Merge pull request #1116 from chef/ssd/write-lockfiles

Always write lockfiles for local top-level profiles

lib/fetchers/local.rb

@@ -55,6 +55,10 @@ def archive_path
       @target
     end
 
+    def writable?
+      File.directory?(@target)
+    end
+
     def cache_key
       sha256.to_s
     end

lib/inspec/base_cli.rb

@@ -60,6 +60,8 @@ def self.exec_options
         desc: 'Load attributes file (experimental)'
       option :cache, type: :string,
         desc: 'Use the given path for caching dependencies. (default: ~/.inspec/cache)'
+      option :create_lockfile, type: :boolean, default: true,
+        desc: 'Write out a lockfile based on this execution (unless one already exists)'
     end
 
     private

lib/inspec/plugins/fetcher.rb

@@ -24,6 +24,10 @@ def self.plugin_registry
         Inspec::Fetcher
       end
 
+      def writable?
+        false
+      end
+
       #
       # The path to the archive on disk.  This can be passed to a
       # FileProvider to get access to the files in the fetched

lib/inspec/profile.rb

@@ -40,7 +40,7 @@ def self.resolve_target(target, cache = nil)
 
       if cache.exists?(cache_key)
         Inspec::Log.debug "Using cached dependency for #{target}"
-        cache.prefered_entry_for(cache_key)
+        [cache.prefered_entry_for(cache_key), false]
       else
         fetcher.fetch(cache.base_path_for(fetcher.cache_key))
         if target.respond_to?(:key?) && target.key?(:sha256)
@@ -58,7 +58,7 @@ def self.resolve_target(target, cache = nil)
           end
         end
 
-        fetcher.archive_path
+        [fetcher.archive_path, fetcher.writable?]
       end
     end
 
@@ -73,7 +73,8 @@ def self.for_path(path, opts)
     end
 
     def self.for_target(target, opts = {})
-      for_path(resolve_target(target, opts[:cache]), opts.merge(target: target))
+      path, writable = resolve_target(target, opts[:cache])
+      for_path(path, opts.merge(target: target, writable: writable))
     end
 
     attr_reader :source_reader, :backend, :runner_context
@@ -87,6 +88,7 @@ def initialize(source_reader, options = {})
       @logger = options[:logger] || Logger.new(nil)
       @locked_dependencies = options[:dependencies]
       @controls = options[:controls] || []
+      @writable = options[:writable] || false
       @profile_id = options[:id]
       @cache = options[:cache] || Cache.new
       @backend = options[:backend] || Inspec::Backend.create(options)
@@ -107,6 +109,10 @@ def version
       metadata.params[:version]
     end
 
+    def writable? # rubocop:disable Style/TrivialAccessors
+      @writable
+    end
+
     #
     # Is this profile is supported on the current platform of the
     # backend machine and the current inspec version.

lib/inspec/runner.rb

@@ -42,6 +42,7 @@ def initialize(conf = {})
       @target_profiles = []
       @controls = @conf[:controls] || []
       @ignore_supports = @conf[:ignore_supports]
+      @create_lockfile = @conf[:create_lockfile]
       @cache = Inspec::Cache.new(@conf[:cache])
       @test_collector = @conf.delete(:test_collector) || begin
         require 'inspec/runner_rspec'
@@ -77,6 +78,7 @@ def load
 
       @target_profiles.each do |profile|
         @test_collector.add_profile(profile)
+        write_lockfile(profile) if @create_lockfile
         profile.locked_dependencies
         profile.load_libraries
         @attributes |= profile.runner_context.attributes
@@ -94,6 +96,18 @@ def run(with = nil)
       run_tests(with)
     end
 
