Class: Inspec::BaseCLI

Inherits:

Thor

• Object
• Thor
• Inspec::BaseCLI

Defined in:

lib/inspec/plugin/v2/plugin_types/cli.rb,
lib/inspec/base_cli.rb

Overview

The InSpec load order has this file being loaded before ‘inspec/base_cli` can finish being loaded. So, we must define Inspec::BaseCLI here first to avoid a NameError below.

Direct Known Subclasses

InspecCLI, Plugin::V2::PluginType::CliCommand, Supermarket::SupermarketCLI

Class Attribute Summary

• .inspec_cli_command ⇒ Object

  Returns the value of attribute inspec_cli_command.

Class Method Summary

• .audit_log_options ⇒ Object
• .check_license! ⇒ Object

  EULA acceptance.

• .exec_options ⇒ Object
• .exit_on_failure? ⇒ Boolean

  github.com/erikhuda/thor/issues/244.

• .fetch_and_persist_license ⇒ Object
• .format_platform_info(params: {}, indent: 0, color: 39, enable_color: true) ⇒ Object
• .help(*args) ⇒ Object
• .profile_options ⇒ Object
• .start(given_args = ARGV, config = {}) ⇒ Object
• .supermarket_options ⇒ Object
• .target_options ⇒ Object

  rubocop:disable Metrics/MethodLength.

Class Attribute Details

.inspec_cli_command ⇒ Object

Returns the value of attribute inspec_cli_command.

# File 'lib/inspec/base_cli.rb', line 31

def inspec_cli_command
  @inspec_cli_command
end

Class Method Details

.audit_log_options ⇒ Object

# File 'lib/inspec/base_cli.rb', line 239

def self.audit_log_options
  option :audit_log_location, type: :string,
  desc: "Audit log location to send diagnostic log messages to. (default: '~/.inspec/logs/inspec-audit.log')"
end

.check_license! ⇒ Object

EULA acceptance

# File 'lib/inspec/base_cli.rb', line 67

def self.check_license!
  allowed_commands = ["-h", "--help", "help", "-v", "--version", "version"]

  require "license_acceptance/acceptor"
  begin
    if (allowed_commands & ARGV.map(&:downcase)).empty? && # Did they use a non-exempt command?
        !ARGV.empty? # Did they supply at least one command?
      license_acceptor_output = LicenseAcceptance::Acceptor.check_and_persist(
        Inspec::Dist::EXEC_NAME,
        Inspec::VERSION,
        logger: Inspec::Log
      )
      license_acceptor_output
    end
  rescue LicenseAcceptance::LicenseNotAcceptedError
    Inspec::Log.error "#{Inspec::Dist::PRODUCT_NAME} cannot execute without accepting the license"
    Inspec::UI.new.exit(:license_not_accepted)
  end
end

.exec_options ⇒ Object

# File 'lib/inspec/base_cli.rb', line 186

def self.exec_options
  target_options
  profile_options
  supermarket_options
  option :controls, type: :array,
    desc: "A list of control names to run, or a list of /regexes/ to match against control names. Ignore all other tests."
  option :tags, type: :array,
    desc: "A list of tags names that are part of controls to filter and run controls, or a list of /regexes/ to match against tags names of controls. Ignore all other tests."
  option :reporter, type: :array,
    banner: "one two:/output/file/path",
    desc: "Enable one or more output reporters: cli, documentation, html, progress, progress-bar, json, json-min, json-rspec, junit, yaml"
  option :reporter_message_truncation, type: :string,
    desc: "Number of characters to truncate failure messages and code_desc in report data to (default: no truncation)"
  option :reporter_backtrace_inclusion, type: :boolean,
    desc: "Include a code backtrace in report data (default: true)"
  option :input, type: :array, banner: "name1=value1 name2=value2",
    desc: "Specify one or more inputs directly on the command line, as --input NAME=VALUE. Accepts single-quoted YAML and JSON structures."
  option :input_file, type: :array,
    desc: "Load one or more input files, a YAML file with values for the profile to use."
  option :waiver_file, type: :array,
    desc: "Load one or more waiver files."
  option :attrs, type: :array,
    desc: "Legacy name for --input-file - deprecated."
  option :create_lockfile, type: :boolean,
    desc: "Write out a lockfile based on this execution (unless one already exists)"
  option :backend_cache, type: :boolean,
    desc: "Allow caching for backend command output. (default: true)."
  option :show_progress, type: :boolean,
    desc: "Show progress while executing tests."
  option :distinct_exit, type: :boolean, default: true,
    desc: "Exit with code 101 if any tests fail, and 100 if any are skipped (default).  If disabled, exit 0 on skips and 1 for failures."
  option :silence_deprecations, type: :array,
    banner: "[all]|[GROUP GROUP...]",
    desc: "Suppress deprecation warnings. See install_dir/etc/deprecations.json for a list of GROUPs or use 'all'."
  option :diff, type: :boolean, default: true,
    desc: "Use --no-diff to suppress 'diff' output of failed textual test results."
  option :sort_results_by, type: :string, default: "file", banner: "--sort-results-by=none|control|file|random",
    desc: "After normal execution order, results are sorted by control ID, or by file (default), or randomly. None uses legacy unsorted mode."
  option :filter_empty_profiles, type: :boolean, default: false,
    desc: "Filter empty profiles (profiles without controls) from the report."
  option :filter_waived_controls, type: :boolean,
    desc: "Do not execute waived controls in InSpec at all. Must use with --waiver-file. Ignores the `run` setting of the waiver file."
  option :retain_waiver_data, type: :boolean,
    desc: "EXPERIMENTAL: Only works in conjunction with --filter-waived-controls, retains waiver data about controls that were skipped"
  option :command_timeout, type: :numeric,
    desc: "Maximum seconds to allow commands to run during execution.",
    long_desc: "Maximum seconds to allow commands to run during execution. A timed out command is considered an error."
  option :reporter_include_source, type: :boolean, default: false,
    desc: "Include full source code of controls in the CLI report"
  option :enhanced_outcomes, type: :boolean,
    desc: "Show enhanced outcomes in output"
end

