Skip to content

Commit

Permalink
Fix chef-server-visibility collector and introduce chef-server-compli…
Browse files Browse the repository at this point in the history
…ance

Signed-off-by: Alex Pop <apop@chef.io>
  • Loading branch information
alexpop committed Nov 23, 2016
1 parent ad4388b commit 92f0601
Show file tree
Hide file tree
Showing 9 changed files with 45 additions and 19 deletions.
2 changes: 2 additions & 0 deletions .rubocop.yml
Original file line number Diff line number Diff line change
Expand Up @@ -69,3 +69,5 @@ Style/SpaceAroundOperators:
Enabled: false
Style/IfUnlessModifier:
Enabled: false
Style/AccessorMethodName:
Enabled: false
6 changes: 3 additions & 3 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -172,7 +172,7 @@ default["audit"] = {

If you want the audit cookbook to retrieve compliance profiles and report to Chef Automate(Visibility) through Chef Server, set the `collector` and `profiles` attributes.

This requires Chef Server version 12.11.0 and Chef Automate 0.6.0 or newer, as well as integration between the two. More details [here](https://docs.chef.io/integrate_compliance_chef_automate.html#collector-chef-server-visibility).
This requires Chef Server version 12.11.1 and Chef Automate 0.6.6 or newer, as well as integration between the two. More details [here](https://docs.chef.io/integrate_compliance_chef_automate.html#collector-chef-server-visibility).

Attributes example:

Expand Down Expand Up @@ -318,8 +318,8 @@ for each one. For example, to report to chef-compliance and write to json file

