Class: Inspec::Profile

Inherits:

Object

• Object
• Inspec::Profile

Extended by:

Forwardable

Defined in:

lib/inspec/profile.rb

Instance Attribute Summary

• #backend ⇒ Object readonly

  Returns the value of attribute backend.

• #check_mode ⇒ Object readonly

  Returns the value of attribute check_mode.

• #parent_profile ⇒ Object

  Returns the value of attribute parent_profile.

• #profile_name ⇒ Object

  Returns the value of attribute profile_name.

• #runner_context ⇒ Object readonly

  Returns the value of attribute runner_context.

• #source_reader ⇒ Object readonly

  Returns the value of attribute source_reader.

Class Method Summary

• .copy_deps_into_cache(file_provider, opts) ⇒ Object

  Check if the profile contains a vendored cache, move content into global cache TODO: use relative file provider TODO: use source reader for Cache as well.

• .for_fetcher(fetcher, config) ⇒ Object
• .for_path(path, opts) ⇒ Object
• .for_target(target, opts = {}) ⇒ Object
• .resolve_target(target, cache) ⇒ Object

Instance Method Summary

• #archive(opts) ⇒ Object

  generates a archive of a folder profile assumes that the profile was checked before.

• #check ⇒ Boolean

  Check if the profile is internally well-structured.

• #collect_tests(include_list = @controls) ⇒ Object
• #controls_count ⇒ Object
• #cwd ⇒ Object

  TODO(ssd): Relative path handling really needs to be carefully thought through, especially with respect to relative paths in tarballs.

• #files ⇒ Object
• #filter_controls(controls_array, include_list) ⇒ Object
• #generate_lockfile ⇒ Inspec::Lockfile

  Generate an in-memory lockfile.

• #info(res = params.dup) ⇒ Object

  rubocop:disable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity, Metrics/MethodLength.

• #info! ⇒ Object

  return info using uncached params.

• #initialize(source_reader, options = {}) ⇒ Profile constructor

  rubocop:disable Metrics/AbcSize.

• #load_dependencies ⇒ Object
• #load_libraries ⇒ Object
• #locked_dependencies ⇒ Object
• #lockfile ⇒ Object
• #lockfile_exists? ⇒ Boolean
• #lockfile_path ⇒ Object
• #name ⇒ Object
• #params ⇒ Object
• #register_metadata_inputs ⇒ Object

  TODO: deprecate.

• #root_path ⇒ Object
• #sha256 ⇒ Type

  Calculate this profile’s SHA256 checksum.

• #supported? ⇒ Boolean

  Is this profile is supported on the current platform of the backend machine and the current inspec version.

• #supports_platform? ⇒ Boolean

  We need to check if we’re using a Mock’d backend for tests to function.

• #supports_runtime? ⇒ Boolean
• #to_s ⇒ Object
• #version ⇒ Object
• #writable? ⇒ Boolean

Constructor Details

#initialize(source_reader, options = {}) ⇒ Profile

rubocop:disable Metrics/AbcSize

# File 'lib/inspec/profile.rb', line 90

def initialize(source_reader, options = {})
  @source_reader = source_reader
  @target = options[:target]
  @logger = options[:logger] || Logger.new(nil)
  @locked_dependencies = options[:dependencies]
  @controls = options[:controls] || []
  @writable = options[:writable] || false
  @profile_id = options[:id]
  @profile_name = options[:profile_name]
  @cache = options[:vendor_cache] || Cache.new
  @input_values = options[:inputs]
  @tests_collected = false
  @libraries_loaded = false
  @check_mode = options[:check_mode] || false
  @parent_profile = options[:parent_profile]
  @legacy_profile_path = options[:profiles_path] || false
  Metadata.finalize(@source_reader.metadata, @profile_id, options)

