mirror of
https://github.com/inspec/inspec
synced 2024-11-10 15:14:23 +00:00
Merge pull request #409 from chef/chris-rock/extras-compliance
Chef Compliance extension
This commit is contained in:
commit
1199400212
15 changed files with 606 additions and 143 deletions
|
@ -53,6 +53,8 @@ Style/AndOr:
|
|||
Enabled: false
|
||||
Style/Not:
|
||||
Enabled: false
|
||||
Style/FileName:
|
||||
Enabled: false
|
||||
Style/TrailingCommaInLiteral:
|
||||
EnforcedStyleForMultiline: comma
|
||||
Style/TrailingCommaInArguments:
|
||||
|
|
134
bin/inspec
134
bin/inspec
|
@ -7,46 +7,14 @@
|
|||
require 'thor'
|
||||
require 'json'
|
||||
require 'pp'
|
||||
require_relative '../lib/utils/base_cli'
|
||||
require_relative '../lib/inspec'
|
||||
require_relative '../lib/utils/json_log'
|
||||
|
||||
class Inspec::InspecCLI < Thor # rubocop:disable Metrics/ClassLength
|
||||
class Inspec::InspecCLI < Inspec::BaseCLI # rubocop:disable Metrics/ClassLength
|
||||
class_option :diagnose, type: :boolean,
|
||||
desc: 'Show diagnostics (versions, configurations)'
|
||||
|
||||
def self.target_options
|
||||
option :target, aliases: :t, type: :string,
|
||||
desc: 'Simple targeting option using URIs, e.g. ssh://user:pass@host:port'
|
||||
option :backend, aliases: :b, type: :string,
|
||||
desc: 'Choose a backend: local, ssh, winrm, docker.'
|
||||
option :host, type: :string,
|
||||
desc: 'Specify a remote host which is tested.'
|
||||
option :port, aliases: :p, type: :numeric,
|
||||
desc: 'Specify the login port for a remote scan.'
|
||||
option :user, type: :string,
|
||||
desc: 'The login user for a remote scan.'
|
||||
option :password, type: :string,
|
||||
desc: 'Login password for a remote scan, if required.'
|
||||
option :key_files, aliases: :i, type: :array,
|
||||
desc: 'Login key or certificate file for a remote scan.'
|
||||
option :path, type: :string,
|
||||
desc: 'Login path to use when connecting to the target (WinRM).'
|
||||
option :sudo, type: :boolean,
|
||||
desc: 'Run scans with sudo. Only activates on Unix and non-root user.'
|
||||
option :sudo_password, type: :string,
|
||||
desc: 'Specify a sudo password, if it is required.'
|
||||
option :sudo_options, type: :string,
|
||||
desc: 'Additional sudo options for a remote scan.'
|
||||
option :ssl, type: :boolean,
|
||||
desc: 'Use SSL for transport layer encryption (WinRM).'
|
||||
option :self_signed, type: :boolean,
|
||||
desc: 'Allow remote scans with self-signed certificates (WinRM).'
|
||||
option :json_config, type: :string,
|
||||
desc: 'Read configuration from JSON file (`-` reads from stdin).'
|
||||
option :log_level, aliases: :l, type: :string,
|
||||
desc: 'Set the log level: info (default), debug, warn, error'
|
||||
end
|
||||
|
||||
desc 'json PATH', 'read all tests in PATH and generate a JSON summary'
|
||||
option :id, type: :string,
|
||||
desc: 'Attach a profile ID to all test results'
|
||||
|
@ -91,14 +59,14 @@ class Inspec::InspecCLI < Thor # rubocop:disable Metrics/ClassLength
|
|||
%w{location profile controls timestamp valid}.each { |item|
|
||||
puts "#{mark_text(item.to_s.capitalize + ':')} #{result[:summary][item.to_sym]}"
|
||||
}
|
||||
newline
|
||||
puts
|
||||
|
||||
%w{errors warnings}.each { |list|
|
||||
headline(list.to_s.capitalize)
|
||||
result[list.to_sym].each { |item|
|
||||
puts "#{item[:file]}:#{item[:line]}:#{item[:column]}: #{item[:msg]} "
|
||||
}
|
||||
newline
|
||||
puts
|
||||
}
|
||||
end
|
||||
exit 1 unless result[:summary][:valid]
|
||||
|
@ -121,6 +89,13 @@ class Inspec::InspecCLI < Thor # rubocop:disable Metrics/ClassLength
|
|||
o[:logger].level = get_log_level(o.log_level)
|
||||
|
||||
profile = Inspec::Profile.from_path(path, o)
|
||||
result = profile.check
|
||||
|
||||
if result && !opts[:ignore_errors] == false
|
||||
@logger.info 'Profile check failed. Please fix the profile before generating an archive.'
