Merge pull request #409 from chef/chris-rock/extras-compliance

Chef Compliance extension

.rubocop.yml

@@ -53,6 +53,8 @@ Style/AndOr:
   Enabled: false
 Style/Not:
   Enabled: false
+Style/FileName:
+  Enabled: false
 Style/TrailingCommaInLiteral:
   EnforcedStyleForMultiline: comma
 Style/TrailingCommaInArguments:

bin/inspec

@@ -7,46 +7,14 @@
 require 'thor'
 require 'json'
 require 'pp'
+require_relative '../lib/utils/base_cli'
 require_relative '../lib/inspec'
 require_relative '../lib/utils/json_log'
 
-class Inspec::InspecCLI < Thor # rubocop:disable Metrics/ClassLength
+class Inspec::InspecCLI < Inspec::BaseCLI # rubocop:disable Metrics/ClassLength
   class_option :diagnose, type: :boolean,
     desc: 'Show diagnostics (versions, configurations)'
 
-  def self.target_options
-    option :target, aliases: :t, type: :string,
-      desc: 'Simple targeting option using URIs, e.g. ssh://user:pass@host:port'
-    option :backend, aliases: :b, type: :string,
-      desc: 'Choose a backend: local, ssh, winrm, docker.'
-    option :host, type: :string,
-      desc: 'Specify a remote host which is tested.'
-    option :port, aliases: :p, type: :numeric,
-      desc: 'Specify the login port for a remote scan.'
-    option :user, type: :string,
-      desc: 'The login user for a remote scan.'
-    option :password, type: :string,
-      desc: 'Login password for a remote scan, if required.'
-    option :key_files, aliases: :i, type: :array,
-      desc: 'Login key or certificate file for a remote scan.'
-    option :path, type: :string,
-      desc: 'Login path to use when connecting to the target (WinRM).'
-    option :sudo, type: :boolean,
-      desc: 'Run scans with sudo. Only activates on Unix and non-root user.'
-    option :sudo_password, type: :string,
-      desc: 'Specify a sudo password, if it is required.'
-    option :sudo_options, type: :string,
-      desc: 'Additional sudo options for a remote scan.'
-    option :ssl, type: :boolean,
-      desc: 'Use SSL for transport layer encryption (WinRM).'
-    option :self_signed, type: :boolean,
-      desc: 'Allow remote scans with self-signed certificates (WinRM).'
-    option :json_config, type: :string,
-      desc: 'Read configuration from JSON file (`-` reads from stdin).'
-    option :log_level, aliases: :l, type: :string,
-      desc: 'Set the log level: info (default), debug, warn, error'
-  end
-
   desc 'json PATH', 'read all tests in PATH and generate a JSON summary'
   option :id, type: :string,
     desc: 'Attach a profile ID to all test results'
@@ -91,14 +59,14 @@ class Inspec::InspecCLI < Thor # rubocop:disable Metrics/ClassLength
       %w{location profile controls timestamp valid}.each { |item|
         puts "#{mark_text(item.to_s.capitalize + ':')} #{result[:summary][item.to_sym]}"
       }
-      newline
+      puts
 
       %w{errors warnings}.each { |list|
         headline(list.to_s.capitalize)
         result[list.to_sym].each { |item|
           puts "#{item[:file]}:#{item[:line]}:#{item[:column]}: #{item[:msg]} "
         }
-        newline
+        puts
       }
     end
     exit 1 unless result[:summary][:valid]
@@ -121,6 +89,13 @@ class Inspec::InspecCLI < Thor # rubocop:disable Metrics/ClassLength
     o[:logger].level = get_log_level(o.log_level)
 
     profile = Inspec::Profile.from_path(path, o)
+    result = profile.check
+
+    if result && !opts[:ignore_errors] == false
+      @logger.info 'Profile check failed. Please fix the profile before generating an archive.'
+      return exit 1
+    end
+
     # generate archive
     exit 1 unless profile.archive(opts)
   end
@@ -132,16 +107,7 @@ class Inspec::InspecCLI < Thor # rubocop:disable Metrics/ClassLength
   option :format, type: :string
   def exec(*tests)
     diagnose
-
-    o = opts.dup
-    o[:logger] = Logger.new(opts['format'] == 'json' ? nil : STDOUT)
-    o[:logger].level = get_log_level(o.log_level)
-
-    runner = Inspec::Runner.new(o)
-    runner.add_tests(tests)
-    exit runner.run
-  rescue RuntimeError => e
-    puts e.message
+    run_tests(opts, tests)
   end
 
