mirror of
https://github.com/inspec/inspec
synced 2025-01-25 19:35:37 +00:00
a4f4fe5231
Signed-off-by: Miah Johnson <miah@chia-pet.org>
386 lines
17 KiB
Ruby
386 lines
17 KiB
Ruby
require "minitest/autorun"
|
|
require "webmock/minitest"
|
|
require "mocha/setup"
|
|
require_relative "../../lib/inspec-compliance/api.rb"
|
|
|
|
describe InspecPlugins::Compliance::API do
|
|
let(:profiles_response) do
|
|
[{ "name" => "apache-baseline",
|
|
"title" => "DevSec Apache Baseline",
|
|
"maintainer" => "DevSec Hardening Framework Team",
|
|
"copyright" => "DevSec Hardening Framework Team",
|
|
"copyright_email" => "hello@dev-sec.io",
|
|
"license" => "Apache 2 license",
|
|
"summary" => "Test-suite for best-practice apache hardening",
|
|
"version" => "2.0.2",
|
|
"supports" => [{ "os-family" => "unix" }],
|
|
"depends" => nil,
|
|
"owner_id" => "admin" },
|
|
{ "name" => "apache-baseline",
|
|
"title" => "DevSec Apache Baseline",
|
|
"maintainer" => "Hardening Framework Team",
|
|
"copyright" => "Hardening Framework Team",
|
|
"copyright_email" => "hello@dev-sec.io",
|
|
"license" => "Apache 2 license",
|
|
"summary" => "Test-suite for best-practice apache hardening",
|
|
"version" => "2.0.1",
|
|
"supports" => [{ "os-family" => "unix" }],
|
|
"depends" => nil,
|
|
"latest_version" => "2.0.2",
|
|
"owner_id" => "admin" },
|
|
{ "name" => "cis-aix-5.3-6.1-level1",
|
|
"title" => "CIS AIX 5.3 and AIX 6.1 Benchmark Level 1",
|
|
"maintainer" => "Chef Software, Inc.",
|
|
"copyright" => "Chef Software, Inc.",
|
|
"copyright_email" => "support@chef.io",
|
|
"license" => "Proprietary, All rights reserved",
|
|
"summary" => "CIS AIX 5.3 and AIX 6.1 Benchmark Level 1 translated from SCAP",
|
|
"version" => "1.1.0",
|
|
"supports" => nil,
|
|
"depends" => nil,
|
|
"latest_version" => "1.1.0-3",
|
|
"owner_id" => "admin" }]
|
|
end
|
|
|
|
describe ".version" do
|
|
let(:headers) { "test-headers" }
|
|
let(:config) do
|
|
{
|
|
"server" => "myserver",
|
|
"insecure" => true,
|
|
}
|
|
end
|
|
|
|
before do
|
|
InspecPlugins::Compliance::API.expects(:get_headers).returns(headers)
|
|
end
|
|
|
|
describe "when a 404 is received" do
|
|
it "should return an empty hash" do
|
|
response = mock
|
|
response.stubs(:code).returns("404")
|
|
InspecPlugins::Compliance::HTTP.expects(:get).with("myserver/version", "test-headers", true).returns(response)
|
|
InspecPlugins::Compliance::API.version(config).must_equal({})
|
|
end
|
|
end
|
|
|
|
describe "when the returned body is nil" do
|
|
it "should return an empty hash" do
|
|
response = mock
|
|
response.stubs(:code).returns("200")
|
|
response.stubs(:body).returns(nil)
|
|
InspecPlugins::Compliance::HTTP.expects(:get).with("myserver/version", "test-headers", true).returns(response)
|
|
InspecPlugins::Compliance::API.version(config).must_equal({})
|
|
end
|
|
end
|
|
|
|
describe "when the returned body is an empty string" do
|
|
it "should return an empty hash" do
|
|
response = mock
|
|
response.stubs(:code).returns("200")
|
|
response.stubs(:body).returns("")
|
|
InspecPlugins::Compliance::HTTP.expects(:get).with("myserver/version", "test-headers", true).returns(response)
|
|
InspecPlugins::Compliance::API.version(config).must_equal({})
|
|
end
|
|
end
|
|
|
|
describe "when the returned body has no version key" do
|
|
it "should return an empty hash" do
|
|
response = mock
|
|
response.stubs(:code).returns("200")
|
|
response.stubs(:body).returns('{"api":"compliance"}')
|
|
