inspec-core 4.32.0 → 4.37.17

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a32d0575d09a6902a6a3fbce06ed7aaf7757e3604039334ecc9aa9adc9830298
-  data.tar.gz: 3df4dd2409d4456c4f42fe666bddd9407c3eadff754f852206bbcd81927967b2
+  metadata.gz: 72cf7b34a66e5b4d2e79329b3530d14e16f5d6eaf75b76322d8e926655573ed4
+  data.tar.gz: dd99f49c67c10ca4d97f464331aab65cf286f5ffa355526b8dc39c62ef0620f6
 SHA512:
-  metadata.gz: 298d75a54ef15d4f880eff7b049d361281511ca3705476550747c4f863ac3d97325fd1796cf99de4af44e179a0003c04db142ed3fda59547cd82dad3a4ec57ca
-  data.tar.gz: 14733ae7b9dbeec40c07654d83a65eed7e2d81dc18b2c9c813de4a99465b13117d0c2dbde25e6b51b26cf275c49cf78ac3eba8a991eb59e6914414f812fe89b2
+  metadata.gz: 2dc77b50b2fa6bc122ac9458030c6a905e56dfbee365dfe21118ec5d26eb87fc0019b035a0e5860c4863289a50a82a8528745db9c1318567d39971cfe90100be
+  data.tar.gz: a53f07e9e2b52be166ca2c33afa68db9c424efb6f47e3fd4b741f913e6d667a6f57a5f59ec835ec7ed23caf88c9c60ee10a23f1f000e2c931b5535777934eeb3

data/Gemfile

@@ -28,7 +28,7 @@ group :omnibus do
 end
 
 group :test do
-  gem "chefstyle", "~> 1.7.1"
+  gem "chefstyle", "~> 2.0.3"
   gem "concurrent-ruby", "~> 1.0"
   gem "html-proofer", platforms: :ruby # do not attempt to run proofer on windows
   gem "json_schemer", ">= 0.2.1", "< 0.2.19"
@@ -48,3 +48,16 @@ end
 group :deploy do
   gem "inquirer"
 end
+
+# Only include Test Kitchen support if we are on Ruby 2.7 or higher
+# as chef-zero support requires Ruby 2.6
+# See https://github.com/inspec/inspec/pull/5341
+if Gem.ruby_version >= Gem::Version.new("2.7.0")
+  group :kitchen do
+    gem "berkshelf"
+    gem "test-kitchen", ">= 2.8"
+    gem "kitchen-inspec", ">= 2.0"
+    gem "kitchen-dokken", ">= 2.11"
+    gem "git"
+  end
+end

data/inspec-core.gemspec

@@ -23,7 +23,7 @@ Gem::Specification.new do |spec|
       .reject { |f| File.directory?(f) }
 
   # Implementation dependencies
-  spec.add_dependency "chef-telemetry",     "~> 1.0"
+  spec.add_dependency "chef-telemetry",     "~> 1.0", ">= 1.0.8" # 1.0.8+ removes the http dep
   spec.add_dependency "license-acceptance", ">= 0.2.13", "< 3.0"
   spec.add_dependency "thor",               ">= 0.20", "< 2.0"
   spec.add_dependency "method_source",      ">= 0.8", "< 2.0"
@@ -35,7 +35,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency "mixlib-log",         "~> 3.0"
   spec.add_dependency "sslshake",           "~> 1.2"
   spec.add_dependency "parallel",           "~> 1.9"
-  spec.add_dependency "faraday",            ">= 0.9.0", "< 1.4"
+  spec.add_dependency "faraday",            ">= 0.9.0", "< 1.5"
   spec.add_dependency "faraday_middleware", "~> 1.0"
   spec.add_dependency "tty-table",          "~> 0.10"
   spec.add_dependency "tty-prompt",         "~> 0.17"

