summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLamont Granquist <lamont@scriptkiddie.org>2021-02-26 12:00:56 -0800
committerLamont Granquist <lamont@scriptkiddie.org>2021-02-26 12:00:56 -0800
commit77a02393d7301d4e864a82751fab72e4764ee96f (patch)
treed90fb2e7c4ad323a8e18e10767d6d8247218bc46
parent6fb4dae4f722ee28e17d6b4354c3b6f3fb01946e (diff)
downloadchef-77a02393d7301d4e864a82751fab72e4764ee96f.tar.gz
Extend node["audit"]["compliance_phase"] to assert phase on or offlcg/compliance-phase-attr2
The nil default is now the magic behavior while true or false asserts it and overrides the magic. Signed-off-by: Lamont Granquist <lamont@scriptkiddie.org>
-rw-r--r--lib/chef/compliance/default_attributes.rb5
-rw-r--r--lib/chef/compliance/runner.rb7
-rw-r--r--spec/unit/compliance/runner_spec.rb35
3 files changed, 41 insertions, 6 deletions
diff --git a/lib/chef/compliance/default_attributes.rb b/lib/chef/compliance/default_attributes.rb
index 16c5c078e7..bf64a99369 100644
--- a/lib/chef/compliance/default_attributes.rb
+++ b/lib/chef/compliance/default_attributes.rb
@@ -89,8 +89,9 @@ class Chef
# named `chef_node`.
"chef_node_attribute_enabled" => false,
- # Should the built-in compliance phase run.
- "compliance_phase" => true
+ # Should the built-in compliance phase run. True and false force the behavior. Nil does magic based on if you have
+ # profies defined but do not have the audit cookbook enabled.
+ "compliance_phase" => nil
)
end
end
diff --git a/lib/chef/compliance/runner.rb b/lib/chef/compliance/runner.rb
index 8ffa4b65d7..50b8ff561a 100644
--- a/lib/chef/compliance/runner.rb
+++ b/lib/chef/compliance/runner.rb
@@ -23,8 +23,13 @@ class Chef
logger.debug("#{self.class}##{__method__}: #{Inspec::Dist::PRODUCT_NAME} profiles? #{inspec_profiles.any?}")
logger.debug("#{self.class}##{__method__}: audit cookbook? #{audit_cookbook_present}")
+ logger.debug("#{self.class}##{__method__}: compliance phase attr? #{node["audit"]["compliance_phase"]}")
- inspec_profiles.any? && !audit_cookbook_present && node["audit"]["compliance_phase"]
+ if node["audit"]["compliance_phase"].nil?
+ inspec_profiles.any? && !audit_cookbook_present
+ else
+ node["audit"]["compliance_phase"]
+ end
end
def node=(node)
diff --git a/spec/unit/compliance/runner_spec.rb b/spec/unit/compliance/runner_spec.rb
index d46d756b0e..d166f467c8 100644
--- a/spec/unit/compliance/runner_spec.rb
+++ b/spec/unit/compliance/runner_spec.rb
@@ -19,11 +19,11 @@ describe Chef::Compliance::Runner do
expect(runner).to be_enabled
end
- it "is false if the node attributes have audit profiles and the audit cookbook is not present, and the compliance mode attribute is unset" do
+ it "is false if the node attributes have audit profiles and the audit cookbook is not present, and the compliance mode attribute is false" do
node.normal["audit"]["profiles"]["ssh"] = { 'compliance': "base/ssh" }
- node.normal["audit"]["compliance_mode"] = false
+ node.normal["audit"]["compliance_phase"] = false
- expect(runner).to be_enabled
+ expect(runner).not_to be_enabled
end
it "is false if the node attributes have audit profiles and the audit cookbook is present" do
@@ -33,6 +33,14 @@ describe Chef::Compliance::Runner do
expect(runner).not_to be_enabled
end
+ it "is true if the node attributes have audit profiles and the audit cookbook is present, and the complince mode attribute is true" do
+ stub_const("::Reporter::ChefAutomate", true)
+ node.normal["audit"]["profiles"]["ssh"] = { 'compliance': "base/ssh" }
+ node.normal["audit"]["compliance_phase"] = true
+
+ expect(runner).to be_enabled
+ end
+
it "is false if the node attributes do not have audit profiles and the audit cookbook is not present" do
node.normal["audit"]["profiles"] = {}
@@ -50,6 +58,27 @@ describe Chef::Compliance::Runner do
node.automatic["recipes"] = %w{ fancy_cookbook::fanciness tacobell::nachos }
expect(runner).not_to be_enabled
end
+
+ it "is true if the node attributes do not have audit profiles and the audit cookbook is not present, and the complince mode attribute is true" do
+ node.normal["audit"]["profiles"] = {}
+ node.normal["audit"]["compliance_phase"] = true
+
+ expect(runner).to be_enabled
+ end
+
+ it "is true if the node attributes do not have audit profiles and the audit cookbook is present, and the complince mode attribute is true" do
+ stub_const("::Reporter::ChefAutomate", true)
+ node.automatic["recipes"] = %w{ audit::default fancy_cookbook::fanciness tacobell::nachos }
+ node.normal["audit"]["compliance_phase"] = true
+
+ expect(runner).to be_enabled
+ end
+
+ it "is true if the node attributes do not have audit attributes and the audit cookbook is not present, and the complince mode attribute is true" do
+ node.automatic["recipes"] = %w{ fancy_cookbook::fanciness tacobell::nachos }
+ node.normal["audit"]["compliance_phase"] = true
+ expect(runner).to be_enabled
+ end
end
describe "#inspec_profiles" do