inspec-core 2.1.84 → 2.2.10

data/docs/resources/shadow.md.erb

@@ -8,7 +8,7 @@ platform: linux
 Use the `shadow` InSpec audit resource to test the contents of `/etc/shadow`, which contains password details that are only readable by the `root` user. The format for `/etc/shadow` includes:
 
 * A username
-* The password for that user (on newer systems passwords should be stored in `/etc/shadow` )
+* The hashed password for that user
 * The last time a password was changed
 * The minimum number of days a password must exist, before it may be changed
 * The maximum number of days after which a password must be changed
@@ -24,22 +24,26 @@ These entries are defined as a colon-delimited row in the file, one row per user
 
 ## Syntax
 
-A `shadow` resource block declares one (or more) users and associated user information to be tested:
+A `shadow` resource block declares user properties to be tested:
 
     describe shadow do
       its('user') { should_not include 'forbidden_user' }
     end
 
-or with a single query:
+Properties can be used as a single query:
 
     describe shadow.user('root') do
       its('count') { should eq 1 }
     end
 
-or with a filter:
+Use the `.where` method to find properties that match a value:
 
-    describe shadow.filter(min_days: '0', max_days: '99999') do
-      its('count') { should eq 1 }
+    describe shadow.where { min_days == '0' } do
+      its ('user') { should include 'nfs' }
+    end
+
+    describe shadow.where { password =~ /[x|!|*]/ } do
+      its('count') { should eq 0 }
     end
 
 The following properties are available:
@@ -54,8 +58,6 @@ The following properties are available:
 * `expiry_date`
 * `reserved`
 
-Properties can be used as a single query or can be joined together with the `.filter` method.
-
 <br>
 
 ## Examples
@@ -77,31 +79,17 @@ The following examples show how to use this InSpec audit resource.
 
 <br>
 
-## Matchers
-
-For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
-
-### count
-
-The `count` matcher tests the number of times the named user appears in `/etc/shadow`:
-
-    its('count') { should eq 1 }
-
-This matcher is best used in conjunction with filters. For example:
-
-    describe shadow.user('dannos') do
-       its('count') { should eq 1 }
-    end
+## Properties
 
 ### user
 
-The `user` matcher tests if the username exists `/etc/shadow`:
+The `user` property tests if the username exists `/etc/shadow`:
 
     its('user') { should eq 'root' }
 
 ### password
 
-The `password` matcher returns the encrypted password string from the shadow file. The returned string may not be an encrypted password, but rather a `*` or similar which indicates that direct logins are not allowed.
+The `password` property returns the encrypted password string from the shadow file. The returned string may not be an encrypted password, but rather a `*` or similar which indicates that direct logins are not allowed.
 
 For example:
 
@@ -109,38 +97,56 @@ For example:
 
 ### last_change
 
-The `last_change` matcher tests the last time a password was changed:
+The `last_change` property tests the last time a password was changed:
 
     its('last_change') { should be_empty }
 
 ### min_days
 
-The `min_days` matcher tests the minimum number of days a password must exist, before it may be changed:
+The `min_days` property tests the minimum number of days a password must exist, before it may be changed:
 
     its('min_days') { should eq 0 }
 
 ### max_days
 
-The `max_days` matcher tests the maximum number of days after which a password must be changed:
+The `max_days` property tests the maximum number of days after which a password must be changed:
 
     its('max_days') { should eq 90 }
 
 ### warn_days
 
-The `warn_days` matcher tests the number of days a user is warned about an expiring password:
+The `warn_days` property tests the number of days a user is warned about an expiring password:
 
     its('warn_days') { should eq 7 }
 
 ### inactive_days
 
-The `inactive_days` matcher tests the number of days a user must be inactive before the user account is disabled:
+The `inactive_days` property tests the number of days a user must be inactive before the user account is disabled:
 
     its('inactive_days') { should be_empty }
 
 ### expiry_date
 
-The `expiry_date` matcher tests the number of days a user account has been disabled:
+The `expiry_date` property tests the number of days a user account has been disabled:
 
     its('expiry_date') { should be_empty }
 
+### count
+
+The `count` property tests the number of times the named property appears:
+
+    describe shadow.user('root') do
+      its('count') { should eq 1 }
+    end
+
+This property is best used in conjunction with filters. For example:
 
+    describe shadow.where { password =~ /[x|!|*]/ } do
+      its('count') { should eq 0 }
+    end
+
+<br>
+
+## Matchers
+
+For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).

