Class: Inspec::Profile
- Inherits:
-
Object
- Object
- Inspec::Profile
- Extended by:
- Forwardable
- Defined in:
- lib/inspec/profile.rb
Instance Attribute Summary collapse
-
#backend ⇒ Object
readonly
Returns the value of attribute backend.
-
#check_mode ⇒ Object
readonly
Returns the value of attribute check_mode.
-
#runner_context ⇒ Object
readonly
Returns the value of attribute runner_context.
-
#source_reader ⇒ Object
readonly
Returns the value of attribute source_reader.
Class Method Summary collapse
-
.copy_deps_into_cache(file_provider, opts) ⇒ Object
Check if the profile contains a vendored cache, move content into global cache TODO: use relative file provider TODO: use source reader for Cache as well.
- .for_fetcher(fetcher, opts) ⇒ Object
- .for_path(path, opts) ⇒ Object
- .for_target(target, opts = {}) ⇒ Object
- .resolve_target(target, cache) ⇒ Object
Instance Method Summary collapse
-
#archive(opts) ⇒ Object
generates a archive of a folder profile assumes that the profile was checked before.
-
#check ⇒ Boolean
Check if the profile is internally well-structured.
- #collect_tests(include_list = @controls) ⇒ Object
- #controls_count ⇒ Object
-
#cwd ⇒ Object
TODO(ssd): Relative path handling really needs to be carefully thought through, especially with respect to relative paths in tarballs.
- #files ⇒ Object
- #filter_controls(controls_array, include_list) ⇒ Object
-
#generate_lockfile ⇒ Inspec::Lockfile
Generate an in-memory lockfile.
- #info(res = params.dup) ⇒ Object
-
#info! ⇒ Object
return info using uncached params.
-
#initialize(source_reader, options = {}) ⇒ Profile
constructor
rubocop:disable Metrics/AbcSize.
- #load_dependencies ⇒ Object
- #load_libraries ⇒ Object
- #locked_dependencies ⇒ Object
- #lockfile ⇒ Object
- #lockfile_exists? ⇒ Boolean
- #lockfile_path ⇒ Object
- #name ⇒ Object
- #params ⇒ Object
- #root_path ⇒ Object
-
#sha256 ⇒ Type
Calculate this profile’s SHA256 checksum.
-
#supported? ⇒ Boolean
Is this profile is supported on the current platform of the backend machine and the current inspec version.
- #supports_platform? ⇒ Boolean
- #supports_runtime? ⇒ Boolean
- #to_s ⇒ Object
- #version ⇒ Object
- #writable? ⇒ Boolean
Constructor Details
#initialize(source_reader, options = {}) ⇒ Profile
rubocop:disable Metrics/AbcSize
87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 |
# File 'lib/inspec/profile.rb', line 87 def initialize(source_reader, = {}) @source_reader = source_reader @target = [:target] @logger = [:logger] || Logger.new(nil) @locked_dependencies = [:dependencies] @controls = [:controls] || [] @writable = [:writable] || false @profile_id = [:id] @cache = [:vendor_cache] || Cache.new @attr_values = [:attributes] @tests_collected = false @libraries_loaded = false @check_mode = [:check_mode] || false Metadata.finalize(@source_reader., @profile_id, ) # if a backend has already been created, clone it so each profile has its own unique backend object # otherwise, create a new backend object # # This is necessary since we store the RuntimeProfile on the backend object. If a user runs `inspec exec` # with multiple profiles, only the RuntimeProfile for the last-loaded profile will be available if # we share the backend between profiles. # # This will cause issues if a profile attempts to load a file via `inspec.profile.file` = .reject { |k, _| k == 'target' } # See https://github.com/chef/inspec/pull/1646 @backend = [:backend].nil? ? Inspec::Backend.create() : [:backend].dup @runtime_profile = RuntimeProfile.new(self) @backend.profile = @runtime_profile @runner_context = [:profile_context] || Inspec::ProfileContext.for_profile(self, @backend, @attr_values) end |
Instance Attribute Details
#backend ⇒ Object (readonly)
Returns the value of attribute backend.
81 82 83 |
# File 'lib/inspec/profile.rb', line 81 def backend @backend end |
#check_mode ⇒ Object (readonly)
Returns the value of attribute check_mode.
81 82 83 |
# File 'lib/inspec/profile.rb', line 81 def check_mode @check_mode end |
#runner_context ⇒ Object (readonly)
Returns the value of attribute runner_context.
