✓ adds additional checks for vendored profiles (#3362)

* ✓ adds additional checks for vendored profiles

This PR adds additional checks to verify if:
- inspec.yml and inspec.lock dependencies are out-of-sync
- complains about a missing lock file if we have dependencies defined

* skip if legacy profile path is used
* Fix unit tests.
* Force static sha256 for lock files and protect from unnamed depends.
* Add vendor profiles for checks. Windows downloads with different sha256.

lib/inspec/profile.rb

@@ -101,6 +101,7 @@ module Inspec
       @libraries_loaded = false
       @check_mode = options[:check_mode] || false
       @parent_profile = options[:parent_profile]
+      @legacy_profile_path = options[:profiles_path] || false
       Metadata.finalize(@source_reader.metadata, @profile_id, options)
 
       # if a backend has already been created, clone it so each profile has its own unique backend object
@@ -373,6 +374,32 @@ module Inspec
       m_unsupported.each { |u| warn.call(meta_path, 0, 0, nil, "doesn't support: #{u}") }
       @logger.info 'Metadata OK.' if m_errors.empty? && m_unsupported.empty?
 
+      # only run the vendor check if the legacy profile-path is not used as argument
+      if @legacy_profile_path == false
+        # verify that a lockfile is present if we have dependencies
+        if !metadata.dependencies.empty?
+          error.call(meta_path, 0, 0, nil, 'Your profile needs to be vendored with `inspec vendor`.') if !lockfile_exists?
+        end
+
+        if lockfile_exists?
+          # verify if metadata and lockfile are out of sync
+          if lockfile.deps.size != metadata.dependencies.size
+            error.call(meta_path, 0, 0, nil, 'inspec.yml and inspec.lock are out-of-sync. Please re-vendor with `inspec vendor`.')
+          end
+
+          # verify if metadata and lockfile have the same dependency names
+          metadata.dependencies.each { |dep|
+            # Skip if the dependency does not specify a name
+            next if dep[:name].nil?
+
+            # TODO: should we also verify that the soure is the same?
+            if !lockfile.deps.map { |x| x[:name] }.include? dep[:name]
+              error.call(meta_path, 0, 0, nil, "Cannot find #{dep[:name]} in lockfile. Please re-vendor with `inspec vendor`.")
+            end
+          }
+        end
+      end
+
       # extract profile name
       result[:summary][:profile] = metadata.params[:name]
 

test/functional/inspec_check_test.rb

@@ -65,4 +65,29 @@ describe 'inspec check' do
       end
     end
   end
+
+  describe 'inspec check for lockfile and dependencies' do
+    it 'can check a profile where a lock file is not required' do
+      out = inspec('check ' + File.join(profile_path, 'profile-lock-notrequired'))
+      out.exit_status.must_equal 0
+    end
+
+    it 'can check a profile where a lock file is required' do
+      out = inspec('check ' + File.join(profile_path, 'profile-lock-required'))
+      out.exit_status.must_equal 1
+      out.stdout.must_include 'profile needs to be vendored with `inspec vendor`.'
+    end
+
+    it 'can check a profile where lock file and inspec.yml are in synnc' do
+      out = inspec('check ' + File.join(profile_path, 'profile-lock-insync'))
+      out.exit_status.must_equal 0
+    end
+
+    it 'can check a profile where lock file and inspec.yml are in not synnc' do
+      out = inspec('check ' + File.join(profile_path, 'profile-lock-outofsync'))
+      out.exit_status.must_equal 1
+      out.stdout.must_include 'inspec.yml and inspec.lock are out-of-sync. Please re-vendor with `inspec vendor`.'
+      out.stdout.must_include 'Cannot find linux-baseline in lockfile. Please re-vendor with `inspec vendor`.'
+    end    
+  end
 end

test/unit/mock/profiles/profile-lock-insync/inspec.lock

@@ -0,0 +1,8 @@
+---
+lockfile_version: 1
+depends:
+- name: ssh-baseline
+  resolved_source:
+    url: https://github.com/dev-sec/ssh-baseline/archive/2.3.0.zip
+    sha256: f15d94086d07cb81d2a69b2b774135b1dbfd1c1918415aec7d266658aecfb47a
+  version_constraints: []

test/unit/mock/profiles/profile-lock-insync/inspec.yml

@@ -0,0 +1,11 @@
+name: profile-lock-required
+title: mock profile for inspec check
+summary: An InSpec Compliance Profile
+maintainer: Chef Software, Inc.
+copyright: Chef Software, Inc.
+copyright_email: support@chef.io
+license: Apache-2.0
+version: 1.0.0
+depends:
+  - name: ssh-baseline
+    url: https://github.com/dev-sec/ssh-baseline

test/unit/mock/profiles/profile-lock-notrequired/inspec.yml

@@ -0,0 +1,8 @@
+name: profile-lock-notrequired
+title: mock profile for inspec check
+summary: An InSpec Compliance Profile
+maintainer: The Authors
+copyright: The Authors
+copyright_email: you@example.com
+license: Apache-2.0
+version: 0.1.0

test/unit/mock/profiles/profile-lock-outofsync/inspec.lock

@@ -0,0 +1,8 @@
+---
+lockfile_version: 1
+depends:
+- name: ssh-baseline
+  resolved_source:
+    url: https://github.com/dev-sec/ssh-baseline/archive/2.3.0.zip
+    sha256: f15d94086d07cb81d2a69b2b774135b1dbfd1c1918415aec7d266658aecfb47a
+  version_constraints: []

test/unit/mock/profiles/profile-lock-outofsync/inspec.yml

@@ -0,0 +1,13 @@
+name: profile-lock-required
+title: mock profile for inspec check
+summary: An InSpec Compliance Profile
+maintainer: Chef Software, Inc.
+copyright: Chef Software, Inc.
+copyright_email: support@chef.io
+license: Apache-2.0
+version: 1.0.0
+depends:
+  - name: ssh-baseline
+    url: https://github.com/dev-sec/ssh-baseline
+  - name: linux-baseline
+    url: https://github.com/dev-sec/linux-baseline

test/unit/mock/profiles/profile-lock-required/inspec.yml

@@ -0,0 +1,11 @@
+name: profile-lock-required
+title: mock profile for inspec check
+summary: An InSpec Compliance Profile
+maintainer: Chef Software, Inc.
+copyright: Chef Software, Inc.
+copyright_email: support@chef.io
+license: Apache-2.0
+version: 1.0.0
+depends:
+  - name: ssh-baseline
+    url: https://github.com/dev-sec/ssh-baseline