## Fetcher attribute

To enable reporting to chef-visibility with profiles from chef-compliance, you need to have chef-server integrated with chef-compliance. You can then set the fetcher attribute to 'chef-server'.
This will allow the audit cookbook to fetch the profile from chef-compliance. For example:
To enable reporting to Chef Visibility with profiles from Chef Compliance, you need to have Chef Server integrated with Chef Compliance. You can then set the `fetcher` attribute to 'chef-server'.
This will allow the audit cookbook to fetch profiles stored in Chef Compliance. For example:

```ruby
"audit": {
Expand Down
14 changes: 6 additions & 8 deletions attributes/default.rb
Original file line number Diff line number Diff line change
Expand Up @@ -16,21 +16,19 @@
# limitations under the License.

# inspec gem version to install(e.g. '1.1.0')
default['audit']['inspec_version'] = '1.2.0'
default['audit']['inspec_version'] = '1.5.0'

# URI to alternate gem source (e.g. http://gems.server.com)
# URI to alternate gem source (e.g. 'http://gems.server.com')
# root of location must host the *specs.4.8.gz source index
default['audit']['inspec_gem_source'] = nil

# collector possible values: chef-server, chef-compliance, chef-visibility, chef-server-visibility, json-file
# collector possible values: 'chef-server-visibility', 'chef-server-compliance', 'chef-compliance', 'chef-visibility', 'json-file'
# chef-visibility requires inspec version 0.27.1 or above
default['audit']['collector'] = 'chef-server'
default['audit']['collector'] = 'chef-server-compliance'

# It will use an InSpec fetcher that fetches compliance profiles via Chef Server
# from Chef Compliance or Chef Automate. Will be activated by default if the collectors
# 'chef-server' or 'chef-server-visibility' are used
# is used
# fetcher possible values: chef-server
# from Chef Compliance or Chef Automate. Will be activated by default if collector
# 'chef-server-compliance' or 'chef-server-visibility' is used. Possible values: 'chef-server'
default['audit']['fetcher'] = nil

# Attributes server, insecure and token/refresh_token are only needed for the 'chef-compliance' collector
Expand Down
2 changes: 1 addition & 1 deletion examples/chef-server/Vagrantfile
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@ Vagrant.configure(2) do |config|
chef.add_recipe 'audit::default'
chef.json = {
audit: {
collector: "chef-server",
collector: "chef-server-compliance",
insecure: true,
profiles: [{
name: "linux",
Expand Down
2 changes: 1 addition & 1 deletion examples/wrapper_audit/recipes/default.rb
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@
# how you would setup chef-client to send converge data to your
# Chef Visibility server.
include_recipe 'visibility_win::chef_client_config'
# Set the collector to chef-visibility instead of the default chef-server.
# Set the collector to chef-visibility instead of the default chef-server-compliance.
node.default['audit']['collector'] = 'chef-visibility'
# Execute the community audit cookbook with the collector set
include_recipe 'audit::default'
11 changes: 7 additions & 4 deletions files/default/handler/audit_report.rb
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,8 @@ class Handler
# Creates a compliance audit report
class AuditReport < ::Chef::Handler
def report
# ensure reporters is array
reporters = handle_reporters(node['audit']['collector'])
# get reporter(s) from attributes as an array
reporters = get_reporters(node['audit'])

# collect attribute values
server = node['audit']['server']
Expand All @@ -24,7 +24,10 @@ def report
load_needed_dependencies

# detect if we run in a chef client with chef server
load_chef_fetcher if reporters.include?('chef-server') || reporters.include?('chef-server-visibility') || node['audit']['fetcher'] == 'chef-server'
load_chef_fetcher if reporters.include?('chef-server') ||
reporters.include?('chef-server-compliance') ||
reporters.include?('chef-server-visibility') ||
node['audit']['fetcher'] == 'chef-server'

# iterate through reporters
reporters.each do |reporter|
Expand Down Expand Up @@ -161,7 +164,7 @@ def send_report(reporter, server, user, profiles, report)
else
Chef::Log.warn "unable to determine chef-server url required by inspec report collector '#{reporter}'. Skipping..."
end
elsif reporter == 'chef-server'
elsif reporter == 'chef-server-compliance' || reporter == 'chef-server' # chef-server is legacy reporter
chef_url = server || base_chef_server_url
chef_org = Chef::Config[:chef_server_url].split('/').last
if chef_url
Expand Down
14 changes: 13 additions & 1 deletion files/default/vendor/chef-server/fetcher.rb
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,18 @@ def self.chef_server_org
Chef::Config[:chef_server_url].split('/').last
end

def self.url_prefix
if defined?(Chef) &&
defined?(Chef.node) &&
defined?(Chef.node.attributes) &&
Chef.node.attributes['audit'] &&
get_reporters(Chef.node.attributes['audit']).include?('chef-server-visibility')
''
else
'/compliance'
end
end

def self.target_url(profile, config)
o, p = profile.split('/')
reqpath ="organizations/#{chef_server_org}/owners/#{o}/compliance/#{p}/tar"
Expand All @@ -58,7 +70,7 @@ def self.target_url(profile, config)
Chef::Config[:ssl_verify_mode] = :verify_none
end

construct_url(chef_server_url_base + '/compliance/', reqpath)
construct_url(chef_server_url_base + url_prefix + '/', reqpath)
end

#
Expand Down
11 changes: 11 additions & 0 deletions libraries/helper.rb
Original file line number Diff line number Diff line change
Expand Up @@ -118,6 +118,17 @@ def load_audit_handler
require libpath
Chef::Config.send('report_handlers') << Chef::Handler::AuditReport.new
end

# taking node['audit'] as parameter so that it can be called from the chef-server fetcher as well
# audit['collector'] is the legacy reporter,
# deprecated in favour of ['audit']['reporter']
def get_reporters(audit)
if audit['collector'] && audit['reporter'].nil?
Chef::Log.warn("node ['audit']['collector'] is deprecated and will be removed from the next major version of the cookbook. Please use node ['audit']['reporter']")
return handle_reporters(audit['collector'])
end
handle_reporters(audit['reporter'])
end
end

::Chef::Recipe.send(:include, ReportHelpers)
2 changes: 1 addition & 1 deletion metadata.rb
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@
license 'Apache 2.0'
description 'Allows for fetching and executing compliance profiles, and reporting its results'
long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
version '2.2.0'
version '2.3.0'

source_url 'https://github.com/chef-cookbooks/audit'
issues_url 'https://github.com/chef-cookbooks/audit/issues'
Expand Down

0 comments on commit 92f0601

Please sign in to comment.