Commit graph

114 commits

Author SHA1 Message Date
Jared Quick
457a33a2b3 Fix bundle exec calls (#2670)
* Fix bundle exec calls and add test.

Signed-off-by: Jared Quick <jquick@chef.io>

* Add exit check for supermarket exec.

Signed-off-by: Jared Quick <jquick@chef.io>
2018-02-17 16:49:52 +01:00
Jerry Aldrich
84817366a1 Remove deprecations for InSpec 2.0 (#2506)
* Add `release-2.0` target branch to AppVeyor/Travis (#2510)

Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>

* simpleconfig: Remove deprecated config keys

Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>

* cli (exec): Remove `--cache` command line argument

Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>

* platform: Remove lowercase os name protection

Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>

* matcher: Remove `contain_legacy_plus` matcher

Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>

* matcher: Remove `contain_match` matcher

Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>

* matcher: Remove `with_version` matcher

Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>

* matcher: Remove `belong_to_group` matcher

Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>

* matcher: Remove `belong_to_primary_group` matcher

Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>

* matcher: Remove `contain` matcher

Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>

* passwd: Remove deprecated properties

This removes:
  - `passwd.count`
  - `passwd.username`
  - `passwd.usernames`
  - `passwd.uid`

Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>

* auditd_rules: Remove in favor of `auditd` resource

Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>

* cli: Remove `login_automate` command

Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>

* Remove `resource_skipped` message method

Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
2018-02-08 11:05:21 +01:00
Jerry Aldrich
a3c993fe18 Fix OWCA detection for compliance login (#2401)
* Add handling for OWCA login via `compliance login`

OpsWorks Chef Automate currently returns a 200 for the
`/compliance/version` endpoint and redirects to the Chef Manage page.

This adds support to `inspec compliance login` to accept this as valid
behavior and continue with the login.

Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>

* Add test case for 200 response but no Chef Manage

Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>

* Add debug info and split `determine_server_type`

Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>

* Appease RuboCop

Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>

* Remove forced returns from `determine_server_type`

Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>

* Add `false` code path for non-200/non-401 response

Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>

* Reword debug messages

Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
2017-12-22 15:01:18 +01:00
Adam Leff
a18441f86e Rubocop: disable GuardClause and ClassLength (#2382)
Neither of these cops is helping us write good code, and GuardClause
specifically is actually contributing to us writing sometimes-unclear
code. Disabling both of these cops and removing all unnecessary disable
decorators in the codebase.

Signed-off-by: Adam Leff <adam@leff.co>
2017-12-07 20:22:55 +01:00
Adam Leff
4b9acb4800 Bump Rubocop to 0.49.1 (#2323)
* Bump Rubocop to 0.49.1

This change bumps Rubocop to 0.49.1. There have been a lot of changes
since 0.39.0 and this PR is hopefully a nice compromise of turning off
certain cops and updating our codebase to take advantage of new Ruby
2.3 methods and operators.

Signed-off-by: Adam Leff <adam@leff.co>

* Set end-of-line format to line-feed only, avoid Windows-related CRLF issues

Signed-off-by: Adam Leff <adam@leff.co>
2017-11-21 08:49:41 +01:00
Adam Leff
dde4a116d6
Update Rubocop to TargetRubyVersion 2.3 (#2311)
Bumps the Rubocop engine to use 2.3 and addresses the big changes
between 2.0 and 2.3.

Signed-off-by: Adam Leff <adam@leff.co>
2017-11-16 11:26:19 -05:00
Adam Leff
9e9025c138 Switch to tomlrb for TOML parsing (#2295)
The `toml` gem has a very strict version dependency on an old version
of parslet. This change switches us to use `tomlrb` instead which has
no direct dependencies. This will allow us to bump up to a later version
of parslet that has better error handling and insight into parser errors.

