inspec-core 4.31.0 → 4.37.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: de259f902d4d891726e44204083a9fa2ab6b2b7507914036cc1af230e82dbc6b
-  data.tar.gz: 16d2ce9dbe236411f8169b378c51bedd5e2fc87ee84429b14de8e7312f6576cd
+  metadata.gz: 65d5a9d62e8e76b31b944e42f4ae6fc1784e3823fa578ce8ee439a2270a80816
+  data.tar.gz: 1aa950d1012bd41e061cc58e5693003d9197749c3798d3fb7d50b434c33c13de
 SHA512:
-  metadata.gz: 6f6646ab26611a0d49bce5bb8dd927ac678cb1ab032d5c5de055e5e769ef667f4147f4bae82613450c21c9ca0ebcd99302f33741ba51c95094b45714a6f69303
-  data.tar.gz: c19721ef5d63cedae91fe69103f7f4ec4237ce4e16ab563895eff655b2ff32ec1ba15daf412cf23ed11966a9d94b5941b5c74ac6ba47c4c209f82a5db1240641
+  metadata.gz: 69e11bec35bfef9ccd66679c4c04a65afe7b8e2acb4f20ab1f2643ee594961148b269a21e4e84996053a5d18ae96120063f1cbfe634831488b8b830cb22b9942
+  data.tar.gz: 0476cf2df46ae81d3dd0a797d39190425ef28eeb7d8c36c3157d68d7ae658b1922f02251948fce8e5f2a48305f5c9e6ff520bc39a532e655b7f32284c7c67b46

data/Gemfile

@@ -48,3 +48,16 @@ end
 group :deploy do
   gem "inquirer"
 end
+
+# Only include Test Kitchen support if we are on Ruby 2.7 or higher
+# as chef-zero support requires Ruby 2.6
+# See https://github.com/inspec/inspec/pull/5341
+if Gem.ruby_version >= Gem::Version.new("2.7.0")
+  group :kitchen do
+    gem "berkshelf"
+    gem "test-kitchen", ">= 2.8"
+    gem "kitchen-inspec", ">= 2.0"
+    gem "kitchen-dokken", ">= 2.11"
+    gem "git"
+  end
+end

data/inspec-core.gemspec

@@ -23,7 +23,7 @@ Gem::Specification.new do |spec|
       .reject { |f| File.directory?(f) }
 
   # Implementation dependencies
-  spec.add_dependency "chef-telemetry",     "~> 1.0"
+  spec.add_dependency "chef-telemetry",     "~> 1.0", ">= 1.0.8" # 1.0.8+ removes the http dep
   spec.add_dependency "license-acceptance", ">= 0.2.13", "< 3.0"
   spec.add_dependency "thor",               ">= 0.20", "< 2.0"
   spec.add_dependency "method_source",      ">= 0.8", "< 2.0"
@@ -35,7 +35,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency "mixlib-log",         "~> 3.0"
   spec.add_dependency "sslshake",           "~> 1.2"
   spec.add_dependency "parallel",           "~> 1.9"
-  spec.add_dependency "faraday",            ">= 0.9.0", "< 1.4"
+  spec.add_dependency "faraday",            ">= 0.9.0", "< 1.5"
   spec.add_dependency "faraday_middleware", "~> 1.0"
   spec.add_dependency "tty-table",          "~> 0.10"
   spec.add_dependency "tty-prompt",         "~> 0.17"

data/lib/inspec/base_cli.rb

@@ -168,9 +168,11 @@ module Inspec
         desc: "After normal execution order, results are sorted by control ID, or by file (default), or randomly. None uses legacy unsorted mode."
       option :filter_empty_profiles, type: :boolean, default: false,
         desc: "Filter empty profiles (profiles without controls) from the report."
-      option :command_timeout, type: :numeric, default: 3600,
-        desc: "Maximum seconds to allow commands to run during execution. Default 3600.",
-        long_desc: "Maximum seconds to allow commands to run during execution. Default 3600. A timed out command is considered an error."
+      option :command_timeout, type: :numeric,
+        desc: "Maximum seconds to allow commands to run during execution.",
+        long_desc: "Maximum seconds to allow commands to run during execution. A timed out command is considered an error."
+      option :reporter_include_source, type: :boolean, default: false,
+        desc: "Include full source code of controls in the CLI report"
     end
 
     def self.help(*args)

data/lib/inspec/cli.rb

@@ -218,9 +218,13 @@ class Inspec::InspecCLI < Inspec::BaseCLI
 
     Automate:
       ```
-      #{Inspec::Dist::EXEC_NAME} compliance login
+      #{Inspec::Dist::EXEC_NAME} automate login
       #{Inspec::Dist::EXEC_NAME} exec compliance://username/linux-baseline
       ```
+      `inspec compliance` is a backwards compatible alias for `inspec automate` and works the same way:
+      ```
+      #{Inspec::Dist::EXEC_NAME} compliance login
+      ```
 
