RubyGems - inspec-core - Versions diffs - 2.1.67 - Mend

inspec-core 2.1.67

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (412) hide show

checksums.yaml +7 -0
data/CHANGELOG.md +3136 -0
data/Gemfile +56 -0
data/LICENSE +14 -0
data/MAINTAINERS.md +33 -0
data/MAINTAINERS.toml +52 -0
data/README.md +453 -0
data/bin/inspec +12 -0
data/docs/.gitignore +2 -0
data/docs/README.md +40 -0
data/docs/dev/control-eval.md +62 -0
data/docs/dsl_inspec.md +258 -0
data/docs/dsl_resource.md +100 -0
data/docs/glossary.md +99 -0
data/docs/habitat.md +192 -0
data/docs/inspec_and_friends.md +114 -0
data/docs/matchers.md +169 -0
data/docs/migration.md +293 -0
data/docs/platforms.md +119 -0
data/docs/plugin_kitchen_inspec.md +50 -0
data/docs/profiles.md +378 -0
data/docs/reporters.md +105 -0
data/docs/resources/aide_conf.md.erb +76 -0
data/docs/resources/apache.md.erb +67 -0
data/docs/resources/apache_conf.md.erb +68 -0
data/docs/resources/apt.md.erb +71 -0
data/docs/resources/audit_policy.md.erb +47 -0
data/docs/resources/auditd.md.erb +79 -0
data/docs/resources/auditd_conf.md.erb +68 -0
data/docs/resources/bash.md.erb +75 -0
data/docs/resources/bond.md.erb +90 -0
data/docs/resources/bridge.md.erb +57 -0
data/docs/resources/bsd_service.md.erb +67 -0
data/docs/resources/chocolatey_package.md.erb +58 -0
data/docs/resources/command.md.erb +138 -0
data/docs/resources/cpan.md.erb +79 -0
data/docs/resources/cran.md.erb +64 -0
data/docs/resources/crontab.md.erb +89 -0
data/docs/resources/csv.md.erb +54 -0
data/docs/resources/dh_params.md.erb +205 -0
data/docs/resources/directory.md.erb +30 -0
data/docs/resources/docker.md.erb +219 -0
data/docs/resources/docker_container.md.erb +103 -0
data/docs/resources/docker_image.md.erb +94 -0
data/docs/resources/docker_service.md.erb +114 -0
data/docs/resources/elasticsearch.md.erb +242 -0
data/docs/resources/etc_fstab.md.erb +125 -0
data/docs/resources/etc_group.md.erb +75 -0
data/docs/resources/etc_hosts.md.erb +78 -0
data/docs/resources/etc_hosts_allow.md.erb +74 -0
data/docs/resources/etc_hosts_deny.md.erb +74 -0
data/docs/resources/file.md.erb +526 -0
data/docs/resources/filesystem.md.erb +41 -0
data/docs/resources/firewalld.md.erb +107 -0
data/docs/resources/gem.md.erb +79 -0
data/docs/resources/group.md.erb +61 -0
data/docs/resources/grub_conf.md.erb +101 -0
data/docs/resources/host.md.erb +86 -0
data/docs/resources/http.md.erb +197 -0
data/docs/resources/iis_app.md.erb +122 -0
data/docs/resources/iis_site.md.erb +135 -0
data/docs/resources/inetd_conf.md.erb +94 -0
data/docs/resources/ini.md.erb +76 -0
data/docs/resources/interface.md.erb +58 -0
data/docs/resources/iptables.md.erb +64 -0
data/docs/resources/json.md.erb +63 -0
data/docs/resources/kernel_module.md.erb +120 -0
data/docs/resources/kernel_parameter.md.erb +53 -0
data/docs/resources/key_rsa.md.erb +85 -0
data/docs/resources/launchd_service.md.erb +57 -0
data/docs/resources/limits_conf.md.erb +75 -0
data/docs/resources/login_defs.md.erb +71 -0
data/docs/resources/mount.md.erb +69 -0
data/docs/resources/mssql_session.md.erb +60 -0
data/docs/resources/mysql_conf.md.erb +99 -0
data/docs/resources/mysql_session.md.erb +74 -0
data/docs/resources/nginx.md.erb +79 -0
data/docs/resources/nginx_conf.md.erb +138 -0
data/docs/resources/npm.md.erb +60 -0
data/docs/resources/ntp_conf.md.erb +60 -0
data/docs/resources/oneget.md.erb +53 -0
data/docs/resources/oracledb_session.md.erb +52 -0
data/docs/resources/os.md.erb +141 -0
data/docs/resources/os_env.md.erb +91 -0
data/docs/resources/package.md.erb +120 -0
data/docs/resources/packages.md.erb +67 -0
data/docs/resources/parse_config.md.erb +103 -0
data/docs/resources/parse_config_file.md.erb +138 -0
data/docs/resources/passwd.md.erb +141 -0
data/docs/resources/pip.md.erb +67 -0
data/docs/resources/port.md.erb +137 -0
data/docs/resources/postgres_conf.md.erb +79 -0
data/docs/resources/postgres_hba_conf.md.erb +93 -0
data/docs/resources/postgres_ident_conf.md.erb +76 -0
data/docs/resources/postgres_session.md.erb +69 -0
data/docs/resources/powershell.md.erb +102 -0
data/docs/resources/processes.md.erb +109 -0
data/docs/resources/rabbitmq_config.md.erb +41 -0
data/docs/resources/registry_key.md.erb +158 -0
