inspec-core 4.18.51 → 4.18.85

data/lib/inspec/dependencies/requirement.rb

@@ -46,7 +46,7 @@ module Inspec
       req
     end
 
-    attr_reader :cwd, :opts, :version_constraints
+    attr_reader :cwd, :opts, :version_constraints, :cache
     def initialize(name, version_constraints, config, opts)
       @name = name
       @version_constraints = Array(version_constraints)

data/lib/inspec/dependencies/resolver.rb

@@ -57,6 +57,16 @@ module Inspec
 
       detect_duplicates(deps, top_level, path_string)
       deps.each do |dep|
+        # Calling dep.resolved_source forces a fetch. Handle any airgap chicanery early.
+        if Inspec::Config.cached[:airgap]
+          begin
+            dep.resolved_source
+          rescue Inspec::FetcherFailure
+            Inspec::Log.debug("Failed to fetch #{dep.name}, falling back to archives if possible")
+            retry if fallback_to_archive_on_fetch_failure(dep)
+          end
+        end
+
         new_seen_items = seen_items.dup
         new_path_string = if path_string.empty?
                             dep.name
@@ -82,5 +92,41 @@ module Inspec
       Inspec::Log.debug("Dependency traversal complete.") if top_level
       graph
     end
+
+    def fallback_to_archive_on_fetch_failure(dep)
+      # This facility is intended to handle situations in which
+      # the failing dependency *is* available in an archive that we have
+      # available as a local dependency. We just need to find the archive and
+      # alter the fetcher to refer to information in the archive.
+      # Note that the vendor cache already should have the archive inflated
+      # for this to work (see warm_cache_from_archives() from profile_vendor.rb)
+      # Refs 4727
+
+      # This is where any existing archives should have been inflated -
+      # that is, this is the vendor cache. Each archive would have a lockfile.
+      cache_path = dep.cache.path
+      worth_retrying = false
+
+      Dir["#{cache_path}/*/inspec.lock"].each do |lockfile_path|
+        lockfile = Inspec::Lockfile.from_file(lockfile_path)
+        dep_set = Inspec::DependencySet.from_lockfile(lockfile, dep.opts)
+        dep2 = dep_set.dep_list[dep.name]
+        next unless dep2
+
+        if dep.opts.key?(:compliance)
+          # This is ugly. The compliance fetcher works differently than the others,
+          # and fails at the resolve stage, not the fetch stage. That means we can't
+          # tweak the fetcher, we have to tweak the deps opts themselves.
+          dep.opts[:sha256] = dep2.opts[:sha256]
+          worth_retrying = true
+        else
+          # All other fetchers can be generalized, because they will survive their constructor.
+          fetcher = dep.fetcher.fetcher # Not the CachedFetcher, but its fetcher
+          made_a_change = fetcher.update_from_opts(dep2.opts)
+        end
+        worth_retrying ||= made_a_change
+      end
+      worth_retrying
+    end
   end
 end

data/lib/inspec/dsl_shared.rb

@@ -8,6 +8,26 @@ module Inspec
       # It is used whenever the `require 'lib'` is not in libraries.
       alias __ruby_require require
 
+      ##
+      # This is our own require override, to be used in
+      # LibraryEvalContext and ControlEvalContext.
+      #
+      # Any top level libraries file (autoloaded) that requires a
+      # second-level libraries file.
+      #
+      # in load_libraries
+      #   in top level libraries file to be autoloaded
+      #     that has a require to a known file that is NOT loaded yet
+      #
+      # ProfileContext#initialize
+      #   -> library_eval_context
+      #
+      # ProfileContext#load_libraries autoload
+      #   -> load_library_file(@library_eval_context)
+      #
+      # probably most of this comment is useless, but it was hard to
+      # discover so I'm adding it for others.
+
       def require(path)
         rbpath = path + ".rb"
         return __ruby_require(path) unless @require_loader.exists?(rbpath)
@@ -23,9 +43,11 @@ module Inspec
         # context that provides the correct plane to evaluate all required files to.
         # It will ensure that embedded calls to `require` still call this
         # method and get loaded from their correct paths.
-        return __inspec_binding.eval(content, path, line) if defined?(__inspec_binding)
-
-        eval(content, TOPLEVEL_BINDING, path, line) # rubocop:disable Security/Eval
+        if defined?(__inspec_binding)
+          __inspec_binding.eval(content, path, line)
+        else
+          eval(content, TOPLEVEL_BINDING, path, line) # rubocop:disable Security/Eval
+        end
       end
     end
   end

