inspec-core 2.2.35 → 2.2.41

data/docs/reporters.md

@@ -116,12 +116,12 @@ This reporter includes all information from the rspec runner. Unlike the json re
 
 This renders html code to view your tests in a browser. It includes all the test and summary information.
 
-
 ## Automate Reporter
 
 The automate reporter type is a special reporter used with the Automate 2 suite. To use this reporter you must pass in the correct configuration via a json config `--json-config`.
 
 Example config:
+
 ```json
 "reporter": {
     "automate" : {
@@ -135,27 +135,36 @@ Example config:
 }
 ```
 
-### Mandatory fields:
+### Mandatory fields
+
 #### stdout
+
 This will either suppress or show the automate report in the CLI screen on completion
 
 #### url
+
 This is your Automate 2 url. Append `data-collector/v0/` at the end.
 
 #### token
+
 This is your Automate 2 token. You can generate this token by navigating to the admin tab of A2 and then api keys.
 
 ### Optional fields
+
 #### insecure
+
 This will disable or enable the ssl check when accessing the Automate 2 instance.
 
-PLEASE NOTE: These fields are ONLY needed if you do not have chef-client attached to a chef server running on your node. The fields below will be automaticlly pulled from the chef server.
+PLEASE NOTE: These fields are ONLY needed if you do not have chef-client attached to a chef server running on your node. The fields below will be automatically pulled from the chef server.
 
 #### node_name
+
 This will be the node name which shows up in Automate 2.
 
 #### node_uuid
+
 This overrides the node uuid sent up to Automate 2. On non-chef nodes we will try to generate a static node uuid for you from your hardware. This will almost never be needed unless your working with a unique virtual setup.
 
 #### environment
-This will set the enviroment metadata for Automate 2.
+
+This will set the environment metadata for Automate 2.

data/docs/resources/command.md.erb

@@ -124,6 +124,34 @@ Wix includes several tools -- such as `candle` (preprocesses and compiles source
       end
     end
 
+### Redacting Sensitive Commands
+
+By default the command that is ran is shown in the InSpec output. This can be problematic if the command contains sensitive arguments such as a password. These sensitive parts can be redacted by passing in `redact_regex` and a regular expression to redact. Optionally, you can use 2 capture groups to fine tune what is redacted.
+
+The following examples show how to use `redact_regex`:
+
+    # Example without capture groups
+    describe command('myapp -p secretpassword -d no_redact', redact_regex: /-p .* -d/) do
+      its('exit_status') { should cmp 0 }
+    end
+
+    # Result (no capture groups used)
+    Command: `myapp REDACTED no_redact`
+       ✔  exit_status should cmp == 0
+
+    # Example with capture groups
+    # Each set of parenthesis is a capture group.
+    # Anything in the two capture groups will not be 'REDACTED'
+    describe command('myapp -p secretpassword -d no_redact', redact_regex: /(-p ).*( -d)/) do
+      its('exit_status') { should cmp 0 }
+    end
+
+    # Result (capture groups used)
+    Command: `myapp -p REDACTED -d no_redact`
+       ✔  exit_status should cmp == 0
+
+> For more info/help on regular expressions, we recommend [RegExr](https://regexr.com/)
+
 <br>
 
 ## Matchers

data/docs/resources/registry_key.md.erb

@@ -149,10 +149,13 @@ The `name` matcher tests the value for the specified registry setting:
 
 
 <p class="warning">
-Any name with a dot will not work as expected: <code>its('explorer.exe') { should eq 'test' }</code>. This issue is tracked in <a href="https://github.com/chef/inspec/issues/1281">https://github.com/chef/inspec/issues/1281</a>
+Any name with a dot will not work as expected: <code>its('explorer.exe') { should eq 'test' }</code>. For details, see <a href="https://github.com/inspec/inspec/issues/1281">https://github.com/inspec/inspec/issues/1281</a>
 </p>
 