  # if a backend has already been created, clone it so each profile has its own unique backend object
  # otherwise, create a new backend object
  #
  # This is necessary since we store the RuntimeProfile on the backend object. If a user runs `inspec exec`
  # with multiple profiles, only the RuntimeProfile for the last-loaded profile will be available if
  # we share the backend between profiles.
  #
  # This will cause issues if a profile attempts to load a file via `inspec.profile.file`
  train_options = options.reject { |k, _| k == 'target' } # See https://github.com/chef/inspec/pull/1646
  @backend = options[:backend].nil? ? Inspec::Backend.create(Inspec::Config.new(train_options)) : options[:backend].dup
  @runtime_profile = RuntimeProfile.new(self)
  @backend.profile = @runtime_profile

  @runner_context =
    options[:profile_context] ||
    Inspec::ProfileContext.for_profile(self, @backend, @input_values)

  @supports_platform = metadata.supports_platform?(@backend)
  @supports_runtime = metadata.supports_runtime?
  register_metadata_inputs
end

Instance Attribute Details

#backend ⇒ Object (readonly)

Returns the value of attribute backend.

# File 'lib/inspec/profile.rb', line 83

def backend
  @backend
end

#check_mode ⇒ Object (readonly)

Returns the value of attribute check_mode.

# File 'lib/inspec/profile.rb', line 83

def check_mode
  @check_mode
end

#parent_profile ⇒ Object

Returns the value of attribute parent_profile.

# File 'lib/inspec/profile.rb', line 84

def parent_profile
  @parent_profile
end

#profile_name ⇒ Object

Returns the value of attribute profile_name.

# File 'lib/inspec/profile.rb', line 84

def profile_name
  @profile_name
end

#runner_context ⇒ Object (readonly)

Returns the value of attribute runner_context.

# File 'lib/inspec/profile.rb', line 83

def runner_context
  @runner_context
end

#source_reader ⇒ Object (readonly)

Returns the value of attribute source_reader.

# File 'lib/inspec/profile.rb', line 83

def source_reader
  @source_reader
end

Class Method Details

.copy_deps_into_cache(file_provider, opts) ⇒ Object

Check if the profile contains a vendored cache, move content into global cache TODO: use relative file provider TODO: use source reader for Cache as well

# File 'lib/inspec/profile.rb', line 36

def self.copy_deps_into_cache(file_provider, opts)
  # filter content
  cache = file_provider.files.find_all do |entry|
    entry.start_with?('vendor')
  end
  content = Hash[cache.map { |x| [x, file_provider.binread(x)] }]
  keys = content.keys
  keys.each do |key|
    next if content[key].nil?
    # remove prefix
    rel = Pathname.new(key).relative_path_from(Pathname.new('vendor')).to_s
    tar = Pathname.new(opts[:vendor_cache].path).join(rel)

    FileUtils.mkdir_p tar.dirname.to_s
    Inspec::Log.debug "Copy #{tar} to cache directory"
    File.binwrite(tar.to_s, content[key])
  end
end

.for_fetcher(fetcher, config) ⇒ Object

# File 'lib/inspec/profile.rb', line 70

def self.for_fetcher(fetcher, config)
  opts = config.respond_to?(:final_options) ? config.final_options : config
  opts[:vendor_cache] = opts[:vendor_cache] || Cache.new
  path, writable = fetcher.fetch
  for_path(path, opts.merge(target: fetcher.target, writable: writable))
end

.for_path(path, opts) ⇒ Object

# File 'lib/inspec/profile.rb', line 55

def self.for_path(path, opts)
  file_provider = FileProvider.for_path(path)
  rp = file_provider.relative_provider

  # copy embedded dependencies into global cache
  copy_deps_into_cache(rp, opts) unless opts[:vendor_cache].nil?

  reader = Inspec::SourceReader.resolve(rp)
  if reader.nil?
    raise("Don't understand inspec profile in #{path}, it " \
         "doesn't look like a supported profile structure.")
  end
  new(reader, opts)
end

.for_target(target, opts = {}) ⇒ Object

# File 'lib/inspec/profile.rb', line 77

def self.for_target(target, opts = {})
  opts[:vendor_cache] = opts[:vendor_cache] || Cache.new
  fetcher = resolve_target(target, opts[:vendor_cache])
  for_fetcher(fetcher, opts)
end