data/lib/inspec/fetcher.rb

@@ -43,6 +43,3 @@ end
 require "inspec/fetcher/local"
 require "inspec/fetcher/url"
 require "inspec/fetcher/git"
-
-# TODO: Remove in 4.0 when Compliance fetcher plugin is created
-require "plugins/inspec-compliance/lib/inspec-compliance/api"

data/lib/inspec/fetcher/git.rb

@@ -112,6 +112,10 @@ module Inspec::Fetcher
       source
     end
 
+    def update_from_opts(opts)
+      %i{branch tag ref}.map { |opt_name| update_ivar_from_opt(opt_name, opts) }.any?
+    end
+
     private
 
     def resolved_ref

data/lib/inspec/fetcher/url.rb

@@ -127,8 +127,7 @@ module Inspec::Fetcher
     end
 
     def sha256
-      file = @archive_path || temp_archive_path
-      OpenSSL::Digest::SHA256.digest(File.read(file)).unpack("H*")[0]
+      @archive_shasum ||= OpenSSL::Digest::SHA256.digest(File.read(@archive_path || temp_archive_path)).unpack("H*")[0]
     end
 
     def file_type_from_remote(remote)

data/lib/inspec/file_provider.rb

@@ -66,7 +66,7 @@ module Inspec
   end
 
   class DirProvider < FileProvider
-    attr_reader :files
+    attr_reader :files, :path
     def initialize(path)
       @files = if File.file?(path)
                  [path]
@@ -209,8 +209,10 @@ module Inspec
     def walk_tar(path, &callback)
       tar_file = Zlib::GzipReader.open(path)
       Gem::Package::TarReader.new(tar_file, &callback)
+    rescue => e
+      raise Inspec::Error, "Error opening/processing #{path}: #{e.message}"
     ensure
-      tar_file.close
+      tar_file.close if tar_file
     end
   end # class TarProvider
 

data/lib/inspec/library_eval_context.rb

@@ -1,4 +1,4 @@
-require "inspec/plugin/v1/plugin_types/resource"
+require "inspec/resource"
 require "inspec/dsl_shared"
 
 module Inspec
@@ -12,44 +12,44 @@ module Inspec
   # registry used by all dsl methods bound to the resource registry
   # passed into the #create constructor.
   #
-  #
   class LibraryEvalContext
+    # rubocop:disable Naming/ConstantName
+    Inspec = :nope! # see #initialize below
+    # rubocop:enable Naming/ConstantName
+
+    ##
+    # Include a custom `require` method that gets used when this
+    # context is used to eval source. See lib/inspec/dsl_shared.rb for
+    # more details.
+    include ::Inspec::DSL::RequireOverride
+
     def self.create(registry, require_loader)
-      c = Class.new do
-        extend Inspec::ResourceDSL
-        include Inspec::ResourceBehaviors
-        define_singleton_method :__resource_registry do
-          registry
-        end
-      end
-
-      c2 = Class.new do
-        define_singleton_method :resource do |version|
-          Inspec.validate_resource_dsl_version!(version)
-          c
-        end
-      end
-
-      c3 = Class.new do
-        include Inspec::DSL::RequireOverride
-        def initialize(require_loader)
-          @require_loader = require_loader
-          @inspec_binding = nil
-        end
-
-        def __inspec_binding
-          @inspec_binding
-        end
-      end
-
-      c3.const_set(:Inspec, c2)
-      res = c3.new(require_loader)
-
-      # Provide the local binding for this context which is necessary for
-      # calls to `require` to create all dependent objects in the correct
-      # context.
-      res.instance_variable_set("@inspec_binding", res.instance_eval("binding"))
-      res
+      Class.new(LibraryEvalContext).new(registry, require_loader)
+    end
+
+    # Provide the local binding for this context which is
+    # necessary for calls to `require` to create all dependent
+    # objects in the correct context.
+    attr_accessor :__inspec_binding
+
+    def initialize(registry, require_loader)
+      @require_loader = require_loader
+      # rubocop:disable Style/RedundantSelf
+      self.__inspec_binding = self.instance_eval { binding }
+      # rubocop:enable Style/RedundantSelf
+
+      @res_klass = Class.new ::Inspec::Resource
+      @res_klass.__resource_registry = registry
+
+      # NOTE: this *must* be a subclass of LibraryEvalContext to work
+      self.class.const_set :Inspec, self # BYPASS! See resource below
+    end
+
+    # Fake for Inspec.resource in lib/inspec/resource.rb that provides
+    # our own Resource subclass that has its own private __resource_registry
+    def resource(version)
+      ::Inspec.validate_resource_dsl_version!(version)
+      @res_klass
     end
   end
 end