data/docs/resources/x509_certificate.md.erb

@@ -92,7 +92,7 @@ sign the certificate.
     end
 
 
-### validity_in_days (Float)
+### validity\_in\_days (Float)
 
 The `validity_in_days` property can be used to check that certificates are not in
 danger of expiring soon.
@@ -101,7 +101,7 @@ danger of expiring soon.
       its('validity_in_days') { should be > 30 }
     end
 
-### not_before and not_after (Time)
+### not\_before and not\_after (Time)
 
 The `not_before` and `not_after` properties expose the start and end dates of certificate
 validity. They are exposed as ruby Time class so that date arithmetic can be easily performed.

data/examples/custom-resource/README.md

@@ -0,0 +1,3 @@
+# Example Custom Resource Profile
+
+This example shows the implementation of an InSpec profile with custom resources.

data/examples/custom-resource/controls/example.rb

@@ -0,0 +1,7 @@
+# encoding: utf-8
+
+describe gordon do
+  its('crime_rate') { should be < 5 }
+  it { should have_a_fabulous_mustache }
+end
+

data/examples/custom-resource/inspec.yml

@@ -0,0 +1,8 @@
+name: custom_resource_example
+title: InSpec Profile
+maintainer: The Authors
+copyright: The Authors
+copyright_email: you@example.com
+license: Apache-2.0
+summary: An InSpec Compliance Profile
+version: 0.1.0

data/examples/custom-resource/libraries/batsignal.rb

@@ -0,0 +1,20 @@
+class Batsignal < Inspec.resource(1)
+  name 'batsignal'
+
+  example "
+      describe batsignal do
+        its('number_of_sightings)') { should eq '4' }
+      end
+  "
+
+  def number_of_sightings
+    local_command_call
+  end
+
+  private
+
+  def local_command_call
+    # call out to a core resource
+    inspec.command('echo 4').stdout.to_i
+  end
+end

data/examples/custom-resource/libraries/gordon.rb

@@ -0,0 +1,21 @@
+class Gordon < Inspec.resource(1)
+  name 'gordon'
+
+  example "
+    describe gordon do
+      its('crime_rate') { should be < 2 }
+      it { should have_a_fabulous_mustache }
+    end
+  "
+
+  def crime_rate
+    # call out ot another custom resource
+    inspec.batsignal.number_of_sightings
+  end
+
+  def has_a_fabulous_mustache?
+    # always true
+    true
+  end
+end
+

data/lib/inspec/reporters/junit.rb

@@ -27,6 +27,7 @@ module Inspec::Reporters
       profile_xml.add_attribute('name', profile[:name])
       profile_xml.add_attribute('tests', count_profile_tests(profile))
       profile_xml.add_attribute('failed', count_profile_failed_tests(profile))
+      profile_xml.add_attribute('failures', count_profile_failed_tests(profile))
 
       profile[:controls].each do |control|
         next if control[:results].nil?

data/lib/inspec/resource.rb

@@ -50,8 +50,16 @@ module Inspec
           define_method id.to_sym do |*args|
             r.new(backend, id.to_s, *args)
           end
+
+          # confirm backend custom resources have access to other custom resources
+          next if backend.respond_to?(id)
+          backend.class.send(:define_method, id.to_sym) do |*args|
+            r.new(backend, id.to_s, *args)
+          end
         end
 
+        # attach backend so we have access to all resources and
+        # the train connection object
         define_method :inspec do
           backend
         end

data/lib/inspec/version.rb

@@ -4,5 +4,5 @@
 # author: Christoph Hartmann
 
 module Inspec
-  VERSION = '2.1.84'
+  VERSION = '2.2.10'
 end

data/lib/resources/npm.rb

@@ -1,5 +1,7 @@
 # encoding: utf-8
 
+require 'shellwords'
+
 module Inspec::Resources
   class NpmPackage < Inspec.resource(1)
     name 'npm'
@@ -10,17 +12,28 @@ module Inspec::Resources
       describe npm('bower') do
         it { should be_installed }
       end
+
+      describe npm('tar', path: '/path/to/project') do
+        it { should be_installed }
+      end
     "
 
-    def initialize(package_name)
+    def initialize(package_name, opts = {})
       @package_name = package_name
+      @location = opts[:path]
       @cache = nil
     end
 
     def info
       return @info if defined?(@info)
 
