mirror of
https://github.com/inspec/inspec
synced 2024-12-25 04:23:15 +00:00
cb12ada2fe
* Move compliance pluging to v2 system. * Update kitchen-inspec to test. * Add legacy require patsh. * Fix unit test Signed-off-by: Jared Quick <jquick@chef.io>
385 lines
17 KiB
Ruby
385 lines
17 KiB
Ruby
require 'minitest/autorun'
|
|
require 'mocha/setup'
|
|
require_relative '../../lib/inspec-compliance/api.rb'
|
|
|
|
describe InspecPlugins::Compliance::API do
|
|
let(:profiles_response) do
|
|
[{ 'name'=>'apache-baseline',
|
|
'title'=>'DevSec Apache Baseline',
|
|
'maintainer'=>'DevSec Hardening Framework Team',
|
|
'copyright'=>'DevSec Hardening Framework Team',
|
|
'copyright_email'=>'hello@dev-sec.io',
|
|
'license'=>'Apache 2 license',
|
|
'summary'=>'Test-suite for best-practice apache hardening',
|
|
'version'=>'2.0.2',
|
|
'supports'=>[{ 'os-family'=>'unix' }],
|
|
'depends'=>nil,
|
|
'owner_id'=>'admin' },
|
|
{ 'name'=>'apache-baseline',
|
|
'title'=>'DevSec Apache Baseline',
|
|
'maintainer'=>'Hardening Framework Team',
|
|
'copyright'=>'Hardening Framework Team',
|
|
'copyright_email'=>'hello@dev-sec.io',
|
|
'license'=>'Apache 2 license',
|
|
'summary'=>'Test-suite for best-practice apache hardening',
|
|
'version'=>'2.0.1',
|
|
'supports'=>[{ 'os-family'=>'unix' }],
|
|
'depends'=>nil,
|
|
'latest_version'=>'2.0.2',
|
|
'owner_id'=>'admin' },
|
|
{ 'name'=>'cis-aix-5.3-6.1-level1',
|
|
'title'=>'CIS AIX 5.3 and AIX 6.1 Benchmark Level 1',
|
|
'maintainer'=>'Chef Software, Inc.',
|
|
'copyright'=>'Chef Software, Inc.',
|
|
'copyright_email'=>'support@chef.io',
|
|
'license'=>'Proprietary, All rights reserved',
|
|
'summary'=>'CIS AIX 5.3 and AIX 6.1 Benchmark Level 1 translated from SCAP',
|
|
'version'=>'1.1.0',
|
|
'supports'=>nil,
|
|
'depends'=>nil,
|
|
'latest_version'=>'1.1.0-3',
|
|
'owner_id'=>'admin' }]
|
|
end
|
|
|
|
describe '.version' do
|
|
let(:headers) { 'test-headers' }
|
|
let(:config) do
|
|
{
|
|
'server' => 'myserver',
|
|
'insecure' => true,
|
|
}
|
|
end
|
|
|
|
before do
|
|
InspecPlugins::Compliance::API.expects(:get_headers).returns(headers)
|
|
end
|
|
|
|
describe 'when a 404 is received' do
|
|
it 'should return an empty hash' do
|
|
response = mock
|
|
response.stubs(:code).returns('404')
|
|
InspecPlugins::Compliance::HTTP.expects(:get).with('myserver/version', 'test-headers', true).returns(response)
|
|
InspecPlugins::Compliance::API.version(config).must_equal({})
|
|
end
|
|
end
|
|
|
|
describe 'when the returned body is nil' do
|
|
it 'should return an empty hash' do
|
|
response = mock
|
|
response.stubs(:code).returns('200')
|
|
response.stubs(:body).returns(nil)
|
|
InspecPlugins::Compliance::HTTP.expects(:get).with('myserver/version', 'test-headers', true).returns(response)
|
|
InspecPlugins::Compliance::API.version(config).must_equal({})
|
|
end
|
|
end
|
|
|
|
describe 'when the returned body is an empty string' do
|
|
it 'should return an empty hash' do
|
|
response = mock
|
|
response.stubs(:code).returns('200')
|
|
response.stubs(:body).returns('')
|
|
InspecPlugins::Compliance::HTTP.expects(:get).with('myserver/version', 'test-headers', true).returns(response)
|
|
InspecPlugins::Compliance::API.version(config).must_equal({})
|
|
end
|
|
end
|
|
|
|
describe 'when the returned body has no version key' do
|
|
it 'should return an empty hash' do
|
|
response = mock
|
|
response.stubs(:code).returns('200')
|
|
response.stubs(:body).returns('{"api":"compliance"}')
|
|
