Provide option to avoid saving the inspec attributes to the node object #374

Merged
merged 3 commits into from
Jun 21, 2019
3 changes: 3 additions & 0 deletions .rubocop.yml
@@ -8,3 +8,6 @@ Naming/AccessorMethodName:
Exclude:
- 'examples/chef-server/Vagrantfile'
- 'spec/unit/report/audit_report_spec.rb'

Style/BracesAroundHashParameters:
Enabled: false
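Review bot: Disabling Style/BracesAroundHashParameters for the whole cookbook is broader than this change needs. The only new offenders are the `eq({ 'my-inspec-attribute' => 'ok' })` expectations in spec/unit/recipes/default_spec.rb, so an `Exclude:` entry for that spec (the same approach the Naming/AccessorMethodName block just above already uses) or writing the expectations as `eq('my-inspec-attribute' => 'ok')` would keep the cop active for library and recipe code.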
19 changes: 13 additions & 6 deletions README.md
@@ -597,13 +597,20 @@ Please let us know if you have any [issues](https://github.com/chef-cookbooks/au

## Run the tests for this cookbook:

Install [Chef Development Kit](https://downloads.chef.io/chefdk) on your machine.

```bash
bundle install
bundle exec rake style
# run all ChefSpec tests
bundle exec rspec
# run a specific test
bundle exec rspec ./spec/unit/libraries/automate_spec.rb
# Install webmock gem needed by rspec
chef gem install webmock

# Run style checks
rake style

# Run all unit and ChefSpec tests
rspec

# Run a specific test
rspec ./spec/unit/libraries/automate_spec.rb
```

## How to release the `audit` cookbook
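Review bot: The rewritten instructions drop `bundle exec`, so the bare `rake style` and `rspec` commands only resolve to the ChefDK-bundled gems when the ChefDK shell environment is active; a reader who installed ChefDK but has a system Ruby first on PATH will get a different rspec or no rake task. Either keep the commands wrapped as `chef exec rake style` / `chef exec rspec`, or add a line such as `eval "$(chef shell-init bash)"` before them so the example works as typed.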
3 changes: 3 additions & 0 deletions attributes/default.rb
@@ -90,6 +90,9 @@
# Attributes used to run the given profiles
default['audit']['attributes'] = {}

# Set this to false if you don't want ['audit']['attributes'] to be saved in the node object and stored in Chef Server or Automate. Useful if you are passing sensitive data to the inspec profile via the attributes.
default['audit']['attributes_save'] = true

# If enabled, a hash of the Chef "node" object will be sent to InSpec in an attribute
# named `chef_node`
default['audit']['chef_node_attribute_enabled'] = false
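Review bot: `['audit']['attributes_save']` is only documented in this comment; the README hunk in this PR touches the test instructions and nothing else, so users reading the attribute reference will not find the option. Add a README entry stating that the default `true` still persists the InSpec attributes, including any secrets placed in them, to the node object on Chef Server or Automate, and that `false` removes them from the node after they have been copied to run_state for the handler. Minor: wrap the long comment the way the `chef_node_attribute_enabled` comment below is wrapped.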
3 changes: 2 additions & 1 deletion files/default/handler/audit_report.rb
@@ -41,7 +41,8 @@ def report
end
quiet = node['audit']['quiet']
fetcher = node['audit']['fetcher']
attributes = node['audit']['attributes'].to_h

attributes = node.run_state['audit_attributes'].to_h
Contributor

Going from a Mash to a Hash going to cause any issues? (I know it was a .to_h before, but I'm curious)

Contributor Author

Nobody reported issues with it and tests are showing the expected values.


# add chef node data as an attribute if enabled
attributes['chef_node'] = chef_node_attribute_data if node['audit']['chef_node_attribute_enabled']
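Review bot: `node.run_state['audit_attributes'].to_h` silently yields an empty Hash when `copy_audit_attributes` has not run, because `nil.to_h` is `{}`; a handler loaded by any path other than `audit::default` will then execute profiles with no attributes and nothing in the run log explains why. Log it, e.g. `Chef::Log.warn('audit_attributes not found in node.run_state') unless node.run_state.key?('audit_attributes')`, before the `.to_h`. On the Mash question in the thread: run_state holds the same node attribute object that `node['audit']['attributes']` returned before, and the `.to_h` call is unchanged, so the handler sees the same type it did previously.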
7 changes: 7 additions & 0 deletions libraries/helper.rb
@@ -116,6 +116,13 @@ def cookbook_handler_path
File.expand_path('../../files/default/handler', __FILE__)
end

# Copies ['audit']['attributes'] into run_state for the audit_handler to read them later
# Deletes ['audit']['attributes'] if instructed by ['audit']['attributes_save']
def copy_audit_attributes
node.run_state['audit_attributes'] = node['audit']['attributes']
Contributor

Mmmmm....yasss.

node.rm('audit', 'attributes') unless node['audit']['attributes_save']
end

def load_audit_handler
libpath = ::File.join(cookbook_handler_path, 'audit_report')
Chef::Log.info("loading handler from #{libpath}")
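Review bot: `copy_audit_attributes` has a destructive side effect its name does not hint at: with `attributes_save` false it deletes `['audit']['attributes']` from every precedence level via `node.rm`. Either name it for what it does (e.g. `stash_audit_attributes`) or split the deletion into its own helper, and make the comment say that the removal happens after the copy so the handler still receives the values. Also note that `unless node['audit']['attributes_save']` treats a nil (attribute never set) the same as `false`; that is fine while attributes/default.rb always sets the default, but worth a comment.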
2 changes: 1 addition & 1 deletion metadata.rb
@@ -5,7 +5,7 @@
license 'Apache-2.0'
description 'Allows for fetching and executing compliance profiles, and reporting its results'
long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
version '7.7.0'
version '7.8.0'

source_url 'https://github.com/chef-cookbooks/audit'
issues_url 'https://github.com/chef-cookbooks/audit/issues'
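Review bot: The bump to 7.8.0 has no accompanying CHANGELOG entry in this diff; a new user-facing attribute (`['audit']['attributes_save']`) and the changed handler input source are exactly the kind of change the changelog should record alongside the version bump.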
2 changes: 2 additions & 0 deletions recipes/default.rb
@@ -29,4 +29,6 @@

include_recipe 'audit::inspec'

# Call helper methods located in libraries/helper.rb
copy_audit_attributes
load_audit_handler
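Review bot: `copy_audit_attributes` is called at compile time of `audit::default`, so only values that exist at that moment are copied and removed. An attribute written later in the compile phase, for example by a wrapper recipe included after `audit::default` or by a recipe that sets `node.override['audit']['attributes']` itself, is neither copied to run_state nor deleted, and with `attributes_save` false it still ends up in the saved node object. Either document that `audit::default` must be included last, or run the copy/remove from a `ruby_block` so it executes at converge time after every recipe has compiled; the handler only reads run_state at the end of the run, so the later timing is safe.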
35 changes: 35 additions & 0 deletions spec/unit/recipes/default_spec.rb
@@ -175,4 +175,39 @@
expect { chef_run }.to_not raise_error
end
end

context 'when audit attributes are not removed' do
let(:chef_run) do
runner = ChefSpec::ServerRunner.new(platform: 'centos', version: '6.9')
runner.node.override['audit']['attributes']['my-inspec-attribute'] = 'ok'
runner.converge(described_recipe)
end
it 'still contains the audit attributes after converge' do
expect(chef_run.node.attributes['audit']['attributes']).to eq({ 'my-inspec-attribute' => 'ok' })
end
it 'should contain the inspec attributes in the run_state' do
expect(chef_run.node.run_state['audit_attributes']).to eq({ 'my-inspec-attribute' => 'ok' })
end
it 'should not raise an exception' do
expect { chef_run }.to_not raise_error
end
end

context 'when audit attributes are removed' do
let(:chef_run) do
runner = ChefSpec::ServerRunner.new(platform: 'centos', version: '6.9')
runner.node.override['audit']['attributes']['my-inspec-attribute'] = 'ok'
runner.node.override['audit']['attributes_save'] = false
runner.converge(described_recipe)
end
it 'should not contain the audit attributes after converge' do
expect(chef_run.node.attributes['audit']['attributes']).to eq(nil)
end
it 'should contain the inspec attributes in the run_state' do
expect(chef_run.node.run_state['audit_attributes']).to eq({ 'my-inspec-attribute' => 'ok' })
end
it 'should not raise an exception' do
expect { chef_run }.to_not raise_error
end
end
end
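Review bot: Both new contexts set the attribute only at `override` precedence, so the suite does not show that `node.rm` also clears the `default` and `normal` levels, which is where a wrapper cookbook's attributes file or a previous `node.save` would have put the values; add a case that sets `runner.node.normal['audit']['attributes'][...]` (and one for `default`) and asserts the same removal. Minor: `eq(nil)` reads better as `be_nil`, and the duplicated `ChefSpec::ServerRunner.new(platform: 'centos', version: '6.9')` setup could move to a shared `let(:runner)`.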