81 82 83 |
# File 'lib/inspec/profile.rb', line 81 def runner_context @runner_context end |
#source_reader ⇒ Object (readonly)
Returns the value of attribute source_reader.
81 82 83 |
# File 'lib/inspec/profile.rb', line 81 def source_reader @source_reader end |
Class Method Details
.copy_deps_into_cache(file_provider, opts) ⇒ Object
Check if the profile contains a vendored cache, move content into global cache TODO: use relative file provider TODO: use source reader for Cache as well
35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 |
# File 'lib/inspec/profile.rb', line 35 def self.copy_deps_into_cache(file_provider, opts) # filter content cache = file_provider.files.find_all do |entry| entry.start_with?('vendor') end content = Hash[cache.map { |x| [x, file_provider.binread(x)] }] keys = content.keys keys.each do |key| next if content[key].nil? # remove prefix rel = Pathname.new(key).relative_path_from(Pathname.new('vendor')).to_s tar = Pathname.new(opts[:vendor_cache].path).join(rel) FileUtils.mkdir_p tar.dirname.to_s Inspec::Log.debug "Copy #{tar} to cache directory" File.binwrite(tar.to_s, content[key]) end end |
.for_fetcher(fetcher, opts) ⇒ Object
69 70 71 72 73 |
# File 'lib/inspec/profile.rb', line 69 def self.for_fetcher(fetcher, opts) opts[:vendor_cache] = opts[:vendor_cache] || Cache.new path, writable = fetcher.fetch for_path(path, opts.merge(target: fetcher.target, writable: writable)) end |
.for_path(path, opts) ⇒ Object
54 55 56 57 58 59 60 61 62 63 64 65 66 67 |
# File 'lib/inspec/profile.rb', line 54 def self.for_path(path, opts) file_provider = FileProvider.for_path(path) rp = file_provider.relative_provider # copy embedded dependecies into global cache copy_deps_into_cache(rp, opts) unless opts[:vendor_cache].nil? reader = Inspec::SourceReader.resolve(rp) if reader.nil? raise("Don't understand inspec profile in #{path}, it " \ "doesn't look like a supported profile structure.") end new(reader, opts) end |
.for_target(target, opts = {}) ⇒ Object
75 76 77 78 79 |
# File 'lib/inspec/profile.rb', line 75 def self.for_target(target, opts = {}) opts[:vendor_cache] = opts[:vendor_cache] || Cache.new fetcher = resolve_target(target, opts[:vendor_cache]) for_fetcher(fetcher, opts) end |
.resolve_target(target, cache) ⇒ Object
27 28 29 30 |
# File 'lib/inspec/profile.rb', line 27 def self.resolve_target(target, cache) Inspec::Log.debug "Resolve #{target} into cache #{cache.path}" Inspec::CachedFetcher.new(target, cache) end |
Instance Method Details
#archive(opts) ⇒ Object
generates a archive of a folder profile assumes that the profile was checked before
328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 |
# File 'lib/inspec/profile.rb', line 328 def archive(opts) # check if file exists otherwise overwrite the archive dst = archive_name(opts) if dst.exist? && !opts[:overwrite] @logger.info "Archive #{dst} exists already. Use --overwrite." return false end # remove existing archive File.delete(dst) if dst.exist? @logger.info "Generate archive #{dst}." # filter files that should not be part of the profile # TODO ignore all .files, but add the files to debug output # display all files that will be part of the archive @logger.debug 'Add the following files to archive:' files.each { |f| @logger.debug ' ' + f } if opts[:zip] # generate zip archive require 'inspec/archive/zip' zag = Inspec::Archive::ZipArchiveGenerator.new zag.archive(root_path, files, dst) else # generate tar archive require 'inspec/archive/tar' tag = Inspec::Archive::TarArchiveGenerator.new tag.archive(root_path, files, dst) end @logger.info 'Finished archive generation.' true end |
#check ⇒ Boolean
Check if the profile is internally well-structured. The logger will be used to print information on errors and warnings which are found.
