Class: Inspec::Profile
- Inherits:
-
Object
- Object
- Inspec::Profile
- Extended by:
- Forwardable
- Defined in:
- lib/inspec/profile.rb
Instance Attribute Summary collapse
-
#backend ⇒ Object
readonly
Returns the value of attribute backend.
-
#check_mode ⇒ Object
readonly
Returns the value of attribute check_mode.
-
#parent_profile ⇒ Object
Returns the value of attribute parent_profile.
-
#runner_context ⇒ Object
readonly
Returns the value of attribute runner_context.
-
#source_reader ⇒ Object
readonly
Returns the value of attribute source_reader.
Class Method Summary collapse
-
.copy_deps_into_cache(file_provider, opts) ⇒ Object
Check if the profile contains a vendored cache, move content into global cache TODO: use relative file provider TODO: use source reader for Cache as well.
- .for_fetcher(fetcher, opts) ⇒ Object
- .for_path(path, opts) ⇒ Object
- .for_target(target, opts = {}) ⇒ Object
- .resolve_target(target, cache) ⇒ Object
Instance Method Summary collapse
-
#archive(opts) ⇒ Object
generates a archive of a folder profile assumes that the profile was checked before.
-
#check ⇒ Boolean
Check if the profile is internally well-structured.
- #collect_tests(include_list = @controls) ⇒ Object
- #controls_count ⇒ Object
-
#cwd ⇒ Object
TODO(ssd): Relative path handling really needs to be carefully thought through, especially with respect to relative paths in tarballs.
- #files ⇒ Object
- #filter_controls(controls_array, include_list) ⇒ Object
-
#generate_lockfile ⇒ Inspec::Lockfile
Generate an in-memory lockfile.
- #info(res = params.dup) ⇒ Object
-
#info! ⇒ Object
return info using uncached params.
-
#initialize(source_reader, options = {}) ⇒ Profile
constructor
rubocop:disable Metrics/AbcSize.
- #load_dependencies ⇒ Object
- #load_libraries ⇒ Object
- #locked_dependencies ⇒ Object
- #lockfile ⇒ Object
- #lockfile_exists? ⇒ Boolean
- #lockfile_path ⇒ Object
- #name ⇒ Object
- #params ⇒ Object
- #root_path ⇒ Object
-
#sha256 ⇒ Type
Calculate this profile’s SHA256 checksum.
-
#supported? ⇒ Boolean
Is this profile is supported on the current platform of the backend machine and the current inspec version.
- #supports_platform? ⇒ Boolean
- #supports_runtime? ⇒ Boolean
- #to_s ⇒ Object
- #version ⇒ Object
- #writable? ⇒ Boolean
Constructor Details
#initialize(source_reader, options = {}) ⇒ Profile
rubocop:disable Metrics/AbcSize
88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 |
# File 'lib/inspec/profile.rb', line 88 def initialize(source_reader, = {}) @source_reader = source_reader @target = [:target] @logger = [:logger] || Logger.new(nil) @locked_dependencies = [:dependencies] @controls = [:controls] || [] @writable = [:writable] || false @profile_id = [:id] @cache = [:vendor_cache] || Cache.new @attr_values = [:attributes] @tests_collected = false @libraries_loaded = false @check_mode = [:check_mode] || false Metadata.finalize(@source_reader., @profile_id, ) # if a backend has already been created, clone it so each profile has its own unique backend object # otherwise, create a new backend object # # This is necessary since we store the RuntimeProfile on the backend object. If a user runs `inspec exec` # with multiple profiles, only the RuntimeProfile for the last-loaded profile will be available if # we share the backend between profiles. # # This will cause issues if a profile attempts to load a file via `inspec.profile.file` = .reject { |k, _| k == 'target' } # See https://github.com/chef/inspec/pull/1646 @backend = [:backend].nil? ? Inspec::Backend.create() : [:backend].dup @runtime_profile = RuntimeProfile.new(self) @backend.profile = @runtime_profile @runner_context = [:profile_context] || Inspec::ProfileContext.for_profile(self, @backend, @attr_values) @supports_platform = .supports_platform?(@backend) @supports_runtime = .supports_runtime? end |
Instance Attribute Details
#backend ⇒ Object (readonly)
Returns the value of attribute backend.
81 82 83 |
# File 'lib/inspec/profile.rb', line 81 def backend @backend end |
#check_mode ⇒ Object (readonly)
Returns the value of attribute check_mode.
81 82 83 |
# File 'lib/inspec/profile.rb', line 81 def check_mode @check_mode end |
#parent_profile ⇒ Object
Returns the value of attribute parent_profile.
82 83 84 |
# File 'lib/inspec/profile.rb', line 82 def parent_profile @parent_profile end |
#runner_context ⇒ Object (readonly)
Returns the value of attribute runner_context.
