author | Pete Higgins <pete@peterhiggins.org> | 2020-11-20 17:47:04 -0800 |
---|---|---|
committer | Pete Higgins <pete@peterhiggins.org> | 2020-12-01 16:12:04 -0800 |
commit | f52ed3298edb9f77500d63e01cd8bf7bdd6c34e8 (patch) | |
tree | 42888df2b89dd4e779e4276d1403cfe3bc8da997 | |
parent | 902bd99f7f2a0c468aa987e9bcf190027df658d9 (diff) | |
download | chef-f52ed3298edb9f77500d63e01cd8bf7bdd6c34e8.tar.gz |
Warn if unsupported audit-cookbook config values are present.
Signed-off-by: Pete Higgins <pete@peterhiggins.org>
-rw-r--r-- | lib/chef/audit/default_attributes.rb | 38 | ||||
-rw-r--r-- | lib/chef/audit/runner.rb | 22 | ||||
-rw-r--r-- | spec/unit/audit/runner_spec.rb | 22 |
3 files changed, 44 insertions, 38 deletions
diff --git a/lib/chef/audit/default_attributes.rb b/lib/chef/audit/default_attributes.rb
index 41b450ef37..b1d1353e49 100644
--- a/lib/chef/audit/default_attributes.rb
+++ b/lib/chef/audit/default_attributes.rb
@@ -17,15 +17,6 @@ class Chef
 module Audit
 module DefaultAttributes
 DEFAULTS = {
- # Controls the inspec gem version to install and execution. Example values: '1.1.0', 'latest'
- # Starting with Chef Infra Client 15, only the embedded InSpec gem can be used and this attribute will be ignored
- "inspec_version" => nil,
-
- # sets URI to alternate gem source
- # example values: nil, 'https://mygem.server.com'
- # notes: the root of the URL must host the *specs.4.8.gz source index
- "inspec_gem_source" => nil,
-
 # If enabled, a cache is built for all backend calls. This should only be
 # disabled if you are expecting unique results from the same backend call.
 "inspec_backend_cache" => true,
@@ -45,28 +36,6 @@ class Chef
 # allow for connections to HTTPS endpoints using self-signed ssl certificates
 "insecure" => nil,
- # Optional for 'chef-server-automate' reporter
- # defaults to Chef Server org if not defined
- "owner" => nil,
-
- # raise exception if Automate API endpoint is unreachable
- # while fetching profiles or posting a report
- "raise_if_unreachable" => true,
-
- # fail converge if downloaded profile is not present
- # https://github.com/chef-cookbooks/audit/issues/166
- "fail_if_not_present" => false,
-
- "interval" => {
- # control how often inspec scans are run, if not on every node converge
- # notes: false value will result in running inspec scan every converge
- "enabled" => false,
-
- # controls how often inspec scans are run (in minutes)
- # notes: only used if interval is enabled above
- "time" => 1440,
- },
-
-
 # controls verbosity of inspec runner
 "quiet" => true,
@@ -77,13 +46,6 @@ class Chef
 # Attributes used to run the given profiles
 "attributes" => {},
- # Set this to false if you don't want ['audit']['attributes'] to be saved in the node object and stored in Chef Server or Automate. Useful if you are passing sensitive data to the inspec profile via the attributes.
- "attributes_save" => true,
-
- # If enabled, a hash of the Chef "node" object will be sent to InSpec in an attribute
- # named `chef_node`
- "chef_node_attribute_enabled" => false,
-
 # Set this to the path of a YAML waiver file you wish to apply
 # See https://www.inspec.io/docs/reference/waivers/
 "waiver_file" => nil,
diff --git a/lib/chef/audit/runner.rb b/lib/chef/audit/runner.rb
index af387a5def..16c5b0e87f 100644
--- a/lib/chef/audit/runner.rb
+++ b/lib/chef/audit/runner.rb
@@ -55,7 +55,29 @@ class Chef
 ### Below code adapted from audit cookbook's files/default/handler/audit_report.rb
+ DEPRECATED_CONFIG_VALUES = %w{
+ attributes_save
+ chef_node_attribute_enabled
+ fail_if_not_present
+ inspec_gem_source
+ inspec_version
+ interval
+ owner
+ raise_if_unreachable
+ }.freeze
+
+ def warn_for_deprecated_config_values!
+ deprecated_config_values = (audit_attributes.keys & DEPRECATED_CONFIG_VALUES)
+
+ if deprecated_config_values.any?
+ values = deprecated_config_values.sort.map { |v| "'#{v}'" }.join(", ")
+ logger.warn "audit-cookbook config values #{values} are not supported in Chef Infra's audit mode."
+ end
+ end
+
 def report(report = generate_report)
+ warn_for_deprecated_config_values!
+
 if report.empty?
 logger.error "Audit report was not generated properly, skipped reporting"
 return
diff --git a/spec/unit/audit/runner_spec.rb b/spec/unit/audit/runner_spec.rb
index f227742b6c..45fee29734 100644
--- a/spec/unit/audit/runner_spec.rb
+++ b/spec/unit/audit/runner_spec.rb
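Review bot: The `logger.warn` message tells the operator that the keys are "not supported" but not what happens to their values, and one of them matters for data exposure: the `attributes_save` comment removed from default_attributes.rb in the same commit says it kept sensitive `['audit']['attributes']` out of the node object saved to the Chef Server or Automate, so a user who set it to `false` for that reason deserves an explicit statement rather than a generic line. If the values are simply ignored, say so, e.g. `logger.warn "audit-cookbook config values #{values} are not supported in Chef Infra's audit mode and are ignored."`, and consider a follow-up sentence pointing those users at how attribute persistence is now controlled. A comment on the constant would also help the next maintainer, e.g. `# audit-cookbook attributes with no equivalent in Chef Infra's audit mode; their defaults were removed from DefaultAttributes`. The `!` suffix on `warn_for_deprecated_config_values!` is conventionally reserved for methods that have a non-bang counterpart, so `warn_for_deprecated_config_values` would follow the style guide; the enclosing class starts before this hunk.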
@@ -88,4 +88,26 @@ describe Chef::Audit::Runner do
 expect { runner.inspec_profiles }.to raise_error(/Inspec profiles specified in an unrecognized format, expected a hash of hashes./)
 end
 end
+
+ describe "#warn_for_deprecated_config_values!" do
+ it "logs a warning when deprecated config values are present" do
+ node.default["audit"]["owner"] = "my_org"
+ node.default["audit"]["inspec_version"] = "90210"
+
+ expect(logger).to receive(:warn).with(/config values 'inspec_version', 'owner' are not supported/)
+
+ runner.warn_for_deprecated_config_values!
+ end
+
+ it "does not log a warning with no deprecated config values" do
+ node.default["audit"]["profiles"]["linux-baseline"] = {
+ 'compliance': "user/linux-baseline",
+ 'version': "2.1.0",
+ }
+
+ expect(logger).not_to receive(:warn)
+
+ runner.warn_for_deprecated_config_values!
+ end
+ end
 end |
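Review bot: The call to `warn_for_deprecated_config_values!` that the commit adds inside `report` in lib/chef/audit/runner.rb is not exercised here; both examples invoke the method directly, so a later change that drops the call from `report` would still pass this spec. An example along the lines of `expect(runner).to receive(:warn_for_deprecated_config_values!)` followed by `runner.report({})` would cover it, assuming the `logger` double in this spec tolerates the `logger.error` that the empty-report branch emits. Minor style point: the quoted symbol keys `'compliance':` and `'version':` in the second example can be written as `compliance:` and `version:`.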