|
||||
return exit 1
|
||||
end
|
||||
|
||||
# generate archive
|
||||
exit 1 unless profile.archive(opts)
|
||||
end
|
||||
|
@ -132,16 +107,7 @@ class Inspec::InspecCLI < Thor # rubocop:disable Metrics/ClassLength
|
|||
option :format, type: :string
|
||||
def exec(*tests)
|
||||
diagnose
|
||||
|
||||
o = opts.dup
|
||||
o[:logger] = Logger.new(opts['format'] == 'json' ? nil : STDOUT)
|
||||
o[:logger].level = get_log_level(o.log_level)
|
||||
|
||||
runner = Inspec::Runner.new(o)
|
||||
runner.add_tests(tests)
|
||||
exit runner.run
|
||||
rescue RuntimeError => e
|
||||
puts e.message
|
||||
run_tests(opts, tests)
|
||||
end
|
||||
|
||||
desc 'detect', 'detect the target OS'
|
||||
|
@ -174,82 +140,6 @@ class Inspec::InspecCLI < Thor # rubocop:disable Metrics/ClassLength
|
|||
def version
|
||||
puts Inspec::VERSION
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
def diagnose
|
||||
return unless opts['diagnose']
|
||||
puts "InSpec version: #{Inspec::VERSION}"
|
||||
puts "Train version: #{Train::VERSION}"
|
||||
puts 'Command line configuration:'
|
||||
pp options
|
||||
puts 'JSON configuration file:'
|
||||
pp options_json
|
||||
puts 'Merged configuration:'
|
||||
pp opts
|
||||
puts
|
||||
end
|
||||
|
||||
def opts
|
||||
# argv overrides json
|
||||
Thor::CoreExt::HashWithIndifferentAccess.new(options_json.merge(options))
|
||||
end
|
||||
|
||||
def options_json
|
||||
conffile = options['json_config']
|
||||
@json ||= conffile ? read_config(conffile) : {}
|
||||
end
|
||||
|
||||
def configure_logger(o)
|
||||
o[:logger] = Logger.new(STDOUT)
|
||||
# output json if we have activated the json formatter
|
||||
if opts['log-format'] == 'json'
|
||||
o[:logger].formatter = Logger::JSONFormatter.new
|
||||
end
|
||||
o[:logger].level = get_log_level(o.log_level)
|
||||
end
|
||||
|
||||
# get the log level
|
||||
# DEBUG < INFO < WARN < ERROR < FATAL < UNKNOWN
|
||||
def get_log_level(level)
|
||||
valid = %w{debug info warn error fatal}
|
||||
|
||||
if valid.include?(level)
|
||||
l = level
|
||||
else
|
||||
l = 'info'
|
||||
end
|
||||
|
||||
Logger.const_get(l.upcase)
|
||||
end
|
||||
|
||||
def read_config(file)
|
||||
if file == '-'
|
||||
puts 'WARN: reading JSON config from standard input' if STDIN.tty?
|
||||
config = STDIN.read
|
||||
else
|
||||
config = File.read(file)
|
||||
end
|
||||
|
||||
JSON.load(config)
|
||||
rescue JSON::ParserError => e
|
||||
puts "Failed to load JSON configuration: #{e}\nConfig was: #{config.inspect}"
|
||||
exit 1
|
||||
end
|
||||
|
||||
def mark_text(text)
|
||||
"\e[0;32m#{text}\e[0m"
|
||||
end
|
||||
|
||||
def headline(title)
|
||||
puts title
|
||||
title.each_char { print '-' }
|
||||
newline
|
||||
end
|
||||
|
||||
def newline
|
||||
print "\n"
|
||||
end
|
||||
end
|
||||
|
||||
# load CLI plugins before the Inspec CLI has been started
|
||||
|
|
14
lib/bundles/inspec-compliance.rb
Normal file
14
lib/bundles/inspec-compliance.rb
Normal file
|
@ -0,0 +1,14 @@
|
|||
# encoding: utf-8
|
||||
# author: Christoph Hartmann
|
||||
# author: Dominik Richter
|
||||
|
||||
libdir = File.dirname(__FILE__)
|
||||
$LOAD_PATH.unshift(libdir) unless $LOAD_PATH.include?(libdir)
|
||||
|
||||
module Compliance
|
||||
autoload :Configuration, 'inspec-compliance/configuration'
|
||||
autoload :API, 'inspec-compliance/api'
|
||||
end
|
||||
|
||||
require 'inspec-compliance/cli'
|
||||
require 'inspec-compliance/target'
|
20
lib/bundles/inspec-compliance/README.md
Normal file