     # instead of:
     # its('explorer.exe') { should eq 'test' }
-    # use the following solution:
+    # either use have_property_value...
     it { should have_property_value('explorer.exe', :string, 'test') }
+
+    # ...or provide the parts of the dot-separated name in an array
+    its(['explorer', 'exe']) { should eq 'test' }

data/docs/resources/xinetd_conf.md.erb

@@ -13,7 +13,7 @@ Use the `xinetd_conf` InSpec audit resource to test services under `/etc/xinet.d
 
 An `xinetd_conf` resource block declares settings found in a `xinetd.conf` file for the named service:
 
-    describe xinetd_conf('service_name') do
+    describe xinetd_conf.services('service_name') do
       it { should be_enabled } # or be_disabled
       its('setting') { should eq 'value' }
     end

data/docs/ruby_usage.md

@@ -61,7 +61,6 @@ to process the output of `ls` executed on the target system, use
 Similarly, use `inspec.file(PATH)` to access files or directories from
 remote systems in your tests or custom resources.
 
-
 ## Using rubygems
 
 Ruby gems are self-contained programs and libraries. If you create a custom
@@ -158,7 +157,8 @@ When writing tests you can not use standard ruby methods to shellout as it tries
 However, the `command` resource has a `.stdout` method that will allow you to manipulate the results.
 Using the above example, you could check the writes on several subdirectories.
 
-### Example 1:
+### Example 1
+
 ```ruby
 $ inspec shell
 Welcome to the interactive InSpec Shell
@@ -179,7 +179,8 @@ Version: (not specified)
 Test Summary: 1 successful, 0 failures, 0 skipped
 ```
 
