inspec-core 4.21.1 → 4.22.22

data/lib/inspec/resources/postgres.rb

@@ -19,7 +19,7 @@ module Inspec::Resources
         @conf_path = File.join @conf_dir, "postgresql.conf"
       else
         @conf_path = nil
-        return skip_resource "Seems like PostgreSQL is not installed on your system"
+        skip_resource "Seems like PostgreSQL is not installed on your system"
       end
     end
 

data/lib/inspec/resources/postgres_session.rb

@@ -47,7 +47,7 @@ module Inspec::Resources
 
     def query(query, db = [])
       psql_cmd = create_psql_cmd(query, db)
-      cmd = inspec.command(psql_cmd)
+      cmd = inspec.command(psql_cmd, redact_regex: /(PGPASSWORD=').+(' psql .*)/)
       out = cmd.stdout + "\n" + cmd.stderr
       if cmd.exit_status != 0 || out =~ /could not connect to .*/ || out.downcase =~ /^error:.*/
         Lines.new(out, "PostgreSQL query with errors: #{query}")

data/lib/inspec/resources/service.rb

@@ -141,7 +141,7 @@ module Inspec::Resources
         elsif version > 0
           SysV.new(inspec, service_ctl || "/usr/sbin/service")
         end
-      when "redhat", "fedora", "centos", "oracle", "cloudlinux"
+      when "redhat", "fedora", "centos", "oracle", "cloudlinux", "scientific"
         version = os[:release].to_i
 
         systemd = ((platform != "fedora" && version >= 7) ||
@@ -154,7 +154,7 @@ module Inspec::Resources
         end
       when "wrlinux"
         SysV.new(inspec, service_ctl)
-      when "mac_os_x"
+      when "mac_os_x", "darwin"
         LaunchCtl.new(inspec, service_ctl)
       when "freebsd"
         BSDInit.new(inspec, service_ctl)

data/lib/inspec/resources/users.rb

@@ -20,7 +20,7 @@ module Inspec::Resources
         WindowsUser.new(inspec)
       elsif ["darwin"].include?(os[:family])
         DarwinUser.new(inspec)
-      elsif ["freebsd"].include?(os[:family])
+      elsif ["bsd"].include?(os[:family])
         FreeBSDUser.new(inspec)
       elsif ["aix"].include?(os[:family])
         AixUser.new(inspec)

data/lib/inspec/resources/windows_firewall.rb

@@ -0,0 +1,110 @@
+module Inspec::Resources
+  class WindowsFirewall < Inspec.resource(1)
+    name "windows_firewall"
+    supports platform: "windows"
+    desc "Check properties of the Windows Firewall for a specific profile."
+    example <<~EXAMPLE
+      describe windows_firewall("Public") do
+        it { should be_enabled }
+        its("default_inbound_action") { should_not cmp "NotConfigured" }
+        its("num_rules") { should be 19 }
+      end
+    EXAMPLE
+
+    def initialize(profile = "Public")
+      @profile = profile
+      @state = {}
+
+      load_profile_cmd = load_firewall_profile(profile)
+      cmd = inspec.powershell(load_profile_cmd)
+
+      @state = JSON.load(cmd.stdout) unless cmd.stdout.empty?
+    end
+
+    def to_s
+      "Windows Firewall (Profile #{@profile})"
+    end
+
+    def exist?
+      !@state.empty?
+    end
+
+    def enabled?
+      @state["enabled"]
+    end
+
+    def default_inbound_allowed?
+      @state["default_inbound_action"] == "Allow"
+    end
+
+    def default_outbound_allowed?
+      @state["default_outbound_action"] == "Allow"
+    end
+
+    # Access to return values from Powershell via `its("PROPERTY")` and `have_PROPERTY "VALUE"`
+    def method_missing(method_name, *arguments, &_block)
+      property = normalize_for_have_access(method_name)
+
+      if method_name.to_s.start_with? "has_"
+        expected_value = arguments.first
+        respond_to_have(property, expected_value)
+      else
+        access_property(property)
+      end
+    end
+
+    def respond_to_missing?(method_name, _include_private = false)
+      property = normalize_for_have_access(method_name)
+
+      @state.key? property
+    end
+
+    private
+
+    def normalize_for_have_access(property)
+      property.to_s
+        .delete_prefix("has_")
+        .delete_suffix("?")
+    end
+
+    def access_property(property)
+      @state[property]
+    end
+
+    def respond_to_have(property, value)
+      @state[property] == value
+    end
+
+    def load_firewall_profile(profile_name)
+      <<-EOH
+        Remove-TypeData System.Array # workaround for PS bug here: https://bit.ly/2SRMQ8M
+        $profile = Get-NetFirewallProfile -Name "#{profile_name}"
+        $count = @($profile | Get-NetFirewallRule).Count
+        ([PSCustomObject]@{
+          profile_name = $profile.Name
+          profile = $profile.Profile.ToString()
+          description = $profile.Description
+          enabled = [bool]::Parse($profile.Enabled.ToString())
+          default_inbound_action = $profile.DefaultInboundAction.ToString()
+          default_outbound_action = $profile.DefaultOutboundAction.ToString()
+
+          allow_inbound_rules = $profile.AllowInboundRules.ToString()
+          allow_local_firewall_rules = $profile.AllowLocalFirewallRules.ToString()
+          allow_local_ipsec_rules = $profile.AllowLocalIPsecRules.ToString()
+          allow_user_apps = $profile.AllowUserApps.ToString()
+          allow_user_ports = $profile.AllowUserPorts.ToString()
+          allow_unicast_response_to_multicast = $profile.AllowUnicastResponseToMulticast.ToString()
+
+          notify_on_listen = $profile.NotifyOnListen.ToString()
+          enable_stealth_mode_for_ipsec = $profile.EnableStealthModeForIPsec.ToString()
+          log_max_size_kilobytes = $profile.LogMaxSizeKilobytes
+          log_allowed = $profile.LogAllowed.ToString()
+          log_blocked = $profile.LogBlocked.ToString()
+          log_ignored = $profile.LogIgnored.ToString()
+
+          num_rules = $count
+        }) | ConvertTo-Json
+      EOH
+    end
+  end
+end

