Class: Inspec::Profile

Inherits:
Object
  • Object
show all
Extended by:
Forwardable
Defined in:
lib/inspec/profile.rb

Instance Attribute Summary collapse

Class Method Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(source_reader, options = {}) ⇒ Profile

rubocop:disable Metrics/AbcSize



89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
# File 'lib/inspec/profile.rb', line 89

def initialize(source_reader, options = {})
  @source_reader = source_reader
  @target = options[:target]
  @logger = options[:logger] || Logger.new(nil)
  @locked_dependencies = options[:dependencies]
  @controls = options[:controls] || []
  @writable = options[:writable] || false
  @profile_id = options[:id]
  @profile_name = options[:profile_name]
  @cache = options[:vendor_cache] || Cache.new
  @attr_values = options[:attributes]
  @tests_collected = false
  @libraries_loaded = false
  @check_mode = options[:check_mode] || false
  @parent_profile = options[:parent_profile]
  @legacy_profile_path = options[:profiles_path] || false
  Metadata.finalize(@source_reader., @profile_id, options)

  # if a backend has already been created, clone it so each profile has its own unique backend object
  # otherwise, create a new backend object
  #
  # This is necessary since we store the RuntimeProfile on the backend object. If a user runs `inspec exec`
  # with multiple profiles, only the RuntimeProfile for the last-loaded profile will be available if
  # we share the backend between profiles.
  #
  # This will cause issues if a profile attempts to load a file via `inspec.profile.file`
  train_options = options.reject { |k, _| k == 'target' } # See https://github.com/chef/inspec/pull/1646
  @backend = options[:backend].nil? ? Inspec::Backend.create(train_options) : options[:backend].dup
  @runtime_profile = RuntimeProfile.new(self)
  @backend.profile = @runtime_profile

  @runner_context =
    options[:profile_context] ||
    Inspec::ProfileContext.for_profile(self, @backend, @attr_values)

  @supports_platform = .supports_platform?(@backend)
  @supports_runtime = .supports_runtime?
  
end

Instance Attribute Details

#backendObject (readonly)

Returns the value of attribute backend.



82
83
84
# File 'lib/inspec/profile.rb', line 82

def backend
  @backend
end

#check_modeObject (readonly)

Returns the value of attribute check_mode.



82
83
84
# File 'lib/inspec/profile.rb', line 82

def check_mode
  @check_mode
end

#parent_profileObject

Returns the value of attribute parent_profile.



83
84
85
# File 'lib/inspec/profile.rb', line 83

def parent_profile
  @parent_profile
end

#profile_nameObject

Returns the value of attribute profile_name.



83
84
85
# File 'lib/inspec/profile.rb', line 83

def profile_name
  @profile_name
end

#runner_contextObject (readonly)

Returns the value of attribute runner_context.



82
83
84
# File 'lib/inspec/profile.rb', line 82

def runner_context
  @runner_context
end

#source_readerObject (readonly)

Returns the value of attribute source_reader.



82
83
84
# File 'lib/inspec/profile.rb', line 82

def source_reader
  @source_reader
end

Class Method Details

.copy_deps_into_cache(file_provider, opts) ⇒ Object

Check if the profile contains a vendored cache, move content into global cache TODO: use relative file provider TODO: use source reader for Cache as well



36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
# File 'lib/inspec/profile.rb', line 36

def self.copy_deps_into_cache(file_provider, opts)
  # filter content
  cache = file_provider.files.find_all do |entry|
    entry.start_with?('vendor')
  end
  content = Hash[cache.map { |x| [x, file_provider.binread(x)] }]
  keys = content.keys
  keys.each do |key|
    next if content[key].nil?
    # remove prefix
    rel = Pathname.new(key).relative_path_from(Pathname.new('vendor')).to_s
    tar = Pathname.new(opts[:vendor_cache].path).join(rel)

    FileUtils.mkdir_p tar.dirname.to_s
    Inspec::Log.debug "Copy #{tar} to cache directory"
    File.binwrite(tar.to_s, content[key])
  end
end

.for_fetcher(fetcher, opts) ⇒ Object



70
71
72
73
74
# File 'lib/inspec/profile.rb', line 70

def self.for_fetcher(fetcher, opts)
  opts[:vendor_cache] = opts[:vendor_cache] || Cache.new
  path, writable = fetcher.fetch
  for_path(path, opts.merge(target: fetcher.target, writable: writable))
end