Signed-off-by: Adam Leff <adam@leff.co>
2017-11-08 11:41:00 +01:00
Dominik Richter
eb729c4034 allow users to specify user/namespace when fetching profiles from Chef Automate (#2275)
* allow users to configure the profiles namespace

By default it uses the username of the user that is logged into the system. However, the user can now specify the `--user` on the cli to list profiles from a user other than his own domain.

Signed-off-by: Dominik Richter <dominik.richter@gmail.com>

* allow users to provide owner for profile listing and uploading

Signed-off-by: Christoph Hartmann <chris@lollyrock.com>

* use config only

Signed-off-by: Christoph Hartmann <chris@lollyrock.com>
2017-11-07 14:01:55 -05:00
Jerry Aldrich III
94a79b2fc7 Force https scheme for inspec compliance login (#2268)
This allows a user to specify an Automate server without prepending
`https://`. Without this, anything using the `url` fetcher will fail
because `open` doesn't interpret the argument as a URL.

Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
2017-10-27 10:32:52 +02:00
Jerry Aldrich III
91403d8c81 Add Chef Automate support to inspec compliance login (#2203)
* Merge `login` and `login_automate` commands

This provides a single interface for logging into either Chef Automate
or Chef Compliance servers. Server type is evaluated at run time via
HTTP responses from designated endpoints.

This also moves the login logic from `Compliance::ComplianceCLI` to a
separate set of modules in `Compliance::API`. This removes logic from
Thor and allows for more in depth Unit testing.

Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>

* Remove empty line below class definition

Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>

* Add message to `raise CannotDetermineServerType`

Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>

* Refactor `token_info` assignment

Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>

* Remove unnecessary rubocop disable

Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>

* Modify `Login` module namespacing

Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>

* Remove mentions of login_automate and --usertoken

Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>

* Modify `determine_server_type` to return a symbol

Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>

* Add support for `login_automate` and `--usertoken`

Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>

* Fix encoding typo

Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>

* Address PR feedback

This does the following:
  - Moves `CannotDetermineServerType` error to `.login`
  - Changes methods that store configuration to return the configuration
  - Moves user output to one location in `.login`
  - Makes other small improvements

Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
2017-10-26 17:32:47 +02:00
Adam Leff
3c3cb741ff Add inspec habitat profile setup command (#2239)
Introduces a new `inspec habitat profile setup` command
which will set up an existing profile repository with all
the files necessary to build a Habitat package. This will
prime a repository to be used by the Habitat Builder service.

Signed-off-by: Adam Leff <adam@leff.co>
2017-10-17 14:53:41 +02:00
Nathen Harvey
05ac2724ec Update the profile tempate (#2238)
* Remove a broken link.

Signed-off-by: Nathen Harvey <nharvey@chef.io>

* It is now 2017

While the content in this file was actually written in 2015, this
example is meant to be overwritten and is generated by the user in the
current year.

Signed-off-by: Nathen Harvey <nharvey@chef.io>
2017-10-11 14:31:44 +01:00
Alex Pop
cf6fdd09af Show versions for inspec compliance profiles (#2143)
Signed-off-by: Alex Pop <apop@chef.io>
2017-09-13 17:52:45 -04:00
Alex Pop
35becd7e0f Support profile versions for automate profiles storage (#2128)
* Support profile versions for automate profiles storage

Signed-off-by: Alex Pop <apop@chef.io>

* Add unit tests for inspec-compliance bundle

Signed-off-by: Alex Pop <apop@chef.io>

* Refactor target_url method, fix tests, fix rubocop errors

Signed-off-by: Adam Leff <adam@leff.co>
2017-09-13 16:53:36 -04:00
Adam Leff
a6582bea9b Remove any "All Rights Reserved" references (#1969)
* Remove any "All Rights Reserved" references

InSpec is licensed and released under the Apache 2.0 license. This
change removes all reference to legacy code files that still had
any Copyright or License lines referring to "All Rights Reserved".