+    def write_lockfile(profile)
+      return false if !profile.writable?
+
+      if profile.lockfile_exists?
+        Inspec::Log.debug "Using existing lockfile #{profile.lockfile_path}"
+      else
+        Inspec::Log.debug "Creating lockfile: #{profile.lockfile_path}"
+        lockfile = profile.generate_lockfile
+        File.write(profile.lockfile_path, lockfile.to_yaml)
+      end
+    end
+
     def run_tests(with = nil)
       @test_collector.run(with)
     end

test/functional/gitfetcher_test.rb

@@ -37,7 +37,7 @@
   end
 
   it 'executes a profile with a git based dependency' do
-    out = inspec("exec #{@profile_dir}")
+    out = inspec("exec #{@profile_dir} --no-create-lockfile")
     out.stderr.must_equal ''
     out.exit_status.must_equal 0
   end

test/functional/inspec_exec_json_test.rb

@@ -8,21 +8,21 @@
   include FunctionalHelper
 
   it 'can execute a simple file with the json formatter' do
-    out = inspec('exec ' + example_control + ' --format json')
+    out = inspec('exec ' + example_control + ' --format json --no-create-lockfile')
     out.stderr.must_equal ''
     out.exit_status.must_equal 0
     JSON.load(out.stdout).must_be_kind_of Hash
   end
 
   it 'can execute the profile with the json formatter' do
-    out = inspec('exec ' + example_profile + ' --format json')
+    out = inspec('exec ' + example_profile + ' --format json --no-create-lockfile')
     out.stderr.must_equal ''
     out.exit_status.must_equal 0
     JSON.load(out.stdout).must_be_kind_of Hash
   end
 
   describe 'execute a profile with json formatting' do
-    let(:json) { JSON.load(inspec('exec ' + example_profile + ' --format json').stdout) }
+    let(:json) { JSON.load(inspec('exec ' + example_profile + ' --format json --no-create-lockfile').stdout) }
     let(:profile) { json['profiles'][0] }
     let(:controls) { profile['controls'] }
     let(:ex1) { controls.find { |x| x['id'] == 'tmp-1.0' } }
@@ -115,7 +115,7 @@
   end
 
   describe 'with a profile that is not supported on this OS/platform' do
-    let(:out) { inspec('exec ' + File.join(profile_path, 'skippy-profile-os') + ' --format json') }
+    let(:out) { inspec('exec ' + File.join(profile_path, 'skippy-profile-os') + ' --format json --no-create-lockfile') }
     let(:json) { JSON.load(out.stdout) }
 
     # TODO: failure handling in json formatters...

test/functional/inspec_exec_jsonmin_test.rb

@@ -8,21 +8,21 @@
   include FunctionalHelper
 
   it 'can execute the profile with the mini json formatter' do
-    out = inspec('exec ' + example_profile + ' --format json-min')
+    out = inspec('exec ' + example_profile + ' --format json-min --no-create-lockfile')
     out.stderr.must_equal ''
     out.exit_status.must_equal 0
     JSON.load(out.stdout).must_be_kind_of Hash
   end
 
   it 'can execute a simple file with the mini json formatter' do
-    out = inspec('exec ' + example_control + ' --format json-min')
+    out = inspec('exec ' + example_control + ' --format json-min --no-create-lockfile')
     out.stderr.must_equal ''
     out.exit_status.must_equal 0
     JSON.load(out.stdout).must_be_kind_of Hash
   end
 
   describe 'execute a profile with mini json formatting' do
-    let(:json) { JSON.load(inspec('exec ' + example_profile + ' --format json-min').stdout) }
+    let(:json) { JSON.load(inspec('exec ' + example_profile + ' --format json-min --no-create-lockfile').stdout) }
     let(:controls) { json['controls'] }
     let(:ex1) { controls.find{|x| x['id'] == 'tmp-1.0'} }
     let(:ex2) { controls.find{|x| x['id'] =~ /generated/} }

test/functional/inspec_exec_test.rb

@@ -8,7 +8,7 @@
   include FunctionalHelper
 
   it 'can execute the profile' do
-    out = inspec('exec ' + example_profile)
+    out = inspec('exec ' + example_profile  + ' --no-create-lockfile')
     out.stderr.must_equal ''
     out.exit_status.must_equal 0
     stdout = out.stdout.force_encoding(Encoding::UTF_8)
@@ -23,7 +23,7 @@
   end
 
   it 'executes a minimum metadata-only profile' do
-    out = inspec('exec ' + File.join(profile_path, 'simple-metadata'))
+    out = inspec('exec ' + File.join(profile_path, 'simple-metadata') + ' --no-create-lockfile')
     out.stderr.must_equal ''
     out.exit_status.must_equal 0
     out.stdout.must_equal "
@@ -39,7 +39,7 @@
   end
 
