Commit graph

148 commits

Author SHA1 Message Date
Adam Leff
6668bf15ea Fix detection of Automate pre-0.8.x in Compliance::API (#1922)
The is_automate_server_pre_080? and is_automate_server_080_and_later?
methods needed some fixing. The Compliance configuration could have
a "version" key that was not nil but was an empty hash, indicating
that it came from a pre-0.8.x Automate server. What we really need
to look for is config['version']['version'] being nil?.

Signed-off-by: Adam Leff <adam@leff.co>
2017-06-13 10:05:09 +02:00
Adam Leff
dda24b9f98 Fix compliance uploads when version is not present
The Compliance::API.version method could potentially return
a hash containing no "version" key but would return an empty
hash upon any expected failure. Downstream callers of the
Compliance::API.version method were looking for a "version"
key to always be present when, in some cases, it would not be.

This change ensures that if a version is not available, there
is no "version" key in the hash, and downstream callers of this
method have been changed to check for nil instead of empty.

Signed-off-by: Adam Leff <adam@leff.co>
2017-06-06 14:49:25 +02:00
Christoph Hartmann
be2453def6 Merge pull request #1875 from ndobson/fixrefreshtoken
Fix version method call for refresh token
2017-05-31 22:05:20 -05:00
Nick Dobson
7a4ff97863 Fix version method call
Signed-off-by: Nick Dobson <nick.dobson@me.com>
2017-05-31 10:44:14 -05:00
Christoph Hartmann
a6ef98c896 verifies that inspec.yml uses licenses in SPDX format
Signed-off-by: Christoph Hartmann <chris@lollyrock.com>
2017-05-31 00:21:05 -05:00
Dominik Richter
a0e8be2568 bugfix: non-url servers with compliance login
Non-url URIs may have lead to broader crashes than initially fixed. Overwrite all URL resolvers in the plugin to work with these non-schema URLs.

Fixes #1473

Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
2017-05-30 12:04:21 -04:00
Adam Leff
266f061b9e Habitat Profiles: redirect stderr to stdout
Due to habitat-sh/habitat#2395, we shouldn't try to log stderr output
to a file for now. While this makes for a less-than-awesome UX, it's
better than a process locking up due to a buffer filling up!

This change redirects stderr from InSpec to stdout and adds some
helpful troubleshooting messages. Should InSpec be able to generate
unique exit codes for when controls fail (vs. a Ruby eval failure)
then we can fix this up some more, too.

Signed-off-by: Adam Leff <adam@leff.co>
2017-05-29 15:31:26 -04:00
Adam Leff
88581ae3dd
Raise exception if profile target URL cannot be parsed
When attempting to parse the profile out of the target URL, we
were not raising an exception if we failed to do so. Such a situation
could arise if a user's inspec config.json is incorrect either due to
manual editing or failure to re-login after an upgrade past Automate
0.8.0.

This change provides a clear exception if this occurs and also adds
tests for the compliance_profile_name method.

Signed-off-by: Adam Leff <adam@leff.co>
2017-05-26 14:30:37 -05:00
Adam Leff
81bfdf2d55
Fix is_automate_server_080_and_later? call
Method name was incorrect (missing `?`) and also was missing
the required config parameter.

Signed-off-by: Adam Leff <adam@leff.co>
2017-05-19 21:07:58 -04:00
Seth Thomas
9f30fe1726 Fixing typo on method name
Signed-off-by: Seth Thomas <sthomas@chef.io>
2017-05-19 19:58:46 -04:00
Christoph Hartmann
5cc288d5df support new automate 0.8.0
Signed-off-by: Christoph Hartmann <chris@lollyrock.com>
2017-05-17 15:02:08 +02:00
Elliott Davis
31645968e2 Update hab exporter to use inspec in path over calling to hab sup
Signed-off-by: Elliott Davis <edavis@chef.io>
2017-05-09 20:09:33 -05:00
Ryan Hass
99ebae186b Fix exit status check in hab run hook generator.
The exit status would never return "InSpec run completed successfully"
since the value of $RC was always an integer which never was prefixed
with an "x". This checks the return directly since we currently do not
have any complex logic which warrants the need to check different
return status values where a prefixed return code is necessary.

