inspec-core 4.18.51 → 4.18.85

data/lib/inspec/profile_vendor.rb

@@ -9,8 +9,8 @@ module Inspec
       @profile_path = Pathname.new(File.expand_path(path))
     end
 
-    def vendor!
-      vendor_dependencies
+    def vendor!(opts)
+      vendor_dependencies!(opts)
     end
 
     # The URL fetcher uses a Tempfile to retrieve the vendored
@@ -51,8 +51,10 @@ module Inspec
       }
     end
 
-    def vendor_dependencies
+    def vendor_dependencies!(opts)
+      # This deletes any existing vendor/ directory
       delete_vendored_data
+      warm_vendor_cache_from_archives if opts[:airgap]
       File.write(lockfile, profile.generate_lockfile.to_yaml)
       extract_archives
     end
@@ -80,5 +82,48 @@ module Inspec
         File.delete(filepath)
       end
     end
+
+    # Check top-level profile metadata for any local archives
+    # if present, go ahead and inflate it into the vendor cache.
+    # This will cause subsequent fetchers to hit on the vendor cache,
+    # avoiding a possibly failing fetch under airgapped conditions.
+    def warm_vendor_cache_from_archives
+      # We need to determine the cwd of the profile, to expand the (likely)
+      # relative path of the dependencies. There is no non-invasive way of doing that.
+      profile_cwd = profile.source_reader.target.parent.path
+
+      # list dependencies in profile
+      profile.metadata.dependencies.each do |dep_info|
+        next unless dep_info.key?(:path) # "Local"-type fetchers are identified by the :path key
+
+        # Locate local dep
+        dep_profile_path = File.expand_path(dep_info[:path], profile_cwd)
+        raise(Inspec::FetcherFailure, "Profile dependency local path '#{dep_profile_path}' does not exist") unless File.exist?(dep_profile_path)
+
+        # Determine if it is an archive
+        file_provider = FileProvider.for_path(dep_profile_path)
+        next unless file_provider.is_a?(ZipProvider) || file_provider.is_a?(TarProvider)
+
+        # Place the local dependency in the vendor cache.
+        # Fetchers are in charge of calculating cache keys.
+        fetcher = Inspec::Fetcher::Local.resolve(dep_profile_path)
+        # Use a shorter name here in hopes of dodging windows filesystems path length restrictions
+        actual_dep_profile_cache_dir = "#{cache_path}/#{fetcher.cache_key}"
+        short_dep_profile_cache_dir = "#{cache_path}/short"
+        file_provider.extract(short_dep_profile_cache_dir)
+
+        # The archive (probably) contained a vendor cache of its own.
+        # Since we are warming the fetcher cache, and fetcher caches are one-level
+        # while archive caches are potentially deep, we must flatten the archive cache,
+        # so that all vendor cache entries are top-level.
+        Dir["#{short_dep_profile_cache_dir}/vendor/*"].each do |sub_dep_cache_dir|
+          FileUtils.mv(sub_dep_cache_dir, cache_path)
+        end
+
+        # And finally correctly name the dependency itself.
+        FileUtils.mv(short_dep_profile_cache_dir, actual_dep_profile_cache_dir)
+
+      end
+    end
   end
 end

data/lib/inspec/resource.rb

@@ -1,11 +1,149 @@
 # copyright: 2015, Vulcano Security GmbH
-require "inspec/plugin/v1"
-require "inspec/utils/deprecation/global_method" # for resources
 
