inspec-core 4.3.2 → 4.6.3

data/lib/{resources → inspec/resources}/etc_hosts_allow_deny.rb

@@ -1,12 +1,10 @@
-# encoding: utf-8
-
-require 'utils/parser'
-require 'utils/file_reader'
+require "inspec/utils/parser"
+require "inspec/utils/file_reader"
 
 module Inspec::Resources
   class EtcHostsAllow < Inspec.resource(1)
-    name 'etc_hosts_allow'
-    supports platform: 'unix'
+    name "etc_hosts_allow"
+    supports platform: "unix"
     desc 'Use the etc_hosts_allow InSpec audit resource to test the connections
           the client will allow. Controlled by the /etc/hosts.allow file.'
     example <<~EXAMPLE
@@ -22,23 +20,23 @@ module Inspec::Resources
     include FileReader
 
     def initialize(hosts_allow_path = nil)
-      @conf_path      = hosts_allow_path || '/etc/hosts.allow'
+      @conf_path      = hosts_allow_path || "/etc/hosts.allow"
       @content        = nil
       @params         = nil
       read_content
     end
 
     filter = FilterTable.create
-    filter.register_column(:daemon,      field: 'daemon')
-          .register_column(:client_list, field: 'client_list')
-          .register_column(:options,     field: 'options')
+    filter.register_column(:daemon,      field: "daemon")
+          .register_column(:client_list, field: "client_list")
+          .register_column(:options,     field: "options")
 
     filter.install_filter_methods_on_resource(self, :params)
 
     private
 
     def read_content
-      @content = ''
+      @content = ""
       @params  = {}
       @content = split_daemons(read_file(@conf_path))
       @params  = parse_conf(@content)
@@ -47,10 +45,10 @@ module Inspec::Resources
     def split_daemons(content)
       split_daemons_list = []
       content.each do |line|
-        data, = parse_comment_line(line, comment_char: '#', standalone_comments: false)
-        next unless data != ''
-        data.split(':')[0].split(',').each do |daemon|
-          split_daemons_list.push("#{daemon} : " + line.split(':', 2)[1])
+        data, = parse_comment_line(line, comment_char: "#", standalone_comments: false)
+        next unless data != ""
+        data.split(":")[0].split(",").each do |daemon|
+          split_daemons_list.push("#{daemon} : " + line.split(":", 2)[1])
         end
       end
       split_daemons_list
@@ -58,8 +56,8 @@ module Inspec::Resources
 
     def parse_conf(content)
       content.map do |line|
-        data, = parse_comment_line(line, comment_char: '#', standalone_comments: false)
-        parse_line(data) unless data == ''
+        data, = parse_comment_line(line, comment_char: "#", standalone_comments: false)
+        parse_line(data) unless data == ""
       end.compact
     end
 
@@ -67,17 +65,17 @@ module Inspec::Resources
       daemon, clients_and_options = line.split(/:\s+/, 2)
       daemon = daemon.strip
 
-      clients_and_options ||= ''
+      clients_and_options ||= ""
       clients, options = clients_and_options.split(/\s+:\s+/, 2)
       client_list = clients.split(/,/).map(&:strip)
 
-      options ||= ''
+      options ||= ""
       options_list = options.split(/:\s+/).map(&:strip)
 
       {
-        'daemon'      => daemon,
-        'client_list' => client_list,
-        'options'     => options_list,
+        "daemon" => daemon,
+        "client_list" => client_list,
+        "options" => options_list,
       }
     end
 
@@ -87,8 +85,8 @@ module Inspec::Resources
   end
 
   class EtcHostsDeny < EtcHostsAllow
-    name 'etc_hosts_deny'
-    supports platform: 'unix'
+    name "etc_hosts_deny"
+    supports platform: "unix"
     desc 'Use the etc_hosts_deny InSpec audit resource to test the connections
           the client will deny. Controlled by the /etc/hosts.deny file.'
     example <<~EXAMPLE
@@ -99,12 +97,12 @@ module Inspec::Resources
     EXAMPLE
 
     def initialize(path = nil)
-      return skip_resource '`etc_hosts_deny` is not supported on your OS' unless inspec.os.linux?
-      super(path || '/etc/hosts.deny')
+      return skip_resource "`etc_hosts_deny` is not supported on your OS" unless inspec.os.linux?
+      super(path || "/etc/hosts.deny")
     end
 
     def to_s
-      'hosts.deny Configuration'
+      "hosts.deny Configuration"
     end
   end
 end

data/lib/{resources → inspec/resources}/file.rb

@@ -1,7 +1,7 @@
-# encoding: utf-8
 # copyright: 2015, Vulcano Security GmbH
 
-require 'shellwords'
+require "shellwords"
+require "inspec/utils/parser"
 
 module Inspec::Resources
   module FilePermissionsSelector
@@ -14,14 +14,15 @@ module Inspec::Resources
     end
   end
 
