Class: Inspec::Rule

Inherits:

Object

• Object
• Inspec::Rule

Includes:

RSpec::Matchers

Defined in:

lib/inspec/rule.rb

Instance Attribute Summary

• #__profile_id ⇒ Object readonly

  Returns the value of attribute __profile_id.

• #__waiver_data ⇒ Object readonly

  Returns the value of attribute __waiver_data.

• #na_impact_freeze ⇒ Object

  Returns the value of attribute na_impact_freeze.

• #resource_dsl ⇒ Object

  Returns the value of attribute resource_dsl.

Class Method Summary

• .checks(rule) ⇒ Object
• .merge(dst, src) ⇒ Object

  rubocop:disable Metrics/AbcSize.

• .merge_changes(rule) ⇒ Object
• .merge_count(rule) ⇒ Object
• .na_status(rule) ⇒ Object
• .prepare_checks(rule) ⇒ Object

  If a rule is marked to be skipped, this creates a dummay array of “checks” with a skip outcome.

• .profile_id(rule) ⇒ Object
• .rule_id(rule) ⇒ Object

  TODO: figure out why these violations exist and nuke them.

• .set_rule_id(rule, value) ⇒ Object
• .set_skip_rule(rule, value, message = nil, type = :only_if) ⇒ Object
• .skip_status(rule) ⇒ Object

Instance Method Summary

• #attribute(name, options = {}) ⇒ Object
• #desc(v = nil, data = nil) ⇒ Object
• #describe(*values, &block) ⇒ nil|DescribeBase

  Describe will add one or more tests to this control.

• #descriptions(description_hash = nil) ⇒ Object
• #expect(value, &block) ⇒ Object
• #id(*_) ⇒ Object
• #impact(v = nil) ⇒ Object
• #initialize(id, profile_id, resource_dsl, opts, &block) ⇒ Rule constructor

  A new instance of Rule.

• #input(input_name, options = {}) ⇒ Object

  allow attributes to be accessed within control blocks.

• #input_object(input_name) ⇒ Object

  Find the Input object, but don’t collapse to a value.

• #method_missing(method_name, *arguments, &block) ⇒ Object

  Support for Control DSL plugins.

• #only_applicable_if(message = nil) ⇒ Object
• #only_if(message = nil, impact: nil) ⇒ nil

  Skip all checks if only_if is false.

• #ref(ref = nil, opts = {}) ⇒ Object
• #source_file ⇒ Object
• #tag(*args) ⇒ Object
• #title(v = nil) ⇒ Object
• #to_s ⇒ Object

Constructor Details

#initialize(id, profile_id, resource_dsl, opts, &block) ⇒ Rule

Returns a new instance of Rule.

# File 'lib/inspec/rule.rb', line 22

def initialize(id, profile_id, resource_dsl, opts, &block)
  @impact = nil
  @title = nil
  @descriptions = {}
  @refs = []
  @tags = {}

  @resource_dsl = resource_dsl
  extend resource_dsl # TODO: remove! do it via method_missing

  # not changeable by the user:
  @__code = nil
  @__block = block
  @__source_location = __get_block_source_location(&block)
  @__rule_id = id
  @__profile_id = profile_id
  @__checks = []
  @__skip_rule = {} # { result: true, message: "Why", type: [:only_if, :waiver] }
  @__merge_count = 0
  @__merge_changes = []
  @__skip_only_if_eval = opts[:skip_only_if_eval]
  @__na_rule = {}

  # evaluate the given definition
  return unless block_given?

  begin
    instance_eval(&block)

    # By applying waivers *after* the instance eval, we assure that
    # waivers have higher precedence than only_if.
    __apply_waivers

  rescue SystemStackError, StandardError => e
    # We've encountered an exception while trying to eval the code inside the
    # control block. We need to prevent the exception from bubbling up, and
    # fail the control. Controls are failed by having a failed resource within
    # them; but since our control block is unsafe (and opaque) to us, let's
    # make a dummy and fail that.
    location = block.source_location.compact.join(":")
    describe "Control Source Code Error" do
      # Rubocop thinks we are raising an exception - we're actually calling RSpec's fail()
      its(location) { fail e.message } # rubocop: disable Style/SignalException
    end
  end
end

Dynamic Method Handling

This class handles dynamic methods through the method_missing method

#method_missing(method_name, *arguments, &block) ⇒ Object

Support for Control DSL plugins. This is called when an unknown method is encountered within a control block.

