Implement credential set loading

Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
2025-02-16 22:18:38 +00:00 · 2019-01-08 22:58:28 -08:00 · 2019-01-08 22:58:28 -08:00 · 7328e82ae6
commit 7328e82ae6
parent 354e7bb5e3
4 changed files with 84 additions and 2 deletions
--- a/lib/inspec/config.rb
+++ b/lib/inspec/config.rb
@ -71,6 +71,8 @@ module Inspec
    #      transport name prefixed, which is stripped before being added
    #      to the creds hash)
    #  * the --target CLI option, which is interpreted:
+    #     - as a transport://credset format, which looks up the creds in
+    #       the config file in the credentials section
    #     - as an arbitrary URI, which is parsed by Train.unpack_target_from_uri

    def unpack_train_credentials
@ -82,8 +84,9 @@ module Inspec
      credentials.merge!(_utc_generic_credentials)

      _utc_determine_backend(credentials)
-      credentials.merge!(Train.unpack_target_from_uri(final_options[:target] || '')) # TODO: this will be replaced with the credset work
      transport_name = credentials[:backend].to_s
+
+      _utc_merge_credset(credentials, transport_name)
      _utc_merge_transport_options(credentials, transport_name)

      # Convert to all-Symbol keys
@ -137,6 +140,33 @@ module Inspec
      credentials[:backend] = transport_name.to_s # these are indeed stored in Train as Strings.
    end

+    def _utc_merge_credset(credentials, transport_name)
+      # Look for Config File credentials/transport_name/credset
+      credset_name = _utc_find_credset_name(credentials, transport_name)
+
+      if credset_name
+        credset = @cfg_file_contents.dig('credentials', transport_name, credset_name)
+        if credset
+          credentials.merge!(credset)
+        else
+          # OK, we had a target that looked like transport://something
+          # But we don't know what that something is - there was no
+          # matching credset with it.  Let train parse it.
+          credentials.merge!(Train.unpack_target_from_uri(final_options[:target]))
+        end
+      elsif final_options.key?(:target)
+        # Not sure what target looked like at all!
+        # Let train parse it.
+        credentials.merge!(Train.unpack_target_from_uri(final_options[:target]))
+      end
+    end
+
+    def _utc_find_credset_name(_credentials, transport_name)
+      return nil unless final_options[:target]
+      match = final_options[:target].match(%r{^#{transport_name}://(?<credset_name>[a-z_\-0-9]+)$})
+      match ? match[:credset_name] : nil
+    end
+
    #-----------------------------------------------------------------------#
    #                         Reading Config Files
    #-----------------------------------------------------------------------#
--- a/test/functional/inspec_exec_test.rb
+++ b/test/functional/inspec_exec_test.rb
@ -656,7 +656,7 @@ Test Summary: \e[38;5;41m2 successful\e[0m, 0 failures, 0 skipped\n"
      JSON.parse(json).select{|k,v| ['name', 'release'].include? k }
    end
    let(:run_result) { run_inspec_process('exec ' + File.join(profile_path, 'simple-metadata') + ' ' + cli_args, json: true) }
-    let(:seen_platform) { run_result.payload.json['platform'].select{|k,v| ['name', 'release'].include? k } }
+    let(:seen_platform) { run_result.payload.json['platform'].select{|k,v| ['name', 'release', 'target_id'].include? k } }
    let(:stderr) { run_result.stderr }

    describe 'when neither target nor backend is specified' do
@ -710,5 +710,12 @@ Test Summary: \e[38;5;41m2 successful\e[0m, 0 failures, 0 skipped\n"
        stderr.must_include 'transport://credset'
      end
    end
+
+    describe 'when a target URI with a known credset is used' do
+      let(:cli_args) { '--target mock://mycredset' + ' --config ' + File.join(config_dir_path, 'json-config', 'mock-credset.json') }
+      it 'should connect to the mock platform' do
+        seen_platform.must_equal({"name" => "mock","release" => "unknown","target_id" => "from-mock-credset-config-file"})
+      end
+    end
  end
 end
--- a/test/unit/config_test.rb
+++ b/test/unit/config_test.rb
@ -303,6 +303,30 @@ describe 'Inspec::Config' do
      end
    end

+    describe 'when creds are specified with a credset target_uri in a 1.1 file without transport prefixes' do
+      let(:file_fixture_name) { :basic }
+      let(:cli_opts) { { target: 'ssh://set1' }}
+      it 'should use the credset to lookup the creds in the file' do
+        expected = [:backend, :host, :user].sort
+        seen_fields.must_equal expected
+        creds[:backend].must_equal 'ssh'
+        creds[:host].must_equal 'some.host'
+        creds[:user].must_equal 'some_user'
+      end
+    end
+
+    describe 'when creds are specified with a credset target_uri in a 1.1 file and a prefixed override on the CLI' do
+      let(:file_fixture_name) { :basic }
+      let(:cli_opts) { { target: 'ssh://set1', ssh_user: 'bob' } }
+      it 'should use the credset to lookup the creds in the file then override the single value' do
+        expected = [:backend, :host, :user].sort
+        seen_fields.must_equal expected
+        creds[:backend].must_equal 'ssh'
+        creds[:host].must_equal 'some.host'
+        creds[:user].must_equal 'bob'
+      end
+    end
+
    describe 'when creds are specified with a non-credset target_uri' do
      let(:cfg_io) { nil }
      let(:cli_opts) { { target: 'ssh://bob@somehost' } }
@ -425,6 +449,14 @@ module ConfigTestHelper
            "url": "http://some.where",
            "token" : "YOUR_A2_ADMIN_TOKEN"
          }
+        },
+        "credentials": {
+          "ssh": {
+            "set1": {
+              "host": "some.host",
+              "user": "some_user"
+            }
+          }
        }
      }
      EOJ2
--- a/test/unit/mock/config_dirs/json-config/mock-credset.json
+++ b/test/unit/mock/config_dirs/json-config/mock-credset.json
@ -0,0 +1,13 @@
+{
+  "version": "1.1",
+  "cli_options": {
+    "target_id": "from-mock-credset-config-file"
+  },
+  "credentials": {
+    "mock": {
+      "mycredset": {
+        "a_setting": "a_value"
+      }
+    }
+  }
+}