Signed-off-by: Ryan Hass <rhass@users.noreply.github.com>
2017-04-28 11:54:13 -07:00
Ryan Hass
4622de7a28 Update habitat plan and hook generators
* Fixed bug with install step where profile would include the .hart
  files from previous builds.
* Updated the generated plan to support plan.sh syntax changes in
  habitat 0.21.0 and later by removing the `pkg_source` and the
  `do_download`, `do_verify`, and `do_unpack` overrides.
* Updated the generate run hook to leverage habitat to perform most of
  the origin, package name, and path variable interpolations.

Signed-off-by: Ryan Hass <rhass@users.noreply.github.com>
2017-04-28 09:31:11 -07:00
Adam Leff
7a71719f13 Move Habitat sleep time to config file
Because the sleep_time is not written to a config file but instead
only rendered into the run hook, hab-sup doesn't restart the running
process upon any config updates. This change moves the sleep_time to
a settings config file which is read in by the run hook. This will
allow Habitat to restart the InSpec process whenever a user changes
the sleep time.

I also cleaned up the non-zero exit error message to give the user
a better indication as to why the run may have "failed."

Signed-off-by: Adam Leff <adam@leff.co>
2017-04-14 12:01:25 -04:00
Christoph Hartmann
effd0dd9f8 harmonize compliance profiles view with supermarket views (#1654)
* harmonize profiles view with supermarket plugin

Signed-off-by: Christoph Hartmann <chris@lollyrock.com>
2017-04-13 11:24:17 -04:00
Adam Leff
9b472e1b59
Habitat packages should run as root
Many InSpec resources require root access to properly scan. Let's
default the run user to root until we need to accommodate different
options.

Signed-off-by: Adam Leff <adam@leff.co>
2017-04-13 10:34:47 -04:00
Jeremy J. Miller
735b67ab8a allow Automate profile dependencies
Signed-off-by: Jeremy J. Miller <jm@chef.io>
2017-04-11 16:45:24 -04:00
Ryan Larson
0e187f6117 Feature/fix ability to pass in supermarket url (#1595)
* Enable customization of supermarket_url

It looks like this was originally supposed to work, but at some point
the default value was put in the method body rather than in the method
parameters.

This change allows you to configure the supermarket_url in test kitchen
like so:

```
verifier:
  inspec_tests:
  - name: linux-hardening
    supermarket: som3guy/apache-disa-stig
    supermarket_url: https://my.supermarket.com
```

Signed-off-by: Ryan Larson <ryan.mango.larson@gmail.com>
2017-03-29 12:42:24 -04:00
Adam Leff
e1c664272e Break out profile vendor activities into separate class
Per PR feedback, `Inspec::ProfileVendor` is created to centralize
the logic and data of vendoring profile dependencies. The `BaseCLI`
class and the `Habitat::Profile` class have been modified to use it

Signed-off-by: Adam Leff <adam@leff.co>
2017-03-29 10:22:20 +02:00
Adam Leff
8269d0da9e Support vendored profiles in Habitat-packaged profiles
This change adds support in Habitat-packaged profiles for
profiles that depend on other profiles. When `inspec habitat
profile create` or `inspec habitat profile upload` is run,
it will see if the profile's dependencies have been vendored
yet, and if not, it will vendor them before creating the
habitat artifact.

For the git and URL fetchers, more explicit creation of the
target directories for the vendored profiles is done. This
is implicitly done via normal CLI interactions a user may
go through, but in our case, we want to ensure those directories
are there before the fetchers try to write out content.

By adding this support, we also fix a bug experienced in Habitat
where a profile that was packaged before an `inspec exec` was run
for the profile would cause a failure in Habitat. This is caused
by `inspec exec` doing a vendor of the dependencies if necessary
and generating the inspec.lock file. In Habitat, the package dir
is not writable by the hab user and InSpec would fail to run due
to an inability to write out an inspec.lock.

Signed-off-by: Adam Leff <adam@leff.co>
2017-03-29 10:22:20 +02:00
Adam Leff
90b0ce08c5 Remove errant puts in inspec habitat CLI command
Left a `puts` behind during some testing that made its way into
a PR. Removing it!