# File 'lib/inspec/rule.rb', line 228

def method_missing(method_name, *arguments, &block)
  # Check to see if there is a control_dsl plugin activator hook with the method name
  registry = Inspec::Plugin::V2::Registry.instance
  hook = registry.find_activators(plugin_type: :control_dsl, activator_name: method_name).first
  if hook
    # OK, load the hook if it hasn't been already.  We'll then know a module,
    # which we can then inject into the context
    hook.activate

    # Inject the module's methods into the context.
    # implementation_class is the field name, but this is actually a module.
    self.class.include(hook.implementation_class)
    # Now that the module is loaded, it defined one or more methods
    # (presumably the one we were looking for.)
    # We still haven't called it, so do so now.
    send(method_name, *arguments, &block)
  else
    begin
      Inspec::DSL.method_missing_resource(inspec, method_name, *arguments)
    rescue LoadError
      super
    end
  end
end

Instance Attribute Details

#__profile_id ⇒ Object (readonly)

Returns the value of attribute __profile_id.

# File 'lib/inspec/rule.rb', line 20

def __profile_id
  @__profile_id
end

#__waiver_data ⇒ Object (readonly)

Returns the value of attribute __waiver_data.

# File 'lib/inspec/rule.rb', line 18

def __waiver_data
  @__waiver_data
end

#na_impact_freeze ⇒ Object

Returns the value of attribute na_impact_freeze.

# File 'lib/inspec/rule.rb', line 19

def na_impact_freeze
  @na_impact_freeze
end

#resource_dsl ⇒ Object

Returns the value of attribute resource_dsl.

# File 'lib/inspec/rule.rb', line 19

def resource_dsl
  @resource_dsl
end

Class Method Details

.checks(rule) ⇒ Object

# File 'lib/inspec/rule.rb', line 266

def self.checks(rule)
  rule.instance_variable_get(:@__checks)
end

.merge(dst, src) ⇒ Object

rubocop:disable Metrics/AbcSize

# File 'lib/inspec/rule.rb', line 322

def self.merge(dst, src) # rubocop:disable Metrics/AbcSize
  if src.id != dst.id
    # TODO: register an error, this case should not happen
    return
  end

  sp = rule_id(src)
  dp = rule_id(dst)
  if sp != dp
    # TODO: register an error, this case should not happen
    return
  end

  # merge all fields
  dst.impact(src.impact)                 unless src.impact.nil?
  dst.title(src.title)                   unless src.title.nil?
  dst.descriptions(src.descriptions)     unless src.descriptions.nil?
  dst.tag(src.tag)                       unless src.tag.nil?
  dst.ref(src.ref)                       unless src.ref.nil?

  # merge indirect fields
  # checks defined in the source will completely eliminate
  # all checks that were defined in the destination
  sc = checks(src)
  dst.instance_variable_set(:@__checks, sc) unless sc.empty?
  skip_check = skip_status(src)
  sr = skip_check[:result]
  msg = skip_check[:message]
  skip_type = skip_check[:type]
  set_skip_rule(dst, sr, msg, skip_type) unless sr.nil?

