Class: Inspec::Rule

Inherits:

Object

• Object
• Inspec::Rule

Includes:

RSpec::Matchers

Defined in:

lib/inspec/rule.rb

Instance Attribute Summary

• #__waiver_data ⇒ Object readonly

  Returns the value of attribute __waiver_data.

Class Method Summary

• .checks(rule) ⇒ Object
• .merge(dst, src) ⇒ Object

  rubocop:disable Metrics/AbcSize.

• .merge_changes(rule) ⇒ Object
• .merge_count(rule) ⇒ Object
• .prepare_checks(rule) ⇒ Object

  If a rule is marked to be skipped, this creates a dummay array of “checks” with a skip outcome.

• .profile_id(rule) ⇒ Object
• .resource_dsl ⇒ Object

  rubocop:disable Style/TrivialAccessors.

• .rule_id(rule) ⇒ Object
• .set_rule_id(rule, value) ⇒ Object
• .set_skip_rule(rule, value, message = nil, type = :only_if) ⇒ Object
• .skip_status(rule) ⇒ Object
• .with_resource_dsl(resource_dsl) ⇒ Object

  Include any resources from the given resource DSL.

Instance Method Summary

• #desc(v = nil, data = nil) ⇒ Object
• #describe(*values, &block) ⇒ nil|DescribeBase

  Describe will add one or more tests to this control.

• #descriptions(description_hash = nil) ⇒ Object
• #expect(value, &block) ⇒ Object
• #id(*_) ⇒ Object
• #impact(v = nil) ⇒ Object
• #initialize(id, profile_id, opts, &block) ⇒ Rule constructor

  A new instance of Rule.

• #only_if(message = nil) ⇒ nil

  Skip all checks if only_if is false.

• #ref(ref = nil, opts = {}) ⇒ Object
• #source_file ⇒ Object
• #tag(*args) ⇒ Object
• #title(v = nil) ⇒ Object
• #to_s ⇒ Object

Constructor Details

#initialize(id, profile_id, opts, &block) ⇒ Rule

Returns a new instance of Rule.

# File 'lib/inspec/rule.rb', line 35

def initialize(id, profile_id, opts, &block)
  @impact = nil
  @title = nil
  @descriptions = {}
  @refs = []
  @tags = {}

  # not changeable by the user:
  @__code = nil
  @__block = block
  @__source_location = __get_block_source_location(&block)
  @__rule_id = id
  @__profile_id = profile_id
  @__checks = []
  @__skip_rule = {} # { result: true, message: "Why", type: [:only_if, :waiver] }
  @__merge_count = 0
  @__merge_changes = []
  @__skip_only_if_eval = opts[:skip_only_if_eval]

  # evaluate the given definition
  return unless block_given?

  begin
    instance_eval(&block)

    # By applying waivers *after* the instance eval, we assure that
    # waivers have higher precedence than only_if.
    __apply_waivers

  rescue SystemStackError, StandardError => e
    # We've encountered an exception while trying to eval the code inside the
    # control block. We need to prevent the exception from bubbling up, and
    # fail the control. Controls are failed by having a failed resource within
    # them; but since our control block is unsafe (and opaque) to us, let's
    # make a dummy and fail that.
    location = block.source_location.compact.join(":")
    describe "Control Source Code Error" do
      # Rubocop thinks we are raising an exception - we're actually calling RSpec's fail()
      its(location) { fail e.message } # rubocop: disable Style/SignalException
    end
  end
end

Instance Attribute Details

#__waiver_data ⇒ Object (readonly)

Returns the value of attribute __waiver_data.

# File 'lib/inspec/rule.rb', line 34

def __waiver_data
  @__waiver_data
end

Class Method Details

.checks(rule) ⇒ Object

# File 'lib/inspec/rule.rb', line 198

def self.checks(rule)
  rule.instance_variable_get(:@__checks)
end

.merge(dst, src) ⇒ Object

rubocop:disable Metrics/AbcSize

# File 'lib/inspec/rule.rb', line 240

def self.merge(dst, src) # rubocop:disable Metrics/AbcSize
  if src.id != dst.id
    # TODO: register an error, this case should not happen
    return
  end

  sp = rule_id(src)
  dp = rule_id(dst)
  if sp != dp
    # TODO: register an error, this case should not happen
    return
  end

  # merge all fields
  dst.impact(src.impact)                 unless src.impact.nil?
  dst.title(src.title)                   unless src.title.nil?
  dst.descriptions(src.descriptions)     unless src.descriptions.nil?
  dst.tag(src.tag)                       unless src.tag.nil?
  dst.ref(src.ref)                       unless src.ref.nil?

  # merge indirect fields
  # checks defined in the source will completely eliminate
  # all checks that were defined in the destination
  sc = checks(src)
  dst.instance_variable_set(:@__checks, sc) unless sc.empty?
  skip_check = skip_status(src)
  sr = skip_check[:result]
  msg = skip_check[:message]
  skip_type = skip_check[:type]
  set_skip_rule(dst, sr, msg, skip_type) unless sr.nil?