Signed-off-by: Adam Leff <adam@leff.co>

* fix functional tests

Signed-off-by: Christoph Hartmann <chris@lollyrock.com>
2017-06-28 04:14:19 -07:00
Adam Leff
f7c8c646a9 Extract Compliance::API version parsing to separate method (#1931)
For cleanliness and ease of testing, I've moved the logic that
parses the server version from the compliance config to a
separate method.

Signed-off-by: Adam Leff <adam@leff.co>
2017-06-23 08:29:50 -07:00
Adam Leff
6668bf15ea Fix detection of Automate pre-0.8.x in Compliance::API (#1922)
The is_automate_server_pre_080? and is_automate_server_080_and_later?
methods needed some fixing. The Compliance configuration could have
a "version" key that was not nil but was an empty hash, indicating
that it came from a pre-0.8.x Automate server. What we really need
to look for is config['version']['version'] being nil?.

Signed-off-by: Adam Leff <adam@leff.co>
2017-06-13 10:05:09 +02:00
Adam Leff
dda24b9f98 Fix compliance uploads when version is not present
The Compliance::API.version method could potentially return
a hash containing no "version" key but would return an empty
hash upon any expected failure. Downstream callers of the
Compliance::API.version method were looking for a "version"
key to always be present when, in some cases, it would not be.

This change ensures that if a version is not available, there
is no "version" key in the hash, and downstream callers of this
method have been changed to check for nil instead of empty.

Signed-off-by: Adam Leff <adam@leff.co>
2017-06-06 14:49:25 +02:00
Christoph Hartmann
be2453def6 Merge pull request #1875 from ndobson/fixrefreshtoken
Fix version method call for refresh token
2017-05-31 22:05:20 -05:00
Nick Dobson
7a4ff97863 Fix version method call
Signed-off-by: Nick Dobson <nick.dobson@me.com>
2017-05-31 10:44:14 -05:00
Christoph Hartmann
a6ef98c896 verifies that inspec.yml uses licenses in SPDX format
Signed-off-by: Christoph Hartmann <chris@lollyrock.com>
2017-05-31 00:21:05 -05:00
Dominik Richter
a0e8be2568 bugfix: non-url servers with compliance login
Non-url URIs may have lead to broader crashes than initially fixed. Overwrite all URL resolvers in the plugin to work with these non-schema URLs.

Fixes #1473

Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
2017-05-30 12:04:21 -04:00
Adam Leff
266f061b9e Habitat Profiles: redirect stderr to stdout
Due to habitat-sh/habitat#2395, we shouldn't try to log stderr output
to a file for now. While this makes for a less-than-awesome UX, it's
better than a process locking up due to a buffer filling up!

This change redirects stderr from InSpec to stdout and adds some
helpful troubleshooting messages. Should InSpec be able to generate
unique exit codes for when controls fail (vs. a Ruby eval failure)
then we can fix this up some more, too.

Signed-off-by: Adam Leff <adam@leff.co>
2017-05-29 15:31:26 -04:00
Adam Leff
88581ae3dd
Raise exception if profile target URL cannot be parsed
When attempting to parse the profile out of the target URL, we
were not raising an exception if we failed to do so. Such a situation
could arise if a user's inspec config.json is incorrect either due to
manual editing or failure to re-login after an upgrade past Automate
0.8.0.

This change provides a clear exception if this occurs and also adds
tests for the compliance_profile_name method.

Signed-off-by: Adam Leff <adam@leff.co>
2017-05-26 14:30:37 -05:00
Adam Leff
81bfdf2d55
Fix is_automate_server_080_and_later? call
Method name was incorrect (missing `?`) and also was missing
the required config parameter.

