diff options
| author | Lamont Granquist <lamont@scriptkiddie.org> | 2021-01-13 22:07:04 -0800 |
|---|---|---|
| committer | Lamont Granquist <lamont@scriptkiddie.org> | 2021-01-13 22:07:04 -0800 |
| commit | 7419a2dca82c5f168da97c0f84cabeb5078b9411 (patch) | |
| tree | 3a952217ec16a75831838b22e74b49f7ff33b85e /spec | |
| parent | 351273388a150423ea0bd51dba155584d31445d0 (diff) | |
| download | chef-7419a2dca82c5f168da97c0f84cabeb5078b9411.tar.gz | |
Compliance Phase: even better audit cookbook detectionlcg/better-auditcb-detection
This detects if the audit cookbook's library files have been parsed,
which is mildly brittle but this constant has been stable back to 2017.
This catches the case where a site:
1. Has the audit cookbook as a cookbook dependency so it is in the run_list.
2. The wrapper cookbook is loading the attributes.
3. But the audit cookbook is not run every time and is controlled by
"include_recipe" with a conditional wrapper.
It may also catch cases where the site uses a named_run_list in a
PolicyFile since the cookbook set is the same no matter what named_run_list
you are running (pretty sure that's a feature of how PolicyFiles work).
What it can't do is catch old-style override run_lists with the audit
cookbook normally not in the cookbook set at all. That is quite
literally impossible to detect.
Signed-off-by: Lamont Granquist <lamont@scriptkiddie.org>
Diffstat (limited to 'spec')
| -rw-r--r-- | spec/unit/compliance/runner_spec.rb | 7 |
1 files changed, 3 insertions, 4 deletions
diff --git a/spec/unit/compliance/runner_spec.rb b/spec/unit/compliance/runner_spec.rb index 26c7008ccd..d982174e67 100644 --- a/spec/unit/compliance/runner_spec.rb +++ b/spec/unit/compliance/runner_spec.rb @@ -12,29 +12,28 @@ describe Chef::Compliance::Runner do end describe "#enabled?" do + it "is true if the node attributes have audit profiles and the audit cookbook is not present" do node.normal["audit"]["profiles"]["ssh"] = { 'compliance': "base/ssh" } - node.automatic["recipes"] = %w{ fancy_cookbook::fanciness tacobell::nachos } expect(runner).to be_enabled end it "is false if the node attributes have audit profiles and the audit cookbook is present" do + stub_const("::Reporter::ChefAutomate", true) node.normal["audit"]["profiles"]["ssh"] = { 'compliance': "base/ssh" } - node.automatic["recipes"] = %w{ audit::default fancy_cookbook::fanciness tacobell::nachos } expect(runner).not_to be_enabled end it "is false if the node attributes do not have audit profiles and the audit cookbook is not present" do node.normal["audit"]["profiles"] = {} - node.automatic["recipes"] = %w{ fancy_cookbook::fanciness tacobell::nachos } expect(runner).not_to be_enabled end it "is false if the node attributes do not have audit profiles and the audit cookbook is present" do - node.normal["audit"]["profiles"] = {} + stub_const("::Reporter::ChefAutomate", true) node.automatic["recipes"] = %w{ audit::default fancy_cookbook::fanciness tacobell::nachos } expect(runner).not_to be_enabled |