   desc 'detect', 'detect the target OS'
@@ -174,82 +140,6 @@ class Inspec::InspecCLI < Thor # rubocop:disable Metrics/ClassLength
   def version
     puts Inspec::VERSION
   end
-
-  private
-
-  def diagnose
-    return unless opts['diagnose']
-    puts "InSpec version: #{Inspec::VERSION}"
-    puts "Train version: #{Train::VERSION}"
-    puts 'Command line configuration:'
-    pp options
-    puts 'JSON configuration file:'
-    pp options_json
-    puts 'Merged configuration:'
-    pp opts
-    puts
-  end
-
-  def opts
-    # argv overrides json
-    Thor::CoreExt::HashWithIndifferentAccess.new(options_json.merge(options))
-  end
-
-  def options_json
-    conffile = options['json_config']
-    @json ||= conffile ? read_config(conffile) : {}
-  end
-
-  def configure_logger(o)
-    o[:logger] = Logger.new(STDOUT)
-    # output json if we have activated the json formatter
-    if opts['log-format'] == 'json'
-      o[:logger].formatter = Logger::JSONFormatter.new
-    end
-    o[:logger].level = get_log_level(o.log_level)
-  end
-
-  # get the log level
-  # DEBUG < INFO < WARN < ERROR < FATAL < UNKNOWN
-  def get_log_level(level)
-    valid = %w{debug info warn error fatal}
-
-    if valid.include?(level)
-      l = level
-    else
-      l = 'info'
-    end
-
-    Logger.const_get(l.upcase)
-  end
-
-  def read_config(file)
-    if file == '-'
-      puts 'WARN: reading JSON config from standard input' if STDIN.tty?
-      config = STDIN.read
-    else
-      config = File.read(file)
-    end
-
-    JSON.load(config)
-  rescue JSON::ParserError => e
-    puts "Failed to load JSON configuration: #{e}\nConfig was: #{config.inspect}"
-    exit 1
-  end
-
-  def mark_text(text)
-    "\e[0;32m#{text}\e[0m"
-  end
-
-  def headline(title)
-    puts title
-    title.each_char { print '-' }
-    newline
-  end
-
-  def newline
-    print "\n"
-  end
 end
 
 # load CLI plugins before the Inspec CLI has been started

lib/bundles/inspec-compliance.rb

@@ -0,0 +1,14 @@
+# encoding: utf-8
+# author: Christoph Hartmann
+# author: Dominik Richter
+
+libdir = File.dirname(__FILE__)
+$LOAD_PATH.unshift(libdir) unless $LOAD_PATH.include?(libdir)
+
+module Compliance
+  autoload :Configuration, 'inspec-compliance/configuration'
+  autoload :API, 'inspec-compliance/api'
+end
+
+require 'inspec-compliance/cli'
+require 'inspec-compliance/target'

lib/bundles/inspec-compliance/README.md

@@ -0,0 +1,20 @@
+# InSpec Extension for Chef Compliance
+
+This extensions offers the following features:
+
+ - list available profiles in Chef Compliance
+ - execute profiles directly from Chef Compliance locally
+ - upload a local profile to Chef Compliance
+
+To use the CLI, this InSpec add-on adds the following commands:
+
+ * `$ inspec compliance login user password` - authentication against Chef Compliance
+ * `$ inspec compliance profiles` - list all available Chef Compliance profiles
+ * `$ inspec compliance exec profile` - runs a Chef Compliance profile
+ * `$ inspec compliance upload path/to/local/profile` - uploads a local profile to Chef Compliance
+ * `$ inspec compliance logout` - logout of Chef Compliance
+
+Compliance profiles can be executed in two mays:
+
+- via compliance exec: `inspec compliance exec profile`
+- via compliance scheme: `inspec exec compliance://profile`