.exit_on_failure? ⇒ Boolean

github.com/erikhuda/thor/issues/244

Returns:

• (Boolean)

# File 'lib/inspec/base_cli.rb', line 88

def self.exit_on_failure?
  true
end

.fetch_and_persist_license ⇒ Object

# File 'lib/inspec/base_cli.rb', line 43

def self.fetch_and_persist_license
  allowed_commands = ["-h", "--help", "help", "-v", "--version", "version", "license"]
  begin
    if (allowed_commands & ARGV.map(&:downcase)).empty? && !ARGV.empty?
      license_keys = ChefLicensing.fetch_and_persist

      # Only if EULA acceptance or license key args are present. And licenses are successfully persisted, do clean exit.
      if ARGV.select { |arg| !(arg.include? "--chef-license") }.empty? && !(license_keys.nil? || license_keys.empty?)
        Inspec::UI.new.exit
      end
    end
  rescue ChefLicensing::LicenseKeyFetcher::LicenseKeyNotFetchedError
    Inspec::Log.error "#{Inspec::Dist::PRODUCT_NAME} cannot execute without valid licenses."
    Inspec::UI.new.exit(:license_not_set)
  rescue ChefLicensing::SoftwareNotEntitled
    Inspec::Log.error "License is not entitled to use InSpec."
    Inspec::UI.new.exit(:license_not_entitled)
  rescue ChefLicensing::Error => e
    Inspec::Log.error e.message
    Inspec::UI.new.exit(:usage_error)
  end
end

.format_platform_info(params: {}, indent: 0, color: 39, enable_color: true) ⇒ Object

# File 'lib/inspec/base_cli.rb', line 274

def self.format_platform_info(params: {}, indent: 0, color: 39, enable_color: true)
  str = ""
  params.each do |item, info|
    data = info

    # Format Array for better output if applicable
    data = data.join(", ") if data.is_a?(Array)

    # Do not output fields of data is missing ('unknown' is fine)
    next if data.nil?

    data = "\e[1m\e[#{color}m#{data}\e[0m" if enable_color
    str << format("#{" " * indent}%-10s %s\n", item.to_s.capitalize + ":", data)
  end
  str
end

.help(*args) ⇒ Object

# File 'lib/inspec/base_cli.rb', line 244

def self.help(*args)
  super(*args)
  if Inspec::Dist::EXEC_NAME == "inspec"
    puts <<~CHEF_LICENSE_HELP
      Chef Compliance has three tiers of licensing:

      * Free-Tier
        Users are limited to audit maximum of 10 targets
        Entitled for personal or non-commercial use

      * Trial
        Entitled for unlimited number of targets
        Entitled for 30 days only
        Entitled for commercial use

      * Commercial
        Entitled for purchased number of targets
        Entitled for period of subscription purchased
        Entitled for commercial use

      inspec license add: This command helps users to generate or add an additional license (not applicable to local licensing service)

      For more information please visit:
      www.chef.io/licensing/faqs
    CHEF_LICENSE_HELP
  end
  puts "\nAbout #{Inspec::Dist::PRODUCT_NAME}:"
  puts "  Patents: chef.io/patents\n\n"
end

.profile_options ⇒ Object

# File 'lib/inspec/base_cli.rb', line 170

def self.profile_options
  option :profiles_path, type: :string,
    desc: "Folder which contains referenced profiles."
  option :vendor_cache, type: :string,
    desc: "Use the given path for caching dependencies, (default: ~/.inspec/cache)."
  option :auto_install_gems, type: :boolean, default: false,
    desc: "Auto installs gem dependencies of the profile or resource pack."
  option :allow_unsigned_profiles, type: :boolean, default: false,
    desc: "Allow unsigned profiles to be used in InSpec command."
end