20
lib/bundles/inspec-compliance/README.md
Normal file
|
@ -0,0 +1,20 @@
|
|||
# InSpec Extension for Chef Compliance
|
||||
|
||||
This extensions offers the following features:
|
||||
|
||||
- list available profiles in Chef Compliance
|
||||
- execute profiles directly from Chef Compliance locally
|
||||
- upload a local profile to Chef Compliance
|
||||
|
||||
To use the CLI, this InSpec add-on adds the following commands:
|
||||
|
||||
* `$ inspec compliance login user password` - authentication against Chef Compliance
|
||||
* `$ inspec compliance profiles` - list all available Chef Compliance profiles
|
||||
* `$ inspec compliance exec profile` - runs a Chef Compliance profile
|
||||
* `$ inspec compliance upload path/to/local/profile` - uploads a local profile to Chef Compliance
|
||||
* `$ inspec compliance logout` - logout of Chef Compliance
|
||||
|
||||
Compliance profiles can be executed in two mays:
|
||||
|
||||
- via compliance exec: `inspec compliance exec profile`
|
||||
- via compliance scheme: `inspec exec compliance://profile`
|
134
lib/bundles/inspec-compliance/api.rb
Executable file
134
lib/bundles/inspec-compliance/api.rb
Executable file
|
@ -0,0 +1,134 @@
|
|||
# encoding: utf-8
|
||||
# author: Christoph Hartmann
|
||||
# author: Dominik Richter
|
||||
|
||||
require 'net/http'
|
||||
require 'uri'
|
||||
|
||||
module Compliance
|
||||
# API Implementation does not hold any state by itself,
|
||||
# everything will be stored in local Configuration store
|
||||
class API
|
||||
# logs into the server, retrieves a token and stores it locally
|
||||
def self.login(server, username, password)
|
||||
config = Compliance::Configuration.new
|
||||
config['server'] = server
|
||||
url = "#{server}/oauth/token"
|
||||
|
||||
success, data = Compliance::API.post(url, username, password)
|
||||
if !data.nil?
|
||||
tokendata = JSON.parse(data)
|
||||
if tokendata['access_token']
|
||||
config['user'] = username
|
||||
config['token'] = tokendata['access_token']
|
||||
config.store
|
||||
success = true
|
||||
msg = 'Successfully authenticated'
|
||||
else
|
||||
msg = 'Reponse does not include a token'
|
||||
end
|
||||
else
|
||||
msg = "Authentication failed for Server: #{url}"
|
||||
end
|
||||
[success, msg]
|
||||
end
|
||||
|
||||
def self.logout
|
||||
config = Compliance::Configuration.new
|
||||
url = "#{config['server']}/logout"
|
||||
Compliance::API.post(url, config['token'], nil)
|
||||
config.destroy
|
||||
end
|
||||
|
||||
# return the server api version
|
||||
def self.version
|
||||
config = Compliance::Configuration.new
|
||||
url = "#{config['server']}/version"
|
||||
|
||||
_success, data = Compliance::API.get(url, nil, nil)
|
||||
if !data.nil?
|
||||
JSON.parse(data)
|
||||
else
|
||||
{}
|
||||
end
|
||||
end
|
||||
|
||||
# return all compliance profiles available for the user
|
||||
def self.profiles
|
||||
config = Compliance::Configuration.new
|
||||
|
||||
url = "#{config['server']}/user/compliance"
|
||||
_success, data = get(url, config['token'], '')
|
||||
|
||||
if !data.nil?
|
||||
profiles = JSON.parse(data)
|
||||
val = []
|
||||
# iterate over profiles
|
||||
profiles.each_key { |org|
|
||||
profiles[org].each_key { |name|
|
||||
val.push({ org: org, name: name })
|
||||
}
|
||||
}
|
||||
val
|
||||
else
|
||||
[]
|
||||
end
|
||||
end
|
||||
|
||||
# verifies that a profile
|
||||
def self.exist?(profile)
|
||||
profiles = Compliance::API.profiles
|
||||
if !profiles.empty?
