mirror of
https://github.com/inspec/inspec
synced 2024-11-26 22:50:36 +00:00
4aebe87c2e
Signed-off-by: Irving Popovetsky <irving@chef.io>
556 lines
16 KiB
Ruby
556 lines
16 KiB
Ruby
require "helper"
|
|
require "inspec/objects"
|
|
|
|
describe "Objects" do
|
|
describe "Inspec::Test" do
|
|
let(:obj) { Inspec::Test.new }
|
|
it 'constructs a simple resource + its("argument")' do
|
|
obj.qualifier = [["resource"], ["version"]]
|
|
obj.matcher = "cmp >="
|
|
obj.expectation = "2.4.2"
|
|
obj.to_ruby.must_equal '
|
|
describe resource do
|
|
its("version") { should cmp >= "2.4.2" }
|
|
end
|
|
'.strip
|
|
end
|
|
|
|
# same as the above test but with it
|
|
it "constructs a simple resource.argument" do
|
|
# [''] forces an 'it' instead of 'its':
|
|
obj.qualifier = [["resource"], ["version"], [""]]
|
|
obj.matcher = "cmp >="
|
|
obj.expectation = "2.4.2"
|
|
obj.to_ruby.must_equal '
|
|
describe resource.version do
|
|
it { should cmp >= "2.4.2" }
|
|
end
|
|
'.strip
|
|
end
|
|
|
|
it "constructs a simple resource+argument with to_s" do
|
|
obj.qualifier = [["resource"], ["to_s"]]
|
|
obj.matcher = "cmp"
|
|
obj.expectation = Regexp.new("^Desc.+$")
|
|
obj.to_ruby.must_equal '
|
|
describe resource.to_s do
|
|
it { should cmp(/^Desc.+$/) }
|
|
end
|
|
'.strip
|
|
end
|
|
|
|
it "constructs a simple resource+argument with to_i" do
|
|
obj.qualifier = [["resource"], ["to_i"]]
|
|
obj.matcher = "cmp >"
|
|
obj.expectation = 3
|
|
obj.to_ruby.must_equal '
|
|
describe resource.to_i do
|
|
it { should cmp > 3 }
|
|
end
|
|
'.strip
|
|
end
|
|
|
|
it "constructs a simple resource+argument with array accessors" do
|
|
obj.qualifier = [["resource"], ["name[2]"]]
|
|
obj.matcher = "exist"
|
|
obj.matcher = "eq"
|
|
obj.expectation = "mytest"
|
|
obj.to_ruby.must_equal '
|
|
describe resource.name[2] do
|
|
it { should eq "mytest" }
|
|
end
|
|
'.strip
|
|
end
|
|
|
|
it "constructs a simple resource+argument with method calls" do
|
|
obj.qualifier = [["resource"], %w{hello world}]
|
|
obj.matcher = "eq"
|
|
obj.expectation = "mytest"
|
|
obj.to_ruby.must_equal '
|
|
describe resource.hello("world") do
|
|
it { should eq "mytest" }
|
|
end
|
|
'.strip
|
|
end
|
|
|
|
it "constructs a simple resource+argument with method calls" do
|
|
obj.qualifier = [["resource"], %w{hello world}]
|
|
obj.matcher = "be_in"
|
|
obj.expectation = %w{mytest mytest2 mytest3}
|
|
obj.to_ruby.must_equal '
|
|
describe resource.hello("world") do
|
|
it { should be_in ["mytest", "mytest2", "mytest3"] }
|
|
end
|
|
'.strip
|
|
end
|
|
|
|
it "constructs a simple resource+argument with method calls" do
|
|
obj.qualifier = [["resource"], %w{hello world}]
|
|
obj.matcher = "be_in"
|
|
obj.negate!
