inspec-core 4.16.0 → 4.17.7

data/lib/inspec/resources/etc_fstab.rb

@@ -57,6 +57,10 @@ module Inspec::Resources
       where { mount_point == "/home" }.entries[0].mount_options
     end
 
+    def to_s
+      "File System Table File (fstab)"
+    end
+
     private
 
     def read_content

data/lib/inspec/resources/etc_hosts.rb

@@ -37,6 +37,10 @@ module Inspec::Resources
       .register_column(:all_host_names, field: "all_host_names")
       .install_filter_methods_on_resource(self, :params)
 
+    def to_s
+      "Hosts File"
+    end
+
     private
 
     def default_hosts_file_path

data/lib/inspec/resources/firewalld.rb

@@ -88,6 +88,10 @@ module Inspec::Resources
       firewalld_command("--zone=#{query_zone} --query-rich-rule='#{rule}'") == "yes"
     end
 
+    def to_s
+      "Firewall Rules"
+    end
+
     private
 
     def active_zones

data/lib/inspec/resources/json.rb

@@ -93,10 +93,17 @@ module Inspec::Resources
     end
 
     def load_raw_from_command(command)
-      command_output = inspec.command(command).stdout
-      raise Inspec::Exceptions::ResourceSkipped, "No output from command: #{command}" if command_output.nil? || command_output.empty?
+      result = inspec.command(command)
 
-      command_output
+      return result.stdout unless result.stdout.empty?
+
+      msg = if result.stderr.empty?
+              "No JSON output, STDERR was empty"
+            else
+              "No JSON output, STDERR:\n #{result.stderr}"
+            end
+
+      raise Inspec::Exceptions::ResourceFailed, msg
     end
 
     # for resources the subclass JsonConfig, this allows specification of the resource

data/lib/inspec/resources/mssql_session.rb

@@ -53,7 +53,7 @@ module Inspec::Resources
     end
 
     def query(q) # rubocop:disable Metrics/PerceivedComplexity
-      escaped_query = q.gsub(/\\/, '\\\\').gsub(/"/, '\\"').gsub(/\$/, '\\$')
+      escaped_query = q.gsub(/\\/, '\\\\').gsub(/"/, '""').gsub(/\$/, '\\$')
       # surpress 'x rows affected' in SQLCMD with 'set nocount on;'
       cmd_string = "sqlcmd -Q \"set nocount on; #{escaped_query}\" -W -w 1024 -s ','"
       cmd_string += " -U '#{@user}' -P '#{@password}'" unless @user.nil? || @password.nil?

data/lib/inspec/resources/platform.rb

@@ -1,3 +1,5 @@
+require "inspec/resource"
+
 module Inspec::Resources
   class PlatformResource < Inspec.resource(1)
     name "platform"
@@ -67,19 +69,22 @@ module Inspec::Resources
       return true if supports.nil? || supports.empty?
 
       status = true
-      supports.each do |s|
-        s.each do |k, v|
-          if %i{os_family os-family platform_family platform-family}.include?(k)
-            status = in_family?(v)
-          elsif %i{os platform}.include?(k)
-            status = platform?(v)
-          elsif %i{os_name os-name platform_name platform-name}.include?(k)
-            status = name == v
-          elsif k == :release
-            status = check_release(v)
-          else
-            status = false
-          end
+      supports.each do |support|
+        support.each do |k, v|
+          status =
+            case k
+            when :os_family, :"os-family", :platform_family, :"platform-family" then
+              in_family?(v)
+            when :os, :platform then
+              platform?(v)
+            when :os_name, :"os-name", :platform_name, :"platform-name" then
+              name == v
+            when :release then
+              check_release(v)
+            else
+              false
+            end
+
           break if status == false
         end
         return true if status == true

data/lib/inspec/resources/postfix_conf.rb

@@ -11,7 +11,7 @@ module Inspec::Resources
     def initialize(*opts)
       @params = {}
       if opts.length == 1
-        @raw_content = load_raw_content(opts)
+        @raw_content = load_raw_content(opts[0])
       else
         @raw_content = load_raw_content("/etc/postfix/main.cf")
       end
@@ -22,10 +22,14 @@ module Inspec::Resources
       SimpleConfig.new(content).params
     end
 
+    def to_s
+      "Postfix Mail Transfer Agent"
+    end
+
     private
 
     def resource_base_name
-      "POSTFIX_CONF"
+      "Postfix Config"
     end
   end
 end

data/lib/inspec/resources/security_identifier.rb

@@ -47,6 +47,10 @@ module Inspec::Resources
       @sids.key?(@name)
     end
 
+    def to_s
+      "Security Identifier"
+    end
+
     private
 
     def fetch_sids

data/lib/inspec/resources/sys_info.rb

@@ -13,20 +13,77 @@ module Inspec::Resources
       describe sys_info do
         its('hostname') { should eq 'example.com' }
       end
+
+      describe sys_info do
+        its('fqdn') { should eq 'user.example.com' }
+      end
+
     EXAMPLE
 