data/lib/inspec/resources/windows_firewall_rule.rb

@@ -0,0 +1,137 @@
+module Inspec::Resources
+  class WindowsFirewallRule < Inspec.resource(1)
+    name "windows_firewall_rule"
+    supports platform: "windows"
+    desc "Check properties of a Windows Firewall rule."
+    example <<~EXAMPLE
+      describe windows_firewall_rule("Name") do
+        it { should exist }
+        it { should be_enabled }
+
+        it { should be_outbound}
+        it { should be_tcp }
+        it { should have_remote_port 80 }
+      end
+    EXAMPLE
+
+    def initialize(name)
+      @name = name
+      @state = {}
+
+      query = load_firewall_state(name)
+      cmd = inspec.powershell(query)
+      @state = JSON.load(cmd.stdout) unless cmd.stdout.empty?
+    end
+
+    def to_s
+      "Windows Firewall Rule #{@name}"
+    end
+
+    def exist?
+      !@state.empty?
+    end
+
+    def enabled?
+      @state["enabled"]
+    end
+
+    def allowed?
+      @state["action"] == "Allow"
+    end
+
+    def inbound?
+      @state["direction"] == "Inbound"
+    end
+
+    def outbound?
+      ! inbound?
+    end
+
+    def tcp?
+      @state["protocol"] == "TCP"
+    end
+
+    def udp?
+      @state["protocol"] == "UDP"
+    end
+
+    def icmp?
+      @state["protocol"].start_with? "ICMP"
+    end
+
+    def icmpv4?
+      @state["protocol"] == "ICMPv4"
+    end
+
+    def icmpv6?
+      @state["protocol"] == "ICMPv6"
+    end
+
+    # Access to return values from Powershell via `its("PROPERTY")` and `have_PROPERTY? "VALUE"`
+    def method_missing(method_name, *arguments, &_block)
+      property = normalize_for_have_access(method_name)
+
+      if method_name.to_s.start_with? "has_"
+        expected_value = arguments.first
+        respond_to_have(property, expected_value)
+      else
+        access_property(property)
+      end
+    end
+
+    def respond_to_missing?(method_name, _include_private = false)
+      property = normalize_for_have_access(method_name)
+
+      @state.key? property
+    end
+
+    private
+
+    def normalize_for_have_access(property)
+      property.to_s
+        .delete_prefix("has_")
+        .delete_suffix("?")
+    end
+
+    def access_property(property)
+      @state[property]
+    end
+
+    def respond_to_have(property, value)
+      @state[property] == value
+    end
+
+    # Taken from Chef, but changed `firewall_action` to `action` for consistency
+    # @see https://github.com/chef/chef/blob/master/lib/chef/resource/windows_firewall_rule.rb
+    def load_firewall_state(rule_name)
+      <<-EOH
+        Remove-TypeData System.Array # workaround for PS bug here: https://bit.ly/2SRMQ8M
+        $rule = Get-NetFirewallRule -Name "#{rule_name}"
+        $addressFilter = $rule | Get-NetFirewallAddressFilter
+        $portFilter = $rule | Get-NetFirewallPortFilter
+        $applicationFilter = $rule | Get-NetFirewallApplicationFilter
+        $serviceFilter = $rule | Get-NetFirewallServiceFilter
+        $interfaceTypeFilter = $rule | Get-NetFirewallInterfaceTypeFilter
+        ([PSCustomObject]@{
+          rule_name = $rule.Name
+          description = $rule.Description
+          displayname = $rule.DisplayName
+          group = $rule.Group
+          local_address = $addressFilter.LocalAddress
+          local_port = $portFilter.LocalPort
+          remote_address = $addressFilter.RemoteAddress
+          remote_port = $portFilter.RemotePort
+          direction = $rule.Direction.ToString()
+          protocol = $portFilter.Protocol
+          icmp_type = $portFilter.IcmpType
+          action = $rule.Action.ToString()
+          profile = $rule.Profile.ToString()
+          program = $applicationFilter.Program
+          service = $serviceFilter.Service
+          interface_type = $interfaceTypeFilter.InterfaceType.ToString()
+          enabled = [bool]::Parse($rule.Enabled.ToString())
+        }) | ConvertTo-Json
+      EOH
+    end
+  end
+end