lib/bundles/inspec-compliance/api.rb

@@ -0,0 +1,134 @@
+# encoding: utf-8
+# author: Christoph Hartmann
+# author: Dominik Richter
+
+require 'net/http'
+require 'uri'
+
+module Compliance
+  # API Implementation does not hold any state by itself,
+  # everything will be stored in local Configuration store
+  class API
+    # logs into the server, retrieves a token and stores it locally
+    def self.login(server, username, password)
+      config = Compliance::Configuration.new
+      config['server'] = server
+      url = "#{server}/oauth/token"
+
+      success, data = Compliance::API.post(url, username, password)
+      if !data.nil?
+        tokendata = JSON.parse(data)
+        if tokendata['access_token']
+          config['user'] = username
+          config['token'] = tokendata['access_token']
+          config.store
+          success = true
+          msg = 'Successfully authenticated'
+        else
+          msg = 'Reponse does not include a token'
+        end
+      else
+        msg = "Authentication failed for Server: #{url}"
+      end
+      [success, msg]
+    end
+
+    def self.logout
+      config = Compliance::Configuration.new
+      url = "#{config['server']}/logout"
+      Compliance::API.post(url, config['token'], nil)
+      config.destroy
+    end
+
+    # return the server api version
+    def self.version
+      config = Compliance::Configuration.new
+      url = "#{config['server']}/version"
+
+      _success, data = Compliance::API.get(url, nil, nil)
+      if !data.nil?
+        JSON.parse(data)
+      else
+        {}
+      end
+    end
+
+    # return all compliance profiles available for the user
+    def self.profiles
+      config = Compliance::Configuration.new
+
+      url = "#{config['server']}/user/compliance"
+      _success, data = get(url, config['token'], '')
+
+      if !data.nil?
+        profiles = JSON.parse(data)
+        val = []
+        # iterate over profiles
+        profiles.each_key { |org|
+          profiles[org].each_key { |name|
+            val.push({ org: org, name: name })
+          }
+        }
+        val
+      else
+        []
+      end
+    end
+
+    # verifies that a profile
+    def self.exist?(profile)
+      profiles = Compliance::API.profiles
+      if !profiles.empty?
+        index = profiles.index { |p| "#{p[:org]}/#{p[:name]}" == profile }
+        !index.nil? && index >= 0
+      else
+        false
+      end
+    end
+
+    def self.get(url, username, password)
+      uri = URI.parse(url)
+      req = Net::HTTP::Get.new(uri.path)
+      req.basic_auth username, password
+
+      send_request(uri, req)
+    end
+
+    def self.post(url, username, password)
+      # form request
+      uri = URI.parse(url)
+      req = Net::HTTP::Post.new(uri.path)
+      req.basic_auth username, password
+      req.form_data={}
+
+      send_request(uri, req)
+    end
+
+    # upload a file
+    def self.post_file(url, username, password, file_path)
+      uri = URI.parse(url)
+      http = Net::HTTP.new(uri.host, uri.port)
+      req = Net::HTTP::Post.new(uri.path)
+      req.basic_auth username, password
+
+      req.body_stream=File.open(file_path)
+      req['Content-Type'] = 'multipart/form-data'
+      req.add_field('Content-Length', File.size(file_path))
+      req.add_field('Content-Type', 'application/x-gtar')
+
+      boundary = 'INSPEC-PROFILE-UPLOAD'
+      req.add_field('session', boundary)
+      res=http.request(req)
+
+      [res.is_a?(Net::HTTPSuccess), res.body]
+    end
+
+    def self.send_request(uri, req)
+      # send request
+      res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') {|http|
+        http.request(req)
+      }
+      [res.is_a?(Net::HTTPSuccess), res.body]
+    end
+  end
+end