data/lib/inspec/base_cli.rb

@@ -168,9 +168,11 @@ module Inspec
         desc: "After normal execution order, results are sorted by control ID, or by file (default), or randomly. None uses legacy unsorted mode."
       option :filter_empty_profiles, type: :boolean, default: false,
         desc: "Filter empty profiles (profiles without controls) from the report."
-      option :command_timeout, type: :numeric, default: 3600,
-        desc: "Maximum seconds to allow commands to run during execution. Default 3600.",
-        long_desc: "Maximum seconds to allow commands to run during execution. Default 3600. A timed out command is considered an error."
+      option :command_timeout, type: :numeric,
+        desc: "Maximum seconds to allow commands to run during execution.",
+        long_desc: "Maximum seconds to allow commands to run during execution. A timed out command is considered an error."
+      option :reporter_include_source, type: :boolean, default: false,
+        desc: "Include full source code of controls in the CLI report"
     end
 
     def self.help(*args)

data/lib/inspec/cli.rb

@@ -218,9 +218,13 @@ class Inspec::InspecCLI < Inspec::BaseCLI
 
     Automate:
       ```
-      #{Inspec::Dist::EXEC_NAME} compliance login
+      #{Inspec::Dist::EXEC_NAME} automate login
       #{Inspec::Dist::EXEC_NAME} exec compliance://username/linux-baseline
       ```
+      `inspec compliance` is a backwards compatible alias for `inspec automate` and works the same way:
+      ```
+      #{Inspec::Dist::EXEC_NAME} compliance login
+      ```
 
     Supermarket:
       ```
@@ -321,9 +325,9 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     desc: "A space-delimited list of local folders containing profiles whose libraries and resources will be loaded into the new shell"
   option :distinct_exit, type: :boolean, default: true,
     desc: "Exit with code 100 if any tests fail, and 101 if any are skipped but none failed (default).  If disabled, exit 0 on skips and 1 for failures."
-  option :command_timeout, type: :numeric, default: 3600,
-      desc: "Maximum seconds to allow a command to run. Default 3600.",
-      long_desc: "Maximum seconds to allow commands to run. Default 3600. A timed out command is considered an error."
+  option :command_timeout, type: :numeric,
+      desc: "Maximum seconds to allow a command to run.",
+      long_desc: "Maximum seconds to allow commands to run. A timed out command is considered an error."
   option :inspect, type: :boolean, default: false, desc: "Use verbose/debugging output for resources."
   option :input_file, type: :array,
     desc: "Load one or more input files, a YAML file with values for the shell to use"

data/lib/inspec/control_eval_context.rb

@@ -194,6 +194,7 @@ module Inspec
 
     # Check if the given control exist in the --controls option
     def control_exist_in_controls_list?(id)
+      id_exist_in_list = false
       if profile_config_exist?
         id_exist_in_list = @conf["profile"].include_controls_list.any? do |inclusion|
           # Try to see if the inclusion is a regex, and if it matches

data/lib/inspec/fetcher/local.rb

@@ -31,7 +31,7 @@ module Inspec::Fetcher
         target = target.gsub(%r{^file://}, "")
       else
         # support for windows paths
-        target = target.tr('\\', "/")
+        target = target.tr("\\", "/")
       end
 
       target if File.exist?(File.expand_path(target))

data/lib/inspec/input.rb

@@ -19,12 +19,17 @@ module Inspec
       attr_accessor :input_name
       attr_accessor :input_value
       attr_accessor :input_type
+      attr_accessor :input_pattern
     end
 
     class TypeError < Error
       attr_accessor :input_type
     end
 
+    class PatternError < Error
+      attr_accessor :input_pattern
+    end
+
     class RequiredError < Error
       attr_accessor :input_name
     end
@@ -56,7 +61,6 @@ module Inspec
 
       def initialize(properties = {})
         @value_has_been_set = false
-
         properties.each do |prop_name, prop_value|
           if EVENT_PROPERTIES.include? prop_name
             # OK, save the property
@@ -174,7 +178,7 @@ module Inspec
     # are free to go higher.
     DEFAULT_PRIORITY_FOR_VALUE_SET = 60
 