data/lib/inspec/plugin/v1/plugin_types/fetcher.rb

@@ -65,6 +65,33 @@ module Inspec
         raise "Fetcher #{self} does not implement `cache_key()`. This is required for terminal fetchers."
       end
 
+      #
+      # This optional method may be used after a failed fetch. If the fetcher
+      # can be updated with information that might lead to a successful
+      # retrieval of alternative content, this method may be called.
+      #
+      #  Default implementation makes a peculiar assumption that the class has
+      # a ivar named @archive_shasum and you have a fetcher opt that pairs with
+      # it named sha256, and those are the only two that matter for updating.
+      #
+      # Return TrueClass if the fetcher was updated and a retry is in order
+      # Return FalseClass if the update contained no useful information
+      # and a retry should not be attempted
+      def update_from_opts(opts)
+        changed = @archive_shasum != opts[:sha256]
+        @archive_shasum = opts[:sha256]
+        changed
+      end
+
+      # Helper for above; usful when the subclass ivars whose
+      # names exactly match the names of the fetcher options.
+      def update_ivar_from_opt(opt_name, opts)
+        ivar_sym = "@#{opt_name}".to_sym
+        changed = instance_variable_get(ivar_sym) != opts[opt_name]
+        instance_variable_set(ivar_sym, opts[opt_name])
+        changed
+      end
+
       #
       # relative_target is provided to keep compatibility with 3rd
       # party plugins.

data/lib/inspec/plugin/v1/plugins.rb

@@ -5,7 +5,6 @@ module Inspec
   # NOTE: the autoloading here is rendered moot by the fact that
   # all core plugins are `require`'d by the base inspec.rb
   module Plugins
-    autoload :Resource, "inspec/plugin/v1/plugin_types/resource"
     autoload :CLI, "inspec/plugin/v1/plugin_types/cli"
     autoload :Fetcher, "inspec/plugin/v1/plugin_types/fetcher"
     autoload :SourceReader, "inspec/plugin/v1/plugin_types/source_reader"

data/lib/inspec/profile.rb

@@ -250,6 +250,7 @@ module Inspec
         # this metadata if the parent profile is supported.
         if supports_platform? && !d.supports_platform?
           # since ruby 1.9 hashes are ordered so we can just use index values here
+          # TODO: NO! this is a violation of encapsulation to an extreme
           metadata.dependencies[i][:status] = "skipped"
           msg = "Skipping profile: '#{d.name}' on unsupported platform: '#{d.backend.platform.name}/#{d.backend.platform.release}'."
           metadata.dependencies[i][:skip_message] = msg
@@ -259,13 +260,14 @@ module Inspec
           # load them again when we dive down. This needs to be re-done.
           metadata.dependencies[i][:status] = "loaded"
         end
-        c = d.load_libraries
+
+        # rubocop:disable Layout/ExtraSpacing
+        c = d.load_libraries                           # !!!RECURSE!!!
         @runner_context.add_resources(c)
       end
 
-      libs = libraries.map do |path, content|
-        [content, path]
-      end
+      # TODO: why?!? we own both sides of this code
+      libs = libraries.map(&:reverse)
 
       @runner_context.load_libraries(libs)
       @libraries_loaded = true
@@ -312,11 +314,11 @@ module Inspec
       end
 