data/docs/resources/runit_service.md.erb +57 -0
data/docs/resources/security_policy.md.erb +47 -0
data/docs/resources/service.md.erb +121 -0
data/docs/resources/shadow.md.erb +146 -0
data/docs/resources/ssh_config.md.erb +73 -0
data/docs/resources/sshd_config.md.erb +83 -0
data/docs/resources/ssl.md.erb +119 -0
data/docs/resources/sys_info.md.erb +42 -0
data/docs/resources/systemd_service.md.erb +57 -0
data/docs/resources/sysv_service.md.erb +57 -0
data/docs/resources/upstart_service.md.erb +57 -0
data/docs/resources/user.md.erb +140 -0
data/docs/resources/users.md.erb +127 -0
data/docs/resources/vbscript.md.erb +55 -0
data/docs/resources/virtualization.md.erb +57 -0
data/docs/resources/windows_feature.md.erb +47 -0
data/docs/resources/windows_hotfix.md.erb +53 -0
data/docs/resources/windows_task.md.erb +95 -0
data/docs/resources/wmi.md.erb +81 -0
data/docs/resources/x509_certificate.md.erb +151 -0
data/docs/resources/xinetd_conf.md.erb +156 -0
data/docs/resources/xml.md.erb +85 -0
data/docs/resources/yaml.md.erb +69 -0
data/docs/resources/yum.md.erb +98 -0
data/docs/resources/zfs_dataset.md.erb +53 -0
data/docs/resources/zfs_pool.md.erb +47 -0
data/docs/ruby_usage.md +203 -0
data/docs/shared/matcher_be.md.erb +1 -0
data/docs/shared/matcher_cmp.md.erb +43 -0
data/docs/shared/matcher_eq.md.erb +3 -0
data/docs/shared/matcher_include.md.erb +1 -0
data/docs/shared/matcher_match.md.erb +1 -0
data/docs/shell.md +217 -0
data/examples/README.md +8 -0
data/examples/inheritance/README.md +65 -0
data/examples/inheritance/controls/example.rb +14 -0
data/examples/inheritance/inspec.yml +15 -0
data/examples/kitchen-ansible/.kitchen.yml +25 -0
data/examples/kitchen-ansible/Gemfile +19 -0
data/examples/kitchen-ansible/README.md +53 -0
data/examples/kitchen-ansible/files/nginx.repo +6 -0
data/examples/kitchen-ansible/tasks/main.yml +16 -0
data/examples/kitchen-ansible/test/integration/default/default.yml +5 -0
data/examples/kitchen-ansible/test/integration/default/web_spec.rb +28 -0
data/examples/kitchen-chef/.kitchen.yml +20 -0
data/examples/kitchen-chef/Berksfile +3 -0
data/examples/kitchen-chef/Gemfile +19 -0
data/examples/kitchen-chef/README.md +27 -0
data/examples/kitchen-chef/metadata.rb +7 -0
data/examples/kitchen-chef/recipes/default.rb +6 -0
data/examples/kitchen-chef/recipes/nginx.rb +30 -0
data/examples/kitchen-chef/test/integration/default/web_spec.rb +28 -0
data/examples/kitchen-puppet/.kitchen.yml +23 -0
data/examples/kitchen-puppet/Gemfile +20 -0
data/examples/kitchen-puppet/Puppetfile +25 -0
data/examples/kitchen-puppet/README.md +53 -0
data/examples/kitchen-puppet/manifests/site.pp +33 -0
data/examples/kitchen-puppet/metadata.json +11 -0
data/examples/kitchen-puppet/modules/.gitkeep +0 -0
data/examples/kitchen-puppet/test/integration/default/web_spec.rb +28 -0
data/examples/meta-profile/README.md +37 -0
data/examples/meta-profile/controls/example.rb +13 -0
data/examples/meta-profile/inspec.yml +13 -0
data/examples/profile-attribute.yml +2 -0
data/examples/profile-attribute/README.md +14 -0
data/examples/profile-attribute/controls/example.rb +11 -0
data/examples/profile-attribute/inspec.yml +8 -0
data/examples/profile-sensitive/README.md +29 -0
data/examples/profile-sensitive/controls/sensitive-failures.rb +9 -0
data/examples/profile-sensitive/controls/sensitive.rb +9 -0
data/examples/profile-sensitive/inspec.yml +8 -0
data/examples/profile/README.md +48 -0
data/examples/profile/controls/example.rb +23 -0
data/examples/profile/controls/gordon.rb +36 -0
data/examples/profile/controls/meta.rb +34 -0
data/examples/profile/inspec.yml +10 -0
data/examples/profile/libraries/gordon_config.rb +59 -0
data/inspec-core.gemspec +43 -0
data/lib/bundles/README.md +3 -0
data/lib/bundles/inspec-artifact.rb +7 -0
data/lib/bundles/inspec-artifact/README.md +1 -0
data/lib/bundles/inspec-artifact/cli.rb +277 -0
data/lib/bundles/inspec-compliance.rb +16 -0
data/lib/bundles/inspec-compliance/.kitchen.yml +20 -0
data/lib/bundles/inspec-compliance/README.md +193 -0
data/lib/bundles/inspec-compliance/api.rb +360 -0
data/lib/bundles/inspec-compliance/api/login.rb +193 -0
data/lib/bundles/inspec-compliance/bootstrap.sh +41 -0
data/lib/bundles/inspec-compliance/cli.rb +260 -0