     Supermarket:
       ```
@@ -321,10 +325,14 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     desc: "A space-delimited list of local folders containing profiles whose libraries and resources will be loaded into the new shell"
   option :distinct_exit, type: :boolean, default: true,
     desc: "Exit with code 100 if any tests fail, and 101 if any are skipped but none failed (default).  If disabled, exit 0 on skips and 1 for failures."
-  option :command_timeout, type: :numeric, default: 3600,
-      desc: "Maximum seconds to allow a command to run. Default 3600.",
-      long_desc: "Maximum seconds to allow commands to run. Default 3600. A timed out command is considered an error."
+  option :command_timeout, type: :numeric,
+      desc: "Maximum seconds to allow a command to run.",
+      long_desc: "Maximum seconds to allow commands to run. A timed out command is considered an error."
   option :inspect, type: :boolean, default: false, desc: "Use verbose/debugging output for resources."
+  option :input_file, type: :array,
+    desc: "Load one or more input files, a YAML file with values for the shell to use"
+  option :input, type: :array, banner: "name1=value1 name2=value2",
+    desc: "Specify one or more inputs directly on the command line to the shell, as --input NAME=VALUE. Accepts single-quoted YAML and JSON structures."
   def shell_func
     o = config
     diagnose(o)

data/lib/inspec/control_eval_context.rb

@@ -194,6 +194,7 @@ module Inspec
 
     # Check if the given control exist in the --controls option
     def control_exist_in_controls_list?(id)
+      id_exist_in_list = false
       if profile_config_exist?
         id_exist_in_list = @conf["profile"].include_controls_list.any? do |inclusion|
           # Try to see if the inclusion is a regex, and if it matches

data/lib/inspec/input.rb

@@ -19,12 +19,17 @@ module Inspec
       attr_accessor :input_name
       attr_accessor :input_value
       attr_accessor :input_type
+      attr_accessor :input_pattern
     end
 
     class TypeError < Error
       attr_accessor :input_type
     end
 
+    class PatternError < Error
+      attr_accessor :input_pattern
+    end
+
     class RequiredError < Error
       attr_accessor :input_name
     end
@@ -56,7 +61,6 @@ module Inspec
 
       def initialize(properties = {})
         @value_has_been_set = false
-
         properties.each do |prop_name, prop_value|
           if EVENT_PROPERTIES.include? prop_name
             # OK, save the property
@@ -174,7 +178,7 @@ module Inspec
     # are free to go higher.
     DEFAULT_PRIORITY_FOR_VALUE_SET = 60
 
-    attr_reader :description, :events, :identifier, :name, :required, :sensitive, :title, :type
+    attr_reader :description, :events, :identifier, :name, :required, :sensitive, :title, :type, :pattern
 
     def initialize(name, options = {})
       @name = name
@@ -192,7 +196,6 @@ module Inspec
       # debugging record of when and how the value changed.
       @events = []
       events.push make_creation_event(options)
-
       update(options)
     end
 
@@ -213,6 +216,7 @@ module Inspec
     def update(options)
       _update_set_metadata(options)
       normalize_type_restriction!
+      normalize_pattern_restriction!
 
       # Values are set by passing events in; but we can also infer an event.
       if options.key?(:value) || options.key?(:default)
@@ -227,6 +231,7 @@ module Inspec
       events << options[:event] if options.key? :event
 
       enforce_type_restriction!
+      enforce_pattern_restriction!
     end
 
     # We can determine a value:
@@ -268,6 +273,7 @@ module Inspec
       @identifier = options[:identifier] if options.key?(:identifier) # TODO: determine if this is ever used
       @type = options[:type] if options.key?(:type)
       @sensitive = options[:sensitive] if options.key?(:sensitive)
+      @pattern = options[:pattern] if options.key?(:pattern)
     end
 
     def make_creation_event(options)
@@ -310,7 +316,9 @@ module Inspec
         file: location.path,
         line: location.lineno
       )
+
       enforce_type_restriction!
+      enforce_pattern_restriction!
     end
 
     def value
@@ -324,7 +332,7 @@ module Inspec
 
     def to_hash
       as_hash = { name: name, options: {} }
-      %i{description title identifier type required value sensitive}.each do |field|
+      %i{description title identifier type required value sensitive pattern}.each do |field|
         val = send(field)
         next if val.nil?
 
@@ -407,6 +415,33 @@ module Inspec
       @type = type_req
     end
 
+    def enforce_pattern_restriction!
+      return unless pattern
+      return unless has_value?
+
+      string_value = current_value(false).to_s
+
+      valid_pattern = string_value.match?(pattern)
+      unless valid_pattern
+        error = Inspec::Input::ValidationError.new
+        error.input_name = @name
+        error.input_value = string_value
+        error.input_pattern = pattern
+        raise error, "Input '#{error.input_name}' with value '#{error.input_value}' does not validate to pattern '#{error.input_pattern}'."
+      end
+    end
+
+    def normalize_pattern_restriction!
+      return unless pattern
+
+      unless valid_regexp?(pattern)
+        error = Inspec::Input::PatternError.new
+        error.input_pattern = pattern
+        raise error, "Pattern '#{error.input_pattern}' is not a valid regex pattern."
+      end
+      @pattern = pattern
+    end
+
     def valid_numeric?(value)
       Float(value)
       true

data/lib/inspec/input_registry.rb

@@ -325,6 +325,7 @@ module Inspec
         type: input_options[:type],
         required: input_options[:required],
         sensitive: input_options[:sensitive],
+        pattern: input_options[:pattern],
         event: evt
       )
     end

data/lib/inspec/objects/input.rb

@@ -20,7 +20,7 @@ module Inspec
 
     def to_hash
       as_hash = { name: name, options: {} }
-      %i{description title identifier type required value}.each do |field|
+      %i{description title identifier type required value pattern}.each do |field|
         val = send(field)
         next if val.nil?
 

data/lib/inspec/plugin/v2/loader.rb

@@ -117,6 +117,15 @@ module Inspec::Plugin::V2
         # `inspec dosomething` => activate the :dosomething hook
         activate_me ||= cli_args.include?(act.activator_name.to_s)
 
