we do not know if its possible to use the feature
return if self['version'].nil? || self['version']['version'].nil?
if sup.is_a?(Array)
Gem::Version.new(self['version']['version']) >= sup[0] &&
Gem::Version.new(self['version']['version']) < sup[1]

View file

@ -0,0 +1,80 @@
# encoding: utf-8
# author: Christoph Hartmann
# author: Dominik Richter
require 'net/http'
require 'uri'
module Compliance
# implements a simple http abstraction on top of Net::HTTP
class HTTP
# generic get requires
def self.get(url, token, insecure, basic_auth = false)
uri = URI.parse(url)
req = Net::HTTP::Get.new(uri.path)
return send_request(uri, req, insecure) if token.nil?
if basic_auth
req.basic_auth(token, '')
else
req['Authorization'] = "Bearer #{token}"
end
send_request(uri, req, insecure)
end
# generic post request
def self.post(url, token, insecure, basic_auth = false)
# form request
uri = URI.parse(url)
req = Net::HTTP::Post.new(uri.path)
if basic_auth
req.basic_auth token, ''
else
req['Authorization'] = "Bearer #{token}"
end
req.form_data={}
send_request(uri, req, insecure)
end
# post a file
def self.post_file(url, token, file_path, insecure, basic_auth = false)
uri = URI.parse(url)
http = Net::HTTP.new(uri.host, uri.port)
# set connection flags
http.use_ssl = (uri.scheme == 'https')
http.verify_mode = OpenSSL::SSL::VERIFY_NONE if insecure
req = Net::HTTP::Post.new(uri.path)
if basic_auth
req.basic_auth token, ''
else
req['Authorization'] = "Bearer #{token}"
end
req.body_stream=File.open(file_path, 'rb')
req.add_field('Content-Length', File.size(file_path))
req.add_field('Content-Type', 'application/x-gtar')
boundary = 'INSPEC-PROFILE-UPLOAD'
req.add_field('session', boundary)
res=http.request(req)
res
end
# sends a http requests
def self.send_request(uri, req, insecure)
opts = {
use_ssl: uri.scheme == 'https',
}
opts[:verify_mode] = OpenSSL::SSL::VERIFY_NONE if insecure
res = Net::HTTP.start(uri.host, uri.port, opts) {|http|
http.request(req)
}
res
end
end
end