 module Inspec
   class ProfileNotFound < StandardError; end
 
   class Resource
+    def self.name(value = nil)
+      return @name unless value
+
+      @name = value
+
+      __register(value, self)
+    end
+
+    def self.desc(value = nil)
+      return find_class_instance_variable(:@description) unless value
+
+      @description = value
+    end
+
+    def self.example(value = nil)
+      return find_class_instance_variable(:@example) unless value
+
+      @example = value
+    end
+
+    def self.supports(criteria = nil)
+      return if criteria.nil?
+
+      key = @name.to_sym
+
+      # HACK: this is broken!!! this is global where the rest are localized to registry
+      Inspec::Resource.support_registry[key] ||= []
+      Inspec::Resource.support_registry[key].push(criteria)
+    end
+
+    # TODO: this is pretty terrible and is only here to work around
+    # the idea that we've trained resource authors to make initialize
+    # methods w/o calling super.
+
+    def supersuper_initialize(backend, name)
+      @resource_skipped = false
+      @resource_failed = false
+      # TODO remove this (or the support_registry) (again?)
+      @supports = Inspec::Resource.support_registry[name.to_sym]
+      @resource_exception_message = nil
+
+      # attach the backend to this instance
+      @__backend_runner__ = backend
+      @__resource_name__ = name
+
+      check_supported!
+
+      yield
+    rescue Inspec::Exceptions::ResourceSkipped => e
+      skip_resource(e.message)
+    rescue Inspec::Exceptions::ResourceFailed => e
+      fail_resource(e.message)
+    rescue NotImplementedError => e
+      fail_resource(e.message) unless @resource_failed
+    rescue NoMethodError => e
+      skip_resource(e.message) unless @resource_failed
+    end
+
+    def check_supported!
+      backend = @__backend_runner__
+      name = @__resource_name__
+
+      supported = @supports ? check_supports : true # check_supports has side effects!
+      test_backend = defined?(Train::Transports::Mock::Connection) && backend.backend.class == Train::Transports::Mock::Connection
+      # raise unless we are supported or in test
+      unless supported || test_backend
+        msg = "Unsupported resource/backend combination: %s / %s. Exiting." %
+          [name, backend.platform.name]
+        raise ArgumentError, msg
+      end
+    end
+
+    # Support for Resource DSL plugins.
+    # This is called when an unknown method is encountered
+    # within a resource class definition.
+    # Even tho this is defined as an instance method, it gets added to
+    # the class via `extend`, so this is actually a class defintion.
+    def self.method_missing(method_name, *arguments, &block)
+      require "inspec/plugin/v2"
+      # Check to see if there is a resource_dsl plugin activator hook with the method name
+      registry = Inspec::Plugin::V2::Registry.instance
+      hook = registry.find_activators(plugin_type: :resource_dsl, activator_name: method_name).first
+      if hook
+        # OK, load the hook if it hasn't been already.  We'll then know a module,
+        # which we can then inject into the resource
+        hook.activate
+        # Inject the module's methods into the resource as class methods.
+        # implementation_class is the field name, but this is actually a module.
+        extend(hook.implementation_class)
+        # Now that the module is loaded, it defined one or more methods
+        # (presumably the one we were looking for.)
+        # We still haven't called it, so do so now.
+        send(method_name, *arguments, &block)
+      else
+        # If we couldn't find a plugin to match, maybe something up above has it,
+        # or maybe it is just a unknown method error.
+        super
+      end
+    end
+
+    ############################################################
+    # Infrastructure / Bookkeeping
+
+    def self.__register(name, resource_klass)
+      cl = Class.new(resource_klass) do # TODO: remove
+        # As best I can figure out, this anonymous class only exists
+        # because we're trying to avoid having resources with
+        # initialize methods from having to call super, which is,
+        # quite frankly, dumb. Avoidable even with some simple
+        # documentation.
+        def initialize(backend, name, *args)
+          supersuper_initialize(backend, name) do
+            super(*args)
+          end
+        end
+      end
+
+      reg = __resource_registry rescue nil
+      reg = self.__resource_registry = Inspec::Resource.registry unless reg
+
+      # Warn if a resource pack is overwriting a core resource.
+      # Suppress warning if the resource is an AWS resource, see #3822
+
+      if reg.key?(name) && !name.start_with?("aws_")
+        Inspec::Log.warn("Overwriting resource #{name}. To reference a specific version of #{name} use the resource() method")
+      end
+
+      reg[name] = cl
+    end # __register
+
+    def self.__resource_registry
+      # rubocop:disable Style/AndOr
+      find_class_instance_variable(:@__resource_registry) or
+        raise("__resource_registry not set!")
+    end
+
+    def self.__resource_registry=(o)
+      @__resource_registry = o
+    end
+
     def self.default_registry
       @default_registry ||= {}
     end
@@ -16,8 +154,8 @@ module Inspec
     end
 
     # TODO: these are keyed off of symbols
-    def self.supports
-      @supports ||= {}
+    def self.support_registry
+      @support_registry ||= {}
     end
 
     def self.new_registry
@@ -47,48 +185,51 @@ module Inspec
       end
     end
 
-    # Creates the inner DSL which includes all resources for
-    # creating tests. It is always connected to one target,
-    # which is specified via the backend argument.
-    #
-    # @param backend [BackendRunner] exposing the target to resources
-    # @return [ResourcesDSL]
-    def self.create_dsl(profile_context)
-      backend = profile_context.backend
-      my_registry = profile_context.resource_registry
+    def to_s
+      @__resource_name__
+    end
+
+    def self.toggle_inspect
+      has_inspect = instance_method(:inspect).source_location
+      unless has_inspect
+        define_method :inspect do
+          to_s
+        end
+      else
+        undef_method :inspect
+      end
+    end
 
-      Module.new do
-        define_method :resource_class do |profile_name, resource_name|
-          inner_context = if profile_name == profile_context.profile_id
-                            profile_context
-                          else
-                            profile_context.subcontext_by_name(profile_name)
-                          end
+    attr_reader :resource_exception_message
 
-          raise ProfileNotFound, "Cannot find profile named: #{profile_name}" if inner_context.nil?
+    def skip_resource(message)
+      @resource_skipped = true
+      @resource_exception_message = message
+    end
 
-          inner_context.resource_registry[resource_name]
-        end
+    def resource_skipped?
+      @resource_skipped
+    end
 
-        my_registry.each do |id, r|
-          define_method id.to_sym do |*args|
-            r.new(backend, id.to_s, *args)
-          end
+    def fail_resource(message)
+      @resource_failed = true
+      @resource_exception_message = message
+    end
 
-          # confirm backend custom resources have access to other custom resources
-          next if backend.respond_to?(id)
+    def resource_failed?
+      @resource_failed
+    end
 