data/lib/bundles/inspec-compliance/configuration.rb +103 -0
data/lib/bundles/inspec-compliance/http.rb +125 -0
data/lib/bundles/inspec-compliance/images/cc-token.png +0 -0
data/lib/bundles/inspec-compliance/support.rb +36 -0
data/lib/bundles/inspec-compliance/target.rb +106 -0
data/lib/bundles/inspec-compliance/test/integration/default/cli.rb +93 -0
data/lib/bundles/inspec-habitat.rb +12 -0
data/lib/bundles/inspec-habitat/cli.rb +36 -0
data/lib/bundles/inspec-habitat/log.rb +10 -0
data/lib/bundles/inspec-habitat/profile.rb +391 -0
data/lib/bundles/inspec-init.rb +8 -0
data/lib/bundles/inspec-init/README.md +31 -0
data/lib/bundles/inspec-init/cli.rb +97 -0
data/lib/bundles/inspec-init/templates/profile/README.md +3 -0
data/lib/bundles/inspec-init/templates/profile/controls/example.rb +19 -0
data/lib/bundles/inspec-init/templates/profile/inspec.yml +8 -0
data/lib/bundles/inspec-init/templates/profile/libraries/.gitkeep +0 -0
data/lib/bundles/inspec-supermarket.rb +13 -0
data/lib/bundles/inspec-supermarket/README.md +45 -0
data/lib/bundles/inspec-supermarket/api.rb +84 -0
data/lib/bundles/inspec-supermarket/cli.rb +73 -0
data/lib/bundles/inspec-supermarket/target.rb +34 -0
data/lib/fetchers/git.rb +163 -0
data/lib/fetchers/local.rb +74 -0
data/lib/fetchers/mock.rb +35 -0
data/lib/fetchers/url.rb +247 -0
data/lib/inspec.rb +24 -0
data/lib/inspec/archive/tar.rb +29 -0
data/lib/inspec/archive/zip.rb +19 -0
data/lib/inspec/backend.rb +93 -0
data/lib/inspec/base_cli.rb +368 -0
data/lib/inspec/cached_fetcher.rb +66 -0
data/lib/inspec/cli.rb +292 -0
data/lib/inspec/completions/bash.sh.erb +45 -0
data/lib/inspec/completions/fish.sh.erb +34 -0
data/lib/inspec/completions/zsh.sh.erb +61 -0
data/lib/inspec/control_eval_context.rb +179 -0
data/lib/inspec/dependencies/cache.rb +72 -0
data/lib/inspec/dependencies/dependency_set.rb +92 -0
data/lib/inspec/dependencies/lockfile.rb +115 -0
data/lib/inspec/dependencies/requirement.rb +123 -0
data/lib/inspec/dependencies/resolver.rb +86 -0
data/lib/inspec/describe.rb +27 -0
data/lib/inspec/dsl.rb +66 -0
data/lib/inspec/dsl_shared.rb +33 -0
data/lib/inspec/env_printer.rb +157 -0
data/lib/inspec/errors.rb +14 -0
data/lib/inspec/exceptions.rb +12 -0
data/lib/inspec/expect.rb +45 -0
data/lib/inspec/fetcher.rb +45 -0
data/lib/inspec/file_provider.rb +275 -0
data/lib/inspec/formatters.rb +3 -0
data/lib/inspec/formatters/base.rb +259 -0
data/lib/inspec/formatters/json_rspec.rb +20 -0
data/lib/inspec/formatters/show_progress.rb +12 -0
data/lib/inspec/library_eval_context.rb +58 -0
data/lib/inspec/log.rb +11 -0
data/lib/inspec/metadata.rb +247 -0
data/lib/inspec/method_source.rb +24 -0
data/lib/inspec/objects.rb +14 -0
data/lib/inspec/objects/attribute.rb +75 -0
data/lib/inspec/objects/control.rb +61 -0
data/lib/inspec/objects/describe.rb +92 -0
data/lib/inspec/objects/each_loop.rb +36 -0
data/lib/inspec/objects/list.rb +15 -0
data/lib/inspec/objects/or_test.rb +40 -0
data/lib/inspec/objects/ruby_helper.rb +15 -0
data/lib/inspec/objects/tag.rb +27 -0
data/lib/inspec/objects/test.rb +87 -0
data/lib/inspec/objects/value.rb +27 -0
data/lib/inspec/plugins.rb +60 -0
data/lib/inspec/plugins/cli.rb +24 -0
data/lib/inspec/plugins/fetcher.rb +86 -0
data/lib/inspec/plugins/resource.rb +135 -0
data/lib/inspec/plugins/secret.rb +15 -0
data/lib/inspec/plugins/source_reader.rb +40 -0
data/lib/inspec/polyfill.rb +12 -0
data/lib/inspec/profile.rb +513 -0
data/lib/inspec/profile_context.rb +208 -0
data/lib/inspec/profile_vendor.rb +66 -0
data/lib/inspec/reporters.rb +60 -0
data/lib/inspec/reporters/automate.rb +76 -0
data/lib/inspec/reporters/base.rb +25 -0
data/lib/inspec/reporters/cli.rb +356 -0
data/lib/inspec/reporters/json.rb +116 -0
data/lib/inspec/reporters/json_min.rb +48 -0
data/lib/inspec/reporters/junit.rb +78 -0
data/lib/inspec/require_loader.rb +33 -0
data/lib/inspec/resource.rb +190 -0
data/lib/inspec/rule.rb +280 -0
data/lib/inspec/runner.rb +345 -0
data/lib/inspec/runner_mock.rb +41 -0
data/lib/inspec/runner_rspec.rb +175 -0
data/lib/inspec/runtime_profile.rb +26 -0
data/lib/inspec/schema.rb +213 -0
data/lib/inspec/secrets.rb +19 -0
data/lib/inspec/secrets/yaml.rb +30 -0
data/lib/inspec/shell.rb +220 -0
data/lib/inspec/shell_detector.rb +90 -0
