# encoding: utf-8 # author: Adam Leff require 'inspec/profile_vendor' require 'mixlib/shellout' require 'tomlrb' module Habitat class Profile attr_reader :options, :path, :profile def self.create(path, options = {}) creator = new(path, options) hart_file = creator.create creator.copy(hart_file) ensure creator.delete_work_dir end def self.setup(path) new(path).setup end def self.upload(path, options = {}) uploader = new(path, options) uploader.upload ensure uploader.delete_work_dir end def initialize(path, options = {}) @path = path @options = options log_level = options.fetch('log_level', 'info') Habitat::Log.level(log_level.to_sym) end def create Habitat::Log.info("Creating a Habitat artifact for profile: #{path}") validate_habitat_installed validate_habitat_origin create_profile_object verify_profile vendor_profile_dependencies copy_profile_to_work_dir create_habitat_directories(work_dir) create_plan(work_dir) create_run_hook(work_dir) create_settings_file(work_dir) create_default_config(work_dir) # returns the path to the .hart file in the work directory build_hart rescue => e Habitat::Log.debug(e.backtrace.join("\n")) exit_with_error( 'Unable to generate Habitat artifact.', "#{e.class} -- #{e.message}", ) end def copy(hart_file) validate_output_dir Habitat::Log.info("Copying artifact to #{output_dir}...") copy_hart(hart_file) end def upload validate_habitat_auth_token hart_file = create upload_hart(hart_file) rescue => e Habitat::Log.debug(e.backtrace.join("\n")) exit_with_error( 'Unable to upload Habitat artifact.', "#{e.class} -- #{e.message}", ) end def delete_work_dir Habitat::Log.debug("Deleting work directory #{work_dir}") FileUtils.rm_rf(work_dir) if Dir.exist?(work_dir) end def setup Habitat::Log.info("Setting up profile at #{path} for Habitat...") create_profile_object verify_profile vendor_profile_dependencies create_habitat_directories(path) create_plan(path) create_run_hook(path) create_settings_file(path) create_default_config(path) end private def create_profile_object @profile = Inspec::Profile.for_target( path, backend: Inspec::Backend.create(target: 'mock://'), ) end def verify_profile Habitat::Log.info('Checking to see if the profile is valid...') unless profile.check[:summary][:valid] exit_with_error('Profile check failed. Please fix the profile before creating a Habitat artifact.') end Habitat::Log.info('Profile is valid.') end def vendor_profile_dependencies profile_vendor = Inspec::ProfileVendor.new(path) if profile_vendor.lockfile.exist? && profile_vendor.cache_path.exist? Habitat::Log.info("Profile's dependencies are already vendored, skipping vendor process.") else Habitat::Log.info("Vendoring the profile's dependencies...") profile_vendor.vendor! Habitat::Log.info('Ensuring all vendored content has read permissions...') profile_vendor.make_readable # refresh the profile object since the profile now has new files create_profile_object end end def validate_habitat_installed Habitat::Log.info('Checking to see if Habitat is installed...') cmd = Mixlib::ShellOut.new('hab --version') cmd.run_command exit_with_error('Unable to run Habitat commands.', cmd.stderr) if cmd.error? end def validate_habitat_origin exit_with_error( 'Unable to determine Habitat origin name.', 'Run `hab setup` or set the HAB_ORIGIN environment variable.', ) if habitat_origin.nil? end def validate_habitat_auth_token exit_with_error( 'Unable to determine Habitat auth token for publishing.', 'Run `hab setup` or set the HAB_AUTH_TOKEN environment variable.', ) if habitat_auth_token.nil? end def validate_output_dir exit_with_error("Output directory #{output_dir} is not a directory or does not exist.") unless File.directory?(output_dir) end def work_dir return @work_dir if @work_dir @work_dir ||= Dir.mktmpdir('inspec-habitat-exporter') Habitat::Log.debug("Generated work directory #{@work_dir}") @work_dir end def create_habitat_directories(parent_directory) [ File.join(parent_directory, 'habitat'), File.join(parent_directory, 'habitat', 'config'), File.join(parent_directory, 'habitat', 'hooks'), ].each do |dir| Dir.mkdir(dir) unless Dir.exist?(dir) end end def copy_profile_to_work_dir Habitat::Log.info('Copying profile contents to the work directory...') profile.files.each do |f| src = File.join(profile.root_path, f) dst = File.join(work_dir, f) if File.directory?