|
||||
index = profiles.index { |p| "#{p[:org]}/#{p[:name]}" == profile }
|
||||
!index.nil? && index >= 0
|
||||
else
|
||||
false
|
||||
end
|
||||
end
|
||||
|
||||
def self.get(url, username, password)
|
||||
uri = URI.parse(url)
|
||||
req = Net::HTTP::Get.new(uri.path)
|
||||
req.basic_auth username, password
|
||||
|
||||
send_request(uri, req)
|
||||
end
|
||||
|
||||
def self.post(url, username, password)
|
||||
# form request
|
||||
uri = URI.parse(url)
|
||||
req = Net::HTTP::Post.new(uri.path)
|
||||
req.basic_auth username, password
|
||||
req.form_data={}
|
||||
|
||||
send_request(uri, req)
|
||||
end
|
||||
|
||||
# upload a file
|
||||
def self.post_file(url, username, password, file_path)
|
||||
uri = URI.parse(url)
|
||||
http = Net::HTTP.new(uri.host, uri.port)
|
||||
req = Net::HTTP::Post.new(uri.path)
|
||||
req.basic_auth username, password
|
||||
|
||||
req.body_stream=File.open(file_path)
|
||||
req['Content-Type'] = 'multipart/form-data'
|
||||
req.add_field('Content-Length', File.size(file_path))
|
||||
req.add_field('Content-Type', 'application/x-gtar')
|
||||
|
||||
boundary = 'INSPEC-PROFILE-UPLOAD'
|
||||
req.add_field('session', boundary)
|
||||
res=http.request(req)
|
||||
|
||||
[res.is_a?(Net::HTTPSuccess), res.body]
|
||||
end
|
||||
|
||||
def self.send_request(uri, req)
|
||||
# send request
|
||||
res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') {|http|
|
||||
http.request(req)
|
||||
}
|
||||
[res.is_a?(Net::HTTPSuccess), res.body]
|
||||
end
|
||||
end
|
||||
end
|
146
lib/bundles/inspec-compliance/cli.rb
Normal file
146
lib/bundles/inspec-compliance/cli.rb
Normal file
|
@ -0,0 +1,146 @@
|
|||
# encoding: utf-8
|
||||
# author: Christoph Hartmann
|
||||
# author: Dominik Richter
|
||||
|
||||
require 'thor'
|
||||
|
||||
module Compliance
|
||||
class ComplianceCLI < Inspec::BaseCLI # rubocop:disable Metrics/ClassLength
|
||||
namespace 'compliance'
|
||||
|
||||
desc 'login SERVER', 'Log in to a Chef Compliance SERVER'
|
||||
option :user, type: :string, required: true,
|
||||
desc: 'Chef Compliance Username'
|
||||
option :password, type: :string, required: true,
|
||||
desc: 'Chef Compliance Password'
|
||||
def login(server)
|
||||
success, msg = Compliance::API.login(server, options['user'], options['password'])
|
||||
if success
|
||||
puts 'Successfully authenticated'
|
||||
else
|
||||
puts msg
|
||||
end
|
||||
end
|
||||
|
||||
desc 'profiles', 'list all available profiles in Chef Compliance'
|
||||
def profiles
|
||||
profiles = Compliance::API.profiles
|
||||
if !profiles.empty?
|
||||
# iterate over profiles
|
||||
headline('Available profiles:')
|
||||
profiles.each { |profile|
|
||||
li("#{profile[:org]}/#{profile[:name]}")
|
||||
}
|
||||
else
|
||||
puts 'Could not find any profiles'
|
||||
end
|
||||
end
|
||||
|
||||
desc 'exec PROFILE', 'executes a Chef Compliance profile'
|
||||
option :id, type: :string,
|
||||
desc: 'Attach a profile ID to all test results'
|
||||
target_options
|
||||
option :format, type: :string
|
||||
def exec(*tests)
|
||||
# iterate over tests and add compliance scheme
|
||||
tests = tests.map { |t| 'compliance://' + t }
|
||||
|
||||
# execute profile from inspec exec implementation
|
||||
diagnose
|
||||
run_tests(opts, tests)
|
||||
end
|
||||
|
||||
desc 'upload PATH', 'uploads a local profile to Chef Compliance'
|
||||
option :overwrite, type: :boolean, default: false,
|
||||
desc: 'Overwrite existing profile on Chef Compliance.'
|
||||
def upload(path) # rubocop:disable Metrics/MethodLength, Metrics/AbcSize, PerceivedComplexity
|
||||
o = options.dup
|
||||
configure_logger(o)
|
||||
# check the profile, we only allow to upload valid profiles
|
||||
profile = Inspec::Profile.from_path(path, o)
|
||||
|
||||
# start verification process
|
||||
error_count = 0
|
||||
error = lambda { |msg|
|
||||
error_count += 1
|
||||
puts msg
|
||||
}
|
||||
|
||||
result = profile.check
|
||||
unless result[:summary][:valid]
|
||||
error.call('Profile check failed. Please fix the profile before upload.')