237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 |
# File 'lib/inspec/profile.rb', line 237 def check # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity, Metrics/MethodLength # initial values for response object result = { summary: { valid: false, timestamp: Time.now.iso8601, location: @target, profile: nil, controls: 0, }, errors: [], warnings: [], } entry = lambda { |file, line, column, control, msg| { file: file, line: line, column: column, control_id: control, msg: msg, } } warn = lambda { |file, line, column, control, msg| @logger.warn(msg) result[:warnings].push(entry.call(file, line, column, control, msg)) } error = lambda { |file, line, column, control, msg| @logger.error(msg) result[:errors].push(entry.call(file, line, column, control, msg)) } @logger.info "Checking profile in #{@target}" = @source_reader.target.abs_path(@source_reader..ref) if =~ /metadata\.rb$/ warn.call(@target, 0, 0, nil, 'The use of `metadata.rb` is deprecated. Use `inspec.yml`.') end # verify metadata m_errors, m_warnings = .valid m_errors.each { |msg| error.call(, 0, 0, nil, msg) } m_warnings.each { |msg| warn.call(, 0, 0, nil, msg) } m_unsupported = .unsupported m_unsupported.each { |u| warn.call(, 0, 0, nil, "doesn't support: #{u}") } @logger.info 'Metadata OK.' if m_errors.empty? && m_unsupported.empty? # extract profile name result[:summary][:profile] = .params[:name] # check if the profile is using the old test directory instead of the # new controls directory if @source_reader.tests.keys.any? { |x| x =~ %r{^test/$} } warn.call(@target, 0, 0, nil, 'Profile uses deprecated `test` directory, rename it to `controls`.') end count = controls_count result[:summary][:controls] = count if count == 0 warn.call(nil, nil, nil, nil, 'No controls or tests were defined.') else @logger.info("Found #{count} controls.") end # iterate over hash of groups params[:controls].each { |id, control| sfile = control[:source_location][:ref] sline = control[:source_location][:line] error.call(sfile, sline, nil, id, 'Avoid controls with empty IDs') if id.nil? or id.empty? next if id.start_with? '(generated ' warn.call(sfile, sline, nil, id, "Control #{id} has no title") if control[:title].to_s.empty? warn.call(sfile, sline, nil, id, "Control #{id} has no description") if control[:desc].to_s.empty? warn.call(sfile, sline, nil, id, "Control #{id} has impact > 1.0") if control[:impact].to_f > 1.0 warn.call(sfile, sline, nil, id, "Control #{id} has impact < 0.0") if control[:impact].to_f < 0.0 warn.call(sfile, sline, nil, id, "Control #{id} has no tests defined") if control[:checks].nil? or control[:checks].empty? } # profile is valid if we could not find any error result[:summary][:valid] = result[:errors].empty? @logger.info 'Control definitions OK.' if result[:warnings].empty? result end |
#collect_tests(include_list = @controls) ⇒ Object
160 161 162 163 164 165 166 167 168 169 170 171 172 |
# File 'lib/inspec/profile.rb', line 160 def collect_tests(include_list = @controls) if !@tests_collected locked_dependencies.each(&:collect_tests) tests.each do |path, content| next if content.nil? || content.empty? abs_path = source_reader.target.abs_path(path) @runner_context.load_control_file(content, abs_path, nil) end @tests_collected = true end filter_controls(@runner_context.all_rules, include_list) end |
#controls_count ⇒ Object
322 323 324 |
# File 'lib/inspec/profile.rb', line 322 def controls_count params[:controls].values.length end |
#cwd ⇒ Object
TODO(ssd): Relative path handling really needs to be carefully thought through, especially with respect to relative paths in tarballs.
388 389 390 |
# File 'lib/inspec/profile.rb', line 388 def cwd @target.is_a?(String) && File.directory?(@target) ? @target : './' end |
#files ⇒ Object
379 380 381 |
# File 'lib/inspec/profile.rb', line 379 def files @source_reader.target.files end |
#filter_controls(controls_array, include_list) ⇒ Object
174 175 176 177 178 179 180 |
# File 'lib/inspec/profile.rb', line 174 def filter_controls(controls_array, include_list) return controls_array if include_list.nil? || include_list.empty? controls_array.select do |c| id = ::Inspec::Rule.rule_id(c) include_list.include?(id) end end |
#generate_lockfile ⇒ Inspec::Lockfile
Generate an in-memory lockfile. This won’t render the lock file to disk, it must be explicitly written to disk by the caller.