.for_path(path, opts) ⇒ Object



55
56
57
58
59
60
61
62
63
64
65
66
67
68
# File 'lib/inspec/profile.rb', line 55

def self.for_path(path, opts)
  file_provider = FileProvider.for_path(path)
  rp = file_provider.relative_provider

  # copy embedded dependencies into global cache
  copy_deps_into_cache(rp, opts) unless opts[:vendor_cache].nil?

  reader = Inspec::SourceReader.resolve(rp)
  if reader.nil?
    raise("Don't understand inspec profile in #{path}, it " \
         "doesn't look like a supported profile structure.")
  end
  new(reader, opts)
end

.for_target(target, opts = {}) ⇒ Object



76
77
78
79
80
# File 'lib/inspec/profile.rb', line 76

def self.for_target(target, opts = {})
  opts[:vendor_cache] = opts[:vendor_cache] || Cache.new
  fetcher = resolve_target(target, opts[:vendor_cache])
  for_fetcher(fetcher, opts)
end

.resolve_target(target, cache) ⇒ Object



28
29
30
31
# File 'lib/inspec/profile.rb', line 28

def self.resolve_target(target, cache)
  Inspec::Log.debug "Resolve #{target} into cache #{cache.path}"
  Inspec::CachedFetcher.new(target, cache)
end

Instance Method Details

#archive(opts) ⇒ Object

generates a archive of a folder profile assumes that the profile was checked before



440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
# File 'lib/inspec/profile.rb', line 440

def archive(opts)
  # check if file exists otherwise overwrite the archive
  dst = archive_name(opts)
  if dst.exist? && !opts[:overwrite]
    @logger.info "Archive #{dst} exists already. Use --overwrite."
    return false
  end

  # remove existing archive
  File.delete(dst) if dst.exist?
  @logger.info "Generate archive #{dst}."

  # filter files that should not be part of the profile
  # TODO ignore all .files, but add the files to debug output

  # display all files that will be part of the archive
  @logger.debug 'Add the following files to archive:'
  files.each { |f| @logger.debug '    ' + f }

  if opts[:zip]
    # generate zip archive
    require 'inspec/archive/zip'
    zag = Inspec::Archive::ZipArchiveGenerator.new
    zag.archive(root_path, files, dst)
  else
    # generate tar archive
    require 'inspec/archive/tar'
    tag = Inspec::Archive::TarArchiveGenerator.new
    tag.archive(root_path, files, dst)
  end

  @logger.info 'Finished archive generation.'
  true
end

#checkBoolean

Check if the profile is internally well-structured. The logger will be used to print information on errors and warnings which are found.

Returns:

  • (Boolean)

    true if no errors were found, false otherwise



332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
# File 'lib/inspec/profile.rb', line 332

def check # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity, Metrics/MethodLength
  # initial values for response object
  result = {
    summary: {
      valid: false,
      timestamp: Time.now.iso8601,
      location: @target,
      profile: nil,
      controls: 0,
    },
    errors: [],
    warnings: [],
  }

  entry = lambda { |file, line, column, control, msg|
    {
      file: file,
      line: line,
      column: column,
      control_id: control,
      msg: msg,
    }
  }

  warn = lambda { |file, line, column, control, msg|
    @logger.warn(msg)
    result[:warnings].push(entry.call(file, line, column, control, msg))
  }

  error = lambda { |file, line, column, control, msg|
    @logger.error(msg)
    result[:errors].push(entry.call(file, line, column, control, msg))
  }

  @logger.info "Checking profile in #{@target}"
  meta_path = @source_reader.target.abs_path(@source_reader..ref)

  # verify metadata
  m_errors, m_warnings = .valid
  m_errors.each { |msg| error.call(meta_path, 0, 0, nil, msg) }
  m_warnings.each { |msg| warn.call(meta_path, 0, 0, nil, msg) }
  m_unsupported = .unsupported
  m_unsupported.each { |u| warn.call(meta_path, 0, 0, nil, "doesn't support: #{u}") }
  @logger.info 'Metadata OK.' if m_errors.empty? && m_unsupported.empty?