data/lib/inspec/source_reader.rb +29 -0
data/lib/inspec/version.rb +8 -0
data/lib/matchers/matchers.rb +339 -0
data/lib/resources/aide_conf.rb +151 -0
data/lib/resources/apache.rb +48 -0
data/lib/resources/apache_conf.rb +149 -0
data/lib/resources/apt.rb +149 -0
data/lib/resources/audit_policy.rb +63 -0
data/lib/resources/auditd.rb +231 -0
data/lib/resources/auditd_conf.rb +46 -0
data/lib/resources/bash.rb +35 -0
data/lib/resources/bond.rb +69 -0
data/lib/resources/bridge.rb +122 -0
data/lib/resources/chocolatey_package.rb +78 -0
data/lib/resources/command.rb +73 -0
data/lib/resources/cpan.rb +58 -0
data/lib/resources/cran.rb +64 -0
data/lib/resources/crontab.rb +169 -0
data/lib/resources/csv.rb +56 -0
data/lib/resources/dh_params.rb +77 -0
data/lib/resources/directory.rb +25 -0
data/lib/resources/docker.rb +236 -0
data/lib/resources/docker_container.rb +89 -0
data/lib/resources/docker_image.rb +83 -0
data/lib/resources/docker_object.rb +57 -0
data/lib/resources/docker_service.rb +90 -0
data/lib/resources/elasticsearch.rb +169 -0
data/lib/resources/etc_fstab.rb +94 -0
data/lib/resources/etc_group.rb +154 -0
data/lib/resources/etc_hosts.rb +66 -0
data/lib/resources/etc_hosts_allow_deny.rb +112 -0
data/lib/resources/file.rb +298 -0
data/lib/resources/filesystem.rb +31 -0
data/lib/resources/firewalld.rb +143 -0
data/lib/resources/gem.rb +70 -0
data/lib/resources/groups.rb +215 -0
data/lib/resources/grub_conf.rb +227 -0
data/lib/resources/host.rb +306 -0
data/lib/resources/http.rb +253 -0
data/lib/resources/iis_app.rb +101 -0
data/lib/resources/iis_site.rb +148 -0
data/lib/resources/inetd_conf.rb +54 -0
data/lib/resources/ini.rb +29 -0
data/lib/resources/interface.rb +129 -0
data/lib/resources/iptables.rb +80 -0
data/lib/resources/json.rb +111 -0
data/lib/resources/kernel_module.rb +107 -0
data/lib/resources/kernel_parameter.rb +58 -0
data/lib/resources/key_rsa.rb +63 -0
data/lib/resources/limits_conf.rb +46 -0
data/lib/resources/login_def.rb +57 -0
data/lib/resources/mount.rb +88 -0
data/lib/resources/mssql_session.rb +101 -0
data/lib/resources/mysql.rb +82 -0
data/lib/resources/mysql_conf.rb +127 -0
data/lib/resources/mysql_session.rb +85 -0
data/lib/resources/nginx.rb +96 -0
data/lib/resources/nginx_conf.rb +226 -0
data/lib/resources/npm.rb +48 -0
data/lib/resources/ntp_conf.rb +51 -0
data/lib/resources/oneget.rb +71 -0
data/lib/resources/oracledb_session.rb +139 -0
data/lib/resources/os.rb +36 -0
data/lib/resources/os_env.rb +86 -0
data/lib/resources/package.rb +370 -0
data/lib/resources/packages.rb +111 -0
data/lib/resources/parse_config.rb +112 -0
data/lib/resources/passwd.rb +76 -0
data/lib/resources/pip.rb +130 -0
data/lib/resources/platform.rb +109 -0
data/lib/resources/port.rb +771 -0
data/lib/resources/postgres.rb +131 -0
data/lib/resources/postgres_conf.rb +114 -0
data/lib/resources/postgres_hba_conf.rb +90 -0
data/lib/resources/postgres_ident_conf.rb +79 -0
data/lib/resources/postgres_session.rb +71 -0
data/lib/resources/powershell.rb +67 -0
data/lib/resources/processes.rb +204 -0
data/lib/resources/rabbitmq_conf.rb +51 -0
data/lib/resources/registry_key.rb +297 -0
data/lib/resources/security_policy.rb +180 -0
data/lib/resources/service.rb +794 -0
data/lib/resources/shadow.rb +159 -0
data/lib/resources/ssh_conf.rb +97 -0
data/lib/resources/ssl.rb +99 -0
data/lib/resources/sys_info.rb +28 -0
data/lib/resources/toml.rb +32 -0
data/lib/resources/users.rb +654 -0
data/lib/resources/vbscript.rb +68 -0
data/lib/resources/virtualization.rb +247 -0
data/lib/resources/windows_feature.rb +84 -0
data/lib/resources/windows_hotfix.rb +35 -0
data/lib/resources/windows_task.rb +102 -0
data/lib/resources/wmi.rb +110 -0
data/lib/resources/x509_certificate.rb +137 -0
data/lib/resources/xinetd.rb +106 -0
data/lib/resources/xml.rb +46 -0
data/lib/resources/yaml.rb +43 -0
data/lib/resources/yum.rb +180 -0
data/lib/resources/zfs_dataset.rb +60 -0
data/lib/resources/zfs_pool.rb +49 -0
data/lib/source_readers/flat.rb +39 -0
data/lib/source_readers/inspec.rb +75 -0
data/lib/utils/command_wrapper.rb +27 -0
data/lib/utils/convert.rb +12 -0
data/lib/utils/database_helpers.rb +77 -0
data/lib/utils/enumerable_delegation.rb +9 -0
data/lib/utils/erlang_parser.rb +192 -0