Signed-off-by: Adam Leff <adam@leff.co>
2017-05-19 21:07:58 -04:00
Seth Thomas
9f30fe1726 Fixing typo on method name
Signed-off-by: Seth Thomas <sthomas@chef.io>
2017-05-19 19:58:46 -04:00
Christoph Hartmann
5cc288d5df support new automate 0.8.0
Signed-off-by: Christoph Hartmann <chris@lollyrock.com>
2017-05-17 15:02:08 +02:00
Elliott Davis
31645968e2 Update hab exporter to use inspec in path over calling to hab sup
Signed-off-by: Elliott Davis <edavis@chef.io>
2017-05-09 20:09:33 -05:00
Ryan Hass
99ebae186b Fix exit status check in hab run hook generator.
The exit status would never return "InSpec run completed successfully"
since the value of $RC was always an integer which never was prefixed
with an "x". This checks the return directly since we currently do not
have any complex logic which warrants the need to check different
return status values where a prefixed return code is necessary.

Signed-off-by: Ryan Hass <rhass@users.noreply.github.com>
2017-04-28 11:54:13 -07:00
Ryan Hass
4622de7a28 Update habitat plan and hook generators
* Fixed bug with install step where profile would include the .hart
  files from previous builds.
* Updated the generated plan to support plan.sh syntax changes in
  habitat 0.21.0 and later by removing the `pkg_source` and the
  `do_download`, `do_verify`, and `do_unpack` overrides.
* Updated the generate run hook to leverage habitat to perform most of
  the origin, package name, and path variable interpolations.

Signed-off-by: Ryan Hass <rhass@users.noreply.github.com>
2017-04-28 09:31:11 -07:00
Adam Leff
7a71719f13 Move Habitat sleep time to config file
Because the sleep_time is not written to a config file but instead
only rendered into the run hook, hab-sup doesn't restart the running
process upon any config updates. This change moves the sleep_time to
a settings config file which is read in by the run hook. This will
allow Habitat to restart the InSpec process whenever a user changes
the sleep time.

I also cleaned up the non-zero exit error message to give the user
a better indication as to why the run may have "failed."

Signed-off-by: Adam Leff <adam@leff.co>
2017-04-14 12:01:25 -04:00
Christoph Hartmann
effd0dd9f8 harmonize compliance profiles view with supermarket views (#1654)
* harmonize profiles view with supermarket plugin

Signed-off-by: Christoph Hartmann <chris@lollyrock.com>
2017-04-13 11:24:17 -04:00
Adam Leff
9b472e1b59
Habitat packages should run as root
Many InSpec resources require root access to properly scan. Let's
default the run user to root until we need to accommodate different
options.

Signed-off-by: Adam Leff <adam@leff.co>
2017-04-13 10:34:47 -04:00
Jeremy J. Miller
735b67ab8a allow Automate profile dependencies
Signed-off-by: Jeremy J. Miller <jm@chef.io>
2017-04-11 16:45:24 -04:00
Ryan Larson
0e187f6117 Feature/fix ability to pass in supermarket url (#1595)
* Enable customization of supermarket_url

It looks like this was originally supposed to work, but at some point
the default value was put in the method body rather than in the method
parameters.

This change allows you to configure the supermarket_url in test kitchen
like so:

```
verifier:
  inspec_tests:
  - name: linux-hardening
    supermarket: som3guy/apache-disa-stig
    supermarket_url: https://my.supermarket.com
```

Signed-off-by: Ryan Larson <ryan.mango.larson@gmail.com>
2017-03-29 12:42:24 -04:00
Adam Leff
e1c664272e Break out profile vendor activities into separate class
Per PR feedback, `Inspec::ProfileVendor` is created to centralize
the logic and data of vendoring profile dependencies. The `BaseCLI`
class and the `Habitat::Profile` class have been modified to use it

Signed-off-by: Adam Leff <adam@leff.co>
2017-03-29 10:22:20 +02:00
Adam Leff
8269d0da9e Support vendored profiles in Habitat-packaged profiles
This change adds support in Habitat-packaged profiles for
profiles that depend on other profiles. When `inspec habitat
profile create` or `inspec habitat profile upload` is run,
it will see if the profile's dependencies have been vendored
yet, and if not, it will vendor them before creating the
habitat artifact.