  # Save merge history
  dst.instance_variable_set(:@__merge_count, merge_count(dst) + 1)
  dst.instance_variable_set(
    :@__merge_changes,
    merge_changes(dst) << src.instance_variable_get(:@__source_location)
  )
end

.merge_changes(rule) ⇒ Object

# File 'lib/inspec/rule.rb', line 219

def self.merge_changes(rule)
  rule.instance_variable_get(:@__merge_changes)
end

.merge_count(rule) ⇒ Object

# File 'lib/inspec/rule.rb', line 215

def self.merge_count(rule)
  rule.instance_variable_get(:@__merge_count)
end

.prepare_checks(rule) ⇒ Object

If a rule is marked to be skipped, this creates a dummay array of “checks” with a skip outcome

# File 'lib/inspec/rule.rb', line 225

def self.prepare_checks(rule)
  skip_check = skip_status(rule)
  return checks(rule) unless skip_check[:result].eql?(true)

  if skip_check[:message]
    msg = "Skipped control due to #{skip_check[:type]} condition: #{skip_check[:message]}"
  else
    msg = "Skipped control due to #{skip_check[:type]} condition."
  end

  resource = rule.noop
  resource.skip_resource(msg)
  [["describe", [resource], nil]]
end

.profile_id(rule) ⇒ Object

# File 'lib/inspec/rule.rb', line 194

def self.profile_id(rule)
  rule.instance_variable_get(:@__profile_id)
end

.resource_dsl ⇒ Object

rubocop:disable Style/TrivialAccessors

# File 'lib/inspec/rule.rb', line 30

def self.resource_dsl # rubocop:disable Style/TrivialAccessors
  @resource_dsl
end

.rule_id(rule) ⇒ Object

# File 'lib/inspec/rule.rb', line 186

def self.rule_id(rule)
  rule.instance_variable_get(:@__rule_id)
end

.set_rule_id(rule, value) ⇒ Object

# File 'lib/inspec/rule.rb', line 190

def self.set_rule_id(rule, value)
  rule.instance_variable_set(:@__rule_id, value)
end

.set_skip_rule(rule, value, message = nil, type = :only_if) ⇒ Object

# File 'lib/inspec/rule.rb', line 206

def self.set_skip_rule(rule, value, message = nil, type = :only_if)
  rule.instance_variable_set(:@__skip_rule,
                             {
                               result: value,
                               message: message,
                               type: type,
                             })
end

.skip_status(rule) ⇒ Object

# File 'lib/inspec/rule.rb', line 202

def self.skip_status(rule)
  rule.instance_variable_get(:@__skip_rule)
end

.with_resource_dsl(resource_dsl) ⇒ Object

Include any resources from the given resource DSL. The passed resource_dsl will also be included in any Inspec::Expect objects we make.

# File 'lib/inspec/rule.rb', line 24

def self.with_resource_dsl(resource_dsl)
  include resource_dsl
  @resource_dsl = resource_dsl
  true
end

Instance Method Details

#desc(v = nil, data = nil) ⇒ Object

# File 'lib/inspec/rule.rb', line 102

def desc(v = nil, data = nil)
  return @descriptions[:default] if v.nil?

  if data.nil?
    @descriptions[:default] = unindent(v)
  else
    @descriptions[v.to_sym] = unindent(data)
  end
end

#describe(*values, &block) ⇒ nil|DescribeBase

Describe will add one or more tests to this control. There is 2 ways of calling it:

describe resource do ... end

or

describe.one do ... end

Parameters:

• Resource (any) —

  to be describe, string, or nil

• An (Proc) —

  optional block containing tests for the described resource

Returns:

• (nil|DescribeBase) —

  if called without arguments, returns DescribeBase

# File 'lib/inspec/rule.rb', line 169

def describe(*values, &block)
  if values.empty? && !block_given?
    dsl = self.class.ancestors[1]
    Class.new(DescribeBase) do
      include dsl
    end.new(method(:__add_check))
  else
    __add_check("describe", values, with_dsl(block))
  end
end

#descriptions(description_hash = nil) ⇒ Object

# File 'lib/inspec/rule.rb', line 112

def descriptions(description_hash = nil)
  return @descriptions if description_hash.nil?

  @descriptions.merge!(description_hash)
end

#expect(value, &block) ⇒ Object

# File 'lib/inspec/rule.rb', line 180

def expect(value, &block)
  target = Inspec::Expect.new(value, &with_dsl(block))
  __add_check("expect", [value], target)
  target
end

#id(*_) ⇒ Object

# File 'lib/inspec/rule.rb', line 82

def id(*_)
  # never overwrite the ID
  @id
end

#impact(v = nil) ⇒ Object

# File 'lib/inspec/rule.rb', line 87

def impact(v = nil)
  if v.is_a?(String)
    @impact = Inspec::Impact.impact_from_string(v)
  elsif !v.nil?
    @impact = v
  end

  @impact
end

#only_if(message = nil) ⇒ nil

Skip all checks if only_if is false

Parameters:

• &block (Type) —

  returns true if tests are added, false otherwise

Returns:

• (nil)

# File 'lib/inspec/rule.rb', line 148

def only_if(message = nil)
  return unless block_given?
  return if @__skip_only_if_eval == true

  @__skip_rule[:result] ||= !yield
  @__skip_rule[:type] = :only_if
  @__skip_rule[:message] = message
end

#ref(ref = nil, opts = {}) ⇒ Object

# File 'lib/inspec/rule.rb', line 118

def ref(ref = nil, opts = {})
  return @refs if ref.nil? && opts.empty?

  if opts.empty? && ref.is_a?(Hash)
    opts = ref
  else
    opts[:ref] = ref
  end
  @refs.push(opts)
end

#source_file ⇒ Object

# File 'lib/inspec/rule.rb', line 140

def source_file
  @__file
end

#tag(*args) ⇒ Object

# File 'lib/inspec/rule.rb', line 129

def tag(*args)
  args.each do |arg|
    if arg.is_a?(Hash)
      @tags.merge!(arg)
    else
      @tags[arg] ||= nil
    end
  end
  @tags
end

#title(v = nil) ⇒ Object

# File 'lib/inspec/rule.rb', line 97

def title(v = nil)
  @title = v unless v.nil?
  @title
end

#to_s ⇒ Object

# File 'lib/inspec/rule.rb', line 78

def to_s
  Inspec::Rule.rule_id(self)
end