Commit graph

93 commits

Author SHA1 Message Date
Dominik Richter
a0e8be2568 bugfix: non-url servers with compliance login
Non-url URIs may have lead to broader crashes than initially fixed. Overwrite all URL resolvers in the plugin to work with these non-schema URLs.

Fixes #1473

Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
2017-05-30 12:04:21 -04:00
Adam Leff
266f061b9e Habitat Profiles: redirect stderr to stdout
Due to habitat-sh/habitat#2395, we shouldn't try to log stderr output
to a file for now. While this makes for a less-than-awesome UX, it's
better than a process locking up due to a buffer filling up!

This change redirects stderr from InSpec to stdout and adds some
helpful troubleshooting messages. Should InSpec be able to generate
unique exit codes for when controls fail (vs. a Ruby eval failure)
then we can fix this up some more, too.

Signed-off-by: Adam Leff <adam@leff.co>
2017-05-29 15:31:26 -04:00
Adam Leff
88581ae3dd
Raise exception if profile target URL cannot be parsed
When attempting to parse the profile out of the target URL, we
were not raising an exception if we failed to do so. Such a situation
could arise if a user's inspec config.json is incorrect either due to
manual editing or failure to re-login after an upgrade past Automate
0.8.0.

This change provides a clear exception if this occurs and also adds
tests for the compliance_profile_name method.

Signed-off-by: Adam Leff <adam@leff.co>
2017-05-26 14:30:37 -05:00
Adam Leff
81bfdf2d55
Fix is_automate_server_080_and_later? call
Method name was incorrect (missing `?`) and also was missing
the required config parameter.

Signed-off-by: Adam Leff <adam@leff.co>
2017-05-19 21:07:58 -04:00
Seth Thomas
9f30fe1726 Fixing typo on method name
Signed-off-by: Seth Thomas <sthomas@chef.io>
2017-05-19 19:58:46 -04:00
Christoph Hartmann
5cc288d5df support new automate 0.8.0
Signed-off-by: Christoph Hartmann <chris@lollyrock.com>
2017-05-17 15:02:08 +02:00
Elliott Davis
31645968e2 Update hab exporter to use inspec in path over calling to hab sup
Signed-off-by: Elliott Davis <edavis@chef.io>
2017-05-09 20:09:33 -05:00
Ryan Hass
99ebae186b Fix exit status check in hab run hook generator.
The exit status would never return "InSpec run completed successfully"
since the value of $RC was always an integer which never was prefixed
with an "x". This checks the return directly since we currently do not
have any complex logic which warrants the need to check different
return status values where a prefixed return code is necessary.

Signed-off-by: Ryan Hass <rhass@users.noreply.github.com>
2017-04-28 11:54:13 -07:00
Ryan Hass
4622de7a28 Update habitat plan and hook generators
* Fixed bug with install step where profile would include the .hart
  files from previous builds.
* Updated the generated plan to support plan.sh syntax changes in
  habitat 0.21.0 and later by removing the `pkg_source` and the
  `do_download`, `do_verify`, and `do_unpack` overrides.
* Updated the generate run hook to leverage habitat to perform most of
  the origin, package name, and path variable interpolations.

Signed-off-by: Ryan Hass <rhass@users.noreply.github.com>
2017-04-28 09:31:11 -07:00
Adam Leff
7a71719f13 Move Habitat sleep time to config file
Because the sleep_time is not written to a config file but instead
only rendered into the run hook, hab-sup doesn't restart the running
process upon any config updates. This change moves the sleep_time to
a settings config file which is read in by the run hook. This will
allow Habitat to restart the InSpec process whenever a user changes
the sleep time.

I also cleaned up the non-zero exit error message to give the user
a better indication as to why the run may have "failed."

Signed-off-by: Adam Leff <adam@leff.co>
2017-04-14 12:01:25 -04:00
Christoph Hartmann
effd0dd9f8 harmonize compliance profiles view with supermarket views (#1654)
* harmonize profiles view with supermarket plugin

Signed-off-by: Christoph Hartmann <chris@lollyrock.com>
2017-04-13 11:24:17 -04:00
Adam Leff
9b472e1b59
Habitat packages should run as root
Many InSpec resources require root access to properly scan. Let's
default the run user to root until we need to accommodate different
options.

Signed-off-by: Adam Leff <adam@leff.co>
2017-04-13 10:34:47 -04:00
Jeremy J. Miller
735b67ab8a allow Automate profile dependencies
Signed-off-by: Jeremy J. Miller <jm@chef.io>
2017-04-11 16:45:24 -04:00
Ryan Larson
0e187f6117 Feature/fix ability to pass in supermarket url (#1595)
* Enable customization of supermarket_url

It looks like this was originally supposed to work, but at some point
the default value was put in the method body rather than in the method
parameters.