data/lib/utils/file_reader.rb +25 -0
data/lib/utils/filter.rb +273 -0
data/lib/utils/filter_array.rb +27 -0
data/lib/utils/find_files.rb +47 -0
data/lib/utils/hash.rb +41 -0
data/lib/utils/json_log.rb +18 -0
data/lib/utils/latest_version.rb +22 -0
data/lib/utils/modulator.rb +12 -0
data/lib/utils/nginx_parser.rb +105 -0
data/lib/utils/object_traversal.rb +49 -0
data/lib/utils/parser.rb +274 -0
data/lib/utils/pkey_reader.rb +15 -0
data/lib/utils/plugin_registry.rb +93 -0
data/lib/utils/simpleconfig.rb +120 -0
data/lib/utils/spdx.rb +13 -0
data/lib/utils/spdx.txt +344 -0
metadata +713 -0

data/lib/bundles/inspec-compliance.rb ADDED

@@ -0,0 +1,16 @@
+# encoding: utf-8
+# author: Christoph Hartmann
+# author: Dominik Richter
+libdir = File.dirname(__FILE__)
+$LOAD_PATH.unshift(libdir) unless $LOAD_PATH.include?(libdir)
+module Compliance
+  autoload :Configuration, 'inspec-compliance/configuration'
+  autoload :HTTP, 'inspec-compliance/http'
+  autoload :Support, 'inspec-compliance/support'
+  autoload :API, 'inspec-compliance/api'
+end
+require 'inspec-compliance/cli'
+require 'inspec-compliance/target'

data/lib/bundles/inspec-compliance/.kitchen.yml ADDED

@@ -0,0 +1,20 @@
+---
+driver:
+  name: vagrant
+  synced_folders:
+    - ['../../../', '/inspec']
+  network:
+    - ['private_network', {ip: '192.168.251.2'}]
+provisioner:
+  name: shell
+verifier:
+  name: inspec
+platforms:
+  - name: ubuntu-14.04
+suites:
+  - name: default
+    run_list:
+    attributes:

data/lib/bundles/inspec-compliance/README.md ADDED

@@ -0,0 +1,193 @@
+# InSpec Extension for Chef Compliance
+This extensions offers the following features:
+ - list available profiles in Chef Automate/Chef Compliance
+ - execute profiles directly from Chef Automate/Chef Compliance locally
+ - upload a local profile to Chef Automate/Chef Compliance
+To use the CLI, this InSpec add-on adds the following commands:
+ * `$ inspec compliance login` - authentication of the API token against Chef Automate/Chef Compliance
+ * `$ inspec compliance profiles` - list all available Compliance profiles
+ * `$ inspec exec compliance://profile` - runs a Compliance profile
+ * `$ inspec compliance upload path/to/local/profile` - uploads a local profile to Chef Automate/Chef Compliance
+ * `$ inspec compliance logout` - logout of Chef Automate/Chef Compliance
+Compliance profiles can be executed in two ways:
+- via compliance exec: `inspec compliance exec profile`
+- via compliance scheme: `inspec exec compliance://profile`
+## Usage
+### Command options
+```
+$ inspec compliance
+Commands:
+  inspec compliance download PROFILE  # downloads a profile from Chef Compliance
+  inspec compliance exec PROFILE      # executes a Chef Compliance profile
+  inspec compliance help [COMMAND]    # Describe subcommands or one specific subcommand
+  inspec compliance login SERVER      # Log in to a Chef Automate/Chef Compliance SERVER
+  inspec compliance logout            # user logout from Chef Compliance
+  inspec compliance profiles          # list all available profiles in Chef Compliance
+  inspec compliance upload PATH       # uploads a local profile to Chef Compliance
+  inspec compliance version           # displays the version of the Chef Compliance server
+```
+### Login with Chef Automate2
+You will need an API token for authentication. You can retrieve one via the admin section of your A2 web gui.
+```
+$ inspec compliance login https://automate2.compliance.test --insecure --user 'admin' --token 'zuop..._KzE'
+```
+### Login with Chef Automate
+You will need an access token for authentication. You can retrieve one via [UI](https://docs.chef.io/api_delivery.html) or [CLI](https://docs.chef.io/ctl_delivery.html#delivery-token).
+```
+$ inspec compliance login https://automate.compliance.test --insecure --user 'admin' --ent 'brewinc' --token 'zuop..._KzE'
+```
+### Login with Chef Compliance
+You will need an access token for authentication. You can retrieve one via:
+![Chef Compliance Token](images/cc-token.png)
+You can choose the access token (`--token`) or the refresh token (`--refresh_token`)
+```
+$ inspec compliance login https://compliance.test --user admin --insecure --token '...'