|
||||
else
|
||||
puts('Profile is valid')
|
||||
end
|
||||
|
||||
# determine user information
|
||||
config = Compliance::Configuration.new
|
||||
if config['token'].nil? || config['user'].nil?
|
||||
error.call('Please login via `inspec compliance login`')
|
||||
end
|
||||
|
||||
# owner
|
||||
owner = config['user']
|
||||
# read profile name from inspec.yml
|
||||
profile_name = profile.params[:name]
|
||||
|
||||
# check that the profile is not uploaded already,
|
||||
# confirm upload to the user (overwrite with --force)
|
||||
if Compliance::API.exist?("#{owner}/#{profile_name}") && !options['overwrite']
|
||||
error.call('Profile exists on the server, use --overwrite')
|
||||
end
|
||||
|
||||
# abort if we found an error
|
||||
if error_count > 0
|
||||
puts "Found #{error_count} error(s)"
|
||||
exit 1
|
||||
end
|
||||
|
||||
# if it is a directory, tar it to tmp directory
|
||||
if File.directory?(path)
|
||||
file = Tempfile.new([profile_name, '.tar.gz'])
|
||||
archive_path = file.path
|
||||
puts "Generate temporary profile archive at #{archive_path}"
|
||||
profile.archive({ archive: archive_path, ignore_errors: false, overwrite: true })
|
||||
else
|
||||
archive_path = path
|
||||
end
|
||||
|
||||
puts "Start upload to #{owner}/#{profile_name}"
|
||||
|
||||
# upload the tar to Chef Compliance
|
||||
url = "#{config['server']}/owners/#{owner}/compliance/#{profile_name}/tar"
|
||||
|
||||
puts "Uploading to #{url}"
|
||||
success, msg = Compliance::API.post_file(url, config['token'], '', archive_path)
|
||||
if success
|
||||
puts 'Successfully uploaded profile'
|
||||
else
|
||||
puts 'Error during profile upload:'
|
||||
puts msg
|
||||
end
|
||||
end
|
||||
|
||||
desc 'version', 'displays the version of the Chef Compliance server'
|
||||
def version
|
||||
info = Compliance::API.version
|
||||
if !info.nil? && info['version']
|
||||
puts "Chef Compliance version: #{info['version']}"
|
||||
else
|
||||
puts 'Could not determine server version.'
|
||||
end
|
||||
end
|
||||
|
||||
desc 'logout', 'user logout from Chef Compliance'
|
||||
def logout
|
||||
if Compliance::API.logout
|
||||
puts 'Successfully logged out'
|
||||
else
|
||||
puts 'Could not log out'
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
# register the subcommand to Inspec CLI registry
|
||||
Inspec::Plugins::CLI.register(ComplianceCLI, 'compliance', 'compliance SUBCOMMAND ...', 'Chef Compliance commands', {})
|
||||
end
|
52
lib/bundles/inspec-compliance/configuration.rb
Normal file
52
lib/bundles/inspec-compliance/configuration.rb
Normal file
|
@ -0,0 +1,52 @@
|
|||
# encoding: utf-8
|
||||
# author: Christoph Hartmann
|
||||
# author: Dominik Richter
|
||||
|
||||
module Compliance
|
||||
# stores configuration on local filesystem
|
||||
class Configuration
|
||||
def initialize
|
||||
@config_path = File.join(Dir.home, '.inspec', 'compliance')
|
||||
# ensure the directory is available
|
||||
unless File.directory?(@config_path)
|
||||
FileUtils.mkdir_p(@config_path)
|
||||
end
|
||||
# set config file path
|
||||
@config_file = File.join(@config_path, '/config.json')
|
||||
@config = {}
|
||||
|
||||
# load the data
|
||||
get
|
||||
end
|
||||
|
||||
# direct access to config
|
||||
def [](key)
|
||||
@config[key]
|
||||
end
|
||||
|
||||
def []=(key, value)
|
||||
@config[key] = value
|
||||
end
|
||||
|
||||
# return the json data
|
||||
def get
|
||||
if File.exist?(@config_file)
|
||||
file = File.read(@config_file)
|
||||
@config = JSON.parse(file)
|
||||
end
|
||||
@config
|
||||
end
|
||||
|
||||
# stores a hash to json
|
||||
def store
|
||||
File.open(@config_file, 'w') do |f|
|
||||
f.write(@config.to_json)
|
||||
end
|
||||
end
|
||||
|
||||
# deletes data
|
||||
def destroy
|
||||
File.delete(@config_file)
|
||||
end
|
||||
end
|
||||
end
|
61
lib/bundles/inspec-compliance/target.rb
Normal file
61
lib/bundles/inspec-compliance/target.rb
Normal file
|
@ -0,0 +1,61 @@
|
|||
# encoding: utf-8
|
||||
# author: Christoph Hartmann
|
||||
# author: Dominik Richter
|
||||
|
||||
require 'uri'
|
||||
|
||||
# InSpec Target Helper for Chef Compliance
|
||||
# reuses UrlHelper, but it knows the target server and the access token already
|
||||
# similar to `inspec exec http://localhost:2134/owners/%base%/compliance/%ssh%/tar --user %token%`
|
||||
module Compliance
|
||||
class ChefComplianceHelper < Inspec::Targets::UrlHelper
|
||||
def handles?(target)
|
||||
# check for local scheme compliance://
|
||||
uri = URI(target)
|
||||
return unless URI(uri).scheme == 'compliance'
|
||||
|
||||
# check if we have a compliance token
|
||||
config = Compliance::Configuration.new
|
||||
return if config['token'].nil?