This change allows you to configure the supermarket_url in test kitchen
like so:

```
verifier:
  inspec_tests:
  - name: linux-hardening
    supermarket: som3guy/apache-disa-stig
    supermarket_url: https://my.supermarket.com
```

Signed-off-by: Ryan Larson <ryan.mango.larson@gmail.com>
2017-03-29 12:42:24 -04:00
Adam Leff
e1c664272e Break out profile vendor activities into separate class
Per PR feedback, `Inspec::ProfileVendor` is created to centralize
the logic and data of vendoring profile dependencies. The `BaseCLI`
class and the `Habitat::Profile` class have been modified to use it

Signed-off-by: Adam Leff <adam@leff.co>
2017-03-29 10:22:20 +02:00
Adam Leff
8269d0da9e Support vendored profiles in Habitat-packaged profiles
This change adds support in Habitat-packaged profiles for
profiles that depend on other profiles. When `inspec habitat
profile create` or `inspec habitat profile upload` is run,
it will see if the profile's dependencies have been vendored
yet, and if not, it will vendor them before creating the
habitat artifact.

For the git and URL fetchers, more explicit creation of the
target directories for the vendored profiles is done. This
is implicitly done via normal CLI interactions a user may
go through, but in our case, we want to ensure those directories
are there before the fetchers try to write out content.

By adding this support, we also fix a bug experienced in Habitat
where a profile that was packaged before an `inspec exec` was run
for the profile would cause a failure in Habitat. This is caused
by `inspec exec` doing a vendor of the dependencies if necessary
and generating the inspec.lock file. In Habitat, the package dir
is not writable by the hab user and InSpec would fail to run due
to an inability to write out an inspec.lock.

Signed-off-by: Adam Leff <adam@leff.co>
2017-03-29 10:22:20 +02:00
Adam Leff
90b0ce08c5 Remove errant puts in inspec habitat CLI command
Left a `puts` behind during some testing that made its way into
a PR. Removing it!

Signed-off-by: Adam Leff <adam@leff.co>
2017-03-28 22:57:08 +02:00
Adam Leff
9550137605 Write Habitat-driven InSpec output to svc_var directory
When running a InSpec profile built with Habitat, we now
write the formatter/reporter data to a JSON file in the
pkg.svc_var_path rather than STDOUT. This will allow for
programmatic collection of this data and future enhancements
to allow this data to be passed around a Habitat ring.

This also corrects an issue creating a Habitat profile if the
profile had never been in the local InSpec cache. By setting a
mock Backend when creating the profile object, similarly to what
the archivers do, this issue is avoided.

Signed-off-by: Adam Leff <adam@leff.co>
2017-03-02 17:45:16 -05:00
Christoph Hartmann
71cc62c757 use -- for description of inspec login_automate
Signed-off-by: Christoph Hartmann <chris@lollyrock.com>
2017-03-02 12:30:33 +01:00
Adam Leff
0342cca62e Adding a Habitat profile artifact creator
Two new commands have been created:

 * inspec habitat profile create /path/to/profile
 * inspec habitat profile upload /path/to/profile

The `create` command creates a Habitat artifact that contains the contents
of the Habitat profile found at the provided path. This will be used later
in some Habitat + InSpec integrations.

The `upload` command does the same create process but then uploads the
resulting artifact to the Habitat Depot.

Signed-off-by: Adam Leff <adam@leff.co>
2017-02-23 18:25:22 -05:00
Dominik Richter
b86201d6df Merge pull request #1478 from chef/tduffield/relax-rubocop-pin
Use RuboCop 0.39.0 (same as chefstyle)
2017-02-09 00:09:48 +01:00
Tom Duffield
1ea83f526c Address rubocop violations
Signed-off-by: Tom Duffield <tom@chef.io>
2017-02-08 16:49:16 -06:00
Dominik Richter
d4243b3558 map url to https for compliance plugin
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
2017-02-08 23:29:58 +01:00
Dominik Richter
8c48e81b10 bugfix: warn users about insecure login requirements
Fixes https://github.com/chef/inspec/issues/1469

Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
2017-02-08 08:47:31 +01:00
Montague, Brent
463f3ff09f Refactor after revisions requested from @chris-rock
Signed-off-by: Montague, Brent <brent@bmontague.com>
2017-01-25 14:33:34 -05:00
Montague, Brent
caa554b467 Updated compliance api requests to actually use refresh token correctly
We do not store a token in the config file but rather generate one on
each commmand.  This is just a first pass and needs some work.