+  # TODO: rename file_resource.rb
   class FileResource < Inspec.resource(1)
     include FilePermissionsSelector
     include LinuxMountParser
 
-    name 'file'
-    supports platform: 'unix'
-    supports platform: 'windows'
-    desc 'Use the file InSpec audit resource to test all system file types, including files, directories, symbolic links, named pipes, sockets, character devices, block devices, and doors.'
+    name "file"
+    supports platform: "unix"
+    supports platform: "windows"
+    desc "Use the file InSpec audit resource to test all system file types, including files, directories, symbolic links, named pipes, sockets, character devices, block devices, and doors."
     example <<~EXAMPLE
       describe file('path') do
         it { should exist }
@@ -48,45 +49,45 @@ module Inspec::Resources
       product_version file_version version? md5sum sha256sum
       path basename source source_path uid gid
     }.each do |m|
-      define_method m.to_sym do |*args|
-        file.method(m.to_sym).call(*args)
+      define_method m do |*args|
+        file.send(m, *args)
       end
     end
 
     def content
       res = file.content
       return nil if res.nil?
-      res.force_encoding('utf-8')
+      res.force_encoding("utf-8")
     end
 
     def contain(*_)
-      raise 'Contain is not supported. Please use standard RSpec matchers.'
+      raise "Contain is not supported. Please use standard RSpec matchers."
     end
 
     def readable?(by_usergroup, by_specific_user)
       return false unless exist?
-      return skip_resource '`readable?` is not supported on your OS yet.' if @perms_provider.nil?
+      return skip_resource "`readable?` is not supported on your OS yet." if @perms_provider.nil?
 
-      file_permission_granted?('read', by_usergroup, by_specific_user)
+      file_permission_granted?("read", by_usergroup, by_specific_user)
     end
 
     def writable?(by_usergroup, by_specific_user)
       return false unless exist?
-      return skip_resource '`writable?` is not supported on your OS yet.' if @perms_provider.nil?
+      return skip_resource "`writable?` is not supported on your OS yet." if @perms_provider.nil?
 
-      file_permission_granted?('write', by_usergroup, by_specific_user)
+      file_permission_granted?("write", by_usergroup, by_specific_user)
     end
 
     def executable?(by_usergroup, by_specific_user)
       return false unless exist?
-      return skip_resource '`executable?` is not supported on your OS yet.' if @perms_provider.nil?
+      return skip_resource "`executable?` is not supported on your OS yet." if @perms_provider.nil?
 
-      file_permission_granted?('execute', by_usergroup, by_specific_user)
+      file_permission_granted?("execute", by_usergroup, by_specific_user)
     end
 
     def allowed?(permission, opts = {})
       return false unless exist?
-      return skip_resource '`allowed?` is not supported on your OS yet.' if @perms_provider.nil?
+      return skip_resource "`allowed?` is not supported on your OS yet." if @perms_provider.nil?
 
       file_permission_granted?(permission, opts[:by], opts[:by_user])
     end
@@ -98,7 +99,7 @@ module Inspec::Resources
       return file.mounted? if expected_options.nil?
 
       # deprecation warning, this functionality will be removed in future version
-      Inspec.deprecate(:file_resource_be_mounted_matchers, 'The file resource `be_mounted.with` and `be_mounted.only_with` matchers are deprecated. Please use the `mount` resource instead')
+      Inspec.deprecate(:file_resource_be_mounted_matchers, "The file resource `be_mounted.with` and `be_mounted.only_with` matchers are deprecated. Please use the `mount` resource instead")
 