For the git and URL fetchers, more explicit creation of the
target directories for the vendored profiles is done. This
is implicitly done via normal CLI interactions a user may
go through, but in our case, we want to ensure those directories
are there before the fetchers try to write out content.

By adding this support, we also fix a bug experienced in Habitat
where a profile that was packaged before an `inspec exec` was run
for the profile would cause a failure in Habitat. This is caused
by `inspec exec` doing a vendor of the dependencies if necessary
and generating the inspec.lock file. In Habitat, the package dir
is not writable by the hab user and InSpec would fail to run due
to an inability to write out an inspec.lock.

Signed-off-by: Adam Leff <adam@leff.co>
2017-03-29 10:22:20 +02:00
Adam Leff
90b0ce08c5 Remove errant puts in inspec habitat CLI command
Left a `puts` behind during some testing that made its way into
a PR. Removing it!

Signed-off-by: Adam Leff <adam@leff.co>
2017-03-28 22:57:08 +02:00
Adam Leff
9550137605 Write Habitat-driven InSpec output to svc_var directory
When running a InSpec profile built with Habitat, we now
write the formatter/reporter data to a JSON file in the
pkg.svc_var_path rather than STDOUT. This will allow for
programmatic collection of this data and future enhancements
to allow this data to be passed around a Habitat ring.

This also corrects an issue creating a Habitat profile if the
profile had never been in the local InSpec cache. By setting a
mock Backend when creating the profile object, similarly to what
the archivers do, this issue is avoided.

Signed-off-by: Adam Leff <adam@leff.co>
2017-03-02 17:45:16 -05:00
Christoph Hartmann
71cc62c757 use -- for description of inspec login_automate
Signed-off-by: Christoph Hartmann <chris@lollyrock.com>
2017-03-02 12:30:33 +01:00
Adam Leff
0342cca62e Adding a Habitat profile artifact creator
Two new commands have been created:

 * inspec habitat profile create /path/to/profile
 * inspec habitat profile upload /path/to/profile

The `create` command creates a Habitat artifact that contains the contents
of the Habitat profile found at the provided path. This will be used later
in some Habitat + InSpec integrations.

The `upload` command does the same create process but then uploads the
resulting artifact to the Habitat Depot.

Signed-off-by: Adam Leff <adam@leff.co>
2017-02-23 18:25:22 -05:00
Dominik Richter
b86201d6df Merge pull request #1478 from chef/tduffield/relax-rubocop-pin
Use RuboCop 0.39.0 (same as chefstyle)
2017-02-09 00:09:48 +01:00
Tom Duffield
1ea83f526c Address rubocop violations
Signed-off-by: Tom Duffield <tom@chef.io>
2017-02-08 16:49:16 -06:00
Dominik Richter
d4243b3558 map url to https for compliance plugin
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
2017-02-08 23:29:58 +01:00
Dominik Richter
8c48e81b10 bugfix: warn users about insecure login requirements
Fixes https://github.com/chef/inspec/issues/1469

Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
2017-02-08 08:47:31 +01:00
Montague, Brent
463f3ff09f Refactor after revisions requested from @chris-rock
Signed-off-by: Montague, Brent <brent@bmontague.com>
2017-01-25 14:33:34 -05:00
Montague, Brent
caa554b467 Updated compliance api requests to actually use refresh token correctly
We do not store a token in the config file but rather generate one on
each commmand.  This is just a first pass and needs some work.

Signed-off-by: Montague, Brent <brent@bmontague.com>
2017-01-25 14:33:34 -05:00
Christoph Hartmann
8015f1191c implement download of profiles
Signed-off-by: Christoph Hartmann <chris@lollyrock.com>
2017-01-05 13:31:36 +01:00
Christoph Hartmann
fc6ab8d6f9 print name for supermarket profiles 2016-12-22 09:48:53 +01:00
Christoph Hartmann
7a0aa49986 use cached profile for compliance dependencies if vendored
Signed-off-by: Christoph Hartmann <chris@lollyrock.com>
2016-12-08 10:11:55 +00:00