+```
+### List available profiles via Chef Compliance / Automate
+```
+$ inspec compliance profiles
+Available profiles:
+-------------------
+ * base/apache
+ * base/linux
+ * base/mysql
+ * base/postgres
+ * base/ssh
+ * base/windows
+ * cis/cis-centos6-level1
+ * cis/cis-centos6-level2
+ * cis/cis-centos7-level1
+ * cis/cis-centos7-level2
+ * cis/cis-rhel7-level1
+ * cis/cis-rhel7-level2
+ * cis/cis-ubuntu12.04lts-level1
+ * cis/cis-ubuntu12.04lts-level2
+ * cis/cis-ubuntu14.04lts-level1
+ * cis/cis-ubuntu14.04lts-level2
+```
+### Upload a profile to Chef Compliance / Automate
+```
+$ inspec compliance version
+Chef Compliance version: 1.0.11
+➜  inspec git:(chris-rock/cc-error-not-loggedin) ✗ b inspec compliance upload examples/profile
+I, [2016-05-06T14:27:20.907547 #37592]  INFO -- : Checking profile in examples/profile
+I, [2016-05-06T14:27:20.907668 #37592]  INFO -- : Metadata OK.
+I, [2016-05-06T14:27:20.968584 #37592]  INFO -- : Found 4 controls.
+I, [2016-05-06T14:27:20.968638 #37592]  INFO -- : Control definitions OK.
+Profile is valid
+Generate temporary profile archive at /var/folders/jy/2bnrfb4s36jbjtzllvhhyqhw0000gn/T/profile20160506-37592-1tf326f.tar.gz
+I, [2016-05-06T14:27:21.020017 #37592]  INFO -- : Generate archive /var/folders/jy/2bnrfb4s36jbjtzllvhhyqhw0000gn/T/profile20160506-37592-1tf326f.tar.gz.
+I, [2016-05-06T14:27:21.024837 #37592]  INFO -- : Finished archive generation.
+Start upload to admin/profile
+Uploading to Chef Compliance
+Successfully uploaded profile
+# display all profiles
+$ inspec compliance profiles
+Available profiles:
+-------------------
+ * admin/profile
+ * base/apache
+ * base/linux
+ * base/mysql
+ * base/postgres
+ * base/ssh
+ * base/windows
+ * cis/cis-centos6-level1
+ * cis/cis-centos6-level2
+ * cis/cis-centos7-level1
+ * cis/cis-centos7-level2
+ * cis/cis-rhel7-level1
+ * cis/cis-rhel7-level2
+ * cis/cis-ubuntu12.04lts-level1
+ * cis/cis-ubuntu12.04lts-level2
+ * cis/cis-ubuntu14.04lts-level1
+ * cis/cis-ubuntu14.04lts-level2
+```
+### Run a profile from Chef Compliance / Chef Automate on Workstation
+```
+$ inspec exec compliance://admin/profile
+.*...
+Pending: (Failures listed here are expected and do not affect your suite's status)
+  1) gordon_config Can't find file "/tmp/gordon/config.yaml"
+     # Not yet implemented
+     # ./lib/inspec/runner.rb:157
+Finished in 0.02862 seconds (files took 0.62628 seconds to load)
+5 examples, 0 failures, 1 pending
+```
+Exec a specific version(2.0.1) of a profile when logged in with Automate:
+```
+$ inspec exec compliance://admin/apache-baseline#2.0.1
+```
+Download a specific version(2.0.2) of a profile when logged in with Automate:
+```
+$ inspec compliance download compliance://admin/apache-baseline#2.0.2
+```
+### To Logout from Chef Compliance
+```
+$ inspec compliance logout
+Successfully logged out
+```
+## Integration Tests
+At this point of time, InSpec is not able to pick up the token directly, therefore the integration test is semi-automatic at this point of time:
+ * run `kitchen converge`
+ * open https://192.168.251.2 and log in with user `admin` and password `admin`
+ * click on user->about and obtain the access token and the refresh token
+ * run `kitchen verify` with the required env variables:
+```
+# both token need to be set, since the test suite runs for each token type
+export COMPLIANCE_ACCESSTOKEN='mycompliancetoken'
+export COMPLIANCE_REFRESHTOKEN='myrefreshtoken'
+kitchen verify
+-----> Starting Kitchen (v1.7.3)
+-----> Verifying <default-ubuntu-1404>...
+       Search `/Users/chartmann/Development/compliance/inspec/lib/bundles/inspec-compliance/test/integration/default` for tests
+..................................
+Finished in 6.35 seconds (files took 0.40949 seconds to load)
+34 examples, 0 failures
+       Finished verifying <default-ubuntu-1404> (0m6.62s).
+-----> Kitchen is finished. (0m7.02s)
+zlib(finalizer): the stream was freed prematurely.