       # we cannot read mount data on non-Linux systems
       return nil if !inspec.os.linux?
@@ -134,10 +135,10 @@ module Inspec::Resources
     alias sticky? sticky
 
     def more_permissive_than?(max_mode = nil)
-      raise Inspec::Exceptions::ResourceFailed, 'The file' + file.path + 'doesn\'t seem to exist' unless exist?
-      raise ArgumentError, 'You must proivde a value for the `maximum allowable permission` for the file.' if max_mode.nil?
-      raise ArgumentError, 'You must proivde the `maximum permission target` as a `String`, you provided: ' + max_mode.class.to_s unless max_mode.is_a?(String)
-      raise ArgumentError, 'The value of the `maximum permission target` should be a valid file mode in 4-ditgit octal format: for example, `0644` or `0777`' unless /(0)?([0-7])([0-7])([0-7])/.match?(max_mode)
+      raise Inspec::Exceptions::ResourceFailed, "The file" + file.path + "doesn't seem to exist" unless exist?
+      raise ArgumentError, "You must proivde a value for the `maximum allowable permission` for the file." if max_mode.nil?
+      raise ArgumentError, "You must proivde the `maximum permission target` as a `String`, you provided: " + max_mode.class.to_s unless max_mode.is_a?(String)
+      raise ArgumentError, "The value of the `maximum permission target` should be a valid file mode in 4-ditgit octal format: for example, `0644` or `0777`" unless /(0)?([0-7])([0-7])([0-7])/.match?(max_mode)
 
       # Using the files mode and a few bit-wise calculations we can ensure a
       # file is no more permisive than desired.
@@ -156,10 +157,10 @@ module Inspec::Resources
       # to or less permissive than the desired mode (PASS). Otherwise, the files
       # mode is more permissive than the desired mode (FAIL).
 
-      max_mode = max_mode.rjust(4, '0')
-      binary_desired_mode = format('%04b', max_mode).to_i(2)
-      desired_mode_inverse = (binary_desired_mode ^ 0b111111111)
-      (desired_mode_inverse & file.mode).zero? ? false : true
+      max_mode = max_mode.to_i(8)
+      inv_mode = 0777 ^ max_mode
+
+      inv_mode & file.mode != 0
     end
 
     def to_s
@@ -169,7 +170,7 @@ module Inspec::Resources
     private
 
     def file_permission_granted?(access_type, by_usergroup, by_specific_user)
-      raise '`file_permission_granted?` is not supported on your OS' if @perms_provider.nil?
+      raise "`file_permission_granted?` is not supported on your OS" if @perms_provider.nil?
       if by_specific_user.nil? || by_specific_user.empty?
         @perms_provider.check_file_permission_by_mask(file, access_type, by_usergroup, by_specific_user)
       else
@@ -188,22 +189,22 @@ module Inspec::Resources
   class UnixFilePermissions < FilePermissions
     def permission_flag(access_type)
       case access_type
-      when 'read'
-        'r'
-      when 'write'
-        'w'
-      when 'execute'
-        'x'
+      when "read"
+        "r"
+      when "write"
+        "w"
+      when "execute"
+        "x"
       else
-        raise 'Invalid access_type provided'
+        raise "Invalid access_type provided"
       end
     end
 
     def usergroup_for(usergroup, specific_user)
-      if usergroup == 'others'
-        'other'
+      if usergroup == "others"
+        "other"
       elsif (usergroup.nil? || usergroup.empty?) && specific_user.nil?
-        'all'
+        "all"
       else
         usergroup
       end
@@ -213,7 +214,7 @@ module Inspec::Resources
       usergroup = usergroup_for(usergroup, specific_user)
       flag = permission_flag(access_type)
       mask = file.unix_mode_mask(usergroup, flag)
-      raise 'Invalid usergroup/owner provided' if mask.nil?
+      raise "Invalid usergroup/owner provided" if mask.nil?
       (file.mode & mask) != 0
     end
 
@@ -228,7 +229,7 @@ module Inspec::Resources
       elsif inspec.os.hpux?
         perm_cmd = "su #{user} -c \"test -#{flag} #{path}\""
       else
-        return skip_resource 'The `file` resource does not support `by_user` on your OS.'
+        return skip_resource "The `file` resource does not support `by_user` on your OS."
       end
 
       cmd = inspec.command(perm_cmd)
@@ -238,11 +239,11 @@ module Inspec::Resources
 
   class WindowsFilePermissions < FilePermissions
     def check_file_permission_by_mask(_file, _access_type, _usergroup, _specific_user)
-      raise '`check_file_permission_by_mask` is not supported on Windows'
+      raise "`check_file_permission_by_mask` is not supported on Windows"
     end
 
     def more_permissive_than?(*)
-      raise Inspec::Exceptions::ResourceSkipped, 'The `more_permissive_than?` matcher is not supported on your OS yet.'
+      raise Inspec::Exceptions::ResourceSkipped, "The `more_permissive_than?` matcher is not supported on your OS yet."
     end
 
