From 92f0601c70a5f8013f22c081203be98768e8ceb1 Mon Sep 17 00:00:00 2001 From: Alex Pop Date: Thu, 17 Nov 2016 10:45:49 +0000 Subject: [PATCH 1/2] Fix chef-server-visibility collector and introduce chef-server-compliance Signed-off-by: Alex Pop --- .rubocop.yml | 2 ++ README.md | 6 +++--- attributes/default.rb | 14 ++++++-------- examples/chef-server/Vagrantfile | 2 +- examples/wrapper_audit/recipes/default.rb | 2 +- files/default/handler/audit_report.rb | 11 +++++++---- files/default/vendor/chef-server/fetcher.rb | 14 +++++++++++++- libraries/helper.rb | 11 +++++++++++ metadata.rb | 2 +- 9 files changed, 45 insertions(+), 19 deletions(-) diff --git a/.rubocop.yml b/.rubocop.yml index 4f7de144..059fc5da 100644 --- a/.rubocop.yml +++ b/.rubocop.yml @@ -69,3 +69,5 @@ Style/SpaceAroundOperators: Enabled: false Style/IfUnlessModifier: Enabled: false +Style/AccessorMethodName: + Enabled: false diff --git a/README.md b/README.md index fd2a9993..6aba1346 100644 --- a/README.md +++ b/README.md @@ -172,7 +172,7 @@ default["audit"] = { If you want the audit cookbook to retrieve compliance profiles and report to Chef Automate(Visibility) through Chef Server, set the `collector` and `profiles` attributes. -This requires Chef Server version 12.11.0 and Chef Automate 0.6.0 or newer, as well as integration between the two. More details [here](https://docs.chef.io/integrate_compliance_chef_automate.html#collector-chef-server-visibility). +This requires Chef Server version 12.11.1 and Chef Automate 0.6.6 or newer, as well as integration between the two. More details [here](https://docs.chef.io/integrate_compliance_chef_automate.html#collector-chef-server-visibility). Attributes example: @@ -318,8 +318,8 @@ for each one. For example, to report to chef-compliance and write to json file ## Fetcher attribute -To enable reporting to chef-visibility with profiles from chef-compliance, you need to have chef-server integrated with chef-compliance. You can then set the fetcher attribute to 'chef-server'. -This will allow the audit cookbook to fetch the profile from chef-compliance. For example: +To enable reporting to Chef Visibility with profiles from Chef Compliance, you need to have Chef Server integrated with Chef Compliance. You can then set the `fetcher` attribute to 'chef-server'. +This will allow the audit cookbook to fetch profiles stored in Chef Compliance. For example: ```ruby "audit": { diff --git a/attributes/default.rb b/attributes/default.rb index 13eebdab..6f303354 100644 --- a/attributes/default.rb +++ b/attributes/default.rb @@ -16,21 +16,19 @@ # limitations under the License. # inspec gem version to install(e.g. '1.1.0') -default['audit']['inspec_version'] = '1.2.0' +default['audit']['inspec_version'] = '1.5.0' -# URI to alternate gem source (e.g. http://gems.server.com) +# URI to alternate gem source (e.g. 'http://gems.server.com') # root of location must host the *specs.4.8.gz source index default['audit']['inspec_gem_source'] = nil -# collector possible values: chef-server, chef-compliance, chef-visibility, chef-server-visibility, json-file +# collector possible values: 'chef-server-visibility', 'chef-server-compliance', 'chef-compliance', 'chef-visibility', 'json-file' # chef-visibility requires inspec version 0.27.1 or above -default['audit']['collector'] = 'chef-server' +default['audit']['collector'] = 'chef-server-compliance' # It will use an InSpec fetcher that fetches compliance profiles via Chef Server -# from Chef Compliance or Chef Automate. Will be activated by default if the collectors -# 'chef-server' or 'chef-server-visibility' are used -# is used -# fetcher possible values: chef-server +# from Chef Compliance or Chef Automate. Will be activated by default if collector +# 'chef-server-compliance' or 