From a5932b7da7a15f296934450c2645572850e1928b Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Thu, 18 Mar 2021 21:37:48 +0530 Subject: [PATCH] Fixes 5215: While using --controls options the control block was also getting evaluated as filtering of the control was happening after evaluating so added the filter logic in the control_eval_context. Also when we have describe block outside control block we are we generating a control for them automatically and then execute due that also becomes a control and has to add same logic to filter the control in that mehtod Signed-off-by: Vasu1105 --- lib/inspec/control_eval_context.rb | 35 +++++++++++++----- .../controls-option-test/controls/example.rb | 36 +++++++++++++++++++ test/functional/inspec_exec_test.rb | 1 - 3 files changed, 63 insertions(+), 9 deletions(-) diff --git a/lib/inspec/control_eval_context.rb b/lib/inspec/control_eval_context.rb index f785225d1..c748a7975 100644 --- a/lib/inspec/control_eval_context.rb +++ b/lib/inspec/control_eval_context.rb @@ -53,13 +53,9 @@ module Inspec def control(id, opts = {}, &block) opts[:skip_only_if_eval] = @skip_only_if_eval - - id_exist_in_list = @conf["profile"].include_controls_list.any? do |inclusion| - # Try to see if the inclusion is a regex, and if it matches - inclusion == id || (inclusion.is_a?(Regexp) && inclusion =~ id) - end - - if id_exist_in_list || @conf["profile"].include_controls_list.empty? + if control_exist_in_controls_list?(id) + register_control(Inspec::Rule.new(id, profile_id, resources_dsl, opts, &block)) + elsif control_list_empty? register_control(Inspec::Rule.new(id, profile_id, resources_dsl, opts, &block)) end end 
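Review bot: Both arms of the new `if`/`elsif` in `control` make the identical call `register_control(Inspec::Rule.new(id, profile_id, resources_dsl, opts, &block))`, and the same duplicated shape recurs around `register_control(rule, &block)` in the `describe` hunk. A single condition keeps the two copies from drifting apart: `if control_list_empty? || control_exist_in_controls_list?(id)`. Since the point of the fix is that an unselected control's `Inspec::Rule` is never built, a one-line comment above the condition would record that intent, for example `# Filter before building the Rule so unselected control blocks are never evaluated`.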
@@ -75,11 +71,16 @@ module Inspec id = "(generated from #{loc} #{SecureRandom.hex})" res = nil + rule = Inspec::Rule.new(id, profile_id, resources_dsl, {}) do res = describe(*args, &block) end - register_control(rule, &block) + if control_exist_in_controls_list?(id) + register_control(rule, &block) + elsif control_list_empty? + register_control(rule, &block) + end res end @@ -183,5 +184,23 @@ module Inspec "#{File.basename(path)}:#{line}" end end + + def profile_config_exist? + !@conf.empty? && @conf.key?("profile") && !@conf["profile"].include_controls_list.empty? + end + + def control_list_empty? + !@conf.empty? && @conf.key?("profile") && @conf["profile"].include_controls_list.empty? || @conf.empty? + end + + def control_exist_in_controls_list?(id) + if profile_config_exist? + id_exist_in_list = @conf["profile"].include_controls_list.any? do |inclusion| + # Try to see if the inclusion is a regex, and if it matches + inclusion == id || (inclusion.is_a?(Regexp) && inclusion =~ id) + end + end + id_exist_in_list + end end end diff --git a/test/fixtures/profiles/controls-option-test/controls/example.rb b/test/fixtures/profiles/controls-option-test/controls/example.rb index fb00d3fdc..948b97d6c 100644 --- a/test/fixtures/profiles/controls-option-test/controls/example.rb +++ b/test/fixtures/profiles/controls-option-test/controls/example.rb 
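Review bot: In `describe`, the id handed to `control_exist_in_controls_list?` is the generated string `"(generated from #{loc} #{SecureRandom.hex})"`, so a Regexp inclusion is matched against a file name, a line number and random hex. An unanchored pattern (constructed example: `/11/`) can therefore select a bare `describe` block on one run and skip it on the next, which makes a compliance scan non-reproducible. A generated id can never equal a string inclusion, so registering only when no filter is set is the deterministic choice: `register_control(rule, &block) if control_list_empty?`. If matching against generated ids is intended, a comment saying so would help; the `describe` method itself begins above this hunk.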
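Review bot: When `@conf` is non-empty but has no `"profile"` key, `profile_config_exist?` and `control_list_empty?` both return false, so `control` and `describe` register nothing and the run reports zero controls instead of failing. Whether `@conf` can reach this class in that state is not visible here, but a scanner that silently evaluates nothing is the risky direction to fail in. Reading the list through one helper removes that gap and the triple repetition of `!@conf.empty? && @conf.key?("profile")`. The name `profile_config_exist?` is also misleading, because it additionally requires a non-empty list. The sketch below treats a missing profile as "no filter"; raise instead if that state should be an error. These methods are appended to a class that starts outside the hunk.

```ruby
    # ... unchanged: rest of the class ...

    # Inclusion filters from --controls; empty when no profile config is present.
    def controls_filter
      return [] if @conf.empty? || !@conf.key?("profile")

      @conf["profile"].include_controls_list
    end

    def control_list_empty?
      controls_filter.empty?
    end

    def control_exist_in_controls_list?(id)
      controls_filter.any? do |inclusion|
        # An inclusion is either an exact id or a Regexp to match against the id
        inclusion == id || (inclusion.is_a?(Regexp) && inclusion =~ id)
      end
    end
```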
@@ -30,4 +30,40 @@ control "11_pass2" do describe 'a thing' do it { should cmp 'a thing' } end +end + +describe 'a thing' do + it { should cmp 'a thing' } +end + +describe.one do + describe 'ConfigurationA' do + it { should cmp 'a thing' } + end + + describe 'ConfigurationB' do + it { should cmp 'a thing' } + end +end + +title '/ profile' + +# you add controls here +control 'tmp-1.0' do # A unique ID for this control + impact 0.7 # The criticality, if this control fails. + title 'Create / directory' # A human-readable title + desc 'An optional description...' # Describe why this is needed + desc 'label', 'An optional description with a label' # Pair a part of the description with a label + tag data: 'temp data' # A tag allows you to associate key information + tag 'security' # to the test + ref 'Document A-12', url: 'http://...' # Additional references + + describe file('/') do # The actual test + it { should be_directory } + end +end + +# you can also use plain tests +describe file('/') do + it { should be_directory } end \ No newline at end of file diff --git a/test/functional/inspec_exec_test.rb b/test/functional/inspec_exec_test.rb index 3198805c9..8816c6a23 100644 --- a/test/functional/inspec_exec_test.rb +++ b/test/functional/inspec_exec_test.rb @@ -192,7 +192,6 @@ Test Summary: 0 successful, 0 failures, 0 skipped inspec("exec " + File.join(profile_path, "controls-option-test") + " --no-create-lockfile --controls '/^11/'") _(out.stdout).must_include "11_pass" _(out.stdout).must_include "11_pass2" - _(out.stdout).wont_include "foo" _(out.stdout).wont_include "bar" _(out.stdout).wont_include "baz" _(stderr).must_equal ""
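Review bot: Nothing in this patch asserts that the bare `describe` blocks, the `describe.one` group and the `tmp-1.0` control added to this fixture are skipped under `--controls '/^11/'`; the only change to `inspec_exec_test.rb` removes `_(out.stdout).wont_include "foo"`. A negative assertion such as `_(out.stdout).wont_include "tmp-1.0"`, plus a case that filters by an exact id, would pin the behaviour the commit message describes. The reason for dropping the `"foo"` assertion is not stated in the commit message, and one line explaining it would help, since removing a `wont_include` weakens the test.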