+        # Only one compliance command to be activated at one time.
+        # Since both commands are defined in the same class,
+        # activators were not getting fetched uniquely.
+        if cli_args.include?("automate") && act.activator_name.to_s.eql?("compliance")
+          activate_me = false
+        elsif cli_args.include?("compliance") && act.activator_name.to_s.eql?("automate")
+          activate_me = false
+        end
+
         # OK, activate.
         if activate_me
           act.activate

data/lib/inspec/profile_context.rb

@@ -91,7 +91,7 @@ module Inspec
     end
 
     def all_controls
-      ret = @rules.values
+      ret = @rules.values.compact
       ret += @control_subcontexts.map(&:all_rules).flatten
       ret
     end

data/lib/inspec/reporters/cli.rb

@@ -41,12 +41,14 @@ module Inspec::Reporters
     MULTI_TEST_CONTROL_SUMMARY_MAX_LEN = 60
 
     def render
+      @src_extent_map = {}
       run_data[:profiles].each do |profile|
         if profile[:status] == "skipped"
           platform = run_data[:platform]
           output("Skipping profile: '#{profile[:name]}' on unsupported platform: '#{platform[:name]}/#{platform[:release]}'.")
           next
         end
+        read_control_source(profile)
         @control_count = 0
         output("")
         print_profile_header(profile)
@@ -89,6 +91,7 @@ module Inspec::Reporters
         next if control.results.nil?
 
         output(format_control_header(control))
+        output(format_control_source(control)) if Inspec::Config.cached[:reporter_include_source]
         control.results.each do |result|
           output(format_result(control, result, :standard))
           @control_count += 1
@@ -127,6 +130,62 @@ module Inspec::Reporters
       )
     end
 
+    def format_control_source(control)
+      src = @control_source[control.id]
+      message  = "Control Source from #{src[:path]}:#{src[:start]}..#{src[:end]}\n"
+      message += src[:content]
+      format_message(
+        color: "skipped",
+        indentation: 5,
+        message: message
+      )
+    end
+
+    def read_control_source(profile)
+      return unless Inspec::Config.cached[:reporter_include_source]
+
+      @control_source = {}
+      src_extent_map = {}
+
+      # First pass: build map of paths => ids => [start]
+      all_unique_controls.each do |control|
+        id = control[:id]
+        path = control[:source_location][:ref]
+        start = control[:source_location][:line]
+        next if path.nil? || start.nil?
+
+        src_extent_map[path] ||= []
+        src_extent_map[path] << { start: start, id: id }
+      end
+
+      # Now sort the controls by their starting line in their control file
+      src_extent_map.values.each do |extent_list|
+        extent_list.sort! { |a, b| a[:start] <=> b[:start] }
+      end
+
+      # Third pass: Read in files and split into lines
+      src_extent_map.keys.each do |path|
+        control_file_lines = File.read(path).lines # TODO error handling
+        last_line_in_file = control_file_lines.count
+        extent_list = src_extent_map[path]
+        extent_list.each_with_index do |extent, idx|
+          if idx == extent_list.count - 1 # Last entry
+            extent[:end] = last_line_in_file
+          else
+            extent[:end] = extent_list[idx + 1][:start] - 1
+          end
+
+          @control_source[extent[:id]] =
+            {
+              path: path,
+              start: extent[:start],
+              end: extent[:end],
+              content: control_file_lines.slice(extent[:start] - 1, extent[:end] - extent[:start] + 1).join(""),
+            }
+        end
+      end
+    end
+
     def format_result(control, result, type)
       impact = control.impact_string_for_result(result)
 
@@ -312,6 +371,10 @@ module Inspec::Reporters
         data[:impact]
       end
 
+      def source_location
+        data[:source_location]
+      end
+
       def anonymous?
         id.start_with?("(generated from ")
       end

data/lib/inspec/resources.rb

@@ -103,6 +103,7 @@ require "inspec/resources/rabbitmq_config"
 require "inspec/resources/registry_key"
 require "inspec/resources/security_identifier"
 require "inspec/resources/security_policy"
+require "inspec/resources/selinux"
 require "inspec/resources/service"
 require "inspec/resources/shadow"
 require "inspec/resources/ssh_config"

data/lib/inspec/resources/command.rb

@@ -31,16 +31,11 @@ module Inspec::Resources
       end
 
       @command = cmd
-
-      cli_timeout = Inspec::Config.cached["command_timeout"].to_i
+      cli_timeout = Inspec::Config.cached["command_timeout"]&.to_i
       # Can access this via Inspec::InspecCLI.commands["exec"].options[:command_timeout].default,
       # but that may not be loaded for kitchen-inspec and other pure gem consumers
-      default_cli_timeout = 3600
-      if cli_timeout != default_cli_timeout
-        @timeout = cli_timeout
-      else
-        @timeout = options[:timeout]&.to_i || default_cli_timeout
-      end
+      cli_timeout = nil if cli_timeout == 0 # Under test-kitchen we get a 0 timeout, which can't be a resonable value
+      @timeout = cli_timeout || options[:timeout]&.to_i
 
       if options[:redact_regex]
         unless options[:redact_regex].is_a?(Regexp)

data/lib/inspec/resources/groups.rb

@@ -49,10 +49,11 @@ module Inspec::Resources
 
     filter = FilterTable.create
     filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
-    filter.register_column(:names, field: "name")
-      .register_column(:gids,      field: "gid")
-      .register_column(:domains,   field: "domain")
-      .register_column(:members,   field: "members", style: :simple)
+    filter.register_column(:names,       field: "name")
+      .register_column(:gids,            field: "gid")
+      .register_column(:domains,         field: "domain")
+      .register_column(:members,         field: "members", style: :simple)
+      .register_column(:members_array,   field: "members_array", style: :simple)
     filter.install_filter_methods_on_resource(self, :collect_group_details)
 
     def to_s
@@ -63,7 +64,13 @@ module Inspec::Resources
 
     # collects information about every group
     def collect_group_details
-      return @groups_cache ||= @group_provider.groups unless @group_provider.nil?
+      unless @group_provider.nil?
+        modified_groups_info = @group_provider.groups
+        unless modified_groups_info.empty?
+          modified_groups_info.each { |hashmap| hashmap["members_array"] = hashmap["members"].is_a?(Array) ? hashmap["members"] : hashmap["members"]&.split(",") }
+        end
+        return @groups_cache ||= modified_groups_info
+      end
 