  # Save merge history
  dst.instance_variable_set(:@__merge_count, merge_count(dst) + 1)
  dst.instance_variable_set(
    :@__merge_changes,
    merge_changes(dst) << src.instance_variable_get(:@__source_location)
  )
end

.merge_changes(rule) ⇒ Object

# File 'lib/inspec/rule.rb', line 291

def self.merge_changes(rule)
  rule.instance_variable_get(:@__merge_changes)
end

.merge_count(rule) ⇒ Object

# File 'lib/inspec/rule.rb', line 287

def self.merge_count(rule)
  rule.instance_variable_get(:@__merge_count)
end

.na_status(rule) ⇒ Object

# File 'lib/inspec/rule.rb', line 274

def self.na_status(rule)
  rule.instance_variable_get(:@__na_rule)
end

.prepare_checks(rule) ⇒ Object

If a rule is marked to be skipped, this creates a dummay array of “checks” with a skip outcome

# File 'lib/inspec/rule.rb', line 297

def self.prepare_checks(rule)
  skip_check = skip_status(rule)
  na_check = na_status(rule)
  return checks(rule) unless skip_check[:result].eql?(true) || na_check[:result].eql?(true)

  resource = rule.noop
  if skip_check[:result].eql?(true)
    if skip_check[:message]
      msg = "Skipped control due to #{skip_check[:type]} condition: #{skip_check[:message]}"
    else
      msg = "Skipped control due to #{skip_check[:type]} condition."
    end
    resource.skip_resource(msg)
  else
    if na_check[:message]
      msg = "N/A control due to #{na_check[:type]} condition: #{na_check[:message]}"
    else
      msg = "N/A control due to #{na_check[:type]} condition."
    end
    resource.fail_resource(msg)
  end

  [["describe", [resource], nil]]
end

.profile_id(rule) ⇒ Object

# File 'lib/inspec/rule.rb', line 262

def self.profile_id(rule)
  rule.instance_variable_get(:@__profile_id)
end

.rule_id(rule) ⇒ Object

TODO: figure out why these violations exist and nuke them.

# File 'lib/inspec/rule.rb', line 254

def self.rule_id(rule)
  rule.instance_variable_get(:@__rule_id)
end

.set_rule_id(rule, value) ⇒ Object

# File 'lib/inspec/rule.rb', line 258

def self.set_rule_id(rule, value)
  rule.instance_variable_set(:@__rule_id, value)
end

.set_skip_rule(rule, value, message = nil, type = :only_if) ⇒ Object

# File 'lib/inspec/rule.rb', line 278

def self.set_skip_rule(rule, value, message = nil, type = :only_if)
  rule.instance_variable_set(:@__skip_rule,
                             {
                               result: value,
                               message: message,
                               type: type,
                             })
end

.skip_status(rule) ⇒ Object

# File 'lib/inspec/rule.rb', line 270

def self.skip_status(rule)
  rule.instance_variable_get(:@__skip_rule)
end

Instance Method Details

#attribute(name, options = {}) ⇒ Object

# File 'lib/inspec/rule.rb', line 220

def attribute(name, options = {})
  Inspec.deprecate(:attrs_dsl, "Input name: #{name}, Profile: #{__profile_id}")
  input(name, options)
end

#desc(v = nil, data = nil) ⇒ Object

# File 'lib/inspec/rule.rb', line 96

def desc(v = nil, data = nil)
  return @descriptions[:default] if v.nil?

  if data.nil?
    @descriptions[:default] = unindent(v)
  else
    @descriptions[v.to_sym] = unindent(data)
  end
end

#describe(*values, &block) ⇒ nil|DescribeBase

Describe will add one or more tests to this control. There is 2 ways of calling it:

describe resource do ... end

or

describe.one do ... end

Parameters:

• Resource (any) —

  to be describe, string, or nil

• An (Proc) —

  optional block containing tests for the described resource

Returns:

• (nil|DescribeBase) —

  if called without arguments, returns DescribeBase

# File 'lib/inspec/rule.rb', line 176

def describe(*values, &block)
  if values.empty? && !block_given?
    dsl = resource_dsl
    Class.new(DescribeBase) do
      include dsl
    end.new(method(:__add_check))
  else
    __add_check("describe", values, with_dsl(block))
  end
end

#descriptions(description_hash = nil) ⇒ Object

# File 'lib/inspec/rule.rb', line 106

def descriptions(description_hash = nil)
  return @descriptions if description_hash.nil?

