initial commit

This commit is contained in:
Christoph Hartmann 2016-12-15 09:53:01 +01:00
commit 46b65ba490
10 changed files with 511 additions and 0 deletions

72
.rubocop.yml Normal file

@ -0,0 +1,72 @@
---
AllCops:
Exclude:
- Gemfile
- Rakefile
- 'test/**/*'
- 'examples/**/*'
- 'vendor/**/*'
- 'lib/bundles/inspec-init/templates/**/*'
Documentation:
Enabled: false
AlignParameters:
Enabled: true
Encoding:
Enabled: true
HashSyntax:
Enabled: true
LineLength:
Enabled: false
EmptyLinesAroundBlockBody:
Enabled: false
MethodLength:
Max: 40
NumericLiterals:
MinDigits: 10
Metrics/CyclomaticComplexity:
Max: 10
Metrics/PerceivedComplexity:
Max: 11
Metrics/AbcSize:
Max: 33
Style/PercentLiteralDelimiters:
PreferredDelimiters:
'%': '{}'
'%i': ()
'%q': '{}'
'%Q': ()
'%r': '{}'
'%s': ()
'%w': '{}'
'%W': ()
'%x': ()
Style/AlignHash:
Enabled: false
Style/PredicateName:
Enabled: false
Style/ClassAndModuleChildren:
Enabled: false
Style/ConditionalAssignment:
Enabled: false
Style/BracesAroundHashParameters:
Enabled: false
Style/AndOr:
Enabled: false
Style/Not:
Enabled: false
Style/FileName:
Enabled: false
Style/TrailingCommaInLiteral:
EnforcedStyleForMultiline: comma
Style/TrailingCommaInArguments:
EnforcedStyleForMultiline: comma
Style/NegatedIf:
Enabled: false
Style/UnlessElse:
Enabled: false
BlockDelimiters:
Enabled: false
Style/SpaceAroundOperators:
Enabled: false
Style/IfUnlessModifier:
Enabled: false
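Review bot: the `Exclude` list at the top of this file carries paths from the main InSpec repository (`'test/**/*'`, `'examples/**/*'`, `'lib/bundles/inspec-init/templates/**/*'`) that do not exist in this resource pack, whose checked-in tree is `controls/` and `libraries/`; trim the list to `Gemfile`, `Rakefile` and `'vendor/**/*'` so the config documents what is actually linted, and revisit `Style/SpaceAroundOperators: Enabled: false`, which hides a cheap readability check in a two-file code base.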

9
.travis.yml Normal file

@ -0,0 +1,9 @@
sudo: false
language: ruby
cache: bundler
rvm:
- 2.3.1
bundler_args: --without integration
script: bundle exec rake
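Review bot: `bundler_args: --without integration` names a Bundler group that the Gemfile in this commit does not define; the only group there is `:tools` (github_changelog_generator), which CI does not need, so either change this to `--without tools` or drop the flag. Note also that `script: bundle exec rake` runs the Rakefile's default task (`lint` and `test:check`), so any failure in `inspec check` will surface here.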

155
CONTRIBUTING.md Normal file

@ -0,0 +1,155 @@
# Contributing to InSpec
We are glad you want to contribute to InSpec! This document will help answer common questions you may have during your first contribution.
## Submitting Issues
We utilize **Github Issues** for issue tracking and contributions. You can contribute in two ways:
1. Reporting an issue or making a feature request [here](#issues).
2. Adding features or fixing bugs yourself and contributing your code to InSpec.
We ask you not to submit security concerns via Github. For details on submitting potential security issues please see <https://www.chef.io/security/>
## Contribution Process
We have a 3 step process for contributions:
1. Commit changes to a git branch, making sure to sign-off those changes for the [Developer Certificate of Origin](#developer-certification-of-origin-dco).
2. Create a Github Pull Request for your change, following the instructions in the pull request template.
3. Perform a [Code Review](#code-review-process) with the project maintainers on the pull request.
### Pull Request Requirements
Chef Projects are built to last. We strive to ensure high quality throughout the experience. In order to ensure this, we require that all pull requests to Chef projects meet these specifications:
1. **Tests:** To ensure high quality code and protect against future regressions, we require all the code in Chef Projects to have at least unit test coverage. See the [test/unit](https://github.com/chef/inspec/tree/master/test/unit)
directory for the existing tests and use ```bundle exec rake test``` to run them.
2. **Green CI Tests:** We use [Travis CI](https://travis-ci.org/) and/or [AppVeyor](https://www.appveyor.com/) CI systems to test all pull requests. We require these test runs to succeed on every pull request before being merged.
3. **Up-to-date Documentation:** Every code change should be reflected in an update for our [documentation](https://github.com/chef/inspec/tree/master/docs). We expect PRs to update the documentation with the code change.
In addition to this it would be nice to include the description of the problem you are solving
with your change. You can use [Issue Template](#issuetemplate) in the description section
of the pull request.
### Code Review Process
Code review takes place in Github pull requests. See [this article](https://help.github.com/articles/about-pull-requests/) if you're not familiar with Github Pull Requests.
Once you open a pull request, project maintainers will review your code and respond to your pull request with any feedback they might have. The process at this point is as follows:
1. Two thumbs-up (:+1:) are required from project maintainers. See the master maintainers document for InSpec projects at <https://github.com/chef/inspec/blob/master/MAINTAINERS.md>.
2. When ready, your pull request will be merged into `master`, we may require you to rebase your PR to the latest `master`.
3. Once the PR is merged, you will be included in `CHANGELOG.md`.
If you would like to learn about when your code will be available in a release of Chef, read more about [Chef Release Cycles](#release-cycles).
### Developer Certification of Origin (DCO)
Licensing is very important to open source projects. It helps ensure the software continues to be available under the terms that the author desired.
Chef uses [the Apache 2.0 license](https://github.com/chef/chef/blob/master/LICENSE) to strike a balance between open contribution and allowing you to use the software however you would like to.
The license tells you what rights you have that are provided by the copyright holder. It is important that the contributor fully understands what rights they are licensing and agrees to them. Sometimes the copyright holder isn't the contributor, such as when the contributor is doing work on behalf of a company.
To make a good faith effort to ensure these criteria are met, Chef requires the Developer Certificate of Origin (DCO) process to be followed.
The DCO is an attestation attached to every contribution made by every developer. In the commit message of the contribution, the developer simply adds a Signed-off-by statement and thereby agrees to the DCO, which you can find below or at <http://developercertificate.org/>.
```
Developer's Certificate of Origin 1.1
By making a contribution to this project, I certify that:
(a) The contribution was created in whole or in part by me and I
have the right to submit it under the open source license
indicated in the file; or
(b) The contribution is based upon previous work that, to the
best of my knowledge, is covered under an appropriate open
source license and I have the right under that license to
submit that work with modifications, whether created in whole
or in part by me, under the same open source license (unless
I am permitted to submit under a different license), as
Indicated in the file; or
(c) The contribution was provided directly to me by some other
person who certified (a), (b) or (c) and I have not modified
it.
(d) I understand and agree that this project and the contribution
are public and that a record of the contribution (including
all personal information I submit with it, including my
sign-off) is maintained indefinitely and may be redistributed
consistent with this project or the open source license(s)
involved.
```
For more information on the change see the Chef Blog post [Introducing Developer Certificate of Origin](https://blog.chef.io/2016/09/19/introducing-developer-certificate-of-origin/)
#### DCO Sign-Off Methods
The DCO requires a sign-off message in the following format appear on each commit in the pull request:
```
Signed-off-by: Julia Child <juliachild@chef.io>
```
The DCO text can either be manually added to your commit body, or you can add either **-s** or **--signoff** to your usual git commit commands. If you forget to add the sign-off you can also amend a previous commit with the sign-off by running **git commit --amend -s**. If you've pushed your changes to Github already you'll need to force push your branch after this with **git push -f**.
### Obvious Fix Policy
Small contributions, such as fixing spelling errors, where the content is small enough to not be considered intellectual property, can be submitted without signing the contribution for the DCO.
As a rule of thumb, changes are obvious fixes if they do not introduce any new functionality or creative thinking. Assuming the change does not affect functionality, some common obvious fix examples include the following:
- Spelling / grammar fixes
- Typo correction, white space and formatting changes
- Comment clean up
- Bug fixes that change default return values or error codes stored in constants
- Adding logging messages or debugging output
- Changes to 'metadata' files like Gemfile, .gitignore, build scripts, etc.
- Moving source files from one directory or package to another
**Whenever you invoke the "obvious fix" rule, please say so in your commit message:**
```
------------------------------------------------------------------------
commit 370adb3f82d55d912b0cf9c1d1e99b132a8ed3b5
Author: Julia Child <juliachild@chef.io>
Date: Wed Sep 18 11:44:40 2015 -0700
Fix typo in the README.
Obvious fix.
------------------------------------------------------------------------
```
## Release Cycles
Our primary shipping vehicle is operating system specific packages that includes all the requirements of InSpec. We call these [Omnibus packages](https://github.com/chef/omnibus)
We also release our software as gems to [Rubygems](https://rubygems.org/) but we strongly recommend using InSpec or ChefDK packages.
Our version numbering roughly follows [Semantic Versioning](http://semver.org/) standard. Our standard version numbers look like X.Y.Z which mean:
- X is a major release, which may not be fully compatible with prior major releases
- Y is a minor release, which adds both new features and bug fixes
- Z is a patch release, which adds just bug fixes
After shipping a release of InSpec we bump at least the `Minor` version by one to start development of the next minor release. We do a release approximately every week. Announcements of releases are made to the [InSpec mailing list](https://discourse.chef.io/c/chef-release) when they are available.
## InSpec Community
InSpec is made possible by a strong community of developers, system administrators, auditor and security experts. If you have any questions or if you would like to get involved in the InSpec community you can check out:
- [InSpec Mailing List](https://discourse.chef.io/c/inspec)
- [Chef Community Slack](https://community-slack.chef.io/)
Also here are some additional pointers to some awesome Chef content:
- [InSpec Docs](http://inspec.io/docs/)
- [Learn Chef](https://learn.chef.io/)
- [Chef Website](https://www.chef.io/)
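Review bot: the "Tests" requirement (`use bundle exec rake test to run them`, linking to `test/unit` in chef/inspec) does not match this repository, whose Rakefile defines only `lint` and `test:check` and which has no `test/` directory; either add unit tests for the resources in `libraries/` or reword the requirement to what CI actually runs here. The in-page anchors `[here](#issues)` and `[Issue Template](#issuetemplate)` also point at headings that do not exist in this file.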

12
Gemfile Normal file

@ -0,0 +1,12 @@
source 'https://rubygems.org'
gem 'rake'
gem 'inspec', '~> 1'
gem 'rubocop', '~> 0.44.0'
gem 'highline', '~> 1.6.0'
gem 'aws-sdk'
gem 'nokogiri'
group :tools do
gem 'github_changelog_generator', '~> 1.12.0'
end
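Review bot: `gem 'aws-sdk'` and `gem 'nokogiri'` carry no version constraint, and the commit's ten files include no `Gemfile.lock`, so every CI run and every contributor resolves a different dependency set; pin at least a major version (as `gem 'inspec', '~> 1'` already does) and commit the lock file so the resolved versions are reviewable.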

13
LICENSE Normal file

@ -0,0 +1,13 @@
Copyright (c) 2016 Chef Software Inc.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

109
README.md Normal file

@ -0,0 +1,109 @@
# InSpec AWS Resource Pack
NOTE: This is early access and not suitable for production. We use this repository to prototype and verify our design goals.
This resource pack provides resources for AWS. It will ship with the required resources to write your own AWS tests.
```
├── README.md - this readme
├── controls - contains no controls
└── libraries - contains AWS resources
```
## Design Goals
Goals for this project are:
- Find the right abstraction layer for AWS
- InSpec AWS resources should be aware that they target AWS
- No mixture of InSpec OS and InSpec AWS resource in one profile possible
- AWS should become a native target for InSpec `inspec exec inspec-aws -t aws://accesskey:secret@region`
This project will be merged into [InSpec](https://github.com/chef/inspec), once we reached all the goals.
## Get started
To run the profile, use InSpec with an environment variable for AWS credentials:
- `AWS_ACCESS_KEY_ID`
- `AWS_SECRET_ACCESS_KEY`
Those variables are defined in [AWS CLI Docs](http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#cli-environment)
Now you can use `inspec exec inspec-aws`. Please note, that you have to define the AWS target in future: `inspec exec inspec-aws -t aws://accesskey:secret@region`.
## Use the resources
Since this is a InSpec resource pack, it only defines InSpec resources. It includes example tests only. You can easily use the AWS InSpec resources in your tests do the following:
### Create a new profile
```
inspec init profile my-profile
```
### Adapt the `inspec.yml`
```
name: my-profile
title: My own AWS profile
version: 0.1.0
depends:
- name: aws
url: https://github.com/chef/inspec-aws/archive/master.tar.gz
```
### Add controls
Since your profile depends on the resource pack, you can use those resources in your own profile:
```
control "aws-1" do
impact 0.7
title 'Checks the machine is running'
describe ec2('my-ec2-machine') do
it { should be_running }
end
end
```
### Available Resources
* `aws_ec2` - This resource reads information about an ec2 instance
### Roadmap
* `aws_ami`
* `aws_s3bucket`
* `aws_security_group`
* `aws_iam_group`
* `aws_iam_policy`
* `aws_iam_role`
* `aws_iam_user`
...
## Kudos
This project was inspired by [inspec-aws](https://github.com/arothian/inspec-aws) from [arothian](https://github.com/arothian).
## License
| | |
| ------ | --- |
| **Author:** | Christoph Hartmann (<chartmann@chef.io>) |
| **Copyright:** | Copyright (c) 2016 Chef Software Inc. |
| **License:** | Apache License, Version 2.0 |
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
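Review bot: the "Add controls" example calls `describe ec2('my-ec2-machine') do`, but the resource defined in `libraries/ec2.rb` is registered as `name 'aws_ec2'`, and a plain string argument is treated there as an instance id (`@instance_id = @opts`), not a Name tag; the example should read `describe aws_ec2(name: 'my-ec2-machine') do`. Separately, the `depends` entry fetches `https://github.com/chef/inspec-aws/archive/master.tar.gz` with no version or checksum, so a profile built on it pulls whatever `master` holds at run time; point users at a tagged release once one exists.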

26
Rakefile Normal file

@ -0,0 +1,26 @@
#!/usr/bin/env rake
# encoding: utf-8
require 'rake/testtask'
require 'rubocop/rake_task'
# Rubocop
desc 'Run Rubocop lint checks'
task :rubocop do
RuboCop::RakeTask.new
end
# lint the project
desc 'Run robocop linter'
task lint: [:rubocop]
# run tests
task default: [:lint, 'test:check']
namespace :test do
# run inspec check to verify that the profile is properly configured
task :check do
dir = File.join(File.dirname(__FILE__))
sh("bundle exec inspec check #{dir}")
end
end
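Review bot: `RuboCop::RakeTask.new` defines a `rubocop` task by itself, so wrapping it in `task :rubocop do ... end` only registers the real task lazily when the outer task first runs; call `RuboCop::RakeTask.new` at top level instead. Also fix the typo in `desc 'Run robocop linter'` (should be "Rubocop"), and `File.join(File.dirname(__FILE__))` with a single argument is a no-op, so `__dir__` expresses the intent more plainly.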

14
controls/example.rb Normal file

@ -0,0 +1,14 @@
describe aws_ec2(name: 'aws-inspec') do
it { should be_running }
its('state') { should eq 'running' }
its('instance_id') { should eq 'i-1234a1ab' }
its('image_id') { should eq 'ami-c123aaa1' }
its('public_ip_address') { should eq '123.123.123.123' }
its('private_ip_address') { should eq '123.123.123.123' }
its('vpc_id') { should eq 'vpc-1234567' }
its('subnet_id') { should eq 'subnet-1234567' }
end
describe aws_ec2(name: 'aws-opsworks-cm-serdar2') do
it { should_not be_running }
end
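Review bot: the README's tree says `controls - contains no controls`, yet this file adds two bare `describe` blocks that `inspec exec` will run, with expectations tied to one developer's account (`aws-opsworks-cm-serdar2`, `i-1234a1ab`, identical public and private addresses `123.123.123.123`), so the profile fails for anyone else; either move these to an `examples/` directory that the profile does not execute, or turn them into documentation.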

7
inspec.yml Normal file

@ -0,0 +1,7 @@
name: inspec-aws
title: InSpec AWS Resource Pack
maintainer: Chef Software Inc.
copyright: chris@lollyrock.com
copyright_email: chris@lollyrock.com
license: Apache 2 license
version: 1.0.0
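Review bot: `copyright: chris@lollyrock.com` puts an e-mail address in the field that should name the copyright holder, which the LICENSE file gives as Chef Software Inc.; `copyright_email` already carries the address. `version: 1.0.0` also sits oddly next to the README's "early access and not suitable for production"; a 0.x version would set expectations for anyone depending on the pack.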

94
libraries/ec2.rb Normal file

@ -0,0 +1,94 @@
# author: Christoph Hartmann
require 'aws_conn'
class Ec2 < Inspec.resource(1)
name 'aws_ec2'
desc 'Returns information about an EC2 instance'
example "
describe aws_ec2('i-123456') do
it { should be_running }
end
describe aws_ec2(name: 'my-instance') do
it { should be_running }
end
"
def initialize(opts)
@opts = opts
@opts.is_a?(Hash) ? @display_name = @opts[:name] : @display_name = opts
conn = AWSConnection.new
@ec2_client = conn.ec2_client
@ec2_resource = conn.ec2_resource
end
def id
return @instance_id if defined?(@instance_id)
if @opts.is_a?(Hash)
first = @ec2_resource.instances(
{
filters: [{
name: 'tag:Name',
values: [@opts[:name]],
}],
},
).first
# catch case where the instance is not known
@instance_id = first.id unless first.nil?
else
@instance_id = @opts
end
end
alias instance_id id
def exists?
!id.nil?
end
# returns the instance state
def state
instance.state.name if instance
end
# helper methods for each state
%w{
pending running shutting-down
terminated stopping stopped unknown
}.each do |state_name|
define_method state_name.tr('-', '_') + '?' do
state == state_name
end
end
# attributes that we want to expose
%w{
public_ip_address private_ip_address key_name private_dns_name
public_dns_name subnet_id architecture root_device_type
root_device_name virtualization_type client_token launch_time
instance_type image_id vpc_id
}.each do |attribute|
define_method attribute do
instance.send(attribute)
end
end
def security_groups
@security_groups ||= instance.security_groups.map { |sg| { id: sg.group_id, name: sg.group_name } }
end
def tags
@tags ||= instance.tags.map { |tag| { key: tag.key, value: tag.value } }
end
def to_s
"EC2 Instance #{@display_name}"
end
private
def instance
@instance ||= @ec2_resource.instance(id)
end
end
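Review bot: `require 'aws_conn'` has no matching `libraries/aws_conn.rb` among the ten files in this commit, so the resource cannot load and `AWSConnection.new` is undefined; add the file or drop the dependency. In `id`, the lookup by Name tag leaves `@instance_id` unset when no instance matches, and `instance` then calls `@ec2_resource.instance(id)` with `nil` while the generated attribute methods call `instance.send(attribute)` without checking `exists?`, so a missing instance surfaces as an SDK error rather than a clean failure; guard the attribute methods with `exists?` (as `state` tries to do with `if instance`), and memoize the negative result so the tag query is not repeated on every call.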