81 82 83 |
# File 'lib/inspec/profile.rb', line 81 def runner_context @runner_context end |
#source_reader ⇒ Object (readonly)
Returns the value of attribute source_reader.
81 82 83 |
# File 'lib/inspec/profile.rb', line 81 def source_reader @source_reader end |
Class Method Details
.copy_deps_into_cache(file_provider, opts) ⇒ Object
Check if the profile contains a vendored cache, move content into global cache TODO: use relative file provider TODO: use source reader for Cache as well
35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 |
# File 'lib/inspec/profile.rb', line 35 def self.copy_deps_into_cache(file_provider, opts) # filter content cache = file_provider.files.find_all do |entry| entry.start_with?('vendor') end content = Hash[cache.map { |x| [x, file_provider.binread(x)] }] keys = content.keys keys.each do |key| next if content[key].nil? # remove prefix rel = Pathname.new(key).relative_path_from(Pathname.new('vendor')).to_s tar = Pathname.new(opts[:vendor_cache].path).join(rel) FileUtils.mkdir_p tar.dirname.to_s Inspec::Log.debug "Copy #{tar} to cache directory" File.binwrite(tar.to_s, content[key]) end end |
.for_fetcher(fetcher, opts) ⇒ Object
69 70 71 72 73 |
# File 'lib/inspec/profile.rb', line 69 def self.for_fetcher(fetcher, opts) opts[:vendor_cache] = opts[:vendor_cache] || Cache.new path, writable = fetcher.fetch for_path(path, opts.merge(target: fetcher.target, writable: writable)) end |
.for_path(path, opts) ⇒ Object
54 55 56 57 58 59 60 61 62 63 64 65 66 67 |
# File 'lib/inspec/profile.rb', line 54 def self.for_path(path, opts) file_provider = FileProvider.for_path(path) rp = file_provider.relative_provider # copy embedded dependecies into global cache copy_deps_into_cache(rp, opts) unless opts[:vendor_cache].nil? reader = Inspec::SourceReader.resolve(rp) if reader.nil? raise("Don't understand inspec profile in #{path}, it " \ "doesn't look like a supported profile structure.") end new(reader, opts) end |
.for_target(target, opts = {}) ⇒ Object
75 76 77 78 79 |
# File 'lib/inspec/profile.rb', line 75 def self.for_target(target, opts = {}) opts[:vendor_cache] = opts[:vendor_cache] || Cache.new fetcher = resolve_target(target, opts[:vendor_cache]) for_fetcher(fetcher, opts) end |
.resolve_target(target, cache) ⇒ Object
27 28 29 30 |
# File 'lib/inspec/profile.rb', line 27 def self.resolve_target(target, cache) Inspec::Log.debug "Resolve #{target} into cache #{cache.path}" Inspec::CachedFetcher.new(target, cache) end |
Instance Method Details
#archive(opts) ⇒ Object
generates a archive of a folder profile assumes that the profile was checked before
353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 |
# File 'lib/inspec/profile.rb', line 353 def archive(opts) # check if file exists otherwise overwrite the archive dst = archive_name(opts) if dst.exist? && !opts[:overwrite] @logger.info "Archive #{dst} exists already. Use --overwrite." return false end # remove existing archive File.delete(dst) if dst.exist? @logger.info "Generate archive #{dst}." # filter files that should not be part of the profile # TODO ignore all .files, but add the files to debug output # display all files that will be part of the archive @logger.debug 'Add the following files to archive:' files.each { |f| @logger.debug ' ' + f } if opts[:zip] # generate zip archive require 'inspec/archive/zip' zag = Inspec::Archive::ZipArchiveGenerator.new zag.archive(root_path, files, dst) else # generate tar archive require 'inspec/archive/tar' tag = Inspec::Archive::TarArchiveGenerator.new tag.archive(root_path, files, dst) end @logger.info 'Finished archive generation.' true end |
#check ⇒ Boolean
Check if the profile is internally well-structured. The logger will be used to print information on errors and warnings which are found.
