inspec-core 4.18.100 → 4.19.0

data/lib/inspec/resources/service.rb

@@ -104,6 +104,8 @@ module Inspec::Resources
       os = inspec.os
       platform = os[:name]
 
+      return WindowsSrv.new(inspec) if os.windows?
+
       # Ubuntu
       # @see: https://wiki.ubuntu.com/SystemdForUpstartUsers
       # Ubuntu 15.04 : Systemd
@@ -154,8 +156,6 @@ module Inspec::Resources
         SysV.new(inspec, service_ctl)
       when "mac_os_x"
         LaunchCtl.new(inspec, service_ctl)
-      when "windows"
-        WindowsSrv.new(inspec)
       when "freebsd"
         BSDInit.new(inspec, service_ctl)
       when "arch"

data/lib/inspec/resources/virtualization.rb

@@ -1,9 +1,11 @@
 require "hashie/mash"
+require "inspec/resources/powershell"
 
 module Inspec::Resources
   class Virtualization < Inspec.resource(1)
     name "virtualization"
     supports platform: "unix"
+    supports platform: "windows"
     desc "Use the virtualization InSpec audit resource to test various virtualization platforms."
     example <<~EXAMPLE
       describe virtualization do
@@ -25,7 +27,15 @@ module Inspec::Resources
     def initialize
       # TODO: no need for hashie here... in fact, no reason for a hash at all
       @virtualization_data = Hashie::Mash.new
-      collect_data_linux
+
+      if inspec.os.linux?
+        collect_data_linux
+      elsif inspec.os.windows?
+        collect_data_windows
+      end
+
+      # Allows checking for non-virtualized systems as well
+      @virtualization_data[:physical] = @virtualization_data.empty?
     end
 
     # add helper methods for easy access of properties
@@ -36,6 +46,14 @@ module Inspec::Resources
       end
     end
 
+    def virtual_system?
+      @virtualization_data[:role] == "guest"
+    end
+
+    def physical_system?
+      @virtualization_data[:physical]
+    end
+
     def params
       # TODO: this is broken. cannot return anything but nil
       collect_data_linux
@@ -236,6 +254,39 @@ module Inspec::Resources
       true
     end
 
+    # Detect VMware
+    def detect_vmware
+      return false unless inspec.file("/sys/devices/virtual/dmi/id/product_name").exist?
+
+      product_name = inspec.file("/sys/devices/virtual/dmi/id/product_name").content
+
+      if product_name =~ /^VMware/
+        @virtualization_data[:system] = "vmware"
+        @virtualization_data[:role] = "guest"
+      else
+        return false
+      end
+
+      true
+    end
+
+    # Detect Hyper-V
+    # @see https://gallery.technet.microsoft.com/scriptcenter/Get-MachineType-VM-or-ff43f3a9
+    def detect_hyperv
+      return false unless inspec.file("/sys/devices/virtual/dmi/id/product_name").exist?
+
+      product_name = inspec.file("/sys/devices/virtual/dmi/id/product_name").content
+
+      if product_name.rstrip == "Virtual Machine"
+        @virtualization_data[:system] = "hyper-v"
+        @virtualization_data[:role] = "guest"
+      else
+        return false
+      end
+
+      true
+    end
+
     def collect_data_linux
       # This avoids doing multiple detections in a single test
       return unless @virtualization_data.empty?
@@ -253,7 +304,40 @@ module Inspec::Resources
       return if detect_openvz
       return if detect_openstack
       return if detect_parallels
-      # TODO: where is vmware?
+      return if detect_vmware
+      return if detect_hyperv
+    end
+
+    def windows_computer_system
+      script = "Get-WmiObject -Class Win32_ComputerSystem -ErrorAction Stop | ConvertTo-Json"
+      cmd = inspec.powershell(script)
+
+      JSON.parse(cmd.stdout)
+    rescue JSON::ParserError => _e
+      nil
+    end
+
+    def collect_data_windows
+      # This avoids doing multiple detections in a single test
+      return unless @virtualization_data.empty?
+
+      case windows_computer_system["Model"]
+      when "Virtual Machine"
+        @virtualization_data[:system] = "hyper-v"
+      when /^VMware/
+        @virtualization_data[:system] = "vmware"
+      when "VirtualBox"
+        @virtualization_data[:system] = "virtualbox"
+      end
+
+      case windows_computer_system[:manufacturer]
+      when "Xen"
+        @virtualization_data[:system] = "xen"
+      when "QEMU"
+        @virtualization_data[:system] = "kvm"
+      end
+
+      @virtualization_data[:role] = "guest" if @virtualization_data[:system]
     end
   end
 end