lib/bundles/inspec-compliance/cli.rb

@@ -0,0 +1,146 @@
+# encoding: utf-8
+# author: Christoph Hartmann
+# author: Dominik Richter
+
+require 'thor'
+
+module Compliance
+  class ComplianceCLI < Inspec::BaseCLI # rubocop:disable Metrics/ClassLength
+    namespace 'compliance'
+
+    desc 'login SERVER', 'Log in to a Chef Compliance SERVER'
+    option :user, type: :string, required: true,
+      desc: 'Chef Compliance Username'
+    option :password, type: :string, required: true,
+      desc: 'Chef Compliance Password'
+    def login(server)
+      success, msg = Compliance::API.login(server, options['user'], options['password'])
+      if success
+        puts 'Successfully authenticated'
+      else
+        puts msg
+      end
+    end
+
+    desc 'profiles', 'list all available profiles in Chef Compliance'
+    def profiles
+      profiles = Compliance::API.profiles
+      if !profiles.empty?
+        # iterate over profiles
+        headline('Available profiles:')
+        profiles.each { |profile|
+          li("#{profile[:org]}/#{profile[:name]}")
+        }
+      else
+        puts 'Could not find any profiles'
+      end
+    end
+
+    desc 'exec PROFILE', 'executes a Chef Compliance profile'
+    option :id, type: :string,
+      desc: 'Attach a profile ID to all test results'
+    target_options
+    option :format, type: :string
+    def exec(*tests)
+      # iterate over tests and add compliance scheme
+      tests = tests.map { |t| 'compliance://' + t }
+
+      # execute profile from inspec exec implementation
+      diagnose
+      run_tests(opts, tests)
+    end
+
+    desc 'upload PATH', 'uploads a local profile to Chef Compliance'
+    option :overwrite, type: :boolean, default: false,
+      desc: 'Overwrite existing profile on Chef Compliance.'
+    def upload(path) # rubocop:disable Metrics/MethodLength, Metrics/AbcSize, PerceivedComplexity
+      o = options.dup
+      configure_logger(o)
+      # check the profile, we only allow to upload valid profiles
+      profile = Inspec::Profile.from_path(path, o)
+
+      # start verification process
+      error_count = 0
+      error = lambda { |msg|
+        error_count += 1
+        puts msg
+      }
+
+      result = profile.check
+      unless result[:summary][:valid]
+        error.call('Profile check failed. Please fix the profile before upload.')
+      else
+        puts('Profile is valid')
+      end
+
+      # determine user information
+      config = Compliance::Configuration.new
+      if config['token'].nil? || config['user'].nil?
+        error.call('Please login via `inspec compliance login`')
+      end
+
+      # owner
+      owner = config['user']
+      # read profile name from inspec.yml
+      profile_name = profile.params[:name]
+
+      # check that the profile is not uploaded already,
+      # confirm upload to the user (overwrite with --force)
+      if Compliance::API.exist?("#{owner}/#{profile_name}") && !options['overwrite']
+        error.call('Profile exists on the server, use --overwrite')
+      end
+
+      # abort if we found an error
+      if error_count > 0
+        puts "Found #{error_count} error(s)"
+        exit 1
+      end
+
+      # if it is a directory, tar it to tmp directory
+      if File.directory?(path)
+        file = Tempfile.new([profile_name, '.tar.gz'])
+        archive_path = file.path
+        puts "Generate temporary profile archive at #{archive_path}"
+        profile.archive({ archive: archive_path, ignore_errors: false, overwrite: true })
+      else
+        archive_path = path
+      end
+
+      puts "Start upload to #{owner}/#{profile_name}"
+
+      # upload the tar to Chef Compliance
+      url = "#{config['server']}/owners/#{owner}/compliance/#{profile_name}/tar"
+
+      puts "Uploading to #{url}"
+      success, msg = Compliance::API.post_file(url, config['token'], '', archive_path)
+      if success
+        puts 'Successfully uploaded profile'
+      else
+        puts 'Error during profile upload:'
+        puts msg
+      end
+    end
+
+    desc 'version', 'displays the version of the Chef Compliance server'
+    def version
+      info = Compliance::API.version
+      if !info.nil? && info['version']
+        puts "Chef Compliance version: #{info['version']}"
+      else
+        puts 'Could not determine server version.'
+      end
+    end
+
+    desc 'logout', 'user logout from Chef Compliance'
+    def logout
+      if Compliance::API.logout
+        puts 'Successfully logged out'
+      else
+        puts 'Could not log out'
+      end
+    end
+  end
+
+  # register the subcommand to Inspec CLI registry
+  Inspec::Plugins::CLI.register(ComplianceCLI, 'compliance', 'compliance SUBCOMMAND ...', 'Chef Compliance commands', {})
+end