Signed-off-by: Montague, Brent <brent@bmontague.com>
2017-01-25 14:33:34 -05:00
Christoph Hartmann
8015f1191c implement download of profiles
Signed-off-by: Christoph Hartmann <chris@lollyrock.com>
2017-01-05 13:31:36 +01:00
Christoph Hartmann
fc6ab8d6f9 print name for supermarket profiles 2016-12-22 09:48:53 +01:00
Christoph Hartmann
7a0aa49986 use cached profile for compliance dependencies if vendored
Signed-off-by: Christoph Hartmann <chris@lollyrock.com>
2016-12-08 10:11:55 +00:00
Victoria Jeffrey
0991cd142f move vendor_deps to base_cli
Signed-off-by: Victoria Jeffrey <vjeffrey@chef.io>
2016-12-01 15:29:47 +01:00
Victoria Jeffrey
b110c1fba5 Vendor profile when uploading to chef-compliance
Signed-off-by: Victoria Jeffrey <vjeffrey@chef.io>
2016-11-30 18:24:12 +01:00
Victoria Jeffrey
d8b512ec8c refactor headers retrieval into get_headers method
Signed-off-by: Victoria Jeffrey <vjeffrey@chef.io>
2016-11-30 18:10:33 +01:00
Victoria Jeffrey
60009b292b address comments
Signed-off-by: Victoria Jeffrey <vjeffrey@chef.io>
2016-11-30 13:27:50 +01:00
Victoria Jeffrey
bdf5eae15e Extend inspec compliance cli to support automate backend
Signed-off-by: Victoria Jeffrey <vjeffrey@chef.io>
2016-11-30 13:27:50 +01:00
Robb Kidd
ae474b894e update supermarket profile search to use new type param
Reverts the work-around that pulls down the latest 100 tools
and filters for type == 'compliance_profile' in the client.

Go back to using tool-search with the new type parameter.

Omit start:0 because that's the default.

Keep the number of items returned at 100, which is more than the
default 10.

Signed-off-by: Robb Kidd <robb@thekidds.org>
2016-11-12 15:45:19 -05:00
Jerry Aldrich III
cafa35e5ce Change Inpsec to Inspec
Signed-off-by: Jerry Aldrich III <jerry@chef.io>
2016-11-08 11:20:32 -06:00
Dave Parfitt
51378d326b adds profile signing/verification
Signed-off-by: Dave Parfitt <dparfitt@chef.io>
2016-10-27 14:44:10 +02:00
Alex Pop
d40ee684f8 supermarket tools get and filter by tool_type (#1254)
Signed-off-by: Alex Pop <apop@chef.io>
2016-10-26 15:42:43 +02:00
Steven Danna
76ef897d80 Improve error messages from compliance fetcher
Signed-off-by: Steven Danna <steve@chef.io>
2016-09-26 01:57:58 +02:00
Alex Pop
624849d418 removed unsupported legacy login and replaced it with the current username/password login option. a bit of refactoring around error checking and error/success output content 2016-09-19 23:08:42 +02:00
Steven Danna
4d2d0f2b67
Typo supermarket -> compliance
Signed-off-by: Steven Danna <steve@chef.io>
2016-09-09 14:46:36 +01:00
Steven Danna
120b3d895a
Allow supermarket:// and compliance:// in inspec.yml
Signed-off-by: Steven Danna <steve@chef.io>
2016-09-09 14:14:37 +01:00
Steven Danna
85cbe713d7
Add GitFetcher and rework Fetchers+SourceReaders
This adds a new git fetcher. In doing so, it also refactors how the
fetchers work a bit to better support fetchers that need to resolve
user-provided sources to fully specified sources appropriate for a
lockfile.

Signed-off-by: Steven Danna <steve@chef.io>
2016-09-09 14:14:36 +01:00
Alex Pop
8dcd71374b Raise error when an invalid URI is received 2016-09-05 14:44:01 +01:00
Kartik Null Cating-Subramanian
1243d9475d Rubocoooop! 2016-08-25 14:22:15 -04:00
Kartik Null Cating-Subramanian
33ae22d313 Support controls and describe blocks in InSpec shell 2016-08-19 19:07:23 +02:00
Christoph Hartmann
af04a0f5ba implement workaround for thor 2016-08-18 20:50:49 +02:00
Victoria Jeffrey
b98c3e243e give accurate information for inspec compliance login --help 2016-08-18 20:00:27 +02:00
Christoph Hartmann
cf784ded7c update exit codes 2016-08-18 19:40:08 +02:00
Victoria Jeffrey
c3d245fafd fail gracefully on inspec compliance profiles when bad token is provided 2016-08-18 19:35:29 +02:00