data/lib/inspec/resources/x509_certificate.rb

@@ -59,7 +59,7 @@ module Inspec::Resources
     def fingerprint
       return if @cert.nil?
 
-      OpenSSL::Digest::SHA1.new(@cert.to_der).to_s
+      OpenSSL::Digest.new("SHA1", @cert.to_der).to_s
     end
 
     def serial

data/lib/inspec/rule.rb

@@ -332,7 +332,7 @@ module Inspec
       input_name = @__rule_id # TODO: control ID slugging
       registry = Inspec::InputRegistry.instance
       input = registry.inputs_by_profile.dig(__profile_id, input_name)
-      return unless input
+      return unless input && input.has_value? && input.value.is_a?(Hash)
 
       # An InSpec Input is a datastructure that tracks a profile parameter
       # over time. Its value can be set by many sources, and it keeps a
@@ -353,9 +353,13 @@ module Inspec
       # if so, is it in the future?
       expiry = __waiver_data["expiration_date"]
       if expiry
-        if expiry.is_a?(Date)
-          # It appears that yaml.rb automagically parses dates for us
-          if expiry < Date.today # If the waiver expired, return - no skip applied
+        # YAML will automagically give us a Date or a Time.
+        # If transcoding YAML between languages (e.g. Go) the date might have also ended up as a String.
+        # A string that does not represent a valid time results in the date 0000-01-01.
+        if [Date, Time].include?(expiry.class) || (expiry.is_a?(String) && Time.new(expiry).year != 0)
+          expiry = expiry.to_time if expiry.is_a? Date
+          expiry = Time.new(expiry) if expiry.is_a? String
+          if expiry < Time.now # If the waiver expired, return - no skip applied
             __waiver_data["message"] = "Waiver expired on #{expiry}, evaluating control normally"
             return
           end

data/lib/inspec/run_data.rb

@@ -0,0 +1,64 @@
+
+module Inspec
+  module HashLikeStruct
+    def keys
+      members
+    end
+
+    def key?(item)
+      members.include?(item)
+    end
+  end
+
+  RunData = Struct.new(
+    :controls,     # Array of Inspec::RunData::Control (flattened)
+    :other_checks,
+    :profiles,     # Array of Inspec::RunData::Profile
+    :platform,     # Inspec::RunData::Platform
+    :statistics,   # Inspec::RunData::Statistics
+    :version       # String
+  ) do
+    include HashLikeStruct
+    def initialize(raw_run_data)
+      self.controls   = raw_run_data[:controls].map { |c| Inspec::RunData::Control.new(c) }
+      self.profiles   = raw_run_data[:profiles].map { |p| Inspec::RunData::Profile.new(p) }
+      self.statistics = Inspec::RunData::Statistics.new(raw_run_data[:statistics])
+      self.platform   = Inspec::RunData::Platform.new(raw_run_data[:platform])
+      self.version    = raw_run_data[:version]
+    end
+  end
+
+  class RunData
+
+    # This is the data layout version of RunData.
+    # We plan to follow a data-oriented version of semver:
+    #  patch: fixing a bug in the provenance or description of a data element, no key changes
+    #  minor: adding new data elements
+    #  major: deleting or renaming data elements
+    # Less than major version 1.0.0, the API is considered unstable.
+    # The current plan is to bump the major version to 1.0.0 when all of the existing
+    # core reporters have been migrated to plugins. It is probable that new data elements
+    # and new Hash compatibility behavior will be added during the core reporter plugin
+    # conversion process.
+    SCHEMA_VERSION = "0.1.0".freeze
+
+    def self.compatible_schema?(constraints)
+      reqs = Gem::Requirement.create(constraints)
+      reqs.satisfied_by?(Gem::Version.new(SCHEMA_VERSION))
+    end
+
+    Platform = Struct.new(
+      :name, :release, :target
+    ) do
+      include HashLikeStruct
+      def initialize(raw_plat_data)
+        %i{name release target}.each { |f| self[f] = raw_plat_data[f] || "" }
+      end
+    end
+  end
+end
+
+require_relative "run_data/result"
+require_relative "run_data/control"
+require_relative "run_data/profile"
+require_relative "run_data/statistics"