  # only run the vendor check if the legacy profile-path is not used as argument
  if @legacy_profile_path == false
    # verify that a lockfile is present if we have dependencies
    if !.dependencies.empty?
      error.call(meta_path, 0, 0, nil, 'Your profile needs to be vendored with `inspec vendor`.') if !lockfile_exists?
    end

    if lockfile_exists?
      # verify if metadata and lockfile are out of sync
      if lockfile.deps.size != .dependencies.size
        error.call(meta_path, 0, 0, nil, 'inspec.yml and inspec.lock are out-of-sync. Please re-vendor with `inspec vendor`.')
      end

      # verify if metadata and lockfile have the same dependency names
      .dependencies.each { |dep|
        # Skip if the dependency does not specify a name
        next if dep[:name].nil?

        # TODO: should we also verify that the soure is the same?
        if !lockfile.deps.map { |x| x[:name] }.include? dep[:name]
          error.call(meta_path, 0, 0, nil, "Cannot find #{dep[:name]} in lockfile. Please re-vendor with `inspec vendor`.")
        end
      }
    end
  end

  # extract profile name
  result[:summary][:profile] = .params[:name]

  count = controls_count
  result[:summary][:controls] = count
  if count == 0
    warn.call(nil, nil, nil, nil, 'No controls or tests were defined.')
  else
    @logger.info("Found #{count} controls.")
  end

  # iterate over hash of groups
  params[:controls].each { |id, control|
    sfile = control[:source_location][:ref]
    sline = control[:source_location][:line]
    error.call(sfile, sline, nil, id, 'Avoid controls with empty IDs') if id.nil? or id.empty?
    next if id.start_with? '(generated '
    warn.call(sfile, sline, nil, id, "Control #{id} has no title") if control[:title].to_s.empty?
    warn.call(sfile, sline, nil, id, "Control #{id} has no descriptions") if control[:descriptions][:default].to_s.empty?
    warn.call(sfile, sline, nil, id, "Control #{id} has impact > 1.0") if control[:impact].to_f > 1.0
    warn.call(sfile, sline, nil, id, "Control #{id} has impact < 0.0") if control[:impact].to_f < 0.0
    warn.call(sfile, sline, nil, id, "Control #{id} has no tests defined") if control[:checks].nil? or control[:checks].empty?
  }

  # profile is valid if we could not find any error
  result[:summary][:valid] = result[:errors].empty?

  @logger.info 'Control definitions OK.' if result[:warnings].empty?
  result
end

#collect_tests(include_list = @controls) ⇒ Object



187
188
189
190
191
192
193
194
195
196
197
198
199
200
# File 'lib/inspec/profile.rb', line 187

def collect_tests(include_list = @controls)
  unless @tests_collected
    return unless supports_platform?
    locked_dependencies.each(&:collect_tests)

    tests.each do |path, content|
      next if content.nil? || content.empty?
      abs_path = source_reader.target.abs_path(path)
      @runner_context.load_control_file(content, abs_path, nil)
    end
    @tests_collected = true
  end
  filter_controls(@runner_context.all_rules, include_list)
end

#controls_countObject



434
435
436
# File 'lib/inspec/profile.rb', line 434

def controls_count
  params[:controls].values.length
end

#cwdObject

TODO(ssd): Relative path handling really needs to be carefully thought through, especially with respect to relative paths in tarballs.



500
501
502
# File 'lib/inspec/profile.rb', line 500

def cwd
  @target.is_a?(String) && File.directory?(@target) ? @target : './'
end

#filesObject



491
492
493
# File 'lib/inspec/profile.rb', line 491

def files
  @source_reader.target.files
end

#filter_controls(controls_array, include_list) ⇒ Object



202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
# File 'lib/inspec/profile.rb', line 202

def filter_controls(controls_array, include_list)
  return controls_array if include_list.nil? || include_list.empty?

  # Check for anything that might be a regex in the list, and make it official
  include_list.each_with_index do |inclusion, index|
    next if inclusion.is_a?(Regexp)
    # Insist the user wrap the regex in slashes to demarcate it as a regex
    next unless inclusion.start_with?('/') && inclusion.end_with?('/')
    inclusion = inclusion[1..-2] # Trim slashes
    begin
      re = Regexp.new(inclusion)
      include_list[index] = re
    rescue RegexpError => e
      warn "Ignoring unparseable regex '/#{inclusion}/' in --control CLI option: #{e.message}"
      include_list[index] = nil
    end
  end
  include_list.compact!

  controls_array.select do |c|
    id = ::Inspec::Rule.rule_id(c)
    include_list.any? do |inclusion|
      # Try to see if the inclusion is a regex, and if it matches
      inclusion == id || (inclusion.is_a?(Regexp) && inclusion =~ id)
    end
  end
end

#generate_lockfileInspec::Lockfile

Generate an in-memory lockfile. This won’t render the lock file to disk, it must be explicitly written to disk by the caller.