.resolve_target(target, cache) ⇒ Object

# File 'lib/inspec/profile.rb', line 28

def self.resolve_target(target, cache)
  Inspec::Log.debug "Resolve #{target} into cache #{cache.path}"
  Inspec::CachedFetcher.new(target, cache)
end

Instance Method Details

#archive(opts) ⇒ Object

generates a archive of a folder profile assumes that the profile was checked before

# File 'lib/inspec/profile.rb', line 441

def archive(opts)
  # check if file exists otherwise overwrite the archive
  dst = archive_name(opts)
  if dst.exist? && !opts[:overwrite]
    @logger.info "Archive #{dst} exists already. Use --overwrite."
    return false
  end

  # remove existing archive
  File.delete(dst) if dst.exist?
  @logger.info "Generate archive #{dst}."

  # filter files that should not be part of the profile
  # TODO ignore all .files, but add the files to debug output

  # display all files that will be part of the archive
  @logger.debug 'Add the following files to archive:'
  files.each { |f| @logger.debug '    ' + f }

  if opts[:zip]
    # generate zip archive
    require 'inspec/archive/zip'
    zag = Inspec::Archive::ZipArchiveGenerator.new
    zag.archive(root_path, files, dst)
  else
    # generate tar archive
    require 'inspec/archive/tar'
    tag = Inspec::Archive::TarArchiveGenerator.new
    tag.archive(root_path, files, dst)
  end

  @logger.info 'Finished archive generation.'
  true
end

#check ⇒ Boolean

Check if the profile is internally well-structured. The logger will be used to print information on errors and warnings which are found.

Returns:

• (Boolean) —

  true if no errors were found, false otherwise

# File 'lib/inspec/profile.rb', line 333

def check # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity, Metrics/MethodLength
  # initial values for response object
  result = {
    summary: {
      valid: false,
      timestamp: Time.now.iso8601,
      location: @target,
      profile: nil,
      controls: 0,
    },
    errors: [],
    warnings: [],
  }

  entry = lambda { |file, line, column, control, msg|
    {
      file: file,
      line: line,
      column: column,
      control_id: control,
      msg: msg,
    }
  }

  warn = lambda { |file, line, column, control, msg|
    @logger.warn(msg)
    result[:warnings].push(entry.call(file, line, column, control, msg))
  }

  error = lambda { |file, line, column, control, msg|
    @logger.error(msg)
    result[:errors].push(entry.call(file, line, column, control, msg))
  }

  @logger.info "Checking profile in #{@target}"
  meta_path = @source_reader.target.abs_path(@source_reader.metadata.ref)

  # verify metadata
  m_errors, m_warnings = metadata.valid
  m_errors.each { |msg| error.call(meta_path, 0, 0, nil, msg) }
  m_warnings.each { |msg| warn.call(meta_path, 0, 0, nil, msg) }
  m_unsupported = metadata.unsupported
  m_unsupported.each { |u| warn.call(meta_path, 0, 0, nil, "doesn't support: #{u}") }
  @logger.info 'Metadata OK.' if m_errors.empty? && m_unsupported.empty?

  # only run the vendor check if the legacy profile-path is not used as argument
  if @legacy_profile_path == false
    # verify that a lockfile is present if we have dependencies
    if !metadata.dependencies.empty?
      error.call(meta_path, 0, 0, nil, 'Your profile needs to be vendored with `inspec vendor`.') if !lockfile_exists?
    end

    if lockfile_exists?
      # verify if metadata and lockfile are out of sync
      if lockfile.deps.size != metadata.dependencies.size
        error.call(meta_path, 0, 0, nil, 'inspec.yml and inspec.lock are out-of-sync. Please re-vendor with `inspec vendor`.')
      end

      # verify if metadata and lockfile have the same dependency names
      metadata.dependencies.each { |dep|
        # Skip if the dependency does not specify a name
        next if dep[:name].nil?