InspecPlugins::Compliance::HTTP.expects(:get).with('myserver/version', 'test-headers', true).returns(response)
|
|
InspecPlugins::Compliance::API.version(config).must_equal({})
|
|
end
|
|
end
|
|
|
|
describe 'when the returned body has an empty version key' do
|
|
it 'should return an empty hash' do
|
|
response = mock
|
|
response.stubs(:code).returns('200')
|
|
response.stubs(:body).returns('{"api":"compliance","version":""}')
|
|
InspecPlugins::Compliance::HTTP.expects(:get).with('myserver/version', 'test-headers', true).returns(response)
|
|
InspecPlugins::Compliance::API.version(config).must_equal({})
|
|
end
|
|
end
|
|
|
|
describe 'when the returned body has a proper version' do
|
|
it 'should return an empty hash' do
|
|
response = mock
|
|
response.stubs(:code).returns('200')
|
|
response.stubs(:body).returns('{"api":"compliance","version":"1.2.3"}')
|
|
InspecPlugins::Compliance::HTTP.expects(:get).with('myserver/version', 'test-headers', true).returns(response)
|
|
InspecPlugins::Compliance::API.version(config).must_equal({ 'version' => '1.2.3', 'api' => 'compliance' })
|
|
end
|
|
end
|
|
end
|
|
|
|
describe 'automate/compliance is? checks' do
|
|
describe 'when the config has a compliance server_type' do
|
|
it 'automate/compliance server is? methods return correctly' do
|
|
config = InspecPlugins::Compliance::Configuration.new
|
|
config.clean
|
|
config['server_type'] = 'compliance'
|
|
InspecPlugins::Compliance::API.is_compliance_server?(config).must_equal true
|
|
InspecPlugins::Compliance::API.is_automate_server?(config).must_equal false
|
|
InspecPlugins::Compliance::API.is_automate_server_pre_080?(config).must_equal false
|
|
InspecPlugins::Compliance::API.is_automate_server_080_and_later?(config).must_equal false
|
|
InspecPlugins::Compliance::API.is_automate2_server?(config).must_equal false
|
|
end
|
|
end
|
|
|
|
describe 'when the config has a automate2 server_type' do
|
|
it 'automate/compliance server is? methods return correctly' do
|
|
config = InspecPlugins::Compliance::Configuration.new
|
|
config.clean
|
|
config['server_type'] = 'automate2'
|
|
InspecPlugins::Compliance::API.is_compliance_server?(config).must_equal false
|
|
InspecPlugins::Compliance::API.is_automate_server?(config).must_equal false
|
|
InspecPlugins::Compliance::API.is_automate_server_pre_080?(config).must_equal false
|
|
InspecPlugins::Compliance::API.is_automate_server_080_and_later?(config).must_equal false
|
|
InspecPlugins::Compliance::API.is_automate2_server?(config).must_equal true
|
|
end
|
|
end
|
|
|
|
describe 'when the config has an automate server_type and no version key' do
|
|
it 'automate/compliance server is? methods return correctly' do
|
|
config = InspecPlugins::Compliance::Configuration.new
|
|
config.clean
|
|
config['server_type'] = 'automate'
|
|
InspecPlugins::Compliance::API.is_compliance_server?(config).must_equal false
|
|
InspecPlugins::Compliance::API.is_automate_server?(config).must_equal true
|
|
InspecPlugins::Compliance::API.is_automate_server_pre_080?(config).must_equal true
|
|
InspecPlugins::Compliance::API.is_automate_server_080_and_later?(config).must_equal false
|
|
InspecPlugins::Compliance::API.is_automate2_server?(config).must_equal false
|
|
end
|
|
end
|
|
|
|
describe 'when the config has an automate server_type and a version key that is not a hash' do
|
|
it 'automate/compliance server is? methods return correctly' do
|
|
config = InspecPlugins::Compliance::Configuration.new
|
|
config.clean
|
|