|
||||
|
||||
# get profile name
|
||||
profile = get_profile_name(uri)
|
||||
|
||||
# verifies that the target e.g base/ssh exists
|
||||
Compliance::API.exist?(profile)
|
||||
rescue URI::Error => _e
|
||||
false
|
||||
end
|
||||
|
||||
# generates proper url
|
||||
def resolve(target, opts = {})
|
||||
profile = get_profile_name(URI(target))
|
||||
# generates server url
|
||||
target = build_target_url(profile)
|
||||
config = Compliance::Configuration.new
|
||||
opts['user'] = config['token']
|
||||
puts target
|
||||
super(target, opts)
|
||||
end
|
||||
|
||||
# extracts profile name from url
|
||||
def get_profile_name(uri)
|
||||
uri.host + uri.path
|
||||
end
|
||||
|
||||
def build_target_url(target)
|
||||
owner, profile = target.split('/')
|
||||
config = Compliance::Configuration.new
|
||||
url = "#{config['server']}/owners/%owner_name%/compliance/%profile_name%/tar"
|
||||
.gsub('%owner_name%', owner)
|
||||
.gsub('%profile_name%', profile)
|
||||
url
|
||||
end
|
||||
|
||||
def to_s
|
||||
'Chef Compliance Profile Loader'
|
||||
end
|
||||
end
|
||||
|
||||
Inspec::Targets.add_module('chefcompliance', ChefComplianceHelper.new)
|
||||
end
|
|
@ -16,8 +16,12 @@ require 'inspec/rspec_json_formatter'
|
|||
require 'inspec/rule'
|
||||
require 'matchers/matchers'
|
||||
require 'inspec/runner'
|
||||
require 'inspec/shell'
|
||||
|
||||
# all utils that may be required by plugins
|
||||
require 'utils/base_cli'
|
||||
|
||||
# ensure resource and plugins are loaded after runner, because the runner loads
|
||||
# targets
|
||||
require 'inspec/resource'
|
||||
require 'inspec/plugins'
|
||||
require 'inspec/shell'
|
||||
|
|
|
@ -39,7 +39,7 @@ module Inspec
|
|||
if path.nil?
|
||||
fail "Couldn't find plugin #{name}. Searching in #{@home}"
|
||||
end
|
||||
puts "Loading plugin #{name} from #{path}"
|
||||
# puts "Loading plugin #{name} from #{path}"
|
||||
require path
|
||||
end
|
||||
end
|
||||
|
|
|
@ -181,19 +181,18 @@ module Inspec
|
|||
end
|
||||
|
||||
# generates a archive of a folder profile
|
||||
# assumes that the profile was checked before
|
||||
def archive(opts) # rubocop:disable Metrics/AbcSize
|
||||
check_result = check
|
||||
|
||||
if check_result && !opts[:ignore_errors] == false
|
||||
@logger.info 'Profile check failed. Please fix the profile before generating an archive.'
|
||||
return false
|
||||
end
|
||||
|
||||
profile_name = @params[:name]
|
||||
|
||||
ext = opts[:zip] ? 'zip' : 'tar.gz'
|
||||
slug = profile_name.downcase.strip.tr(' ', '-').gsub(/[^\w-]/, '_')
|
||||
archive = Pathname.new(File.dirname(__FILE__)).join('../..', "#{slug}.#{ext}")
|
||||
|
||||
if opts[:archive]
|
||||
archive = Pathname.new(opts[:archive])
|
||||
else
|
||||
slug = profile_name.downcase.strip.tr(' ', '-').gsub(/[^\w-]/, '_')
|
||||
archive = Pathname.new(File.dirname(__FILE__)).join('../..', "#{slug}.#{ext}")
|
||||
end
|
||||
|
||||
# check if file exists otherwise overwrite the archive
|
||||
if archive.exist? && !opts[:overwrite]
|
||||
|
@ -204,7 +203,7 @@ module Inspec
|
|||
# remove existing archive
|
||||
File.delete(archive) if archive.exist?
