From 63e7eb53953baa956a0025e491b2f31cba06e149 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Wed, 22 Sep 2021 16:23:12 +0530 Subject: [PATCH] Fix opa_api and opa_cli resource to handle empty result Signed-off-by: Vasu1105 --- docs-chef-io/content/inspec/resources/opa_api.md | 7 +++++++ docs-chef-io/content/inspec/resources/opa_cli.md | 7 +++++++ lib/inspec/resources/opa.rb | 4 ++++ test/helpers/mock_loader.rb | 2 ++ test/unit/resources/opa_api_test.rb | 6 ++++++ test/unit/resources/opa_cli_test.rb | 6 ++++++ 6 files changed, 32 insertions(+) diff --git a/docs-chef-io/content/inspec/resources/opa_api.md b/docs-chef-io/content/inspec/resources/opa_api.md index 97d0192dc..e781d5f2d 100644 --- a/docs-chef-io/content/inspec/resources/opa_api.md +++ b/docs-chef-io/content/inspec/resources/opa_api.md @@ -50,6 +50,7 @@ An OPA query as a JSON data file or a string in JSON format. The following examples show how to use this Chef InSpec audit resource. describe opa_api(url: "localhost:8181/v1/data/example/allow", data: "input.json") do + its["result"] { shoule_not be nil } its(["result"]) { should eq true } its("allow") { should eq "true" } end @@ -62,6 +63,12 @@ For a full list of available matchers, please visit our [matchers page](/inspec/ ## Properties +### result + +The `result` property checks whether query output is nil. + + its('result') { should be nil } + ### allow The `allow` property checks if specific input is as per the policy defined in OPA. If `allow` is not defined in the policy file then this matcher will not work. diff --git a/docs-chef-io/content/inspec/resources/opa_cli.md b/docs-chef-io/content/inspec/resources/opa_cli.md index ee1bebdc4..d1ba4dfd0 100644 --- a/docs-chef-io/content/inspec/resources/opa_cli.md +++ b/docs-chef-io/content/inspec/resources/opa_cli.md 
@@ -59,6 +59,7 @@ This is the full path to the OPA binary or EXE file used for running the OPA CLI The following examples show how to use this Chef InSpec audit resource: describe opa_cli(query: "data.example.allow", policy: "example.rego", data: "input.json", opa_executable_path: "./opa") do + its["result"] { shoule_not be nil } its(["result", 0, "expressions", 0, "value"]) { should eq true } its("allow") { should eq "true" } end @@ -71,6 +72,12 @@ For a full list of available matchers, please visit our [matchers page](/inspec/ ## Properties +### result + +The `result` property checks whether query output is nil. + + its('result') { should be nil } + ### allow The `allow` property checks if specific input is as per the policy defined in OPA. If `allow` is not defined in the policy file then this matcher will not work. diff --git a/lib/inspec/resources/opa.rb b/lib/inspec/resources/opa.rb index c8e4cfe34..a8cd0a979 100644 --- a/lib/inspec/resources/opa.rb +++ b/lib/inspec/resources/opa.rb @@ -12,6 +12,10 @@ module Inspec::Resources super({ content: @content }) end + def result + @content == {} || @content["result"].empty? ? nil : @content + end + private def parse(content) diff --git a/test/helpers/mock_loader.rb b/test/helpers/mock_loader.rb index dc52ae331..61e882ddf 100644 --- a/test/helpers/mock_loader.rb +++ b/test/helpers/mock_loader.rb 
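Review bot: The new `result` method calls `@content["result"].empty?` on whatever the parsed response holds, so it raises NoMethodError when the key is missing from a non-empty document or when the value is a scalar; the opa_api documentation example in this same patch expects `its(["result"]) { should eq true }`, and `true` does not respond to `empty?`. An audit resource that raises on a well-formed policy answer turns a compliance verdict into an error, so guard the call: `value = @content["result"]` followed by `value.nil? || (value.respond_to?(:empty?) && value.empty?) ? nil : @content`. The method also returns the whole `@content` document rather than the `"result"` value, which deserves a comment such as `# Returns nil for an empty or undefined query result, otherwise the full parsed document`. `parse` and the initializer are outside the hunk, so whether `@content` can itself be nil here could not be checked.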
@@ -586,7 +586,9 @@ class MockLoader "semanage boolean -l -n" => cmd.call("semanage-boolean"), "Get-ChildItem -Path \"C:\\Program Files\\MongoDB\\Server\" -Name" => cmd.call("mongodb-version"), "opa eval -i 'input.json' -d 'example.rego' 'data.example.allow'" => cmd.call("opa-result"), + "opa eval -i 'input.json' -d 'example.rego' 'data.example.voilation'" => cmd.call("opa-empty-result"), "curl -X POST localhost:8181/v1/data/example/violation -d @v1-data-input.json -H 'Content-Type: application/json'" => cmd.call("opa-api-result"), + "curl -X POST localhost:8181/v1/data/example/violation -d @v1-data-input1.json -H 'Content-Type: application/json'" => cmd.call("opa-api-empty-result"), # ibmdb2 "/opt/ibm/db2/V11.5/bin/db2 attach to db2inst1; /opt/ibm/db2/V11.5/bin/db2 get database manager configuration" => cmd.call("ibmdb2_conf_output"), diff --git a/test/unit/resources/opa_api_test.rb b/test/unit/resources/opa_api_test.rb index f404e8876..fd10460dd 100644 --- a/test/unit/resources/opa_api_test.rb +++ b/test/unit/resources/opa_api_test.rb @@ -9,6 +9,12 @@ describe "Inspec::Resources::OpaApi" do _(resource.params["result"]).must_include "ci" end + it "verify opa api query result parsing when output is empty" do + resource = load_resource("opa_api", url: "localhost:8181/v1/data/example/violation", data: "v1-data-input1.json") + _(resource.result).must_be_nil + _(resource.params["result"]).must_equal([]) + end + it "fails when url or data is nil." do resource = load_resource("opa_api") _(resource.resource_failed?).must_equal true diff --git a/test/unit/resources/opa_cli_test.rb b/test/unit/resources/opa_cli_test.rb index 7d7df9f33..d22a7fdef 100644 --- a/test/unit/resources/opa_cli_test.rb +++ b/test/unit/resources/opa_cli_test.rb 
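Review bot: The added `opa eval` mock key queries `data.example.voilation`, while the neighbouring curl keys spell it `violation`. The same spelling is repeated in the new test in test/unit/resources/opa_cli_test.rb, so the fixture lookup works only because both places carry the same misspelling. If the name is meant to model a rule that does not exist in example.rego, say so with a comment above the entry, e.g. `# undefined rule on purpose: the fixture is an empty document`; otherwise rename it to `data.example.violation` in both files. The surrounding hash literal starts and ends outside the hunk.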
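Review bot: Only the nil branch of `result` is asserted in the added opa_api test; nothing visible here calls `resource.result` on a response that carries data, and the preceding test (its start is outside the hunk) checks `params["result"]` instead. Add `_(resource.result).wont_be_nil` to that test, plus a case whose fixture has a boolean `"result"`, since that is the shape the opa_api documentation example describes.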
@@ -9,6 +9,12 @@ describe "Inspec::Resources::OpaCli" do _(resource.allow).must_equal false end + it "verify opa eval query result parsing when output is empty" do + resource = load_resource("opa_cli", policy: "example.rego", data: "input.json", query: "data.example.voilation") + _(resource.result).must_be_nil + _(resource.params).must_equal({}) + end + it "fails when policy, data or query is nil." do resource = load_resource("opa_cli") _(resource.resource_failed?).must_equal true
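Review bot: The empty-output case asserted here cannot distinguish "the policy found nothing" from "the query did not resolve": `params` equal `{}` and `result` is nil, which looks like the output for an undefined query rather than for a rule that evaluated to an empty set. A control written as `its('result') { should be nil }` would therefore pass for a mistyped or missing query path as well as for a clean system, which matters when the query lists violations. Consider a second case with a fixture where the rule is defined but empty, and a comment on this test such as `# {} here means the query was undefined, not that the policy found no violations`. The enclosing `describe` block extends beyond the hunk.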