       []
     end
@@ -111,7 +118,11 @@ module Inspec::Resources
     end
 
     def members
-      flatten_entry(group_info, "members")
+      flatten_entry(group_info, "members") || empty_value_for_members
+    end
+
+    def members_array
+      flatten_entry(group_info, "members_array") || []
     end
 
     def local
@@ -141,6 +152,10 @@ module Inspec::Resources
       group = @group.dup
       @groups_cache ||= inspec.groups.where { name == group }
     end
+
+    def empty_value_for_members
+      inspec.os.windows? ? [] : ""
+    end
   end
 
   class GroupInfo

data/lib/inspec/resources/selinux.rb

@@ -0,0 +1,154 @@
+require "inspec/resources/command"
+require "inspec/utils/filter"
+
+module Inspec::Resources
+  class SelinuxModuleFilter
+    # use filtertable for SELinux Modules
+    filter = FilterTable.create
+    filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
+    filter.register_column(:names, field: :name)
+    filter.register_column(:status, field: :status)
+    filter.register_column(:states, field: :state)
+    filter.register_column(:priorities , field: :priority)
+    filter.register_custom_matcher(:enabled?) { |x| x.states[0] == "enabled" }
+    filter.register_custom_matcher(:installed?) { |x| x.status[0] == "installed" }
+    filter.install_filter_methods_on_resource(self, :modules)
+
+    attr_reader :modules
+    def initialize(modules)
+      @modules = modules
+    end
+
+    def to_s
+      "SELinux modules"
+    end
+  end
+
+  class SelinuxBooleanFilter
+    # use filtertable for SELinux Booleans
+    filter = FilterTable.create
+    filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
+    filter.register_column(:names, field: :name)
+    filter.register_column(:states, field: :state)
+    filter.register_column(:defaults, field: :default)
+    filter.register_custom_matcher(:on?) { |x| x.states[0] == "on" }
+    filter.install_filter_methods_on_resource(self, :booleans)
+
+    attr_reader :booleans
+    def initialize(booleans)
+      @booleans = booleans
+    end
+
+    def to_s
+      "SELinux booleans"
+    end
+  end
+
+  class Selinux < Inspec.resource(1)
+    name "selinux"
+    supports platform: "linux"
+
+    desc "Use the selinux Chef InSpec resource to test the configuration data of the SELinux policy, SELinux modules, and SELinux booleans."
+
+    example <<~EXAMPLE
+      describe selinux do
+        it { should be_installed }
+        it { should be_disabled }
+        it { should be_permissive }
+        it { should be_enforcing }
+      end
+
+      describe selinux do
+        its('policy') { should eq "targeted"}
+      end
+
+      describe selinux.modules.where("zebra") do
+        it { should exist }
+        it { should be_installed }
+        it { should be_enabled }
+      end
+
+      describe selinux.modules.where(status: "installed") do
+        it { should exist }
+        its('count') { should cmp 404 }
+      end
+
+      describe selinux.booleans.where(name: "xend_run_blktap") do
+        it { should be_on }
+      end
+
+      describe selinux.booleans.where { name == "xend_run_blktap" && state == "on" } do
+       it { should exist }
+      end
+    EXAMPLE
+
+    def initialize(selinux_path = "/etc/selinux/config")
+      @path = selinux_path
+      cmd = inspec.command("sestatus")
+
+      if cmd.exit_status != 0
+        # `sestatus` command not found error message comes in stdout so handling both here
+        out = cmd.stdout + "\n" + cmd.stderr
+        return skip_resource "Skipping resource: #{out}"
+      end
+
+      result = cmd.stdout.delete(" ").gsub(/\n/, ",").gsub(/\r/, "").downcase
+      @data = Hash[result.scan(/([^:]+):([^,]+)[,$]/)]
+    end
+
+    def installed?
+      inspec.file(@path).exist?
+    end
+
+    def disabled?
+      @data["selinuxstatus"] == "disabled"
+    end
+
+    def enforcing?
+      @data["currentmode"] == "enforcing"
+    end
+
+    def permissive?
+      @data["currentmode"] == "permissive"
+    end
+
+    def policy
+      @data["loadedpolicyname"]
+    end
+
+    def modules
+      SelinuxModuleFilter.new(parse_modules)
+    end
+
+    def booleans
+      SelinuxBooleanFilter.new(parse_booleans)
+    end
+
+    def to_s
+      "SELinux"
+    end
+
+    private
+
+    def parse_modules
+      raw_modules = inspec.command("semodule -lfull").stdout
+      r_modules = []
+      raw_modules.each_line do |entry|
+        data = entry.split.map(&:strip)
+        state = data.length == 4 ? data[3] : "enabled"
+        r_modules.push({ name: data[1], status: "installed", state: state, priority: data[0] })
+      end
+      r_modules
+    end
+
+    def parse_booleans
+      raw_booleans = inspec.command("semanage boolean -l -n").stdout
+      r_booleans = []
+      raw_booleans.each_line do |entry|
+        data = entry.scan(/([^(,)]+)/).flatten.map(&:strip)
+        r_booleans.push({ name: data[0], state: data[1], default: data[2] })
+      end
+      r_booleans
+    end
+  end
+end