Parameters:

  • vendor_path (String)

    Path to the on-disk vendor dir

Returns:



519
520
521
522
523
# File 'lib/inspec/profile.rb', line 519

def generate_lockfile
  res = Inspec::DependencySet.new(cwd, @cache, nil, @backend)
  res.vendor(.dependencies)
  Inspec::Lockfile.from_dependency_set(res)
end

#info(res = params.dup) ⇒ Object

rubocop:disable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity, Metrics/MethodLength



270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
# File 'lib/inspec/profile.rb', line 270

def info(res = params.dup) # rubocop:disable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity, Metrics/MethodLength
  # add information about the controls
  res[:controls] = res[:controls].map do |id, rule|
    next if id.to_s.empty?
    data = rule.dup
    data.delete(:checks)
    data[:impact] ||= 0.5
    data[:impact] = 1.0 if data[:impact] > 1.0
    data[:impact] = 0.0 if data[:impact] < 0.0
    data[:id] = id

    # if the code field is empty try and pull info from dependencies
    if data[:code].empty? && parent_profile.nil?
      locked_dependencies.dep_list.each do |_name, dep|
        profile = dep.profile
        code = Inspec::MethodSource.code_at(data[:source_location], profile.source_reader)
        data[:code] = code unless code.nil? || code.empty?
        break if !data[:code].empty?
      end
    end
    data
  end.compact

  # resolve hash structure in groups
  res[:groups] = res[:groups].map do |id, group|
    group[:id] = id
    group
  end

  # add information about the required attributes
  if res[:attributes].nil? || res[:attributes].empty?
    # convert to array for backwords compatability
    res[:attributes] = []
  else
    res[:attributes] = res[:attributes].values.map(&:to_hash)
  end
  res[:sha256] = sha256
  res[:parent_profile] = parent_profile unless parent_profile.nil?

  if !supports_platform?
    res[:status] = 'skipped'
    msg = "Skipping profile: '#{name}' on unsupported platform: '#{backend.platform.name}/#{backend.platform.release}'."
    res[:skip_message] = msg
  else
    res[:status] = 'loaded'
  end

  # convert legacy os-* supports to their platform counterpart
  if res[:supports] && !res[:supports].empty?
    res[:supports].each do |support|
      support[:"platform-family"] = support.delete(:"os-family") if support.key?(:"os-family")
      support[:"platform-name"] = support.delete(:"os-name") if support.key?(:"os-name")
    end
  end

  res
end

#info!Object

return info using uncached params



266
267
268
# File 'lib/inspec/profile.rb', line 266

def info!
  info(load_params.dup)
end

#load_dependenciesObject



525
526
527
528
529
530
531
532
533
# File 'lib/inspec/profile.rb', line 525

def load_dependencies
  config = {
    cwd: cwd,
    cache: @cache,
    backend: @backend,
    parent_profile: name,
  }
  Inspec::DependencySet.from_lockfile(lockfile, config, { attributes: @attr_values })
end

#load_librariesObject



230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
# File 'lib/inspec/profile.rb', line 230

def load_libraries
  return @runner_context if @libraries_loaded

  locked_dependencies.dep_list.each_with_index do |(_name, dep), i|
    d = dep.profile
    # this will force a dependent profile load so we are only going to add
    # this metadata if the parent profile is supported.
    if supports_platform? && !d.supports_platform?
      # since ruby 1.9 hashes are ordered so we can just use index values here
      .dependencies[i][:status] = 'skipped'
      msg = "Skipping profile: '#{d.name}' on unsupported platform: '#{d.backend.platform.name}/#{d.backend.platform.release}'."
      .dependencies[i][:skip_message] = msg
      next
    elsif .dependencies[i]
      # Currently wrapper profiles will load all dependencies, and then we
      # load them again when we dive down. This needs to be re-done.
      .dependencies[i][:status] = 'loaded'
    end
    c = d.load_libraries
    @runner_context.add_resources(c)
  end

  libs = libraries.map do |path, content|
    [content, path]
  end

  @runner_context.load_libraries(libs)
  @libraries_loaded = true
  @runner_context
end