     def check_file_permission_by_user(access_type, user, path)
@@ -250,14 +251,14 @@ module Inspec::Resources
       access_rule = convert_to_powershell_array(access_rule)
 
       cmd = inspec.command("@(@((Get-Acl '#{path}').access | Where-Object {$_.AccessControlType -eq 'Allow' -and $_.IdentityReference -eq '#{user}' }) | Where-Object {($_.FileSystemRights.ToString().Split(',') | % {$_.trim()} | ? {#{access_rule} -contains $_}) -ne $null}) | measure | % { $_.Count }")
-      cmd.stdout.chomp == '0' ? false : true
+      cmd.stdout.chomp == "0" ? false : true
     end
 
     private
 
     def convert_to_powershell_array(arr)
       if arr.empty?
-        '@()'
+        "@()"
       else
         %{@('#{arr.join("', '")}')}
       end
@@ -272,59 +273,59 @@ module Inspec::Resources
       names = translate_common_perms(access_type)
       names ||= translate_granular_perms(access_type)
       names ||= translate_uncommon_perms(access_type)
-      raise 'Invalid access_type provided' unless names
+      raise "Invalid access_type provided" unless names
 
       names
     end
 
     def translate_common_perms(access_type)
       case access_type
-      when 'full-control'
+      when "full-control"
         %w{FullControl}
-      when 'modify'
-        translate_perm_names('full-control') + %w{Modify}
-      when 'read'
-        translate_perm_names('modify') + %w{ReadAndExecute Read}
-      when 'write'
-        translate_perm_names('modify') + %w{Write}
-      when 'execute'
-        translate_perm_names('modify') + %w{ReadAndExecute ExecuteFile Traverse}
-      when 'delete'
-        translate_perm_names('modify') + %w{Delete}
+      when "modify"
+        translate_perm_names("full-control") + %w{Modify}
+      when "read"
+        translate_perm_names("modify") + %w{ReadAndExecute Read}
+      when "write"
+        translate_perm_names("modify") + %w{Write}
+      when "execute"
+        translate_perm_names("modify") + %w{ReadAndExecute ExecuteFile Traverse}
+      when "delete"
+        translate_perm_names("modify") + %w{Delete}
       end
     end
 
     def translate_uncommon_perms(access_type)
       case access_type
-      when 'delete-subdirectories-and-files'
-        translate_perm_names('full-control') + %w{DeleteSubdirectoriesAndFiles}
-      when 'change-permissions'
-        translate_perm_names('full-control') + %w{ChangePermissions}
-      when 'take-ownership'
-        translate_perm_names('full-control') + %w{TakeOwnership}
-      when 'synchronize'
-        translate_perm_names('full-control') + %w{Synchronize}
+      when "delete-subdirectories-and-files"
+        translate_perm_names("full-control") + %w{DeleteSubdirectoriesAndFiles}
+      when "change-permissions"
+        translate_perm_names("full-control") + %w{ChangePermissions}
+      when "take-ownership"
+        translate_perm_names("full-control") + %w{TakeOwnership}
+      when "synchronize"
+        translate_perm_names("full-control") + %w{Synchronize}
       end
     end
 
     def translate_granular_perms(access_type)
       case access_type
-      when 'write-data', 'create-files'
-        translate_perm_names('write') + %w{WriteData CreateFiles}
-      when 'append-data', 'create-directories'
-        translate_perm_names('write') + %w{CreateDirectories AppendData}
-      when 'write-extended-attributes'
-        translate_perm_names('write') + %w{WriteExtendedAttributes}
-      when 'write-attributes'
-        translate_perm_names('write') + %w{WriteAttributes}
-      when 'read-data', 'list-directory'
-        translate_perm_names('read') + %w{ReadData ListDirectory}
-      when 'read-attributes'
-        translate_perm_names('read') + %w{ReadAttributes}
-      when 'read-extended-attributes'
-        translate_perm_names('read') + %w{ReadExtendedAttributes}
-      when 'read-permissions'
-        translate_perm_names('read') + %w{ReadPermissions}
+      when "write-data", "create-files"
+        translate_perm_names("write") + %w{WriteData CreateFiles}
+      when "append-data", "create-directories"
+        translate_perm_names("write") + %w{CreateDirectories AppendData}
+      when "write-extended-attributes"
+        translate_perm_names("write") + %w{WriteExtendedAttributes}
+      when "write-attributes"
+        translate_perm_names("write") + %w{WriteAttributes}
+      when "read-data", "list-directory"
+        translate_perm_names("read") + %w{ReadData ListDirectory}
+      when "read-attributes"
+        translate_perm_names("read") + %w{ReadAttributes}
+      when "read-extended-attributes"
+        translate_perm_names("read") + %w{ReadExtendedAttributes}
+      when "read-permissions"
+        translate_perm_names("read") + %w{ReadPermissions}
       end
     end
   end

