mirror of
https://github.com/inspec/inspec
synced 2024-11-10 07:04:15 +00:00
* Matching semver using regex to determine profile name without version in dsl logic
* Testing for selecting control using version in require control dsl
* Documentation for using version with profile name when including or selecting controls in a profile
* Commenting in dsl library about logic for fetching version and matching it
* Comment for regex used to fetch version
* Minor improvement for regex variable placement

Signed-off-by: Nikita Mathur <nikita.mathur@chef.io>
Co-authored-by: Nikita Mathur <Nik08@users.noreply.github.com>
parent
bbf4c7eabe
commit
812001abcc
5 changed files with 76 additions and 4 deletions
|
@ -404,6 +404,44 @@ As with the prior example, only `baseline-2` and `baseline-4` are executed, but
|
|||
if `baseline-2` fails, it will report with an impact of `0.5` instead of the
|
||||
originally-intended `1.0` impact.
|
||||
|
||||
## Including or Selecting controls from a profile with same name and different version.
|
||||
|
||||
When an inspec profile has dependency on another profile to it's specific version, then the controls can be included or selected by using profile name with version separated by `-`.
|
||||
|
||||
Here, the Profile - A has following dependency:
|
||||
|
||||
```yaml
|
||||
name: profile-a
|
||||
depends:
|
||||
- name: ssh
|
||||
git: https://github.com/dev-sec/ssh-baseline.git
|
||||
tag: 2.6.0
|
||||
```
|
||||
|
||||
And Profile - B has following dependency:
|
||||
|
||||
```yaml
|
||||
name: profile-b
|
||||
depends:
|
||||
- name: ssh
|
||||
git: https://github.com/dev-sec/ssh-baseline.git
|
||||
tag: 2.7.0
|
||||
```
|
||||
|
||||
Controls of these profiles can be included or required in a profile in a following manner:
|
||||
|
||||
```ruby
|
||||
include_controls "ssh-2.6.0"
|
||||
include_controls "ssh-2.7.0"
|
||||
```
|
||||
|
||||
OR
|
||||
|
||||
```ruby
|
||||
require_controls "ssh-2.6.0"
|
||||
require_controls "ssh-2.7.0"
|
||||
```
|
||||
|
||||
## Using Resources from an Included Profile
|
||||
|
||||
By default, all of the custom resources from a listed dependency are available
|
||||
|
|
|
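Review bot: The new section's sentence "by using profile name with version separated by `-`" does not say which version formats are accepted, while the DSL change in this commit only recognises a SemVer string in the dependency key; state that requirement here and say what happens when the suffix is not SemVer. The example would also be easier to follow if it showed the `inspec.yml` of the profile that contains the `include_controls "ssh-2.6.0"` calls, since only profile-a and profile-b are shown. Minor: "it's specific version" should be "its", and the heading should not end with a period.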
@ -91,13 +91,19 @@ module Inspec::DSL
|
|||
if profile_version
|
||||
new_profile_id = "#{profile_id}-#{profile_version}"
|
||||
else
|
||||
# This scary regex is used to match version following semantic Versioning (SemVer). Thanks to https://ihateregex.io/expr/semver/
|
||||
regex_for_semver = /(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?/
|
||||
dependencies.list.keys.each do |key|
|
||||
# If dep profile does not contain a source version, key does not contain a version as well. In that case new_profile_id will be always nil and instead profile_id would be used to fetch profile from dependency list.
|
||||
profile_id_key = key.split("-")
|
||||
profile_id_key.pop
|
||||
new_profile_id = key if profile_id_key.join("-") == profile_id
|
||||
# 1. Fetching VERSION from a profile dependency name which is in a format NAME-VERSION.
|
||||
# 2. Matching original profile dependency name with profile name used with include or require control DSL.
|
||||
fetching_semver = key.match(regex_for_semver).to_s
|
||||
unless fetching_semver.nil? || fetching_semver.empty?
|
||||
profile_id_key = key.split("-#{fetching_semver}")[0]
|
||||
new_profile_id = key if profile_id_key == profile_id
|
||||
end
|
||||
end
|
||||
end
|
||||
# If dep profile does not contain a source version, key does not contain a version as well. In that case new_profile_id will be always nil and instead profile_id would be used to fetch profile from dependency list.
|
||||
dep_entry = new_profile_id ? dependencies.list[new_profile_id] : dependencies.list[profile_id]
|
||||
|
||||
if dep_entry.nil?
|
||||
|
|
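Review bot: `key.match(regex_for_semver)` uses an unanchored pattern, so it returns the first SemVer-looking run anywhere in the key rather than the trailing `-VERSION`; a dependency whose name itself contains such a run would be cut in the wrong place by `key.split("-#{fetching_semver}")[0]`. Anchor the match to the end of the key (require a preceding `-` and a closing `\z`) and take the name from a capture group instead of splitting. Two smaller points: the loop does not stop at the first hit, so when two keys reduce to the same `profile_id` the last one wins silently, and `fetching_semver.nil?` can never be true after `.to_s`.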
3
test/fixtures/profiles/git-fetcher/inheritance/child-profile-3/controls/example.rb
vendored
Normal file
|
@ -0,0 +1,3 @@
|
|||
require_controls "ssh-2.6.0" do
|
||||
control "sshd-01"
|
||||
end
|
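Review bot: Only the `require_controls "ssh-2.6.0"` path is exercised by this fixture, while the documentation added in the same commit also promises `include_controls "ssh-2.6.0"`. Add a second control file or fixture profile that uses `include_controls` with a versioned name so both DSL entry points are covered.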
14
test/fixtures/profiles/git-fetcher/inheritance/child-profile-3/inspec.yml
vendored
Normal file
|
@ -0,0 +1,14 @@
|
|||
name: child-profile-3
|
||||
title: InSpec Profile
|
||||
maintainer: The Authors
|
||||
copyright: The Authors
|
||||
copyright_email: you@example.com
|
||||
license: Apache-2.0
|
||||
summary: An InSpec Compliance Profile
|
||||
version: 0.1.0
|
||||
supports:
|
||||
platform: os
|
||||
depends:
|
||||
- name: ssh
|
||||
git: https://github.com/dev-sec/ssh-baseline.git
|
||||
tag: 2.6.0
|
|
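Review bot: The `depends` list declares a single `ssh` dependency at `tag: 2.6.0`, so the case this commit is about (two versions of the same profile in one dependency tree) is never constructed. Consider adding intermediate fixture profiles that depend on `ssh` at 2.6.0 and 2.7.0, as in the profile-a/profile-b documentation example, and have child-profile-3 depend on those. Also note that the fixture fetches from GitHub at run time, so the functional test needs network access and follows a tag that upstream can move.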
@ -1319,6 +1319,17 @@ EOT
|
|||
_(run_result.stdout).must_include "sshd-50"
|
||||
end
|
||||
end
|
||||
|
||||
describe "DSL with version: when profiles are dependent on different versions of same profile" do
|
||||
let(:profile) { "#{profile_path}/git-fetcher/inheritance/child-profile-3" }
|
||||
let(:run_result) { run_inspec_process("exec #{profile}") }
|
||||
it "should evaluate all test controls of all versions correctly" do
|
||||
skip_windows!
|
||||
_(run_result.stderr).must_be_empty
|
||||
_(run_result.stdout).must_include "2.6.0"
|
||||
_(run_result.stdout).must_include "sshd-01"
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
if windows?
|
||||
|
|
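Review bot: The example is titled "should evaluate all test controls of all versions correctly", but the assertions only check that stdout contains "2.6.0" and "sshd-01", which says nothing about any other version and would still pass if the run printed those strings for an unrelated reason. Assert on something that distinguishes versions (for instance that "2.7.0" is absent, once a second version is part of the fixture) and check the exit code as well, so a failing run is not masked by a substring match.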