InspecPlugins::Compliance::HTTP.expects(:get).with("myserver/version", "test-headers", true).returns(response)
|
|
InspecPlugins::Compliance::API.version(config).must_equal({})
|
|
end
|
|
end
|
|
|
|
describe "when the returned body has an empty version key" do
|
|
it "should return an empty hash" do
|
|
response = mock
|
|
response.stubs(:code).returns("200")
|
|
response.stubs(:body).returns('{"api":"compliance","version":""}')
|
|
InspecPlugins::Compliance::HTTP.expects(:get).with("myserver/version", "test-headers", true).returns(response)
|
|
InspecPlugins::Compliance::API.version(config).must_equal({})
|
|
end
|
|
end
|
|
|
|
describe "when the returned body has a proper version" do
|
|
it "should return an empty hash" do
|
|
response = mock
|
|
response.stubs(:code).returns("200")
|
|
response.stubs(:body).returns('{"api":"compliance","version":"1.2.3"}')
|
|
InspecPlugins::Compliance::HTTP.expects(:get).with("myserver/version", "test-headers", true).returns(response)
|
|
InspecPlugins::Compliance::API.version(config).must_equal({ "version" => "1.2.3", "api" => "compliance" })
|
|
end
|
|
end
|
|
end
|
|
|
|
describe "automate/compliance is? checks" do
|
|
describe "when the config has a compliance server_type" do
|
|
it "automate/compliance server is? methods return correctly" do
|
|
config = InspecPlugins::Compliance::Configuration.new
|
|
config.clean
|
|
config["server_type"] = "compliance"
|
|
InspecPlugins::Compliance::API.is_compliance_server?(config).must_equal true
|
|
InspecPlugins::Compliance::API.is_automate_server?(config).must_equal false
|
|
InspecPlugins::Compliance::API.is_automate_server_pre_080?(config).must_equal false
|
|
InspecPlugins::Compliance::API.is_automate_server_080_and_later?(config).must_equal false
|
|
InspecPlugins::Compliance::API.is_automate2_server?(config).must_equal false
|
|
end
|
|
end
|
|
|
|
describe "when the config has a automate2 server_type" do
|
|
it "automate/compliance server is? methods return correctly" do
|
|
config = InspecPlugins::Compliance::Configuration.new
|
|
config.clean
|
|
config["server_type"] = "automate2"
|
|
InspecPlugins::Compliance::API.is_compliance_server?(config).must_equal false
|
|
InspecPlugins::Compliance::API.is_automate_server?(config).must_equal false
|
|
InspecPlugins::Compliance::API.is_automate_server_pre_080?(config).must_equal false
|
|
InspecPlugins::Compliance::API.is_automate_server_080_and_later?(config).must_equal false
|
|
InspecPlugins::Compliance::API.is_automate2_server?(config).must_equal true
|
|
end
|
|
end
|
|
|
|
describe "when the config has an automate server_type and no version key" do
|
|
it "automate/compliance server is? methods return correctly" do
|
|
config = InspecPlugins::Compliance::Configuration.new
|
|
config.clean
|
|
config["server_type"] = "automate"
|
|
InspecPlugins::Compliance::API.is_compliance_server?(config).must_equal false
|
|
InspecPlugins::Compliance::API.is_automate_server?(config).must_equal true
|
|
InspecPlugins::Compliance::API.is_automate_server_pre_080?(config).must_equal true
|
|
InspecPlugins::Compliance::API.is_automate_server_080_and_later?(config).must_equal false
|
|
InspecPlugins::Compliance::API.is_automate2_server?(config).must_equal false
|
|
end
|
|
end
|
|
|
|
describe "when the config has an automate server_type and a version key that is not a hash" do
|
|
it "automate/compliance server is? methods return correctly" do
|
|
config = InspecPlugins::Compliance::Configuration.new
|
|
config.clean
|
|