(f) Habitat::Log.debug("Creating directory #{dst}") FileUtils.mkdir_p(dst) else Habitat::Log.debug("Copying file #{src} to #{dst}") FileUtils.cp_r(src, dst) end end end def create_plan(directory) plan_file = File.join(directory, 'habitat', 'plan.sh') Habitat::Log.info("Generating Habitat plan at #{plan_file}...") File.write(plan_file, plan_contents) end def create_run_hook(directory) run_hook_file = File.join(directory, 'habitat', 'hooks', 'run') Habitat::Log.info("Generating a Habitat run hook at #{run_hook_file}...") File.write(run_hook_file, run_hook_contents) end def create_settings_file(directory) settings_file = File.join(directory, 'habitat', 'config', 'settings.sh') Habitat::Log.info("Generating a settings file at #{settings_file}...") File.write(settings_file, "SLEEP_TIME={{cfg.sleep_time}}\n") end def create_default_config(directory) default_toml = File.join(directory, 'habitat', 'default.toml') Habitat::Log.info("Generating Habitat's default.toml configuration...") File.write(default_toml, 'sleep_time = 300') end def build_hart Habitat::Log.info('Building our Habitat artifact...') env = { 'TERM' => 'vt100', 'HAB_ORIGIN' => habitat_origin, 'HAB_NONINTERACTIVE' => 'true', } env['RUST_LOG'] = 'debug' if Habitat::Log.level == :debug # TODO: Would love to use Mixlib::ShellOut here, but it doesn't # seem to preserve the STDIN tty, and docker gets angry. Dir.chdir(work_dir) do unless system(env, 'hab pkg build .') exit_with_error('Unable to build the Habitat artifact.') end end hart_files = Dir.glob(File.join(work_dir, 'results', '*.hart')) if hart_files.length > 1 exit_with_error('More than one Habitat artifact was created which was not expected.') elsif hart_files.empty? exit_with_error('No Habitat artifact was created.') end hart_files.first end def copy_hart(working_dir_hart) hart_basename = File.basename(working_dir_hart) dst = File.join(output_dir, hart_basename) FileUtils.cp(working_dir_hart, dst) dst end def upload_hart(hart_file) Habitat::Log.info('Uploading the Habitat artifact to our Depot...') env = { 'TERM' => 'vt100', 'HAB_AUTH_TOKEN' => habitat_auth_token, 'HAB_NONINTERACTIVE' => 'true', } env['HAB_DEPOT_URL'] = ENV['HAB_DEPOT_URL'] if ENV['HAB_DEPOT_URL'] cmd = Mixlib::ShellOut.new("hab pkg upload #{hart_file}", env: env) cmd.run_command if cmd.error? exit_with_error( 'Unable to upload Habitat artifact to the Depot.', cmd.stdout, cmd.stderr, ) end Habitat::Log.info('Upload complete!') end def habitat_origin ENV['HAB_ORIGIN'] || habitat_cli_config['origin'] end def habitat_auth_token ENV['HAB_AUTH_TOKEN'] || habitat_cli_config['auth_token'] end def habitat_cli_config return @cli_config if @cli_config config_file = File.join(ENV['HOME'], '.hab', 'etc', 'cli.toml') return {} unless File.exist?(config_file) @cli_config = Tomlrb.load_file(config_file) end def output_dir options[:output_dir] || Dir.pwd end def exit_with_error(*errors) errors.each do |error_msg| Habitat::Log.error(error_msg) end exit 1 end def package_name "inspec-profile-#{profile.name}" end def plan_contents plan = <<~EOL pkg_name=#{package_name} pkg_version=#{profile.version} pkg_origin=#{habitat_origin} pkg_deps=(chef/inspec core/ruby core/hab) pkg_svc_user=root EOL plan += "pkg_license='#{profile.metadata.params[:license]}'\n\n" if profile.metadata.params[:license] plan += <<~EOL do_build() { cp -vr $PLAN_CONTEXT/../* $HAB_CACHE_SRC_PATH/$pkg_dirname } do_install() { local profile_contents local excludes profile_contents=($(ls)) excludes=(habitat results *.hart) for item in ${excludes[@]}; do profile_contents=(${profile_contents[@]/$item/}) done mkdir ${pkg_prefix}/dist cp -r ${profile_contents[@]} ${pkg_prefix}/dist/ } EOL plan end def run_hook_contents <<~EOL #!/bin/sh # redirect stderr to stdout # ultimately, we'd like to log this somewhere useful, but due to # https://github.com/habitat-sh/habitat/issues/2395, we need to # avoid doing that for now. exec 2>&1 # InSpec will try to create a .cache directory in the user's home directory # so this needs to be someplace writeable by the hab user export HOME={{pkg.svc_var_path}} PROFILE_IDENT="{{pkg.origin}}/{{pkg.name}}" RESULTS_DIR="{{pkg.svc_var_path}}/inspec_results" RESULTS_FILE="${RESULTS_DIR}/{{pkg.name}}.json" # Create a directory for inspec formatter output mkdir -p {{pkg.svc_var_path}}/inspec_results while true; do echo "Executing InSpec for ${PROFILE_IDENT}" inspec exec {{pkg.path}}/dist --format=json > ${RESULTS_FILE} if [ $? -eq 0 ]; then echo "InSpec run completed successfully." else echo "InSpec run did not complete successfully. If you do not see any errors above," echo "control failures were detected. Check the InSpec results here for details:" echo ${RESULTS_FILE} echo "Otherwise, troubleshoot any errors shown above." fi source {{pkg.svc_config_path}}/settings.sh echo "sleeping for ${SLEEP_TIME} seconds" sleep ${SLEEP_TIME} done EOL end end end