'chef-server-visibility' is used. Possible values: 'chef-server' default['audit']['fetcher'] = nil # Attributes server, insecure and token/refresh_token are only needed for the 'chef-compliance' collector diff --git a/examples/chef-server/Vagrantfile b/examples/chef-server/Vagrantfile index 410c117b..268914a8 100644 --- a/examples/chef-server/Vagrantfile +++ b/examples/chef-server/Vagrantfile @@ -35,7 +35,7 @@ Vagrant.configure(2) do |config| chef.add_recipe 'audit::default' chef.json = { audit: { - collector: "chef-server", + collector: "chef-server-compliance", insecure: true, profiles: [{ name: "linux", diff --git a/examples/wrapper_audit/recipes/default.rb b/examples/wrapper_audit/recipes/default.rb index 54e62f51..dd3f4b19 100644 --- a/examples/wrapper_audit/recipes/default.rb +++ b/examples/wrapper_audit/recipes/default.rb @@ -9,7 +9,7 @@ # how you would setup chef-client to send converge data to your # Chef Visibility server. include_recipe 'visibility_win::chef_client_config' -# Set the collector to chef-visibility instead of the default chef-server. +# Set the collector to chef-visibility instead of the default chef-server-compliance. node.default['audit']['collector'] = 'chef-visibility' # Execute the community audit cookbook with the collector set include_recipe 'audit::default' diff --git a/files/default/handler/audit_report.rb b/files/default/handler/audit_report.rb index b7608013..8622be75 100644 --- a/files/default/handler/audit_report.rb +++ b/files/default/handler/audit_report.rb @@ -6,8 +6,8 @@ class Handler # Creates a compliance audit report class AuditReport < ::Chef::Handler def report - # ensure reporters is array - reporters = handle_reporters(node['audit']['collector']) + # get reporter(s) from attributes as an array + reporters = get_reporters(node['audit']) # collect attribute values server = node['audit']['server'] @@ -24,7 +24,10 @@ def report load_needed_dependencies # detect if we run in a chef client with chef server - load_chef_fetcher if reporters.include?('chef-server') || reporters.include?('chef-server-visibility') || node['audit']['fetcher'] == 'chef-server' + load_chef_fetcher if reporters.include?('chef-server') || + reporters.include?('chef-server-compliance') || + reporters.include?('chef-server-visibility') || + node['audit']['fetcher'] == 'chef-server' # iterate through reporters reporters.each do |reporter| @@ -161,7 +164,7 @@ def send_report(reporter, server, user, profiles, report) else Chef::Log.warn "unable to determine chef-server url required by inspec report collector '#{reporter}'. Skipping..." end - elsif reporter == 'chef-server' + elsif reporter == 'chef-server-compliance' || reporter == 'chef-server' # chef-server is legacy reporter chef_url = server || base_chef_server_url chef_org = Chef::Config[:chef_server_url].split('/').last if chef_url diff --git a/files/default/vendor/chef-server/fetcher.rb b/files/default/vendor/chef-server/fetcher.rb index d6c72f6e..bf06aca1 100644 --- a/files/default/vendor/chef-server/fetcher.rb +++ b/files/default/vendor/chef-server/fetcher.rb @@ -49,6 +49,18 @@ def self.chef_server_org Chef::Config[:chef_server_url].split('/').last end + def self.url_prefix + if defined?(Chef) && + defined?(Chef.node) && + defined?(Chef.node.attributes) && + Chef.node.attributes['audit'] && + get_reporters(Chef.node.attributes['audit']).include?