Merge pull request #85 from chef-cookbooks/chris-rock/compliance_refr…

…esh_token

improve compliance refresh token handling

Gemfile

@@ -9,12 +9,12 @@ end
 
 group :test do
   gem 'rake', '~> 10'
+  gem 'berkshelf', '~> 3.3.0'
   gem 'chefspec',  '~> 4.3.0'
   gem 'coveralls', '~> 0.8.2', require: false
 end
 
 group :integration do
-  gem 'berkshelf', '~> 3.3.0'
   gem 'test-kitchen', '~> 1.6'
   gem 'kitchen-dokken'
   gem 'kitchen-inspec', '~> 0.9'

Rakefile

@@ -29,6 +29,7 @@ end
 
 desc 'Run all style checks'
 task style: ['style:chef', 'style:ruby']
+task lint: ['style']
 
 # ChefSpec
 begin

examples/kitchen/.kitchen.linux.yml

@@ -27,6 +27,10 @@ suites:
         refresh_token:  <%= ENV['COMPLIANCE_REFRESHTOKEN'] %>
         insecure: true
         owner: admin
+        # fail converge if downloaded profile is not present
+        fail_if_not_present: true
+        # fail converge after posting report if any audits have failed
+        fail_if_any_audits_failed: false
         profiles:
           base/linux: true
           brewinc/ssh-hardening:

examples/kitchen/.kitchen.win.yml

@@ -39,5 +39,9 @@ suites:
         refresh_token:  <%= ENV['COMPLIANCE_REFRESHTOKEN'] %>
         insecure: true
         owner: admin
+        # fail converge if downloaded profile is not present
+        fail_if_not_present: true
+        # fail converge after posting report if any audits have failed
+        fail_if_any_audits_failed: false
         profiles:
           base/windows: true

libraries/compliance.rb

@@ -0,0 +1,11 @@
+# encoding: utf-8
+
+# exchanges a refresh token into an access token
+def retrieve_access_token(server_url, refresh_token, insecure)
+  require 'inspec'
+  require 'bundles/inspec-compliance/api'
+  require 'bundles/inspec-compliance/http'
+  _success, _msg, access_token = Compliance::API.post_refresh_token(server_url, refresh_token, insecure)
+  # TODO: we return always the access token, without proper error handling
+  access_token
+end

libraries/helper.rb

@@ -45,17 +45,11 @@ def with_http_rescue(&block)
       end
       return response
     rescue Net::HTTPServerException => e
+      Chef::Log.error e
       handle_http_error_code(e.response.code)
     end
   end
 
-  # exchanges a refresh token into an access token
-  def retrieve_access_token(server_url, refresh_token, insecure)
-    _success, _msg, access_token = Compliance::API.post_refresh_token(server_url, refresh_token, insecure)
-    # TODO we return always the access token, without proper error handling
-    return access_token
-  end
-
   # Returns the uuid for the current converge
   def run_id
     return unless run_context &&

libraries/inspec.rb

@@ -0,0 +1,38 @@
+# encoding: utf-8
+class Audit
+  class Resource
+    class ChefInspec < Chef::Resource
+      resource_name :inspec
+
+      property :version, String, default: 'latest'
+
+      default_action :install
+
+      # installs inspec if required
+      action :install do
+        converge_by 'install/update inspec' do
+          chef_gem 'inspec' do
+            version new_resource.version if new_resource.version != 'latest'
+            compile_time true
+            action :install
+          end
+        end
+
+        converge_by 'verifies the inspec version' do
+          verify_inspec_version version
+        end
+      end
+
+      def verify_inspec_version(inspec_version)
+        require 'inspec'
+        # check we have the right inspec version
+        if Inspec::VERSION != inspec_version && inspec_version !='latest'
+          Chef::Log.warn "Wrong version of inspec (#{Inspec::VERSION}), please "\
+            'remove old versions (/opt/chef/embedded/bin/gem uninstall inspec).'
+        else
+          Chef::Log.warn "Using inspec version: (#{Inspec::VERSION})"
+        end
+      end
+    end
+  end
+end