lib/bundles/inspec-compliance/configuration.rb

@@ -0,0 +1,52 @@
+# encoding: utf-8
+# author: Christoph Hartmann
+# author: Dominik Richter
+
+module Compliance
+  # stores configuration on local filesystem
+  class Configuration
+    def initialize
+      @config_path = File.join(Dir.home, '.inspec', 'compliance')
+      # ensure the directory is available
+      unless File.directory?(@config_path)
+        FileUtils.mkdir_p(@config_path)
+      end
+      # set config file path
+      @config_file = File.join(@config_path, '/config.json')
+      @config = {}
+
+      # load the data
+      get
+    end
+
+    # direct access to config
+    def [](key)
+      @config[key]
+    end
+
+    def []=(key, value)
+      @config[key] = value
+    end
+
+    # return the json data
+    def get
+      if File.exist?(@config_file)
+        file = File.read(@config_file)
+        @config = JSON.parse(file)
+      end
+      @config
+    end
+
+    # stores a hash to json
+    def store
+      File.open(@config_file, 'w') do |f|
+        f.write(@config.to_json)
+      end
+    end
+
+    # deletes data
+    def destroy
+      File.delete(@config_file)
+    end
+  end
+end

lib/bundles/inspec-compliance/target.rb

@@ -0,0 +1,61 @@
+# encoding: utf-8
+# author: Christoph Hartmann
+# author: Dominik Richter
+
+require 'uri'
+
+# InSpec Target Helper for Chef Compliance
+# reuses UrlHelper, but it knows the target server and the access token already
+# similar to `inspec exec http://localhost:2134/owners/%base%/compliance/%ssh%/tar --user %token%`
+module Compliance
+  class ChefComplianceHelper < Inspec::Targets::UrlHelper
+    def handles?(target)
+      # check for local scheme compliance://
+      uri = URI(target)
+      return unless URI(uri).scheme == 'compliance'
+
+      # check if we have a compliance token
+      config = Compliance::Configuration.new
+      return if config['token'].nil?
+
+      # get profile name
+      profile = get_profile_name(uri)
+
+      # verifies that the target e.g base/ssh exists
+      Compliance::API.exist?(profile)
+    rescue URI::Error => _e
+      false
+    end
+
+    # generates proper url
+    def resolve(target, opts = {})
+      profile = get_profile_name(URI(target))
+      # generates server url
+      target = build_target_url(profile)
+      config = Compliance::Configuration.new
+      opts['user'] = config['token']
+      puts target
+      super(target, opts)
+    end
+
+    # extracts profile name from url
+    def get_profile_name(uri)
+      uri.host + uri.path
+    end
+
+    def build_target_url(target)
+      owner, profile = target.split('/')
+      config = Compliance::Configuration.new
+      url = "#{config['server']}/owners/%owner_name%/compliance/%profile_name%/tar"
+            .gsub('%owner_name%', owner)
+            .gsub('%profile_name%', profile)
+      url
+    end
+
+    def to_s
+      'Chef Compliance Profile Loader'
+    end
+  end
+
+  Inspec::Targets.add_module('chefcompliance', ChefComplianceHelper.new)
+end

lib/inspec.rb

@@ -16,8 +16,12 @@ require 'inspec/rspec_json_formatter'
 require 'inspec/rule'
 require 'matchers/matchers'
 require 'inspec/runner'
+require 'inspec/shell'
+
+# all utils that may be required by plugins
+require 'utils/base_cli'
+
 # ensure resource and plugins are loaded after runner, because the runner loads
 # targets
 require 'inspec/resource'
 require 'inspec/plugins'
-require 'inspec/shell'

lib/inspec/plugins.rb

@@ -39,7 +39,7 @@ module Inspec
       if path.nil?
         fail "Couldn't find plugin #{name}. Searching in #{@home}"
       end
-      puts "Loading plugin #{name} from #{path}"
+      # puts "Loading plugin #{name} from #{path}"
       require path
     end
   end