data/lib/inspec/resources/windows_firewall_rule.rb

@@ -105,7 +105,7 @@ module Inspec::Resources
     # @see https://github.com/chef/chef/blob/master/lib/chef/resource/windows_firewall_rule.rb
     def load_firewall_state(rule_name)
       <<-EOH
-        Remove-TypeData System.Array # workaround for PS bug here: https://bit.ly/2SRMQ8M
+        Get-TypeData -TypeName System.Array | Remove-TypeData # workaround for PS bug here: https://bit.ly/2SRMQ8M
         $rule = Get-NetFirewallRule -Name "#{rule_name}"
         $addressFilter = $rule | Get-NetFirewallAddressFilter
         $portFilter = $rule | Get-NetFirewallPortFilter

data/lib/inspec/rule.rb

@@ -180,7 +180,15 @@ module Inspec
         options[:priority] ||= 20
         options[:provider] = :inline_control_code
         evt = Inspec::Input.infer_event(options)
-        Inspec::InputRegistry.find_or_register_input(input_name, __profile_id, event: evt).value
+        Inspec::InputRegistry.find_or_register_input(
+          input_name,
+          __profile_id,
+          type: options[:type],
+          required: options[:required],
+          description: options[:description],
+          pattern: options[:pattern],
+          event: evt
+        ).value
       end
     end
 

data/lib/inspec/version.rb

@@ -1,3 +1,3 @@
 module Inspec
-  VERSION = "4.31.0".freeze
+  VERSION = "4.37.0".freeze
 end

data/lib/plugins/inspec-compliance/README.md

@@ -6,24 +6,50 @@ This extensions offers the following features:
  - execute profiles directly from Chef Automate/Chef Compliance locally
  - upload a local profile to Chef Automate/Chef Compliance
 
+`inspec compliance` is a backwards compatible alias for `inspec automate` and works the same way.
+
 To use the CLI, this InSpec add-on adds the following commands:
 
+ * `$ inspec automate login` - authentication of the API token against Chef Automate/Chef Compliance
+ * `$ inspec automate profiles` - list all available Compliance profiles
+ * `$ inspec exec compliance://profile` - runs a Compliance profile
+ * `$ inspec automate upload path/to/local/profile` - uploads a local profile to Chef Automate/Chef Compliance
+ * `$ inspec automate logout` - logout of Chef Automate/Chef Compliance
+ 
+ Similar to these CLI commands are:
+
  * `$ inspec compliance login` - authentication of the API token against Chef Automate/Chef Compliance
  * `$ inspec compliance profiles` - list all available Compliance profiles
- * `$ inspec exec compliance://profile` - runs a Compliance profile
  * `$ inspec compliance upload path/to/local/profile` - uploads a local profile to Chef Automate/Chef Compliance
  * `$ inspec compliance logout` - logout of Chef Automate/Chef Compliance
 
 Compliance profiles can be executed in two ways:
 
-- via compliance exec: `inspec compliance exec profile`
+- via compliance exec: `inspec automate exec profile` or `inspec compliance exec profile`
 - via compliance scheme: `inspec exec compliance://profile`
 
 
+
+
 ## Usage
 
 ### Command options
 
+```
+$ inspec automate
+Commands:
+  inspec automate download PROFILE  # downloads a profile from Chef Compliance
+  inspec automate exec PROFILE      # executes a Chef Compliance profile
+  inspec automate help [COMMAND]    # Describe subcommands or one specific subcommand
+  inspec automate login SERVER      # Log in to a Chef Automate/Chef Compliance SERVER
+  inspec automate logout            # user logout from Chef Compliance
+  inspec automate profiles          # list all available profiles in Chef Compliance
+  inspec automate upload PATH       # uploads a local profile to Chef Compliance
+  inspec automate version           # displays the version of the Chef Compliance server
+```
+
+or
+
 ```
 $ inspec compliance
 Commands:
@@ -41,6 +67,12 @@ Commands:
 
 You will need an API token for authentication. You can retrieve one via the admin section of your A2 web gui.
 
+```
+$ inspec automate login https://automate2.compliance.test --insecure --user 'admin' --token 'zuop..._KzE'
+```
+
+or
+
 ```
 $ inspec compliance login https://automate2.compliance.test --insecure --user 'admin' --token 'zuop..._KzE'
 ```
@@ -63,6 +95,12 @@ Example:
 
 You will need an access token for authentication. You can retrieve one via [UI](https://docs.chef.io/api_delivery.html) or [CLI](https://docs.chef.io/ctl_delivery.html#delivery-token).
 
+```
+$ inspec automate login https://automate.compliance.test --insecure --user 'admin' --ent 'brewinc' --token 'zuop..._KzE'
+```
+
+or
+
 ```
 $ inspec compliance login https://automate.compliance.test --insecure --user 'admin' --ent 'brewinc' --token 'zuop..._KzE'
 ```
@@ -75,12 +113,42 @@ You will need an access token for authentication. You can retrieve one via:
 
 You can choose the access token (`--token`) or the refresh token (`--refresh_token`)
 
+```
+$ inspec automate login https://compliance.test --user admin --insecure --token '...'
+```
+
+or
+
 ```
 $ inspec compliance login https://compliance.test --user admin --insecure --token '...'
 ```
 
 ### List available profiles via Chef Compliance / Automate
 
+```
+ $ inspec automate profiles
+Available profiles:
+-------------------
+ * base/apache
+ * base/linux
+ * base/mysql
+ * base/postgres
+ * base/ssh
+ * base/windows
+ * cis/cis-centos6-level1
+ * cis/cis-centos6-level2
+ * cis/cis-centos7-level1
+ * cis/cis-centos7-level2
+ * cis/cis-rhel7-level1
+ * cis/cis-rhel7-level2
+ * cis/cis-ubuntu12.04lts-level1
+ * cis/cis-ubuntu12.04lts-level2
+ * cis/cis-ubuntu14.04lts-level1
+ * cis/cis-ubuntu14.04lts-level2
+```
+
+or
+
 ```
 $ inspec compliance profiles
 Available profiles:
@@ -105,6 +173,47 @@ Available profiles:
 