  @descriptions.merge!(description_hash)
end

#expect(value, &block) ⇒ Object

# File 'lib/inspec/rule.rb', line 187

def expect(value, &block)
  target = Inspec::Expect.new(value, &with_dsl(block))
  __add_check("expect", [value], target)
  target
end

#id(*_) ⇒ Object

# File 'lib/inspec/rule.rb', line 73

def id(*_)
  # never overwrite the ID
  @id
end

#impact(v = nil) ⇒ Object

# File 'lib/inspec/rule.rb', line 78

def impact(v = nil)
  # N/A impact freeze is required when only_applicable_if block has reset impact value to zero"
  unless na_impact_freeze
    if v.is_a?(String)
      @impact = Inspec::Impact.impact_from_string(v)
    elsif !v.nil?
      @impact = v
    end
  end

  @impact
end

#input(input_name, options = {}) ⇒ Object

allow attributes to be accessed within control blocks

# File 'lib/inspec/rule.rb', line 194

def input(input_name, options = {})
  if options.empty?
    # Simply an access, no event here
    Inspec::InputRegistry.find_or_register_input(input_name, __profile_id).value
  else
    options[:priority] ||= 20
    options[:provider] = :inline_control_code
    evt = Inspec::Input.infer_event(options)
    Inspec::InputRegistry.find_or_register_input(
      input_name,
      __profile_id,
      type: options[:type],
      required: options[:required],
      description: options[:description],
      pattern: options[:pattern],
      event: evt
    ).value
  end
end

#input_object(input_name) ⇒ Object

Find the Input object, but don’t collapse to a value. Will return nil on a miss.

# File 'lib/inspec/rule.rb', line 216

def input_object(input_name)
  Inspec::InputRegistry.find_or_register_input(input_name, __profile_id)
end

#only_applicable_if(message = nil) ⇒ Object

# File 'lib/inspec/rule.rb', line 152

def only_applicable_if(message = nil)
  return unless block_given?
  return if yield

  impact(0.0)
  self.na_impact_freeze = true # this flag prevents impact value to reset to any other value

  @__na_rule[:result] ||= !yield
  @__na_rule[:type] = :only_applicable_if
  @__na_rule[:message] = message
end

#only_if(message = nil, impact: nil) ⇒ nil

Skip all checks if only_if is false

Parameters:

• &block (Type) —

  returns true if tests are added, false otherwise

Returns:

• (nil)

# File 'lib/inspec/rule.rb', line 142

def only_if(message = nil, impact: nil)
  return unless block_given?
  return if @__skip_only_if_eval == true

  self.impact(impact) if impact && !yield
  @__skip_rule[:result] ||= !yield
  @__skip_rule[:type] = :only_if
  @__skip_rule[:message] = message
end

#ref(ref = nil, opts = {}) ⇒ Object

# File 'lib/inspec/rule.rb', line 112

def ref(ref = nil, opts = {})
  return @refs if ref.nil? && opts.empty?

  if opts.empty? && ref.is_a?(Hash)
    opts = ref
  else
    opts[:ref] = ref
  end
  @refs.push(opts)
end

#source_file ⇒ Object

# File 'lib/inspec/rule.rb', line 134

def source_file
  @__file
end

#tag(*args) ⇒ Object

# File 'lib/inspec/rule.rb', line 123

def tag(*args)
  args.each do |arg|
    if arg.is_a?(Hash)
      @tags.merge!(arg)
    else
      @tags[arg] ||= nil
    end
  end
  @tags
end

#title(v = nil) ⇒ Object

# File 'lib/inspec/rule.rb', line 91

def title(v = nil)
  @title = v unless v.nil?
  @title
end

#to_s ⇒ Object

# File 'lib/inspec/rule.rb', line 69

def to_s
  Inspec::Rule.rule_id(self)
end