Warn if unsupported audit-cookbook config values are present.

Signed-off-by: Pete Higgins <pete@peterhiggins.org>

3 files changed, 44 insertions, 38 deletions

diff --git a/lib/chef/audit/default_attributes.rb b/lib/chef/audit/default_attributes.rb
index 41b450ef37..b1d1353e49 100644
--- a/lib/chef/audit/default_attributes.rb
+++ b/lib/chef/audit/default_attributes.rb
@@ -17,15 +17,6 @@ class Chef
   module Audit
     module DefaultAttributes
       DEFAULTS = {
-        # Controls the inspec gem version to install and execution. Example values: '1.1.0', 'latest'
-        # Starting with Chef Infra Client 15, only the embedded InSpec gem can be used and this attribute will be ignored
-        "inspec_version" => nil,
-
-        # sets URI to alternate gem source
-        # example values: nil, 'https://mygem.server.com'
-        # notes: the root of the URL must host the *specs.4.8.gz source index
-        "inspec_gem_source" => nil,
-
         # If enabled, a cache is built for all backend calls. This should only be
         # disabled if you are expecting unique results from the same backend call.
         "inspec_backend_cache" => true,
@@ -45,28 +36,6 @@ class Chef
         # allow for connections to HTTPS endpoints using self-signed ssl certificates
         "insecure" => nil,
 
-        # Optional for 'chef-server-automate' reporter
-        # defaults to Chef Server org if not defined
-        "owner" => nil,
-
-        # raise exception if Automate API endpoint is unreachable
-        # while fetching profiles or posting a report
-        "raise_if_unreachable" => true,
-
-        # fail converge if downloaded profile is not present
-        # https://github.com/chef-cookbooks/audit/issues/166
-        "fail_if_not_present" => false,
-
-        "interval" => {
-          # control how often inspec scans are run, if not on every node converge
-          # notes: false value will result in running inspec scan every converge
-          "enabled" => false,
-
-          # controls how often inspec scans are run (in minutes)
-          # notes: only used if interval is enabled above
-          "time" => 1440,
-        },
-
         # controls verbosity of inspec runner
         "quiet" => true,
 
@@ -77,13 +46,6 @@ class Chef
         # Attributes used to run the given profiles
         "attributes" => {},
 
-        # Set this to false if you don't want ['audit']['attributes'] to be saved in the node object and stored in Chef Server or Automate. Useful if you are passing sensitive data to the inspec profile via the attributes.
-        "attributes_save" => true,
-
-        # If enabled, a hash of the Chef "node" object will be sent to InSpec in an attribute
-        # named `chef_node`
-        "chef_node_attribute_enabled" => false,
-
         # Set this to the path of a YAML waiver file you wish to apply
         # See https://www.inspec.io/docs/reference/waivers/
         "waiver_file" => nil,
diff --git a/lib/chef/audit/runner.rb b/lib/chef/audit/runner.rb
index af387a5def..16c5b0e87f 100644
--- a/lib/chef/audit/runner.rb
+++ b/lib/chef/audit/runner.rb
@@ -55,7 +55,29 @@ class Chef
 
       ### Below code adapted from audit cookbook's files/default/handler/audit_report.rb
 
+      DEPRECATED_CONFIG_VALUES = %w{
+        attributes_save
+        chef_node_attribute_enabled
+        fail_if_not_present
+        inspec_gem_source
+        inspec_version
+        interval
+        owner
+        raise_if_unreachable
+      }.freeze
+
+      def warn_for_deprecated_config_values!
+        deprecated_config_values = (audit_attributes.keys & DEPRECATED_CONFIG_VALUES)
+
+        if deprecated_config_values.any?
+          values = deprecated_config_values.sort.map { |v| "'#{v}'" }.join(", ")
+          logger.warn "audit-cookbook config values #{values} are not supported in Chef Infra's audit mode."
+        end
+      end
+
       def report(report = generate_report)
+        warn_for_deprecated_config_values!
+
         if report.empty?
           logger.error "Audit report was not generated properly, skipped reporting"
           return
diff --git a/spec/unit/audit/runner_spec.rb b/spec/unit/audit/runner_spec.rb
index f227742b6c..45fee29734 100644
--- a/spec/unit/audit/runner_spec.rb
+++ b/spec/unit/audit/runner_spec.rb
@@ -88,4 +88,26 @@ describe Chef::Audit::Runner do
       expect { runner.inspec_profiles }.to raise_error(/Inspec profiles specified in an unrecognized format, expected a hash of hashes./)
     end
   end
+
+  describe "#warn_for_deprecated_config_values!" do
+    it "logs a warning when deprecated config values are present" do
+      node.default["audit"]["owner"] = "my_org"
+      node.default["audit"]["inspec_version"] = "90210"
+
+      expect(logger).to receive(:warn).with(/config values 'inspec_version', 'owner' are not supported/)
+
+      runner.warn_for_deprecated_config_values!
+    end
+
+    it "does not log a warning with no deprecated config values" do
+      node.default["audit"]["profiles"]["linux-baseline"] = {
+        'compliance': "user/linux-baseline",
+        'version': "2.1.0",
+      }
+
+      expect(logger).not_to receive(:warn)
+
+      runner.warn_for_deprecated_config_values!
+    end
+  end
 end