data/lib/inspec/run_data.rb

@@ -47,7 +47,7 @@ module Inspec
     # core reporters have been migrated to plugins. It is probable that new data elements
     # and new Hash compatibility behavior will be added during the core reporter plugin
     # conversion process.
-    SCHEMA_VERSION = "0.1.0".freeze
+    SCHEMA_VERSION = "0.2.0".freeze
 
     def self.compatible_schema?(constraints)
       reqs = Gem::Requirement.create(constraints)

data/lib/inspec/run_data/profile.rb

@@ -15,7 +15,7 @@ module Inspec
       :summary,
       :supports,         # complex local
       :parent_profile,
-      :skip_message,
+      :status_message,
       :waiver_data,      # Undocumented but used in JSON reporter - should not be?
       :title,
       :version
@@ -40,7 +40,7 @@ module Inspec
           title
           version
           parent_profile
-          skip_message
+          status_message
           waiver_data
         }.each do |field|
           self[field] = raw_prof_data[field]
@@ -51,11 +51,11 @@ module Inspec
     class Profile
       # Good candidate for keyword_init, but that is not in 2.4
       Dependency = Struct.new(
-        :name, :path, :status, :skip_message, :git, :url, :compliance, :supermarket, :branch, :tag, :commit, :version, :relative_path
+        :name, :path, :status, :status_message, :git, :url, :compliance, :supermarket, :branch, :tag, :commit, :version, :relative_path
       ) do
         include HashLikeStruct
         def initialize(raw_dep_data)
-          %i{name path status skip_message git url supermarket compliance branch tag commit version relative_path}.each { |f| self[f] = raw_dep_data[f] }
+          %i{name path status status_message git url supermarket compliance branch tag commit version relative_path}.each { |f| self[f] = raw_dep_data[f] }
         end
       end
 

data/lib/inspec/runner.rb

@@ -115,8 +115,14 @@ module Inspec
           @test_collector.add_profile(requirement.profile)
         end
 
-        tests = profile.collect_tests
-        all_controls += tests unless tests.nil?
+        begin
+          tests = profile.collect_tests
+          all_controls += tests unless tests.nil?
+        rescue Inspec::Exceptions::ProfileLoadFailed => e
+          Inspec::Log.error "Failed to load profile #{profile.name}: #{e}"
+          profile.set_status_message e.to_s
+          next
+        end
       end
 
       all_controls.each do |rule|

data/lib/inspec/runner_rspec.rb

@@ -90,9 +90,12 @@ module Inspec
       return @rspec_exit_code if @formatter.results.empty?
 