Signed-off-by: Adam Leff <adam@leff.co>
2017-03-28 22:57:08 +02:00
Adam Leff
9550137605 Write Habitat-driven InSpec output to svc_var directory
When running a InSpec profile built with Habitat, we now
write the formatter/reporter data to a JSON file in the
pkg.svc_var_path rather than STDOUT. This will allow for
programmatic collection of this data and future enhancements
to allow this data to be passed around a Habitat ring.

This also corrects an issue creating a Habitat profile if the
profile had never been in the local InSpec cache. By setting a
mock Backend when creating the profile object, similarly to what
the archivers do, this issue is avoided.

Signed-off-by: Adam Leff <adam@leff.co>
2017-03-02 17:45:16 -05:00
Christoph Hartmann
71cc62c757 use -- for description of inspec login_automate
Signed-off-by: Christoph Hartmann <chris@lollyrock.com>
2017-03-02 12:30:33 +01:00
Adam Leff
0342cca62e Adding a Habitat profile artifact creator
Two new commands have been created:

 * inspec habitat profile create /path/to/profile
 * inspec habitat profile upload /path/to/profile

The `create` command creates a Habitat artifact that contains the contents
of the Habitat profile found at the provided path. This will be used later
in some Habitat + InSpec integrations.

The `upload` command does the same create process but then uploads the
resulting artifact to the Habitat Depot.

Signed-off-by: Adam Leff <adam@leff.co>
2017-02-23 18:25:22 -05:00
Dominik Richter
b86201d6df Merge pull request #1478 from chef/tduffield/relax-rubocop-pin
Use RuboCop 0.39.0 (same as chefstyle)
2017-02-09 00:09:48 +01:00
Tom Duffield
1ea83f526c Address rubocop violations
Signed-off-by: Tom Duffield <tom@chef.io>
2017-02-08 16:49:16 -06:00
Dominik Richter
d4243b3558 map url to https for compliance plugin
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
2017-02-08 23:29:58 +01:00
Dominik Richter
8c48e81b10 bugfix: warn users about insecure login requirements
Fixes https://github.com/chef/inspec/issues/1469

Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
2017-02-08 08:47:31 +01:00
Montague, Brent
463f3ff09f Refactor after revisions requested from @chris-rock
Signed-off-by: Montague, Brent <brent@bmontague.com>
2017-01-25 14:33:34 -05:00
Montague, Brent
caa554b467 Updated compliance api requests to actually use refresh token correctly
We do not store a token in the config file but rather generate one on
each commmand.  This is just a first pass and needs some work.

Signed-off-by: Montague, Brent <brent@bmontague.com>
2017-01-25 14:33:34 -05:00
Christoph Hartmann
8015f1191c implement download of profiles
Signed-off-by: Christoph Hartmann <chris@lollyrock.com>
2017-01-05 13:31:36 +01:00
Christoph Hartmann
fc6ab8d6f9 print name for supermarket profiles 2016-12-22 09:48:53 +01:00
Christoph Hartmann
7a0aa49986 use cached profile for compliance dependencies if vendored
Signed-off-by: Christoph Hartmann <chris@lollyrock.com>
2016-12-08 10:11:55 +00:00
Victoria Jeffrey
0991cd142f move vendor_deps to base_cli
Signed-off-by: Victoria Jeffrey <vjeffrey@chef.io>
2016-12-01 15:29:47 +01:00
Victoria Jeffrey
b110c1fba5 Vendor profile when uploading to chef-compliance
Signed-off-by: Victoria Jeffrey <vjeffrey@chef.io>
2016-11-30 18:24:12 +01:00
Victoria Jeffrey
d8b512ec8c refactor headers retrieval into get_headers method
Signed-off-by: Victoria Jeffrey <vjeffrey@chef.io>
2016-11-30 18:10:33 +01:00
Victoria Jeffrey
60009b292b address comments
Signed-off-by: Victoria Jeffrey <vjeffrey@chef.io>
2016-11-30 13:27:50 +01:00
Victoria Jeffrey
bdf5eae15e Extend inspec compliance cli to support automate backend
Signed-off-by: Victoria Jeffrey <vjeffrey@chef.io>
2016-11-30 13:27:50 +01:00
Robb Kidd
ae474b894e update supermarket profile search to use new type param
Reverts the work-around that pulls down the latest 100 tools
and filters for type == 'compliance_profile' in the client.

