Fix OWCA detection for compliance login
#2401
Conversation
jerryaldrichiii
force-pushed
the
ja/fix-owca-detection
branch
4 times, most recently
from
44e1622 to
b4352f3
Compare
OpsWorks Chef Automate currently returns a 200 for the `/compliance/version` endpoint and redirects to the Chef Manage page. This adds support to `inspec compliance login` to accept this as valid behavior and continue with the login. Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
jerryaldrichiii
force-pushed
the
ja/fix-owca-detection
branch
from
b4352f3 to
60ba103
Compare
| # Chef Automate currently returns 401 for `/compliance/version` but some | ||
| # versions of OpsWorks Chef Automate return 200 and a Chef Manage page when | ||
| # unauthenticated requests are received. | ||
| it 'returns `:automate` when a 200 is received from `https://URL/compliance/version`' do |
There was a problem hiding this comment.
Can we add a test that checks that it returns nil if we hit the server, get a 200, but do not get the Chef Manage page? That's the other edge case here.
There was a problem hiding this comment.
Can do! Great suggestion.
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
|
@adamleff I added some debug messages for |
jerryaldrichiii
force-pushed
the
ja/fix-owca-detection
branch
from
b873d92 to
441663c
Compare
lib/bundles/inspec-compliance/api.rb
Outdated
| :automate | ||
| elsif Compliance::HTTP.get(url + '/api/version', nil, insecure).code == '200' | ||
| :compliance | ||
| return :automate if target_is_automate_server?(url, insecure) |
There was a problem hiding this comment.
Given that this is a pretty short method now that you've broken things out, I think it's totally fine to leave this as an if...elsif structure. No short-circuiting needed. In fact, I think it reads cleaner:
if target_is_automate_server?(url, insecure)
:automate
elsif target_is_compliance_server?(url, insecure)
:compliance
else
Inspec::Log.debug('Could not determine server type using known endpoints')
nil
endThere was a problem hiding this comment.
I agree, will fix.
lib/bundles/inspec-compliance/api.rb
Outdated
| 'Continuing with detection attempts', | ||
| ) | ||
| return false | ||
| end | ||
| end |
There was a problem hiding this comment.
We'll return nil if we get a non-200 / non-401 status code. I think we should have a default else in the case statement that's just false
And if you do that, you can eliminate the return statements in 269, 279, and 286 and just have them be true or false accordingly. The returns are superfluous.
There was a problem hiding this comment.
Ah! Great catch. I will make it so.
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
lib/bundles/inspec-compliance/api.rb
Outdated
| else | ||
| Inspec::Log.debug( | ||
| "Received neither 200 nor 401 from #{url}#{automate_endpoint}. " \ | ||
| 'Continuing with detection attempts', |
There was a problem hiding this comment.
This assumes that whatever called this method has additional detection attempts to make :)
A better message, to keep it contained, would be "Received unexpected status code #{response.code} from #{url}#{automate_endpoint} - assuming this is not an Automate server."
... and whoever is calling can determine whether there are additional detection attempts to make, and now the user gets to see what status code they actually got.
There was a problem hiding this comment.
Ah, great catch. Fixing now.
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
jerryaldrichiii
force-pushed
the
ja/fix-owca-detection
branch
from
bebbb87 to
7d4066a
Compare
This adds detection logic for logging into OpsWorks Chef Automate via
inspec compliance login.Currently, the OWCA
/compliance/versionendpoint returns a 200 code instead of a 401. This is due to a redirect when doing a GET request without authentication headers. This may change in the future, but I recommend leaving this in to support older versions.Would welcome thoughts on the matter though.
Fixes #2375