        # TODO: should we also verify that the soure is the same?
        if !lockfile.deps.map { |x| x[:name] }.include? dep[:name]
          error.call(meta_path, 0, 0, nil, "Cannot find #{dep[:name]} in lockfile. Please re-vendor with `inspec vendor`.")
        end
      }
    end
  end

  # extract profile name
  result[:summary][:profile] = metadata.params[:name]

  count = controls_count
  result[:summary][:controls] = count
  if count == 0
    warn.call(nil, nil, nil, nil, 'No controls or tests were defined.')
  else
    @logger.info("Found #{count} controls.")
  end

  # iterate over hash of groups
  params[:controls].each { |id, control|
    sfile = control[:source_location][:ref]
    sline = control[:source_location][:line]
    error.call(sfile, sline, nil, id, 'Avoid controls with empty IDs') if id.nil? or id.empty?
    next if id.start_with? '(generated '
    warn.call(sfile, sline, nil, id, "Control #{id} has no title") if control[:title].to_s.empty?
    warn.call(sfile, sline, nil, id, "Control #{id} has no descriptions") if control[:descriptions][:default].to_s.empty?
    warn.call(sfile, sline, nil, id, "Control #{id} has impact > 1.0") if control[:impact].to_f > 1.0
    warn.call(sfile, sline, nil, id, "Control #{id} has impact < 0.0") if control[:impact].to_f < 0.0
    warn.call(sfile, sline, nil, id, "Control #{id} has no tests defined") if control[:checks].nil? or control[:checks].empty?
  }

  # profile is valid if we could not find any error
  result[:summary][:valid] = result[:errors].empty?

  @logger.info 'Control definitions OK.' if result[:warnings].empty?
  result
end

#collect_tests(include_list = @controls) ⇒ Object

# File 'lib/inspec/profile.rb', line 188

def collect_tests(include_list = @controls)
  unless @tests_collected
    return unless supports_platform?
    locked_dependencies.each(&:collect_tests)

    tests.each do |path, content|
      next if content.nil? || content.empty?
      abs_path = source_reader.target.abs_path(path)
      @runner_context.load_control_file(content, abs_path, nil)
    end
    @tests_collected = true
  end
  filter_controls(@runner_context.all_rules, include_list)
end

#controls_count ⇒ Object

# File 'lib/inspec/profile.rb', line 435

def controls_count
  params[:controls].values.length
end

#cwd ⇒ Object

TODO(ssd): Relative path handling really needs to be carefully thought through, especially with respect to relative paths in tarballs.

# File 'lib/inspec/profile.rb', line 501

def cwd
  @target.is_a?(String) && File.directory?(@target) ? @target : './'
end

#files ⇒ Object

# File 'lib/inspec/profile.rb', line 492

def files
  @source_reader.target.files
end

#filter_controls(controls_array, include_list) ⇒ Object

# File 'lib/inspec/profile.rb', line 203

def filter_controls(controls_array, include_list)
  return controls_array if include_list.nil? || include_list.empty?

  # Check for anything that might be a regex in the list, and make it official
  include_list.each_with_index do |inclusion, index|
    next if inclusion.is_a?(Regexp)
    # Insist the user wrap the regex in slashes to demarcate it as a regex
    next unless inclusion.start_with?('/') && inclusion.end_with?('/')
    inclusion = inclusion[1..-2] # Trim slashes
    begin
      re = Regexp.new(inclusion)
      include_list[index] = re
    rescue RegexpError => e
      warn "Ignoring unparseable regex '/#{inclusion}/' in --control CLI option: #{e.message}"
      include_list[index] = nil
    end
  end
  include_list.compact!

  controls_array.select do |c|
    id = ::Inspec::Rule.rule_id(c)
    include_list.any? do |inclusion|
      # Try to see if the inclusion is a regex, and if it matches
      inclusion == id || (inclusion.is_a?(Regexp) && inclusion =~ id)
    end
  end
end

#generate_lockfile ⇒ Inspec::Lockfile

Generate an in-memory lockfile. This won’t render the lock file to disk, it must be explicitly written to disk by the caller.