-### Example 2:
+### Example 2
+
 ```ruby
 $ inspec shell
 Welcome to the interactive InSpec Shell

data/lib/bundles/inspec-init.rb

@@ -5,4 +5,8 @@
 libdir = File.dirname(__FILE__)
 $LOAD_PATH.unshift(libdir) unless $LOAD_PATH.include?(libdir)
 
+module Init
+  autoload :Profile, 'inspec-init/profile'
+end
+
 require 'inspec-init/cli'

data/lib/bundles/inspec-init/cli.rb

@@ -1,6 +1,7 @@
 # encoding: utf-8
 
 require 'pathname'
+require_relative 'renderer'
 
 module Init
   class CLI < Inspec::BaseCLI
@@ -15,85 +16,21 @@ module Init
       namespace
     end
 
-    # read template directoy
+    # Look in the 'template' directory, and register a subcommand
+    # for each template directory found there.
     template_dir = File.join(File.dirname(__FILE__), 'templates')
     Dir.glob(File.join(template_dir, '*')) do |template|
-      relative = Pathname.new(template).relative_path_from(Pathname.new(template_dir))
+      template_name = Pathname.new(template).relative_path_from(Pathname.new(template_dir)).to_s
 
       # register command for the template
-      desc "#{relative} NAME", "Create a new #{relative}"
+      desc "#{template_name} NAME", "Create a new #{template_name}"
       option :overwrite, type: :boolean, default: false,
-         desc: 'Overwrites existing directory'
-      define_method relative.to_s.to_sym do |name|
-        generator(relative.to_s, { name: name }, options)
+        desc: 'Overwrites existing directory'
+      define_method template_name.to_sym do |name_for_new_structure|
+        renderer = Init::Renderer.new(self, options)
+        renderer.render_with_values(template_name, name: name_for_new_structure)
       end
     end
-
-    private
-
-    # 1. iterate over all files
-    # 2. read content in erb
-    # 3. write to target
-    def generator(type, attributes = {}, options = {}) # rubocop:disable Metrics/AbcSize
-      # path of this script
-      dir = File.dirname(__FILE__)
-      # look for template directory
-      base_dir = File.join(dir, 'templates', type)
-      # prepare glob for all subdirectories and files
-      template = File.join(base_dir, '**', '{*,.*}')
-      # Use the name attribute to define the path to the profile.
-      profile_path = attributes[:name]
-      # Use slashes (\, /) to split up the name into an Array then use the last entry
-      # to reset the name of the profile.
-      attributes[:name] = attributes[:name].split(%r{\\|\/}).last
-      # Generate the full target path on disk
-      target = Pathname.new(Dir.pwd).join(profile_path)
-      puts "Create new #{type} at #{mark_text(target)}"
-
-      # check that the directory does not exist
-      if File.exist?(target) && !options['overwrite']
-        error "#{mark_text(target)} exists already, use --overwrite"
-        exit 1
-      end
-
-      # ensure that target directory is available
-      FileUtils.mkdir_p(target)
-
-      # iterate over files and write to target path
-      Dir.glob(template) do |file|
-        relative = Pathname.new(file).relative_path_from(Pathname.new(base_dir))
-        destination = Pathname.new(target).join(relative)
-        if File.directory?(file)
-          li "Create directory #{mark_text(relative)}"
-          FileUtils.mkdir_p(destination)
-        elsif File.file?(file)
-          li "Create file #{mark_text(relative)}"
-          # read & render content
-          content = render(File.read(file), attributes)
-          # write file content
-          File.write(destination, content)
-        else
-          puts "Ignore #{file}, because its not an file or directoy"
-        end
-      end
-    end
-
-    # This is a render helper to bind hash values to a ERB template
-    def render(content, hash)
-      # create a new binding class
-      cls = Class.new do
-        hash.each do |key, value|
-          define_method key.to_sym do
-            value
-          end
-        end
-        # expose binding
-        define_method :bind do
-          binding
-        end
-      end
-      ERB.new(content).result(cls.new.bind)
-    end
   end
 
   # register the subcommand to Inspec CLI registry

data/lib/bundles/inspec-init/renderer.rb

@@ -0,0 +1,79 @@
+require 'fileutils'
+require 'erb'
+
+module Init
+  class Renderer
+    # Creates a renderer able to render the given template type
+    # 1. iterate over all files
+    # 2. read content in erb
+    # 3. write to full_destination_root_path
+
+    attr_reader :overwrite_mode, :ui
+    def initialize(cli_ui, cli_options = {})
+      @ui = cli_ui
+      @overwrite_mode = cli_options['overwrite']
+    end
+
+    # rubocop: disable Metrics/AbcSize
+    def render_with_values(template_type, template_values = {})
+      # look for template directory
+      base_dir = File.join(File.dirname(__FILE__), 'templates', template_type)
+      # prepare glob for all subdirectories and files
+      template_glob = File.join(base_dir, '**', '{*,.*}')
+      # Use the name attribute to define the path to the profile.
+      profile_path = template_values[:name]
+      # Use slashes (\, /) to split up the name into an Array then use the last entry
+      # to reset the name of the profile.
+      template_values[:name] = template_values[:name].split(%r{\\|\/}).last
+      # Generate the full full_destination_root_path path on disk
+      full_destination_root_path = Pathname.new(Dir.pwd).join(profile_path)
