inspec-core 4.31.1 → 4.37.8
- checksums.yaml +4 -4
- data/Gemfile +14 -1
- data/inspec-core.gemspec +2 -2
- data/lib/inspec/base_cli.rb +5 -3
- data/lib/inspec/cli.rb +12 -4
- data/lib/inspec/control_eval_context.rb +1 -0
- data/lib/inspec/fetcher/local.rb +1 -1
- data/lib/inspec/input.rb +39 -4
- data/lib/inspec/input_registry.rb +1 -0
- data/lib/inspec/objects/input.rb +1 -1
- data/lib/inspec/plugin/v2/loader.rb +9 -0
- data/lib/inspec/profile_context.rb +1 -1
- data/lib/inspec/reporters/cli.rb +63 -0
- data/lib/inspec/resources.rb +1 -0
- data/lib/inspec/resources/command.rb +3 -9
- data/lib/inspec/resources/groups.rb +21 -6
- data/lib/inspec/resources/http.rb +1 -1
- data/lib/inspec/resources/mssql_session.rb +1 -1
- data/lib/inspec/resources/mysql_session.rb +1 -1
- data/lib/inspec/resources/pip.rb +1 -1
- data/lib/inspec/resources/registry_key.rb +1 -1
- data/lib/inspec/resources/selinux.rb +154 -0
- data/lib/inspec/resources/users.rb +1 -1
- data/lib/inspec/resources/windows_feature.rb +2 -1
- data/lib/inspec/resources/windows_firewall_rule.rb +1 -1
- data/lib/inspec/rule.rb +9 -1
- data/lib/inspec/runner.rb +1 -1
- data/lib/inspec/utils/erlang_parser.rb +2 -2
- data/lib/inspec/utils/filter.rb +7 -7
- data/lib/inspec/utils/nginx_parser.rb +3 -3
- data/lib/inspec/version.rb +1 -1
- data/lib/plugins/inspec-compliance/README.md +125 -2
- data/lib/plugins/inspec-compliance/lib/inspec-compliance.rb +5 -0
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/api.rb +18 -1
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/api/login.rb +23 -8
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/cli.rb +24 -25
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/target.rb +5 -4
- metadata +11 -4
@@ -7,6 +7,11 @@ module InspecPlugins
|
|
7
7
|
require_relative "inspec-compliance/cli"
|
8
8
|
InspecPlugins::Compliance::CLI
|
9
9
|
end
|
10
|
+
|
11
|
+
cli_command :automate do
|
12
|
+
require_relative "inspec-compliance/cli"
|
13
|
+
InspecPlugins::Compliance::CLI
|
14
|
+
end
|
10
15
|
end
|
11
16
|
|
12
17
|
autoload :Configuration, "plugins/inspec-compliance/lib/inspec-compliance/configuration"
|
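Review bot: The added `cli_command :automate do` block is a line-for-line copy of the `:compliance` registration above it, and nothing in the hunk records that the two names are meant to be aliases for one CLI class. A one-line comment above the new block would keep the two registrations from drifting apart, for example `# "automate" is an alias of "compliance"; both hooks must return the same CLI class`. The enclosing plugin class begins outside this hunk.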
@@ -170,6 +170,23 @@ module InspecPlugins
|
|
170
170
|
[success, msg, access_token]
|
171
171
|
end
|
172
172
|
|
173
|
+
# Use API access token to validate login using version API
|
174
|
+
def self.authenticate_login_using_version_api(url, api_token, insecure)
|
175
|
+
uri = URI.parse("#{url}/version")
|
176
|
+
req = Net::HTTP::Get.new(uri.path)
|
177
|
+
req["api-token"] = api_token
|
178
|
+
response = InspecPlugins::Compliance::HTTP.send_request(uri, req, insecure)
|
179
|
+
|
180
|
+
if response.code == "200"
|
181
|
+
msg = "Successfully Logged In"
|
182
|
+
success = true
|
183
|
+
else
|
184
|
+
success = false
|
185
|
+
msg = "Failed to authenticate to #{url} \n\Response code: #{response.code}\nBody: #{response.body}"
|
186
|
+
end
|
187
|
+
[success, msg]
|
188
|
+
end
|
189
|
+
|
173
190
|
# Use username and password to get an API access token
|
174
191
|
def self.get_token_via_password(url, username, password, insecure)
|
175
192
|
uri = URI.parse("#{url}/login")
|
@@ -357,7 +374,7 @@ module InspecPlugins
|
|
357
374
|
|
358
375
|
Inspec::Log.debug(
|
359
376
|
"Received 200 from #{url}#{compliance_endpoint} - " \
|
360
|
-
"assuming target is a #{
|
377
|
+
"assuming target is a #{AUTOMATE_PRODUCT_NAME} server"
|
361
378
|
)
|
362
379
|
true
|
363
380
|
end
|
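Review bot: `authenticate_login_using_version_api` treats any HTTP 200 from `#{url}/version` as proof that the token is valid, which only holds if that endpoint rejects a request with a missing or wrong `api-token`. That is not visible in this diff and should be confirmed against the server; otherwise an invalid token is reported as "Successfully Logged In" and then stored. The failure branch also interpolates the whole `response.body` into the message, so an arbitrary server or proxy error page ends up on the terminal or in CI logs; truncating it to a short prefix would be safer. The `\n\Response code:` in that string carries a stray backslash and should read `\nResponse code:`.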
@@ -9,7 +9,7 @@ module InspecPlugins
|
|
9
9
|
class CannotDetermineServerType < StandardError; end
|
10
10
|
|
11
11
|
def login(options)
|
12
|
-
raise ArgumentError, "Please specify a server using `#{EXEC_NAME} compliance login https://SERVER`" unless options["server"]
|
12
|
+
raise ArgumentError, "Please specify a server using `#{EXEC_NAME} automate login https://SERVER` or `#{EXEC_NAME} compliance login https://SERVER`" unless options["server"]
|
13
13
|
|
14
14
|
options["server"] = URI("https://#{options["server"]}").to_s if URI(options["server"]).scheme.nil?
|
15
15
|
|
@@ -33,7 +33,8 @@ module InspecPlugins
|
|
33
33
|
|
34
34
|
options["url"] = options["server"] + "/api/v0"
|
35
35
|
token = options["dctoken"] || options["token"]
|
36
|
-
|
36
|
+
success, msg = API::Login.authenticate_login(options)
|
37
|
+
success ? store_access_token(options, token) : msg
|
37
38
|
end
|
38
39
|
|
39
40
|
def self.store_access_token(options, token)
|
@@ -52,7 +53,7 @@ module InspecPlugins
|
|
52
53
|
config["version"] = "0"
|
53
54
|
|
54
55
|
config.store
|
55
|
-
config
|
56
|
+
API::Login.configuration_stored_message(config)
|
56
57
|
end
|
57
58
|
|
58
59
|
def self.verify_thor_options(o)
|
@@ -74,7 +75,8 @@ module InspecPlugins
|
|
74
75
|
|
75
76
|
options["url"] = options["server"] + "/compliance"
|
76
77
|
token = options["dctoken"] || options["token"]
|
77
|
-
|
78
|
+
success, msg = API::Login.authenticate_login(options)
|
79
|
+
success ? store_access_token(options, token) : msg
|
78
80
|
end
|
79
81
|
|
80
82
|
def self.store_access_token(options, token)
|
@@ -99,7 +101,7 @@ module InspecPlugins
|
|
99
101
|
config["version"] = InspecPlugins::Compliance::API.version(config)
|
100
102
|
|
101
103
|
config.store
|
102
|
-
config
|
104
|
+
API::Login.configuration_stored_message(config)
|
103
105
|
end
|
104
106
|
|
105
107
|
# Automate login requires `--ent`, `--user`, and either `--token` or `--dctoken`
|
@@ -126,7 +128,8 @@ module InspecPlugins
|
|
126
128
|
options["url"] = options["server"] + "/api"
|
127
129
|
|
128
130
|
if options["user"] && options["token"]
|
129
|
-
|
131
|
+
success, msg = API::Login.authenticate_login(options)
|
132
|
+
success ? compliance_store_access_token(options, options["token"]) : msg
|
130
133
|
elsif options["user"] && options["password"]
|
131
134
|
compliance_login_user_pass(options)
|
132
135
|
elsif options["refresh_token"]
|
@@ -171,7 +174,7 @@ module InspecPlugins
|
|
171
174
|
config["version"] = InspecPlugins::Compliance::API.version(config)
|
172
175
|
|
173
176
|
config.store
|
174
|
-
config
|
177
|
+
API::Login.configuration_stored_message(config)
|
175
178
|
end
|
176
179
|
|
177
180
|
# Compliance login requires `--user` or `--refresh_token`
|
@@ -179,7 +182,7 @@ module InspecPlugins
|
|
179
182
|
def self.compliance_verify_thor_options(o)
|
180
183
|
error_msg = []
|
181
184
|
|
182
|
-
error_msg.push("Please specify a server using `#{EXEC_NAME} compliance login https://SERVER`") if o["server"].nil?
|
185
|
+
error_msg.push("Please specify a server using `#{EXEC_NAME} automate login https://SERVER` or `#{EXEC_NAME} compliance login https://SERVER`") if o["server"].nil?
|
183
186
|
|
184
187
|
if o["user"].nil? && o["refresh_token"].nil?
|
185
188
|
error_msg.push("Please specify a `--user='USER'` or a `--refresh-token='TOKEN'`")
|
@@ -192,6 +195,18 @@ module InspecPlugins
|
|
192
195
|
raise ArgumentError, error_msg.join("\n") unless error_msg.empty?
|
193
196
|
end
|
194
197
|
end
|
198
|
+
|
199
|
+
def self.authenticate_login(options)
|
200
|
+
InspecPlugins::Compliance::API.authenticate_login_using_version_api(
|
201
|
+
options["url"],
|
202
|
+
options["token"],
|
203
|
+
options["insecure"]
|
204
|
+
)
|
205
|
+
end
|
206
|
+
|
207
|
+
def self.configuration_stored_message(config)
|
208
|
+
"Stored configuration for Chef #{config["server_type"].capitalize}: #{config["server"]}' with user: '#{config["user"]}'"
|
209
|
+
end
|
195
210
|
end
|
196
211
|
end
|
197
212
|
end
|
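Review bot: `authenticate_login` always sends `options["token"]`, but two of the three call sites first compute `token = options["dctoken"] || options["token"]` and then store that `token` on success. When a user logs in with only `--dctoken`, the check therefore runs with a nil `api-token` while a different credential is the one written to the configuration, so the stored token is never the one that was validated. Passing the chosen value through would keep the two in step, e.g. `success, msg = API::Login.authenticate_login(options, token)` with the helper forwarding `token` instead of `options["token"]`. Whether the version API accepts a data collector token at all cannot be told from this diff and should be confirmed before wiring it in. The `login` methods in these hunks begin outside the visible lines.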
@@ -6,13 +6,12 @@ module InspecPlugins
|
|
6
6
|
module Compliance
|
7
7
|
class CLI < Inspec.plugin(2, :cli_command)
|
8
8
|
include Inspec::Dist
|
9
|
-
|
10
|
-
subcommand_desc "compliance SUBCOMMAND", "#{COMPLIANCE_PRODUCT_NAME} commands"
|
9
|
+
subcommand_desc "automate SUBCOMMAND or compliance SUBCOMMAND", "#{AUTOMATE_PRODUCT_NAME} commands"
|
11
10
|
|
12
11
|
# desc "login https://SERVER --insecure --user='USER' --ent='ENTERPRISE' --token='TOKEN'", 'Log in to a Chef Compliance/Chef Automate SERVER'
|
13
|
-
desc "login", "Log in to a #{
|
12
|
+
desc "login", "Log in to a #{AUTOMATE_PRODUCT_NAME} SERVER"
|
14
13
|
long_desc <<-LONGDESC
|
15
|
-
`login` allows you to use InSpec with #{AUTOMATE_PRODUCT_NAME}
|
14
|
+
`login` allows you to use InSpec with #{AUTOMATE_PRODUCT_NAME} Server
|
16
15
|
|
17
16
|
You need to a token for communication. More information about token retrieval
|
18
17
|
is available at:
|
@@ -24,23 +23,22 @@ module InspecPlugins
|
|
24
23
|
option :user, type: :string, required: false,
|
25
24
|
desc: "Username"
|
26
25
|
option :password, type: :string, required: false,
|
27
|
-
desc: "Password (#{
|
26
|
+
desc: "Password (#{AUTOMATE_PRODUCT_NAME} Only)"
|
28
27
|
option :token, type: :string, required: false,
|
29
28
|
desc: "Access token"
|
30
29
|
option :refresh_token, type: :string, required: false,
|
31
|
-
desc: "#{
|
30
|
+
desc: "#{AUTOMATE_PRODUCT_NAME} refresh token (#{AUTOMATE_PRODUCT_NAME} Only)"
|
32
31
|
option :dctoken, type: :string, required: false,
|
33
32
|
desc: "Data Collector token (#{AUTOMATE_PRODUCT_NAME} Only)"
|
34
33
|
option :ent, type: :string, required: false,
|
35
34
|
desc: "Enterprise for #{AUTOMATE_PRODUCT_NAME} reporting (#{AUTOMATE_PRODUCT_NAME} Only)"
|
36
35
|
def login(server)
|
37
36
|
options["server"] = server
|
38
|
-
InspecPlugins::Compliance::API.login(options)
|
39
|
-
|
40
|
-
puts "Stored configuration for Chef #{config["server_type"].capitalize}: #{config["server"]}' with user: '#{config["user"]}'"
|
37
|
+
login_response = InspecPlugins::Compliance::API.login(options)
|
38
|
+
puts login_response
|
41
39
|
end
|
42
40
|
|
43
|
-
desc "profiles", "list all available profiles in #{
|
41
|
+
desc "profiles", "list all available profiles in #{AUTOMATE_PRODUCT_NAME}"
|
44
42
|
option :owner, type: :string, required: false,
|
45
43
|
desc: "owner whose profiles to list"
|
46
44
|
def profiles
|
@@ -65,11 +63,11 @@ module InspecPlugins
|
|
65
63
|
exit 1
|
66
64
|
end
|
67
65
|
rescue InspecPlugins::Compliance::ServerConfigurationMissing
|
68
|
-
$stderr.puts "\nServer configuration information is missing. Please login using `#{EXEC_NAME}
|
66
|
+
$stderr.puts "\nServer configuration information is missing. Please login using `#{EXEC_NAME} #{subcommand_name} login`"
|
69
67
|
exit 1
|
70
68
|
end
|
71
69
|
|
72
|
-
desc "exec PROFILE", "executes a #{
|
70
|
+
desc "exec PROFILE", "executes a #{AUTOMATE_PRODUCT_NAME} profile"
|
73
71
|
exec_options
|
74
72
|
def exec(*tests)
|
75
73
|
compliance_config = InspecPlugins::Compliance::Configuration.new
|
@@ -91,7 +89,7 @@ module InspecPlugins
|
|
91
89
|
exit 1
|
92
90
|
end
|
93
91
|
|
94
|
-
desc "download PROFILE", "downloads a profile from #{
|
92
|
+
desc "download PROFILE", "downloads a profile from #{AUTOMATE_PRODUCT_NAME}"
|
95
93
|
option :name, type: :string,
|
96
94
|
desc: "Name of the archive filename (file type will be added)"
|
97
95
|
def download(profile_name)
|
@@ -116,12 +114,12 @@ module InspecPlugins
|
|
116
114
|
file_name = fetcher.fetch(o.name || id)
|
117
115
|
puts "Profile stored to #{file_name}"
|
118
116
|
else
|
119
|
-
puts "Profile #{profile_name} is not available in #{
|
117
|
+
puts "Profile #{profile_name} is not available in #{AUTOMATE_PRODUCT_NAME}."
|
120
118
|
exit 1
|
121
119
|
end
|
122
120
|
end
|
123
121
|
|
124
|
-
desc "upload PATH", "uploads a local profile to #{
|
122
|
+
desc "upload PATH", "uploads a local profile to #{AUTOMATE_PRODUCT_NAME}"
|
125
123
|
option :overwrite, type: :boolean, default: false,
|
126
124
|
desc: "Overwrite existing profile on Server."
|
127
125
|
option :owner, type: :string, required: false,
|
@@ -167,7 +165,7 @@ module InspecPlugins
|
|
167
165
|
|
168
166
|
# determine user information
|
169
167
|
if (config["token"].nil? && config["refresh_token"].nil?) || config["user"].nil?
|
170
|
-
error.call("Please login via `#{EXEC_NAME}
|
168
|
+
error.call("Please login via `#{EXEC_NAME} #{subcommand_name} login`")
|
171
169
|
end
|
172
170
|
|
173
171
|
# read profile name from inspec.yml
|
@@ -202,11 +200,8 @@ module InspecPlugins
|
|
202
200
|
puts "Start upload to #{config["owner"]}/#{profile_name}"
|
203
201
|
pname = ERB::Util.url_encode(profile_name)
|
204
202
|
|
205
|
-
|
206
|
-
|
207
|
-
else
|
208
|
-
puts "Uploading to #{COMPLIANCE_PRODUCT_NAME}"
|
209
|
-
end
|
203
|
+
puts "Uploading to #{AUTOMATE_PRODUCT_NAME}"
|
204
|
+
|
210
205
|
success, msg = InspecPlugins::Compliance::API.upload(config, config["owner"], pname, archive_path)
|
211
206
|
|
212
207
|
# delete temp file if it was temporary generated
|
@@ -221,7 +216,7 @@ module InspecPlugins
|
|
221
216
|
end
|
222
217
|
end
|
223
218
|
|
224
|
-
desc "version", "displays the version of the #{
|
219
|
+
desc "version", "displays the version of the #{AUTOMATE_PRODUCT_NAME} server"
|
225
220
|
def version
|
226
221
|
config = InspecPlugins::Compliance::Configuration.new
|
227
222
|
info = InspecPlugins::Compliance::API.version(config)
|
@@ -233,11 +228,11 @@ module InspecPlugins
|
|
233
228
|
exit 1
|
234
229
|
end
|
235
230
|
rescue InspecPlugins::Compliance::ServerConfigurationMissing
|
236
|
-
puts "\nServer configuration information is missing. Please login using `#{EXEC_NAME}
|
231
|
+
puts "\nServer configuration information is missing. Please login using `#{EXEC_NAME} #{subcommand_name} login`"
|
237
232
|
exit 1
|
238
233
|
end
|
239
234
|
|
240
|
-
desc "logout", "user logout from #{
|
235
|
+
desc "logout", "user logout from #{AUTOMATE_PRODUCT_NAME}"
|
241
236
|
def logout
|
242
237
|
config = InspecPlugins::Compliance::Configuration.new
|
243
238
|
unless config.supported?(:oidc) || config["token"].nil? || config["server_type"] == "automate"
|
@@ -258,9 +253,13 @@ module InspecPlugins
|
|
258
253
|
|
259
254
|
def loggedin(config)
|
260
255
|
serverknown = !config["server"].nil?
|
261
|
-
puts "You need to login first with `#{EXEC_NAME}
|
256
|
+
puts "You need to login first with `#{EXEC_NAME} #{subcommand_name} login`" unless serverknown
|
262
257
|
serverknown
|
263
258
|
end
|
259
|
+
|
260
|
+
def subcommand_name
|
261
|
+
@_invocations[Inspec::InspecCLI]&.first || "automate"
|
262
|
+
end
|
264
263
|
end
|
265
264
|
|
266
265
|
# register the subcommand to InSpec CLI registry
|
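Review bot: In `login`, the value returned by `InspecPlugins::Compliance::API.login(options)` is printed with `puts login_response` whether it is the "Stored configuration" text or an authentication failure message, so a failed login goes to stdout and, as far as this hunk shows, the command still exits with status 0. The other commands in this file end their failure paths with `exit 1`, and scripts or CI jobs that call the login command will not notice a rejected token. Consider having the API layer return the success flag alongside the message (or raise), and on failure use `$stderr.puts msg` followed by `exit 1`. Separately, `subcommand_name` reads Thor's internal `@_invocations`; a comment saying why that private state is used would help the next maintainer.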
@@ -34,13 +34,13 @@ module InspecPlugins
|
|
34
34
|
if config["token"].nil? && config["refresh_token"].nil?
|
35
35
|
if config["server_type"] == "automate"
|
36
36
|
server = "automate"
|
37
|
-
msg = "#{EXEC_NAME} compliance login https://your_automate_server --user USER --ent ENT --dctoken DCTOKEN or --token USERTOKEN"
|
37
|
+
msg = "#{EXEC_NAME} [automate|compliance] login https://your_automate_server --user USER --ent ENT --dctoken DCTOKEN or --token USERTOKEN"
|
38
38
|
elsif config["server_type"] == "automate2"
|
39
39
|
server = "automate2"
|
40
|
-
msg = "#{EXEC_NAME} compliance login https://your_automate2_server --user USER --token APITOKEN"
|
40
|
+
msg = "#{EXEC_NAME} [automate|compliance] login https://your_automate2_server --user USER --token APITOKEN"
|
41
41
|
else
|
42
42
|
server = "compliance"
|
43
|
-
msg = "#{EXEC_NAME} compliance login https://your_compliance_server --user admin --insecure --token 'PASTE TOKEN HERE' "
|
43
|
+
msg = "#{EXEC_NAME} [automate|compliance] login https://your_compliance_server --user admin --insecure --token 'PASTE TOKEN HERE' "
|
44
44
|
end
|
45
45
|
raise Inspec::FetcherFailure, <<~EOF
|
46
46
|
|
@@ -112,7 +112,7 @@ module InspecPlugins
|
|
112
112
|
end
|
113
113
|
|
114
114
|
def to_s
|
115
|
-
"#{
|
115
|
+
"#{AUTOMATE_PRODUCT_NAME} Profile Loader"
|
116
116
|
end
|
117
117
|
|
118
118
|
private
|
@@ -136,6 +136,7 @@ module InspecPlugins
|
|
136
136
|
if m.nil?
|
137
137
|
raise "Unable to determine compliance profile name. This can be caused by " \
|
138
138
|
"an incorrect server in your configuration. Try to login to compliance " \
|
139
|
+
"via the `#{EXEC_NAME} automate login` command or " \
|
139
140
|
"via the `#{EXEC_NAME} compliance login` command."
|
140
141
|
end
|
141
142
|
|
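Review bot: The rewritten help text for the compliance server type still recommends `login https://your_compliance_server --user admin --insecure --token 'PASTE TOKEN HERE'`, so users who paste it will send their token with certificate verification switched off, assuming `--insecure` has its usual meaning for this CLI. Since the line is being edited anyway, drop `--insecure` from the suggested command and mention it separately as an option for servers with self-signed certificates. The enclosing method starts and ends outside this hunk.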
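--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec-core
 version: !ruby/object:Gem::Version
-version: 4.
+version: 4.37.8
 platform: ruby
 authors:
 - Chef InSpec Team
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-
+date: 2021-05-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: chef-telemetry
@@ -17,6 +17,9 @@ dependencies:
 - - "~>"
 - !ruby/object:Gem::Version
 version: '1.0'
+- - ">="
+- !ruby/object:Gem::Version
+version: 1.0.8
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
@@ -24,6 +27,9 @@ dependencies:
 - - "~>"
 - !ruby/object:Gem::Version
 version: '1.0'
+- - ">="
+- !ruby/object:Gem::Version
+version: 1.0.8
 - !ruby/object:Gem::Dependency
 name: license-acceptance
 requirement: !ruby/object:Gem::Requirement
@@ -223,7 +229,7 @@ dependencies:
 version: 0.9.0
 - - "<"
 - !ruby/object:Gem::Version
-version: '1.
+version: '1.5'
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
@@ -233,7 +239,7 @@ dependencies:
 version: 0.9.0
 - - "<"
 - !ruby/object:Gem::Version
-version: '1.
+version: '1.5'
 - !ruby/object:Gem::Dependency
 name: faraday_middleware
 requirement: !ruby/object:Gem::Requirement
@@ -586,6 +592,7 @@ files:
 - lib/inspec/resources/script.rb
 - lib/inspec/resources/security_identifier.rb
 - lib/inspec/resources/security_policy.rb
+- lib/inspec/resources/selinux.rb
 - lib/inspec/resources/service.rb
 - lib/inspec/resources/shadow.rb
 - lib/inspec/resources/ssh_config.rb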