-      cmd = inspec.command("npm ls -g --json #{@package_name}")
+      if @location
+        npm = "cd #{Shellwords.escape @location} && npm"
+      else
+        npm = 'npm -g'
+      end
+
+      cmd = inspec.command("#{npm} ls --json #{@package_name}")
       @info = {
         name: @package_name,
         type: 'npm',

data/lib/resources/package.rb

@@ -270,7 +270,7 @@ module Inspec::Resources
       # Find the package
       cmd = inspec.command <<-EOF.gsub(/^\s*/, '')
         Get-ItemProperty (@("#{search_paths.join('", "')}") | Where-Object { Test-Path $_ }) |
-        Where-Object { $_.DisplayName -like "#{package_name}" -or $_.PSChildName -like "#{package_name}" } |
+        Where-Object { $_.DisplayName -match "^\\s*#{package_name}\\s*$" -or $_.PSChildName -match "^\\s*#{package_name}\\s*$" } |
         Select-Object -Property DisplayName,DisplayVersion | ConvertTo-Json
       EOF
 

data/lib/utils/filter.rb

@@ -4,7 +4,8 @@
 # author: Christoph Hartmann
 
 module FilterTable
-  module Show; end
+  # This is used as a sentinel value in custom property filtering
+  module NoCriteriaProvided; end
 
   class ExceptionCatcher
     def initialize(original_resource, original_exception)
@@ -82,60 +83,139 @@ module FilterTable
   end
 
   class Table
-    attr_reader :params, :resource
-    def initialize(resource, params, filters)
-      @resource = resource
-      @params = params
-      @params = [] if @params.nil?
-      @filters = filters
+    attr_reader :raw_data, :resource_instance, :criteria_string
+    def initialize(resource_instance, raw_data, criteria_string)
+      @resource_instance = resource_instance
+      @raw_data = raw_data
+      @raw_data = [] if @raw_data.nil?
+      @criteria_string = criteria_string
+      @populated_lazy_columns = {}
     end
 
+    # Filter the raw data based on criteria (as method params) or by evaling a
+    # block; then construct a new Table of the same class as ourselves,
+    # wrapping the filtered data, and return it.
     def where(conditions = {}, &block)
       return self if !conditions.is_a?(Hash)
       return self if conditions.empty? && !block_given?
 
-      filters = ''
-      table = @params
-      conditions.each do |field, condition|
-        filters += " #{field} == #{condition.inspect}"
-        table = filter_lines(table, field, condition)
+      # Initialize the details of the new Table.
+      new_criteria_string = criteria_string
+      filtered_raw_data = raw_data
+
+      # If we were provided params, interpret them as criteria to be evaluated
+      # against the raw data. Criteria are assumed to be hash keys.
+      conditions.each do |raw_field_name, desired_value|
+        raise(ArgumentError, "'#{raw_field_name}' is not a recognized criterion - expected one of #{list_fields.join(', ')}'") unless field?(raw_field_name)
+        populate_lazy_field(raw_field_name, desired_value) if is_field_lazy?(raw_field_name)
+        new_criteria_string += " #{raw_field_name} == #{desired_value.inspect}"
+        filtered_raw_data = filter_raw_data(filtered_raw_data, raw_field_name, desired_value)
       end
 
+      # If we were given a block, make a special Struct for each row, that has an accessor
+      # for each field declared using `register_custom_property`, then instance-eval the block
+      # against the struct.
       if block_given?
-        table = table.find_all { |e| new_entry(e, '').instance_eval(&block) }
+        # Perform the filtering.
+        filtered_raw_data = filtered_raw_data.find_all { |row_as_hash| create_eval_context_for_row(row_as_hash, '').instance_eval(&block) }
+        # Try to interpret the block for updating the stringification.
         src = Trace.new
-        src.instance_eval(&block)
-        filters += Trace.to_ruby(src)
+        # Swallow any exceptions raised here.
+        # See https://github.com/chef/inspec/issues/2929
+        begin
+          src.instance_eval(&block)
+        rescue # rubocop: disable Lint/HandleExceptions
+          # Yes, robocop, ignoring all exceptions is normally
+          # a bad idea.  Here, an exception just means we don't
+          # understand what was in a `where` block, so we can't
+          # meaningfully sytringify it.  We still have a decent
+          # default stringification.
+        end
+        new_criteria_string += Trace.to_ruby(src)
       end
 