-    attr_reader :description, :events, :identifier, :name, :required, :sensitive, :title, :type
+    attr_reader :description, :events, :identifier, :name, :required, :sensitive, :title, :type, :pattern
 
     def initialize(name, options = {})
       @name = name
@@ -192,7 +196,6 @@ module Inspec
       # debugging record of when and how the value changed.
       @events = []
       events.push make_creation_event(options)
-
       update(options)
     end
 
@@ -213,6 +216,7 @@ module Inspec
     def update(options)
       _update_set_metadata(options)
       normalize_type_restriction!
+      normalize_pattern_restriction!
 
       # Values are set by passing events in; but we can also infer an event.
       if options.key?(:value) || options.key?(:default)
@@ -227,6 +231,7 @@ module Inspec
       events << options[:event] if options.key? :event
 
       enforce_type_restriction!
+      enforce_pattern_restriction!
     end
 
     # We can determine a value:
@@ -268,6 +273,7 @@ module Inspec
       @identifier = options[:identifier] if options.key?(:identifier) # TODO: determine if this is ever used
       @type = options[:type] if options.key?(:type)
       @sensitive = options[:sensitive] if options.key?(:sensitive)
+      @pattern = options[:pattern] if options.key?(:pattern)
     end
 
     def make_creation_event(options)
@@ -310,7 +316,9 @@ module Inspec
         file: location.path,
         line: location.lineno
       )
+
       enforce_type_restriction!
+      enforce_pattern_restriction!
     end
 
     def value
@@ -324,7 +332,7 @@ module Inspec
 
     def to_hash
       as_hash = { name: name, options: {} }
-      %i{description title identifier type required value sensitive}.each do |field|
+      %i{description title identifier type required value sensitive pattern}.each do |field|
         val = send(field)
         next if val.nil?
 
@@ -407,6 +415,33 @@ module Inspec
       @type = type_req
     end
 
+    def enforce_pattern_restriction!
+      return unless pattern
+      return unless has_value?
+
+      string_value = current_value(false).to_s
+
+      valid_pattern = string_value.match?(pattern)
+      unless valid_pattern
+        error = Inspec::Input::ValidationError.new
+        error.input_name = @name
+        error.input_value = string_value
+        error.input_pattern = pattern
+        raise error, "Input '#{error.input_name}' with value '#{error.input_value}' does not validate to pattern '#{error.input_pattern}'."
+      end
+    end
+
+    def normalize_pattern_restriction!
+      return unless pattern
+
+      unless valid_regexp?(pattern)
+        error = Inspec::Input::PatternError.new
+        error.input_pattern = pattern
+        raise error, "Pattern '#{error.input_pattern}' is not a valid regex pattern."
+      end
+      @pattern = pattern
+    end
+
     def valid_numeric?(value)
       Float(value)
       true

data/lib/inspec/input_registry.rb

@@ -325,6 +325,7 @@ module Inspec
         type: input_options[:type],
         required: input_options[:required],
         sensitive: input_options[:sensitive],
+        pattern: input_options[:pattern],
         event: evt
       )
     end

data/lib/inspec/objects/input.rb

@@ -20,7 +20,7 @@ module Inspec
 
     def to_hash
       as_hash = { name: name, options: {} }
-      %i{description title identifier type required value}.each do |field|
+      %i{description title identifier type required value pattern}.each do |field|
         val = send(field)
         next if val.nil?
 

data/lib/inspec/plugin/v2/loader.rb

@@ -117,6 +117,15 @@ module Inspec::Plugin::V2
         # `inspec dosomething` => activate the :dosomething hook
         activate_me ||= cli_args.include?(act.activator_name.to_s)
 