Go back to using tool-search with the new type parameter.

Omit start:0 because that's the default.

Keep the number of items returned at 100, which is more than the
default 10.

Signed-off-by: Robb Kidd <robb@thekidds.org>
2016-11-12 15:45:19 -05:00
Jerry Aldrich III
cafa35e5ce Change Inpsec to Inspec
Signed-off-by: Jerry Aldrich III <jerry@chef.io>
2016-11-08 11:20:32 -06:00
Dave Parfitt
51378d326b adds profile signing/verification
Signed-off-by: Dave Parfitt <dparfitt@chef.io>
2016-10-27 14:44:10 +02:00
Alex Pop
d40ee684f8 supermarket tools get and filter by tool_type (#1254)
Signed-off-by: Alex Pop <apop@chef.io>
2016-10-26 15:42:43 +02:00
Steven Danna
76ef897d80 Improve error messages from compliance fetcher
Signed-off-by: Steven Danna <steve@chef.io>
2016-09-26 01:57:58 +02:00
Alex Pop
624849d418 removed unsupported legacy login and replaced it with the current username/password login option. a bit of refactoring around error checking and error/success output content 2016-09-19 23:08:42 +02:00
Steven Danna
4d2d0f2b67
Typo supermarket -> compliance
Signed-off-by: Steven Danna <steve@chef.io>
2016-09-09 14:46:36 +01:00
Steven Danna
120b3d895a
Allow supermarket:// and compliance:// in inspec.yml
Signed-off-by: Steven Danna <steve@chef.io>
2016-09-09 14:14:37 +01:00
Steven Danna
85cbe713d7
Add GitFetcher and rework Fetchers+SourceReaders
This adds a new git fetcher. In doing so, it also refactors how the
fetchers work a bit to better support fetchers that need to resolve
user-provided sources to fully specified sources appropriate for a
lockfile.

