authorTim Smith <tsmith@chef.io>2021-03-05 16:00:49 -0800
committerGitHub <noreply@github.com>2021-03-05 16:00:49 -0800
commit72614b8dfb95f92f0b9351ae3a2413335fc33f32 (patch)
tree07e091447d013f6a7af2cb56ab255add00af75ba
parentcd045c668d04c132e276de003047fe2789543e36 (diff)
parentf540edd7b7c647f308caf6a95e1bbdbcbf842734 (diff)
downloadchef-72614b8dfb95f92f0b9351ae3a2413335fc33f32.tar.gz
Merge pull request #11147 from chef/backport_compliance
Signed-off-by: Tim Smith <tsmith@chef.io>
-rw-r--r--lib/chef/compliance/default_attributes.rb8
-rw-r--r--lib/chef/compliance/runner.rb7
-rw-r--r--spec/unit/compliance/runner_spec.rb36
3 files changed, 48 insertions, 3 deletions
diff --git a/lib/chef/compliance/default_attributes.rb b/lib/chef/compliance/default_attributes.rb
index 9b368d4f64..6f508e8c26 100644
--- a/lib/chef/compliance/default_attributes.rb
+++ b/lib/chef/compliance/default_attributes.rb
@@ -1,5 +1,5 @@
# Author:: Stephan Renatus <srenatus@chef.io>
-# Copyright:: (c) 2016-2019, Chef Software Inc. <legal@chef.io>
+# Copyright:: Copyright (c) Chef Software Inc. <legal@chef.io>
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -87,7 +87,11 @@ class Chef
# If enabled, a hash representation of the Chef Infra node object will be sent to Chef InSpec in an input
# named `chef_node`.
- "chef_node_attribute_enabled" => false
+ "chef_node_attribute_enabled" => false,
+
+ # Should the built-in compliance phase run. True and false force the behavior. Nil does magic based on if you have
+ # profies defined but do not have the audit cookbook enabled.
+ "compliance_phase" => nil
)
end
end
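Review bot: The comment on the new `compliance_phase` default says nil "does magic", which leaves the actual rule undocumented, and "profies" is misspelled. Going by the runner change in this same commit, nil means the phase runs only when profiles are defined and the audit cookbook is not present, so the comment could read `# Whether the built-in compliance phase runs: true/false force it on or off; nil (the default) runs it only when` followed by `# profiles are defined and the audit cookbook is not present.` It is worth stating there that `false` suppresses the phase even when profiles are defined, because that switches off a compliance control. The enclosing attribute block starts above the hunk.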
diff --git a/lib/chef/compliance/runner.rb b/lib/chef/compliance/runner.rb
index 871d86ea23..114cd5afef 100644
--- a/lib/chef/compliance/runner.rb
+++ b/lib/chef/compliance/runner.rb
@@ -22,8 +22,13 @@ class Chef
logger.debug("#{self.class}##{__method__}: #{Inspec::Dist::PRODUCT_NAME} profiles? #{inspec_profiles.any?}")
logger.debug("#{self.class}##{__method__}: audit cookbook? #{audit_cookbook_present}")
+ logger.debug("#{self.class}##{__method__}: compliance phase attr? #{node["audit"]["compliance_phase"]}")
- inspec_profiles.any? && !audit_cookbook_present
+ if node["audit"]["compliance_phase"].nil?
+ inspec_profiles.any? && !audit_cookbook_present
+ else
+ node["audit"]["compliance_phase"]
+ end
end
def node=(node)
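Review bot: An explicit `false` in `node["audit"]["compliance_phase"]` now skips the compliance phase even when profiles are defined, and the only trace is the new debug-level line. In normal logs, a node that has stopped scanning looks the same as one that never had profiles. Consider reading the attribute once into a local and logging the override at a visible level in the `else` branch, e.g. `logger.warn("#{self.class}##{__method__}: compliance phase forced to #{phase.inspect} by node attribute")`. The `else` branch also returns the raw attribute, so any value other than nil or false (the string "false", or 0) is truthy and enables the phase; comparing against `true` and `false` explicitly would make that deliberate. The method's `def` line is above the hunk.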
diff --git a/spec/unit/compliance/runner_spec.rb b/spec/unit/compliance/runner_spec.rb
index d982174e67..d166f467c8 100644
--- a/spec/unit/compliance/runner_spec.rb
+++ b/spec/unit/compliance/runner_spec.rb
@@ -19,6 +19,13 @@ describe Chef::Compliance::Runner do
expect(runner).to be_enabled
end
+ it "is false if the node attributes have audit profiles and the audit cookbook is not present, and the compliance mode attribute is false" do
+ node.normal["audit"]["profiles"]["ssh"] = { 'compliance': "base/ssh" }
+ node.normal["audit"]["compliance_phase"] = false
+
+ expect(runner).not_to be_enabled
+ end
+
it "is false if the node attributes have audit profiles and the audit cookbook is present" do
stub_const("::Reporter::ChefAutomate", true)
node.normal["audit"]["profiles"]["ssh"] = { 'compliance': "base/ssh" }
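Review bot: The new example descriptions call the attribute "compliance mode" here and "complince mode" in the two later hunks of this file, while the attribute is `compliance_phase`; using the real name keeps a failing example searchable. The added cases only set `true` or `false`. None covers a `false` override with the audit cookbook present, or a non-boolean value such as the string "false", which the runner's `else` branch would treat as truthy. An example that sets `node.normal["audit"]["compliance_phase"] = "false"` and pins the expected outcome would document that behaviour.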
@@ -26,6 +33,14 @@ describe Chef::Compliance::Runner do
expect(runner).not_to be_enabled
end
+ it "is true if the node attributes have audit profiles and the audit cookbook is present, and the complince mode attribute is true" do
+ stub_const("::Reporter::ChefAutomate", true)
+ node.normal["audit"]["profiles"]["ssh"] = { 'compliance': "base/ssh" }
+ node.normal["audit"]["compliance_phase"] = true
+
+ expect(runner).to be_enabled
+ end
+
it "is false if the node attributes do not have audit profiles and the audit cookbook is not present" do
node.normal["audit"]["profiles"] = {}
@@ -43,6 +58,27 @@ describe Chef::Compliance::Runner do
node.automatic["recipes"] = %w{ fancy_cookbook::fanciness tacobell::nachos }
expect(runner).not_to be_enabled
end
+
+ it "is true if the node attributes do not have audit profiles and the audit cookbook is not present, and the complince mode attribute is true" do
+ node.normal["audit"]["profiles"] = {}
+ node.normal["audit"]["compliance_phase"] = true
+
+ expect(runner).to be_enabled
+ end
+
+ it "is true if the node attributes do not have audit profiles and the audit cookbook is present, and the complince mode attribute is true" do
+ stub_const("::Reporter::ChefAutomate", true)
+ node.automatic["recipes"] = %w{ audit::default fancy_cookbook::fanciness tacobell::nachos }
+ node.normal["audit"]["compliance_phase"] = true
+
+ expect(runner).to be_enabled
+ end
+
+ it "is true if the node attributes do not have audit attributes and the audit cookbook is not present, and the complince mode attribute is true" do
+ node.automatic["recipes"] = %w{ fancy_cookbook::fanciness tacobell::nachos }
+ node.normal["audit"]["compliance_phase"] = true
+ expect(runner).to be_enabled
+ end
end
describe "#inspec_profiles" do