From 63e7eb53953baa956a0025e491b2f31cba06e149 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Wed, 22 Sep 2021 16:23:12 +0530 Subject: [PATCH 1/4] Fix opa_api and opa_cli resource to handle empty result Signed-off-by: Vasu1105 --- docs-chef-io/content/inspec/resources/opa_api.md | 7 +++++++ docs-chef-io/content/inspec/resources/opa_cli.md | 7 +++++++ lib/inspec/resources/opa.rb | 4 ++++ test/helpers/mock_loader.rb | 2 ++ test/unit/resources/opa_api_test.rb | 6 ++++++ test/unit/resources/opa_cli_test.rb | 6 ++++++ 6 files changed, 32 insertions(+) diff --git a/docs-chef-io/content/inspec/resources/opa_api.md b/docs-chef-io/content/inspec/resources/opa_api.md index 97d0192dc..e781d5f2d 100644 --- a/docs-chef-io/content/inspec/resources/opa_api.md +++ b/docs-chef-io/content/inspec/resources/opa_api.md @@ -50,6 +50,7 @@ An OPA query as a JSON data file or a string in JSON format. The following examples show how to use this Chef InSpec audit resource. describe opa_api(url: "localhost:8181/v1/data/example/allow", data: "input.json") do + its["result"] { shoule_not be nil } its(["result"]) { should eq true } its("allow") { should eq "true" } end @@ -62,6 +63,12 @@ For a full list of available matchers, please visit our [matchers page](/inspec/ ## Properties +### result + +The `result` property checks whether query output is nil. + + its('result') { should be nil } + ### allow The `allow` property checks if specific input is as per the policy defined in OPA. If `allow` is not defined in the policy file then this matcher will not work. diff --git a/docs-chef-io/content/inspec/resources/opa_cli.md b/docs-chef-io/content/inspec/resources/opa_cli.md index ee1bebdc4..d1ba4dfd0 100644 --- a/docs-chef-io/content/inspec/resources/opa_cli.md +++ b/docs-chef-io/content/inspec/resources/opa_cli.md 
@@ -59,6 +59,7 @@ This is the full path to the OPA binary or EXE file used for running the OPA CLI The following examples show how to use this Chef InSpec audit resource: describe opa_cli(query: "data.example.allow", policy: "example.rego", data: "input.json", opa_executable_path: "./opa") do + its["result"] { shoule_not be nil } its(["result", 0, "expressions", 0, "value"]) { should eq true } its("allow") { should eq "true" } end @@ -71,6 +72,12 @@ For a full list of available matchers, please visit our [matchers page](/inspec/ ## Properties +### result + +The `result` property checks whether query output is nil. + + its('result') { should be nil } + ### allow The `allow` property checks if specific input is as per the policy defined in OPA. If `allow` is not defined in the policy file then this matcher will not work. diff --git a/lib/inspec/resources/opa.rb b/lib/inspec/resources/opa.rb index c8e4cfe34..a8cd0a979 100644 --- a/lib/inspec/resources/opa.rb +++ b/lib/inspec/resources/opa.rb @@ -12,6 +12,10 @@ module Inspec::Resources super({ content: @content }) end + def result + @content == {} || @content["result"].empty? ? nil : @content + end + private def parse(content) diff --git a/test/helpers/mock_loader.rb b/test/helpers/mock_loader.rb index dc52ae331..61e882ddf 100644 --- a/test/helpers/mock_loader.rb +++ b/test/helpers/mock_loader.rb 
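Review bot: `@content["result"].empty?` in the new `result` method raises NoMethodError whenever the parsed output is non-empty but its "result" value does not respond to `empty?`. That includes a boolean, as in the `{"result": true}` shape implied by the docs example `its(["result"]) { should eq true }`, and a body with no "result" key at all. For an audit resource, this turns a policy decision into a control error instead of a pass or fail. Guarding only the emptiness check avoids that without reporting a body that lacks "result" as an empty result: `value = @content["result"]` followed by `@content == {} || (value.respond_to?(:empty?) && value.empty?) ? nil : @content`. The method returns the whole parsed document rather than the "result" value, so a comment such as `# nil when OPA returned no result, otherwise the full parsed output` would help; `parse` lies outside this hunk, so whether `@content` can be nil here is not visible.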
@@ -586,7 +586,9 @@ class MockLoader "semanage boolean -l -n" => cmd.call("semanage-boolean"), "Get-ChildItem -Path \"C:\\Program Files\\MongoDB\\Server\" -Name" => cmd.call("mongodb-version"), "opa eval -i 'input.json' -d 'example.rego' 'data.example.allow'" => cmd.call("opa-result"), + "opa eval -i 'input.json' -d 'example.rego' 'data.example.voilation'" => cmd.call("opa-empty-result"), "curl -X POST localhost:8181/v1/data/example/violation -d @v1-data-input.json -H 'Content-Type: application/json'" => cmd.call("opa-api-result"), + "curl -X POST localhost:8181/v1/data/example/violation -d @v1-data-input1.json -H 'Content-Type: application/json'" => cmd.call("opa-api-empty-result"), # ibmdb2 "/opt/ibm/db2/V11.5/bin/db2 attach to db2inst1; /opt/ibm/db2/V11.5/bin/db2 get database manager configuration" => cmd.call("ibmdb2_conf_output"), diff --git a/test/unit/resources/opa_api_test.rb b/test/unit/resources/opa_api_test.rb index f404e8876..fd10460dd 100644 --- a/test/unit/resources/opa_api_test.rb +++ b/test/unit/resources/opa_api_test.rb @@ -9,6 +9,12 @@ describe "Inspec::Resources::OpaApi" do _(resource.params["result"]).must_include "ci" end + it "verify opa api query result parsing when output is empty" do + resource = load_resource("opa_api", url: "localhost:8181/v1/data/example/violation", data: "v1-data-input1.json") + _(resource.result).must_be_nil + _(resource.params["result"]).must_equal([]) + end + it "fails when url or data is nil." do resource = load_resource("opa_api") _(resource.resource_failed?).must_equal true diff --git a/test/unit/resources/opa_cli_test.rb b/test/unit/resources/opa_cli_test.rb index 7d7df9f33..d22a7fdef 100644 --- a/test/unit/resources/opa_cli_test.rb +++ b/test/unit/resources/opa_cli_test.rb 
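Review bot: The new `opa eval` mock key spells the rule path `data.example.voilation`, while the curl mocks next to it use `violation`. The query in test/unit/resources/opa_cli_test.rb repeats the same spelling, so the test passes only because both sides share the typo; `'data.example.violation'` in both places would read better. If the misspelling is deliberate, to show that a rule path which does not exist produces the `{}` fixture and therefore a nil `result`, a comment saying so is worth adding. A control written as `its('result') { should be nil }` cannot tell "no violations" from "the queried rule is undefined", and profile authors should know that.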
@@ -9,6 +9,12 @@ describe "Inspec::Resources::OpaCli" do _(resource.allow).must_equal false end + it "verify opa eval query result parsing when output is empty" do + resource = load_resource("opa_cli", policy: "example.rego", data: "input.json", query: "data.example.voilation") + _(resource.result).must_be_nil + _(resource.params).must_equal({}) + end + it "fails when policy, data or query is nil." do resource = load_resource("opa_cli") _(resource.resource_failed?).must_equal true From 2b9bef28cb93d6ef6100ec01aae0418057782db5 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Wed, 22 Sep 2021 16:27:15 +0530 Subject: [PATCH 2/4] test fixturs files for opa_api and opa_cli resource Signed-off-by: Vasu1105 --- test/fixtures/cmd/opa-api-empty-result | 1 + test/fixtures/cmd/opa-empty-result | 1 + 2 files changed, 2 insertions(+) create mode 100644 test/fixtures/cmd/opa-api-empty-result create mode 100644 test/fixtures/cmd/opa-empty-result diff --git a/test/fixtures/cmd/opa-api-empty-result b/test/fixtures/cmd/opa-api-empty-result new file mode 100644 index 000000000..ec1b73f97 --- /dev/null +++ b/test/fixtures/cmd/opa-api-empty-result @@ -0,0 +1 @@ +{"result": []} diff --git a/test/fixtures/cmd/opa-empty-result b/test/fixtures/cmd/opa-empty-result new file mode 100644 index 000000000..0967ef424 --- /dev/null +++ b/test/fixtures/cmd/opa-empty-result @@ -0,0 +1 @@ +{} From bfd59c1b14d9d593de7dc2ed9ccc8255caf553e5 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Thu, 23 Sep 2021 15:19:09 +0530 Subject: [PATCH 3/4] Fixed docs review comments Signed-off-by: Vasu1105 --- docs-chef-io/content/inspec/resources/opa_api.md | 4 ++-- docs-chef-io/content/inspec/resources/opa_cli.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/docs-chef-io/content/inspec/resources/opa_api.md b/docs-chef-io/content/inspec/resources/opa_api.md index e781d5f2d..7728d936c 100644 --- a/docs-chef-io/content/inspec/resources/opa_api.md +++ b/docs-chef-io/content/inspec/resources/opa_api.md 
@@ -50,7 +50,7 @@ An OPA query as a JSON data file or a string in JSON format. The following examples show how to use this Chef InSpec audit resource. describe opa_api(url: "localhost:8181/v1/data/example/allow", data: "input.json") do - its["result"] { shoule_not be nil } + its("result") { shoule_not be nil } its(["result"]) { should eq true } its("allow") { should eq "true" } end @@ -65,7 +65,7 @@ For a full list of available matchers, please visit our [matchers page](/inspec/ ### result -The `result` property checks whether query output is nil. +The `result` property checks whether the resource query returns an empty result. its('result') { should be nil } diff --git a/docs-chef-io/content/inspec/resources/opa_cli.md b/docs-chef-io/content/inspec/resources/opa_cli.md index d1ba4dfd0..ac8e095d7 100644 --- a/docs-chef-io/content/inspec/resources/opa_cli.md +++ b/docs-chef-io/content/inspec/resources/opa_cli.md @@ -59,7 +59,7 @@ This is the full path to the OPA binary or EXE file used for running the OPA CLI The following examples show how to use this Chef InSpec audit resource: describe opa_cli(query: "data.example.allow", policy: "example.rego", data: "input.json", opa_executable_path: "./opa") do - its["result"] { shoule_not be nil } + its("result") { shoule_not be nil } its(["result", 0, "expressions", 0, "value"]) { should eq true } its("allow") { should eq "true" } end @@ -74,7 +74,7 @@ For a full list of available matchers, please visit our [matchers page](/inspec/ ### result -The `result` property checks whether query output is nil. +The `result` property checks whether the resource query returns an empty result. its('result') { should be nil } From 04c1af6a24ae4fb7db1d151ca8a5a0844f9a1b68 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Tue, 28 Sep 2021 12:13:18 +0530 Subject: [PATCH 4/4] Fixed lint Signed-off-by: Vasu1105 --- lib/inspec/resources/opa.rb | 1 - test/unit/resources/opa_api_test.rb | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) 
diff --git a/lib/inspec/resources/opa.rb b/lib/inspec/resources/opa.rb index a8cd0a979..ad1200de2 100644 --- a/lib/inspec/resources/opa.rb +++ b/lib/inspec/resources/opa.rb @@ -6,7 +6,6 @@ module Inspec::Resources supports platform: "unix" supports platform: "windows" - attr_reader :result def initialize(content) @content = content super({ content: @content }) diff --git a/test/unit/resources/opa_api_test.rb b/test/unit/resources/opa_api_test.rb index fd10460dd..75e4700e2 100644 --- a/test/unit/resources/opa_api_test.rb +++ b/test/unit/resources/opa_api_test.rb @@ -10,7 +10,7 @@ describe "Inspec::Resources::OpaApi" do end it "verify opa api query result parsing when output is empty" do - resource = load_resource("opa_api", url: "localhost:8181/v1/data/example/violation", data: "v1-data-input1.json") + resource = load_resource("opa_api", url: "localhost:8181/v1/data/example/violation", data: "v1-data-input1.json") _(resource.result).must_be_nil _(resource.params["result"]).must_equal([]) end