Remove compliance and visibility reporters (#383)
* update docs for chef-server-automate reporter

Signed-off-by: Alex Pop <apop@chef.io>

* Remove chef-compliance, chef-server-compliance, chef-visibility and chef-server-visibility. Gone!

Signed-off-by: Alex Pop <apop@chef.io>

* Use 3.9.3 in kitchen test

Signed-off-by: Alex Pop <apop@chef.io>

* Remove force_inspec_core recipe from chef15

Signed-off-by: Alex Pop <apop@chef.io>

* Switch kitchen to hash profiles

Signed-off-by: Alex Pop <apop@chef.io>
alexpop authored Sep 18, 2019
1 parent 6f469fd commit aafd15d
Showing 29 changed files with 123 additions and 1,149 deletions.
31 changes: 9 additions & 22 deletions .kitchen.yml
Expand Up @@ -86,7 +86,8 @@ suites:
json_file:
location: <%= File.join('/tmp', Time.now.utc.strftime('inspec-%Y%m%d%H%M%S.json')) %>
profiles:
- git: https://github.com/mhedgpeth/attribute-file-exists-profile.git
attribute-file-exists-profile:
git: https://github.com/mhedgpeth/attribute-file-exists-profile.git
attributes:
file: /opt/kitchen/cache/attribute-file-exists.test
- name: chef-node-enabled
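Review bot: with the profile moved from a list item (`- git: ...`) to a hash key (`attribute-file-exists-profile:` with `git:` nested beneath it), the unchanged `attributes:` / `file: /opt/kitchen/cache/attribute-file-exists.test` lines must now sit at the same indentation as `git:` to stay inside that profile entry; the rendered diff hides indentation, so please verify the YAML nesting, because a mis-indented `attributes:` would be parsed as a separate entry under `profiles:` rather than as that profile's attributes.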
Expand All @@ -98,7 +99,8 @@ suites:
json_file:
location: <%= File.join('/tmp', Time.now.utc.strftime('inspec-%Y%m%d%H%M%S.json')) %>
profiles:
- url: https://github.com/adamleff/inspec-profile-chef-node-attributes/archive/master.tar.gz
demo:
url: https://github.com/adamleff/inspec-profile-chef-node-attributes/archive/master.tar.gz
chef_node_attribute_enabled: true
- name: chef-node-disabled
run_list:
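Review bot: the new hash key `demo:` is a generic name for the `inspec-profile-chef-node-attributes` profile, and the same key is reused in the chef-node-disabled suite below; consider a descriptive key such as `chef-node-attributes` so the profile is easy to identify in kitchen output and reports.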
Expand All @@ -109,7 +111,8 @@ suites:
json_file:
location: <%= File.join('/tmp', Time.now.utc.strftime('inspec-%Y%m%d%H%M%S.json')) %>
profiles:
- url: https://github.com/adamleff/inspec-profile-chef-node-attributes/archive/master.tar.gz
demo:
url: https://github.com/adamleff/inspec-profile-chef-node-attributes/archive/master.tar.gz
- name: missing-profile-no-fail
run_list:
- recipe[test_helper::setup]
Expand All @@ -118,7 +121,7 @@ suites:
audit:
reporter: json-file
profiles:
- name: ssh-hardening
ssh-hardening:
url: https://github.com/dev-sec/this-is-not-available.zip
includes:
- ubuntu-18.04
Expand All @@ -131,34 +134,18 @@ suites:
reporter: json-file
fail_if_not_present: true
profiles:
- name: ssh-hardening
url: https://github.com/dev-sec/this-is-not-available.zip
ssh-hardening: https://github.com/dev-sec/this-is-not-available.zip
includes:
- ubuntu-18.04
- name: compliance # compliance direct reporting
run_list:
- recipe[audit::default]
attributes:
audit:
server: <%= ENV['COMPLIANCE_API'] %>
token: <%= ENV['COMPLIANCE_ACCESSTOKEN'] %>
owner: admin
profiles:
- name: ssh-hardening
url: https://github.com/dev-sec/tests-ssh-hardening/archive/master.zip
- git: https://github.com/dev-sec/tests-ssh-hardening.git
- name: ssh-baseline
supermarket: dev-sec/ssh-baseline
- name: chef15-compatible-inspec
run_list:
- recipe[test_helper::force_inspec_core]
- recipe[audit::default]
driver:
chef_version: 15
attributes:
audit:
reporter: json-file
inspec_version: 3.0.9
inspec_version: 3.9.3
fail_if_not_present: true
- name: gem-install-core-version4
run_list:
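Review bot: `ssh-hardening: https://github.com/dev-sec/this-is-not-available.zip` uses a bare string as the profile value, while the missing-profile-no-fail suite a few lines up spells the same profile as `ssh-hardening:` with a nested `url:` key; confirm the cookbook's profile parsing accepts both shapes, and if the bare-string form is an intended shortcut, document it in the README next to the hash-of-hashes example, otherwise use one form in both suites. Separately, the `chef15-compatible-inspec` suite keeps its name after `recipe[test_helper::force_inspec_core]` is dropped from its run_list; if the suite no longer forces the InSpec core gem, renaming it would avoid implying a test that no longer runs.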
122 changes: 14 additions & 108 deletions README.md
Expand Up @@ -23,14 +23,6 @@ The `audit` cookbook supports a number of different reporters and fetchers which
| ≥ 0.8.0 | ≥ 1.24.0 | ≥ 4.0.0 |
| ≥ 2 | ≥ 2.2.102 | ≥ 7.1.0 |

#### Chef Compliance

| Chef Compliance version | InSpec version | Audit Cookbook version |
|----------------------------|-------------------|---------------------------|
| ≤ 1.1.23 | = 0.20.1 | = 0.7.0 |
| > 1.1.23 | ≥ 0.22.1 | = 0.8.0 |
| ≥ 1.6.8 | ≥ 1.2.0 | > 1.0.2 |

#### Chef Infra Client

| Chef Client | Audit Cookbook version |
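Review bot: removing the Chef Compliance compatibility table drops the only documented InSpec and cookbook versions for users still pinned to Chef Compliance; a single sentence stating that Chef Compliance reporting was removed in this version, naming the last cookbook version that supported it, would give those users an upgrade path instead of an unexplained gap between the Chef Automate and Chef Infra Client tables.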
Expand All @@ -48,39 +40,13 @@ RuntimeError
Audit Mode is enabled. The audit cookbook and Audit Mode cannot be used at the same time. Please disable Audit Mode in your client configuration.
```

## Deprecation Note:

### Please use `reporter` instead of `collector` attribute

With version 3.1.0 the use of the `collector` attribute is deprecated. Please use `reporter` instead. The `collector` attribute will be removed in the next major version.

```
default['audit']['collector'] = 'chef-server-compliance'
```

becomes:

```
default['audit']['reporter'] = 'chef-server-compliance'
```

### Use `chef-server-automate` and `chef-automate` instead of `chef-server-visibility` and `chef-visibility`

With version 3.1.0 the reporter attribute deprecates the values `chef-server-visibility` and `chef-visibility`. They have been renamed:

* `chef-server-visibility` => `chef-server-automate`
* `chef-visibility` => `chef-automate`

The support for values `chef-server-visibility` and `chef-visibility` will be removed in the next major version.


## Overview

### Component Architecture
```
┌──────────────────────┐ ┌──────────────────────┐ ┌─────────────────────┐
│ Chef Client │ │ Chef Server Proxy │ │ Chef Compliance
│ │ │ (optional) │ │ or Chef Automate
│ Chef Client │ │ Chef Server Proxy │ │ Chef Automate
│ │ │ (optional) │ │
│ ┌──────────────────┐ │ │ │ │ │
│ │ │◀┼────┼──────────────────────┼────│ Profiles │
│ │ audit cookbook │ │ │ │ │ │
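Review bot: deleting the Deprecation Note wholesale also removes the rename mapping (`chef-server-visibility` => `chef-server-automate`, `chef-visibility` => `chef-automate`, `collector` => `reporter`) that users upgrading from 3.x need; since this is the release that actually removes those values, keep the mapping in a short breaking-changes or upgrade section (or the changelog) rather than dropping it from the docs entirely. Also check what the cookbook does when a node still sets `reporter` to one of the removed values: a clear error naming the replacement is friendlier than silently skipping reporting.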
Expand All @@ -94,8 +60,8 @@ InSpec Profiles can be hosted from a variety of locations:

```
┌──────────────────────┐ ┌─────────────────────┐
│ Chef Client │ ┌───────────────────────┐ │ Chef Compliance
│ │ ┌──│ Profiles(Supermarket, │ │ or Chef Automate
│ Chef Client │ ┌───────────────────────┐ │ Chef Automate
│ │ ┌──│ Profiles(Supermarket, │ │
│ ┌──────────────────┐ │ │ │ Github, local, etc) │ │ │
│ │ │◀┼──┘ └───────────────────────┘ │ │
│ │ audit cookbook │◀┼────────────────────────────────│ Profiles │
Expand Down Expand Up @@ -130,23 +96,23 @@ Note on AIX Support:
Once the cookbook is available in Chef Server, you need to add the `audit::default` recipe to the run-list of each node. The profiles are selected using the `node['audit']['profiles']` attribute. A list of example configurations are documented in [Supported Configurations](docs/supported_configuration.md). Below are some other examples:

```ruby
default['audit']['reporter'] = 'chef-server-compliance'
default['audit']['reporter'] = 'chef-server-automate'
default['audit']['fetcher'] = 'chef-server'

# You may use an array of hashes (shown here) or hash of hashes (shown below)
default['audit']['profiles'].push(
# Profile from Chef Compliance
# Profile from Chef Automate
{
'name': 'linux',
'compliance': 'base/linux'
},
# Profile from Chef Compliance at a particular version
# Profile from Chef Automate at a particular version
{
'name': 'linux-baseline',
'compliance': 'user/linux-baseline',
'version': '2.1.0'
},
# Profile from Supermarket
# note: If reporting to Compliance, first upload the Supermarket profile to Chef Compliance.
# note: Artifactory's Supermarket implementation—"Chef Cookbook repository"—does not support InSpec compliance profiles at this time
{
'name': 'ssh',
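Review bot: the comments now read `Profile from Chef Automate`, but the profile keys beneath them are still `'compliance': 'base/linux'` and `'compliance': 'user/linux-baseline'`; add a short note that `compliance` remains the key for Automate-hosted profiles (it names the fetch source, not the removed reporter), otherwise readers of this commit may assume the key went away with the Chef Compliance reporter.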
Expand Down Expand Up @@ -217,46 +183,6 @@ default['audit']['profiles'].push(
)
```


#### Direct reporting to Chef Compliance

To retrieve compliance profiles and report directly to Chef Compliance, set the `reporter`, `server`, `owner`, `refresh_token` and `profiles` attributes.

* `reporter` - 'chef-compliance' to report to Chef Compliance
* `server` - url of Chef Compliance server with `/api`
* `owner` - Chef Compliance user or organization that will receive this scan report
* `refresh_token` - refresh token for Chef Compliance API (https://github.com/chef/inspec/issues/690)
* note: A UI logout revokes the refresh_token. Workaround by logging in once in a private browser session, grab the token and then close the browser without logging out
* `insecure` - a `true` value will skip the SSL certificate verification when retrieving access token. Default value is `false`

```ruby
default['audit']['reporter'] = 'chef-compliance'
default['audit']['server'] = 'https://compliance-fqdn/api'
default['audit']['owner'] = 'my-comp-org'
default['audit']['refresh_token'] = '5/4T...g=='
default['audit']['profiles'].push(
{
'name': 'windows',
'compliance': 'base/windows',
}
)
```

Instead of a refresh token, it is also possible to use a `token` that expires in 12h after its creation.

```ruby
default['audit']['reporter'] = 'chef-compliance'
default['audit']['server'] = 'https://compliance-fqdn/api'
default['audit']['owner'] = 'my-comp-org'
default['audit']['token'] = 'eyJ........................YQ'
default['audit']['profiles'].push(
{
'name': 'windows',
'compliance': 'base/windows',
}
)
```

#### Direct reporting to Chef Automate

To report directly to Chef Automate, set the `reporter` attribute to 'chef-automate' and specify where to fetch the `profiles` from.
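Review bot: the deleted section was the only place the README documented the `server`, `owner`, `refresh_token`, `token` and `insecure` attributes; `insecure` and `owner` remain defined in attributes/default.rb in this same commit, so make sure they are still described somewhere in the README (for example under the `chef-automate` and `chef-server-automate` reporters), and confirm that `server`, `refresh_token` and `token` are not read anywhere else in the cookbook before their documentation disappears.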
Expand Down Expand Up @@ -332,7 +258,7 @@ Note that detection of non-compliance will immediately terminate the Chef Client
#### Multiple Reporters

To enable multiple reporters, simply define multiple reporters with all the necessary information
for each one. For example, to report to chef-compliance and write to json file on disk:
for each one. For example, to report to Chef Automate and write to json file on disk:

```ruby
default['audit']['reporter'] = ['chef-server-automate', 'json-file']
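Review bot: the prose now says 'report to Chef Automate', but the example on the next line sets `reporter` to `['chef-server-automate', 'json-file']`, which reports via Chef Server rather than directly; say 'report to Chef Automate via Chef Server' (or switch the example to `chef-automate`) so text and example agree, and while touching the sentence, 'write to json file on disk' reads better as 'write to a JSON file on disk'.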
Expand All @@ -346,11 +272,11 @@ default['audit']['profiles'].push(

### Profile Fetcher

#### Fetch profiles from Chef Automate/Chef Compliance via Chef Server
#### Fetch profiles from Chef Automate via Chef Server

To enable reporting to Chef Automate with profiles from Chef Compliance or Chef Automate, you need to have Chef Server integrated with [Chef Compliance or Chef Automate](https://docs.chef.io/integrate_compliance_chef_automate.html#collector-chef-server-automate). You can then set the `fetcher` attribute to 'chef-server'.
To enable reporting to Chef Automate with profiles from Chef Automate, you need to have Chef Server integrated with [Chef Automate](https://docs.chef.io/integrate_compliance_chef_automate.html#collector-chef-server-automate). You can then set the `fetcher` attribute to 'chef-server'.

This allows the audit cookbook to fetch profiles stored in Chef Compliance. For example:
This allows the audit cookbook to fetch profiles stored in Chef Automate. For example:

```ruby
default['audit']['reporter'] = 'chef-server-automate'
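Review bot: 'To enable reporting to Chef Automate with profiles from Chef Automate' repeats itself now that the Chef Compliance alternative is gone; 'To fetch profiles from Chef Automate through Chef Server' says the same thing once. Also, the `fetcher` attribute in attributes/default.rb lists `'chef-automate'` as a possible value alongside `'chef-server'`, but this section only documents `'chef-server'`; if fetching directly from Automate is supported it deserves a sentence here.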
Expand Down Expand Up @@ -378,37 +304,17 @@ default['audit']['profiles'].push(
)
```

## Profile Upload to Compliance Server

In order to support build cookbook mode, the `compliance_profile` resource has an `upload` action that allows uploading a compressed
InSpec compliance profile to the Compliance Server.

Simply include the `upload` recipe in the run_list, with attribute overrides for the `audit` hash like so:

```ruby
default['audit']['server'] = 'https://compliance-server.test/api'
default['audit']['reporter'] = 'chef-compliance'
default['audit']['refresh_token'] = '21/XMEK3...'
default['audit']['profiles'].push(
{
'name': 'ssh',
'compliance': 'base/ssh'
}
)
```

## Relationship with Chef Audit Mode

The following tables compares the [Chef Client audit mode](https://docs.chef.io/ctl_chef_client.html#run-in-audit-mode) with this `audit` cookbook.

| | audit mode | audit cookbook |
|------------------------------------------|------------|----------------|
| Works with Chef Compliance | No | Yes |
| Execution Engine | [Serverspec](http://serverspec.org/) | [InSpec](https://github.com/chef/inspec) |
| Execute InSpec Compliance Profiles | No | Yes |
| Execute InSpec Profiles | No | Yes |
| Execute tests embedded in Chef recipes | Yes | No |

Eventually the `audit` cookbook will replace audit mode. The only drawback is that you will not be able to execute tests in Chef recipes, but since you will be running these tests in production, you will want to have a straightforward, consistent process by which you include these tests throughout your development lifecycle. Within Chef Compliance, this is a profile.
Eventually the `audit` cookbook will replace audit mode. The only drawback is that you will not be able to execute tests in Chef recipes, but since you will be running these tests in production, you will want to have a straightforward, consistent process by which you include these tests throughout your development lifecycle. Within Chef Automate, this is a profile.

### Migrating from audit mode to audit cookbook:

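Review bot: the comparison table still carries the row `| Works with Chef Compliance | No | Yes |` as unchanged context a few lines above the sentence that was updated to 'Within Chef Automate, this is a profile'; with Chef Compliance support removed, that row should read 'Works with Chef Automate' (or be dropped), otherwise the README advertises compatibility with a product the cookbook no longer reports to.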
31 changes: 7 additions & 24 deletions attributes/default.rb
Expand Up @@ -29,40 +29,26 @@
default['audit']['inspec_backend_cache'] = true

# controls where inspec scan reports are sent
# possible values: 'chef-server-automate', 'chef-server-compliance', 'chef-compliance', 'chef-automate', 'json-file'
# possible values: 'chef-server-automate', 'chef-automate', 'json-file'
# notes: 'chef-automate' requires inspec version 0.27.1 or greater
# deprecated: 'chef-visibility' is replaced with 'chef-automate'
# deprecated: 'chef-compliance' is replaced with 'chef-automate'
# deprecated: 'chef-server-visibility' is replaced with 'chef-server-automate'
default['audit']['reporter'] = 'chef-server-compliance'
default['audit']['reporter'] = 'json-file'

# controls reporting to Chef Automate with profiles from Chef Compliance or Chef Automate
# controls where inspec profiles are fetched from, Chef Automate or via Chef Server
# possible values: nil, 'chef-server', 'chef-automate'
# notes: requires Chef Server ingtegrated with Chef Compliance
default['audit']['fetcher'] = nil

# url of Chef Compliance server API endpoint
# example values: nil, 'https://comp-server.example.com/api'
# notes: only required for 'chef-compliance' reporter
default['audit']['server'] = nil

# refresh token from the "About" dialogue in Chef Compliance UI
# notes: used only for the 'chef-compliance' reporter
default['audit']['refresh_token'] = nil

# token from the "About" dialogue in Chef Compliance UI
# notes: used only for the 'chef-compliance' reporter. This token expires 12h after creation
default['audit']['token'] = nil

# allow for connections to HTTPS endpoints using self-signed ssl certificates
default['audit']['insecure'] = nil

# Chef Compliance organization to post the report to
# notes: only needed for the 'chef-compliance' reporter, optional for 'chef-server-compliance' and 'chef-server-automate'
# Optional for 'chef-server-automate' reporter
# defaults to Chef Server org if not defined
default['audit']['owner'] = nil

# raise exception if Compliance API endpoint is unreachable
# while fetching profiles or posting report
# raise exception if Automate API endpoint is unreachable
# while fetching profiles or posting a report
default['audit']['raise_if_unreachable'] = true

# fail converge if downloaded profile is not present
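Review bot: changing the default `reporter` from `'chef-server-compliance'` to `'json-file'` is a behavior change for every node that never set the attribute explicitly: it stops sending reports to Chef Server and starts writing them to local disk, so call it out as a breaking change in the README and changelog and state the file location the `json-file` reporter writes to. The unchanged context line `# notes: requires Chef Server ingtegrated with Chef Compliance` under `fetcher` also still names Chef Compliance and has a typo ('ingtegrated'); `# notes: requires Chef Server integrated with Chef Automate` matches the new comment above it.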
Expand All @@ -80,9 +66,6 @@
# controls verbosity of inspec runner
default['audit']['quiet'] = true

# controls whether or not existing profile is overwritten when using upload recipe
default['audit']['overwrite'] = true

# Chef Inspec Compliance profiles to be used for scan of node
# See README.md for details
default['audit']['profiles'] = {}
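Review bot: removing `default['audit']['overwrite']` is only safe if the `upload` recipe and the `compliance_profile` resource that consumed it are removed in the same commit (the README section on profile upload is deleted here, which suggests they are); any remaining `node['audit']['overwrite']` lookup would now evaluate to nil and quietly flip to not overwriting, so grep the recipes and resources for the attribute before merging.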