   it 'executes a metadata-only profile' do
-    out = inspec('exec ' + File.join(profile_path, 'complete-metadata'))
+    out = inspec('exec ' + File.join(profile_path, 'complete-metadata') + ' --no-create-lockfile')
     out.stderr.must_equal ''
     out.exit_status.must_equal 0
     out.stdout.must_equal "
@@ -55,14 +55,14 @@
   end
 
   it "executes a profile and reads attributes" do
-    out = inspec("exec #{File.join(examples_path, 'profile-attribute')} --attrs #{File.join(examples_path, "profile-attribute.yml")}")
+    out = inspec("exec #{File.join(examples_path, 'profile-attribute')} --no-create-lockfile --attrs #{File.join(examples_path, "profile-attribute.yml")}")
     out.stderr.must_equal ''
     out.exit_status.must_equal 0
     out.stdout.force_encoding(Encoding::UTF_8).must_include "Summary: \e[32m2 successful\e[0m, \e[31m0 failures\e[0m, \e[37m0 skipped\e[0m"
   end
 
   it 'executes a specs-only profile' do
-    out = inspec('exec ' + File.join(profile_path, 'spec_only'))
+    out = inspec('exec ' + File.join(profile_path, 'spec_only') + ' --no-create-lockfile')
     out.stderr.must_equal ''
     out.exit_status.must_equal 1
     out.stdout.force_encoding(Encoding::UTF_8).must_include "Target:  local://"
@@ -76,22 +76,22 @@
   end
 
   it 'executes only specified controls' do
-    out = inspec('exec ' + example_profile + ' --controls tmp-1.0')
+    out = inspec('exec ' + example_profile + ' --no-create-lockfile --controls tmp-1.0')
     out.stderr.must_equal ''
     out.exit_status.must_equal 0
     out.stdout.must_include "\nProfile Summary: \e[32m1 successful\e[0m, \e[31m0 failures\e[0m, \e[37m0 skipped\e[0m\n"
   end
 
   it 'can execute a simple file with the default formatter' do
-    out = inspec('exec ' + example_control)
+    out = inspec('exec ' + example_control  + ' --no-create-lockfile')
     out.stderr.must_equal ''
     out.exit_status.must_equal 0
     out.stdout.must_include "\nProfile Summary: \e[32m1 successful\e[0m, \e[31m0 failures\e[0m, \e[37m0 skipped\e[0m\n"
     out.stdout.must_include "\nTest Summary: \e[32m2 successful\e[0m, \e[31m0 failures\e[0m"
   end
 
   describe 'with a profile that is not supported on this OS/platform' do
-    let(:out) { inspec('exec ' + File.join(profile_path, 'skippy-profile-os')) }
+    let(:out) { inspec('exec ' + File.join(profile_path, 'skippy-profile-os') + ' --no-create-lockfile') }
     let(:json) { JSON.load(out.stdout) }
 
     it 'exits with an error' do
@@ -101,7 +101,7 @@
   end
 
   describe 'with a profile that is supported on this version of inspec' do
-    let(:out) { inspec('exec ' + File.join(profile_path, 'supported_inspec')) }
+    let(:out) { inspec('exec ' + File.join(profile_path, 'supported_inspec') + ' --no-create-lockfile') }
 
     it 'exits cleanly' do
       out.stderr.must_equal ''
@@ -110,7 +110,7 @@
   end
 
   describe 'with a profile that is not supported on this version of inspec' do
-    let(:out) { inspec('exec ' + File.join(profile_path, 'unsupported_inspec')) }
+    let(:out) { inspec('exec ' + File.join(profile_path, 'unsupported_inspec') + ' --no-create-lockfile') }
 
     it 'does not support this profile' do
       out.exit_status.must_equal 1
@@ -119,15 +119,15 @@
   end
 
   describe 'with a profile that loads a library and reference' do
-    let(:out) { inspec('exec ' + File.join(profile_path, 'library')) }
+    let(:out) { inspec('exec ' + File.join(profile_path, 'library') + ' --no-create-lockfile') }
 
     it 'executes the profile without error' do
       out.exit_status.must_equal 0
     end
   end
 
   describe 'given a profile with controls and anonymous describe blocks' do
-    let(:out) { inspec('exec ' + example_control) }
+    let(:out) { inspec('exec ' + example_control + ' --no-create-lockfile') }
 