-      self.class.new(@resource, table, @filters + filters)
+      self.class.new(resource, filtered_raw_data, new_criteria_string)
     end
 
-    def new_entry(*_)
+    def create_eval_context_for_row(*_)
       raise "#{self.class} must not be used on its own. It must be inherited "\
-           'and the #new_entry method must be implemented. This is an internal '\
+           'and the #create_eval_context_for_row method must be implemented. This is an internal '\
            'error and should not happen.'
     end
 
+    def resource
+      resource_instance
+    end
+
+    def params
+      # TODO: consider deprecating
+      raw_data
+    end
+
     def entries
-      f = @resource.to_s + @filters.to_s + ' one entry'
-      @params.map do |line|
-        new_entry(line, f)
+      row_criteria_string = resource.to_s + criteria_string + ' one entry'
+      raw_data.map do |row|
+        create_eval_context_for_row(row, row_criteria_string)
       end
     end
 
-    def get_field(field)
-      @params.map do |line|
-        line[field]
+    def get_column_values(field)
+      raw_data.map do |row|
+        row[field]
       end
     end
 
+    def list_fields
+      @__fields_in_raw_data ||= raw_data.reduce([]) do |fields, row|
+        fields.concat(row.keys).uniq
+      end
+    end
+
+    def field?(proposed_field)
+      # Currently we only know about a field if it is present in a at least one row of the raw data.
+      # If we have no rows in the raw data, assume all fields are acceptable (and rely on failing to match on value, nil)
+      return true if raw_data.empty?
+      list_fields.include?(proposed_field) || is_field_lazy?(proposed_field)
+    end
+
     def to_s
-      @resource.to_s + @filters
+      resource.to_s + criteria_string
     end
 
     alias inspect to_s
 
+    def populate_lazy_field(field_name, criterion)
+      return unless is_field_lazy?(field_name)
+      return if field_populated?(field_name)
+      raw_data.each do |row|
+        next if row.key?(field_name) # skip row if pre-existing data is present
+        callback_for_lazy_field(field_name).call(row, criterion, self)
+      end
+      mark_lazy_field_populated(field_name)
+    end
+
+    def is_field_lazy?(sought_field_name)
+      custom_properties_schema.values.any? do |property_struct|
+        sought_field_name == property_struct.field_name && \
+          property_struct.opts[:lazy]
+      end
+    end
+
+    def callback_for_lazy_field(field_name)
+      return unless is_field_lazy?(field_name)
+      custom_properties_schema.values.find do |property_struct|
+        property_struct.field_name == field_name
+      end.opts[:lazy]
+    end
+
+    def field_populated?(field_name)
+      @populated_lazy_columns[field_name]
+    end
+
+    def mark_lazy_field_populated(field_name)
+      @populated_lazy_columns[field_name] = true
+    end
+
     private
 
     def matches_float(x, y)
@@ -159,111 +239,189 @@ module FilterTable
       x === y # rubocop:disable Style/CaseEquality
     end
 
-    def filter_lines(table, field, condition)
-      m = case condition
-          when Float   then method(:matches_float)
-          when Integer then method(:matches_int)
-          when Regexp  then method(:matches_regex)
-          else              method(:matches)
-          end
-
-      table.find_all do |line|
-        next unless line.key?(field)
-        m.call(line[field], condition)
+    def filter_raw_data(current_raw_data, field, desired_value)
+      method_ref = case desired_value
+                   when Float   then method(:matches_float)
+                   when Integer then method(:matches_int)
+                   when Regexp  then method(:matches_regex)
+                   else              method(:matches)
+                   end
+
+      current_raw_data.find_all do |row|
+        next unless row.key?(field)
+        method_ref.call(row[field], desired_value)
       end
     end
   end
 
   class Factory
-    Connector = Struct.new(:field_name, :block, :opts)
+    CustomPropertyType = Struct.new(:field_name, :block, :opts)
 
     def initialize
-      @accessors = []
-      @connectors = {}
-      @resource = nil
+      @filter_methods = [:where, :entries, :raw_data]
+      @custom_properties = {}
+      register_custom_matcher(:exist?) { |table| !table.raw_data.empty? }
+      register_custom_property(:count) { |table|  table.raw_data.count }
+
+      @resource = nil # TODO: this variable is never initialized
     end
 