lib/inspec/profile.rb

@@ -181,19 +181,18 @@ module Inspec
     end
 
     # generates a archive of a folder profile
+    # assumes that the profile was checked before
     def archive(opts) # rubocop:disable Metrics/AbcSize
-      check_result = check
-
-      if check_result && !opts[:ignore_errors] == false
-        @logger.info 'Profile check failed. Please fix the profile before generating an archive.'
-        return false
-      end
-
       profile_name = @params[:name]
 
       ext = opts[:zip] ? 'zip' : 'tar.gz'
-      slug = profile_name.downcase.strip.tr(' ', '-').gsub(/[^\w-]/, '_')
-      archive = Pathname.new(File.dirname(__FILE__)).join('../..', "#{slug}.#{ext}")
+
+      if opts[:archive]
+        archive = Pathname.new(opts[:archive])
+      else
+        slug = profile_name.downcase.strip.tr(' ', '-').gsub(/[^\w-]/, '_')
+        archive = Pathname.new(File.dirname(__FILE__)).join('../..', "#{slug}.#{ext}")
+      end
 
       # check if file exists otherwise overwrite the archive
       if archive.exist? && !opts[:overwrite]
@@ -204,7 +203,7 @@ module Inspec
       # remove existing archive
       File.delete(archive) if archive.exist?
 
-      @logger.info "Profile check finished. Generate archive #{archive}."
+      @logger.info "Generate archive #{archive}."
 
       # find all files
       files = Dir.glob("#{path}/**/*")

lib/inspec/targets/url.rb

@@ -13,6 +13,8 @@ module Inspec::Targets
       uri = URI.parse(target)
       return false if uri.nil? or uri.scheme.nil?
       %{ http https }.include? uri.scheme
+    rescue URI::Error => _e
+      false
     end
 
     def resolve(target, opts = {})
@@ -20,14 +22,13 @@ module Inspec::Targets
       return nil unless target.start_with?('https://', 'http://')
 
       # support for github url
-      m = %r{^https?://(www\.)?github\.com/(?<user>[\w-]+)/(?<repo>[\w-]+)(\.git)?$}.match(target)
+      m = %r{^https?://(www\.)?github\.com/(?<user>[\w-]+)/(?<repo>[\w-]+)(\.git)?(/)?$}.match(target)
       if m
         url = "https://github.com/#{m[:user]}/#{m[:repo]}/archive/master.tar.gz"
       else
         url = target
       end
-
-      resolve_zip(url, opts)
+      resolve_archive(url, opts)
     end
 
     # download url into archive using opts,
@@ -47,7 +48,7 @@ module Inspec::Targets
       [archive, remote.meta['content-type']]
     end
 
-    def resolve_zip(url, opts)
+    def resolve_archive(url, opts)
       archive, content_type = download_archive(url, Tempfile.new(['inspec-dl-', '.tar.gz']), opts)
 
