inspec-core 2.2.78 → 2.2.101

data/lib/inspec.rb

@@ -15,6 +15,10 @@ require 'inspec/runner'
 require 'inspec/shell'
 require 'inspec/formatters'
 require 'inspec/reporters'
+require 'inspec/attribute_registry'
+require 'inspec/rspec_extensions'
+require 'inspec/globals'
+require 'inspec/impact'
 
 require 'inspec/plugin/v2'
 require 'inspec/plugin/v1'

data/lib/inspec/attribute_registry.rb

@@ -0,0 +1,83 @@
+require 'forwardable'
+require 'singleton'
+require 'inspec/objects/attribute'
+
+module Inspec
+  class AttributeRegistry
+    include Singleton
+    extend Forwardable
+
+    attr_reader :list
+    def_delegator :list, :each
+    def_delegator :list, :[]
+    def_delegator :list, :key?, :profile_exist?
+    def_delegator :list, :select
+
+    # These self methods are convenience methods so you dont always
+    # have to specify instance when calling the registry
+    def self.find_attribute(name, profile)
+      instance.find_attribute(name, profile)
+    end
+
+    def self.register_attribute(name, profile, options = {})
+      instance.register_attribute(name, profile, options)
+    end
+
+    def self.register_profile_alias(name, alias_name)
+      instance.register_profile_alias(name, alias_name)
+    end
+
+    def self.list_attributes_for_profile(profile)
+      instance.list_attributes_for_profile(profile)
+    end
+
+    def initialize
+      # this is a collection of profiles which have a value of attribute objects
+      @list = {}
+
+      # this is a list of optional profile name overrides set in the inspec.yml
+      @profile_aliases = {}
+    end
+
+    def find_attribute(name, profile)
+      profile = @profile_aliases[profile] if !profile_exist?(profile) && @profile_aliases[profile]
+      unless profile_exist?(profile)
+        error = Inspec::AttributeRegistry::ProfileError.new
+        error.profile_name = profile
+        raise error, "Profile '#{error.profile_name}' does not have any attributes"
+      end
+
+      unless list[profile].key?(name)
+        error = Inspec::AttributeRegistry::AttributeError.new
+        error.attribute_name = name
+        error.profile_name = profile
+        raise error, "Profile '#{error.profile_name}' does not have a attribute with name '#{error.attribute_name}'"
+      end
+      list[profile][name]
+    end
+
+    def register_attribute(name, profile, options = {})
+      # check for a profile override name
+      if profile_exist?(profile) && list[profile][name] && options.empty?
+        list[profile][name]
+      else
+        list[profile] = {} unless profile_exist?(profile)
+        list[profile][name] = Inspec::Attribute.new(name, options)
+      end
+    end
+
+    def register_profile_alias(name, alias_name)
+      @profile_aliases[name] = alias_name
+    end
+
+    def list_attributes_for_profile(profile)
+      list[profile] = {} unless profile_exist?(profile)
+      list[profile]
+    end
+
+    def __reset
+      @list = {}
+      @profile_aliases = {}
+    end
+  end
+end

data/lib/inspec/base_cli.rb

@@ -8,6 +8,10 @@ require 'inspec/profile_vendor'
 
 module Inspec
   class BaseCLI < Thor
+    class << self
+      attr_accessor :inspec_cli_command
+    end
+
     # https://github.com/erikhuda/thor/issues/244
     def self.exit_on_failure?
       true
@@ -62,6 +66,8 @@ module Inspec
         desc: 'Specifies the bastion port if applicable'
       option :insecure, type: :boolean, default: false,
         desc: 'Disable SSL verification on select targets'
+      option :target_id, type: :string,
+        desc: 'Provide a ID which will be included on reports'
     end
 
     def self.profile_options
@@ -134,7 +140,7 @@ module Inspec
       if opts['reporter'].is_a?(Array)
         reports = {}
         opts['reporter'].each do |report|
-          reporter_name, target = report.split(':')
+          reporter_name, target = report.split(':', 2)
           if target.nil? || target.strip == '-'
             reports[reporter_name] = { 'stdout' => true }
           else
@@ -142,6 +148,7 @@ module Inspec
               'file' => target,
               'stdout' => false,
             }
+            reports[reporter_name]['target_id'] = opts['target_id'] if opts['target_id']
           end
         end
         opts['reporter'] = reports
@@ -152,6 +159,7 @@ module Inspec
         opts['reporter'].each do |reporter_name, config|
           opts['reporter'][reporter_name] = {} if config.nil?
           opts['reporter'][reporter_name]['stdout'] = true if opts['reporter'][reporter_name].empty?
+          opts['reporter'][reporter_name]['target_id'] = opts['target_id'] if opts['target_id']
         end
       end
 