data/lib/{resources → inspec/resources}/filesystem.rb

@@ -1,9 +1,11 @@
+require "inspec/resources/command"
+
 module Inspec::Resources
   class FileSystemResource < Inspec.resource(1)
-    name 'filesystem'
-    supports platform: 'linux'
-    supports platform: 'windows'
-    desc 'Use the filesystem InSpec resource to test file system'
+    name "filesystem"
+    supports platform: "linux"
+    supports platform: "windows"
+    desc "Use the filesystem InSpec resource to test file system"
     example <<~EXAMPLE
       describe filesystem('/') do
         its('size_kb') { should be >= 32000 }
@@ -32,7 +34,7 @@ module Inspec::Resources
       elsif os.windows?
         @fsman = WindowsFileSystemResource.new(inspec)
       else
-        raise Inspec::Exceptions::ResourceSkipped, 'The `filesystem` resource is not supported on your OS yet.'
+        raise Inspec::Exceptions::ResourceSkipped, "The `filesystem` resource is not supported on your OS yet."
       end
     end
 
@@ -52,7 +54,7 @@ module Inspec::Resources
     end
 
     def size
-      Inspec.deprecate(:property_filesystem_size, 'The `size` property did not reliably use the correct units. Please use `size_kb` instead.')
+      Inspec.deprecate(:property_filesystem_size, "The `size` property did not reliably use the correct units. Please use `size_kb` instead.")
       if inspec.os.windows?
         # On windows, we had a bug prior to #3767 in which the
         # 'size' value was be scaled to GB in powershell.
@@ -93,8 +95,11 @@ module Inspec::Resources
   class LinuxFileSystemResource < FsManagement
     def info(partition)
       cmd = inspec.command("df #{partition} -T")
-      raise Inspec::Exceptions::ResourceFailed, "Unable to get available space for partition #{partition}" if cmd.stdout.nil? || cmd.stdout.empty? || !cmd.exit_status.zero?
-      value = cmd.stdout.split(/\n/)[1].strip.split(' ')
+      if cmd.stdout.nil? || cmd.stdout.empty? || cmd.exit_status != 0
+        raise Inspec::Exceptions::ResourceFailed,
+          "Unable to get available space for partition #{partition}"
+      end
+      value = cmd.stdout.split(/\n/)[1].strip.split(" ")
       {
         name: partition,
         size_kb: value[2].to_i,
@@ -106,26 +111,26 @@ module Inspec::Resources
 
   class WindowsFileSystemResource < FsManagement
     def info(partition)
-      cmd = inspec.command <<-EOF.gsub(/^\s*/, '')
+      cmd = inspec.command <<-EOF.gsub(/^\s*/, "")
         $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='#{partition}'"
         $disk.Size = $disk.Size / 1KB
         $disk.FreeSpace = $disk.FreeSpace / 1KB
         $disk | select -property DeviceID,Size,FileSystem,FreeSpace | ConvertTo-Json
       EOF
 
-      raise Inspec::Exceptions::ResourceSkipped, "Unable to get available space for partition #{partition}" if cmd.stdout == '' || cmd.exit_status.to_i != 0
+      raise Inspec::Exceptions::ResourceSkipped, "Unable to get available space for partition #{partition}" if cmd.stdout == "" || cmd.exit_status.to_i != 0
       begin
         fs = JSON.parse(cmd.stdout)
       rescue JSON::ParserError => e
         raise Inspec::Exceptions::ResourceFailed,
-              'Failed to parse JSON from Powershell. ' \
+              "Failed to parse JSON from Powershell. " \
               "Error: #{e}"
       end
       {
-        name: fs['DeviceID'],
-        size_kb: fs['Size'].to_i,
-        free_kb: fs['FreeSpace'].to_i,
-        type: fs['FileSystem'],
+        name: fs["DeviceID"],
+        size_kb: fs["Size"].to_i,
+        free_kb: fs["FreeSpace"].to_i,
+        type: fs["FileSystem"],
       }
     end
   end