407 408 409 410 411 |
# File 'lib/inspec/profile.rb', line 407 def generate_lockfile res = Inspec::DependencySet.new(cwd, @cache, nil, @backend) res.vendor(.dependencies) Inspec::Lockfile.from_dependency_set(res) end |
#info(res = params.dup) ⇒ Object
208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 |
# File 'lib/inspec/profile.rb', line 208 def info(res = params.dup) # add information about the controls res[:controls] = res[:controls].map do |id, rule| next if id.to_s.empty? data = rule.dup data.delete(:checks) data[:impact] ||= 0.5 data[:impact] = 1.0 if data[:impact] > 1.0 data[:impact] = 0.0 if data[:impact] < 0.0 data[:id] = id data end.compact # resolve hash structure in groups res[:groups] = res[:groups].map do |id, group| group[:id] = id group end # add information about the required attributes res[:attributes] = res[:attributes].map(&:to_hash) unless res[:attributes].nil? || res[:attributes].empty? res[:sha256] = sha256 res end |
#info! ⇒ Object
return info using uncached params
204 205 206 |
# File 'lib/inspec/profile.rb', line 204 def info! info(load_params.dup) end |
#load_dependencies ⇒ Object
413 414 415 |
# File 'lib/inspec/profile.rb', line 413 def load_dependencies Inspec::DependencySet.from_lockfile(lockfile, cwd, @cache, @backend, { attributes: @attr_values }) end |
#load_libraries ⇒ Object
182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 |
# File 'lib/inspec/profile.rb', line 182 def load_libraries return @runner_context if @libraries_loaded locked_dependencies.each do |d| c = d.load_libraries @runner_context.add_resources(c) end libs = libraries.map do |path, content| [content, path] end @runner_context.load_libraries(libs) @libraries_loaded = true @runner_context end |
#locked_dependencies ⇒ Object
363 364 365 |
# File 'lib/inspec/profile.rb', line 363 def locked_dependencies @locked_dependencies ||= load_dependencies end |
#lockfile ⇒ Object
392 393 394 395 396 397 398 |
# File 'lib/inspec/profile.rb', line 392 def lockfile @lockfile ||= if lockfile_exists? Inspec::Lockfile.from_content(@source_reader.target.read('inspec.lock')) else generate_lockfile end end |
#lockfile_exists? ⇒ Boolean
367 368 369 |
# File 'lib/inspec/profile.rb', line 367 def lockfile_exists? @source_reader.target.files.include?('inspec.lock') end |
#lockfile_path ⇒ Object
371 372 373 |
# File 'lib/inspec/profile.rb', line 371 def lockfile_path File.join(cwd, 'inspec.lock') end |
#name ⇒ Object
120 121 122 |
# File 'lib/inspec/profile.rb', line 120 def name .params[:name] end |
#params ⇒ Object
156 157 158 |
# File 'lib/inspec/profile.rb', line 156 def params @params ||= load_params end |
#root_path ⇒ Object
375 376 377 |
# File 'lib/inspec/profile.rb', line 375 def root_path @source_reader.target.prefix end |
#sha256 ⇒ Type
Calculate this profile’s SHA256 checksum. Includes metadata, dependencies, libraries, data files, and controls.
421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 |
# File 'lib/inspec/profile.rb', line 421 def sha256 # get all dependency checksums deps = Hash[locked_dependencies.list.map { |k, v| [k, v.profile.sha256] }] res = OpenSSL::Digest::SHA256.new files = source_reader.tests.to_a + source_reader.libraries.to_a + source_reader.data_files.to_a + [['inspec.yml', source_reader..content]] + [['inspec.lock.deps', YAML.dump(deps)]] files.sort_by { |a| a[0] } .map { |f| res << f[0] << "\0" << f[1] << "\0" } res.digest.unpack('H*')[0] end |
#supported? ⇒ Boolean
Is this profile is supported on the current platform of the backend machine and the current inspec version.
138 139 140 |
# File 'lib/inspec/profile.rb', line 138 def supported? supports_platform? && supports_runtime? end |
#supports_platform? ⇒ Boolean
142 143 144 145 146 147 |
# File 'lib/inspec/profile.rb', line 142 def supports_platform? if @supports_platform.nil? @supports_platform = .supports_platform?(@backend) end @supports_platform end |
#supports_runtime? ⇒ Boolean
149 150 151 152 153 154 |
# File 'lib/inspec/profile.rb', line 149 def supports_runtime? if @supports_runtime.nil? @supports_runtime = .supports_runtime? end @supports_runtime end |
#to_s ⇒ Object
199 200 201 |
# File 'lib/inspec/profile.rb', line 199 def to_s "Inspec::Profile<#{name}>" end |
#version ⇒ Object
124 125 126 |
# File 'lib/inspec/profile.rb', line 124 def version .params[:version] end |
#writable? ⇒ Boolean
128 129 130 |
# File 'lib/inspec/profile.rb', line 128 def writable? @writable end |