.start(given_args = ARGV, config = {}) ⇒ Object

# File 'lib/inspec/base_cli.rb', line 34

def self.start(given_args = ARGV, config = {})
  if Inspec::Dist::EXEC_NAME == "inspec"
    check_license! if config[:enforce_license] || config[:enforce_license].nil?
    fetch_and_persist_license
  end

  super(given_args, config)
end

.supermarket_options ⇒ Object

# File 'lib/inspec/base_cli.rb', line 181

def self.supermarket_options
  option :supermarket_url, type: :string,
    desc: "Specify the URL of a private Chef Supermarket."
end

.target_options ⇒ Object

rubocop:disable Metrics/MethodLength

# File 'lib/inspec/base_cli.rb', line 92

def self.target_options # rubocop:disable Metrics/MethodLength
  option :target, aliases: :t, type: :string,
    desc: "Simple targeting option using URIs, e.g. ssh://user:pass@host:port"
  option :backend, aliases: :b, type: :string,
    desc: "Choose a backend: local, ssh, winrm, docker."
  option :host, type: :string,
    desc: "Specify a remote host which is tested."
  option :port, aliases: :p, type: :numeric,
    desc: "Specify the login port for a remote scan."
  option :user, type: :string,
    desc: "The login user for a remote scan."
  option :password, type: :string, lazy_default: -1,
    desc: "Login password for a remote scan, if required."
  option :enable_password, type: :string, lazy_default: -1,
    desc: "Password for enable mode on Cisco IOS devices."
  option :key_files, aliases: :i, type: :array,
    desc: "Login key or certificate file for a remote scan."
  option :path, type: :string,
    desc: "Login path to use when connecting to the target (WinRM)."
  option :sudo, type: :boolean,
    desc: "Run scans with sudo. Only activates on Unix and non-root user."
  option :sudo_password, type: :string, lazy_default: -1,
    desc: "Specify a sudo password, if it is required."
  option :sudo_options, type: :string,
    desc: "Additional sudo options for a remote scan."
  option :sudo_command, type: :string,
    desc: "Alternate command for sudo."
  option :shell, type: :boolean,
    desc: "Run scans in a subshell. Only activates on Unix."
  option :shell_options, type: :string,
    desc: "Additional shell options."
  option :shell_command, type: :string,
    desc: "Specify a particular shell to use."
  option :ssl, type: :boolean,
    desc: "Use SSL for transport layer encryption (WinRM)."
  option :ssl_peer_fingerprint, type: :string,
    desc: "Specify SSL peer fingerprint in place of certificates for SSL authentication (WinRM)."
  option :self_signed, type: :boolean,
    desc: "Allow remote scans with self-signed certificates (WinRM)."
  option :ca_trust_file, type: :string,
    desc: "Specify CA certificate required for SSL authentication (WinRM)."
  option :client_cert, type: :string,
    desc: "Specify client certificate for SSL authentication"
  option :client_key, type: :string,
    desc: "Specify client key required with client cert for SSL authentication"
  option :client_key_pass, type: :string, lazy_default: -1,
    desc: "Specify client cert password, if required for SSL authentication"
  option :winrm_transport, type: :string, default: "negotiate",
    desc: "Specify which transport to use, defaults to negotiate (WinRM)."
  option :winrm_disable_sspi, type: :boolean,
    desc: "Whether to use disable sspi authentication, defaults to false (WinRM)."
  option :winrm_basic_auth_only, type: :boolean,
    desc: "Whether to use basic authentication, defaults to false (WinRM)."
  option :config, type: :string,
    desc: "Read configuration from JSON file (`-` reads from stdin)."
  option :json_config, type: :string, hide: true
  option :proxy_command, type: :string,
    desc: "Specifies the command to use to connect to the server."
  option :bastion_host, type: :string,
    desc: "Specifies the bastion host if applicable."
  option :bastion_user, type: :string,
    desc: "Specifies the bastion user if applicable."
  option :bastion_port, type: :string,
    desc: "Specifies the bastion port if applicable."
  option :insecure, type: :boolean, default: false,
    desc: "Disable SSL verification on select targets."
  option :target_id, type: :string,
    desc: "Provide an ID which will be included on reports - deprecated"
  option :winrm_shell_type, type: :string, default: "powershell",
    desc: "Specify which shell type to use (powershell, elevated, or cmd), which defaults to powershell (WinRM)."
  option :docker_url, type: :string,
    desc: "Provides path to Docker API endpoint (Docker). Defaults to unix:///var/run/docker.sock on Unix systems and tcp://localhost:2375 on Windows."
  option :ssh_config_file, type: :array,
    desc: "A list of paths to the ssh config file, e.g ~/.ssh/config or /etc/ssh/ssh_config."
  option :podman_url, type: :string,
    desc: "Provides the path to the Podman API endpoint. Defaults to unix:///run/user/$UID/podman/podman.sock for rootless container, unix:///run/podman/podman.sock for rootful container (for this you need to execute inspec as root user)."
end