config['server_type'] = 'automate'
|
|
config['version'] = '1.2.3'
|
|
InspecPlugins::Compliance::API.is_compliance_server?(config).must_equal false
|
|
InspecPlugins::Compliance::API.is_automate_server?(config).must_equal true
|
|
InspecPlugins::Compliance::API.is_automate_server_pre_080?(config).must_equal true
|
|
InspecPlugins::Compliance::API.is_automate_server_080_and_later?(config).must_equal false
|
|
InspecPlugins::Compliance::API.is_automate2_server?(config).must_equal false
|
|
end
|
|
end
|
|
|
|
describe 'when the config has an automate server_type and a version hash with no version' do
|
|
it 'automate/compliance server is? methods return correctly' do
|
|
config = InspecPlugins::Compliance::Configuration.new
|
|
config.clean
|
|
config['server_type'] = 'automate'
|
|
config['version'] = {}
|
|
InspecPlugins::Compliance::API.is_compliance_server?(config).must_equal false
|
|
InspecPlugins::Compliance::API.is_automate_server?(config).must_equal true
|
|
InspecPlugins::Compliance::API.is_automate_server_pre_080?(config).must_equal true
|
|
InspecPlugins::Compliance::API.is_automate_server_080_and_later?(config).must_equal false
|
|
end
|
|
end
|
|
|
|
describe 'when the config has an automate server_type and a version hash with a version' do
|
|
it 'automate/compliance server is? methods return correctly' do
|
|
config = InspecPlugins::Compliance::Configuration.new
|
|
config.clean
|
|
config['server_type'] = 'automate'
|
|
config['version'] = { 'version' => '0.8.1' }
|
|
InspecPlugins::Compliance::API.is_compliance_server?(config).must_equal false
|
|
InspecPlugins::Compliance::API.is_automate_server?(config).must_equal true
|
|
InspecPlugins::Compliance::API.is_automate_server_pre_080?(config).must_equal false
|
|
InspecPlugins::Compliance::API.is_automate_server_080_and_later?(config).must_equal true
|
|
end
|
|
end
|
|
end
|
|
|
|
describe '.server_version_from_config' do
|
|
it 'returns nil when the config has no version key' do
|
|
config = {}
|
|
InspecPlugins::Compliance::API.server_version_from_config(config).must_be_nil
|
|
end
|
|
|
|
it 'returns nil when the version value is not a hash' do
|
|
config = { 'version' => '123' }
|
|
InspecPlugins::Compliance::API.server_version_from_config(config).must_be_nil
|
|
end
|
|
|
|
it 'returns nil when the version value is a hash but has no version key inside' do
|
|
config = { 'version' => {} }
|
|
InspecPlugins::Compliance::API.server_version_from_config(config).must_be_nil
|
|
end
|
|
|
|
it 'returns the version if the version value is a hash containing a version' do
|
|
config = { 'version' => { 'version' => '1.2.3' } }
|
|
InspecPlugins::Compliance::API.server_version_from_config(config).must_equal '1.2.3'
|
|
end
|
|
end
|
|
|
|
describe 'profile_split' do
|
|
it 'handles a profile without version' do
|
|
InspecPlugins::Compliance::API.profile_split('admin/apache-baseline').must_equal ['admin', 'apache-baseline', nil]
|
|
end
|
|
|
|
it 'handles a profile with a version' do
|
|
InspecPlugins::Compliance::API.profile_split('admin/apache-baseline#2.0.1').must_equal ['admin', 'apache-baseline', '2.0.1']
|
|
end
|
|
end
|
|
|
|
describe 'target_url' do
|
|
it 'handles a automate profile with and without version' do
|
|
config = InspecPlugins::Compliance::Configuration.new
|
|
config.clean
|
|
config['server_type'] = 'automate'
|
|
config['server'] = 'https://myautomate'
|
|
config['version'] = '1.6.99'
|
|