+        # Only one compliance command to be activated at one time.
+        # Since both commands are defined in the same class,
+        # activators were not getting fetched uniquely.
+        if cli_args.include?("automate") && act.activator_name.to_s.eql?("compliance")
+          activate_me = false
+        elsif cli_args.include?("compliance") && act.activator_name.to_s.eql?("automate")
+          activate_me = false
+        end
+
         # OK, activate.
         if activate_me
           act.activate

data/lib/inspec/profile_context.rb

@@ -91,7 +91,7 @@ module Inspec
     end
 
     def all_controls
-      ret = @rules.values
+      ret = @rules.values.compact
       ret += @control_subcontexts.map(&:all_rules).flatten
       ret
     end

data/lib/inspec/reporters/cli.rb

@@ -41,12 +41,14 @@ module Inspec::Reporters
     MULTI_TEST_CONTROL_SUMMARY_MAX_LEN = 60
 
     def render
+      @src_extent_map = {}
       run_data[:profiles].each do |profile|
         if profile[:status] == "skipped"
           platform = run_data[:platform]
           output("Skipping profile: '#{profile[:name]}' on unsupported platform: '#{platform[:name]}/#{platform[:release]}'.")
           next
         end
+        read_control_source(profile)
         @control_count = 0
         output("")
         print_profile_header(profile)
@@ -89,6 +91,7 @@ module Inspec::Reporters
         next if control.results.nil?
 
         output(format_control_header(control))
+        output(format_control_source(control)) if Inspec::Config.cached[:reporter_include_source]
         control.results.each do |result|
           output(format_result(control, result, :standard))
           @control_count += 1
@@ -127,6 +130,62 @@ module Inspec::Reporters
       )
     end
 
+    def format_control_source(control)
+      src = @control_source[control.id]
+      message  = "Control Source from #{src[:path]}:#{src[:start]}..#{src[:end]}\n"
+      message += src[:content]
+      format_message(
+        color: "skipped",
+        indentation: 5,
+        message: message
+      )
+    end
+
+    def read_control_source(profile)
+      return unless Inspec::Config.cached[:reporter_include_source]
+
+      @control_source = {}
+      src_extent_map = {}
+
+      # First pass: build map of paths => ids => [start]
+      all_unique_controls.each do |control|
+        id = control[:id]
+        path = control[:source_location][:ref]
+        start = control[:source_location][:line]
+        next if path.nil? || start.nil?
+
+        src_extent_map[path] ||= []
+        src_extent_map[path] << { start: start, id: id }
+      end
+
+      # Now sort the controls by their starting line in their control file
+      src_extent_map.values.each do |extent_list|
+        extent_list.sort! { |a, b| a[:start] <=> b[:start] }
+      end
+
+      # Third pass: Read in files and split into lines
+      src_extent_map.keys.each do |path|
+        control_file_lines = File.read(path).lines # TODO error handling
+        last_line_in_file = control_file_lines.count
+        extent_list = src_extent_map[path]
+        extent_list.each_with_index do |extent, idx|
+          if idx == extent_list.count - 1 # Last entry
+            extent[:end] = last_line_in_file
+          else
+            extent[:end] = extent_list[idx + 1][:start] - 1
+          end
+
+          @control_source[extent[:id]] =
+            {
+              path: path,
+              start: extent[:start],
+              end: extent[:end],
+              content: control_file_lines.slice(extent[:start] - 1, extent[:end] - extent[:start] + 1).join(""),
+            }
+        end
+      end
+    end
+
     def format_result(control, result, type)
       impact = control.impact_string_for_result(result)
 