|
|
obj.expectation = %w{mytest2 mytest3 mytest4}
|
|
obj.to_ruby.must_equal '
|
|
describe resource.hello("world") do
|
|
it { should_not be_in ["mytest2", "mytest3", "mytest4"] }
|
|
end
|
|
'.strip
|
|
end
|
|
|
|
it "constructs a simple resource+argument with method calls" do
|
|
obj.qualifier = [['["item1","item2","item3"]']]
|
|
obj.matcher = "be_in"
|
|
obj.expectation = %w{item1 item2 item3 item4 item5}
|
|
obj.to_ruby.must_equal '
|
|
describe ["item1","item2","item3"] do
|
|
it { should be_in ["item1", "item2", "item3", "item4", "item5"] }
|
|
end
|
|
'.strip
|
|
end
|
|
|
|
it "constructs a simple resource+argument with method calls" do
|
|
obj.qualifier = [["resource"], [:mode]]
|
|
obj.matcher = "cmp"
|
|
obj.expectation = "0755"
|
|
obj.to_ruby.must_equal '
|
|
describe resource do
|
|
its("mode") { should cmp "0755" }
|
|
end
|
|
'.strip
|
|
end
|
|
|
|
it "constructs a resource+argument block with method call, matcher and expectation" do
|
|
obj.qualifier = [["command", "ls /etc"], ["exit_status"]]
|
|
obj.matcher = "eq"
|
|
obj.expectation = 0
|
|
|
|
obj.to_ruby.must_equal '
|
|
describe command("ls /etc") do
|
|
its("exit_status") { should eq 0 }
|
|
end
|
|
'.strip
|
|
end
|
|
|
|
it "constructs a simple describe with static data, negated regex matcher and expectation" do
|
|
obj.qualifier = [['"aaa"']]
|
|
obj.matcher = "match"
|
|
obj.negate!
|
|
obj.expectation = Regexp.new("^aa.*")
|
|
|
|
obj.to_ruby.must_equal '
|
|
describe "aaa" do
|
|
it { should_not match(/^aa.*/) }
|
|
end
|
|
'.strip
|
|
end
|
|
|
|
it "constructs a resource+argument block without a property call" do
|
|
obj.qualifier = [%w{service avahi-daemon}]
|
|
obj.qualifier.push(["info['properties']['UnitFileState']"])
|
|
obj.expectation = "enabled"
|
|
obj.matcher = "eq"
|
|
obj.to_ruby.must_equal '
|
|
describe service("avahi-daemon").info[\'properties\'][\'UnitFileState\'] do
|
|
it { should eq "enabled" }
|
|
end
|
|
'.strip
|
|
end
|
|
|
|
it "constructs a simple resource + only_if" do
|
|
obj.qualifier = [["resource"], ["version"]]
|
|
obj.matcher = "cmp >="
|
|
obj.expectation = "2.4.2"
|
|
obj.only_if = "package('ntp').installed?"
|
|
obj.to_ruby.must_equal '
|
|
only_if { package(\'ntp\').installed? }
|
|
describe resource do
|
|
its("version") { should cmp >= "2.4.2" }
|
|
end
|
|
'.strip
|
|
end
|
|
end
|
|
|
|
describe "Inspec::EachLoop, each_loop" do
|
|
it "constructs an each loop to match listening addresses" do
|
|
loop_obj = Inspec::EachLoop.new
|
|
loop_obj.qualifier = [["port", 25]]
|
|
loop_obj.qualifier.push(["addresses"])
|
|
obj = Inspec::Test.new
|
|
obj.matcher = "match"
|
|
obj.negate!
|
|
obj.expectation = "0.0.0.0"
|
|
loop_obj.add_test(obj)
|
|
loop_obj.to_ruby.must_equal '
|
|
port(25).addresses.each do |entry|
|
|
describe entry do
|
|
it { should_not match "0.0.0.0" }
|
|
end
|
|
end
|
|
'.strip
|
|
end
|
|
end
|
|
|
|
describe "Inspec::List" do
|
|
it "constructs a list filtering test" do
|
|
list_obj = Inspec::List.new([["passwd"]])
|
|
list_obj.qualifier.push(["where { user =~ /^(?!root|sync|shutdown|halt).*$/ }"])
|
|
|
|
obj = Inspec::Test.new
|
|
obj.qualifier = list_obj.qualifier
|
|
obj.matcher = "be_empty"
|
|
obj.qualifier.push(["entries"])
|
|
obj.negate!