 ### Upload a profile to Chef Compliance / Automate
 
+```
+$ inspec automate version
+Chef Compliance version: 1.0.11
+➜  inspec git:(chris-rock/cc-error-not-loggedin) ✗ b inspec automate upload examples/profile
+I, [2016-05-06T14:27:20.907547 #37592]  INFO -- : Checking profile in examples/profile
+I, [2016-05-06T14:27:20.907668 #37592]  INFO -- : Metadata OK.
+I, [2016-05-06T14:27:20.968584 #37592]  INFO -- : Found 4 controls.
+I, [2016-05-06T14:27:20.968638 #37592]  INFO -- : Control definitions OK.
+Profile is valid
+Generate temporary profile archive at /var/folders/jy/2bnrfb4s36jbjtzllvhhyqhw0000gn/T/profile20160506-37592-1tf326f.tar.gz
+I, [2016-05-06T14:27:21.020017 #37592]  INFO -- : Generate archive /var/folders/jy/2bnrfb4s36jbjtzllvhhyqhw0000gn/T/profile20160506-37592-1tf326f.tar.gz.
+I, [2016-05-06T14:27:21.024837 #37592]  INFO -- : Finished archive generation.
+Start upload to admin/profile
+Uploading to Chef Compliance
+Successfully uploaded profile
+
+# display all profiles
+$ inspec automate profiles
+Available profiles:
+-------------------
+ * admin/profile
+ * base/apache
+ * base/linux
+ * base/mysql
+ * base/postgres
+ * base/ssh
+ * base/windows
+ * cis/cis-centos6-level1
+ * cis/cis-centos6-level2
+ * cis/cis-centos7-level1
+ * cis/cis-centos7-level2
+ * cis/cis-rhel7-level1
+ * cis/cis-rhel7-level2
+ * cis/cis-ubuntu12.04lts-level1
+ * cis/cis-ubuntu12.04lts-level2
+ * cis/cis-ubuntu14.04lts-level1
+ * cis/cis-ubuntu14.04lts-level2
+```
+
+or
+
 ```
 $ inspec compliance version
 Chef Compliance version: 1.0.11
@@ -168,17 +277,31 @@ $ inspec exec compliance://admin/apache-baseline#2.0.1
 ```
 
 Download a specific version(2.0.2) of a profile when logged in with Automate:
+```
+$ inspec automate download compliance://admin/apache-baseline#2.0.2
+```
+
+or
+
 ```
 $ inspec compliance download compliance://admin/apache-baseline#2.0.2
 ```
 
 ### To Logout from Chef Compliance
 
+```
+$ inspec automate logout
+Successfully logged out
+```
+
+or
+
 ```
 $ inspec compliance logout
 Successfully logged out
 ```
 
+
 ## Integration Tests
 
 At this point of time, InSpec is not able to pick up the token directly, therefore the integration test is semi-automatic at this point of time:

data/lib/plugins/inspec-compliance/lib/inspec-compliance.rb

@@ -7,6 +7,11 @@ module InspecPlugins
         require_relative "inspec-compliance/cli"
         InspecPlugins::Compliance::CLI
       end
+
+      cli_command :automate do
+        require_relative "inspec-compliance/cli"
+        InspecPlugins::Compliance::CLI
+      end
     end
 
     autoload :Configuration, "plugins/inspec-compliance/lib/inspec-compliance/configuration"

data/lib/plugins/inspec-compliance/lib/inspec-compliance/api.rb

@@ -357,7 +357,7 @@ module InspecPlugins
 
         Inspec::Log.debug(
           "Received 200 from #{url}#{compliance_endpoint} - " \
-          "assuming target is a #{COMPLIANCE_PRODUCT_NAME} server"
+          "assuming target is a #{AUTOMATE_PRODUCT_NAME} server"
         )
         true
       end

data/lib/plugins/inspec-compliance/lib/inspec-compliance/api/login.rb

@@ -9,7 +9,7 @@ module InspecPlugins
         class CannotDetermineServerType < StandardError; end
 
         def login(options)
-          raise ArgumentError, "Please specify a server using `#{EXEC_NAME} compliance login https://SERVER`" unless options["server"]
+          raise ArgumentError, "Please specify a server using `#{EXEC_NAME} automate login https://SERVER` or `#{EXEC_NAME} compliance login https://SERVER`" unless options["server"]
 
           options["server"] = URI("https://#{options["server"]}").to_s if URI(options["server"]).scheme.nil?
 