Signed-off-by: Steven Danna <steve@chef.io>
2016-09-09 14:14:36 +01:00
Alex Pop
8dcd71374b Raise error when an invalid URI is received 2016-09-05 14:44:01 +01:00
Kartik Null Cating-Subramanian
1243d9475d Rubocoooop! 2016-08-25 14:22:15 -04:00
Kartik Null Cating-Subramanian
33ae22d313 Support controls and describe blocks in InSpec shell 2016-08-19 19:07:23 +02:00
Christoph Hartmann
af04a0f5ba implement workaround for thor 2016-08-18 20:50:49 +02:00
Victoria Jeffrey
b98c3e243e give accurate information for inspec compliance login --help 2016-08-18 20:00:27 +02:00
Christoph Hartmann
cf784ded7c update exit codes 2016-08-18 19:40:08 +02:00
Victoria Jeffrey
c3d245fafd fail gracefully on inspec compliance profiles when bad token is provided 2016-08-18 19:35:29 +02:00
Victoria Jeffrey
24a2c5c356 return token stored message on login 2016-08-18 16:47:34 +02:00
Christoph Hartmann
502aef54fd use bundler instead of gem, to speed up integration testing for different versions 2016-08-18 16:32:45 +02:00
Victoria Jeffrey
bdb1d913d9 Remove false username/passwd msg from inspec compliance login 2016-08-17 17:15:52 +02:00
Victoria Jeffrey
b75b8ab4a9 inspec compliance version fails gracefully when server config info is missing 2016-08-17 17:00:53 +02:00
Christoph Hartmann
96754cac6c fix integration tests for Chef Compliance 2016-08-17 13:51:26 +02:00
Christoph Hartmann
8a17cb6b5b update readme for bundles 2016-06-29 08:14:36 +02:00
Christoph Hartmann
1c2fd97a39 fix: remove non-existent class 2016-05-10 13:18:33 +02:00
Christoph Hartmann
6e93a13000 show error if user is not logged in to compliance server 2016-05-06 13:47:22 +02:00
Christoph Hartmann
46f38b51d0 add integration tests for compliance plugin 2016-04-29 01:12:53 +02:00
Christoph Hartmann
8678ab6625 fix compliance plugin 2016-04-29 00:39:25 +02:00
Christoph Hartmann
3007aef248 add function tests for compliance command 2016-04-13 16:55:14 -04:00
Christoph Hartmann
07c359431f fix: make the plugin compatible with all versions of chef compliance 2016-04-13 16:27:57 -04:00
Christoph Hartmann
01bec4cd1e merge cli commands login, api_token and token to login 2016-04-13 16:27:57 -04:00
Stephan Renatus
54db2625eb inspec-compliance: restore compat with pre-1.0 2016-04-13 16:27:57 -04:00
Stephan Renatus
71e1372b5e fix rubocop 2016-04-13 16:27:57 -04:00
Stephan Renatus
4004dfbb3c inspec-compliance: update README 2016-04-13 16:27:57 -04:00
Stephan Renatus
7b740a2f9d inspec-compliance: style 2016-04-13 16:27:57 -04:00
Stephan Renatus
e0bd2bb595 inspec-compliance: work with compliance 1.0 2016-04-13 16:27:57 -04:00
Julian Tabel
bd594f3608 added apipath cli option to inspec compliance with default to /api 2016-03-29 10:49:48 +02:00
Stephan Renatus
be93f25e6e inspec-compliance: url_encode profile names 2016-03-24 23:47:41 +01:00
Stephan Renatus
f19b3f632f inspec-compliance: fix upload of profiles 2016-03-23 16:13:23 +01:00
Dominik Richter
f6bd7ed3b8 unify exec options 2016-03-06 15:07:12 +01:00
Christoph Hartmann
d4554771da adds a insecure option for the compliance plugin to work with self-signed ssl 2016-03-01 20:51:23 +01:00
Christoph Hartmann
bc2cde6b29 make supermarket command more robust 2016-03-01 13:26:36 +01:00
Alex Pop
051ac89376 make PROFILE required and update usage info 2016-03-01 10:27:22 +00:00
Christoph Hartmann
acdae94201 add missing supermarket loader 2016-02-29 19:28:53 +01:00
Christoph Hartmann
9ea68471e5 fix cc upload 2016-02-22 21:14:50 +01:00
Dominik Richter
5cabb7d273 migrate inspec-supermarket target to fetcher 2016-02-22 12:06:37 +01:00
Dominik Richter
9c3f336d06 migrate inspec-compliance target to fetcher 2016-02-22 11:24:36 +01:00
Dominik Richter
e4c3c9370b fix detection with new profile/runner scheme 2016-02-22 11:24:36 +01:00
Dominik Richter
1e1e473cb0 replace target-helper with fetcher+reader 2016-02-22 11:24:35 +01:00
Christoph Hartmann
3f6b89e24d extend github url support 2016-02-19 09:12:25 +01:00
Dominik Richter
17d4e1dc3c simplify url-construction of inspec-compliance 2016-02-18 14:25:55 +01:00
Stephan Renatus
d2469d9519 inspec-compliance: ensure file permissions when saving config 2016-02-17 10:46:06 +01:00
Christoph Hartmann
96d02ba4a2 add inspec profile as example 2016-02-14 21:27:40 +01:00
Christoph Hartmann
b967af3c89 rename generate to init 2016-02-14 21:26:37 +01:00
Christoph Hartmann
f281f9c351 implement generate cli command 2016-02-14 19:38:58 +01:00
Christoph Hartmann
796af68a69 Fix supermarket cli registration 2016-02-09 15:22:29 +01:00
Dominik Richter
e56321f6c7 semantics: rename CLI plugins registry -> subcommands
Basically make sure everyone understands these are only subcommands. we might consider adding plugins for options or existing commands instead of new subcommands. this just ensures everyone knows what registry is for
2016-02-09 01:20:38 +01:00
Christoph Hartmann
b33129fbf5 implement supermarket extension 2016-02-08 20:06:07 +01:00
Christoph Hartmann
b7a88dbd7a fix linting and unit test 2016-02-05 16:57:51 +01:00
Christoph Hartmann
7e88f56917 move plugin to bundles 2016-02-05 14:48:55 +01:00
Christoph Hartmann
589db0bcd0 add registry for cli plugins 2016-02-05 14:06:55 +01:00