     it 'prints the control results, then the anonymous describe block results' do
       out.stdout.force_encoding(Encoding::UTF_8).must_equal "
@@ -146,15 +146,15 @@
   end
 
   describe 'given a profile with an anonymous describe block' do
-    let(:out) { inspec('exec ' + failure_control) }
+    let(:out) { inspec('exec ' + failure_control + ' --no-create-lockfile') }
 
     it 'prints the exception message when a test has a syntax error' do
       out.stdout.must_include "undefined method `should_nota' "
     end
   end
 
   describe 'given an inherited profile that has more that one test per control block' do
-    let(:out) { inspec('exec ' + simple_inheritance) }
+    let(:out) { inspec('exec ' + simple_inheritance + ' --no-create-lockfile') }
 
     it 'should print all the results' do
       out.stdout.force_encoding(Encoding::UTF_8).must_include "✖  tmp-1.0: Create /tmp directory (1 failed)\e[0m"
@@ -165,7 +165,7 @@
   end
 
   describe 'when passing in two profiles given an inherited profile that has more that one test per control block' do
-    let(:out) { inspec('exec ' + File.join(profile_path, 'dependencies', 'profile_d') + ' ' + simple_inheritance) }
+    let(:out) { inspec('exec ' + File.join(profile_path, 'dependencies', 'profile_d') + ' ' + simple_inheritance + ' --no-create-lockfile') }
 
     it 'should print all the results' do
       out.stdout.force_encoding(Encoding::UTF_8).must_include "✖  tmp-1.0: Create /tmp directory (1 failed)\e[0m"
@@ -178,7 +178,7 @@
 
   describe 'using namespaced resources' do
     it 'works' do
-      out = inspec('exec ' + File.join(profile_path, 'dependencies', 'resource-namespace'))
+      out = inspec('exec ' + File.join(profile_path, 'dependencies', 'resource-namespace') + ' --no-create-lockfile')
       out.stderr.must_equal ''
       out.exit_status.must_equal 0
       out.stdout.force_encoding(Encoding::UTF_8).must_include "Summary: \e[32m5 successful\e[0m, \e[31m0 failures\e[0m, \e[37m0 skipped\e[0m\n"
@@ -187,7 +187,7 @@
 
   describe "with a 2-level dependency tree" do
     it 'correctly runs tests from the whole tree' do
-      out = inspec('exec ' + File.join(profile_path, 'dependencies', 'inheritance'))
+      out = inspec('exec ' + File.join(profile_path, 'dependencies', 'inheritance') + ' --no-create-lockfile')
       out.stderr.must_equal ''
       out.exit_status.must_equal 0
       out.stdout.force_encoding(Encoding::UTF_8).must_include "Summary: \e[32m6 successful\e[0m, \e[31m0 failures\e[0m, \e[37m0 skipped\e[0m\n"
@@ -196,19 +196,19 @@
 
   describe 'when using profiles on the supermarket' do
     it 'can run supermarket profiles directly from the command line' do
-      out = inspec("exec supermarket://nathenharvey/tmp-compliance-profile")
+      out = inspec("exec supermarket://nathenharvey/tmp-compliance-profile --no-create-lockfile")
       out.stdout.force_encoding(Encoding::UTF_8).must_include "Summary: \e[32m2 successful\e[0m, \e[31m0 failures\e[0m, \e[37m0 skipped\e[0m\n"
     end
 
     it 'can run supermarket profiles from inspec.yml' do
-      out = inspec("exec #{File.join(profile_path, 'supermarket-dep')}")
+      out = inspec("exec #{File.join(profile_path, 'supermarket-dep')} --no-create-lockfile")
       out.stdout.force_encoding(Encoding::UTF_8).must_include "Summary: \e[32m2 successful\e[0m, \e[31m0 failures\e[0m, \e[37m0 skipped\e[0m\n"
     end
   end
 
   describe 'when a dependency does not support our backend platform' do
     it 'skips the controls from that profile' do
-      out = inspec("exec #{File.join(profile_path, 'profile-support-skip')}")
+      out = inspec("exec #{File.join(profile_path, 'profile-support-skip')} --no-create-lockfile")
       out.stdout.force_encoding(Encoding::UTF_8).must_include "Summary: \e[32m0 successful\e[0m, \e[31m0 failures\e[0m, \e[37m2 skipped\e[0m\n"
     end
   end