       # replace extension with zip if we detected a zip content type

lib/utils/base_cli.rb

@@ -0,0 +1,129 @@
+# encoding: utf-8
+# author: Christoph Hartmann
+# author: Dominik Richter
+
+require 'thor'
+
+class Inspec::BaseCLI < Thor # rubocop:disable Metrics/ClassLength
+  def self.target_options
+    option :target, aliases: :t, type: :string,
+      desc: 'Simple targeting option using URIs, e.g. ssh://user:pass@host:port'
+    option :backend, aliases: :b, type: :string,
+      desc: 'Choose a backend: local, ssh, winrm, docker.'
+    option :host, type: :string,
+      desc: 'Specify a remote host which is tested.'
+    option :port, aliases: :p, type: :numeric,
+      desc: 'Specify the login port for a remote scan.'
+    option :user, type: :string,
+      desc: 'The login user for a remote scan.'
+    option :password, type: :string,
+      desc: 'Login password for a remote scan, if required.'
+    option :key_files, aliases: :i, type: :array,
+      desc: 'Login key or certificate file for a remote scan.'
+    option :path, type: :string,
+      desc: 'Login path to use when connecting to the target (WinRM).'
+    option :sudo, type: :boolean,
+      desc: 'Run scans with sudo. Only activates on Unix and non-root user.'
+    option :sudo_password, type: :string,
+      desc: 'Specify a sudo password, if it is required.'
+    option :sudo_options, type: :string,
+      desc: 'Additional sudo options for a remote scan.'
+    option :ssl, type: :boolean,
+      desc: 'Use SSL for transport layer encryption (WinRM).'
+    option :self_signed, type: :boolean,
+      desc: 'Allow remote scans with self-signed certificates (WinRM).'
+    option :json_config, type: :string,
+      desc: 'Read configuration from JSON file (`-` reads from stdin).'
+    option :log_level, aliases: :l, type: :string,
+      desc: 'Set the log level: info (default), debug, warn, error'
+  end
+
+  private
+
+  # helper method to run tests
+  def run_tests(opts, tests)
+    o = opts.dup
+    o[:logger] = Logger.new(opts['format'] == 'json' ? nil : STDOUT)
+    o[:logger].level = get_log_level(o.log_level)
+
+    runner = Inspec::Runner.new(o)
+    runner.add_tests(tests)
+    exit runner.run
+  rescue RuntimeError => e
+    puts e.message
+  end
+
+  def diagnose
+    return unless opts['diagnose']
+    puts "InSpec version: #{Inspec::VERSION}"
+    puts "Train version: #{Train::VERSION}"
+    puts 'Command line configuration:'
+    pp options
+    puts 'JSON configuration file:'
+    pp options_json
+    puts 'Merged configuration:'
+    pp opts
+    puts
+  end
+
+  def opts
+    # argv overrides json
+    Thor::CoreExt::HashWithIndifferentAccess.new(options_json.merge(options))
+  end
+
+  def options_json
+    conffile = options['json_config']
+    @json ||= conffile ? read_config(conffile) : {}
+  end
+
+  def read_config(file)
+    if file == '-'
+      puts 'WARN: reading JSON config from standard input' if STDIN.tty?
+      config = STDIN.read
+    else
+      config = File.read(file)
+    end
+
+    JSON.load(config)
+  rescue JSON::ParserError => e
+    puts "Failed to load JSON configuration: #{e}\nConfig was: #{config.inspect}"
+    exit 1
+  end
+
+  # get the log level
+  # DEBUG < INFO < WARN < ERROR < FATAL < UNKNOWN
+  def get_log_level(level)
+    valid = %w{debug info warn error fatal}
+
+    if valid.include?(level)
+      l = level
+    else
+      l = 'info'
+    end
+
+    Logger.const_get(l.upcase)
+  end
+
+  def configure_logger(o)
+    o[:logger] = Logger.new(STDOUT)
+    # output json if we have activated the json formatter
+    if opts['log-format'] == 'json'
+      o[:logger].formatter = Logger::JSONFormatter.new
+    end
+    o[:logger].level = get_log_level(o.log_level)
+  end
+
+  def mark_text(text)
+    "\e[0;32m#{text}\e[0m"
+  end
+
+  def headline(title)
+    puts title
+    title.each_char { print '-' }
+    puts
+  end
+
+  def li(entry)
+    puts " #{mark_text('*')} #{entry}"
+  end
+end

test/helper.rb

@@ -14,11 +14,12 @@ SimpleCov.start do
   add_group 'Backends', 'lib/inspec/backend'
 end
 
+require 'utils/base_cli'
+require 'inspec/targets'
 require 'inspec/resource'
 require 'inspec/backend'
 require 'inspec/profile'
-require 'inspec/targets'
-require 'inspec/targets/zip'
+
 
 class MockLoader
   # collects emulation operating systems

test/unit/plugin_test.rb

@@ -2,15 +2,25 @@
 # author: Christoph Hartmann
 # author: Dominik Richter
 
-require 'helper'
-require 'inspec/plugins'
+# TODO: do not use helper, since all plugins are loaded statically
+require 'minitest/autorun'
+require 'minitest/spec'
+require 'mocha/setup'
+
+require 'inspec/targets'
+require 'inspec/plugins/cli'
 require 'thor'
 
 describe 'plugin system' do
-
   describe 'with an empty profile' do
     let(:cli_reg) { Inspec::Plugins::CLI }
 
+    before do
+      # TODO: remove this, once the plugin loading is not based on ruby-load time
+      # initialization
+      cli_reg.registry.clear
+    end
+
     it 'is empty' do
       cli_reg.registry.must_equal({})
     end