|
|
obj.to_ruby.must_equal '
|
|
describe passwd.where { user =~ /^(?!root|sync|shutdown|halt).*$/ } do
|
|
its("entries") { should_not be_empty }
|
|
end
|
|
'.strip
|
|
end
|
|
end
|
|
|
|
describe "Inspec::OrTest and Inspec::Control" do
|
|
let(:obj1) do
|
|
obj1 = Inspec::Test.new
|
|
obj1.qualifier = [["command", "ls /etc"], ["exit_status"]]
|
|
obj1.matcher = "eq"
|
|
obj1.expectation = 0
|
|
obj1
|
|
end
|
|
let(:obj2) do
|
|
obj2 = obj1.dup
|
|
obj2.negate!
|
|
obj2.expectation = 100
|
|
obj2
|
|
end
|
|
|
|
it "constructs a simple describe.one block wrapping two tests" do
|
|
or_obj = Inspec::OrTest.new([obj1, obj2])
|
|
or_obj.to_ruby.must_equal '
|
|
describe.one do
|
|
describe command("ls /etc") do
|
|
its("exit_status") { should eq 0 }
|
|
end
|
|
describe command("ls /etc") do
|
|
its("exit_status") { should_not eq 100 }
|
|
end
|
|
end
|
|
'.strip
|
|
end
|
|
|
|
it "negates a describe.one block, wow!" do
|
|
or_obj = Inspec::OrTest.new([obj1, obj2])
|
|
or_obj.negate!
|
|
or_obj.to_ruby.must_equal '
|
|
describe command("ls /etc") do
|
|
its("exit_status") { should_not eq 0 }
|
|
end
|
|
describe command("ls /etc") do
|
|
its("exit_status") { should eq 100 }
|
|
end
|
|
'.strip
|
|
end
|
|
|
|
it "loops a describe.one block, ooooooo!" do
|
|
res = Inspec::EachLoop.new
|
|
res.qualifier.push(["(1..5)"])
|
|
# already defined in the let block:
|
|
obj1.matcher = "eq entity"
|
|
obj2.matcher = "eq entity"
|
|
obj1.remove_expectation
|
|
obj2.remove_expectation
|
|
|
|
or_obj = Inspec::OrTest.new([obj1, obj2])
|
|
res.tests = [or_obj]
|
|
|
|
res.to_ruby.must_equal '
|
|
(1..5).each do |entry|
|
|
describe.one do
|
|
describe command("ls /etc") do
|
|
its("exit_status") { should eq entity }
|
|
end
|
|
describe command("ls /etc") do
|
|
its("exit_status") { should_not eq entity }
|
|
end
|
|
end
|
|
end
|
|
'.strip
|
|
end
|
|
|
|
it "constructs a control" do
|
|
control = Inspec::Control.new
|
|
control.add_test(obj1)
|
|
control.id = "sample.control.id"
|
|
control.title = "Sample Control Important Title"
|
|
control.descriptions = {
|
|
default: "The most critical control the world has ever seen",
|
|
rationale: "It is needed to save the planet",
|
|
'more info': "Insert clever joke here",
|
|
}
|
|
control.refs = ["simple ref", { ref: "title", url: "my url" }]
|
|
control.impact = 1.0
|
|
control.to_ruby.must_equal '
|
|
control "sample.control.id" do
|
|
title "Sample Control Important Title"
|
|
desc "The most critical control the world has ever seen"
|
|
desc "rationale", "It is needed to save the planet"
|
|
desc "more info", "Insert clever joke here"
|
|
impact 1.0
|
|
ref "simple ref"
|
|
ref ({:ref=>"title", :url=>"my url"})
|
|
describe command("ls /etc") do
|
|
its("exit_status") { should eq 0 }
|
|
end
|
|
end
|
|
'.strip
|
|
end
|
|
|
|
it "constructs a control with only_if" do
|
|
control = Inspec::Control.new
|
|
control.add_test(obj1)
|
|
control.only_if = "package('ntp').installed?"