|
||||
|
||||
@logger.info "Profile check finished. Generate archive #{archive}."
|
||||
@logger.info "Generate archive #{archive}."
|
||||
|
||||
# find all files
|
||||
files = Dir.glob("#{path}/**/*")
|
||||
|
|
|
@ -13,6 +13,8 @@ module Inspec::Targets
|
|||
uri = URI.parse(target)
|
||||
return false if uri.nil? or uri.scheme.nil?
|
||||
%{ http https }.include? uri.scheme
|
||||
rescue URI::Error => _e
|
||||
false
|
||||
end
|
||||
|
||||
def resolve(target, opts = {})
|
||||
|
@ -20,14 +22,13 @@ module Inspec::Targets
|
|||
return nil unless target.start_with?('https://', 'http://')
|
||||
|
||||
# support for github url
|
||||
m = %r{^https?://(www\.)?github\.com/(?<user>[\w-]+)/(?<repo>[\w-]+)(\.git)?$}.match(target)
|
||||
m = %r{^https?://(www\.)?github\.com/(?<user>[\w-]+)/(?<repo>[\w-]+)(\.git)?(/)?$}.match(target)
|
||||
if m
|
||||
url = "https://github.com/#{m[:user]}/#{m[:repo]}/archive/master.tar.gz"
|
||||
else
|
||||
url = target
|
||||
end
|
||||
|
||||
resolve_zip(url, opts)
|
||||
resolve_archive(url, opts)
|
||||
end
|
||||
|
||||
# download url into archive using opts,
|
||||
|
@ -47,7 +48,7 @@ module Inspec::Targets
|
|||
[archive, remote.meta['content-type']]
|
||||
end
|
||||
|
||||
def resolve_zip(url, opts)
|
||||
def resolve_archive(url, opts)
|
||||
archive, content_type = download_archive(url, Tempfile.new(['inspec-dl-', '.tar.gz']), opts)
|
||||
|
||||
# replace extension with zip if we detected a zip content type
|
||||
|
|
129
lib/utils/base_cli.rb
Normal file
129
lib/utils/base_cli.rb
Normal file
|
@ -0,0 +1,129 @@
|
|||
# encoding: utf-8
|
||||
# author: Christoph Hartmann
|
||||
# author: Dominik Richter
|
||||
|
||||
require 'thor'
|
||||
|
||||
class Inspec::BaseCLI < Thor # rubocop:disable Metrics/ClassLength
|
||||
def self.target_options
|
||||
option :target, aliases: :t, type: :string,
|
||||
desc: 'Simple targeting option using URIs, e.g. ssh://user:pass@host:port'
|
||||
option :backend, aliases: :b, type: :string,
|
||||
desc: 'Choose a backend: local, ssh, winrm, docker.'
|
||||
option :host, type: :string,
|
||||
desc: 'Specify a remote host which is tested.'
|
||||
option :port, aliases: :p, type: :numeric,
|
||||
desc: 'Specify the login port for a remote scan.'
|
||||
option :user, type: :string,
|
||||
desc: 'The login user for a remote scan.'
|
||||
option :password, type: :string,
|
||||
desc: 'Login password for a remote scan, if required.'
|
||||
option :key_files, aliases: :i, type: :array,
|
||||
desc: 'Login key or certificate file for a remote scan.'
|
||||
option :path, type: :string,
|
||||
desc: 'Login path to use when connecting to the target (WinRM).'
|
||||
option :sudo, type: :boolean,
|
||||
desc: 'Run scans with sudo. Only activates on Unix and non-root user.'
|
||||
option :sudo_password, type: :string,
|
||||
desc: 'Specify a sudo password, if it is required.'
|
||||
option :sudo_options, type: :string,
|
||||
desc: 'Additional sudo options for a remote scan.'
|
||||
option :ssl, type: :boolean,
|
||||
desc: 'Use SSL for transport layer encryption (WinRM).'
|
||||
option :self_signed, type: :boolean,
|
||||
desc: 'Allow remote scans with self-signed certificates (WinRM).'
|
||||
option :json_config, type: :string,
|
||||
desc: 'Read configuration from JSON file (`-` reads from stdin).'