-    def connect(resource, table_accessor) # rubocop:disable Metrics/AbcSize
-      # create the table structure
-      connectors = @connectors
-      struct_fields = connectors.values.map(&:field_name)
-      connector_blocks = connectors.map do |method, c|
-        [method.to_sym, create_connector(c)]
+    def install_filter_methods_on_resource(resource_class, raw_data_fetcher_method_name) # rubocop: disable Metrics/AbcSize, Metrics/MethodLength
+      # A context in which you can access the fields as accessors
+      non_block_struct_fields = @custom_properties.values.reject(&:block).map(&:field_name)
+      row_eval_context_type = Struct.new(*non_block_struct_fields.map(&:to_sym)) do
+        attr_accessor :criteria_string
+        attr_accessor :filter_table
+        def to_s
+          @criteria_string || super
+        end
+      end unless non_block_struct_fields.empty?
+
+      properties_to_define = @custom_properties.map do |method_name, custom_property_structure|
+        { method_name: method_name, method_body: create_custom_property_body(custom_property_structure) }
       end
 
-      # the struct to hold single items from the #entries method
-      entry_struct = Struct.new(*struct_fields.map(&:to_sym)) do
-        attr_accessor :__filter
-        def to_s
-          @__filter || super
+      # Define the filter table subclass
+      custom_properties = @custom_properties # We need a local var, not an instance var, for a closure below
+      table_class = Class.new(Table) {
+        # Install each custom property onto the FilterTable subclass
+        properties_to_define.each do |property_info|
+          define_method property_info[:method_name], &property_info[:method_body]
         end
-      end unless struct_fields.empty?
 
-      # the main filter table
-      table = Class.new(Table) {
-        connector_blocks.each do |x|
-          define_method x[0], &x[1]
+        define_method :custom_properties_schema do
+          custom_properties
         end
 
-        define_method :new_entry do |hashmap, filter = ''|
-          return entry_struct.new if hashmap.nil?
-          res = entry_struct.new(*struct_fields.map { |x| hashmap[x] })
-          res.__filter = filter
-          res
+        # Install a method that can wrap all the fields into a context with accessors
+        define_method :create_eval_context_for_row do |row_as_hash, criteria_string = ''|
+          return row_eval_context_type.new if row_as_hash.nil?
+          context = row_eval_context_type.new(*non_block_struct_fields.map { |field| row_as_hash[field] })
+          context.criteria_string = criteria_string
+          context.filter_table = self
+          context
         end
       }
 
+      # Now that the table class is defined and the row eval context struct is defined,
+      # extend the row eval context struct to support triggering population of lazy fields
+      # in where blocks. To do that, we'll need a reference to the table (which
+      # knows which fields are populated, and how to populate them) and we'll need to
+      # override the getter method for each lazy field, so it will trigger
+      # population if needed.  Keep in mind we don't have to adjust the constructor
+      # args of the row struct; also the Struct class will already have provided
+      # a setter for each field.
+      @custom_properties.values.each do |property_info|
+        next unless property_info.opts[:lazy]
+        field_name = property_info.field_name.to_sym
+        row_eval_context_type.send(:define_method, field_name) do
+          unless filter_table.field_populated?(field_name)
+            filter_table.populate_lazy_field(field_name, NoCriteriaProvided) # No access to criteria here
+            # OK, the underlying raw data has the value in the first row
+            # (because we would trigger population only on the first row)
+            # We could just return the value, but we need to set it on this Struct in case it is referenced multiple times
+            # in the where block.
+            self[field_name] = filter_table.raw_data[0][field_name]
+          end
+          # Now return the value using the Struct getter, whether newly populated or not
+          self[field_name]
+        end
+      end
+
       # Define all access methods with the parent resource
       # These methods will be configured to return an `ExceptionCatcher` object
       # that will always return the original exception, but only when called
       # upon. This will allow method chains in `describe` statements to pass the
       # `instance_eval` when loaded and only throw-and-catch the exception when
       # the tests are run.
-      accessors = @accessors + @connectors.keys
-      accessors.each do |method_name|
-        resource.send(:define_method, method_name.to_sym) do |*args, &block|
+      methods_to_install_on_resource_class = @filter_methods + @custom_properties.keys
+      methods_to_install_on_resource_class.each do |method_name|
+        resource_class.send(:define_method, method_name.to_sym) do |*args, &block|
           begin
-            filter = table.new(self, method(table_accessor).call, ' with')
-            filter.method(method_name.to_sym).call(*args, &block)
+            # self here is the resource instance
+            filter_table_instance = table_class.new(self, method(raw_data_fetcher_method_name).call, ' with')
+            filter_table_instance.method(method_name.to_sym).call(*args, &block)
           rescue Inspec::Exceptions::ResourceFailed, Inspec::Exceptions::ResourceSkipped => e
-            FilterTable::ExceptionCatcher.new(resource, e)
+            FilterTable::ExceptionCatcher.new(resource_class, e)
           end
         end
       end
     end
 