|
|
control.id = "sample.control.id"
|
|
control.title = "Sample Control Important Title"
|
|
control.descriptions = {
|
|
default: "The most critical control the world has ever seen",
|
|
rationale: "It is needed to save the planet",
|
|
'more info': "Insert clever joke here",
|
|
}
|
|
control.refs = ["simple ref", { ref: "title", url: "my url" }]
|
|
control.impact = 1.0
|
|
control.to_ruby.must_equal '
|
|
control "sample.control.id" do
|
|
title "Sample Control Important Title"
|
|
desc "The most critical control the world has ever seen"
|
|
desc "rationale", "It is needed to save the planet"
|
|
desc "more info", "Insert clever joke here"
|
|
impact 1.0
|
|
ref "simple ref"
|
|
ref ({:ref=>"title", :url=>"my url"})
|
|
only_if { package(\'ntp\').installed? }
|
|
describe command("ls /etc") do
|
|
its("exit_status") { should eq 0 }
|
|
end
|
|
end
|
|
'.strip
|
|
end
|
|
|
|
it "constructs a multiline desc in a control with indentation" do
|
|
control = Inspec::Control.new
|
|
control.descriptions[:default] = "Multiline\n control"
|
|
control.to_ruby.must_equal '
|
|
control nil do
|
|
desc "
|
|
Multiline
|
|
control
|
|
"
|
|
end
|
|
'.strip
|
|
end
|
|
|
|
it "ignores empty control descriptions" do
|
|
control = Inspec::Control.new
|
|
x = '
|
|
control nil do
|
|
end
|
|
'.strip
|
|
|
|
control.descriptions[:default] = ""
|
|
control.to_ruby.must_equal x
|
|
|
|
control.descriptions[:default] = nil
|
|
control.to_ruby.must_equal x
|
|
end
|
|
|
|
it "handles non-string descriptions" do
|
|
control = Inspec::Control.new
|
|
control.descriptions[:default] = 123
|
|
control.to_ruby.must_equal '
|
|
control nil do
|
|
desc "123"
|
|
end
|
|
'.strip
|
|
end
|
|
end
|
|
|
|
describe "Inspec::Variable, take #1" do
|
|
it "constructs a control with variable to instantiate a resource only once" do
|
|
control = Inspec::Control.new
|
|
variable = Inspec::Value.new([["command", "which grep"]])
|
|
variable_id = variable.name_variable.to_s
|
|
|
|
obj1 = Inspec::Test.new
|
|
obj1.variables.push(variable)
|
|
obj1.qualifier.push([variable_id])
|
|
obj1.qualifier.push(["exit_status"])
|
|
obj1.matcher = "eq"
|
|
obj1.expectation = 0
|
|
control.add_test(obj1)
|
|
|
|
obj2 = Inspec::Test.new
|
|
obj2.qualifier.push([variable_id.to_s])
|
|
obj2.qualifier.push(["stdout"])
|
|
obj2.matcher = "contain"
|
|
obj2.expectation = "grep"
|
|
control.add_test(obj2)
|
|
|
|
control.id = "variable.control.id"
|
|
control.title = "Variable Control Important Title"
|
|
control.descriptions[:default] = "The most variable control the world has ever seen"
|
|
control.impact = 1.0
|
|
control.to_ruby.must_equal '
|
|
control "variable.control.id" do
|
|
title "Variable Control Important Title"
|
|
desc "The most variable control the world has ever seen"
|
|
impact 1.0
|
|
a = command("which grep")
|
|
describe a do
|
|
its("exit_status") { should eq 0 }
|
|
end
|
|
describe a do
|
|
its("stdout") { should contain "grep" }
|
|
end
|
|
end
|
|
'.strip
|
|
end
|
|
end
|
|
|
|
describe "Inspec::Variable, take #2" do
|
|
it "constructs a control with variable, loop and var reference" do
|
|
control = Inspec::Control.new
|
|
command_value = %r{^/usr/bin/chrony}
|
|
pid_filter = ">"
|
|
pid_value = 0
|
|
loopy = Inspec::EachLoop.new
|
|
loopy.qualifier = [["processes", command_value]]
|
|
loopy.qualifier.push(["where { pid #{pid_filter} #{pid_value} }.entries"])
|
|
obj = loopy.add_test
|
|
|
|
variable = Inspec::Value.new([['passwd.where { user == "_chrony" }.uids.first']])
|
|
variable_id = variable.name_variable.to_s
|
|
obj.variables.push(variable)
|
|
