Ignore inspec_version for chef client >= 15 (#378)

* Ignore inspec_version for chef client >= 15

Signed-off-by: Alex Pop <alexpop@users.noreply.github.com>

* Update readme for version requirements

Signed-off-by: Alex Pop <alexpop@users.noreply.github.com>

README.md

@@ -31,11 +31,11 @@ The `audit` cookbook supports a number of different reporters and fetchers which
 |   > 1.1.23                 |   ≥ 0.22.1        |   = 0.8.0                 |
 |   ≥ 1.6.8                  |   ≥ 1.2.0         |   > 1.0.2                 |
 
-#### Chef Client
+#### Chef Infra Client
 
 | Chef Client                | Audit Cookbook version    |
 |----------------------------|---------------------------|
-|   >= 15.0.293              |   >= 7.7.0                |
+|   >= 15                    |   >= 8.0.0                |
 
 Note:
 When used with Chef Client 15 and above, the Audit cookbook _must_ be >= 7.7.0. Otherwise, you will see the following failure.
@@ -117,6 +117,8 @@ Also beginning with version 3.x of the `audit` cookbook, the default version of
 
 To install a different version of the InSpec gem, or to force installation of the gem, set the `node['audit']['inspec_version']` attribute to the version you wish to be installed.
 
+**Starting with Chef Infra Client 15, only the embedded InSpec gem can be used and the `inspec_version` attribute will be ignored.**
+
 Note on AIX Support:
 
  * InSpec is only supported via the bundled InSpec gem shipped with version >= 13 of the chef-client package.
@@ -130,9 +132,6 @@ Once the cookbook is available in Chef Server, you need to add the `audit::defau
 ```ruby
 default['audit']['reporter'] = 'chef-server-compliance'
 
-# Omit this to use the latest InSpec
-default['audit']['inspec_version'] = '1.29.0'
-
 # You may use an array of hashes (shown here) or hash of hashes (shown below)
 default['audit']['profiles'].push(
     # Profile from Chef Compliance
@@ -620,14 +619,15 @@ rspec ./spec/unit/libraries/automate_spec.rb
 
 Releasing a new cookbook version:
 
-1. version bump the metadata.rb and updated changelog (`bundle exec rake changelog`)
-2. Get your changes merged into master
-3. Go to the `audit` cookbook directory and pull from master
-4. Run `bundle install`
-5. Use stove to publish the cookbook(including git version tag). You must point to the private key of your hosted chef user. For example:
+1. Install changelog gem: `chef gem install github_changelog_generator`
+2. version bump the metadata.rb and updated changelog (`rake changelog`)
+3. Get your changes merged into master
+4. Go to the `audit` cookbook directory and pull from master
+5. Run `bundle install`
+6. Use stove to publish the cookbook(including git version tag). You must point to the private key of your hosted chef user. For example:
 
   ```
-  bundle exec stove --username apop --key ~/git/chef-repo/.chef/apop.pem
+  stove --username apop --key ~/git/chef-repo/.chef/apop.pem
   ```
 
 ## License

attributes/default.rb

@@ -15,8 +15,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# controls inspec gem version to install
-# example values: '1.1.0', 'latest'
+# Controls the inspec gem version to install and execution. Example values: '1.1.0', 'latest'
+# Starting with Chef Infra Client 15, only the embedded InSpec gem can be used and this attribute will be ignored
 default['audit']['inspec_version'] = nil
 
 # sets URI to alternate gem source

metadata.rb

@@ -5,7 +5,7 @@
 license 'Apache-2.0'
 description 'Allows for fetching and executing compliance profiles, and reporting its results'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version '7.8.0'
+version '8.0.0'
 
 source_url 'https://github.com/chef-cookbooks/audit'
 issues_url 'https://github.com/chef-cookbooks/audit/issues'

resources/inspec_gem.rb

@@ -19,6 +19,7 @@
     if new_resource.version == installed_version
       installation_required = false
       Chef::Log.info("inspec_gem: not installing Chef-InSpec. Requested version #{new_resource.version} already installed")
+      return
     end
   end
 
@@ -37,7 +38,7 @@
   elsif new_resource.version.nil?
     Chef::Log.info('inspec_gem: not installing Chef-InSpec. No Chef-Inspec version specified')
   elsif !compatible_version
-    Chef::Log.info("inspec_gem: not installing Chef-InSpec. Requested version #{new_resource.version} is not compatible with chef-client #{Chef::VERSION}")
+    Chef::Log.warn("inspec_gem: not installing Chef-InSpec. Requested version #{new_resource.version} is not compatible with chef-client #{Chef::VERSION}")
   end
 end
 
@@ -79,18 +80,18 @@ def compatible_with_client?(gem_version)
     # No version specified so they will get the latest
     return true if gem_version.nil?
 
-    requirement = if chef_15?
-                    # Chef-15 requires train 2.0 which was added in Inspec 4
-                    Gem::Requirement.new('>= 4')
-                  else
-                    # min version required to run the audit handler
-                    Gem::Requirement.new(['>= 1.25.1'])
-                  end
-
-    requirement.satisfied_by?(Gem::Version.new(gem_version))
+    if chef_gte_15?
+      # Chef-15 can only run with the version of inspec-core and train-core that's being bundled with
+      # It's pinned here: grep "inspec-" /opt/chef/bin/chef-client
+      Chef::Log.warn('inspec_gem: Chef Infra Client >= 15 detected, can only use the embedded InSpec gem!!!')
+      false
+    else
+      # min version required to run the audit handler
+      Gem::Requirement.new(['>= 1.25.1']).satisfied_by?(Gem::Version.new(gem_version))
+    end
   end
 
-  def chef_15?
+  def chef_gte_15?
     Gem::Requirement.new('>= 15').satisfied_by?(Gem::Version.new(Chef::VERSION))
   end
 

spec/unit/libraries/helpers_spec.rb

@@ -5,6 +5,7 @@
 
 require 'spec_helper'
 require_relative '../../../libraries/helper'
+require_relative '../../../files/default/handler/audit_report'
 
 describe ReportHelpers do
   let(:helpers) { Class.new { extend ReportHelpers } }