Adds cops to detect Chef Vault usage. #762
Changes from 5 commits
36687f1
652c3db
a364fab
1515aac
809ac77
5e5a0ad
b5a4c79
@@ -1929,6 +1929,25 @@ ChefEffortless/CookbookUsesDatabags: | |||||
Exclude: | ||||||
- '**/metadata.rb' | ||||||
- '**/Berksfile' | ||||||
|
||||||
# https://github.com/chef/cookstyle/issues/346 | ||||||
ChefEffortless/ChefVaultUsed: | ||||||
Description: Cookbook uses Chef Vault, which cannot be used in the Effortless Infra pattern | ||||||
StyleGuide: '#chefeffortlesscookbookuseschefvault' | ||||||
Enabled: false | ||||||
VersionAdded: '6.19.2' | ||||||
Exclude: | ||||||
- '**/metadata.rb' | ||||||
- '**/Berksfile' | ||||||
|
||||||
# https://github.com/chef/cookstyle/issues/346 | ||||||
ChefEffortless/DependsChefVault: | ||||||
Description: Cookbook depends on Chef Vault, which cannot be used in the Effortless Infra pattern | ||||||
StyleGuide: '#chefeffortlesscookbookdependschefvault' | ||||||
Enabled: false | ||||||
VersionAdded: '6.19.2' | ||||||
|
||||||
Include: | ||||||
- '**/metadata.rb' | ||||||
|
||||||
ChefEffortless/CookbookUsesEnvironments: | ||||||
Description: Cookbook uses environments, which cannot be used in the Effortless Infra pattern | ||||||
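Review bot: the StyleGuide anchors `'#chefeffortlesscookbookuseschefvault'` and `'#chefeffortlesscookbookdependschefvault'` do not match the cop names ChefVaultUsed and DependsChefVault, and the second one differs from the anchor the docs in this same PR use (`#chefeffortlessdependschefvault`), so the style-guide links will not resolve; suggest `StyleGuide: '#chefeffortlesschefvaultused'` and `StyleGuide: '#chefeffortlessdependschefvault'` so config and docs agree. The `Include: - '**/metadata.rb'` on DependsChefVault (versus `Exclude` on ChefVaultUsed) is the right scoping, since `depends` only appears in metadata.rb, but a one-line comment saying so would save the next reader a trip to the cop.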
@@ -178,3 +178,70 @@ Exclude | `**/metadata.rb`, `**/Berksfile` | Array | |||||
### References | ||||||
|
||||||
* [https://rubystyle.guide#chefeffortlesssearchforenvironmentsorroles](https://rubystyle.guide#chefeffortlesssearchforenvironmentsorroles) | ||||||
|
||||||
## ChefEffortless/DependsChefVault | ||||||
|
||||||
Enabled by default | Supports autocorrection | Target Chef Version | ||||||
--- | --- | --- | ||||||
Disabled | No | All Versions | ||||||
|
||||||
Chef Vault is not supported in the Effortless pattern, so usage of Chef Vault must be shifted to another secrets management solution before leveraging the Effortless pattern. | ||||||
|
||||||
### Examples | ||||||
|
||||||
```ruby | ||||||
# bad | ||||||
depends 'chef-vault' | ||||||
``` | ||||||
|
||||||
### Configurable attributes | ||||||
|
||||||
Name | Default value | Configurable values | ||||||
--- | --- | --- | ||||||
VersionAdded | `6.19.2` | String | ||||||
Include | `**/metadata.rb`| Array | ||||||
|
||||||
### References | ||||||
|
||||||
* [https://rubystyle.guide#chefeffortlessdependschefvault](ttps://rubystyle.guide#chefeffortlessdependschefvault) | ||||||
Good catch! Fixed that up.
||||||
|
||||||
## ChefEffortless/ChefVaultUsed | ||||||
|
||||||
Enabled by default | Supports autocorrection | Target Chef Version | ||||||
--- | --- | --- | ||||||
Disabled | No | All Versions | ||||||
|
||||||
Chef Vault is not supported in the Effortless pattern, so usage of Chef Vault must be shifted to another secrets management solution before leveraging the Effortless pattern. | ||||||
|
||||||
### Examples | ||||||
|
||||||
```Ruby | ||||||
# bad | ||||||
require 'chef-vault' | ||||||
|
||||||
# bad | ||||||
ChefVault::Item | ||||||
|
||||||
# bad | ||||||
include_recipe 'chef-vault' | ||||||
|
||||||
# bad | ||||||
chef_gem 'chef-vault' | ||||||
|
||||||
# bad | ||||||
chef_vault_item_for_environment(arg, arg1) | ||||||
|
||||||
# bad | ||||||
chef_vault_item(arg, arg1) | ||||||
``` | ||||||
|
||||||
### Configurable attributes | ||||||
|
||||||
Name | Default value | Configurable values | ||||||
--- | --- | --- | ||||||
VersionAdded | `6.19.2` | String | ||||||
Exclude | `**/metadata.rb`, `**/Berksfile`| Array | ||||||
|
||||||
### References | ||||||
|
||||||
* [https://rubystyle.guide#chefeffortlessdependschefvault](ttps://rubystyle.guide#chefeffortlessdependschefvault) | ||||||
Fixed this one up! Thanks!
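Review bot: both References links use `ttps://rubystyle.guide#...` as the link target, missing the leading `h`, so they render as broken links; and the ChefVaultUsed section reuses the DependsChefVault anchor `#chefeffortlessdependschefvault` where it should point at its own. While here, the ChefVaultUsed example fence is tagged ```` ```Ruby ```` where the rest of the document uses lowercase ```` ```ruby ````, and the `Include | `**/metadata.rb`| Array` row is missing the space before the pipe that the other table rows have.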
@@ -0,0 +1,87 @@ | ||||||
# frozen_string_literal: true | ||||||
# | ||||||
# Copyright:: 2019, Chef Software Inc. | ||||||
|
||||||
# | ||||||
# Licensed under the Apache License, Version 2.0 (the "License"); | ||||||
# you may not use this file except in compliance with the License. | ||||||
# You may obtain a copy of the License at | ||||||
# | ||||||
# http://www.apache.org/licenses/LICENSE-2.0 | ||||||
# | ||||||
# Unless required by applicable law or agreed to in writing, software | ||||||
# distributed under the License is distributed on an "AS IS" BASIS, | ||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||||||
# See the License for the specific language governing permissions and | ||||||
# limitations under the License. | ||||||
# | ||||||
|
||||||
module RuboCop | ||||||
module Cop | ||||||
module Chef | ||||||
module ChefEffortless | ||||||
# Cookbook:: Chef Vault does not work with Effortless | ||||||
Fixed that up.
||||||
# | ||||||
# @example | ||||||
# | ||||||
# # bad | ||||||
# require 'chef-vault' | ||||||
# | ||||||
# # bad | ||||||
# ChefVault::Item | ||||||
# | ||||||
# # bad | ||||||
# include_recipe 'chef-vault' | ||||||
# | ||||||
# # bad | ||||||
# chef_gem 'chef-vault' | ||||||
# | ||||||
# # bad | ||||||
# chef_vault_item_for_environment(arg, arg1) | ||||||
# | ||||||
# # bad | ||||||
# chef_vault_item(arg, arg1) | ||||||
# | ||||||
class ChefVaultUsed < Base | ||||||
MSG = 'Chef Vault usage is not supported in the Effortless pattern' | ||||||
RESTRICT_ON_SEND = [:chef_vault_item, | ||||||
:chef_vault_item_for_environment, | ||||||
:include_recipe, | ||||||
:require, | ||||||
:chef_gem].freeze | ||||||
|
||||||
def_node_matcher :require?, <<-PATTERN | ||||||
(send nil? { :require :include_recipe :chef_gem } | ||||||
(str "chef-vault")) | ||||||
PATTERN | ||||||
|
||||||
def_node_matcher :vault_const?, <<-PATTERN | ||||||
(const | ||||||
(const nil? :ChefVault) | ||||||
:Item) | ||||||
PATTERN | ||||||
|
||||||
def_node_matcher :chef_vault_item_for_environment?, <<-PATTERN | ||||||
(send nil? :chef_vault_item_for_environment _ _) | ||||||
PATTERN | ||||||
|
||||||
def_node_matcher :chef_vault_item?, <<-PATTERN | ||||||
(send nil? :chef_vault_item _ _) | ||||||
PATTERN | ||||||
|
||||||
def on_send(node) | ||||||
return unless require?(node) || | ||||||
chef_vault_item_for_environment?(node) || | ||||||
chef_vault_item?(node) | ||||||
add_offense(node.loc.expression, message: MSG, severity: :refactor) | ||||||
end | ||||||
|
||||||
def on_const(node) | ||||||
vault_const?(node) do | ||||||
add_offense(node.loc.expression, message: MSG, severity: :refactor) | ||||||
end | ||||||
end | ||||||
end | ||||||
end | ||||||
end | ||||||
end | ||||||
end |
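Review bot: the `chef_vault_item?` and `chef_vault_item_for_environment?` patterns require exactly two arguments (`_ _`), so a call with any other arity is silently not flagged even though the cop's intent is to catch every use; `(send nil? :chef_vault_item ...)` (and likewise for the environment variant) accepts any argument list. Two smaller points in the same file: `require?` also matches `include_recipe` and `chef_gem`, so a name such as `loads_chef_vault?` would describe it honestly, and `(const nil? :ChefVault)` will not match a fully qualified `::ChefVault::Item` because the receiver there is a `cbase` node; `(const {nil? cbase} :ChefVault)` covers both spellings.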
@@ -0,0 +1,46 @@ | ||||||||
# frozen_string_literal: true | ||||||||
# | ||||||||
# Copyright:: 2019, Chef Software Inc. | ||||||||
Might as well toss an author block up there as well to give yourself some street cred
||||||||
# | ||||||||
# Licensed under the Apache License, Version 2.0 (the "License"); | ||||||||
# you may not use this file except in compliance with the License. | ||||||||
# You may obtain a copy of the License at | ||||||||
# | ||||||||
# http://www.apache.org/licenses/LICENSE-2.0 | ||||||||
# | ||||||||
# Unless required by applicable law or agreed to in writing, software | ||||||||
# distributed under the License is distributed on an "AS IS" BASIS, | ||||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||||||||
# See the License for the specific language governing permissions and | ||||||||
# limitations under the License. | ||||||||
# | ||||||||
|
||||||||
module RuboCop | ||||||||
module Cop | ||||||||
module Chef | ||||||||
module ChefEffortless | ||||||||
# Cookbook:: metadata.rb Chef Vault does not work with Effortless | ||||||||
Ack! Sorry, that was careless of me. Fixed.
||||||||
# | ||||||||
# @example | ||||||||
# | ||||||||
# # bad | ||||||||
# depends 'chef-vault' | ||||||||
# | ||||||||
class DependsChefVault < Base | ||||||||
MSG = 'Chef Vault usage is not supported in the Effortless pattern' | ||||||||
Good call! Done!
||||||||
|
||||||||
def_node_matcher :depends?, <<-PATTERN | ||||||||
(send nil? :depends | ||||||||
(str "chef-vault")) | ||||||||
PATTERN | ||||||||
|
||||||||
def on_send(node) | ||||||||
depends?(node) do | ||||||||
add_offense(node.loc.expression, message: MSG, severity: :refactor) | ||||||||
end | ||||||||
end | ||||||||
end | ||||||||
end | ||||||||
end | ||||||||
end | ||||||||
end |
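Review bot: the `depends?` pattern `(send nil? :depends (str "chef-vault"))` only matches a bare `depends 'chef-vault'`; a pinned dependency such as `depends 'chef-vault', '~> 4.0'` carries a second argument and will not be flagged, which is exactly the form a cookbook that genuinely relies on chef-vault is likely to use. Appending `...` to the pattern (`(send nil? :depends (str "chef-vault") ...)`) accepts any trailing arguments. For consistency with ChefVaultUsed in this PR, also add `RESTRICT_ON_SEND = [:depends].freeze` so `on_send` is only invoked for `depends` calls rather than every send node in metadata.rb.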
@@ -0,0 +1,64 @@ | ||
# frozen_string_literal: true | ||
# | ||
# Copyright:: 2020, Chef Software, Inc. | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); | ||
# you may not use this file except in compliance with the License. | ||
# You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, | ||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
# | ||
|
||
require 'spec_helper' | ||
|
||
describe RuboCop::Cop::Chef::ChefEffortless::ChefVaultUsed, :config do | ||
subject(:cop) { described_class.new(config) } | ||
|
||
it 'registers an offense when requiring chef-vault' do | ||
expect_offense(<<~RUBY) | ||
require 'chef-vault' | ||
^^^^^^^^^^^^^^^^^^^^ Chef Vault usage is not supported in the Effortless pattern | ||
RUBY | ||
end | ||
|
||
it 'registers an offense when requiring chef-vault' do | ||
expect_offense(<<~RUBY) | ||
include_recipe 'chef-vault' | ||
^^^^^^^^^^^^^^^^^^^^^^^^^^^ Chef Vault usage is not supported in the Effortless pattern | ||
RUBY | ||
end | ||
|
||
it 'registers an offense when chef-vault is installed in a cookbook' do | ||
expect_offense(<<~RUBY) | ||
chef_gem 'chef-vault' | ||
^^^^^^^^^^^^^^^^^^^^^ Chef Vault usage is not supported in the Effortless pattern | ||
RUBY | ||
end | ||
|
||
it 'registers an offense when ChefVault::Item constant is used' do | ||
expect_offense(<<~RUBY) | ||
ChefVault::Item.load | ||
^^^^^^^^^^^^^^^ Chef Vault usage is not supported in the Effortless pattern | ||
RUBY | ||
end | ||
|
||
it 'registers an offense when #chef_vault_item is used' do | ||
expect_offense(<<~RUBY) | ||
chef_vault_item("secrets", "dbpassword") | ||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Chef Vault usage is not supported in the Effortless pattern | ||
RUBY | ||
end | ||
|
||
it 'registers an offense when #chef_vault_item is used' do | ||
expect_offense(<<~RUBY) | ||
chef_vault_item_for_environment('secrets', 'passwords') | ||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Chef Vault usage is not supported in the Effortless pattern | ||
RUBY | ||
end | ||
end |
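Review bot: two example descriptions are duplicated, which makes a failure hard to attribute from the RSpec output: `it 'registers an offense when requiring chef-vault'` is used for both the `require` and the `include_recipe` cases, and `it 'registers an offense when #chef_vault_item is used'` for both `chef_vault_item` and `chef_vault_item_for_environment`; describe each by the call it exercises. The spec also has no negative case: an `expect_no_offenses` on, say, `require 'json'` or a `chef_gem` of an unrelated gem would pin down that the cop fires only on chef-vault.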
@@ -0,0 +1,29 @@ | ||
# frozen_string_literal: true | ||
# | ||
# Copyright:: 2020, Chef Software, Inc. | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); | ||
# you may not use this file except in compliance with the License. | ||
# You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, | ||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
# | ||
|
||
require 'spec_helper' | ||
|
||
describe RuboCop::Cop::Chef::ChefEffortless::DependsChefVault, :config do | ||
subject(:cop) { described_class.new(config) } | ||
|
||
it 'registers an offense when requiring chef-vault' do | ||
expect_offense(<<~RUBY) | ||
depends 'chef-vault' | ||
^^^^^^^^^^^^^^^^^^^^ Chef Vault usage is not supported in the Effortless pattern | ||
RUBY | ||
end | ||
end |
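Review bot: the description `registers an offense when requiring chef-vault` talks about `require`, but the example exercises `depends`; rename it to match. The file would also benefit from a negative example (`expect_no_offenses` on a dependency other than chef-vault) and from a case with a version constraint, `depends 'chef-vault', '~> 4.0'`, which documents whether pinned dependencies are caught by the `depends?` matcher.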