data/lib/inspec/run_data/control.rb

@@ -0,0 +1,83 @@
+module Inspec
+  class RunData
+    Control = Struct.new(
+      :code,            # String
+      :desc,            # String
+      :descriptions,    # Hash with custom keys
+      :id,              # String
+      :impact,          # Float
+      :refs,            # Complex local
+      :results,         # complex standalone
+      :source_location, # Complex local
+      :tags,            # Hash with custom keys
+      :title,           # String
+      :waiver_data      # Complex local
+    ) do
+      include HashLikeStruct
+      def initialize(raw_ctl_data)
+        self.refs = (raw_ctl_data[:refs] || []).map { |r| Inspec::RunData::Control::Ref.new(r) }
+        self.results = (raw_ctl_data[:results] || []).map { |r| Inspec::RunData::Result.new(r) }
+        self.source_location = Inspec::RunData::Control::SourceLocation.new(raw_ctl_data[:source_location] || {})
+        self.waiver_data = Inspec::RunData::Control::WaiverData.new(raw_ctl_data[:waiver_data] || {})
+
+        [
+          :code,            # String
+          :desc,            # String
+          :descriptions,    # Hash with custom keys
+          :id,              # String
+          :impact,          # Float
+          :tags,            # Hash with custom keys
+          :title,           # String
+        ].each do |field|
+          self[field] = raw_ctl_data[field]
+        end
+      end
+    end
+
+    class Control
+      Ref = Struct.new(
+        :url, :ref
+      ) do
+        include HashLikeStruct
+        def initialize(raw_ref_data)
+          %i{url ref}.each { |f| self[f] = raw_ref_data[f] }
+        end
+      end
+
+      SourceLocation = Struct.new(
+        :line, :ref
+      ) do
+        include HashLikeStruct
+        def initialize(raw_sl_data)
+          %i{line ref}.each { |f| self[f] = raw_sl_data[f] }
+        end
+      end
+
+      # {
+      #   "expiration_date"=>#<Date: 2077-06-01 ((2479821j,0s,0n),+0s,2299161j)>,
+      #   "justification"=>"Lack of imagination",
+      #   "run"=>false,
+      #   "skipped_due_to_waiver"=>true,
+      #   "message"=>""}
+      WaiverData = Struct.new(
+        :expiration_date,
+        :justification,
+        :run,
+        :skipped_due_to_waiver,
+        :message
+      ) do
+        include HashLikeStruct
+        def initialize(raw_wv_data)
+          # These have string keys in the raw data!
+          %i{
+            expiration_date
+            justification
+            run
+            skipped_due_to_waiver
+            message
+          }.each { |f| self[f] = raw_wv_data[f.to_s] }
+        end
+      end
+    end
+  end
+end

