Merge pull request #6074 from inspec/nm/aws-profile-version-fix

CFINSPEC-249 Fix for dependent profiles with same name but different version

lib/inspec/dependencies/dependency_set.rb

@@ -25,7 +25,9 @@ module Inspec
     def self.from_array(dependencies, cwd, cache, backend)
       dep_list = {}
       dependencies.each do |d|
-        dep_list[d.name] = d
+        # if depedent profile does not have a source version then only name is used in dependency hash
+        key_name = (d.source_version ? "#{d.name}-#{d.source_version}" : "#{d.name}") rescue "#{d.name}"
+        dep_list[key_name] = d
       end
       new(cwd, cache, dep_list, backend)
     end
@@ -39,7 +41,9 @@ module Inspec
     def self.flatten_dep_tree(dep_tree)
       dep_list = {}
       dep_tree.each do |d|
-        dep_list[d.name] = d
+        # if depedent profile does not have a source version then only name is used in dependency hash
+        key_name = (d.source_version ? "#{d.name}-#{d.source_version}" : "#{d.name}") rescue d.name
+        dep_list[key_name] = d
         dep_list.merge!(flatten_dep_tree(d.dependencies))
       end
       dep_list

lib/inspec/dsl.rb

@@ -6,13 +6,13 @@ require "inspec/utils/deprecated_cloud_resources_list"
 module Inspec::DSL
   attr_accessor :backend
 
-  def require_controls(id, &block)
-    opts = { profile_id: id, include_all: false, backend: @backend, conf: @conf, dependencies: @dependencies }
+  def require_controls(id, version = nil, &block)
+    opts = { profile_id: id, include_all: false, backend: @backend, conf: @conf, dependencies: @dependencies, profile_version: version }
     ::Inspec::DSL.load_spec_files_for_profile(self, opts, &block)
   end
 
-  def include_controls(id, &block)
-    opts = { profile_id: id, include_all: true, backend: @backend, conf: @conf, dependencies: @dependencies }
+  def include_controls(id, version = nil, &block)
+    opts = { profile_id: id, include_all: true, backend: @backend, conf: @conf, dependencies: @dependencies, profile_version: version }
     ::Inspec::DSL.load_spec_files_for_profile(self, opts, &block)
   end
 
@@ -85,7 +85,20 @@ module Inspec::DSL
   def self.load_spec_files_for_profile(bind_context, opts, &block)
     dependencies = opts[:dependencies]
     profile_id = opts[:profile_id]
-    dep_entry = dependencies.list[profile_id]
+    profile_version = opts[:profile_version]
+
+    new_profile_id = nil
+    if profile_version
+      new_profile_id = "#{profile_id}-#{profile_version}"
+    else
+      dependencies.list.keys.each do |key|
+        # If dep profile does not contain a source version, key does not contain a version as well. In that case new_profile_id will be always nil and instead profile_id would be used to fetch profile from dependency list.
+        profile_id_key = key.split("-")
+        profile_id_key.pop
+        new_profile_id = key if profile_id_key.join("-") == profile_id
+      end
+    end
+    dep_entry = new_profile_id ? dependencies.list[new_profile_id] : dependencies.list[profile_id]
 
     if dep_entry.nil?
       raise <<~EOF

test/fixtures/profiles/git-fetcher/inheritance/child-profile-1/controls/example.rb

@@ -0,0 +1,3 @@
+require_controls "ssh" do
+  control "sshd-50"
+end

test/fixtures/profiles/git-fetcher/inheritance/child-profile-1/inspec.yml

@@ -0,0 +1,15 @@
+name: child-profile-1
+title: InSpec Profile
+maintainer: The Authors
+copyright: The Authors
+copyright_email: you@example.com
+license: Apache-2.0
+summary: An InSpec Compliance Profile
+version: 0.1.0
+supports:
+  platform: os
+depends:
+  - name: ssh
+    git: https://github.com/dev-sec/ssh-baseline.git
+    tag: 2.7.0
+    

test/fixtures/profiles/git-fetcher/inheritance/child-profile-2/controls/example.rb

@@ -0,0 +1,3 @@
+require_controls "ssh" do
+  control "sshd-01"
+end

test/fixtures/profiles/git-fetcher/inheritance/child-profile-2/inspec.yml

@@ -0,0 +1,14 @@
+name: child-profile-2
+title: InSpec Profile
+maintainer: The Authors
+copyright: The Authors
+copyright_email: you@example.com
+license: Apache-2.0
+summary: An InSpec Compliance Profile
+version: 0.1.0
+supports:
+  platform: os
+depends:
+  - name: ssh
+    git: https://github.com/dev-sec/ssh-baseline.git
+    tag: 2.6.0

test/fixtures/profiles/git-fetcher/inheritance/parent-profile/controls/example.rb

@@ -0,0 +1,2 @@
+include_controls "child-profile-1"
+include_controls "child-profile-2"

test/fixtures/profiles/git-fetcher/inheritance/parent-profile/inspec.yml

@@ -0,0 +1,15 @@
+name: parent-profile
+title: InSpec Profile
+maintainer: The Authors
+copyright: The Authors
+copyright_email: you@example.com
+license: Apache-2.0
+summary: An InSpec Compliance Profile
+version: 0.1.0
+supports:
+  platform: os
+depends:
+  - name: child-profile-2
+    path: ../child-profile-2
+  - name: child-profile-1
+    path: ../child-profile-1

test/functional/inspec_exec_test.rb

@@ -1305,4 +1305,16 @@ EOT
       assert_json_controls_passing
     end
   end
+
+  describe "when profiles are dependent on different versions of same profile" do
+    let(:profile) { "#{profile_path}/git-fetcher/inheritance/parent-profile" }
+    let(:run_result) { run_inspec_process("exec #{profile}") }
+    it "should evaluate all test controls of all versions correctly" do
+      _(run_result.stderr).must_be_empty
+      _(run_result.stdout).must_include "2.7.0"
+      _(run_result.stdout).must_include "2.6.0"
+      _(run_result.stdout).must_include "sshd-01"
+      _(run_result.stdout).must_include "sshd-50"
+    end
+  end
 end