       # add information about the required inputs
-      if res[:inputs].nil? || res[:inputs].empty?
+      if params[:inputs].nil? || params[:inputs].empty?
         # convert to array for backwards compatability
         res[:inputs] = []
       else
-        res[:inputs] = res[:inputs].values.map(&:to_hash)
+        res[:inputs] = params[:inputs].values.map(&:to_hash)
       end
       res[:sha256] = sha256
       res[:parent_profile] = parent_profile unless parent_profile.nil?

data/lib/inspec/profile_context.rb

@@ -13,6 +13,7 @@ module Inspec
       new(profile.name, backend, { "profile" => profile, "check_mode" => profile.check_mode })
     end
 
+    attr_reader :library_eval_context
     attr_reader :backend, :profile_name, :profile_id, :resource_registry
     attr_accessor :rules
     def initialize(profile_id, backend, conf)
@@ -52,14 +53,18 @@ module Inspec
     end
 
     def to_resources_dsl
-      Inspec::Resource.create_dsl(self)
+      DomainSpecificLunacy.create_dsl(self)
     end
 
     def control_eval_context
-      @control_eval_context ||= begin
-                                  ctx = Inspec::ControlEvalContext.create(self, to_resources_dsl)
-                                  ctx.new(@backend, @conf, dependencies, @require_loader, @skip_only_if_eval)
-                                end
+      @control_eval_context ||=
+        Inspec::ControlEvalContext.new(self,
+                                       to_resources_dsl,
+                                       @backend,
+                                       @conf,
+                                       dependencies,
+                                       @require_loader,
+                                       @skip_only_if_eval)
     end
 
     def reload_dsl
@@ -121,10 +126,14 @@ module Inspec
 
       libs.sort_by! { |l| l[1] } # Sort on source path so load order is deterministic
       libs.each do |content, source, line|
+        next unless source.end_with?(".rb")
+
         path = source
         if source.start_with?(lib_prefix)
           path = source.sub(lib_prefix, "")
-          autoloads.push(path) if File.dirname(path) == "."
+          no_subdir = File.dirname(path) == "."
+
+          autoloads.push(path) if no_subdir
         end
 
         @require_loader.add(path, content, source, line)
@@ -132,10 +141,10 @@ module Inspec
 
       # load all files directly that are flat inside the libraries folder
       autoloads.each do |path|
-        next unless path.end_with?(".rb")
-
-        load_library_file(*@require_loader.load(path)) unless @require_loader.loaded?(path)
+        load_library_file(*@require_loader.load(path)) unless
+          @require_loader.loaded?(path)
       end
+
       reload_dsl
     end
 
@@ -199,5 +208,61 @@ module Inspec
 
       pid.to_s + "/" + rid.to_s
     end
+
+    module DomainSpecificLunacy
+      def self.create_dsl(profile_context)
+        Module.new do
+          include DomainSpecificLunacy
+          add_methods(profile_context)
+        end
+      end
+
+      def self.included(mod)
+        mod.extend ClassMethods
+      end
+
+      def resource_class(profile_name, resource_name)
+        inner_context = if profile_name == profile_context.profile_id
+                          profile_context
+                        else
+                          profile_context.subcontext_by_name(profile_name)
+                        end
+
+        raise ProfileNotFound, "Cannot find profile named: #{profile_name}" if inner_context.nil?
+
+        inner_context.resource_registry[resource_name]
+      end
+
+      module ClassMethods
+        def add_methods(profile_context)
+          backend = profile_context.backend
+
+          define_method(:profile_context) { profile_context }
+          define_method(:inspec) { backend }
+
+          add_registry_methods(profile_context)
+        end
+
+        def add_registry_methods(profile_context)
+          be = profile_context.backend
+          bec = be.class
+
+          registry = profile_context.resource_registry
+          registry.each do |id, r|
+            define_method(id) { |*args| r.new(be, id.to_s, *args) }
+
+            next if be.respond_to?(id)
+
+            bec.define_method(id) { |*args| r.new(be, id.to_s, *args) }
+          end
+        end # add_resource_methods
+      end # ClassMethods
+    end # DomainSpecificLunacy
+  end # ProfileContext
+end
+
+if RUBY_VERSION < "2.5"
+  class Module
+    public :define_method
   end
 end