Fix opa_api and opa_cli resource to handle empty result

Signed-off-by: Vasu1105 <vasundhara.jagdale@chef.io>
Vasu1105 2021-09-22 16:23:12 +05:30
parent f09d49da66
commit 63e7eb5395
6 changed files with 32 additions and 0 deletions


@ -50,6 +50,7 @@ An OPA query as a JSON data file or a string in JSON format.
The following examples show how to use this Chef InSpec audit resource.
describe opa_api(url: "localhost:8181/v1/data/example/allow", data: "input.json") do
its["result"] { shoule_not be nil }
its(["result"]) { should eq true }
its("allow") { should eq "true" }
end
@ -62,6 +63,12 @@ For a full list of available matchers, please visit our [matchers page](/inspec/
## Properties
### result
The `result` property checks whether query output is nil.
its('result') { should be nil }
### allow
The `allow` property checks if specific input is as per the policy defined in OPA. If `allow` is not defined in the policy file then this matcher will not work.


@ -59,6 +59,7 @@ This is the full path to the OPA binary or EXE file used for running the OPA CLI
The following examples show how to use this Chef InSpec audit resource:
describe opa_cli(query: "data.example.allow", policy: "example.rego", data: "input.json", opa_executable_path: "./opa") do
its["result"] { shoule_not be nil }
its(["result", 0, "expressions", 0, "value"]) { should eq true }
its("allow") { should eq "true" }
end
@ -71,6 +72,12 @@ For a full list of available matchers, please visit our [matchers page](/inspec/
## Properties
### result
The `result` property checks whether query output is nil.
its('result') { should be nil }
### allow
The `allow` property checks if specific input is as per the policy defined in OPA. If `allow` is not defined in the policy file then this matcher will not work.


@ -12,6 +12,10 @@ module Inspec::Resources
super({ content: @content })
end
def result
@content == {} || @content["result"].empty? ? nil : @content
end
private
def parse(content)
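Review bot: `result` calls `.empty?` on `@content["result"]` without checking that the value exists or responds to it, so a response with no `result` key, or one whose `result` is a scalar such as `true` (the shape the docs example in this commit compares against), would raise NoMethodError instead of returning a value. For an audit resource that means the control errors out rather than reporting the policy decision. Consider `value = @content.is_a?(Hash) ? @content["result"] : nil` followed by `value.nil? || (value.respond_to?(:empty?) && value.empty?) ? nil : @content`, which also covers the `{}` case. The unparenthesised `a || b ? nil : c` relies on `?:` binding looser than `||`; parentheses around the condition would make that explicit. The enclosing class starts above the hunk and `parse` continues below it.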


@ -586,7 +586,9 @@ class MockLoader
"semanage boolean -l -n" => cmd.call("semanage-boolean"),
"Get-ChildItem -Path \"C:\\Program Files\\MongoDB\\Server\" -Name" => cmd.call("mongodb-version"),
"opa eval -i 'input.json' -d 'example.rego' 'data.example.allow'" => cmd.call("opa-result"),
"opa eval -i 'input.json' -d 'example.rego' 'data.example.voilation'" => cmd.call("opa-empty-result"),
"curl -X POST localhost:8181/v1/data/example/violation -d @v1-data-input.json -H 'Content-Type: application/json'" => cmd.call("opa-api-result"),
"curl -X POST localhost:8181/v1/data/example/violation -d @v1-data-input1.json -H 'Content-Type: application/json'" => cmd.call("opa-api-empty-result"),
# ibmdb2
"/opt/ibm/db2/V11.5/bin/db2 attach to db2inst1; /opt/ibm/db2/V11.5/bin/db2 get database manager configuration" => cmd.call("ibmdb2_conf_output"),


@ -9,6 +9,12 @@ describe "Inspec::Resources::OpaApi" do
_(resource.params["result"]).must_include "ci"
end
it "verify opa api query result parsing when output is empty" do
resource = load_resource("opa_api", url: "localhost:8181/v1/data/example/violation", data: "v1-data-input1.json")
_(resource.result).must_be_nil
_(resource.params["result"]).must_equal([])
end
it "fails when url or data is nil." do
resource = load_resource("opa_api")
_(resource.resource_failed?).must_equal true


@ -9,6 +9,12 @@ describe "Inspec::Resources::OpaCli" do
_(resource.allow).must_equal false
end
it "verify opa eval query result parsing when output is empty" do
resource = load_resource("opa_cli", policy: "example.rego", data: "input.json", query: "data.example.voilation")
_(resource.result).must_be_nil
_(resource.params).must_equal({})
end
it "fails when policy, data or query is nil." do
resource = load_resource("opa_cli")
_(resource.resource_failed?).must_equal true