InspecPlugins::Compliance::API.target_url(config, 'admin/apache-baseline').must_equal 'https://myautomate/profiles/admin/apache-baseline/tar'
|
|
InspecPlugins::Compliance::API.target_url(config, 'admin/apache-baseline#2.0.2').must_equal 'https://myautomate/profiles/admin/apache-baseline/version/2.0.2/tar'
|
|
end
|
|
|
|
it 'handles a chef-compliance profile with and without version' do
|
|
config = InspecPlugins::Compliance::Configuration.new
|
|
config.clean
|
|
config['server_type'] = 'compliance'
|
|
config['server'] = 'https://mychefcompliance'
|
|
config['version'] = '1.1.2'
|
|
InspecPlugins::Compliance::API.target_url(config, 'admin/apache-baseline').must_equal 'https://mychefcompliance/owners/admin/compliance/apache-baseline/tar'
|
|
InspecPlugins::Compliance::API.target_url(config, 'admin/apache-baseline#2.0.2').must_equal 'https://mychefcompliance/owners/admin/compliance/apache-baseline/tar'
|
|
end
|
|
end
|
|
|
|
describe 'exist?' do
|
|
it 'works with profiles returned by Automate' do
|
|
# ruby 2.3.3 has issues running stub_requests properly
|
|
# skipping for that specific version
|
|
return if RUBY_VERSION = '2.3.3'
|
|
|
|
config = InspecPlugins::Compliance::Configuration.new
|
|
config.clean
|
|
config['owner'] = 'admin'
|
|
config['server_type'] = 'automate'
|
|
config['server'] = 'https://myautomate'
|
|
config['version'] = '1.6.99'
|
|
config['automate'] = { 'ent'=>'automate', 'token_type'=>'dctoken' }
|
|
config['version'] = { 'api'=> 'compliance', 'version'=>'0.8.24' }
|
|
|
|
stub_request(:get, 'https://myautomate/profiles/admin')
|
|
.with(headers: { 'Accept'=>'*/*', 'Accept-Encoding'=>'gzip;q=1.0,deflate;q=0.6,identity;q=0.3', 'Chef-Delivery-Enterprise'=>'automate', 'User-Agent'=>'Ruby', 'X-Data-Collector-Token'=>'' })
|
|
.to_return(status: 200, body: profiles_response.to_json, headers: {})
|
|
|
|
InspecPlugins::Compliance::API.exist?(config, 'admin/apache-baseline').must_equal true
|
|
InspecPlugins::Compliance::API.exist?(config, 'admin/apache-baseline#2.0.1').must_equal true
|
|
InspecPlugins::Compliance::API.exist?(config, 'admin/apache-baseline#2.0.999').must_equal false
|
|
InspecPlugins::Compliance::API.exist?(config, 'admin/missing-in-action').must_equal false
|
|
end
|
|
end
|
|
|
|
describe '.determine_server_type' do
|
|
let(:url) { 'https://someserver.onthe.net/' }
|
|
|
|
let(:compliance_endpoint) { '/api/version' }
|
|
let(:automate_endpoint) { '/compliance/version' }
|
|
let(:automate2_endpoint) { '/dex/auth' }
|
|
let(:headers) { nil }
|
|
let(:insecure) { true }
|
|
|
|
let(:good_response) { mock }
|
|
let(:bad_response) { mock }
|
|
|
|
it 'returns `:automate2` when a 400 is received from `https://URL/dex/auth`' do
|
|
good_response.stubs(:code).returns('400')
|
|
|
|
InspecPlugins::Compliance::HTTP.expects(:get)
|
|
.with(url + automate2_endpoint, headers, insecure)
|
|
.returns(good_response)
|
|
|
|
InspecPlugins::Compliance::API.determine_server_type(url, insecure).must_equal(:automate2)
|
|
end
|
|
|
|
it 'returns `:automate` when a 401 is received from `https://URL/compliance/version`' do
|
|
good_response.stubs(:code).returns('401')
|
|
bad_response.stubs(:code).returns('404')
|
|
|
|
InspecPlugins::Compliance::HTTP.expects(:get)
|
|
.with(url + automate2_endpoint, headers, insecure)
|
|
.returns(bad_response)
|
|
InspecPlugins::Compliance::HTTP.expects(:get)
|
|
.with(url + automate_endpoint, headers, insecure)
|
|
.returns(good_response)
|
|
|
|
InspecPlugins::Compliance::API.determine_server_type(url, insecure).must_equal(:automate)