+    %w{ domain fqdn ip_address short }.each do |opt|
+      define_method(opt.to_sym) do
+        hostname(opt)
+      end
+    end
+
     # returns the hostname of the local system
-    def hostname
+    def hostname(opt = nil)
       os = inspec.os
-      if os.linux? || os.darwin?
-        inspec.command("hostname").stdout.chomp
+      if os.linux?
+        linux_hostname(opt)
+      elsif os.darwin?
+        mac_hostname(opt)
       elsif os.windows?
-        inspec.powershell("$env:computername").stdout.chomp
+        if !opt.nil?
+          skip_resource "The `sys_info.hostname` resource is not supported with that option on your OS."
+        else
+          inspec.powershell("$env:computername").stdout.chomp
+        end
       else
         skip_resource "The `sys_info.hostname` resource is not supported on your OS yet."
       end
     end
 
+    def linux_hostname(opt = nil)
+      if !opt.nil?
+        opt = case opt
+              when "f", "long", "fqdn", "full"
+                " -f"
+              when "d", "domain"
+                " -d"
+              when "i", "ip_address"
+                " -I"
+              when "s", "short"
+                " -s"
+              else
+                "ERROR"
+              end
+      end
+      if opt == "ERROR"
+        skip_resource "The `sys_info.hostname` resource is not supported with that option on your OS."
+      else
+        inspec.command("hostname#{opt}").stdout.chomp
+      end
+    end
+
+    def mac_hostname(opt = nil)
+      if !opt.nil?
+        opt = case opt
+              when "f", "long", "fqdn", "full"
+                " -f"
+              when "s", "short"
+                " -s"
+              else
+                "ERROR"
+              end
+      end
+      if opt == "ERROR"
+        skip_resource "The `sys_info.hostname` resource is not supported with that option on your OS."
+      else
+        inspec.command("hostname#{opt}").stdout.chomp
+      end
+    end
+
     # returns the Manufacturer of the local system
     def manufacturer
       os = inspec.os
@@ -54,5 +111,9 @@ module Inspec::Resources
         skip_resource "The `sys_info.model` resource is not supported on your OS yet."
       end
     end
+
+    def to_s
+      "System Information"
+    end
   end
 end

data/lib/inspec/resources/user.rb

@@ -0,0 +1 @@
+require "inspec/resources/users"

data/lib/inspec/rule.rb

@@ -1,10 +1,12 @@
 # copyright: 2015, Dominik Richter
 
 require "method_source"
+require "date"
 require "inspec/describe"
 require "inspec/expect"
 require "inspec/resource"
 require "inspec/resources/os"
+require "inspec/input_registry"
 
 module Inspec
   class Rule
@@ -28,6 +30,7 @@ module Inspec
       @resource_dsl
     end
 
+    attr_reader :__waiver_data
     def initialize(id, profile_id, opts, &block)
       @impact = nil
       @title = nil
@@ -42,7 +45,7 @@ module Inspec
       @__rule_id = id
       @__profile_id = profile_id
       @__checks = []
-      @__skip_rule = {}
+      @__skip_rule = {} # { result: true, message: "Why", type: [:only_if, :waiver] }
       @__merge_count = 0
       @__merge_changes = []
       @__skip_only_if_eval = opts[:skip_only_if_eval]
@@ -52,6 +55,11 @@ module Inspec
 
       begin
         instance_eval(&block)
+
+        # By applying waivers *after* the instance eval, we assure that
+        # waivers have higher precedence than only_if.
+        __apply_waivers
+
       rescue StandardError => e
         # We've encountered an exception while trying to eval the code inside the
         # control block. We need to prevent the exception from bubbling up, and
@@ -141,6 +149,7 @@ module Inspec
       return if @__skip_only_if_eval == true
 
       @__skip_rule[:result] ||= !yield
+      @__skip_rule[:type] = :only_if
       @__skip_rule[:message] = message
     end
 
@@ -193,9 +202,9 @@ module Inspec
       rule.instance_variable_get(:@__skip_rule)
     end
 
-    def self.set_skip_rule(rule, value, message = nil)
+    def self.set_skip_rule(rule, value, message = nil, type = :only_if)
       rule.instance_variable_set(:@__skip_rule,
-        { result: value, message: message })
+        { result: value, message: message, type: type })
     end
 
     def self.merge_count(rule)
@@ -206,14 +215,16 @@ module Inspec
       rule.instance_variable_get(:@__merge_changes)
     end
 
+    # If a rule is marked to be skipped, this
+    # creates a dummay array of "checks" with a skip outcome
     def self.prepare_checks(rule)
       skip_check = skip_status(rule)
       return checks(rule) unless skip_check[:result].eql?(true)
 
       if skip_check[:message]
-        msg = "Skipped control due to only_if condition: #{skip_check[:message]}"
+        msg = "Skipped control due to #{skip_check[:type]} condition: #{skip_check[:message]}"
       else
-        msg = "Skipped control due to only_if condition."
+        msg = "Skipped control due to #{skip_check[:type]} condition."
       end
 
       # TODO: we use os as the carrier here, but should consider
@@ -251,7 +262,8 @@ module Inspec
       skip_check = skip_status(src)
       sr = skip_check[:result]
       msg = skip_check[:message]
-      set_skip_rule(dst, sr, msg) unless sr.nil?
+      skip_type = skip_check[:type]
+      set_skip_rule(dst, sr, msg, skip_type) unless sr.nil?
 
