inspec/lib/bundles/inspec-compliance/target.rb
Josh Hudson 2d44b6e5e0 Cached profiles with Compliance Fetcher (#3221)
* Leverage existance check in Compliance::Fetcher.resolve to not re-download locally cached profiles
* Move logic from Compliance::API.exist? to Compliance::API.profiles to reuse code in cases where we need to access profiles' metadata directly.
* Declare @upstream_sha256 if target is a string
* Handle other fetchers that don't support upstream_sha256 within Inspec::CachedFetcher.initialize
* Add initialize for Compliance::Fetcher to not pollute Fetchers::Url with its logic
* Add Compliance::Fetcher.sha256 to leverage upstream_sha256 instead of relying on inherited method from Fetchers::Url
* Revert changes to cached fetcher that are unnecessary after refactor
* Pacify the god of ruby syntax
* Move Compliance::API.profiles filtering logic to end of method to leverage normalization of mapped_profiles
* Add and update unit tests to support caching with Compliance::Fetcher.upstream_sha256

Signed-off-by: Josh Hudson <jhudson@chef.io>
2018-08-28 09:11:38 -04:00

143 lines
5 KiB
Ruby

# encoding: utf-8
# author: Christoph Hartmann
# author: Dominik Richter
require 'uri'
require 'inspec/fetcher'
require 'inspec/errors'
# InSpec Target Helper for Chef Compliance
# reuses UrlHelper, but it knows the target server and the access token already
# similar to `inspec exec http://localhost:2134/owners/%base%/compliance/%ssh%/tar --user %token%`
module Compliance
class Fetcher < Fetchers::Url
name 'compliance'
priority 500
attr_reader :upstream_sha256
def initialize(target, opts)
super(target, opts)
if target.is_a?(Hash) && target.key?(:url)
@target = target[:url]
@upstream_sha256 = target[:sha256]
elsif target.is_a?(String)
@target = target
@upstream_sha256 = ''
end
end
def sha256
upstream_sha256.empty? ? super : upstream_sha256
end
def self.check_compliance_token(config)
if config['token'].nil? && config['refresh_token'].nil?
if config['server_type'] == 'automate'
server = 'automate'
msg = 'inspec compliance login https://your_automate_server --user USER --ent ENT --dctoken DCTOKEN or --token USERTOKEN'
elsif config['server_type'] == 'automate2'
server = 'automate2'
msg = 'inspec compliance login https://your_automate2_server --user USER --token APITOKEN'
else
server = 'compliance'
msg = "inspec compliance login https://your_compliance_server --user admin --insecure --token 'PASTE TOKEN HERE' "
end
raise Inspec::FetcherFailure, <<~EOF
Cannot fetch #{uri} because your #{server} token has not been
configured.
Please login using
#{msg}
EOF
end
end
def self.get_target_uri(target)
if target.is_a?(String) && URI(target).scheme == 'compliance'
URI(target)
elsif target.respond_to?(:key?) && target.key?(:compliance)
URI("compliance://#{target[:compliance]}")
end
end
def self.resolve(target)
uri = get_target_uri(target)
return nil if uri.nil?
config = Compliance::Configuration.new
profile = Compliance::API.sanitize_profile_name(uri)
profile_fetch_url = Compliance::API.target_url(config, profile)
# we have detailed information available in our lockfile, no need to ask the server
if target.respond_to?(:key?) && target.key?(:sha256)
profile_checksum = target[:sha256]
else
check_compliance_token(config)
# verifies that the target e.g base/ssh exists
# Call profiles directly instead of exist? to capture the results
# so we can access the upstream sha256 from the results.
_msg, profile_result = Compliance::API.profiles(config, profile)
if profile_result.empty?
raise Inspec::FetcherFailure, "The compliance profile #{profile} was not found on the configured compliance server"
else
# Guarantee sorting by verison and grab the latest.
# If version was specified, it will be the first and only result.
# Note we are calling the sha256 as a string, not a symbol since
# it was returned as json from the Compliance API.
profile_info = profile_result.sort_by { |x| Gem::Version.new(x['version']) }[0]
profile_checksum = profile_info.key?('sha256') ? profile_info['sha256'] : ''
end
end
# We need to pass the token to the fetcher
config['token'] = Compliance::API.get_token(config)
# Needed for automate2 post request
profile_stub = profile || target[:compliance]
config['profile'] = Compliance::API.profile_split(profile_stub)
new({ url: profile_fetch_url, sha256: profile_checksum }, config)
rescue URI::Error => _e
nil
end
# We want to save compliance: in the lockfile rather than url: to
# make sure we go back through the Compliance API handling.
def resolved_source
@resolved_source ||= {
compliance: compliance_profile_name,
url: @target,
sha256: sha256,
}
end
def to_s
'Chef Compliance Profile Loader'
end
private
# determine the owner_id and the profile name from the url
def compliance_profile_name
m = if Compliance::API.is_automate_server_pre_080?(@config)
%r{^#{@config['server']}/(?<owner>[^/]+)/(?<id>[^/]+)/tar$}
elsif Compliance::API.is_automate_server_080_and_later?(@config)
%r{^#{@config['server']}/profiles/(?<owner>[^/]+)/(?<id>[^/]+)/tar$}
else
%r{^#{@config['server']}/owners/(?<owner>[^/]+)/compliance/(?<id>[^/]+)/tar$}
end.match(@target)
if Compliance::API.is_automate2_server?(@config)
m = {}
m[:owner] = @config['profile'][0]
m[:id] = @config['profile'][1]
end
raise 'Unable to determine compliance profile name. This can be caused by ' \
'an incorrect server in your configuration. Try to login to compliance ' \
'via the `inspec compliance login` command.' if m.nil?
"#{m[:owner]}/#{m[:id]}"
end
end
end