Merge pull request #238 from chef-cookbooks/adamleff/raise-when-dual-…

…audit Fail Chef run if Audit Mode is enabled
chef-boneyard · Jun 14, 2017 · 6015954 · 6015954
2 parents 0d0717d + e41d0e9
commit 6015954
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 0 deletions.
diff --git a/recipes/default.rb b/recipes/default.rb
@@ -17,6 +17,16 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+# The "audit cookbook" and Chef's own "Audit Mode" are not compatible
+# due to global state management done by RSpec which is used by both
+# implementations. To prevent unexpected results, the audit cookbook
+# will prevent Chef from continuing if Audit Mode is not disabled.
+unless Chef::Config[:audit_mode] == :disabled
+  raise 'Audit Mode is enabled. The audit cookbook and Audit Mode' \
+    ' cannot be used at the same time. Please disable Audit Mode' \
+    ' in your client configuration.'
+end
+
 include_recipe 'audit::inspec'
 
 load_audit_handler
diff --git a/spec/unit/recipes/default_spec.rb b/spec/unit/recipes/default_spec.rb
@@ -176,4 +176,20 @@
       expect { chef_run }.to_not raise_error
     end
   end
+
+  context 'when audit_mode is enabled' do
+    let(:chef_run) do
+      runner = ChefSpec::ServerRunner.new(platform: 'centos', version: '6.5')
+      runner.node.override['audit']['collector'] = 'json-file'
+      runner.node.override['audit']['profiles'] = [
+        { 'name': 'linux', 'compliance': 'base/linux' },
+      ]
+      Chef::Config[:audit_mode] = :enabled
+      runner.converge(described_recipe)
+    end
+
+    it 'raises an exception' do
+      expect { chef_run }.to raise_error(RuntimeError)
+    end
+  end
 end