262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 |
# File 'lib/inspec/profile.rb', line 262 def check # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity, Metrics/MethodLength # initial values for response object result = { summary: { valid: false, timestamp: Time.now.iso8601, location: @target, profile: nil, controls: 0, }, errors: [], warnings: [], } entry = lambda { |file, line, column, control, msg| { file: file, line: line, column: column, control_id: control, msg: msg, } } warn = lambda { |file, line, column, control, msg| @logger.warn(msg) result[:warnings].push(entry.call(file, line, column, control, msg)) } error = lambda { |file, line, column, control, msg| @logger.error(msg) result[:errors].push(entry.call(file, line, column, control, msg)) } @logger.info "Checking profile in #{@target}" = @source_reader.target.abs_path(@source_reader..ref) if =~ /metadata\.rb$/ warn.call(@target, 0, 0, nil, 'The use of `metadata.rb` is deprecated. Use `inspec.yml`.') end # verify metadata m_errors, m_warnings = .valid m_errors.each { |msg| error.call(, 0, 0, nil, msg) } m_warnings.each { |msg| warn.call(, 0, 0, nil, msg) } m_unsupported = .unsupported m_unsupported.each { |u| warn.call(, 0, 0, nil, "doesn't support: #{u}") } @logger.info 'Metadata OK.' if m_errors.empty? && m_unsupported.empty? # extract profile name result[:summary][:profile] = .params[:name] # check if the profile is using the old test directory instead of the # new controls directory if @source_reader.tests.keys.any? { |x| x =~ %r{^test/$} } warn.call(@target, 0, 0, nil, 'Profile uses deprecated `test` directory, rename it to `controls`.') end count = controls_count result[:summary][:controls] = count if count == 0 warn.call(nil, nil, nil, nil, 'No controls or tests were defined.') else @logger.info("Found #{count} controls.") end # iterate over hash of groups params[:controls].each { |id, control| sfile = control[:source_location][:ref] sline = control[:source_location][:line] error.call(sfile, sline, nil, id, 'Avoid controls with empty IDs') if id.nil? or id.empty? next if id.start_with? '(generated ' warn.call(sfile, sline, nil, id, "Control #{id} has no title") if control[:title].to_s.empty? warn.call(sfile, sline, nil, id, "Control #{id} has no description") if control[:desc].to_s.empty? warn.call(sfile, sline, nil, id, "Control #{id} has impact > 1.0") if control[:impact].to_f > 1.0 warn.call(sfile, sline, nil, id, "Control #{id} has impact < 0.0") if control[:impact].to_f < 0.0 warn.call(sfile, sline, nil, id, "Control #{id} has no tests defined") if control[:checks].nil? or control[:checks].empty? } # profile is valid if we could not find any error result[:summary][:valid] = result[:errors].empty? @logger.info 'Control definitions OK.' if result[:warnings].empty? result end |
#collect_tests(include_list = @controls) ⇒ Object
164 165 166 167 168 169 170 171 172 173 174 175 176 |
# File 'lib/inspec/profile.rb', line 164 def collect_tests(include_list = @controls) if !@tests_collected locked_dependencies.each(&:collect_tests) tests.each do |path, content| next if content.nil? || content.empty? abs_path = source_reader.target.abs_path(path) @runner_context.load_control_file(content, abs_path, nil) end @tests_collected = true end filter_controls(@runner_context.all_rules, include_list) end |
#controls_count ⇒ Object
347 348 349 |
# File 'lib/inspec/profile.rb', line 347 def controls_count params[:controls].values.length end |
#cwd ⇒ Object
TODO(ssd): Relative path handling really needs to be carefully thought through, especially with respect to relative paths in tarballs.
413 414 415 |
# File 'lib/inspec/profile.rb', line 413 def cwd @target.is_a?(String) && File.directory?(@target) ? @target : './' end |
#files ⇒ Object
404 405 406 |
# File 'lib/inspec/profile.rb', line 404 def files @source_reader.target.files end |
#filter_controls(controls_array, include_list) ⇒ Object
178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 |
# File 'lib/inspec/profile.rb', line 178 def filter_controls(controls_array, include_list) return controls_array if include_list.nil? || include_list.empty? # Check for anything that might be a regex in the list, and make it official include_list.each_with_index do |inclusion, index| next if inclusion.is_a?(Regexp) # Insist the user wrap the regex in slashes to demarcate it as a regex next unless inclusion.start_with?('/') && inclusion.end_with?('/') inclusion = inclusion[1..-2] # Trim slashes begin re = Regexp.new(inclusion) include_list[index] = re rescue RegexpError => e warn "Ignoring unparseable regex '/#{inclusion}/' in --control CLI option: #{e.}" include_list[index] = nil end end include_list.compact! controls_array.select do |c| id = ::Inspec::Rule.rule_id(c) include_list.any? do |inclusion| # Try to see if the inclusion is a regex, and if it matches inclusion == id || (inclusion.is_a?(Regexp) && inclusion =~ id) end end end |
#generate_lockfile ⇒ Inspec::Lockfile
Generate an in-memory lockfile. This won’t render the lock file to disk, it must be explicitly written to disk by the caller.