@@ -179,7 +179,7 @@ module InspecPlugins
           def self.compliance_verify_thor_options(o)
             error_msg = []
 
-            error_msg.push("Please specify a server using `#{EXEC_NAME} compliance login https://SERVER`") if o["server"].nil?
+            error_msg.push("Please specify a server using `#{EXEC_NAME} automate login https://SERVER` or `#{EXEC_NAME} compliance login https://SERVER`") if o["server"].nil?
 
             if o["user"].nil? && o["refresh_token"].nil?
               error_msg.push("Please specify a `--user='USER'` or a `--refresh-token='TOKEN'`")

data/lib/plugins/inspec-compliance/lib/inspec-compliance/cli.rb

@@ -6,13 +6,12 @@ module InspecPlugins
   module Compliance
     class CLI < Inspec.plugin(2, :cli_command)
       include Inspec::Dist
-
-      subcommand_desc "compliance SUBCOMMAND", "#{COMPLIANCE_PRODUCT_NAME} commands"
+      subcommand_desc "automate SUBCOMMAND or compliance SUBCOMMAND", "#{AUTOMATE_PRODUCT_NAME} commands"
 
       # desc "login https://SERVER --insecure --user='USER' --ent='ENTERPRISE' --token='TOKEN'", 'Log in to a Chef Compliance/Chef Automate SERVER'
-      desc "login", "Log in to a #{COMPLIANCE_PRODUCT_NAME}/#{AUTOMATE_PRODUCT_NAME} SERVER"
+      desc "login", "Log in to a #{AUTOMATE_PRODUCT_NAME} SERVER"
       long_desc <<-LONGDESC
-        `login` allows you to use InSpec with #{AUTOMATE_PRODUCT_NAME} or a #{COMPLIANCE_PRODUCT_NAME} Server
+        `login` allows you to use InSpec with #{AUTOMATE_PRODUCT_NAME} Server
 
         You need to a token for communication. More information about token retrieval
         is available at:
@@ -24,11 +23,11 @@ module InspecPlugins
       option :user, type: :string, required: false,
         desc: "Username"
       option :password, type: :string, required: false,
-        desc: "Password (#{COMPLIANCE_PRODUCT_NAME} Only)"
+        desc: "Password (#{AUTOMATE_PRODUCT_NAME} Only)"
       option :token, type: :string, required: false,
         desc: "Access token"
       option :refresh_token, type: :string, required: false,
-        desc: "#{COMPLIANCE_PRODUCT_NAME} refresh token (#{COMPLIANCE_PRODUCT_NAME} Only)"
+        desc: "#{AUTOMATE_PRODUCT_NAME} refresh token (#{AUTOMATE_PRODUCT_NAME} Only)"
       option :dctoken, type: :string, required: false,
         desc: "Data Collector token (#{AUTOMATE_PRODUCT_NAME} Only)"
       option :ent, type: :string, required: false,
@@ -40,7 +39,7 @@ module InspecPlugins
         puts "Stored configuration for Chef #{config["server_type"].capitalize}: #{config["server"]}' with user: '#{config["user"]}'"
       end
 
-      desc "profiles", "list all available profiles in #{COMPLIANCE_PRODUCT_NAME}"
+      desc "profiles", "list all available profiles in #{AUTOMATE_PRODUCT_NAME}"
       option :owner, type: :string, required: false,
         desc: "owner whose profiles to list"
       def profiles
@@ -65,11 +64,11 @@ module InspecPlugins
           exit 1
         end
       rescue InspecPlugins::Compliance::ServerConfigurationMissing
-        $stderr.puts "\nServer configuration information is missing. Please login using `#{EXEC_NAME} compliance login`"
+        $stderr.puts "\nServer configuration information is missing. Please login using `#{EXEC_NAME} #{subcommand_name} login`"
         exit 1
       end
 
-      desc "exec PROFILE", "executes a #{COMPLIANCE_PRODUCT_NAME} profile"
+      desc "exec PROFILE", "executes a #{AUTOMATE_PRODUCT_NAME} profile"
       exec_options
       def exec(*tests)
         compliance_config = InspecPlugins::Compliance::Configuration.new
@@ -91,7 +90,7 @@ module InspecPlugins
         exit 1
       end
 
-      desc "download PROFILE", "downloads a profile from #{COMPLIANCE_PRODUCT_NAME}"
+      desc "download PROFILE", "downloads a profile from #{AUTOMATE_PRODUCT_NAME}"
       option :name, type: :string,
         desc: "Name of the archive filename (file type will be added)"
       def download(profile_name)
@@ -116,12 +115,12 @@ module InspecPlugins
           file_name = fetcher.fetch(o.name || id)
           puts "Profile stored to #{file_name}"
         else
-          puts "Profile #{profile_name} is not available in #{COMPLIANCE_PRODUCT_NAME}."
+          puts "Profile #{profile_name} is not available in #{AUTOMATE_PRODUCT_NAME}."
           exit 1
         end
       end
 
-      desc "upload PATH", "uploads a local profile to #{COMPLIANCE_PRODUCT_NAME}"
+      desc "upload PATH", "uploads a local profile to #{AUTOMATE_PRODUCT_NAME}"
       option :overwrite, type: :boolean, default: false,
         desc: "Overwrite existing profile on Server."
       option :owner, type: :string, required: false,
@@ -167,7 +166,7 @@ module InspecPlugins
 
         # determine user information
         if (config["token"].nil? && config["refresh_token"].nil?) || config["user"].nil?
-          error.call("Please login via `#{EXEC_NAME} compliance login`")
+          error.call("Please login via `#{EXEC_NAME} #{subcommand_name} login`")
         end
 
         # read profile name from inspec.yml
@@ -202,11 +201,8 @@ module InspecPlugins
         puts "Start upload to #{config["owner"]}/#{profile_name}"
         pname = ERB::Util.url_encode(profile_name)
 