('chef-server-visibility') + '' + else + '/compliance' + end + end + def self.target_url(profile, config) o, p = profile.split('/') reqpath ="organizations/#{chef_server_org}/owners/#{o}/compliance/#{p}/tar" @@ -58,7 +70,7 @@ def self.target_url(profile, config) Chef::Config[:ssl_verify_mode] = :verify_none end - construct_url(chef_server_url_base + '/compliance/', reqpath) + construct_url(chef_server_url_base + url_prefix + '/', reqpath) end # diff --git a/libraries/helper.rb b/libraries/helper.rb index 398399c6..23324c2d 100644 --- a/libraries/helper.rb +++ b/libraries/helper.rb @@ -118,6 +118,17 @@ def load_audit_handler require libpath Chef::Config.send('report_handlers') << Chef::Handler::AuditReport.new end + + # taking node['audit'] as parameter so that it can be called from the chef-server fetcher as well + # audit['collector'] is the legacy reporter, + # deprecated in favour of ['audit']['reporter'] + def get_reporters(audit) + if audit['collector'] && audit['reporter'].nil? + Chef::Log.warn("node ['audit']['collector'] is deprecated and will be removed from the next major version of the cookbook. Please use node ['audit']['reporter']") + return handle_reporters(audit['collector']) + end + handle_reporters(audit['reporter']) + end end ::Chef::Recipe.send(:include, ReportHelpers) diff --git a/metadata.rb b/metadata.rb index 35bc09cc..f7ef2bbc 100644 --- a/metadata.rb +++ b/metadata.rb @@ -5,7 +5,7 @@ license 'Apache 2.0' description 'Allows for fetching and executing compliance profiles, and reporting its results' long_description IO.read(File.join(File.dirname(__FILE__), 'README.md')) -version '2.2.0' +version '2.3.0' source_url 'https://github.com/chef-cookbooks/audit' issues_url 'https://github.com/chef-cookbooks/audit/issues' From 74bd4a040e3b877c6cdff35dd12a8ec2b766d04d Mon Sep 17 00:00:00 2001 From: Alex Pop Date: Wed, 23 Nov 2016 11:08:20 +0000 Subject: [PATCH 2/2] break url_prefix and remove the deprecation log message for now Signed-off-by: Alex Pop --- files/default/vendor/chef-server/fetcher.rb | 14 +++++++++----- libraries/helper.rb | 5 +++-- 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/files/default/vendor/chef-server/fetcher.rb b/files/default/vendor/chef-server/fetcher.rb index bf06aca1..0ca2ba70 100644 --- a/files/default/vendor/chef-server/fetcher.rb +++ b/files/default/vendor/chef-server/fetcher.rb @@ -50,17 +50,21 @@ def self.chef_server_org end def self.url_prefix - if defined?(Chef) && - defined?(Chef.node) && - defined?(Chef.node.attributes) && - Chef.node.attributes['audit'] && - get_reporters(Chef.node.attributes['audit']).include?('chef-server-visibility') + if chef_server_visibility? '' else '/compliance' end end + def self.chef_server_visibility? + attributes_exist? && Chef.node.attributes['audit'] && get_reporters(Chef.node.attributes['audit']).include?('chef-server-visibility') + end + + def self.attributes_exist? + defined?(Chef) && defined?(Chef.node) && defined?(Chef.node.attributes) + end + def self.target_url(profile, config) o, p = profile.split('/') reqpath ="organizations/#{chef_server_org}/owners/#{o}/compliance/#{p}/tar" diff --git a/libraries/helper.rb b/libraries/helper.rb index 23324c2d..ed1c446f 100644 --- a/libraries/helper.rb +++ b/libraries/helper.rb @@ -121,10 +121,11 @@ def load_audit_handler # taking node['audit'] as parameter so that it can be called from the chef-server fetcher as well # audit['collector'] is the legacy reporter, - # deprecated in favour of ['audit']['reporter'] + # deprecated in favour of audit['reporter'] def get_reporters(audit) if audit['collector'] && audit['reporter'].nil? - Chef::Log.warn("node ['audit']['collector'] is deprecated and will be removed from the next major version of the cookbook. Please use node ['audit']['reporter']") + # TODO: uncomment the log warn once Chris +1's the change and we update attributes and README as well. + # Chef::Log.warn("node ['audit']['collector'] is deprecated and will be removed from the next major version of the cookbook. Please use node ['audit']['reporter']") return handle_reporters(audit['collector']) end handle_reporters(audit['reporter'])