432 433 434 435 436 |
# File 'lib/inspec/profile.rb', line 432 def generate_lockfile res = Inspec::DependencySet.new(cwd, @cache, nil, @backend) res.vendor(.dependencies) Inspec::Lockfile.from_dependency_set(res) end |
#info(res = params.dup) ⇒ Object
232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 |
# File 'lib/inspec/profile.rb', line 232 def info(res = params.dup) # add information about the controls res[:controls] = res[:controls].map do |id, rule| next if id.to_s.empty? data = rule.dup data.delete(:checks) data[:impact] ||= 0.5 data[:impact] = 1.0 if data[:impact] > 1.0 data[:impact] = 0.0 if data[:impact] < 0.0 data[:id] = id data end.compact # resolve hash structure in groups res[:groups] = res[:groups].map do |id, group| group[:id] = id group end # add information about the required attributes res[:attributes] = res[:attributes].map(&:to_hash) unless res[:attributes].nil? || res[:attributes].empty? res[:sha256] = sha256 res[:parent_profile] = parent_profile unless parent_profile.nil? res end |
#info! ⇒ Object
return info using uncached params
228 229 230 |
# File 'lib/inspec/profile.rb', line 228 def info! info(load_params.dup) end |
#load_dependencies ⇒ Object
438 439 440 441 442 443 444 445 446 |
# File 'lib/inspec/profile.rb', line 438 def load_dependencies config = { cwd: cwd, cache: @cache, backend: @backend, parent_profile: name, } Inspec::DependencySet.from_lockfile(lockfile, config, { attributes: @attr_values }) end |
#load_libraries ⇒ Object
206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 |
# File 'lib/inspec/profile.rb', line 206 def load_libraries return @runner_context if @libraries_loaded locked_dependencies.each do |d| c = d.load_libraries @runner_context.add_resources(c) end libs = libraries.map do |path, content| [content, path] end @runner_context.load_libraries(libs) @libraries_loaded = true @runner_context end |
#locked_dependencies ⇒ Object
388 389 390 |
# File 'lib/inspec/profile.rb', line 388 def locked_dependencies @locked_dependencies ||= load_dependencies end |
#lockfile ⇒ Object
417 418 419 420 421 422 423 |
# File 'lib/inspec/profile.rb', line 417 def lockfile @lockfile ||= if lockfile_exists? Inspec::Lockfile.from_content(@source_reader.target.read('inspec.lock')) else generate_lockfile end end |
#lockfile_exists? ⇒ Boolean
392 393 394 |
# File 'lib/inspec/profile.rb', line 392 def lockfile_exists? @source_reader.target.files.include?('inspec.lock') end |
#lockfile_path ⇒ Object
396 397 398 |
# File 'lib/inspec/profile.rb', line 396 def lockfile_path File.join(cwd, 'inspec.lock') end |
#name ⇒ Object
124 125 126 |
# File 'lib/inspec/profile.rb', line 124 def name .params[:name] end |
#params ⇒ Object
160 161 162 |
# File 'lib/inspec/profile.rb', line 160 def params @params ||= load_params end |
#root_path ⇒ Object
400 401 402 |
# File 'lib/inspec/profile.rb', line 400 def root_path @source_reader.target.prefix end |
#sha256 ⇒ Type
Calculate this profile’s SHA256 checksum. Includes metadata, dependencies, libraries, data files, and controls.
452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 |
# File 'lib/inspec/profile.rb', line 452 def sha256 # get all dependency checksums deps = Hash[locked_dependencies.list.map { |k, v| [k, v.profile.sha256] }] res = OpenSSL::Digest::SHA256.new files = source_reader.tests.to_a + source_reader.libraries.to_a + source_reader.data_files.to_a + [['inspec.yml', source_reader..content]] + [['inspec.lock.deps', YAML.dump(deps)]] files.sort_by { |a| a[0] } .map { |f| res << f[0] << "\0" << f[1] << "\0" } res.digest.unpack('H*')[0] end |
#supported? ⇒ Boolean
Is this profile is supported on the current platform of the backend machine and the current inspec version.
142 143 144 |
# File 'lib/inspec/profile.rb', line 142 def supported? supports_platform? && supports_runtime? end |
#supports_platform? ⇒ Boolean
146 147 148 149 150 151 |
# File 'lib/inspec/profile.rb', line 146 def supports_platform? if @supports_platform.nil? @supports_platform = .supports_platform?(@backend) end @supports_platform end |
#supports_runtime? ⇒ Boolean
153 154 155 156 157 158 |
# File 'lib/inspec/profile.rb', line 153 def supports_runtime? if @supports_runtime.nil? @supports_runtime = .supports_runtime? end @supports_runtime end |
#to_s ⇒ Object
223 224 225 |
# File 'lib/inspec/profile.rb', line 223 def to_s "Inspec::Profile<#{name}>" end |
#version ⇒ Object
128 129 130 |
# File 'lib/inspec/profile.rb', line 128 def version .params[:version] end |
#writable? ⇒ Boolean
132 133 134 |
# File 'lib/inspec/profile.rb', line 132 def writable? @writable end |