Merge pull request #5671 from inspec/vasundhara/fix-opa-resources

Fix opa_cli and opa_api resource unable to verify empty result {}

docs-chef-io/content/inspec/resources/opa_api.md

@@ -50,6 +50,7 @@ An OPA query as a JSON data file or a string in JSON format.
 The following examples show how to use this Chef InSpec audit resource.
 
     describe opa_api(url: "localhost:8181/v1/data/example/allow", data: "input.json") do
+      its("result") { shoule_not be nil }
       its(["result"]) { should eq true }
       its("allow") { should eq "true" }
     end
@@ -62,6 +63,12 @@ For a full list of available matchers, please visit our [matchers page](/inspec/
 
 ## Properties
 
+### result
+
+The `result` property checks whether the resource query returns an empty result.
+
+    its('result') { should be nil }
+
 ### allow
 
 The `allow` property checks if specific input is as per the policy defined in OPA. If `allow` is not defined in the policy file then this matcher will not work.

docs-chef-io/content/inspec/resources/opa_cli.md

@@ -59,6 +59,7 @@ This is the full path to the OPA binary or EXE file used for running the OPA CLI
 The following examples show how to use this Chef InSpec audit resource:
 
     describe opa_cli(query: "data.example.allow", policy: "example.rego", data: "input.json", opa_executable_path: "./opa") do
+      its("result") { shoule_not be nil }
       its(["result", 0, "expressions", 0, "value"]) { should eq true }
       its("allow") { should eq "true" }
     end
@@ -71,6 +72,12 @@ For a full list of available matchers, please visit our [matchers page](/inspec/
 
 ## Properties
 
+### result
+
+The `result` property checks whether the resource query returns an empty result.
+
+    its('result') { should be nil }
+
 ### allow
 
 The `allow` property checks if specific input is as per the policy defined in OPA. If `allow` is not defined in the policy file then this matcher will not work.

lib/inspec/resources/opa.rb

@@ -6,12 +6,15 @@ module Inspec::Resources
     supports platform: "unix"
     supports platform: "windows"
 
-    attr_reader :result
     def initialize(content)
       @content = content
       super({ content: @content })
     end
 
+    def result
+      @content == {} || @content["result"].empty? ? nil : @content
+    end
+
     private
 
     def parse(content)

test/fixtures/cmd/opa-api-empty-result

@@ -0,0 +1 @@
+{"result": []}

test/fixtures/cmd/opa-empty-result

@@ -0,0 +1 @@
+{}

test/helpers/mock_loader.rb

@@ -586,7 +586,9 @@ class MockLoader
       "semanage boolean -l -n" => cmd.call("semanage-boolean"),
       "Get-ChildItem -Path \"C:\\Program Files\\MongoDB\\Server\" -Name" => cmd.call("mongodb-version"),
       "opa eval -i 'input.json' -d 'example.rego' 'data.example.allow'" => cmd.call("opa-result"),
+      "opa eval -i 'input.json' -d 'example.rego' 'data.example.voilation'" => cmd.call("opa-empty-result"),
       "curl -X POST localhost:8181/v1/data/example/violation -d @v1-data-input.json -H 'Content-Type: application/json'" => cmd.call("opa-api-result"),
+      "curl -X POST localhost:8181/v1/data/example/violation -d @v1-data-input1.json -H 'Content-Type: application/json'" => cmd.call("opa-api-empty-result"),
 
       # ibmdb2
       "/opt/ibm/db2/V11.5/bin/db2 attach to db2inst1; /opt/ibm/db2/V11.5/bin/db2 get database manager configuration" => cmd.call("ibmdb2_conf_output"),

test/unit/resources/opa_api_test.rb

@@ -9,6 +9,12 @@ describe "Inspec::Resources::OpaApi" do
     _(resource.params["result"]).must_include "ci"
   end
 
+  it "verify opa api query result parsing when output is empty" do
+    resource = load_resource("opa_api", url: "localhost:8181/v1/data/example/violation", data: "v1-data-input1.json")
+    _(resource.result).must_be_nil
+    _(resource.params["result"]).must_equal([])
+  end
+
   it "fails when url or data is nil." do
     resource = load_resource("opa_api")
     _(resource.resource_failed?).must_equal true

test/unit/resources/opa_cli_test.rb

@@ -9,6 +9,12 @@ describe "Inspec::Resources::OpaCli" do
     _(resource.allow).must_equal false
   end
 
+  it "verify opa eval query result parsing when output is empty" do
+    resource = load_resource("opa_cli", policy: "example.rego", data: "input.json", query: "data.example.voilation")
+    _(resource.result).must_be_nil
+    _(resource.params).must_equal({})
+  end
+
   it "fails when policy, data or query is nil." do
     resource = load_resource("opa_cli")
     _(resource.resource_failed?).must_equal true