-        if InspecPlugins::Compliance::API.is_automate_server?(config) || InspecPlugins::Compliance::API.is_automate2_server?(config)
-          puts "Uploading to #{AUTOMATE_PRODUCT_NAME}"
-        else
-          puts "Uploading to #{COMPLIANCE_PRODUCT_NAME}"
-        end
+        puts "Uploading to #{AUTOMATE_PRODUCT_NAME}"
+
         success, msg = InspecPlugins::Compliance::API.upload(config, config["owner"], pname, archive_path)
 
         # delete temp file if it was temporary generated
@@ -221,7 +217,7 @@ module InspecPlugins
         end
       end
 
-      desc "version", "displays the version of the #{COMPLIANCE_PRODUCT_NAME} server"
+      desc "version", "displays the version of the #{AUTOMATE_PRODUCT_NAME} server"
       def version
         config = InspecPlugins::Compliance::Configuration.new
         info = InspecPlugins::Compliance::API.version(config)
@@ -233,11 +229,11 @@ module InspecPlugins
           exit 1
         end
       rescue InspecPlugins::Compliance::ServerConfigurationMissing
-        puts "\nServer configuration information is missing. Please login using `#{EXEC_NAME} compliance login`"
+        puts "\nServer configuration information is missing. Please login using `#{EXEC_NAME} #{subcommand_name} login`"
         exit 1
       end
 
-      desc "logout", "user logout from #{COMPLIANCE_PRODUCT_NAME}"
+      desc "logout", "user logout from #{AUTOMATE_PRODUCT_NAME}"
       def logout
         config = InspecPlugins::Compliance::Configuration.new
         unless config.supported?(:oidc) || config["token"].nil? || config["server_type"] == "automate"
@@ -258,9 +254,13 @@ module InspecPlugins
 
       def loggedin(config)
         serverknown = !config["server"].nil?
-        puts "You need to login first with `#{EXEC_NAME} compliance login`" unless serverknown
+        puts "You need to login first with `#{EXEC_NAME} #{subcommand_name} login`" unless serverknown
         serverknown
       end
+
+      def subcommand_name
+        @_invocations[Inspec::InspecCLI]&.first || "automate"
+      end
     end
 
     # register the subcommand to InSpec CLI registry

data/lib/plugins/inspec-compliance/lib/inspec-compliance/target.rb

@@ -34,13 +34,13 @@ module InspecPlugins
         if config["token"].nil? && config["refresh_token"].nil?
           if config["server_type"] == "automate"
             server = "automate"
-            msg = "#{EXEC_NAME} compliance login https://your_automate_server --user USER --ent ENT --dctoken DCTOKEN or --token USERTOKEN"
+            msg = "#{EXEC_NAME} [automate|compliance] login https://your_automate_server --user USER --ent ENT --dctoken DCTOKEN or --token USERTOKEN"
           elsif config["server_type"] == "automate2"
             server = "automate2"
-            msg = "#{EXEC_NAME} compliance login https://your_automate2_server --user USER --token APITOKEN"
+            msg = "#{EXEC_NAME} [automate|compliance] login https://your_automate2_server --user USER --token APITOKEN"
           else
             server = "compliance"
-            msg = "#{EXEC_NAME} compliance login https://your_compliance_server --user admin --insecure --token 'PASTE TOKEN HERE' "
+            msg = "#{EXEC_NAME} [automate|compliance] login https://your_compliance_server --user admin --insecure --token 'PASTE TOKEN HERE' "
           end
           raise Inspec::FetcherFailure, <<~EOF
 
@@ -112,7 +112,7 @@ module InspecPlugins
       end
 
       def to_s
-        "#{COMPLIANCE_PRODUCT_NAME} Profile Loader"
+        "#{AUTOMATE_PRODUCT_NAME} Profile Loader"
       end
 
       private
@@ -136,6 +136,7 @@ module InspecPlugins
         if m.nil?
           raise "Unable to determine compliance profile name. This can be caused by " \
             "an incorrect server in your configuration. Try to login to compliance " \
+            "via the `#{EXEC_NAME} automate login` command or " \
             "via the `#{EXEC_NAME} compliance login` command."
         end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec-core
 version: !ruby/object:Gem::Version
-  version: 4.31.0
+  version: 4.37.0
 platform: ruby
 authors:
 - Chef InSpec Team
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-04-07 00:00:00.000000000 Z
+date: 2021-05-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: chef-telemetry
@@ -17,6 +17,9 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.0.8
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -24,6 +27,9 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.0.8
 - !ruby/object:Gem::Dependency
   name: license-acceptance
   requirement: !ruby/object:Gem::Requirement
@@ -223,7 +229,7 @@ dependencies:
         version: 0.9.0
     - - "<"
       - !ruby/object:Gem::Version
-        version: '1.4'
+        version: '1.5'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -233,7 +239,7 @@ dependencies:
         version: 0.9.0
     - - "<"
       - !ruby/object:Gem::Version
-        version: '1.4'
+        version: '1.5'
 - !ruby/object:Gem::Dependency
   name: faraday_middleware
   requirement: !ruby/object:Gem::Requirement
@@ -586,6 +592,7 @@ files:
 - lib/inspec/resources/script.rb
 - lib/inspec/resources/security_identifier.rb
 - lib/inspec/resources/security_policy.rb
+- lib/inspec/resources/selinux.rb
 - lib/inspec/resources/service.rb
 - lib/inspec/resources/shadow.rb
 - lib/inspec/resources/ssh_config.rb