#locked_dependenciesObject



475
476
477
# File 'lib/inspec/profile.rb', line 475

def locked_dependencies
  @locked_dependencies ||= load_dependencies
end

#lockfileObject



504
505
506
507
508
509
510
# File 'lib/inspec/profile.rb', line 504

def lockfile
  @lockfile ||= if lockfile_exists?
                  Inspec::Lockfile.from_content(@source_reader.target.read('inspec.lock'))
                else
                  generate_lockfile
                end
end

#lockfile_exists?Boolean

Returns:

  • (Boolean)


479
480
481
# File 'lib/inspec/profile.rb', line 479

def lockfile_exists?
  @source_reader.target.files.include?('inspec.lock')
end

#lockfile_pathObject



483
484
485
# File 'lib/inspec/profile.rb', line 483

def lockfile_path
  File.join(cwd, 'inspec.lock')
end

#nameObject



141
142
143
# File 'lib/inspec/profile.rb', line 141

def name
  .params[:name]
end

#paramsObject



183
184
185
# File 'lib/inspec/profile.rb', line 183

def params
  @params ||= load_params
end

#register_metadata_attributesObject



129
130
131
132
133
134
135
136
137
138
139
# File 'lib/inspec/profile.rb', line 129

def 
  if .params.key?(:attributes) && .params[:attributes].is_a?(Array)
    .params[:attributes].each do |attribute|
      attr_dup = attribute.dup
      name = attr_dup.delete(:name)
      @runner_context.register_attribute(name, attr_dup)
    end
  elsif .params.key?(:attributes)
    Inspec::Log.warn 'Attributes must be defined as an Array. Skipping current definition.'
  end
end

#root_pathObject



487
488
489
# File 'lib/inspec/profile.rb', line 487

def root_path
  @source_reader.target.prefix
end

#sha256Type

Calculate this profile’s SHA256 checksum. Includes metadata, dependencies, libraries, data files, and controls.

Returns:

  • (Type)

    description of returned object



539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
# File 'lib/inspec/profile.rb', line 539

def sha256
  # get all dependency checksums
  deps = Hash[locked_dependencies.list.map { |k, v| [k, v.profile.sha256] }]

  res = OpenSSL::Digest::SHA256.new
  files = source_reader.tests.to_a + source_reader.libraries.to_a +
          source_reader.data_files.to_a +
          [['inspec.yml', source_reader..content]] +
          [['inspec.lock.deps', YAML.dump(deps)]]

  files.sort_by { |a| a[0] }
       .map { |f| res << f[0] << "\0" << f[1] << "\0" }

  res.digest.unpack('H*')[0]
end

#supported?Boolean

Is this profile is supported on the current platform of the backend machine and the current inspec version.

Returns:

  • (Boolean)


159
160
161
# File 'lib/inspec/profile.rb', line 159

def supported?
  supports_platform? && supports_runtime?
end

#supports_platform?Boolean

We need to check if we’re using a Mock’d backend for tests to function.

Returns:

  • (Boolean)


165
166
167
168
169
170
171
172
173
174
# File 'lib/inspec/profile.rb', line 165

def supports_platform?
  if @supports_platform.nil?
    @supports_platform = .supports_platform?(@backend)
  end
  if @backend.backend.class.to_s == 'Train::Transports::Mock::Connection'
    @supports_platform = true
  end

  @supports_platform
end

#supports_runtime?Boolean

Returns:

  • (Boolean)


176
177
178
179
180
181
# File 'lib/inspec/profile.rb', line 176

def supports_runtime?
  if @supports_runtime.nil?
    @supports_runtime = .supports_runtime?
  end
  @supports_runtime
end

#to_sObject



261
262
263
# File 'lib/inspec/profile.rb', line 261

def to_s
  "Inspec::Profile<#{name}>"
end

#versionObject



145
146
147
# File 'lib/inspec/profile.rb', line 145

def version
  .params[:version]
end

#writable?Boolean

Returns:

  • (Boolean)


149
150
151
# File 'lib/inspec/profile.rb', line 149

def writable?
  @writable
end