From b2f56ba7ec603297aeb6254bc9779e13c42f9892 Mon Sep 17 00:00:00 2001
From: Clinton Wolfe
Date: Mon, 2 Dec 2019 13:30:38 -0500
Subject: [PATCH 1/5] Update test setup to use a repo we control, and rename to attributes to inputs. Tests fail.
Signed-off-by: Clinton Wolfe
---
 kitchen.dokken.yml | 10 +++++-----
 test/cookbooks/test_helper/recipes/create_file.rb | 2 +-
 .../{inspec-attributes => inputs}/default.rb | 8 ++++----
 3 files changed, 10 insertions(+), 10 deletions(-)
 rename test/integration/{inspec-attributes => inputs}/default.rb (57%)
diff --git a/kitchen.dokken.yml b/kitchen.dokken.yml
index 35f551a3..ff8f7a55 100644
--- a/kitchen.dokken.yml
+++ b/kitchen.dokken.yml
@@ -94,7 +94,7 @@ suites:
 url: https://github.com/dev-sec/tests-ssh-hardening/archive/master.zip
 - name: ssh-baseline
 supermarket: dev-sec/ssh-baseline
- - name: inspec-attributes
+ - name: inputs
 run_list:
 - recipe[test_helper::setup]
 - recipe[test_helper::create_file]
@@ -105,10 +105,10 @@ suites:
 json_file:
 location: <%= File.join('/tmp', Time.now.utc.strftime('inspec-%Y%m%d%H%M%S.json')) %>
 profiles:
- attribute-file-exists-profile:
- git: https://github.com/mhedgpeth/attribute-file-exists-profile.git
- attributes:
- file: /opt/kitchen/cache/attribute-file-exists.test
+ input-file-exists-profile:
+ git: https://github.com/inspec/input-file-exists-profile.git
+ inputs:
+ test_file_path: /opt/kitchen/cache/file-exists.test
 - name: chef-node-enabled
 run_list:
 - recipe[audit::default]
diff --git a/test/cookbooks/test_helper/recipes/create_file.rb b/test/cookbooks/test_helper/recipes/create_file.rb
index 52229819..55b6d1ec 100644
--- a/test/cookbooks/test_helper/recipes/create_file.rb
+++ b/test/cookbooks/test_helper/recipes/create_file.rb
@@ -1,5 +1,5 @@
 # ensures that the file defined by attributes exists, so its associated profile will pass
-file node['audit']['attributes']['file'] do
+file node['audit']['inputs']['test_file_path'] do
 action :create
 end
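Review bot: The `git:` source added for `input-file-exists-profile` in the inputs suite carries no tag or ref, so the integration test follows whatever the upstream default branch holds when kitchen runs, and a passing or failing suite cannot be reproduced later. Patch 3 in this series pins the chef-node profile to a `1.0.0.tar.gz` archive; this suite would be more reproducible pinned the same way, either with a ref if the profile fetcher accepts one (not visible here) or by switching to a tagged `url:` archive. The same applies to the copy of this block that patch 4 adds for the inputs-legacy suite.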
diff --git a/test/integration/inspec-attributes/default.rb b/test/integration/inputs/default.rb
similarity index 57%
rename from test/integration/inspec-attributes/default.rb
rename to test/integration/inputs/default.rb
index 4de7a343..f21f4b40 100644
--- a/test/integration/inspec-attributes/default.rb
+++ b/test/integration/inputs/default.rb
@@ -9,11 +9,11 @@
 results << r
 end
 end
-attribute_control = results.find { |x| x['code_desc'] == 'File /opt/kitchen/cache/attribute-file-exists.test should exist' }
-attribute_control = {} if attribute_control.nil?
+input_control = results.find { |x| x['code_desc'] == 'File /opt/kitchen/cache/file-exists.test is expected to exist' }
+input_control = {} if input_control.nil?
-describe 'attribute control' do
+describe 'input control' do
 it 'status should be passed' do
- expect(attribute_control['status']).to eq('passed')
+ expect(input_control['status']).to eq('passed')
 end
 end
From 9ed183e79bb20fd1f4d9e48e12d5523c74006a7e Mon Sep 17 00:00:00 2001
From: Clinton Wolfe
Date: Tue, 3 Dec 2019 13:01:24 -0500
Subject: [PATCH 2/5] Working implementation of input rename, no backward compatibility
Signed-off-by: Clinton Wolfe
---
 attributes/default.rb | 12 ++++++------
 files/default/handler/audit_report.rb | 12 ++++++------
 libraries/helper.rb | 10 +++++-----
 recipes/default.rb | 2 +-
 4 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/attributes/default.rb b/attributes/default.rb
index f44de796..f4538ce5 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -70,15 +70,15 @@
 # See README.md for details
 default['audit']['profiles'] = {}
-# Attributes used to run the given profiles
-default['audit']['attributes'] = {}
+# Inputs used to run the given profiles
+default['audit']['inputs'] = {} # TODO: legacy attribute support
-# Set this to false if you don't want ['audit']['attributes'] to be saved in the node object and stored in Chef Server or Automate. Useful if you are passing sensitive data to the inspec profile via the attributes.
-default['audit']['attributes_save'] = true
+# Set this to false if you don't want ['audit']['inputs'] to be saved in the node object and stored in Chef Server or Automate. Useful if you are passing sensitive data to the inspec profile via the attributes.
+default['audit']['inputs_save'] = true # TODO: legacy attribute support?
-# If enabled, a hash of the Chef "node" object will be sent to InSpec in an attribute
+# If enabled, a hash of the Chef "node" object will be sent to InSpec in an input
 # named `chef_node`
-default['audit']['chef_node_attribute_enabled'] = false
+default['audit']['chef_node_input_enabled'] = false # TODO: legacy attribute support?
 # The location of the json-file output:
 # /cookbooks/audit/inspec-.json
diff --git a/files/default/handler/audit_report.rb b/files/default/handler/audit_report.rb
index 2592b155..d512c8ef 100644
--- a/files/default/handler/audit_report.rb
+++ b/files/default/handler/audit_report.rb
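Review bot: Renaming `attributes_save` to `inputs_save` silently disables the opt-out that the comment on that very line exists for: a node that set `default['audit']['attributes_save'] = false` to keep sensitive inputs out of the Chef Server node object now falls through to `inputs_save`'s default of `true`, and nothing in this series reads `attributes_save` any more (the helper hunk in libraries/helper.rb checks only `inputs_save`, and patch 4 adds an alias only for `attributes`). The same applies to `chef_node_attribute_enabled`, which the audit_report.rb hunk no longer consults. Keeping the old keys as deprecated defaults, `default['audit']['attributes_save'] = true` and `default['audit']['chef_node_attribute_enabled'] = false` with a note like the one patch 4 writes for `attributes`, and honoring them where the new keys are read, `node.rm('audit', 'inputs') unless node['audit']['inputs_save'] && node['audit']['attributes_save']`, preserves the safer behavior across the upgrade. The unchanged tail of the `inputs_save` comment also still says "via the attributes" while the key now says inputs.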
@@ -47,10 +47,10 @@ def report
 quiet = node['audit']['quiet']
 fetcher = node['audit']['fetcher']
- attributes = node.run_state['audit_attributes'].to_h
+ inputs = node.run_state['audit_inputs'].to_h
- # add chef node data as an attribute if enabled
- attributes['chef_node'] = chef_node_attribute_data if node['audit']['chef_node_attribute_enabled']
+ # add chef node data as an input if enabled
+ inputs['chef_node'] = chef_node_attribute_data if node['audit']['chef_node_input_enabled'] # TODO legacy option support
 # load inspec, supermarket bundle and compliance bundle
 load_needed_dependencies
@@ -76,7 +76,7 @@ def report
 end
 # return hash of opts to be used by runner
- opts = get_opts(reporter_format, quiet, attributes)
+ opts = get_opts(reporter_format, quiet, inputs)
 # instantiate inspec runner with given options and run profiles; return report
 report = call(opts, profiles)
@@ -144,7 +144,7 @@ def load_automate_fetcher
 require 'chef-automate/fetcher'
 end
- def get_opts(reporter, quiet, attributes)
+ def get_opts(reporter, quiet, inputs)
 output = quiet ? ::File::NULL : $stdout
 Chef::Log.debug "Reporter is [#{reporter}]"
 opts = {
@@ -154,7 +154,7 @@ def get_opts(reporter, quiet, attributes)
 'output' => output,
 'logger' => Chef::Log, # Use chef-client log level for inspec run,
 backend_cache: node['audit']['inspec_backend_cache'],
- attributes: attributes,
+ inputs: inputs,
 }
 opts
 end
diff --git a/libraries/helper.rb b/libraries/helper.rb
index b8a07397..555394bf 100644
--- a/libraries/helper.rb
+++ b/libraries/helper.rb
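Review bot: The new `inputs['chef_node'] = chef_node_attribute_data if ...` line keeps the old vocabulary in the helper name while everything around it now says "input", so the handler mixes the two terms for one concept; renaming the helper and keeping the old name as an alias (`alias chef_node_attribute_data chef_node_input_data`) would make the hunk read consistently. The `# TODO legacy option support` trailing comment records that `chef_node_attribute_enabled` is no longer read, which means an existing node that enabled it stops receiving the `chef_node` input without any warning; either the alias or a log line on the old key would make that visible. In `get_opts` the runner option key switches from `attributes:` to `inputs:` outright, so if the InSpec version this cookbook installs predates that option name the values would presumably be dropped silently — worth confirming against the pinned InSpec version. `report` starts before the first hunk and continues past the second.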
@@ -116,11 +116,11 @@ def cookbook_handler_path
 File.expand_path('../../files/default/handler', __FILE__)
 end
- # Copies ['audit']['attributes'] into run_state for the audit_handler to read them later
- # Deletes ['audit']['attributes'] if instructed by ['audit']['attributes_save']
- def copy_audit_attributes
- node.run_state['audit_attributes'] = node['audit']['attributes']
- node.rm('audit', 'attributes') unless node['audit']['attributes_save']
+ # Copies ['audit']['inputs'] into run_state for the audit_handler to read them later
+ # Deletes ['audit']['inputs'] if instructed by ['audit']['inputs_save']
+ def copy_audit_inputs
+ node.run_state['audit_inputs'] = node['audit']['inputs'] # TODO legacy option
+ node.rm('audit', 'inputs') unless node['audit']['inputs_save'] # TODO legacy option
 end
 def load_audit_handler
diff --git a/recipes/default.rb b/recipes/default.rb
index a5c4aefd..8821d8ce 100644
--- a/recipes/default.rb
+++ b/recipes/default.rb
@@ -30,5 +30,5 @@
 include_recipe 'audit::inspec'
 # Call helper methods located in libraries/helper.rb
-copy_audit_attributes
+copy_audit_inputs
 load_audit_handler
From 93e7d56472ebadb08db2734bcf25523f4899d441 Mon Sep 17 00:00:00 2001
From: Clinton Wolfe
Date: Tue, 3 Dec 2019 13:34:29 -0500
Subject: [PATCH 3/5] Update chef node data passthru tests, now passing on inspec repos
Signed-off-by: Clinton Wolfe
---
 kitchen.dokken.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/kitchen.dokken.yml b/kitchen.dokken.yml
index ff8f7a55..325aee6b 100644
--- a/kitchen.dokken.yml
+++ b/kitchen.dokken.yml
@@ -118,9 +118,9 @@ suites:
 json_file:
 location: <%= File.join('/tmp', Time.now.utc.strftime('inspec-%Y%m%d%H%M%S.json')) %>
 profiles:
- demo:
- url: https://github.com/adamleff/inspec-profile-chef-node-attributes/archive/master.tar.gz
- chef_node_attribute_enabled: true
+ inspec-test-profile-chef-node-input:
+ url: https://github.com/inspec/inspec-test-profile-chef-node-input/archive/1.0.0.tar.gz
+ chef_node_input_enabled: true
 - name: chef-node-disabled
 run_list:
 - recipe[audit::default]
@@ -130,8 +130,8 @@ suites:
 json_file:
 location: <%= File.join('/tmp', Time.now.utc.strftime('inspec-%Y%m%d%H%M%S.json')) %>
 profiles:
- demo:
- url: https://github.com/adamleff/inspec-profile-chef-node-attributes/archive/master.tar.gz
+ inspec-test-profile-chef-node-input:
+ url: https://github.com/inspec/inspec-test-profile-chef-node-input/archive/1.0.0.tar.gz
 - name: missing-profile-no-fail
 run_list:
 - recipe[test_helper::setup]
From 2495d3943b5fbefaf831228701da451e598e5626 Mon Sep 17 00:00:00 2001
From: Clinton Wolfe
Date: Tue, 3 Dec 2019 14:16:07 -0500
Subject: [PATCH 4/5] Backwards compatibility for attributes option
Signed-off-by: Clinton Wolfe
---
 attributes/default.rb | 6 +++++-
 kitchen.dokken.yml | 15 +++++++++++++++
 libraries/helper.rb | 9 ++++++++-
 .../test_helper/recipes/create_file.rb | 3 ++-
 test/integration/inputs-legacy/default.rb | 19 +++++++++++++++++++
 5 files changed, 49 insertions(+), 3 deletions(-)
 create mode 100644 test/integration/inputs-legacy/default.rb
diff --git a/attributes/default.rb b/attributes/default.rb
index f4538ce5..37dca801 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -71,7 +71,11 @@
 default['audit']['profiles'] = {}
 # Inputs used to run the given profiles
-default['audit']['inputs'] = {} # TODO: legacy attribute support
+default['audit']['inputs'] = {}
+# Inputs were formerly called attributes; this is provided for backwards
+# compatibility but will be merged into default['audit']['inputs'].
+# To be removed in a major version change.
+default['audit']['attributes'] = {}
 # Set this to false if you don't want ['audit']['inputs'] to be saved in the node object and stored in Chef Server or Automate. Useful if you are passing sensitive data to the inspec profile via the attributes.
 default['audit']['inputs_save'] = true # TODO: legacy attribute support?
diff --git a/kitchen.dokken.yml b/kitchen.dokken.yml
index 325aee6b..cc469c31 100644
--- a/kitchen.dokken.yml
+++ b/kitchen.dokken.yml
@@ -109,6 +109,21 @@ suites:
 git: https://github.com/inspec/input-file-exists-profile.git
 inputs:
 test_file_path: /opt/kitchen/cache/file-exists.test
+ - name: inputs-legacy
+ run_list:
+ - recipe[test_helper::setup]
+ - recipe[test_helper::create_file]
+ - recipe[audit::default]
+ attributes:
+ audit:
+ reporter: json-file
+ json_file:
+ location: <%= File.join('/tmp', Time.now.utc.strftime('inspec-%Y%m%d%H%M%S.json')) %>
+ profiles:
+ input-file-exists-profile:
+ git: https://github.com/inspec/input-file-exists-profile.git
+ attributes: # Note legacy name for inputs
+ test_file_path: /opt/kitchen/cache/file-exists.test
 - name: chef-node-enabled
 run_list:
 - recipe[audit::default]
diff --git a/libraries/helper.rb b/libraries/helper.rb
index 555394bf..f2aac4e5 100644
--- a/libraries/helper.rb
+++ b/libraries/helper.rb
@@ -119,7 +119,14 @@ def cookbook_handler_path
 # Copies ['audit']['inputs'] into run_state for the audit_handler to read them later
 # Deletes ['audit']['inputs'] if instructed by ['audit']['inputs_save']
 def copy_audit_inputs
- node.run_state['audit_inputs'] = node['audit']['inputs'] # TODO legacy option
+ # Handle legacy option name
+ unless node['audit']['attributes'].empty?
+ Chef::Log.warn("node['audit']['attributes'] is deprecated - please use node['audit']['inputs']. Merging...")
+ node.default['audit']['inputs'].merge!(node['audit']['attributes'])
+ node.default['audit']['attributes'].clear
+ end
+
+ node.run_state['audit_inputs'] = node['audit']['inputs']
 node.rm('audit', 'inputs') unless node['audit']['inputs_save'] # TODO legacy option
 end
diff --git a/test/cookbooks/test_helper/recipes/create_file.rb b/test/cookbooks/test_helper/recipes/create_file.rb
index 55b6d1ec..695cb1b0 100644
--- a/test/cookbooks/test_helper/recipes/create_file.rb
+++ b/test/cookbooks/test_helper/recipes/create_file.rb
@@ -1,5 +1,6 @@
 # ensures that the file defined by attributes exists, so its associated profile will pass
+file_path = node['audit']['inputs']['test_file_path'] || node['audit']['attributes']['test_file_path']
-file node['audit']['inputs']['test_file_path'] do
+file file_path do
 action :create
 end
diff --git a/test/integration/inputs-legacy/default.rb b/test/integration/inputs-legacy/default.rb
new file mode 100644
index 00000000..f21f4b40
--- /dev/null
+++ b/test/integration/inputs-legacy/default.rb
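Review bot: `node.default['audit']['attributes'].clear` empties only the default precedence level, but the `unless node['audit']['attributes'].empty?` guard above it reads the merged view, so legacy attributes supplied at normal or override precedence (which is presumably how the kitchen `attributes:` block in the new inputs-legacy suite reaches the node — confirm) survive the clear and stay in the node object even when `inputs_save` is false, which is exactly the sensitive-inputs case that opt-out exists for. The line below already uses `node.rm('audit', 'inputs')` for that reason, so the legacy key should be removed the same way: `node.rm('audit', 'attributes')`. Relatedly, `node.default['audit']['inputs'].merge!` writes at default precedence, so a legacy value loses to any `inputs` key set at a higher level; acceptable, but worth saying in the warning text. `copy_audit_inputs` is fully inside the hunk; the `cookbook_handler_path` in the hunk header is just the preceding method.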
@@ -0,0 +1,19 @@
+# get most recent json-file output
+json_file = command('ls -t /tmp/inspec-*.json').stdout.lines.first.chomp
+
+# ensure the control we expect is present and passed
+controls = json(json_file).profiles.first['controls']
+results = []
+controls.each do |c|
+ c['results'].each do |r|
+ results << r
+ end
+end
+input_control = results.find { |x| x['code_desc'] == 'File /opt/kitchen/cache/file-exists.test is expected to exist' }
+input_control = {} if input_control.nil?
+
+describe 'input control' do
+ it 'status should be passed' do
+ expect(input_control['status']).to eq('passed')
+ end
+end
From 53c79fb898efe91ad0e0318cfe4d11c80053d4ed Mon Sep 17 00:00:00 2001
From: Clinton Wolfe
Date: Tue, 3 Dec 2019 14:27:56 -0500
Subject: [PATCH 5/5] Update README with input rename
Signed-off-by: Clinton Wolfe
---
 README.md | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index c452c7af..411b1b99 100644
--- a/README.md
+++ b/README.md
@@ -118,14 +118,14 @@ default['audit']['profiles']['ssh2'] = {
 }
 ```
-#### Attributes
+#### Inputs
-You can also pass in [InSpec Attributes](https://www.inspec.io/docs/reference/profiles/) to your audit run. Do this by defining the attributes:
+You can also pass in [InSpec Inputs](https://www.inspec.io/docs/reference/inputs/) to your audit run. Do this by defining the attributes:
 ```ruby
-default['audit']['attributes'] = {
- first_attribute: 'some value',
- second_attribute: 'another value',
+default['audit']['inputs'] = {
+ first_input: 'some value',
+ second_input: 'another value',
 }
 ```
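Review bot: This new spec is a byte-for-byte copy of test/integration/inputs/default.rb — both `index` lines end in the same blob id `f21f4b40` — so the two suites will drift apart on the next edit to either; a single shared spec (a symlink into the suite directory, or one common file both suites load) would keep the legacy and current paths checking the same thing. Separately, `json_file = command('ls -t /tmp/inspec-*.json').stdout.lines.first.chomp` raises NoMethodError on `nil` when the audit run wrote no report, which buries the real failure; using `.first&.chomp` and adding `raise 'no inspec json report found in /tmp' if json_file.nil?` before the `json(json_file)` call would make that failure mode readable.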