config["server_type"] = "automate"
|
|
config["version"] = "1.2.3"
|
|
InspecPlugins::Compliance::API.is_compliance_server?(config).must_equal false
|
|
InspecPlugins::Compliance::API.is_automate_server?(config).must_equal true
|
|
InspecPlugins::Compliance::API.is_automate_server_pre_080?(config).must_equal true
|
|
InspecPlugins::Compliance::API.is_automate_server_080_and_later?(config).must_equal false
|
|
InspecPlugins::Compliance::API.is_automate2_server?(config).must_equal false
|
|
end
|
|
end
|
|
|
|
describe "when the config has an automate server_type and a version hash with no version" do
|
|
it "automate/compliance server is? methods return correctly" do
|
|
config = InspecPlugins::Compliance::Configuration.new
|
|
config.clean
|
|
config["server_type"] = "automate"
|
|
config["version"] = {}
|
|
InspecPlugins::Compliance::API.is_compliance_server?(config).must_equal false
|
|
InspecPlugins::Compliance::API.is_automate_server?(config).must_equal true
|
|
InspecPlugins::Compliance::API.is_automate_server_pre_080?(config).must_equal true
|
|
InspecPlugins::Compliance::API.is_automate_server_080_and_later?(config).must_equal false
|
|
end
|
|
end
|
|
|
|
describe "when the config has an automate server_type and a version hash with a version" do
|
|
it "automate/compliance server is? methods return correctly" do
|
|
config = InspecPlugins::Compliance::Configuration.new
|
|
config.clean
|
|
config["server_type"] = "automate"
|
|
config["version"] = { "version" => "0.8.1" }
|
|
InspecPlugins::Compliance::API.is_compliance_server?(config).must_equal false
|
|
InspecPlugins::Compliance::API.is_automate_server?(config).must_equal true
|
|
InspecPlugins::Compliance::API.is_automate_server_pre_080?(config).must_equal false
|
|
InspecPlugins::Compliance::API.is_automate_server_080_and_later?(config).must_equal true
|
|
end
|
|
end
|
|
end
|
|
|
|
describe ".server_version_from_config" do
|
|
it "returns nil when the config has no version key" do
|
|
config = {}
|
|
InspecPlugins::Compliance::API.server_version_from_config(config).must_be_nil
|
|
end
|
|
|
|
it "returns nil when the version value is not a hash" do
|
|
config = { "version" => "123" }
|
|
InspecPlugins::Compliance::API.server_version_from_config(config).must_be_nil
|
|
end
|
|
|
|
it "returns nil when the version value is a hash but has no version key inside" do
|
|
config = { "version" => {} }
|
|
InspecPlugins::Compliance::API.server_version_from_config(config).must_be_nil
|
|
end
|
|
|
|
it "returns the version if the version value is a hash containing a version" do
|
|
config = { "version" => { "version" => "1.2.3" } }
|
|
InspecPlugins::Compliance::API.server_version_from_config(config).must_equal "1.2.3"
|
|
end
|
|
end
|
|
|
|
describe "profile_split" do
|
|
it "handles a profile without version" do
|
|
InspecPlugins::Compliance::API.profile_split("admin/apache-baseline").must_equal ["admin", "apache-baseline", nil]
|
|
end
|
|
|
|
it "handles a profile with a version" do
|
|
InspecPlugins::Compliance::API.profile_split("admin/apache-baseline#2.0.1").must_equal ["admin", "apache-baseline", "2.0.1"]
|
|
end
|
|
end
|
|
|
|
describe "target_url" do
|
|
it "handles a automate profile with and without version" do
|
|
config = InspecPlugins::Compliance::Configuration.new
|
|
config.clean
|
|
config["server_type"] = "automate"
|
|
config["server"] = "https://myautomate"
|
|
config["version"] = "1.6.99"
|
|
InspecPlugins::Compliance::API.target_url(config, "admin/apache-baseline").must_equal "https://myautomate/profiles/admin/apache-baseline/tar"
