habitat_packages
Use the habitat_package (singular) InSpec audit resource to perform in-depth auditing of a single package.
Use the habitat_packages (plural) InSpec audit resource to list Habitat packages and perform bulk operations.
Availability
Status: EXPERIMENTAL
This resource, like all of the inspec-habitat resource pack, is in the early stages of research and development. Functionality may be defective, incomplete, or be withdrawn in the future. If you are interested in helping this project mature, please join the conversation or contribute code at the inspec-habitat project.
Connecting to Habitat
To configure inspec to communicate with Chef Habitat, follow the instructions on configuring the connection options. This prevents ‘unsupported platform’ errors.
Examples
Ensure httpd and memcached are installed
describe habitat_packages do
  its('names') { should include 'httpd' }
  its('names') { should include 'memcached' }
end
Ensure all packages were updated since January 1, 2018
describe habitat_packages.where { release <= '20180101000000' } do
  it { should_not exist }
end
Search for packages, then examine them in detail using habitat_package
# Use the plural resource as a data lookup (not as a test)...
habitat_packages.where { origin != 'core' }.habitat_package_params.each do |params|
  # ... then use the singular resource to do in-depth testing
  describe habitat_package(params) do
    # ...
  end
end
Limitations
API versus CLI access
Habitat exposes certain data via the CLI, and other data via the HTTP Gateway API. This resource is not available via the API; you must provide CLI credentials to use the resource. See the train-habitat documentation for more details.
If you use this resource without the CLI, this resource will always return zero matches.
Availability
Installation
This resource is in the inspec-habitat resource pack. You can use this resource by setting an InSpec profile dependency on the resource pack. See inspec-habitat instructions.
Version
This resource was first available in version 0.1.0 of the resource pack.
Resource Parameters
Resource parameters are arguments passed to the resource in the control code.
This resource does not accept resource parameters, which is typical for plural resources.
Filter Criteria
Filter criteria are used to select which packages you wish to examine. If no filter criteria are used, all packages are selected.
name
String. The (unqualified) name of the package under consideration.
# No packages named *ftp* permitted
describe habitat_packages.where(name: /ftp/) do
  it { should_not exist }
end
origin
String. The name of the origin that created the package under consideration.
# No packages from the origin 'bad-origin' permitted
describe habitat_packages.where(origin: 'bad-origin') do
  it { should_not exist }
end
release
String. A 14-digit timestamp, in the format YYYYMMDDHHMMSS. The timestamp reflects the time at which the package was released. These strings are sortable and comparable.
# Examine packages older than Jan 1 2018
describe habitat_packages.where { release < '20180101000000' } do
  it { should_not exist }
end
# Examine packages older than 1 year
describe habitat_packages.where { Date.parse(release[0..7]) < Date.today - 365 } do
  it { should_not exist }
end
# Another way
describe habitat_packages.where { release < (Date.today - 365).strftime('%Y%m%d000000') } do
  it { should_not exist }
end
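The origin and release filters above rely on plain string comparison, which is only correct while every release string has the same 14-digit width. The following plain-Ruby sketch is an added example, not code from the inspec-habitat resource pack; the sample idents are constructed, and the names audit, parse_ident and cutoff_for are hypothetical. It applies an origin allowlist and a release cutoff to fully qualified idents (origin/name/version/release) and reports malformed release strings separately instead of comparing them.

```ruby
require 'date'

# Constructed sample data: fully qualified Habitat package idents.
SAMPLE_IDENTS = %w[
  core/httpd/2.4.35/20190307151146
  core/memcached/1.5.10/20171102093045
  mycorp/billing/0.3.1/20190115120000
  thirdparty/ftpd/1.0.0/201801010000
].freeze

# A release is exactly 14 digits (YYYYMMDDHHMMSS).
RELEASE_FORMAT = /\A\d{14}\z/.freeze

Package = Struct.new(:origin, :name, :version, :release)

def parse_ident(ident)
  Package.new(*ident.split('/', 4))
end

# Midnight on the given date, in the same fixed-width form as a release,
# so that String#< orders the two values chronologically.
def cutoff_for(date)
  date.strftime('%Y%m%d000000')
end

# Returns package names grouped by finding. Malformed releases are never
# compared: a 12-digit string would sort before every 14-digit string
# that shares its prefix and silently skew the result.
def audit(idents, allowed_origins:, cutoff_date:)
  cutoff = cutoff_for(cutoff_date)
  pkgs = idents.map { |ident| parse_ident(ident) }
  wellformed, malformed = pkgs.partition { |pkg| RELEASE_FORMAT.match?(pkg.release.to_s) }
  {
    malformed_release: malformed.map(&:name),
    stale: wellformed.select { |pkg| pkg.release < cutoff }.map(&:name),
    disallowed_origin: pkgs.reject { |pkg| allowed_origins.include?(pkg.origin) }.map(&:name)
  }
end

if __FILE__ == $PROGRAM_NAME
  p audit(SAMPLE_IDENTS, allowed_origins: %w[core mycorp], cutoff_date: Date.new(2018, 1, 1))
end
```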
Properties
Use properties to create tests that compare an expected value to the actual value.
count
Number. The count of packages that matched the filter criteria.
# Expect 12 total
describe habitat_packages do
  its('count') { should cmp 12 }
end
habitat_package_params
Array of Hashes. Returns a list of option sets that can be passed directly to habitat_package (singular) to load an individual package for in-depth analysis.
# Use the plural resource as a data lookup (not as a test)...
habitat_packages.where { origin != 'core' }.habitat_package_params.each do |params|
  # ... then use the singular resource to do in-depth testing
  describe habitat_package(params) do
    its('release') { should_not be < '20190409000000' }
  end
end
names
Array of strings. The unqualified name of the package, such as ‘httpd’. This list is de-duplicated, though a name is almost always unique anyway.
describe habitat_packages do
  its('names') { should include 'httpd' }
  its('names') { should include 'memcached' }
  its('names') { should_not include 'telnetd' }
end
origins
Array of strings. The names of the origins that created the matched packages. This list is de-duplicated.
# Only allow core and mycorp-packaged packages
describe habitat_packages do
  its('origins') { should include 'core' }
  its('origins') { should include 'mycorp' }
  # Advanced usage - count an array-valued property
  its('origins', 'count') { should cmp 2 }
end
releases
Array of strings. Each string is a 14-digit timestamp, in the format YYYYMMDDHHMMSS. The timestamp reflects the time at which the package was released. These strings are sortable and comparable. This list is de-duplicated.
# We had a bad Monday
describe habitat_packages do
  its('releases') { should_not include '20180325000000' }
end
Matchers
Use matchers to create tests that test a true or false question.
InSpec includes a number of universal matchers.
This resource does not define any resource-specific matchers.