@@ -295,6 +303,7 @@ module Inspec
       # start with default options if we have any
       opts = BaseCLI.default_options[type] unless type.nil? || BaseCLI.default_options[type].nil?
       opts['type'] = type unless type.nil?
+      Inspec::BaseCLI.inspec_cli_command = type
 
       # merge in any options from json-config
       json_config = options_json

data/lib/inspec/cli.rb

@@ -35,6 +35,9 @@ class Inspec::InspecCLI < Inspec::BaseCLI
   def json(target)
     o = opts.dup
     diagnose(o)
+    o['log_location'] = STDERR
+    configure_logger(o)
+
     o[:backend] = Inspec::Backend.create(target: 'mock://')
     o[:check_mode] = true
     o[:vendor_cache] = Inspec::Cache.new(o[:vendor_cache])
@@ -119,6 +122,10 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     desc: 'Overwrite existing vendored dependencies and lockfile.'
   def vendor(path = nil)
     o = opts.dup
+    configure_logger(o)
+    o[:logger] = Logger.new(STDOUT)
+    o[:logger].level = get_log_level(o.log_level)
+
     vendor_deps(path, o)
   end
 
@@ -141,7 +148,11 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     o[:logger] = Logger.new(STDOUT)
     o[:logger].level = get_log_level(o.log_level)
     o[:backend] = Inspec::Backend.create(target: 'mock://')
-    o[:vendor_cache] = Inspec::Cache.new(o[:vendor_cache])
+
+    # Force vendoring with overwrite when archiving
+    vendor_options = o.dup
+    vendor_options[:overwrite] = true
+    vendor_deps(path, vendor_options)
 
     profile = Inspec::Profile.for_target(path, o)
     result = profile.check

data/lib/inspec/control_eval_context.rb

@@ -19,11 +19,16 @@ module Inspec
     #
     # @param [ResourcesDSL] resources_dsl which has all resources to attach
     # @return [RuleContext] the inner context of rules
-    def self.rule_context(resources_dsl)
+    def self.rule_context(resources_dsl, profile_id)
       require 'rspec/core/dsl'
       Class.new(Inspec::Rule) do
         include RSpec::Core::DSL
         with_resource_dsl resources_dsl
+
+        # allow attributes to be accessed within control blocks
+        define_method :attribute do |name|
+          Inspec::AttributeRegistry.find_attribute(name, profile_id).value
+        end
       end
     end
 
@@ -36,9 +41,9 @@ module Inspec
     # @param outer_dsl [OuterDSLClass]
     # @return [ProfileContextClass]
     def self.create(profile_context, resources_dsl) # rubocop:disable Metrics/AbcSize, Metrics/MethodLength, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
-      rule_class = rule_context(resources_dsl)
       profile_context_owner = profile_context
       profile_id = profile_context.profile_id
+      rule_class = rule_context(resources_dsl, profile_id)
 
       Class.new do # rubocop:disable Metrics/BlockLength
         include Inspec::DSL
@@ -137,8 +142,12 @@ module Inspec
         end
 
         # method for attributes; import attribute handling
-        define_method :attribute do |name, options|
-          profile_context_owner.register_attribute(name, options)
+        define_method :attribute do |name, options = {}|
+          if options.empty?
+            Inspec::AttributeRegistry.find_attribute(name, profile_id).value
+          else
+            profile_context_owner.register_attribute(name, options)
+          end
         end
 
         define_method :skip_control do |id|

data/lib/inspec/dependencies/cache.rb

@@ -18,7 +18,7 @@ module Inspec
   class Cache
     attr_reader :path
     def initialize(path = nil)
-      @path = path || File.join(Dir.home, '.inspec', 'cache')
+      @path = path || File.join(Inspec.config_dir, 'cache')
       FileUtils.mkdir_p(@path) unless File.directory?(@path)
     end
 

