Merge pull request #57 from chef-cookbooks/chris-rock/example

test-kitchen example for Chef Compliance direct reporting

examples/kitchen/.kitchen.linux.yml

@@ -0,0 +1,30 @@
+---
+driver:
+  name: vagrant
+
+provisioner:
+  name: chef_zero
+
+verifier:
+  name: inspec
+  sudo: true
+
+platforms:
+- name: bento/centos-7.2
+- name: bento/ubuntu-14.04
+
+suites:
+  - name: default
+    run_list:
+      - recipe[os-hardening]
+      - recipe[ssh-hardening]
+      - recipe[audit::default]
+    attributes:
+      audit:
+        server: <%= ENV['COMPLIANCE_API'] %>
+        token: <%= ENV['COMPLIANCE_ACCESSTOKEN'] %>
+        owner: admin
+        profiles:
+          base/linux: true
+          brewinc/ssh-hardening:
+            source: supermarket://hardening/ssh-hardening

examples/kitchen/.kitchen.win.yml

@@ -0,0 +1,25 @@
+---
+driver:
+  name: vagrant
+
+provisioner:
+  name: chef_zero
+
+verifier:
+  name: inspec
+  sudo: true
+
+platforms:
+- name: windows-2012r2
+
+suites:
+  - name: windows
+    run_list:
+      - recipe[audit::default]
+    attributes:
+      audit:
+        server: <%= ENV['COMPLIANCE_API'] %>
+        token: <%= ENV['COMPLIANCE_ACCESSTOKEN'] %>
+        owner: admin
+        profiles:
+          base/windows: true

examples/kitchen/Berksfile

@@ -0,0 +1,6 @@
+# encoding: utf-8
+source 'https://supermarket.chef.io'
+
+cookbook 'os-hardening', git: 'https://github.com/dev-sec/chef-os-hardening.git'
+cookbook 'ssh-hardening', git: 'https://github.com/dev-sec/chef-ssh-hardening.git'
+cookbook 'audit', path: '../../'

examples/kitchen/Gemfile

@@ -0,0 +1,7 @@
+# encoding: utf-8
+source 'https://rubygems.org'
+
+gem 'berkshelf', '~> 3.3.0'
+gem 'test-kitchen', '~> 1.6'
+gem 'kitchen-vagrant'
+gem 'kitchen-inspec', '~> 0.9'

examples/kitchen/README.md

@@ -0,0 +1,59 @@
+# Example: Test-Kitchen
+
+This example demonstrates the usage of the audit cookbook with test-kitchen. In order to use it, we expect to have `COMPLIANCE_API` and `COMPLIANCE_ACCESSTOKEN` available as environment variables.
+
+```
+export COMPLIANCE_API='https://compliance.test/api/'
+export COMPLIANCE_ACCESSTOKEN='eyJh..GTA'
+```
+
+## Converge Linux
+
+```
+
+$ KITCHEN_YAML=.kitchen.linux.yml kitchen list
+Instance                   Driver   Provisioner  Verifier  Transport  Last Action
+default-bento-centos-72    Vagrant  ChefZero     Inspec    Ssh        <Not Created>
+default-bento-ubuntu-1404  Vagrant  ChefZero     Inspec    Ssh        <Not Created>
+
+$ KITCHEN_YAML=.kitchen.linux.yml kitchen converge
+-----> Starting Kitchen (v1.8.0)
+-----> Converging <default-bento-centos-72>...
+
+...
+
+-----> Converging <default-bento-ubuntu-1404>
+
+...
+
+-----> Kitchen is finished. (0m35.94s)
+
+# destroy the instances
+$ KITCHEN_YAML=.kitchen.linux.yml kitchen destroy
+```
+
+## Converge Windows
+
+```
+$ KITCHEN_YAML=.kitchen.win.yml kitchen list
+Instance                Driver   Provisioner  Verifier  Transport  Last Action
+windows-windows-2012r2  Vagrant  ChefZero     Inspec    Winrm      <Not Created>
+
+$ KITCHEN_YAML=.kitchen.win.yml kitchen kitchen converge
+-----> Starting Kitchen (v1.8.0)
+-----> Converging <windows-2012r2>
+
+...
+
+-----> Kitchen is finished. (0m35.94s)
+
+
+# destroy the instances
+$ KITCHEN_YAML=.kitchen.win.yml kitchen destroy
+
+```
+
+
+Now, the node reports are available in Chef Compliance:
+
+![Chef Compliance Reports](cc_report.png "Chef Compliance Reports")

libraries/profile.rb

@@ -66,6 +66,7 @@ class ComplianceProfile < Chef::Resource # rubocop:disable Metrics/ClassLength
       if access_token # go direct
         reqpath ="owners/#{o}/compliance/#{p}/tar"
         url = construct_url(server, reqpath)
+        Chef::Log.info "Load profile from: #{url}"
 
         tf = Tempfile.new('foo', Dir.tmpdir, 'wb+')
         tf.binmode
@@ -83,6 +84,7 @@ class ComplianceProfile < Chef::Resource # rubocop:disable Metrics/ClassLength
       else # go through Chef::ServerAPI
         reqpath ="organizations/#{org}/owners/#{o}/compliance/#{p}/tar"
         url = construct_url(base_chef_server_url + '/compliance/', reqpath)
+        Chef::Log.info "Load profile from: #{url}"
 
         Chef::Config[:verify_api_cert] = false # FIXME
         Chef::Config[:ssl_verify_mode] = :verify_none # FIXME
@@ -92,7 +94,16 @@ class ComplianceProfile < Chef::Resource # rubocop:disable Metrics/ClassLength
           rest.binmode_streaming_request(url)
         end
       end
-      FileUtils.cp(tf.path, path) unless tf.nil? # mv replaced due to Errno::EACCES:
+
+      case node['platform']
+      when 'windows'
+        # mv replaced due to Errno::EACCES:
+        # https://bugs.ruby-lang.org/issues/10865
+        FileUtils.cp(tf.path, path) unless tf.nil?
+      else
+        FileUtils.mv(tf.path, path) unless tf.nil?
+      end
+
     end
   end
 

libraries/report.rb

@@ -43,6 +43,7 @@ class ComplianceReport < Chef::Resource
         url = construct_url(server, ::File.join('/owners', o, 'inspec'))
         req = Net::HTTP::Post.new(url, { 'Authorization' => "Bearer #{token}" })
         req.body = blob.to_json
+        Chef::Log.info "Report to: #{url}"
 
         opts = { use_ssl: url.scheme == 'https',
                  verify_mode: OpenSSL::SSL::VERIFY_NONE, # FIXME
@@ -57,6 +58,8 @@ class ComplianceReport < Chef::Resource
         Chef::Config[:ssl_verify_mode] = :verify_none
 
         url = construct_url(base_chef_server_url + '/compliance/', ::File.join('organizations', o, 'inspec'))
+        Chef::Log.info "Report to: #{url}"
+
         rest = Chef::ServerAPI.new(url, Chef::Config)
         with_http_rescue do
           rest.post(url, blob)