obj.qualifier = [["user(entry.user)"], ["uid"]]
|
|
obj.matcher = "cmp #{variable_id}"
|
|
|
|
control.add_test(obj)
|
|
control.id = "variable.control.id"
|
|
control.impact = 0.1
|
|
control.to_ruby.must_equal '
|
|
control "variable.control.id" do
|
|
impact 0.1
|
|
a = passwd.where { user == "_chrony" }.uids.first
|
|
describe user(entry.user) do
|
|
its("uid") { should cmp a }
|
|
end
|
|
end
|
|
'.strip
|
|
end
|
|
end
|
|
|
|
describe "Inspec::Tag" do
|
|
it "constructs a tag with key and value" do
|
|
control = Inspec::Control.new
|
|
|
|
res1 = { name: "key", value: "value" }
|
|
tag1 = Inspec::Tag.new(res1[:name], res1[:value])
|
|
tag1.to_hash.must_equal res1
|
|
control.add_tag(tag1)
|
|
|
|
res2 = { name: "key2'", value: "value'" }
|
|
tag2 = Inspec::Tag.new(res2[:name], res2[:value])
|
|
tag2.to_hash.must_equal res2
|
|
control.add_tag(tag2)
|
|
|
|
res3 = { name: "key3\"", value: "value\"" }
|
|
tag3 = Inspec::Tag.new(res3[:name], res3[:value])
|
|
tag3.to_hash.must_equal res3
|
|
control.add_tag(tag3)
|
|
|
|
res4 = { name: "key4", value: %w{a b} }
|
|
tag4 = Inspec::Tag.new(res4[:name], res4[:value])
|
|
tag4.to_hash.must_equal res4
|
|
control.add_tag(tag4)
|
|
|
|
control.id = "tag.control.id"
|
|
control.to_ruby.must_equal '
|
|
control "tag.control.id" do
|
|
tag key: "value"
|
|
tag key2\': "value\'"
|
|
tag key3": "value\""
|
|
tag key4: ["a", "b"]
|
|
end
|
|
'.strip
|
|
|
|
control_hash = {
|
|
id: "tag.control.id",
|
|
title: nil,
|
|
descriptions: {},
|
|
impact: nil,
|
|
tests: [],
|
|
tags: [{
|
|
name: "key",
|
|
value: "value",
|
|
}, {
|
|
name: "key2'",
|
|
value: "value'",
|
|
}, {
|
|
name: "key3\"",
|
|
value: "value\"",
|
|
}, {
|
|
name: "key4",
|
|
value: %w{a b},
|
|
}],
|
|
}
|
|
control.to_hash.must_equal control_hash
|
|
end
|
|
end
|
|
|
|
describe "Inspec::Input" do
|
|
describe "to_ruby method" do
|
|
it "generates the code for the input" do
|
|
input = Inspec::Input.new("application_port", description: "The port my application uses", value: 80)
|
|
|
|
ruby_code = input.to_ruby
|
|
ruby_code.must_include "attr_application_port = " # Should assign to a var
|
|
# Should have the DSL call. This should be attribute(), not input(), for the
|
|
# foreseeable future, to maintain backwards compatibility.
|
|
ruby_code.must_include "attribute('application_port'"
|
|
ruby_code.must_include "value: 80"
|
|
ruby_code.must_include "default: 80"
|
|
ruby_code.must_include "description: 'The port my application uses'"
|
|
|
|
# Try to eval the code to verify that the generated code was valid ruby.
|
|
# Note that the input() method is part of the DSL, so we need to
|
|
# alter the call into something that can respond - the constructor will do
|
|
ruby_code_for_eval = ruby_code.sub(/attribute\(/, "Inspec::Input.new(")
|
|
|
|
# This will throw exceptions if there is a problem
|
|
new_attr = eval(ruby_code_for_eval) # rubocop:disable Security/Eval # Could use ripper!
|
|
new_attr.value.must_equal 80
|
|
end
|
|
end
|
|
|
|
# TODO - deprecate this, not sure it is used
|
|
describe "to_hash method" do
|
|
it "generates a similar hash" do
|
|
ipt = Inspec::Input.new(
|
|
"some_attr",
|
|
description: "The port my application uses",
|
|
value: 80,
|
|
identifier: "app_port",
|
|
required: false,
|
|
type: "numeric"
|
|
)
|
|
expected = {
|
|
name: "some_attr",
|
|
options: {
|
|
description: "The port my application uses",
|
|
value: 80,
|
|
identifier: "app_port",
|
|
required: false,
|
|
type: "Numeric", # This gets normalized
|
|
},
|
|
}
|
|
ipt.to_hash.must_equal expected
|
|
end
|
|
end
|
|
end
|
|
end
|