data/lib/inspec/dependencies/dependency_set.rb

@@ -47,7 +47,7 @@ module Inspec
     end
 
     attr_reader :vendor_path
-    attr_writer :dep_list
+    attr_accessor :dep_list
     # initialize
     #
     # @param cwd [String] current working directory for relative path includes

data/lib/inspec/dependencies/requirement.rb

@@ -121,8 +121,9 @@ module Inspec
       if !@dependencies.nil? && !@dependencies.empty?
         opts[:dependencies] = Inspec::DependencySet.from_array(@dependencies, @cwd, @cache, @backend)
       end
+      opts[:profile_name] = @name
+      opts[:parent_profile] = @parent_profile
       @profile = Inspec::Profile.for_fetcher(fetcher, opts)
-      @profile.parent_profile = @parent_profile
       @profile
     end
   end

data/lib/inspec/errors.rb

@@ -11,4 +11,31 @@ module Inspec
   class DuplicateDep < Error; end
   class FetcherFailure < Error; end
   class ReporterError < Error; end
+  class ImpactError < Error; end
+
+  class Attribute
+    class Error < Inspec::Error; end
+    class ValidationError < Error
+      attr_accessor :attribute_name
+      attr_accessor :attribute_value
+      attr_accessor :attribute_type
+    end
+    class TypeError < Error
+      attr_accessor :attribute_type
+    end
+    class RequiredError < Error
+      attr_accessor :attribute_name
+    end
+  end
+
+  class AttributeRegistry
+    class Error < Inspec::Error; end
+    class ProfileError < Error
+      attr_accessor :profile_name
+    end
+    class AttributeError < Error
+      attr_accessor :profile_name
+      attr_accessor :attribute_name
+    end
+  end
 end

data/lib/inspec/file_provider.rb

@@ -105,6 +105,22 @@ module Inspec
       end
     end
 
+    def extract(destination_path = '.')
+      FileUtils.mkdir_p(destination_path)
+
+      Zip::File.open(@path) do |archive|
+        archive.each do |file|
+          final_path = File.join(destination_path, file.name)
+
+          # This removes the top level directory (and any other files) to ensure
+          # extracted files do not conflict.
+          FileUtils.remove_entry(final_path) if File.exist?(final_path)
+
+          archive.extract(file, final_path)
+        end
+      end
+    end
+
     def read(file)
       @contents[file] ||= read_from_zip(file)
     end
@@ -150,6 +166,24 @@ module Inspec
       end
     end
 
+    def extract(destination_path = '.')
+      FileUtils.mkdir_p(destination_path)
+
+      walk_tar(@path) do |files|
+        files.each do |file|
+          next unless @files.include?(file.full_name)
+          final_path = File.join(destination_path, file.full_name)
+
+          # This removes the top level directory (and any other files) to ensure
+          # extracted files do not conflict.
+          FileUtils.remove_entry(final_path) if File.exist?(final_path)
+
+          FileUtils.mkdir_p(File.dirname(final_path))
+          File.open(final_path, 'wb') { |f| f.write(file.read) }
+        end
+      end
+    end
+
     def read(file)
       @contents[file] ||= read_from_tar(file)
     end
@@ -157,7 +191,10 @@ module Inspec
     private
 
     def walk_tar(path, &callback)
-      Gem::Package::TarReader.new(Zlib::GzipReader.open(path), &callback)
+      tar_file = Zlib::GzipReader.open(path)
+      Gem::Package::TarReader.new(tar_file, &callback)
+    ensure
+      tar_file.close
     end
 
     def read_from_tar(file)

data/lib/inspec/globals.rb

@@ -0,0 +1,5 @@
+module Inspec
+  def self.config_dir
+    ENV['INSPEC_CONFIG_DIR'] ? ENV['INSPEC_CONFIG_DIR'] : File.join(Dir.home, '.inspec')
+  end
+end

data/lib/inspec/impact.rb

@@ -0,0 +1,34 @@
+# encoding: utf-8
+
+# Impact scores based off CVSS 3.0
+module Inspec::Impact
+  IMPACT_SCORES = {
+    'none'     => 0.0,
+    'low'      => 0.01,
+    'medium'   => 0.4,
+    'high'     => 0.7,
+    'critical' => 0.9,
+  }.freeze
+
+  def self.impact_from_string(value)
+    # return if its a number
+    return value if is_number?(value)
+    raise Inspec::ImpactError, "'#{value}' is not a valid impact name. Valid impact names: none, low, medium, high, critical." unless IMPACT_SCORES.key?(value.downcase)
+    IMPACT_SCORES[value]
+  end
+
+  def self.is_number?(value)
+    Float(value)
+    true
+  rescue
+    false
+  end
+
+  def self.string_from_impact(value)
+    value = value.to_f
+    raise Inspec::ImpactError, "'#{value}' is not a valid impact score. Valid impact scores: [0.0 - 1.0]." if value < 0 || value > 1
+    IMPACT_SCORES.reverse_each do |name, impact|
+      return name if value >= impact
+    end
+  end
+end