Parameters:

• vendor_path (String) —

  Path to the on-disk vendor dir

Returns:

• (Inspec::Lockfile)

# File 'lib/inspec/profile.rb', line 520

def generate_lockfile
  res = Inspec::DependencySet.new(cwd, @cache, nil, @backend)
  res.vendor(metadata.dependencies)
  Inspec::Lockfile.from_dependency_set(res)
end

#info(res = params.dup) ⇒ Object

rubocop:disable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity, Metrics/MethodLength

# File 'lib/inspec/profile.rb', line 271

def info(res = params.dup) # rubocop:disable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity, Metrics/MethodLength
  # add information about the controls
  res[:controls] = res[:controls].map do |id, rule|
    next if id.to_s.empty?
    data = rule.dup
    data.delete(:checks)
    data[:impact] ||= 0.5
    data[:impact] = 1.0 if data[:impact] > 1.0
    data[:impact] = 0.0 if data[:impact] < 0.0
    data[:id] = id

    # if the code field is empty try and pull info from dependencies
    if data[:code].empty? && parent_profile.nil?
      locked_dependencies.dep_list.each do |_name, dep|
        profile = dep.profile
        code = Inspec::MethodSource.code_at(data[:source_location], profile.source_reader)
        data[:code] = code unless code.nil? || code.empty?
        break if !data[:code].empty?
      end
    end
    data
  end.compact

  # resolve hash structure in groups
  res[:groups] = res[:groups].map do |id, group|
    group[:id] = id
    group
  end

  # add information about the required inputs
  if res[:inputs].nil? || res[:inputs].empty?
    # convert to array for backwards compatability
    res[:inputs] = []
  else
    res[:inputs] = res[:inputs].values.map(&:to_hash)
  end
  res[:sha256] = sha256
  res[:parent_profile] = parent_profile unless parent_profile.nil?

  if !supports_platform?
    res[:status] = 'skipped'
    msg = "Skipping profile: '#{name}' on unsupported platform: '#{backend.platform.name}/#{backend.platform.release}'."
    res[:skip_message] = msg
  else
    res[:status] = 'loaded'
  end

  # convert legacy os-* supports to their platform counterpart
  if res[:supports] && !res[:supports].empty?
    res[:supports].each do |support|
      support[:"platform-family"] = support.delete(:"os-family") if support.key?(:"os-family")
      support[:"platform-name"] = support.delete(:"os-name") if support.key?(:"os-name")
    end
  end

  res
end

#info! ⇒ Object

return info using uncached params

# File 'lib/inspec/profile.rb', line 267

def info!
  info(load_params.dup)
end

#load_dependencies ⇒ Object

# File 'lib/inspec/profile.rb', line 526

def load_dependencies
  config = {
    cwd: cwd,
    cache: @cache,
    backend: @backend,
    parent_profile: name,
  }
  Inspec::DependencySet.from_lockfile(lockfile, config, { inputs: @input_values })
end

#load_libraries ⇒ Object

# File 'lib/inspec/profile.rb', line 231

def load_libraries
  return @runner_context if @libraries_loaded

  locked_dependencies.dep_list.each_with_index do |(_name, dep), i|
    d = dep.profile
    # this will force a dependent profile load so we are only going to add
    # this metadata if the parent profile is supported.
    if supports_platform? && !d.supports_platform?
      # since ruby 1.9 hashes are ordered so we can just use index values here
      metadata.dependencies[i][:status] = 'skipped'
      msg = "Skipping profile: '#{d.name}' on unsupported platform: '#{d.backend.platform.name}/#{d.backend.platform.release}'."
      metadata.dependencies[i][:skip_message] = msg
      next
    elsif metadata.dependencies[i]
      # Currently wrapper profiles will load all dependencies, and then we
      # load them again when we dive down. This needs to be re-done.
      metadata.dependencies[i][:status] = 'loaded'
    end
    c = d.load_libraries
    @runner_context.add_resources(c)
  end

  libs = libraries.map do |path, content|
    [content, path]
  end

  @runner_context.load_libraries(libs)
  @libraries_loaded = true
  @runner_context
end