+```

data/lib/bundles/inspec-compliance/api.rb ADDED

@@ -0,0 +1,360 @@
+# encoding: utf-8
+# author: Christoph Hartmann
+# author: Dominik Richter
+require 'net/http'
+require 'uri'
+require 'json'
+require_relative 'api/login'
+module Compliance
+  class ServerConfigurationMissing < StandardError; end
+  # API Implementation does not hold any state by itself,
+  # everything will be stored in local Configuration store
+  class API
+    extend Compliance::API::Login
+    # return all compliance profiles available for the user
+    # the user is either specified in the options hash or by default
+    # the username of the account is used that is logged in
+    def self.profiles(config) # rubocop:disable PerceivedComplexity, Metrics/CyclomaticComplexity, Metrics/AbcSize, Metrics/MethodLength
+      owner = config['owner'] || config['user']
+      # Chef Compliance
+      if is_compliance_server?(config)
+        url = "#{config['server']}/user/compliance"
+      # Chef Automate2
+      elsif is_automate2_server?(config)
+        url = "#{config['server']}/compliance/profiles/search"
+      # Chef Automate
+      elsif is_automate_server?(config)
+        url = "#{config['server']}/profiles/#{owner}"
+      else
+        raise ServerConfigurationMissing
+      end
+      headers = get_headers(config)
+      if is_automate2_server?(config)
+        body = { owner: owner }.to_json
+        response = Compliance::HTTP.post_with_headers(url, headers, body, config['insecure'])
+      else
+        response = Compliance::HTTP.get(url, headers, config['insecure'])
+      end
+      data = response.body
+      response_code = response.code
+      case response_code
+      when '200'
+        msg = 'success'
+        profiles = JSON.parse(data)
+        # iterate over profiles
+        if is_compliance_server?(config)
+          mapped_profiles = []
+          profiles.values.each { |org|
+            mapped_profiles += org.values
+          }
+        # Chef Automate pre 0.8.0
+        elsif is_automate_server_pre_080?(config)
+          mapped_profiles = profiles.values.flatten
+        elsif is_automate2_server?(config)
+          mapped_profiles = []
+          profiles['profiles'].each { |p|
+            mapped_profiles << p
+          }
+        else
+          mapped_profiles = profiles.map { |e|
+            e['owner_id'] = owner
+            e
+          }
+        end
+        return msg, mapped_profiles
+      when '401'
+        msg = '401 Unauthorized. Please check your token.'
+        return msg, []
+      else
+        msg = "An unexpected error occurred (HTTP #{response_code}): #{response.message}"
+        return msg, []
+      end
+    end
+    # return the server api version
+    # NB this method does not use Compliance::Configuration to allow for using
+    # it before we know the version (e.g. oidc or not)
+    def self.version(config)
+      url = config['server']
+      insecure = config['insecure']
+      raise ServerConfigurationMissing if url.nil?
+      headers = get_headers(config)
+      response = Compliance::HTTP.get(url+'/version', headers, insecure)
+      return {} if response.code == '404'
+      data = response.body
+      return {} if data.nil? || data.empty?
+      parsed = JSON.parse(data)
+      return {} unless parsed.key?('version') && !parsed['version'].empty?
+      parsed
+    end
+    # verifies that a profile
+    def self.exist?(config, profile)
+      owner, id, ver = profile_split(profile)
+      # ensure that we do not manipulate the configuration object
+      user_config = config.dup
+      user_config['owner'] = owner
+      _msg, profiles = Compliance::API.profiles(user_config)
+      if !profiles.empty?
+        profiles.any? do |p|
+          profile_owner = p['owner_id'] || p['owner']
+          profile_owner == owner &&
+            p['name'] == id &&
+            (ver.nil? || p['version'] == ver)
+        end
+      else
+        false
+      end
+    end
+    def self.upload(config, owner, profile_name, archive_path)
+      # Chef Compliance
+      if is_compliance_server?(config)
+        url = "#{config['server']}/owners/#{owner}/compliance/#{profile_name}/tar"
+      # Chef Automate pre 0.8.0
+      elsif is_automate_server_pre_080?(config)
+        url = "#{config['server']}/#{owner}"
+      elsif is_automate2_server?(config)
+        url = "#{config['server']}/compliance/profiles?owner=#{owner}"
+      # Chef Automate
+      else
+        url = "#{config['server']}/profiles/#{owner}"
+      end
+      headers = get_headers(config)
+      if is_automate2_server?(config)
+        res = Compliance::HTTP.post_multipart_file(url, headers, archive_path, config['insecure'])
+      else
+        res = Compliance::HTTP.post_file(url, headers, archive_path, config['insecure'])
+      end
+      [res.is_a?(Net::HTTPSuccess), res.body]
+    end
+    # Use username and refresh_token to get an API access token
+    def self.get_token_via_refresh_token(url, refresh_token, insecure)
+      uri = URI.parse("#{url}/login")
+      req = Net::HTTP::Post.new(uri.path)
+      req.body = { token: refresh_token }.to_json
+      access_token = nil
+      response = Compliance::HTTP.send_request(uri, req, insecure)
+      data = response.body
+      if response.code == '200'
+        begin
+          tokendata = JSON.parse(data)
+          access_token = tokendata['access_token']
+          msg = 'Successfully fetched API access token'
+          success = true
+        rescue JSON::ParserError => e
+          success = false
+          msg = e.message
+        end
+      else
+        success = false
+        msg = "Failed to authenticate to #{url} \n\
+  Response code: #{response.code}\n  Body: #{response.body}"
+      end
+      [success, msg, access_token]
+    end
+    # Use username and password to get an API access token
+    def self.get_token_via_password(url, username, password, insecure)
+      uri = URI.parse("#{url}/login")
+      req = Net::HTTP::Post.new(uri.path)
+      req.body = { userid: username, password: password }.to_json
+      access_token = nil
+      response = Compliance::HTTP.send_request(uri, req, insecure)
+      data = response.body
+      if response.code == '200'
+        access_token = data
+        msg = 'Successfully fetched an API access token valid for 12 hours'
+        success = true
+      else
+        success = false
+        msg = "Failed to authenticate to #{url} \n\
+  Response code: #{response.code}\n  Body: #{response.body}"
+      end
+      [success, msg, access_token]
+    end
+    def self.get_headers(config)
+      token = get_token(config)
+      if is_automate_server?(config) || is_automate2_server?(config)
+        headers = { 'chef-delivery-enterprise' => config['automate']['ent'] }
+        if config['automate']['token_type'] == 'dctoken'
+          headers['x-data-collector-token'] = token
+        else
+          headers['chef-delivery-user'] = config['user']
+          headers['chef-delivery-token'] = token
+        end
+      else
+        headers = { 'Authorization' => "Bearer #{token}" }
+      end
+      headers
+    end
+    def self.get_token(config)
+      return config['token'] unless config['refresh_token']
+      _success, _msg, token = get_token_via_refresh_token(config['server'], config['refresh_token'], config['insecure'])
+      token
+    end
+    def self.target_url(config, profile)
+      owner, id, ver = profile_split(profile)
+      return "#{config['server']}/compliance/profiles/tar" if is_automate2_server?(config)
+      return "#{config['server']}/owners/#{owner}/compliance/#{id}/tar" unless is_automate_server?(config)
+      if ver.nil?
