Add Chef Automate support to inspec compliance login

[jerryaldrichiii]

This provides a single interface for logging into either Chef Automate or Chef Compliance servers. Server type is evaluated at run time via HTTP responses from designated endpoints.

This also moves the login logic from Compliance::ComplianceCLI to a separate set of modules in Compliance::API. Thus removing logic from Thor and allowing for more in depth Unit testing.

This also adds deprecation warnings for login_automate and --usertoken.

This fixes #1795.

Signed-off-by: Jerry Aldrich jerryaldrichiii@gmail.com

[adamleff]

Just flipped through this quickly, some comments and questions, probably worth a Zoom review when it's no longer WIP.

[adamleff]

nit: extra newline at class beginning

[jerryaldrichiii]

Pick all the nits! Fixed.

[adamleff]

It's more idiomatic to return symbols for something like this rather than strings.

return :automate if ...

[jerryaldrichiii]

I always prefer going the idiomatic route. Fixed. Thanks @adamleff!

[adamleff]

You should also add an exception message when raising.

raise CannotDetermineServerType, "Unable to determine if #{url} is a Compliance or Automate server"

[jerryaldrichiii]

Agreed. Fixed.

[adamleff]

I know it's a WIP, to just a reminder to remove this :)

[jerryaldrichiii]

store_access_token returns a string at this time. I will look at the flow and see if we should pass this up as a return from login.

Will investigate.

[adamleff]

Will you be doing the Automate login here too? Probably worth Zooming to review the expected flow, etc. would be good when you're ready :) This mid-method return with no comments as to why is confusing me as to your intentions for this method and how Automate login will be handled.

[jerryaldrichiii]

This redirects to the login method of the ComplianceServer module if the server type is a Compliance server. I was returning here, since this will complete the login. Initially I had it just exit 0 at the end, but that was causing me issues with the Unit tests.

Will investigate.

[clintoncwolfe]

I'd second @adamleff here - If you're switching between two sets of logic, and you've encapsulated one in a module, I'd expect the other logic - for Automate login - to also be encapsulated in a module (presumably Login::AutomateServer).

[jerryaldrichiii]

Originally I thought only to encapsulate the Compliance server stuff because it would be deprecated in the future leaving only Login...but the future is not now. I see your point.

Fixed.

[jerryaldrichiii]

@adamleff let me know what you think of the flow now that I've modified the namespacing.

[adamleff]

Will you ever not have either a dctoken or a token? What happens if token_info is not set?

I'd recommend changing it to something like:

token_info = if options['dctoken']
               { # dctoken stuff }
             else
               { # non-dctoken stuff }
             end

[jerryaldrichiii]

I agree. Fixed.

[jerryaldrichiii]

Agreed, a Zoom review would be helpful! Thanks for the initial feedback @adamleff.

[clintoncwolfe]

We should also update the README docs to reflect that the inspec compliance login_automate command is no longer present. See the README in the bundle. You've already removed it from the Thor-based CLI help, awesome!

[clintoncwolfe]

You don't need the rubocop disable flag here anymore (when you refactored this out, the method became much simpler). You can run a rubocop scan with
bundle exec rake lint

[jerryaldrichiii]

Great find! Fixed.

[jerryaldrichiii]

Agreed, nice catch! Fixed.

[clintoncwolfe]

This may be a matter of taste, but I'd usually have the module name here more deeply namespaced - like Compliance::API::Login . I don't know that we'd ever (within InSpec) have a name collision with a module named Login, but being specific avoids that possibility.

[jerryaldrichiii]

Agreed! Fixed.

[jerryaldrichiii]

@clintoncwolfe I was certain I did a grep -R login_automate at one point and removed all references! Must have stashed and forgot about it somewhere.

Great catch! README.md in bundle is updated. I also removed references to --usertoken in all the places.

[jerryaldrichiii]

Changing this PR to target master. This will not remove support for login_automate or --usertoken. Instead it will provide a deprecation warning. We will remove both in InSpec 2.0.

[adamleff]

This is in great shape, @jerryaldrichiii. I'd like to see a bit of cleanup around where we raise exceptions and keeping method purposes focused. Let me know if any of my feedback is unclear.

[adamleff]

Coercing to a string here seems... weird? We don't need it to be a string here or most of these methods -- only when we store the config to disk. Can we move the coercion there?

[adamleff]

Just tossing out a thought here... I prefer to have exceptions raised at the point of the implementation where "it matters" (for lack of a better phrase). I'd almost prefer to see this method return nil if it can't figure out the server type, and let the caller determine how to handle. That way other methods can use this if needed without having to worry about the stack unwinding on them.

def self.determine_server_type(url, insecure)
  if Compliance::HTTP.get(url + '/compliance/version', nil, insecure).code == '401'
    :automate
  elsif Compliance::HTTP.get(url + '/api/version', nil, insecure).code == '200'
    :compliance
  end
end

[adamleff]

Here is where I'd raise an exception if we don't know the server type since this is actually where an error should be raised to the user:

if options['server_type'] == :compliance
  Login::ComplianceServer.login(options)
elsif options['server_type'] == :automate
  Login::AutomateServer.login(options)
else
  raise CannotDetermineServerType, # .....
end

[adamleff]

I realize I'm being a bit pedantic here, but it feels strange to me to have a method called store_access_token return a string intended to be user-facing messaging.

I'd rather see store_access_token return the Compliance::Configuration object it generated to successfully write the config to disk, and then a method that takes that config object and formats a message to the user. It will keep the concerns of the methods succinct and clear. This honestly just reads like a debug message to me. :)

config = store_access_token(options, token)

# print out a success message to the user
puts format_status_message(config)

[adamleff]

Same feedback as above - I bet there's a good opportunity for reuse here, actually.

[adamleff]

Despite what was in the issue that preceded this PR, we probably don't need this deprecation here since the whole command is deprecated. As long as the inspec compliance login command doesn't accept a --usertoken flag, we're covered.

[jerryaldrichiii]

I made all the changes you suggested @adamleff. Feel free to give it another look! 😄

[adamleff]

Lookin' good, @jerryaldrichiii - thanks!

[chris-rock]

@jerryaldrichiii Awesome work. I just have some mini-questions before we can go forward

[chris-rock]

should we move this file to the api directory too? Feels strange to have a api.rb and api directory. What do you think?

[adamleff]

That's actually pretty standard in Ruby.

[jerryaldrichiii]

Yeah, it's common in Ruby. I'm fine with it if you are @chris-rock.

[chris-rock]

Could this also return 200 if the user is already logged in?

[jerryaldrichiii]

I'm not passing any headers to the GET request so it should always act as if the user is not logged in.

[chris-rock]

Nice separation!

[jerryaldrichiii]

Thanks! Took some work that's for sure 😅

[chris-rock]

Nice clean-up! 👍

[jerryaldrichiii]

Thanks! 😃

[chris-rock]

Works like a charm!