data/lib/inspec/run_data/profile.rb

@@ -0,0 +1,109 @@
+module Inspec
+  class RunData
+    Profile = Struct.new(
+      :controls,         # complex standalone
+      :copyright,
+      :copyright_email,
+      :depends,          # complex local
+      :groups,           # complex local
+      :inputs,           # complex local
+      :license,
+      :maintainer,
+      :name,
+      :sha256,
+      :status,
+      :summary,
+      :supports,         # complex local
+      :parent_profile,
+      :skip_message,
+      :waiver_data,      # Undocumented but used in JSON reporter - should not be?
+      :title,
+      :version
+    ) do
+      include HashLikeStruct
+      def initialize(raw_prof_data)
+        self.controls = (raw_prof_data[:controls] || []).map { |c| Inspec::RunData::Control.new(c) }
+        self.depends  = (raw_prof_data[:depends]  || []).map { |d| Inspec::RunData::Profile::Dependency.new(d) }
+        self.groups   = (raw_prof_data[:groups]   || []).map { |g| Inspec::RunData::Profile::Group.new(g) }
+        self.inputs   = (raw_prof_data[:inputs]   || []).map { |i| Inspec::RunData::Profile::Input.new(i) }
+        self.supports = (raw_prof_data[:supports] || []).map { |s| Inspec::RunData::Profile::Support.new(s) }
+
+        %i{
+          copyright
+          copyright_email
+          license
+          maintainer
+          name
+          sha256
+          status
+          summary
+          title
+          version
+          parent_profile
+          skip_message
+          waiver_data
+        }.each do |field|
+          self[field] = raw_prof_data[field]
+        end
+      end
+    end
+
+    class Profile
+      # Good candidate for keyword_init, but that is not in 2.4
+      Dependency = Struct.new(
+        :name, :path, :status, :skip_message, :git, :url, :compliance, :supermarket, :branch, :tag, :commit, :version, :relative_path
+      ) do
+        include HashLikeStruct
+        def initialize(raw_dep_data)
+          %i{name path status skip_message git url supermarket compliance branch tag commit version relative_path}.each { |f| self[f] = raw_dep_data[f] }
+        end
+      end
+
+      Support = Struct.new(
+        #  snake case
+        :platform_family, :platform_name, :release, :platform
+      ) do
+        include HashLikeStruct
+        def initialize(raw_sup_data)
+          %i{release platform}.each { |f| self[f] = raw_sup_data[f] }
+          self.platform_family = raw_sup_data[:"platform-family"]
+          self.platform_name = raw_sup_data[:"platform-name"]
+        end
+      end
+
+      # Good candidate for keyword_init, but that is not in 2.4
+      Group = Struct.new(
+        :title, :controls, :id
+      ) do
+        include HashLikeStruct
+        def initialize(raw_grp_data)
+          %i{title id}.each { |f| self[f] = raw_grp_data[f] }
+          [:controls].each { |f| self[f] = raw_grp_data[f] || [] }
+        end
+      end
+
+      Input = Struct.new(
+        :name, :options
+      ) do
+        include HashLikeStruct
+        def initialize(raw_input_data)
+          self.name = raw_input_data[:name]
+          self.options = Inspec::RunData::Profile::Input::Options.new(raw_input_data[:options])
+        end
+      end
+      class Input
+        Options = Struct.new(
+          # There are probably others
+          :value,
+          :type,
+          :required
+        ) do
+          include HashLikeStruct
+          def initialize(raw_opts_data)
+            %i{value type required}.each { |f| self[f] = raw_opts_data[f] }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/inspec/run_data/result.rb

@@ -0,0 +1,40 @@
+module Inspec
+  class RunData
+    Result = Struct.new(
+      :message,             # Human-friendly test failure message
+      :code_desc,           # Generated test description
+      :expectation_message, # a substring of code_desc
+      :resource_name,       # We try to determine this
+      :run_time,            # Float seconds execution time
+      :skip_message,        # String
+      :start_time,          # DateTime
+      :status, # String
+      :resource_title, # Ugly internals
+      # :waiver_data,       # Undocumented tramp data / not exposed in this API
+      :resource, # Undocumented, what is this
+      :exception,
+      :backtrace
+    ) do
+      include HashLikeStruct
+      def initialize(raw_res_data)
+        [
+          :status,              # String
+          :code_desc,           # Generated test description
+          :expectation_message, # a substring of code_desc
+          :skip_message,        # String
+          :run_time,
+          :start_time,
+          :resource_title,
+          :resource,
+          :exception,
+          :backtrace,
+          :message,
+        ].each do |field|
+          self[field] = raw_res_data[field]
+        end
+
+        self.resource_name = raw_res_data[:resource_title].instance_variable_get(:@__resource_name__)&.to_s
+      end
+    end
+  end
+end