|
||||
option :log_level, aliases: :l, type: :string,
|
||||
desc: 'Set the log level: info (default), debug, warn, error'
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
# helper method to run tests
|
||||
def run_tests(opts, tests)
|
||||
o = opts.dup
|
||||
o[:logger] = Logger.new(opts['format'] == 'json' ? nil : STDOUT)
|
||||
o[:logger].level = get_log_level(o.log_level)
|
||||
|
||||
runner = Inspec::Runner.new(o)
|
||||
runner.add_tests(tests)
|
||||
exit runner.run
|
||||
rescue RuntimeError => e
|
||||
puts e.message
|
||||
end
|
||||
|
||||
def diagnose
|
||||
return unless opts['diagnose']
|
||||
puts "InSpec version: #{Inspec::VERSION}"
|
||||
puts "Train version: #{Train::VERSION}"
|
||||
puts 'Command line configuration:'
|
||||
pp options
|
||||
puts 'JSON configuration file:'
|
||||
pp options_json
|
||||
puts 'Merged configuration:'
|
||||
pp opts
|
||||
puts
|
||||
end
|
||||
|
||||
def opts
|
||||
# argv overrides json
|
||||
Thor::CoreExt::HashWithIndifferentAccess.new(options_json.merge(options))
|
||||
end
|
||||
|
||||
def options_json
|
||||
conffile = options['json_config']
|
||||
@json ||= conffile ? read_config(conffile) : {}
|
||||
end
|
||||
|
||||
def read_config(file)
|
||||
if file == '-'
|
||||
puts 'WARN: reading JSON config from standard input' if STDIN.tty?
|
||||
config = STDIN.read
|
||||
else
|
||||
config = File.read(file)
|
||||
end
|
||||
|
||||
JSON.load(config)
|
||||
rescue JSON::ParserError => e
|
||||
puts "Failed to load JSON configuration: #{e}\nConfig was: #{config.inspect}"
|
||||
exit 1
|
||||
end
|
||||
|
||||
# get the log level
|
||||
# DEBUG < INFO < WARN < ERROR < FATAL < UNKNOWN
|
||||
def get_log_level(level)
|
||||
valid = %w{debug info warn error fatal}
|
||||
|
||||
if valid.include?(level)
|
||||
l = level
|
||||
else
|
||||
l = 'info'
|
||||
end
|
||||
|
||||
Logger.const_get(l.upcase)
|
||||
end
|
||||
|
||||
def configure_logger(o)
|
||||
o[:logger] = Logger.new(STDOUT)
|
||||
# output json if we have activated the json formatter
|
||||
if opts['log-format'] == 'json'
|
||||
o[:logger].formatter = Logger::JSONFormatter.new
|
||||
end
|
||||
o[:logger].level = get_log_level(o.log_level)
|
||||
end
|
||||
|
||||
def mark_text(text)
|
||||
"\e[0;32m#{text}\e[0m"
|
||||
end
|
||||
|
||||
def headline(title)
|
||||
puts title
|
||||
title.each_char { print '-' }
|
||||
puts
|
||||
end
|
||||
|
||||
def li(entry)
|
||||
puts " #{mark_text('*')} #{entry}"
|
||||
end
|
||||
end
|
|
@ -14,11 +14,12 @@ SimpleCov.start do
|
|||
add_group 'Backends', 'lib/inspec/backend'
|
||||
end
|
||||
|
||||
require 'utils/base_cli'
|
||||
require 'inspec/targets'
|
||||
require 'inspec/resource'
|
||||
require 'inspec/backend'
|
||||
require 'inspec/profile'
|
||||
require 'inspec/targets'
|
||||
require 'inspec/targets/zip'
|
||||
|
||||
|
||||
class MockLoader
|
||||
# collects emulation operating systems
|
||||
|
|
|
@ -2,15 +2,25 @@
|
|||
# author: Christoph Hartmann
|
||||
# author: Dominik Richter
|
||||
|
||||
require 'helper'
|
||||
require 'inspec/plugins'
|
||||
# TODO: do not use helper, since all plugins are loaded statically
|
||||
require 'minitest/autorun'
|
||||
require 'minitest/spec'
|
||||
require 'mocha/setup'
|
||||
|
||||
require 'inspec/targets'
|
||||
require 'inspec/plugins/cli'
|
||||
require 'thor'
|
||||
|
||||
describe 'plugin system' do
|
||||
|
||||
describe 'with an empty profile' do
|
||||
let(:cli_reg) { Inspec::Plugins::CLI }
|
||||
|
||||
before do
|
||||
# TODO: remove this, once the plugin loading is not based on ruby-load time
|
||||
# initialization
|
||||
cli_reg.registry.clear
|
||||
end
|
||||
|
||||
it 'is empty' do
|
||||
cli_reg.registry.must_equal({})
|
||||
end
|
||||
|
|
Loading…
Reference in a new issue