#locked_dependencies ⇒ Object

# File 'lib/inspec/profile.rb', line 476

def locked_dependencies
  @locked_dependencies ||= load_dependencies
end

#lockfile ⇒ Object

# File 'lib/inspec/profile.rb', line 505

def lockfile
  @lockfile ||= if lockfile_exists?
                  Inspec::Lockfile.from_content(@source_reader.target.read('inspec.lock'))
                else
                  generate_lockfile
                end
end

#lockfile_exists? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/inspec/profile.rb', line 480

def lockfile_exists?
  @source_reader.target.files.include?('inspec.lock')
end

#lockfile_path ⇒ Object

# File 'lib/inspec/profile.rb', line 484

def lockfile_path
  File.join(cwd, 'inspec.lock')
end

#name ⇒ Object

# File 'lib/inspec/profile.rb', line 142

def name
  metadata.params[:name]
end

#params ⇒ Object

# File 'lib/inspec/profile.rb', line 184

def params
  @params ||= load_params
end

#register_metadata_inputs ⇒ Object

TODO: deprecate

# File 'lib/inspec/profile.rb', line 130

def register_metadata_inputs # TODO: deprecate
  if metadata.params.key?(:attributes) && metadata.params[:attributes].is_a?(Array)
    metadata.params[:attributes].each do |attribute|
      attr_dup = attribute.dup
      name = attr_dup.delete(:name)
      @runner_context.register_input(name, attr_dup)
    end
  elsif metadata.params.key?(:attributes)
    Inspec::Log.warn 'Inputs must be defined as an Array. Skipping current definition.'
  end
end

#root_path ⇒ Object

# File 'lib/inspec/profile.rb', line 488

def root_path
  @source_reader.target.prefix
end

#sha256 ⇒ Type

Calculate this profile’s SHA256 checksum. Includes metadata, dependencies, libraries, data files, and controls.

Returns:

• (Type) —

  description of returned object

# File 'lib/inspec/profile.rb', line 540

def sha256
  # get all dependency checksums
  deps = Hash[locked_dependencies.list.map { |k, v| [k, v.profile.sha256] }]

  res = OpenSSL::Digest::SHA256.new
  files = source_reader.tests.to_a + source_reader.libraries.to_a +
          source_reader.data_files.to_a +
          [['inspec.yml', source_reader.metadata.content]] +
          [['inspec.lock.deps', YAML.dump(deps)]]

  files.sort_by { |a| a[0] }
       .map { |f| res << f[0] << "\0" << f[1] << "\0" }

  res.digest.unpack('H*')[0]
end

#supported? ⇒ Boolean

Is this profile is supported on the current platform of the backend machine and the current inspec version.

Returns:

• (Boolean)

# File 'lib/inspec/profile.rb', line 160

def supported?
  supports_platform? && supports_runtime?
end

#supports_platform? ⇒ Boolean

We need to check if we’re using a Mock’d backend for tests to function.

Returns:

• (Boolean)

# File 'lib/inspec/profile.rb', line 166

def supports_platform?
  if @supports_platform.nil?
    @supports_platform = metadata.supports_platform?(@backend)
  end
  if @backend.backend.class.to_s == 'Train::Transports::Mock::Connection'
    @supports_platform = true
  end

  @supports_platform
end

#supports_runtime? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/inspec/profile.rb', line 177

def supports_runtime?
  if @supports_runtime.nil?
    @supports_runtime = metadata.supports_runtime?
  end
  @supports_runtime
end

#to_s ⇒ Object

# File 'lib/inspec/profile.rb', line 262

def to_s
  "Inspec::Profile<#{name}>"
end

#version ⇒ Object

# File 'lib/inspec/profile.rb', line 146

def version
  metadata.params[:version]
end

#writable? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/inspec/profile.rb', line 150

def writable?
  @writable
end