-    def add_accessor(method_name)
+    alias connect install_filter_methods_on_resource
+
+    # TODO: This should almost certainly be privatized.  Every FilterTable client should get :entries and :where;
+    # InSpec core resources do not define anything else, other than azure_generic_resource, which is likely a mis-use.
+    def register_filter_method(method_name)
       if method_name.nil?
-        throw RuntimeError, "Called filter.add_delegator for resource #{@resource} with method name nil!"
+        # TODO: @resource is never initialized
+        throw RuntimeError, "Called filter.add_accessor for resource #{@resource} with method name nil!"
+      end
+      if @filter_methods.include? method_name.to_sym
+        # TODO: issue deprecation warning?
+      else
+        @filter_methods.push(method_name.to_sym)
       end
-      @accessors.push(method_name)
       self
     end
 
-    def add(method_name, opts = {}, &block)
-      if method_name.nil?
+    alias add_accessor register_filter_method
+
+    def register_custom_property(property_name, opts = {}, &property_implementation)
+      if property_name.nil?
+        # TODO: @resource is never initialized
         throw RuntimeError, "Called filter.add for resource #{@resource} with method name nil!"
       end
 
-      @connectors[method_name.to_sym] =
-        Connector.new(opts[:field] || method_name, block, opts)
+      if @custom_properties.key?(property_name.to_sym)
+        # TODO: issue deprecation warning?
+      else
+        @custom_properties[property_name.to_sym] =
+          CustomPropertyType.new(opts[:field] || property_name, property_implementation, opts)
+      end
       self
     end
 
-    private
+    alias add register_custom_property
+    alias register_column register_custom_property
+    alias register_custom_matcher register_custom_property
 
-    def create_connector(c)
-      return ->(cond = Show) { c.block.call(self, cond) } if !c.block.nil?
+    private
 
-      lambda { |condition = Show, &cond_block|
-        if condition == Show && !block_given?
-          r = where(nil).get_field(c.field_name)
-          r = r.flatten.uniq.compact if c.opts[:style] == :simple
-          r
-        else
-          where({ c.field_name => condition }, &cond_block)
+    # This provides the implementation for methods requested using
+    # register_custom_property(:some_method_name, opts, &block)
+    # Some usage in the wild involves people passing a desired value to the generated method, like:
+    #  things.ids(23)
+    # I'm calling this the 'filter_criterion_value'. I speculate that a default value is
+    # provided here so that users can meaningfully query for nil.
+    def create_custom_property_body(custom_property_struct)
+      if !custom_property_struct.block.nil?
+        # If the custom method provided its own block, rely on it.
+        lambda do |filter_criteria_value = NoCriteriaProvided|
+          # Here self is an instance of the FilterTable subclass that wraps the raw data.
+          # Call the block with two args - the table instance, and any filter criteria value.
+          custom_property_struct.block.call(self, filter_criteria_value)
         end
-      }
+      else
+        # No block definition, so the property was registered using (field: :some_field)
+        # This does however support passing a block to this method, and filtering using it, like Enumerable#select.
+        lambda do |filter_criteria_value = NoCriteriaProvided, &cond_block|
+          if filter_criteria_value == NoCriteriaProvided && !block_given?
+            # No second-order block given.  Just return an array of the values in the selected column.
+            result = where(nil)
+            if custom_property_struct.opts[:lazy]
+              result.populate_lazy_field(custom_property_struct.field_name, filter_criteria_value)
+            end
+            result = where(nil).get_column_values(custom_property_struct.field_name) # TODO: the where(nil). is likely unneeded
+            result = result.flatten.uniq.compact if custom_property_struct.opts[:style] == :simple
+            result
+          else
+            # A secondary block was provided.  Rely on where() to execute the block, while also filtering on any single value
+            # Suspected bug: if filter_criteria_value == NoCriteriaProvided, this is unlikely to match - see hash condition handling in where() above.
+            where(custom_property_struct.field_name => filter_criteria_value, &cond_block)
+          end
+        end
+      end
     end
   end