authorPete Higgins <pete@peterhiggins.org>2020-11-20 17:47:04 -0800
committerPete Higgins <pete@peterhiggins.org>2020-12-01 16:12:04 -0800
commitf52ed3298edb9f77500d63e01cd8bf7bdd6c34e8 (patch)
tree42888df2b89dd4e779e4276d1403cfe3bc8da997
parent902bd99f7f2a0c468aa987e9bcf190027df658d9 (diff)
downloadchef-f52ed3298edb9f77500d63e01cd8bf7bdd6c34e8.tar.gz
Warn if unsupported audit-cookbook config values are present.
Signed-off-by: Pete Higgins <pete@peterhiggins.org>
-rw-r--r--lib/chef/audit/default_attributes.rb38
-rw-r--r--lib/chef/audit/runner.rb22
-rw-r--r--spec/unit/audit/runner_spec.rb22
3 files changed, 44 insertions, 38 deletions
diff --git a/lib/chef/audit/default_attributes.rb b/lib/chef/audit/default_attributes.rb
index 41b450ef37..b1d1353e49 100644
--- a/lib/chef/audit/default_attributes.rb
+++ b/lib/chef/audit/default_attributes.rb
@@ -17,15 +17,6 @@ class Chef
module Audit
module DefaultAttributes
DEFAULTS = {
- # Controls the inspec gem version to install and execution. Example values: '1.1.0', 'latest'
- # Starting with Chef Infra Client 15, only the embedded InSpec gem can be used and this attribute will be ignored
- "inspec_version" => nil,
-
- # sets URI to alternate gem source
- # example values: nil, 'https://mygem.server.com'
- # notes: the root of the URL must host the *specs.4.8.gz source index
- "inspec_gem_source" => nil,
-
# If enabled, a cache is built for all backend calls. This should only be
# disabled if you are expecting unique results from the same backend call.
"inspec_backend_cache" => true,
@@ -45,28 +36,6 @@ class Chef
# allow for connections to HTTPS endpoints using self-signed ssl certificates
"insecure" => nil,
- # Optional for 'chef-server-automate' reporter
- # defaults to Chef Server org if not defined
- "owner" => nil,
-
- # raise exception if Automate API endpoint is unreachable
- # while fetching profiles or posting a report
- "raise_if_unreachable" => true,
-
- # fail converge if downloaded profile is not present
- # https://github.com/chef-cookbooks/audit/issues/166
- "fail_if_not_present" => false,
-
- "interval" => {
- # control how often inspec scans are run, if not on every node converge
- # notes: false value will result in running inspec scan every converge
- "enabled" => false,
-
- # controls how often inspec scans are run (in minutes)
- # notes: only used if interval is enabled above
- "time" => 1440,
- },
-
# controls verbosity of inspec runner
"quiet" => true,
@@ -77,13 +46,6 @@ class Chef
# Attributes used to run the given profiles
"attributes" => {},
- # Set this to false if you don't want ['audit']['attributes'] to be saved in the node object and stored in Chef Server or Automate. Useful if you are passing sensitive data to the inspec profile via the attributes.
- "attributes_save" => true,
-
- # If enabled, a hash of the Chef "node" object will be sent to InSpec in an attribute
- # named `chef_node`
- "chef_node_attribute_enabled" => false,
-
# Set this to the path of a YAML waiver file you wish to apply
# See https://www.inspec.io/docs/reference/waivers/
"waiver_file" => nil,
diff --git a/lib/chef/audit/runner.rb b/lib/chef/audit/runner.rb
index af387a5def..16c5b0e87f 100644
--- a/lib/chef/audit/runner.rb
+++ b/lib/chef/audit/runner.rb
@@ -55,7 +55,29 @@ class Chef
### Below code adapted from audit cookbook's files/default/handler/audit_report.rb
+ DEPRECATED_CONFIG_VALUES = %w{
+ attributes_save
+ chef_node_attribute_enabled
+ fail_if_not_present
+ inspec_gem_source
+ inspec_version
+ interval
+ owner
+ raise_if_unreachable
+ }.freeze
+
+ def warn_for_deprecated_config_values!
+ deprecated_config_values = (audit_attributes.keys & DEPRECATED_CONFIG_VALUES)
+
+ if deprecated_config_values.any?
+ values = deprecated_config_values.sort.map { |v| "'#{v}'" }.join(", ")
+ logger.warn "audit-cookbook config values #{values} are not supported in Chef Infra's audit mode."
+ end
+ end
+
def report(report = generate_report)
+ warn_for_deprecated_config_values!
+
if report.empty?
logger.error "Audit report was not generated properly, skipped reporting"
return
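Review bot: The generic message in `warn_for_deprecated_config_values!` gives safety-relevant keys the same wording as cosmetic ones and never says the value is ignored. The comments removed from default_attributes.rb describe `attributes_save` as the switch for keeping sensitive profile inputs out of the saved node object, and `raise_if_unreachable` / `fail_if_not_present` as the settings that make a run fail loudly. Whether audit mode still persists `['audit']['attributes']` is not visible in this hunk and should be confirmed; if it does, a node that set `attributes_save` to false would start storing those values with only this log line as notice. I would state the consequence while keeping the wording the spec matches, e.g. `logger.warn "audit-cookbook config values #{values} are not supported in Chef Infra's audit mode and will be ignored."`, and add a comment above the constant such as `# Audit-cookbook keys that audit mode does not read; their presence is reported, never honored.` The warning is emitted only from `report`, whose body continues outside the hunk, so a run that fails before reporting would never surface it.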
diff --git a/spec/unit/audit/runner_spec.rb b/spec/unit/audit/runner_spec.rb
index f227742b6c..45fee29734 100644
--- a/spec/unit/audit/runner_spec.rb
+++ b/spec/unit/audit/runner_spec.rb
@@ -88,4 +88,26 @@ describe Chef::Audit::Runner do
expect { runner.inspec_profiles }.to raise_error(/Inspec profiles specified in an unrecognized format, expected a hash of hashes./)
end
end
+
+ describe "#warn_for_deprecated_config_values!" do
+ it "logs a warning when deprecated config values are present" do
+ node.default["audit"]["owner"] = "my_org"
+ node.default["audit"]["inspec_version"] = "90210"
+
+ expect(logger).to receive(:warn).with(/config values 'inspec_version', 'owner' are not supported/)
+
+ runner.warn_for_deprecated_config_values!
+ end
+
+ it "does not log a warning with no deprecated config values" do
+ node.default["audit"]["profiles"]["linux-baseline"] = {
+ 'compliance': "user/linux-baseline",
+ 'version': "2.1.0",
+ }
+
+ expect(logger).not_to receive(:warn)
+
+ runner.warn_for_deprecated_config_values!
+ end
+ end
end
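Review bot: Neither example asserts that `report` invokes `warn_for_deprecated_config_values!`, so deleting the call added in runner.rb would leave both examples green while the warning silently disappears. An example that sets `expect(runner).to receive(:warn_for_deprecated_config_values!)` and then calls `runner.report` with an empty report would pin that wiring; the empty-report branch visible in runner.rb logs an error and returns, so the `logger` double would presumably need to allow `error`. It would also help to cover `attributes_save` and the nested `interval` hash, since those are the keys whose silent loss matters most to an operator. The enclosing `describe Chef::Audit::Runner` block starts outside this hunk, so the `runner`, `node` and `logger` fixtures are not visible here.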