       # Save merge history
       dst.instance_variable_set(:@__merge_count, merge_count(dst) + 1)
@@ -267,6 +279,56 @@ module Inspec
       @__checks.push([describe_or_expect, values, block])
     end
 
+    # Look for an input with a matching ID, and if found, apply waiver
+    # skipping logic. Basically, if we have a current waiver, and it says
+    # to skip, we'll replace all the checks with a dummy check (same as
+    # only_if mechanism)
+    # Double underscore: not intended to be called as part of the DSL
+    def __apply_waivers
+      input_name = @__rule_id # TODO: control ID slugging
+      registry = Inspec::InputRegistry.instance
+      input = registry.inputs_by_profile.dig(@__profile_id, input_name)
+      return unless input
+
+      # An InSpec Input is a datastructure that tracks a profile parameter
+      # over time. Its value can be set by many sources, and it keeps a
+      # log of each "set" event so that when it is collapsed to a value,
+      # it can determine the correct (highest priority) value.
+      # Store in an instance variable for.. later reading???
+      @__waiver_data = input.value
+      __waiver_data["skipped_due_to_waiver"] = false
+      __waiver_data["message"] = ""
+
+      # Waivers should have a hash value with keys possibly including skip and
+      # expiration_date. We only care here if it has a skip key and it
+      # is yes-like, since all non-skipped waiver operations are handled
+      # during reporting phase.
+      return unless __waiver_data.key?("skip") && __waiver_data["skip"]
+
+      # OK, the intent is to skip. Does it have an expiration date, and
+      # if so, is it in the future?
+      expiry = __waiver_data["expiration_date"]
+      if expiry
+        if expiry.is_a?(Date)
+          # It appears that yaml.rb automagically parses dates for us
+          if expiry < Date.today # If the waiver expired, return - no skip applied
+            __waiver_data["message"] = "Waiver expired on #{expiry}, evaluating control normally"
+            return
+          end
+        else
+          ui = Inspec::UI.new
+          ui.error("Unable to parse waiver expiration date '#{expiry}' for control #{@__rule_id}")
+          ui.exit(:usage_error)
+        end
+      end
+
+      # OK, apply a skip.
+      @__skip_rule[:result] = true
+      @__skip_rule[:type] = :waiver
+      @__skip_rule[:message] = __waiver_data["justification"]
+      __waiver_data["skipped_due_to_waiver"] = true
+    end
+
     #
     # Takes a block and returns a block that will run the given block
     # with access to the resource_dsl of the current class. This is to

data/lib/inspec/runner.rb

@@ -9,7 +9,6 @@ require "inspec/metadata"
 require "inspec/config"
 require "inspec/dependencies/cache"
 require "inspec/dist"
-require "inspec/resources"
 require "inspec/reporters"
 require "inspec/runner_rspec"
 # spec requirements
@@ -57,6 +56,12 @@ module Inspec
         RunnerRspec.new(@conf)
       end
 
+      if @conf[:waiver_file]
+        waivers = @conf.delete(:waiver_file)
+        @conf[:input_file] ||= []
+        @conf[:input_file].concat waivers
+      end
+
       # About reading inputs:
       #   @conf gets passed around a lot, eventually to
       # Inspec::InputRegistry.register_external_inputs.

data/lib/inspec/runner_rspec.rb

@@ -171,6 +171,7 @@ module Inspec
       metadata[:descriptions] = rule.descriptions
       metadata[:code] = rule.instance_variable_get(:@__code)
       metadata[:source_location] = rule.instance_variable_get(:@__source_location)
+      metadata[:waiver_data] = rule.__waiver_data
     end
   end
 end

data/lib/inspec/shell.rb

@@ -112,6 +112,7 @@ module Inspec
           #{print_target_info}
         EOF
       elsif topic == "resources"
+        require "inspec/resources"
         resources.sort.each do |resource|
           puts " - #{resource}"
         end
@@ -134,7 +135,13 @@ module Inspec
         info += "https://www.inspec.io/docs/reference/resources/#{topic}\n\n"
         puts info
       else
-        puts "The resource #{topic} does not exist. For a list of valid resources, type: help resources"
+        begin
+          require "inspec/resources/#{topic}"
+          help topic
+        rescue LoadError
+          # TODO: stderr!
+          puts "The resource #{topic} does not exist. For a list of valid resources, type: help resources"
+        end
       end
     end
 

data/lib/inspec/utils/pkey_reader.rb

@@ -1,4 +1,4 @@
-require "inspec/objects/input"
+require "inspec/input"
 
 module PkeyReader
   def read_pkey(filecontent, passphrase)