+        "#{config['server']}/profiles/#{owner}/#{id}/tar"
+      else
+        "#{config['server']}/profiles/#{owner}/#{id}/version/#{ver}/tar"
+      end
+    end
+    def self.profile_split(profile)
+      owner, id = profile.split('/')
+      id, version = id.split('#')
+      [owner, id, version]
+    end
+    # returns a parsed url for `admin/profile` or `compliance://admin/profile`
+    def self.sanitize_profile_name(profile)
+      if URI(profile).scheme == 'compliance'
+        uri = URI(profile)
+      else
+        uri = URI("compliance://#{profile}")
+      end
+      uri.to_s.sub(%r{^compliance:\/\/}, '')
+    end
+    def self.is_compliance_server?(config)
+      config['server_type'] == 'compliance'
+    end
+    def self.is_automate_server_pre_080?(config)
+      # Automate versions before 0.8.x do not have a valid version in the config
+      return false unless config['server_type'] == 'automate'
+      server_version_from_config(config).nil?
+    end
+    def self.is_automate_server_080_and_later?(config)
+      # Automate versions 0.8.x and later will have a "version" key in the config
+      # that is properly parsed out via server_version_from_config below
+      return false unless config['server_type'] == 'automate'
+      !server_version_from_config(config).nil?
+    end
+    def self.is_automate2_server?(config)
+      config['server_type'] == 'automate2'
+    end
+    def self.is_automate_server?(config)
+      config['server_type'] == 'automate'
+    end
+    def self.server_version_from_config(config)
+      # Automate versions 0.8.x and later will have a "version" key in the config
+      # that looks like: "version":{"api":"compliance","version":"0.8.24"}
+      return nil unless config.key?('version')
+      return nil unless config['version'].is_a?(Hash)
+      config['version']['version']
+    end
+    def self.determine_server_type(url, insecure)
+      if target_is_automate2_server?(url, insecure)
+        :automate2
+      elsif target_is_automate_server?(url, insecure)
+        :automate
+      elsif target_is_compliance_server?(url, insecure)
+        :compliance
+      else
+        Inspec::Log.debug('Could not determine server type using known endpoints')
+        nil
+      end
+    end
+    def self.target_is_automate2_server?(url, insecure)
+      automate_endpoint = '/dex/auth'
+      response = Compliance::HTTP.get(url + automate_endpoint, nil, insecure)
+      if response.code == '400'
+        Inspec::Log.debug(
+          "Received 400 from #{url}#{automate_endpoint} - " \
+          'assuming target is a Chef Automate2 instance',
+        )
+        true
+      else
+        false
+      end
+    end
+    def self.target_is_automate_server?(url, insecure)
+      automate_endpoint = '/compliance/version'
+      response = Compliance::HTTP.get(url + automate_endpoint, nil, insecure)
+      case response.code
+      when '401'
+        Inspec::Log.debug(
+          "Received 401 from #{url}#{automate_endpoint} - " \
+          'assuming target is a Chef Automate instance',
+        )
+        true
+      when '200'
+        # Chef Automate currently returns 401 for `/compliance/version` but some
+        # versions of OpsWorks Chef Automate return 200 and a Chef Manage page
+        # when unauthenticated requests are received.
+        if response.body.include?('Are You Looking For the Chef Server?')
+          Inspec::Log.debug(
+            "Received 200 from #{url}#{automate_endpoint} - " \
+            'assuming target is an OpsWorks Chef Automate instance',
+          )
+          true
+        else
+          Inspec::Log.debug(
+            "Received 200 from #{url}#{automate_endpoint} " \
+            'but did not receive the Chef Manage page - ' \
+            'assuming target is not a Chef Automate instance',
+          )
+          false
+        end
+      else
+        Inspec::Log.debug(
+          "Received unexpected status code #{response.code} " \
+          "from #{url}#{automate_endpoint} - " \
+          'assuming target is not a Chef Automate instance',
+        )
+        false
+      end
+    end
+    def self.target_is_compliance_server?(url, insecure)
+      # All versions of Chef Compliance return 200 for `/api/version`
+      compliance_endpoint = '/api/version'
+      response = Compliance::HTTP.get(url + compliance_endpoint, nil, insecure)
+      return false unless response.code == '200'
+      Inspec::Log.debug(
+        "Received 200 from #{url}#{compliance_endpoint} - " \
+        'assuming target is a Compliance server',
+      )
+      true
+    end
+  end
+end