|
|
InspecPlugins::Compliance::API.target_url(config, "admin/apache-baseline#2.0.2").must_equal "https://myautomate/profiles/admin/apache-baseline/version/2.0.2/tar"
|
|
end
|
|
|
|
it "handles a chef-compliance profile with and without version" do
|
|
config = InspecPlugins::Compliance::Configuration.new
|
|
config.clean
|
|
config["server_type"] = "compliance"
|
|
config["server"] = "https://mychefcompliance"
|
|
config["version"] = "1.1.2"
|
|
InspecPlugins::Compliance::API.target_url(config, "admin/apache-baseline").must_equal "https://mychefcompliance/owners/admin/compliance/apache-baseline/tar"
|
|
InspecPlugins::Compliance::API.target_url(config, "admin/apache-baseline#2.0.2").must_equal "https://mychefcompliance/owners/admin/compliance/apache-baseline/tar"
|
|
end
|
|
end
|
|
|
|
describe "exist?" do
|
|
it "works with profiles returned by Automate" do
|
|
# ruby 2.3.3 has issues running stub_requests properly
|
|
# skipping for that specific version
|
|
return if RUBY_VERSION == "2.3.3"
|
|
|
|
config = InspecPlugins::Compliance::Configuration.new
|
|
config.clean
|
|
config["owner"] = "admin"
|
|
config["server_type"] = "automate"
|
|
config["server"] = "https://myautomate"
|
|
config["version"] = "1.6.99"
|
|
config["automate"] = { "ent" => "automate", "token_type" => "dctoken" }
|
|
config["version"] = { "api" => "compliance", "version" => "0.8.24" }
|
|
|
|
stub_request(:get, "https://myautomate/profiles/admin")
|
|
.with(headers: { "Accept" => "*/*", "Accept-Encoding" => "gzip;q=1.0,deflate;q=0.6,identity;q=0.3", "Chef-Delivery-Enterprise" => "automate", "User-Agent" => "Ruby", "X-Data-Collector-Token" => "" })
|
|
.to_return(status: 200, body: profiles_response.to_json, headers: {})
|
|
|
|
InspecPlugins::Compliance::API.exist?(config, "admin/apache-baseline").must_equal true
|
|
InspecPlugins::Compliance::API.exist?(config, "admin/apache-baseline#2.0.1").must_equal true
|
|
InspecPlugins::Compliance::API.exist?(config, "admin/apache-baseline#2.0.999").must_equal false
|
|
InspecPlugins::Compliance::API.exist?(config, "admin/missing-in-action").must_equal false
|
|
end
|
|
end
|
|
|
|
describe ".determine_server_type" do
|
|
let(:url) { "https://someserver.onthe.net/" }
|
|
|
|
let(:compliance_endpoint) { "/api/version" }
|
|
let(:automate_endpoint) { "/compliance/version" }
|
|
let(:automate2_endpoint) { "/dex/auth" }
|
|
let(:headers) { nil }
|
|
let(:insecure) { true }
|
|
|
|
let(:good_response) { mock }
|
|
let(:bad_response) { mock }
|
|
|
|
it "returns `:automate2` when a 400 is received from `https://URL/dex/auth`" do
|
|
good_response.stubs(:code).returns("400")
|
|
|
|
InspecPlugins::Compliance::HTTP.expects(:get)
|
|
.with(url + automate2_endpoint, headers, insecure)
|
|
.returns(good_response)
|
|
|
|
InspecPlugins::Compliance::API.determine_server_type(url, insecure).must_equal(:automate2)
|
|
end
|
|
|
|
it "returns `:automate` when a 401 is received from `https://URL/compliance/version`" do
|
|
good_response.stubs(:code).returns("401")
|
|
bad_response.stubs(:code).returns("404")
|
|
|
|
InspecPlugins::Compliance::HTTP.expects(:get)
|
|
.with(url + automate2_endpoint, headers, insecure)
|
|
.returns(bad_response)
|
|
InspecPlugins::Compliance::HTTP.expects(:get)
|
|
.with(url + automate_endpoint, headers, insecure)
|
|
.returns(good_response)
|
|
|
|
InspecPlugins::Compliance::API.determine_server_type(url, insecure).must_equal(:automate)