-          backend.class.send(:define_method, id.to_sym) do |*args|
-            r.new(backend, id.to_s, *args)
-          end
-        end
+    def check_supports
+      require "inspec/resources/platform"
+      status = inspec.platform.supported?(@supports)
+      fail_msg = "Resource `#{@__resource_name__}` is not supported on platform #{inspec.platform.name}/#{inspec.platform.release}."
+      fail_resource(fail_msg) unless status
+      status
+    end
 
-        # attach backend so we have access to all resources and
-        # the train connection object
-        define_method :inspec do
-          backend
-        end
-      end
+    def inspec
+      @__backend_runner__
     end
   end
 
@@ -99,8 +240,7 @@ module Inspec
   # @return [Resource] base class for creating a new resource
   def self.resource(version)
     validate_resource_dsl_version!(version)
-    require "inspec/plugin/v1/plugin_types/resource"
-    Inspec::Plugins::Resource
+    Inspec::Resource
   end
 
   def self.validate_resource_dsl_version!(version)
@@ -108,6 +248,17 @@ module Inspec
   end
 end
 
+class Module
+  # Any use of this is an anti-pattern caused by our use of negligent
+  # design and metaprogramming nonsense. We should work it out... but
+  # there are many hurdles in our way.
+  def find_class_instance_variable(k)
+    (ancestors - Object.ancestors)
+      .find { |cls| cls.instance_variable_defined?(k) }
+      &.instance_variable_get(k)
+  end
+end
+
 # Many resources use FilterTable.
 require "inspec/utils/filter"
 # conflicts with global `gem` method so we need to pre-load this.

data/lib/inspec/resources/aide_conf.rb

@@ -24,7 +24,7 @@ module Inspec::Resources
 
     attr_reader :params
 
-    include CommentParser
+    include Inspec::Utils::CommentParser
     include FileReader
 
     def initialize(aide_conf_path = nil)

data/lib/inspec/resources/apache_conf.rb

@@ -7,9 +7,9 @@ require "inspec/utils/file_reader"
 module Inspec::Resources
   class ApacheConf < Inspec.resource(1)
     name "apache_conf"
-    supports platform: "linux"
-    supports platform: "debian"
-    desc "Use the apache_conf InSpec audit resource to test the configuration settings for Apache. This file is typically located under /etc/apache2 on the Debian and Ubuntu platforms and under /etc/httpd on the Fedora, CentOS, Red Hat Enterprise Linux, and Arch Linux platforms. The configuration settings may vary significantly from platform to platform."
+    supports platform: "unix"
+
+    desc "Use the apache_conf InSpec audit resource to test the configuration settings for Apache. The configuration settings may vary significantly from platform to platform."
     example <<~EXAMPLE
       describe apache_conf do
         its('setting_name') { should eq 'value' }
@@ -26,6 +26,7 @@ module Inspec::Resources
       @files_contents = {}
       @content = nil
       @params = nil
+
       read_content
     end
 
@@ -34,7 +35,6 @@ module Inspec::Resources
     end
 
     def params(*opts)
-      @params || read_content
       res = @params
       opts.each do |opt|
         res = res[opt] unless res.nil?
@@ -43,21 +43,11 @@ module Inspec::Resources
     end
 
     def method_missing(name)
-      # ensure params are loaded
-      @params || read_content
-
-      # extract values
-      @params[name.to_s] unless @params.nil?
+      @params[name.to_s]
     end
 
     def filter_comments(data)
-      content = ""
-      data.each_line do |line|
-        unless line.match(/^\s*#/)
-          content << line
-        end
-      end
-      content
+      data.lines.grep_v(/^\s*#/).join
     end
 
     def read_content
@@ -86,7 +76,7 @@ module Inspec::Resources
         ).params
 
         # Capture any characters between quotes that are not escaped in values
-        params.values.map! do |value|
+        params.values.each do |value|
           value.map! do |sub_value|
             sub_value[/(?<=["|'])(?:\\.|[^"'\\])*(?=["|'])/] || sub_value
           end
@@ -128,15 +118,8 @@ module Inspec::Resources
     end
 
     def conf_dir
-      if inspec.os.debian?
-        File.dirname(conf_path)
-      else
-        # On RHEL-based systems, the configuration is usually in a /conf directory
-        # that contains the primary config file. We assume the "config path" is the
-        # directory that contains the /conf directory, such as /etc/httpd, so that
-        # the conf.d directory can be properly located.
-        Pathname.new(File.dirname(conf_path)).parent.to_s
-      end
+      # apparently apache conf keys are case insensitive
+      @params["ServerRoot"] || @params["serverroot"]
     end
 
     def to_s
@@ -145,12 +128,13 @@ module Inspec::Resources
 
     private
 
+    PATHS = ["/etc/apache2/apache2.conf",
+             "/etc/httpd/conf/httpd.conf"]
+      .map(&:freeze)
+      .freeze
+
     def default_conf_path
-      if inspec.os.debian?
-        "/etc/apache2/apache2.conf"
-      else
-        "/etc/httpd/conf/httpd.conf"
-      end
+      @default ||= PATHS.find { |path| inspec.file(path).exist? }
     end
   end
 end