From fc1bfc855351a7dbec2b02e7e18dc7d61ea98b35 Mon Sep 17 00:00:00 2001
From: Dominik Richter
Date: Wed, 19 Apr 2017 22:12:05 +0200
Subject: [PATCH 1/2] allow filtering controls

Signed-off-by: Dominik Richter
---
 README.md | 11 +++++++++++
 lib/kitchen/verifier/inspec.rb | 1 +
 spec/kitchen/verifier/inspec_spec.rb | 14 ++++++++++++++
 3 files changed, 26 insertions(+)

diff --git a/README.md b/README.md
index a6db9a4..e5dec18 100644
--- a/README.md
+++ b/README.md
@@ -68,6 +68,17 @@ verifier:
 output: path/to/results/%{platform}_%{suite}_inspec.xml
 ```
 
+You can also decide to only run specific controls, instead of a full profile. This is done by specifying a list of controls:
+
+```
+verifier:
+ name: inspec
+ controls:
+ - control-id1
+ - control-id4
+ ...
+```
+
 ### Directory Structure
 
 By default `kitchen-inspec` expects test to be in `test/integration/%suite%` directory structure (we use Chef as provisioner here):
diff --git a/lib/kitchen/verifier/inspec.rb b/lib/kitchen/verifier/inspec.rb
index 87d5e6b..3eb2ce2 100644
--- a/lib/kitchen/verifier/inspec.rb
+++ b/lib/kitchen/verifier/inspec.rb
@@ -186,6 +186,7 @@ def runner_options(transport, state = {}, platform = nil, suite = nil) # rubocop
 runner_options["format"] = config[:format] unless config[:format].nil?
 runner_options["output"] = config[:output] % { platform: platform, suite: suite } unless config[:output].nil?
 runner_options["profiles_path"] = config[:profiles_path] unless config[:profiles_path].nil?
+ runner_options["controls"] = config[:controls]
 end
 end
 
diff --git a/spec/kitchen/verifier/inspec_spec.rb b/spec/kitchen/verifier/inspec_spec.rb
index fe722c9..94d7a18 100644
--- a/spec/kitchen/verifier/inspec_spec.rb
+++ b/spec/kitchen/verifier/inspec_spec.rb
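Review bot: The new `runner_options["controls"] = config[:controls]` is assigned unconditionally, whereas the three sibling options above it are guarded with `unless config[...].nil?`, so every kitchen configuration that sets no controls now hands Inspec::Runner an explicit nil under that key instead of omitting it. Unless the runner treats a nil controls value as "run everything" (not visible in this hunk), that silently changes behaviour for all existing users; `runner_options["controls"] = config[:controls] unless config[:controls].nil?` keeps the options hash consistent with its neighbours. Patch 2/2 rewrites this same line with the `:controls` symbol key but keeps the unconditional assignment, so the guard is needed there too. Because the value comes straight from the YAML config, coercing it with `Array(config[:controls])` would also accept a single control written as a scalar instead of a list. The enclosing runner_options method starts outside the hunk.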
@@ -203,6 +203,20 @@
 verifier.call(port: 123)
 end
 
+ it "constructs an Inspec::Runner with a controls filter" do
+ config[:controls] = %w{a control}
+
+ expect(Inspec::Runner).to receive(:new)
+ .with(
+ hash_including(
+ "controls" => %w{a control}
+ )
+ )
+ .and_return(runner)
+
+ verifier.call(port: 123)
+ end
+
 it "provide platform and test suite to build output path" do
 allow(Inspec::Runner).to receive(:new).and_return(runner)
 

From 1116e55ec040a8c00acb1f2eb39fa67eee7ec61d Mon Sep 17 00:00:00 2001
From: Christoph Hartmann
Date: Wed, 19 Apr 2017 23:56:33 +0200
Subject: [PATCH 2/2] update readme

Signed-off-by: Christoph Hartmann
---
 README.md | 15 ++++++++++-----
 lib/kitchen/verifier/inspec.rb | 2 +-
 spec/kitchen/verifier/inspec_spec.rb | 2 +-
 3 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/README.md b/README.md
index e5dec18..9f9c1e5 100644
--- a/README.md
+++ b/README.md
@@ -71,11 +71,16 @@ verifier:
 You can also decide to only run specific controls, instead of a full profile. This is done by specifying a list of controls:
 
 ```
-verifier:
- name: inspec
- controls:
- - control-id1
- - control-id4
+suites:
+ - name: supermarket
+ run_list:
+ - recipe[apt]
+ - recipe[ssh-hardening]
+ verifier:
+ inspec_tests:
+ - name: dev-sec/ssh-baseline
+ controls:
+ - sshd-46
 ...
 ```
 
diff --git a/lib/kitchen/verifier/inspec.rb b/lib/kitchen/verifier/inspec.rb
index 3eb2ce2..82cb5f4 100644
--- a/lib/kitchen/verifier/inspec.rb
+++ b/lib/kitchen/verifier/inspec.rb
@@ -186,7 +186,7 @@ def runner_options(transport, state = {}, platform = nil, suite = nil) # rubocop
 runner_options["format"] = config[:format] unless config[:format].nil?
 runner_options["output"] = config[:output] % { platform: platform, suite: suite } unless config[:output].nil?
 runner_options["profiles_path"] = config[:profiles_path] unless config[:profiles_path].nil?
- runner_options["controls"] = config[:controls]
+ runner_options[:controls] = config[:controls]
 end
 end
 
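Review bot: The new example pins only the configured case; nothing asserts what Inspec::Runner receives when `config[:controls]` is left unset, which is the path every existing kitchen.yml takes and exactly where the implementation's unconditional assignment of that key matters. A companion example such as `expect(Inspec::Runner).to receive(:new).with(hash_excluding("controls")).and_return(runner)` — or one asserting an explicit nil, whichever behaviour is intended — would lock that contract in. Patch 2/2 changes the key to the `:controls` symbol, so the companion example would use that spelling.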
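Review bot: `runner_options[:controls] = config[:controls]` now uses a symbol key next to three string-keyed entries (`"format"`, `"output"`, `"profiles_path"`) in the same hash, and nothing in the hunk says why. Presumably the symbol is what Inspec::Runner reads for this option; a one-line comment such as `# Inspec::Runner expects the symbol key here, unlike the string-keyed options above` would keep a later reader from "fixing" the mismatch. The assignment is still unconditional, as noted on the 1/2 hunk of this file.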
diff --git a/spec/kitchen/verifier/inspec_spec.rb b/spec/kitchen/verifier/inspec_spec.rb
index 94d7a18..3b97b4c 100644
--- a/spec/kitchen/verifier/inspec_spec.rb
+++ b/spec/kitchen/verifier/inspec_spec.rb
@@ -209,7 +209,7 @@
 expect(Inspec::Runner).to receive(:new)
 .with(
 hash_including(
- "controls" => %w{a control}
+ controls: %w{a control}
 )
 )
 .and_return(runner)