Add waiver-file support (#398)

Add waiver-file support
chef-boneyard · Dec 20, 2019 · 6a5f22d · 6a5f22d
2 parents c59ec37 + 81a5b1c
commit 6a5f22d
Show file tree

Hide file tree

Showing 9 changed files with 88 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -129,6 +129,10 @@ default['audit']['attributes'] = {
 }
 ```
 
+#### Waivers
+
+You can use Chef InSpec's [Waiver Feature](https://www.inspec.io/docs/reference/waivers/) to mark individual failing controls as being administratively accepted, either on a temporary or permanent basis. Prepare a waiver YAML file, and use your Chef Infra cookbooks to deliver the file to your converging node (for example, using [cookbook_file](https://docs.chef.io/resource_cookbook_file.html) or [remote_file](https://docs.chef.io/resource_remote_file.html)). Then set the attribute `default['audit']['waiver_file']` to the location of the waiver file on the local node, and Chef InSpec will apply the waivers.
+
 ### Reporting
 
 #### Reporting to Chef Automate via Chef Server

diff --git a/attributes/default.rb b/attributes/default.rb
@@ -80,6 +80,10 @@
 # named `chef_node`
 default['audit']['chef_node_attribute_enabled'] = false
 
+# Set this to the path of a YAML waiver file you wish to apply
+# See https://www.inspec.io/docs/reference/waivers/
+default['audit']['waiver_file'] = nil
+
 # The location of the json-file output:
 # <chef_cache_path>/cookbooks/audit/inspec-<YYYYMMDDHHMMSS>.json
 default['audit']['json_file']['location'] =

diff --git a/files/default/handler/audit_report.rb b/files/default/handler/audit_report.rb
@@ -147,6 +147,8 @@ def load_automate_fetcher
       def get_opts(reporter, quiet, attributes)
         output = quiet ? ::File::NULL : $stdout
         Chef::Log.debug "Reporter is [#{reporter}]"
+        # You can pass nil (no waiver files), one file, or an array. InSpec expects an Array regardless.
+        waivers = Array(node['audit']['waiver_file'])
         opts = {
           'report' => true,
           'format' => reporter, # For compatibility with older versions of inspec. TODO: Remove this line from Q2 2019
@@ -155,6 +157,7 @@ def get_opts(reporter, quiet, attributes)
           'logger' => Chef::Log, # Use chef-client log level for inspec run,
           backend_cache: node['audit']['inspec_backend_cache'],
           attributes: attributes,
+          waiver_file: waivers,
         }
         opts
       end

diff --git a/kitchen.dokken.yml b/kitchen.dokken.yml
@@ -208,3 +208,17 @@ suites:
             url: https://github.com/dev-sec/tests-ssh-hardening/archive/master.zip
           ssh-baseline:
             supermarket: dev-sec/ssh-baseline
+  - name: waivers
+    run_list:
+      - recipe[test_helper::setup]
+      - recipe[test_helper::setup_waiver_fixture]
+      - recipe[audit::default]
+    attributes:
+      audit:
+        reporter: json-file
+        json_file:
+          location: <%= File.join('/tmp', Time.now.utc.strftime('inspec-%Y%m%d%H%M%S.json')) %>
+        waiver_file: <%= File.join('/tmp', 'waivers-fixture', 'waivers', 'waivers.yaml') %>
+        profiles:
+          waiver-test-profile:
+            path: <%= File.join('/tmp', 'waivers-fixture') %>
diff --git a/test/cookbooks/test_helper/files/waivers-fixture/controls/waiver-check.rb b/test/cookbooks/test_helper/files/waivers-fixture/controls/waiver-check.rb
@@ -0,0 +1,16 @@
+
+# Some of these controls are waivered by the file waivers/waivers.yaml
+
+# control-01 is normal, should pass
+control "control-01" do
+  describe "the expected value" do
+    it { should cmp "the expected value" }
+  end
+end
+
+# control-02 is permanently waivered, should be skipped
+control "control-02" do
+  describe "the expected value" do
+    it { should cmp "the expected value" }
+  end
+end
diff --git a/test/cookbooks/test_helper/files/waivers-fixture/inspec.yml b/test/cookbooks/test_helper/files/waivers-fixture/inspec.yml
@@ -0,0 +1,6 @@
+name: waivers-fixture
+license: Apache-2.0
+summary: A simple profile to verify waiver functionality under audit cookbook
+version: 0.1.0
+supports:
+  platform: os
diff --git a/test/cookbooks/test_helper/files/waivers-fixture/waivers/waivers.yaml b/test/cookbooks/test_helper/files/waivers-fixture/waivers/waivers.yaml
@@ -0,0 +1,4 @@
+---
+control-02:
+  justification: It must be waivered for this test
+  run: false
diff --git a/test/cookbooks/test_helper/recipes/setup_waiver_fixture.rb b/test/cookbooks/test_helper/recipes/setup_waiver_fixture.rb
@@ -0,0 +1,19 @@
+
+[
+  "controls",
+  "waivers",
+].each do |subdir|
+  directory "#{node["audit"]["profiles"]["waiver-test-profile"]["path"]}/#{subdir}" do
+    recursive true
+  end
+end
+
+[
+  "inspec.yml",
+  "controls/waiver-check.rb",
+  "waivers/waivers.yaml",
+].each do |file|
+  cookbook_file "#{node["audit"]["profiles"]["waiver-test-profile"]["path"]}/#{file}" do
+    source "waivers-fixture/#{file}"
+  end
+end
diff --git a/test/integration/waivers/default.rb b/test/integration/waivers/default.rb
@@ -0,0 +1,18 @@
+# get most recent json-file output
+json_file = command('ls -t /tmp/inspec-*.json').stdout.lines.first.chomp
+controls = json(json_file).profiles.first['controls']
+
+# The test fixture has two controls - the first should pass,
+# the second should be a skip with a waiver justification
+
+control "the unwaivered control" do
+  describe controls[0]['results'][0]['status'] do
+    it { should cmp "passed" }
+  end
+end
+
+control "the waivered control" do
+  describe controls[1]['results'][0]['status'] do
+    it { should cmp "skipped" }
+  end
+end