Initial control isolation support #973

Merged
merged 3 commits into from
Aug 25, 2016

@stevendanna stevendanna commented Aug 24, 2016

The goal of this change is to provide an isolated view of the available
profiles when the user calls the include_controls or require_controls
APIs. Namely,

  • A profile should only be able to reference profiles that are part of
    its transitive dependency tree. That is, if the dependency tree for a
    profile looks like the following:

    A
    |- B --> C
    |
    |- D --> E

    Then profile B should only be able to see profile C and fail if it
    tries to reference A, D, or E.

  • The same profile should be include-able at different versions from
    different parts of the tree without conflict. That is, if the
    dependency tree for a profile looks like the following:

    A
    |- B --> C@1.0
    |
    |- D --> C@2.0

    Then profile B should see the 1.0 version of C and profile D should
    see the 2.0 profile C with respect to the included controls.

To achieve these goals we:

  • Ensure that we construct ProfileContext objects with respect to the
    correct dependencies in Inspec::DSL.
  • Provide a method of accessing all transitively defined rules on a
    ProfileContext without pushing all of the rules onto the same global
    namespace.

This does not yet handle attributes or libraries.
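
The two isolation goals described above, as an added Ruby sketch that is not code from this pull request or from InSpec. `ScopedContext`, `reachable` and `build_demo_tree` are hypothetical names, the sample tree is constructed, and treating two reachable versions of one name as an error is an assumption of the sketch.

```ruby
# Added illustration: ScopedContext and its methods are hypothetical names,
# not InSpec's ProfileContext API.
class ScopedContext
  attr_reader :name, :version

  def initialize(name, version, rules: {}, deps: {})
    @name = name
    @version = version
    @rules = rules        # rule id => rule, local to this profile
    @deps = deps          # dependencies this profile declared itself
    @subcontexts = []     # contexts pulled in through include_controls
  end

  # Every context in this profile's own transitive dependency tree.
  def reachable
    @deps.values.flat_map { |dep| [dep] + dep.reachable }
  end

  # Resolve a name against this profile's tree only, never a global registry.
  def include_controls(dep_name)
    matches = reachable.select { |ctx| ctx.name == dep_name }.uniq
    raise ArgumentError, "#{name} cannot reference #{dep_name}" if matches.empty?
    # Assumption of this sketch: two reachable versions is an error.
    raise ArgumentError, "#{dep_name} is ambiguous from #{name}" if matches.size > 1
    @subcontexts << matches.first
    matches.first
  end

  # Local rules plus rules of included contexts, without a shared namespace.
  def all_rules
    @rules.values + @subcontexts.flat_map(&:all_rules)
  end
end

# Constructed sample tree: A -> B -> C@1.0 and A -> D -> C@2.0.
def build_demo_tree
  c1 = ScopedContext.new('C', '1.0', rules: { 'ssh-01' => 'C@1.0/ssh-01' })
  c2 = ScopedContext.new('C', '2.0', rules: { 'ssh-01' => 'C@2.0/ssh-01' })
  b = ScopedContext.new('B', '1.0', rules: { 'b-01' => 'B/b-01' }, deps: { 'C' => c1 })
  d = ScopedContext.new('D', '1.0', rules: { 'd-01' => 'D/d-01' }, deps: { 'C' => c2 })
  a = ScopedContext.new('A', '1.0', deps: { 'B' => b, 'D' => d })
  { a: a, b: b, d: d }
end
```

Both versions of C keep the same rule id `ssh-01`, yet B and D each see only the copy they declared.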

@stevendanna stevendanna changed the title Ensure spec loading only references dependencies of the given profile WIP: Ensure spec loading only references dependencies of the given profile Aug 24, 2016
@stevendanna stevendanna changed the title WIP: Ensure spec loading only references dependencies of the given profile Ensure spec loading only references dependencies of the given profile Aug 24, 2016

stevendanna commented Aug 24, 2016

Partially fixes #958 by ensuring that the profile context that we load during include_control and require control uses the dependencies for the given profile, not for the parent profiles.

@stevendanna stevendanna changed the title Ensure spec loading only references dependencies of the given profile Initial control isolation support Aug 25, 2016
def all_rules
ret = @rules.values
ret += @subcontexts.map(&:all_rules).flatten
ret
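
Review bot: the line `ret += @subcontexts.map(&:all_rules).flatten` merges every subcontext's rules into one flat array of values, so two rules with the same id from different subcontexts (the C@1.0 and C@2.0 case in the description) both land in the result with nothing recording which context they came from. A short comment on all_rules stating that the result is unkeyed and may contain repeated ids would help callers, or the method could return each rule together with its context. Since all_rules already returns a flat array, the body can also be written as `@rules.values + @subcontexts.flat_map(&:all_rules)`, which removes the ret temporary.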

ah nice :-)

@chris-rock

This is a great improvement @stevendanna Thanks 💯

stevendanna and others added 3 commits August 25, 2016 14:42
The goal of this change is to provide an isolated view of the available
profiles when the user calls the include_controls or require_controls
APIs.  Namely,

- A profile should only be able to reference profiles that are part of
  its transitive dependency tree. That is, if the dependency tree for a
  profile looks like the following:

  A
  |- B --> C
  |
  |- D --> E

  Then profile B should only be able to see profile C and fail if it
  tries to reference A, D, or E.

- The same profile should be include-able at different versions from
  different parts of the tree without conflict.  That is, if the
  dependency tree for a profile looks like the following:

  A
  |- B --> C@1.0
  |
  |- D --> C@2.0

  Then profile B should see the 1.0 version of C and profile D should
  see the 2.0 profile C with respect to the included controls.

To achieve these goals we:

- Ensure that we construct ProfileContext objects with respect to the
  correct dependencies in Inspec::DSL.

- Provide a method of accessing all transitively defined rules on a
  ProfileContext without pushing all of the rules onto the same global
  namespace.

This does not yet handle attributes or libraries.
@chris-rock

There is a known issue https://github.com/chef-cookbooks/compat_resource, therefore we ignore the errors in our kitchen tests

@chris-rock chris-rock deleted the ssd/isolate-loading-1 branch August 25, 2016 12:54
@chris-rock chris-rock modified the milestone: 0.32.0 Aug 25, 2016
@chris-rock

related to #888