+      ui.plain_text "Create new #{template_type} at #{ui.mark_text(full_destination_root_path)}"
+
+      # check that the directory does not exist
+      if File.exist?(full_destination_root_path) && !overwrite_mode
+        ui.plain_text "#{ui.mark_text(full_destination_root_path)} exists already, use --overwrite"
+        ui.exit(1)
+      end
+
+      # ensure that full_destination_root_path directory is available
+      FileUtils.mkdir_p(full_destination_root_path)
+
+      # iterate over files and write to full_destination_root_path
+      Dir.glob(template_glob) do |file|
+        relative_destination_item_path = Pathname.new(file).relative_path_from(Pathname.new(base_dir))
+        full_destination_item_path = Pathname.new(full_destination_root_path).join(relative_destination_item_path)
+        if File.directory?(file)
+          ui.li "Create directory #{ui.mark_text(relative_destination_item_path)}"
+          FileUtils.mkdir_p(full_destination_item_path)
+        elsif File.file?(file)
+          ui.li "Create file #{ui.mark_text(relative_destination_item_path)}"
+          # read & render content
+          content = render(File.read(file), template_values)
+          # write file content
+          File.write(full_destination_item_path, content)
+        else
+          ui.plain_text "Ignore #{file}, because its not an file or directoy"
+        end
+      end
+    end
+    # rubocop: enable Metrics/AbcSize
+
+    # This is a render helper to bind hash values to a ERB template
+    # ERB provides result_with_hash in ruby 2.5.0+, which does exactly this
+    def render(template_content, hash)
+      # create a new binding class
+      cls = Class.new do
+        hash.each do |key, value|
+          define_method key.to_sym do
+            value
+          end
+        end
+        # expose binding
+        define_method :bind do
+          binding
+        end
+      end
+      ERB.new(template_content).result(cls.new.bind)
+    end
+  end
+end

data/lib/inspec/base_cli.rb

@@ -210,6 +210,31 @@ module Inspec
       str
     end
 
+    # These need to be public methods on any BaseCLI instance,
+    # but Thor interprets all methods as subcommands.  The no_commands block
+    # treats them as regular methods.
+    no_commands do
+      def mark_text(text)
+        "\e[0;36m#{text}\e[0m"
+      end
+
+      def headline(title)
+        puts "\n== #{title}\n\n"
+      end
+
+      def li(entry)
+        puts " #{mark_text('*')} #{entry}"
+      end
+
+      def exit(code)
+        Kernel.exit code
+      end
+
+      def plain_text(msg)
+        puts msg
+      end
+    end
+
     private
 
     def suppress_log_output?(opts)
@@ -363,17 +388,5 @@ module Inspec
       end
       o[:logger].level = get_log_level(o.log_level)
     end
-
-    def mark_text(text)
-      "\e[0;36m#{text}\e[0m"
-    end
-
-    def headline(title)
-      puts "\n== #{title}\n\n"
-    end
-
-    def li(entry)
-      puts " #{mark_text('*')} #{entry}"
-    end
   end
 end

data/lib/inspec/objects/describe.rb

@@ -11,7 +11,14 @@ module Inspec
       end
 
       def to_ruby
-        itsy = its.nil? ? 'it' : 'its(' + its.to_s.inspect + ')'
+        itsy = 'it'
+        unless its.nil?
+          if its.is_a? Array
+            itsy = 'its(' + its.inspect + ')'
+          else
+            itsy = 'its(' + its.to_s.inspect + ')'
+          end
+        end
         naughty = negated ? '_not' : ''
         xpect = if expectation.nil?
                   ''

data/lib/inspec/plugins/resource.rb

@@ -90,8 +90,8 @@ module Inspec
 
         def check_supports
           status = inspec.platform.supported?(@supports)
-          skip_msg = "Resource #{@__resource_name__.capitalize} is not supported on platform #{inspec.platform.name}/#{inspec.platform.release}."
-          skip_resource(skip_msg) unless status
+          fail_msg = "Resource #{@__resource_name__.capitalize} is not supported on platform #{inspec.platform.name}/#{inspec.platform.release}."
+          fail_resource(fail_msg) unless status
           status
         end
 

data/lib/inspec/version.rb

@@ -4,5 +4,5 @@
 # author: Christoph Hartmann
 
 module Inspec
-  VERSION = '2.2.35'
+  VERSION = '2.2.41'
 end

data/lib/resources/command.rb

@@ -22,11 +22,22 @@ module Inspec::Resources
 
     attr_reader :command
 
-    def initialize(cmd)
+    def initialize(cmd, options = {})
       if cmd.nil?
         raise 'InSpec `command` was called with `nil` as the argument. This is not supported. Please provide a valid command instead.'
       end
+
       @command = cmd
+
+      if options[:redact_regex]
+        unless options[:redact_regex].is_a?(Regexp)
+          # Make sure command is replaced so sensitive output isn't shown
+          @command = 'ERROR'
+          raise Inspec::Exceptions::ResourceFailed,
+                'The `redact_regex` option must be a regular expression'
+        end
+        @redact_regex = options[:redact_regex]
+      end
     end
 
     def result
@@ -67,7 +78,11 @@ module Inspec::Resources
     end
 
     def to_s
-      "Command #{@command}"
+      output = "Command: `#{@command}`"
+      # Redact output if the `redact_regex` option is passed
+      # If no capture groups are passed then `\1` and `\2` are ignored
+      output.gsub!(@redact_regex, '\1REDACTED\2') unless @redact_regex.nil?
+      output
     end
   end
 end