|
|
end
|
|
|
|
# Chef Automate currently returns 401 for `/compliance/version` but some
|
|
# versions of OpsWorks Chef Automate return 200 and a Chef Manage page when
|
|
# unauthenticated requests are received.
|
|
it 'returns `:automate` when a 200 is received from `https://URL/compliance/version`' do
|
|
bad_response.stubs(:code).returns('404')
|
|
good_response.stubs(:code).returns('200')
|
|
good_response.stubs(:body).returns('Are You Looking For the Chef Server?')
|
|
|
|
InspecPlugins::Compliance::HTTP.expects(:get)
|
|
.with(url + automate2_endpoint, headers, insecure)
|
|
.returns(bad_response)
|
|
InspecPlugins::Compliance::HTTP.expects(:get)
|
|
.with(url + automate_endpoint, headers, insecure)
|
|
.returns(good_response)
|
|
|
|
InspecPlugins::Compliance::API.determine_server_type(url, insecure).must_equal(:automate)
|
|
end
|
|
|
|
it 'returns `nil` if a 200 is received from `https://URL/compliance/version` but not redirected to Chef Manage' do
|
|
bad_response.stubs(:code).returns('200')
|
|
bad_response.stubs(:body).returns('No Chef Manage here')
|
|
|
|
InspecPlugins::Compliance::HTTP.expects(:get)
|
|
.with(url + automate_endpoint, headers, insecure)
|
|
.returns(bad_response)
|
|
InspecPlugins::Compliance::HTTP.expects(:get)
|
|
.with(url + automate2_endpoint, headers, insecure)
|
|
.returns(bad_response)
|
|
|
|
mock_compliance_response = mock
|
|
mock_compliance_response.stubs(:code).returns('404')
|
|
InspecPlugins::Compliance::HTTP.expects(:get)
|
|
.with(url + compliance_endpoint, headers, insecure)
|
|
.returns(mock_compliance_response)
|
|
|
|
InspecPlugins::Compliance::API.determine_server_type(url, insecure).must_be_nil
|
|
end
|
|
|
|
it 'returns `:compliance` when a 200 is received from `https://URL/api/version`' do
|
|
good_response.stubs(:code).returns('200')
|
|
bad_response.stubs(:code).returns('404')
|
|
|
|
InspecPlugins::Compliance::HTTP.expects(:get)
|
|
.with(url + automate_endpoint, headers, insecure)
|
|
.returns(bad_response)
|
|
InspecPlugins::Compliance::HTTP.expects(:get)
|
|
.with(url + automate2_endpoint, headers, insecure)
|
|
.returns(bad_response)
|
|
InspecPlugins::Compliance::HTTP.expects(:get)
|
|
.with(url + compliance_endpoint, headers, insecure)
|
|
.returns(good_response)
|
|
|
|
InspecPlugins::Compliance::API.determine_server_type(url, insecure).must_equal(:compliance)
|
|
end
|
|
|
|
it 'returns `nil` if it cannot determine the server type' do
|
|
bad_response.stubs(:code).returns('404')
|
|
|
|
InspecPlugins::Compliance::HTTP.expects(:get)
|
|
.with(url + automate2_endpoint, headers, insecure)
|
|
.returns(bad_response)
|
|
InspecPlugins::Compliance::HTTP.expects(:get)
|
|
.with(url + automate_endpoint, headers, insecure)
|
|
.returns(bad_response)
|
|
InspecPlugins::Compliance::HTTP.expects(:get)
|
|
.with(url + compliance_endpoint, headers, insecure)
|
|
.returns(bad_response)
|
|
|
|
InspecPlugins::Compliance::API.determine_server_type(url, insecure).must_be_nil
|
|
end
|
|
end
|
|
end
|