
RFC: Harmonize profile location targets in inspec.yml/kitchen.yml/audit cookbook #1227

Closed
chris-rock opened this issue Oct 18, 2016 · 5 comments

Comments

@chris-rock
Contributor

chris-rock commented Oct 18, 2016

Currently we use different ways to define profiles locations in InSpec world:

  • CLI
  • inspec.yml
  • inspec.lock
  • kitchen.yml
  • audit cookbook

CLI:

inspec exec profile/location

inspec.yml (yml format)

name: meta-profile
title: Meta Compliance Profile
maintainer: InSpec Authors
copyright: InSpec Authors
copyright_email: support@chef.io
license: Apache 2
summary: InSpec Profile that is only consuming dependencies
version: 0.2.0
depends:
  - name: hardening/ssh-hardening  # defaults to supermarket
  - name: os-hardening
    url: https://github.com/dev-sec/tests-os-hardening/archive/master.zip
  - git: https://github.com/dev-sec/ssl-benchmark.git
  - name: windows-patch-benchmark
    git: https://github.com/chris-rock/windows-patch-benchmark.git
  - name: linux
    compliance: base/linux

git references can be more complex:

depends:
  - git: https://github.com/dev-sec/ssl-benchmark.git
    branch: test
depends:
  - git: https://github.com/dev-sec/ssl-benchmark.git
    tag: v1.0.0
depends:
  - git: https://github.com/dev-sec/ssl-benchmark.git
    ref: e17486c864434c818f96ca13edd2c5a420100a45

inspec.lock (yml format)


---
lockfile_version: 1
depends:
- name: hardening/ssh-hardening
  resolved_source:
    url: https://github.com/dev-sec/tests-ssh-hardening/archive/master.tar.gz
    sha256: 6204d891eaa04c551d8dd44f38c2195808a074778da8b1057770f39b3210b2c1
  version_constraints: ">= 0"
- name: os-hardening
  resolved_source:
    url: https://github.com/dev-sec/tests-os-hardening/archive/master.zip
    sha256: 985d5221bf9a6de2e03747dd2dc453138ff06c3fc29a219174487e9042333b90
  version_constraints: ">= 0"
- name: ssl-benchmark
  resolved_source:
    git: https://github.com/dev-sec/ssl-benchmark.git
    ref: e17486c864434c818f96ca13edd2c5a420100a45
  version_constraints: ">= 0"
- name: windows-patch-benchmark
  resolved_source:
    git: https://github.com/chris-rock/windows-patch-benchmark.git
    ref: b20a66ebe0c39dfc02b4523e928ba2376a5bcd24
  version_constraints: ">= 0"

kitchen.yml (yml format)

suites:
  - name: contains_inspec
    run_list:
    ...
    verifier:
      inspec_tests:
        - https://github.com/dev-sec/tests-ssh-hardening
        - https://github.com/dev-sec/tests-os-hardening

audit cookbook (json format)

"profiles" => {
  # org / profile name from Chef Compliance
  "base/linux" => true,
  # supermarket url
  "brewinc/ssh-hardening" => {
    # location where inspec will fetch the profile from
    "source" => "supermarket://hardening/ssh-hardening"
  },
  # local Windows path
  "brewinc/win2012_audit" => {
    # filesystem path
    "source" => "E:/profiles/win2012_audit"
  },
  # github url
  "brewinc/tmp_compliance_profile" => {
    "source" => "https://github.com/nathenharvey/tmp_compliance_profile"
  },
  # disable profile
  "brewinc/tmp_compliance_profile-master" => {
    "source" => "/tmp/tmp_compliance_profile-master",
    "disabled" => true
  }
}

The goal of this issue is to find a solution that harmonizes the different approaches across tooling so that users are enabled to easily copy&paste profile locations across tools.

Currently the single string-based location in a URL-based format is not enough, since it's not working on CLI, kitchen and audit cookbook.
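Added example, not part of the issue text and not InSpec's own code: a small Ruby check over an inspec.lock in the format shown above. It treats a dependency as pinned only when its resolved_source carries an archive sha256 or a full git commit id, so a branch or tag reference (which can move underneath the lock) is reported as floating, and it compares the digest of fetched archive bytes against the lock entry before anything inside the archive is unpacked or evaluated. The lock excerpt and the "archive" bytes are constructed stand-ins (the sha256 in the excerpt is simply the digest of the constructed bytes), and the function names are assumptions made here.

```ruby
require 'digest'
require 'yaml'

FULL_COMMIT = /\A[0-9a-f]{40}\z/
SHA256_HEX  = /\A[0-9a-f]{64}\z/

# Constructed inspec.lock excerpt (lockfile_version 1 layout as in the issue).
# The sha256 below is the digest of FETCHED_ARCHIVE, not of a real archive.
SAMPLE_LOCK = <<~YAML
  ---
  lockfile_version: 1
  depends:
  - name: os-hardening
    resolved_source:
      url: https://github.com/dev-sec/tests-os-hardening/archive/master.zip
      sha256: ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
    version_constraints: ">= 0"
  - name: ssl-benchmark
    resolved_source:
      git: https://github.com/dev-sec/ssl-benchmark.git
      ref: e17486c864434c818f96ca13edd2c5a420100a45
    version_constraints: ">= 0"
  - name: floating
    resolved_source:
      git: https://github.com/example/floating.git
      branch: master
    version_constraints: ">= 0"
YAML

# Constructed stand-in for the bytes a fetcher would download for os-hardening.
FETCHED_ARCHIVE = 'abc'.freeze

# A resolved source is reproducible only if it names immutable content:
# an archive URL together with its sha256, or a git URL with a full commit id.
# A branch, a tag, or a bare url can change underneath the lock file.
def pinned?(resolved_source)
  src = resolved_source.transform_keys(&:to_s)
  if src['url']
    !!(src['sha256'].to_s =~ SHA256_HEX)
  elsif src['git']
    !!(src['ref'].to_s =~ FULL_COMMIT)
  else
    false
  end
end

# Names of the lock-file dependencies whose resolved_source is not pinned.
def unpinned_dependencies(lock_yaml)
  lock = YAML.safe_load(lock_yaml)
  version = lock['lockfile_version']
  raise "unsupported lockfile_version #{version.inspect}" unless version == 1
  lock.fetch('depends').reject { |d| pinned?(d.fetch('resolved_source')) }.map { |d| d['name'] }
end

# Compares the digest of fetched archive bytes with the lock entry for `name`.
# Run this before unpacking the archive or evaluating any control in it.
def archive_matches_lock?(lock_yaml, name, bytes)
  lock = YAML.safe_load(lock_yaml)
  dep = lock.fetch('depends').find { |d| d['name'] == name }
  raise "#{name} is not in the lock file" unless dep
  expected = dep.fetch('resolved_source').fetch('sha256').to_s
  Digest::SHA256.hexdigest(bytes) == expected
end

if $PROGRAM_NAME == __FILE__
  puts "floating dependencies: #{unpinned_dependencies(SAMPLE_LOCK).inspect}"
  puts "os-hardening archive matches lock: #{archive_matches_lock?(SAMPLE_LOCK, 'os-hardening', FETCHED_ARCHIVE)}"
end
```

The branch/tag case is the one to watch in practice: the inspec.yml forms above allow `branch: test` or `tag: v1.0.0`, but only the resolved `ref:` commit id in the lock makes a run reproducible, and a tag can be moved on the remote just like a branch.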

@chris-rock
Contributor Author

chris-rock commented Oct 18, 2016

Personally I really like the approach we are using for inspec.yml and we discussed that extensively in #888. I would like to use the same approach in kitchen.yml. Therefore instead of:

suites:
  - name: contains_inspec
    run_list:
    ...
    verifier:
      inspec_tests:
        - https://github.com/dev-sec/tests-ssh-hardening
        - https://github.com/dev-sec/tests-os-hardening

we would use:

suites:
  - name: contains_inspec
    run_list:
    ...
    verifier:
      inspec_tests:
        - name: hardening/ssh-hardening  # defaults to supermarket
        - name: os-hardening
          url: https://github.com/dev-sec/tests-os-hardening/archive/master.zip
        - git: https://github.com/dev-sec/tests-ssh-hardening.git
        - git: https://github.com/dev-sec/tests-os-hardening.git
        - name: hardening/ssh-hardening 
          supermarket_url: https://supermarket.my.com

In audit cookbook we would just simply convert the yml array into json:

{
  "profiles": [
    {
      "name": "hardening/ssh-hardening"
    },
    {
      "name": "os-hardening",
      "url": "https://github.com/dev-sec/tests-os-hardening/archive/master.zip"
    },
    {
      "git": "https://github.com/dev-sec/tests-ssh-hardening.git"
    },
    {
      "git": "https://github.com/dev-sec/tests-os-hardening.git"
    }
  ]
}

@jeremymv2
Contributor

I think there is still some room for clarity around specifying the Supermarket and Compliance server urls. What is the strategy there?

Perhaps:

depends:
  - name: hardening/ssh-hardening  # defaults to supermarket
    supermarket_url: https://supermarket.my.com
  - name: os-hardening
    url: https://github.com/dev-sec/tests-os-hardening/archive/master.zip
  - git: https://github.com/dev-sec/ssl-benchmark.git
  - name: windows-patch-benchmark
    git: https://github.com/chris-rock/windows-patch-benchmark.git
  - name: linux
    compliance: base/linux
    compliance_url: https://my.compliance.test

@chris-rock
Contributor Author

chris-rock commented Oct 18, 2016

@jeremymv2 the first is already available:

depends:
  - name: hardening/ssh-hardening
    supermarket_url: https://supermarket.my.com

The harmonized approach would bring that to all tools. See https://github.com/chef/inspec/blob/master/lib/bundles/inspec-supermarket/target.rb#L16-L21; the inspec supermarket command still needs to be able to do that. Maybe we introduce an inspec supermarket server http://myserver command to store that in our local config.

@chris-rock chris-rock changed the title RFC: Harmonize dependencies inspec.yml/kitchen.yml/audit cookbook RFC: Harmonize profile location targets in inspec.yml/kitchen.yml/audit cookbook Oct 19, 2016
@vjeffrey

I like this idea a lot. I played around with what it would look like to parse this into an array of urls/profile paths to send to the runner, it's nice and simple; straightforward.
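Added example, not code from kitchen-inspec, the audit cookbook or InSpec: a Ruby normalizer for the harmonized entry list proposed in this thread. It turns each entry into the InSpec target string plus the fetcher options the runner would need, and rejects entries that are ambiguous (several source keys), malformed (unknown keys, branch/tag/ref without git:, more than one of them) or fetched over plain http. It also accepts kitchen-inspec's older bare-string form so an existing kitchen.yml keeps working. Assumptions made here: compliance_url is taken from the proposal above rather than from a shipped InSpec option, the https-only policy for url: and https/ssh policy for git: is a choice of this example, a path: key stands in for the audit cookbook's filesystem-path sources, and the sample list is constructed.

```ruby
require 'uri'

# Keys that say where a profile comes from; at most one per entry.
SOURCE_KEYS  = %w[url git path compliance].freeze
# Keys that only make sense together with git:.
GIT_REF_KEYS = %w[branch tag ref].freeze
KNOWN_KEYS   = (%w[name disabled supermarket_url compliance_url] + SOURCE_KEYS + GIT_REF_KEYS).freeze
# Schemes accepted for remote sources (policy chosen for this example).
ALLOWED_SCHEMES = { 'url' => %w[https], 'git' => %w[https ssh] }.freeze

class ProfileLocationError < StandardError; end

ProfileTarget = Struct.new(:target, :options)

# Accepts a Hash (harmonized form) or a String (kitchen-inspec's old bare
# URL/path form) and returns a Hash with string keys.
def normalize_entry(entry)
  case entry
  when String then entry =~ %r{\A[a-z][a-z0-9+.-]*://} ? { 'url' => entry } : { 'path' => entry }
  when Hash   then entry.transform_keys(&:to_s)
  else raise ProfileLocationError, "unsupported entry #{entry.inspect}"
  end
end

def check_scheme!(kind, location)
  scheme = URI.parse(location).scheme
  return if ALLOWED_SCHEMES[kind].include?(scheme)
  raise ProfileLocationError, "#{kind} source #{location} must use #{ALLOWED_SCHEMES[kind].join('/')}"
rescue URI::InvalidURIError
  raise ProfileLocationError, "#{kind} source #{location} is not a valid URI"
end

# Returns a ProfileTarget, or nil for a disabled entry.
def resolve_profile_target(raw)
  entry = normalize_entry(raw)
  unknown = entry.keys - KNOWN_KEYS
  raise ProfileLocationError, "unknown keys #{unknown.inspect} in #{raw.inspect}" unless unknown.empty?
  return nil if entry['disabled'] == true

  sources = entry.keys & SOURCE_KEYS
  raise ProfileLocationError, "#{raw.inspect} has several sources #{sources.inspect}" if sources.size > 1

  refs = entry.keys & GIT_REF_KEYS
  raise ProfileLocationError, "#{refs.inspect} only valid with git:" if !refs.empty? && sources != ['git']
  raise ProfileLocationError, "use only one of #{GIT_REF_KEYS.inspect}" if refs.size > 1
  if entry['supermarket_url'] && (entry['name'].nil? || !sources.empty?)
    raise ProfileLocationError, 'supermarket_url needs a name and no other source'
  end
  if entry['compliance_url'] && sources != ['compliance']
    raise ProfileLocationError, 'compliance_url needs compliance:'
  end

  options = {}
  case sources.first
  when nil # name only: defaults to the (optionally private) supermarket
    raise ProfileLocationError, "#{raw.inspect} has neither a name nor a source" unless entry['name']
    target = "supermarket://#{entry['name']}"
    options[:supermarket_url] = entry['supermarket_url'] if entry['supermarket_url']
  when 'url'
    check_scheme!('url', entry['url'])
    target = entry['url']
  when 'git'
    check_scheme!('git', entry['git'])
    target = entry['git']
    options[:git] = true
    options[refs.first.to_sym] = entry[refs.first] if refs.first
  when 'path'
    target = entry['path']
  when 'compliance'
    target = "compliance://#{entry['compliance']}"
    options[:compliance_url] = entry['compliance_url'] if entry['compliance_url']
  end
  ProfileTarget.new(target, options)
end

# The flat array of targets the runner consumes, with disabled entries dropped.
def resolve_profile_targets(entries)
  entries.map { |e| resolve_profile_target(e) }.compact
end

# Constructed sample mixing the forms discussed in the thread plus one legacy bare URL.
SAMPLE_ENTRIES = [
  { 'name' => 'hardening/ssh-hardening' },
  { 'name' => 'os-hardening', 'url' => 'https://github.com/dev-sec/tests-os-hardening/archive/master.zip' },
  { 'git' => 'https://github.com/dev-sec/ssl-benchmark.git', 'tag' => 'v1.0.0' },
  { 'name' => 'linux', 'compliance' => 'base/linux', 'compliance_url' => 'https://my.compliance.test' },
  { 'name' => 'hardening/ssh-hardening', 'supermarket_url' => 'https://supermarket.my.com' },
  { 'name' => 'win2012_audit', 'path' => 'E:/profiles/win2012_audit', 'disabled' => true },
  'https://github.com/dev-sec/tests-ssh-hardening'
].freeze

if $PROGRAM_NAME == __FILE__
  resolve_profile_targets(SAMPLE_ENTRIES).each { |t| puts "#{t.target} #{t.options.inspect}" }
end
```

Keeping the git ref kind (branch, tag or ref) as a separate option rather than folding it into the target string is deliberate: the fetcher needs to know whether it was handed a mutable branch or an immutable commit, and a single URL string cannot carry that distinction.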

@chris-rock
Contributor Author

This has been implemented in audit cookbook 2.0 and kitchen-inspec 0.16.