|
|
end
|
|
|
|
# Chef Automate currently returns 401 for `/compliance/version` but some
|
|
# versions of OpsWorks Chef Automate return 200 and a Chef Manage page when
|
|
# unauthenticated requests are received.
|
|
it "returns `:automate` when a 200 is received from `https://URL/compliance/version`" do
|
|
bad_response.stubs(:code).returns("404")
|
|
good_response.stubs(:code).returns("200")
|
|
good_response.stubs(:body).returns("Are You Looking For the Chef Server?")
|
|
|
|
InspecPlugins::Compliance::HTTP.expects(:get)
|
|
.with(url + automate2_endpoint, headers, insecure)
|
|
.returns(bad_response)
|
|
InspecPlugins::Compliance::HTTP.expects(:get)
|
|
.with(url + automate_endpoint, headers, insecure)
|
|
.returns(good_response)
|
|
|
|
InspecPlugins::Compliance::API.determine_server_type(url, insecure).must_equal(:automate)
|
|
end
|
|
|
|
it "returns `nil` if a 200 is received from `https://URL/compliance/version` but not redirected to Chef Manage" do
|
|
bad_response.stubs(:code).returns("200")
|
|
bad_response.stubs(:body).returns("No Chef Manage here")
|
|
|
|
InspecPlugins::Compliance::HTTP.expects(:get)
|
|
.with(url + automate_endpoint, headers, insecure)
|
|
.returns(bad_response)
|
|
InspecPlugins::Compliance::HTTP.expects(:get)
|
|
.with(url + automate2_endpoint, headers, insecure)
|
|
.returns(bad_response)
|
|
|
|
mock_compliance_response = mock
|
|
mock_compliance_response.stubs(:code).returns("404")
|
|
InspecPlugins::Compliance::HTTP.expects(:get)
|
|
.with(url + compliance_endpoint, headers, insecure)
|
|
.returns(mock_compliance_response)
|
|
|
|
InspecPlugins::Compliance::API.determine_server_type(url, insecure).must_be_nil
|
|
end
|
|
|
|
it "returns `:compliance` when a 200 is received from `https://URL/api/version`" do
|
|
good_response.stubs(:code).returns("200")
|
|
bad_response.stubs(:code).returns("404")
|
|
|
|
InspecPlugins::Compliance::HTTP.expects(:get)
|
|
.with(url + automate_endpoint, headers, insecure)
|
|
.returns(bad_response)
|
|
InspecPlugins::Compliance::HTTP.expects(:get)
|
|
.with(url + automate2_endpoint, headers, insecure)
|
|
.returns(bad_response)
|
|
InspecPlugins::Compliance::HTTP.expects(:get)
|
|
.with(url + compliance_endpoint, headers, insecure)
|
|
.returns(good_response)
|
|
|
|
InspecPlugins::Compliance::API.determine_server_type(url, insecure).must_equal(:compliance)
|
|
end
|
|
|
|
it "returns `nil` if it cannot determine the server type" do
|
|
bad_response.stubs(:code).returns("404")
|
|
|
|
InspecPlugins::Compliance::HTTP.expects(:get)
|
|
.with(url + automate2_endpoint, headers, insecure)
|
|
.returns(bad_response)
|
|
InspecPlugins::Compliance::HTTP.expects(:get)
|
|
.with(url + automate_endpoint, headers, insecure)
|
|
.returns(bad_response)
|
|
InspecPlugins::Compliance::HTTP.expects(:get)
|
|
.with(url + compliance_endpoint, headers, insecure)
|
|
.returns(bad_response)
|
|
|
|
InspecPlugins::Compliance::API.determine_server_type(url, insecure).must_be_nil
|
|
end
|
|
end
|
|
end
|