diff --git a/README.md b/README.md index c452c7af..411b1b99 100644 --- a/README.md +++ b/README.md @@ -118,14 +118,14 @@ default['audit']['profiles']['ssh2'] = { } ``` -#### Attributes +#### Inputs -You can also pass in [InSpec Attributes](https://www.inspec.io/docs/reference/profiles/) to your audit run. Do this by defining the attributes: +You can also pass in [InSpec Inputs](https://www.inspec.io/docs/reference/inputs/) to your audit run. Do this by defining the attributes: ```ruby -default['audit']['attributes'] = { - first_attribute: 'some value', - second_attribute: 'another value', +default['audit']['inputs'] = { + first_input: 'some value', + second_input: 'another value', } ``` diff --git a/attributes/default.rb b/attributes/default.rb index f44de796..37dca801 100644 --- a/attributes/default.rb +++ b/attributes/default.rb @@ -70,15 +70,19 @@ # See README.md for details default['audit']['profiles'] = {} -# Attributes used to run the given profiles +# Inputs used to run the given profiles +default['audit']['inputs'] = {} +# Inputs were formerly called attributes; this is provided for backwards +# compatibility but will be merged into default['audit']['inputs']. +# To be removed in a major version change. default['audit']['attributes'] = {} -# Set this to false if you don't want ['audit']['attributes'] to be saved in the node object and stored in Chef Server or Automate. Useful if you are passing sensitive data to the inspec profile via the attributes. -default['audit']['attributes_save'] = true +# Set this to false if you don't want ['audit']['inputs'] to be saved in the node object and stored in Chef Server or Automate. Useful if you are passing sensitive data to the inspec profile via the attributes. +default['audit']['inputs_save'] = true # TODO: legacy attribute support? -# If enabled, a hash of the Chef "node" object will be sent to InSpec in an attribute +# If enabled, a hash of the Chef "node" object will be sent to InSpec in an input # named `chef_node` -default['audit']['chef_node_attribute_enabled'] = false +default['audit']['chef_node_input_enabled'] = false # TODO: legacy attribute support? # The location of the json-file output: # /cookbooks/audit/inspec-.json diff --git a/files/default/handler/audit_report.rb b/files/default/handler/audit_report.rb index 2592b155..d512c8ef 100644 --- a/files/default/handler/audit_report.rb +++ b/files/default/handler/audit_report.rb @@ -47,10 +47,10 @@ def report quiet = node['audit']['quiet'] fetcher = node['audit']['fetcher'] - attributes = node.run_state['audit_attributes'].to_h + inputs = node.run_state['audit_inputs'].to_h - # add chef node data as an attribute if enabled - attributes['chef_node'] = chef_node_attribute_data if node['audit']['chef_node_attribute_enabled'] + # add chef node data as an input if enabled + inputs['chef_node'] = chef_node_attribute_data if node['audit']['chef_node_input_enabled'] # TODO legacy option support # load inspec, supermarket bundle and compliance bundle load_needed_dependencies @@ -76,7 +76,7 @@ def report end # return hash of opts to be used by runner - opts = get_opts(reporter_format, quiet, attributes) + opts = get_opts(reporter_format, quiet, inputs) # instantiate inspec runner with given options and run profiles; return report report = call(opts, profiles) @@ -144,7 +144,7 @@ def load_automate_fetcher require 'chef-automate/fetcher' end - def get_opts(reporter, quiet, attributes) + def get_opts(reporter, quiet, inputs) output = quiet ? ::File::NULL : $stdout Chef::Log.debug "Reporter is [#{reporter}]" opts = { @@ -154,7 +154,7 @@ def get_opts(reporter, quiet, attributes) 'output' => output, 'logger' => Chef::Log, # Use chef-client log level for inspec run, backend_cache: node['audit']['inspec_backend_cache'], - attributes: attributes, + inputs: inputs, } opts end diff --git a/kitchen.dokken.yml b/kitchen.dokken.yml index 35f551a3..cc469c31 100644 --- a/kitchen.dokken.yml +++ b/kitchen.dokken.yml @@ -94,7 +94,7 @@ suites: url: https://github.com/dev-sec/tests-ssh-hardening/archive/master.zip - name: ssh-baseline supermarket: dev-sec/ssh-baseline - - name: inspec-attributes + - name: inputs run_list: - recipe[test_helper::setup] - recipe[test_helper::create_file] @@ -105,10 +105,25 @@ suites: json_file: location: <%= File.join('/tmp', Time.now.utc.strftime('inspec-%Y%m%d%H%M%S.json')) %> profiles: - attribute-file-exists-profile: - git: https://github.com/mhedgpeth/attribute-file-exists-profile.git - attributes: - file: /opt/kitchen/cache/attribute-file-exists.test + input-file-exists-profile: + git: https://github.com/inspec/input-file-exists-profile.git + inputs: + test_file_path: /opt/kitchen/cache/file-exists.test + - name: inputs-legacy + run_list: + - recipe[test_helper::setup] + - recipe[test_helper::create_file] + - recipe[audit::default] + attributes: + audit: + reporter: json-file + json_file: + location: <%= File.join('/tmp', Time.now.utc.strftime('inspec-%Y%m%d%H%M%S.json')) %> + profiles: + input-file-exists-profile: + git: https://github.com/inspec/input-file-exists-profile.git + attributes: # Note legacy name for inputs + test_file_path: /opt/kitchen/cache/file-exists.test - name: chef-node-enabled run_list: - recipe[audit::default] @@ -118,9 +133,9 @@ suites: json_file: location: <%= File.join('/tmp', Time.now.utc.strftime('inspec-%Y%m%d%H%M%S.json')) %> profiles: - demo: - url: https://github.com/adamleff/inspec-profile-chef-node-attributes/archive/master.tar.gz - chef_node_attribute_enabled: true + inspec-test-profile-chef-node-input: + url: https://github.com/inspec/inspec-test-profile-chef-node-input/archive/1.0.0.tar.gz + chef_node_input_enabled: true - name: chef-node-disabled run_list: - recipe[audit::default] @@ -130,8 +145,8 @@ suites: json_file: location: <%= File.join('/tmp', Time.now.utc.strftime('inspec-%Y%m%d%H%M%S.json')) %> profiles: - demo: - url: https://github.com/adamleff/inspec-profile-chef-node-attributes/archive/master.tar.gz + inspec-test-profile-chef-node-input: + url: https://github.com/inspec/inspec-test-profile-chef-node-input/archive/1.0.0.tar.gz - name: missing-profile-no-fail run_list: - recipe[test_helper::setup] diff --git a/libraries/helper.rb b/libraries/helper.rb index b8a07397..f2aac4e5 100644 --- a/libraries/helper.rb +++ b/libraries/helper.rb @@ -116,11 +116,18 @@ def cookbook_handler_path File.expand_path('../../files/default/handler', __FILE__) end - # Copies ['audit']['attributes'] into run_state for the audit_handler to read them later - # Deletes ['audit']['attributes'] if instructed by ['audit']['attributes_save'] - def copy_audit_attributes - node.run_state['audit_attributes'] = node['audit']['attributes'] - node.rm('audit', 'attributes') unless node['audit']['attributes_save'] + # Copies ['audit']['inputs'] into run_state for the audit_handler to read them later + # Deletes ['audit']['inputs'] if instructed by ['audit']['inputs_save'] + def copy_audit_inputs + # Handle legacy option name + unless node['audit']['attributes'].empty? + Chef::Log.warn("node['audit']['attributes'] is deprecated - please use node['audit']['inputs']. Merging...") + node.default['audit']['inputs'].merge!(node['audit']['attributes']) + node.default['audit']['attributes'].clear + end + + node.run_state['audit_inputs'] = node['audit']['inputs'] + node.rm('audit', 'inputs') unless node['audit']['inputs_save'] # TODO legacy option end def load_audit_handler diff --git a/recipes/default.rb b/recipes/default.rb index a5c4aefd..8821d8ce 100644 --- a/recipes/default.rb +++ b/recipes/default.rb @@ -30,5 +30,5 @@ include_recipe 'audit::inspec' # Call helper methods located in libraries/helper.rb -copy_audit_attributes +copy_audit_inputs load_audit_handler diff --git a/test/cookbooks/test_helper/recipes/create_file.rb b/test/cookbooks/test_helper/recipes/create_file.rb index 52229819..695cb1b0 100644 --- a/test/cookbooks/test_helper/recipes/create_file.rb +++ b/test/cookbooks/test_helper/recipes/create_file.rb @@ -1,5 +1,6 @@ # ensures that the file defined by attributes exists, so its associated profile will pass +file_path = node['audit']['inputs']['test_file_path'] || node['audit']['attributes']['test_file_path'] -file node['audit']['attributes']['file'] do +file file_path do action :create end diff --git a/test/integration/inspec-attributes/default.rb b/test/integration/inputs-legacy/default.rb similarity index 57% rename from test/integration/inspec-attributes/default.rb rename to test/integration/inputs-legacy/default.rb index 4de7a343..f21f4b40 100644 --- a/test/integration/inspec-attributes/default.rb +++ b/test/integration/inputs-legacy/default.rb @@ -9,11 +9,11 @@ results << r end end -attribute_control = results.find { |x| x['code_desc'] == 'File /opt/kitchen/cache/attribute-file-exists.test should exist' } -attribute_control = {} if attribute_control.nil? +input_control = results.find { |x| x['code_desc'] == 'File /opt/kitchen/cache/file-exists.test is expected to exist' } +input_control = {} if input_control.nil? -describe 'attribute control' do +describe 'input control' do it 'status should be passed' do - expect(attribute_control['status']).to eq('passed') + expect(input_control['status']).to eq('passed') end end diff --git a/test/integration/inputs/default.rb b/test/integration/inputs/default.rb new file mode 100644 index 00000000..f21f4b40 --- /dev/null +++ b/test/integration/inputs/default.rb @@ -0,0 +1,19 @@ +# get most recent json-file output +json_file = command('ls -t /tmp/inspec-*.json').stdout.lines.first.chomp + +# ensure the control we expect is present and passed +controls = json(json_file).profiles.first['controls'] +results = [] +controls.each do |c| + c['results'].each do |r| + results << r + end +end +input_control = results.find { |x| x['code_desc'] == 'File /opt/kitchen/cache/file-exists.test is expected to exist' } +input_control = {} if input_control.nil? + +describe 'input control' do + it 'status should be passed' do + expect(input_control['status']).to eq('passed') + end +end