data/lib/inspec/objects/attribute.rb

@@ -3,7 +3,16 @@
 module Inspec
   class Attribute
     attr_accessor :name
-    attr_writer :value
+
+    VALID_TYPES = %w{
+      String
+      Numeric
+      Regexp
+      Array
+      Hash
+      Boolean
+      Any
+    }.freeze
 
     DEFAULT_ATTRIBUTE = Class.new do
       def initialize(name)
@@ -16,7 +25,6 @@ module Inspec
           "Use --attrs to provide a value for '#{@name}' or specify a default  "\
           "value with `attribute('#{@name}', default: 'somedefault', ...)`.",
         )
-
         self
       end
 
@@ -28,16 +36,22 @@ module Inspec
     def initialize(name, options = {})
       @name = name
       @opts = options
+      validate_value_type(default) if @opts.key?(:type) && @opts.key?(:default)
       @value = nil
     end
 
-    # implicit call is done by inspec to determine the value of an attribute
-    def value
-      @value.nil? ? default : @value
+    def value=(new_value)
+      validate_value_type(new_value) if @opts.key?(:type)
+      @value = new_value
     end
 
-    def default
-      @opts.key?(:default) ? @opts[:default] : DEFAULT_ATTRIBUTE.new(@name)
+    def value
+      if @value.nil?
+        validate_required(@value) if @opts[:required] == true
+        @value = default
+      else
+        @value
+      end
     end
 
     def title
@@ -71,5 +85,76 @@ module Inspec
     def to_s
       "Attribute #{@name} with #{@value}"
     end
+
+    private
+
+    def validate_required(value)
+      # value will be set already if a secrets file was passed in
+      if (!@opts.key?(:default) && value.nil?) || (@opts[:default].nil? && value.nil?)
+        error = Inspec::Attribute::RequiredError.new
+        error.attribute_name = @name
+        raise error, "Attribute '#{error.attribute_name}' is required and does not have a value."
+      end
+    end
+
+    def validate_type(type)
+      type = type.capitalize
+      abbreviations = {
+        'Num' => 'Numeric',
+        'Regex' => 'Regexp',
+      }
+      type = abbreviations[type] if abbreviations.key?(type)
+      if !VALID_TYPES.include?(type)
+        error = Inspec::Attribute::TypeError.new
+        error.attribute_type = type
+        raise error, "Type '#{error.attribute_type}' is not a valid attribute type."
+      end
+      type
+    end
+
+    def valid_numeric?(value)
+      Float(value)
+      true
+    rescue
+      false
+    end
+
+    def valid_regexp?(value)
+      # check for invalid regex syntex
+      Regexp.new(value)
+      true
+    rescue
+      false
+    end
+
+    # rubocop:disable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
+    def validate_value_type(value)
+      type = validate_type(@opts[:type])
+      return if type == 'Any'
+
+      invalid_type = false
+      if type == 'Regexp'
+        invalid_type = true if !value.is_a?(String) || !valid_regexp?(value)
+      elsif type == 'Numeric'
+        invalid_type = true if !valid_numeric?(value)
+      elsif type == 'Boolean'
+        invalid_type = true if ![true, false].include?(value)
+      elsif value.is_a?(Module.const_get(type)) == false
+        invalid_type = true
+      end
+
+      if invalid_type == true
+        error = Inspec::Attribute::ValidationError.new
+        error.attribute_name = @name
+        error.attribute_value = value
+        error.attribute_type = type
+        raise error, "Attribute '#{error.attribute_name}' with value '#{error.attribute_value}' does not validate to type '#{error.attribute_type}'."
+      end
+    end
+    # rubocop:enable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
+
+    def default
+      @opts.key?(:default) ? @opts[:default] : DEFAULT_ATTRIBUTE.new(@name)
+    end
   end
 end