       stats = @formatter.results[:statistics][:controls]
+      load_failures = @formatter.results[:profiles]&.select { |p| p[:status] == "failed" }&.any?
       skipped = @formatter.results.dig(:profiles, 0, :status) == "skipped"
-      if stats[:failed][:total] == 0 && stats[:skipped][:total] == 0 && !skipped
+      if stats[:failed][:total] == 0 && stats[:skipped][:total] == 0 && !skipped && !load_failures
         0
+      elsif load_failures
+        @conf["distinct_exit"] ? 102 : 1
       elsif stats[:failed][:total] > 0
         @conf["distinct_exit"] ? 100 : 1
       elsif stats[:skipped][:total] > 0 || skipped

data/lib/inspec/schema.rb

@@ -147,6 +147,8 @@ module Inspec
         "license" => { "type" => "string", "optional" => true },
         "summary" => { "type" => "string", "optional" => true },
         "status" => { "type" => "string", "optional" => false },
+        "status_message" => { "type" => "string", "optional" => true },
+        # skip_message is deprecated, status_message should be used to store the reason for skipping
         "skip_message" => { "type" => "string", "optional" => true },
 
         "supports" => {

data/lib/inspec/schema/exec_json.rb

@@ -83,7 +83,7 @@ module Inspec
         "required" => %w{name sha256 supports attributes groups controls},
         # Name is mandatory in inspec.yml.
         # supports, controls, groups, and attributes are always present, even if empty
-        # sha256, status, skip_message
+        # sha256, status, status_message
         "properties" => {
           # These are provided in inspec.yml
           "name" => Primitives::STRING,
@@ -100,10 +100,11 @@ module Inspec
           "description" => Primitives::STRING,
           "inspec_version" => Primitives::STRING,
 
-          # These are generated at runtime, and all except skip_message are guaranteed
+          # These are generated at runtime, and all except status_message and skip_message are guaranteed
           "sha256" => Primitives::STRING,
           "status" => Primitives::STRING,
-          "skip_message" => Primitives::STRING, # If skipped, why
+          "status_message" => Primitives::STRING, # If skipped or failed to load, why
+          "skip_message" => Primitives::STRING,   # Deprecated field storing reason for skipping. status_message should be used instead.
           "controls" => Primitives.array(CONTROL.ref),
           "groups" => Primitives.array(Primitives::CONTROL_GROUP.ref),
           "attributes" => Primitives.array(Primitives::INPUT),

data/lib/inspec/schema/primitives.rb

@@ -160,7 +160,7 @@ module Inspec
           "url" => URL,
           "branch" => STRING,
           "path" => STRING,
-          "skip_message" => STRING,
+          "status_message" => STRING,
           "status" => STRING,
           "git" => URL,
           "supermarket" => STRING,

data/lib/inspec/utils/parser.rb

@@ -84,7 +84,7 @@ module Inspec
         end
 
         # parse device and type
-        mount_options    = { device: mount[0], type: mount[4] }
+        mount_options = { device: mount[0], type: mount[4] }
 
         if compatibility == false
           # parse options as array

data/lib/inspec/version.rb

@@ -1,3 +1,3 @@
 module Inspec
-  VERSION = "4.21.1".freeze
+  VERSION = "4.22.22".freeze
 end

data/lib/plugins/inspec-compliance/lib/inspec-compliance/api.rb

@@ -22,7 +22,7 @@ module InspecPlugins
       # return all compliance profiles available for the user
       # the user is either specified in the options hash or by default
       # the username of the account is used that is logged in
-      def self.profiles(config, profile_filter = nil) # rubocop:disable PerceivedComplexity, Metrics/CyclomaticComplexity, Metrics/AbcSize, Metrics/MethodLength
+      def self.profiles(config, profile_filter = nil) # rubocop:disable Metrics/PerceivedComplexity, Metrics/CyclomaticComplexity, Metrics/AbcSize, Metrics/MethodLength
         owner = config["owner"] || config["user"]
 
         # Chef Compliance
@@ -81,13 +81,13 @@ module InspecPlugins
           mapped_profiles.select! do |p|
             (!ver || p["version"] == ver) && (!id || p["name"] == id)
           end
-          return msg, mapped_profiles
+          [msg, mapped_profiles]
         when "401"
           msg = "401 Unauthorized. Please check your token."
-          return msg, []
+          [msg, []]
         else
           msg = "An unexpected error occurred (HTTP #{response_code}): #{response.message}"
-          return msg, []
+          [msg, []]
         end
       end