@@ -312,6 +371,10 @@ module Inspec::Reporters
         data[:impact]
       end
 
+      def source_location
+        data[:source_location]
+      end
+
       def anonymous?
         id.start_with?("(generated from ")
       end

data/lib/inspec/resources.rb

@@ -103,6 +103,7 @@ require "inspec/resources/rabbitmq_config"
 require "inspec/resources/registry_key"
 require "inspec/resources/security_identifier"
 require "inspec/resources/security_policy"
+require "inspec/resources/selinux"
 require "inspec/resources/service"
 require "inspec/resources/shadow"
 require "inspec/resources/ssh_config"

data/lib/inspec/resources/command.rb

@@ -31,17 +31,11 @@ module Inspec::Resources
       end
 
       @command = cmd
-
-      cli_timeout = Inspec::Config.cached["command_timeout"].to_i
+      cli_timeout = Inspec::Config.cached["command_timeout"]&.to_i
       # Can access this via Inspec::InspecCLI.commands["exec"].options[:command_timeout].default,
       # but that may not be loaded for kitchen-inspec and other pure gem consumers
-      default_cli_timeout = 3600
-      cli_timeout = default_cli_timeout if cli_timeout == 0 # Under test-kitchen we get a 0 timeout, which can't be a resonable value
-      if cli_timeout != default_cli_timeout
-        @timeout = cli_timeout
-      else
-        @timeout = options[:timeout]&.to_i || default_cli_timeout
-      end
+      cli_timeout = nil if cli_timeout == 0 # Under test-kitchen we get a 0 timeout, which can't be a resonable value
+      @timeout = cli_timeout || options[:timeout]&.to_i
 
       if options[:redact_regex]
         unless options[:redact_regex].is_a?(Regexp)

data/lib/inspec/resources/file.rb

@@ -136,10 +136,10 @@ module Inspec::Resources
     alias sticky? sticky
 
     def more_permissive_than?(max_mode = nil)
-      raise Inspec::Exceptions::ResourceFailed, "The file" + file.path + "doesn't seem to exist" unless exist?
-      raise ArgumentError, "You must proivde a value for the `maximum allowable permission` for the file." if max_mode.nil?
-      raise ArgumentError, "You must proivde the `maximum permission target` as a `String`, you provided: " + max_mode.class.to_s unless max_mode.is_a?(String)
-      raise ArgumentError, "The value of the `maximum permission target` should be a valid file mode in 4-ditgit octal format: for example, `0644` or `0777`" unless /(0)?([0-7])([0-7])([0-7])/.match?(max_mode)
+      return nil unless exist?
+      raise ArgumentError, "You must provide a value for the `maximum allowable permission` for the file." if max_mode.nil?
+      raise ArgumentError, "You must provide the `maximum permission target` as a `String`, you provided: " + max_mode.class.to_s unless max_mode.is_a?(String)
+      raise ArgumentError, "The value of the `maximum permission target` should be a valid file mode in 4-digit octal format: for example, `0644` or `0777`" unless /(0)?([0-7])([0-7])([0-7])/.match?(max_mode)
 
       # Using the files mode and a few bit-wise calculations we can ensure a
       # file is no more permisive than desired.
@@ -160,7 +160,6 @@ module Inspec::Resources
 
       max_mode = max_mode.to_i(8)
       inv_mode = 0777 ^ max_mode
-
       inv_mode & file.mode != 0
     end
 

data/lib/inspec/resources/groups.rb

@@ -49,10 +49,11 @@ module Inspec::Resources
 
     filter = FilterTable.create
     filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
-    filter.register_column(:names, field: "name")
-      .register_column(:gids,      field: "gid")
-      .register_column(:domains,   field: "domain")
-      .register_column(:members,   field: "members", style: :simple)
+    filter.register_column(:names,       field: "name")
+      .register_column(:gids,            field: "gid")
+      .register_column(:domains,         field: "domain")
+      .register_column(:members,         field: "members", style: :simple)
+      .register_column(:members_array,   field: "members_array", style: :simple)
     filter.install_filter_methods_on_resource(self, :collect_group_details)
 
     def to_s
@@ -63,7 +64,13 @@ module Inspec::Resources
 
     # collects information about every group
     def collect_group_details
-      return @groups_cache ||= @group_provider.groups unless @group_provider.nil?
+      unless @group_provider.nil?
+        modified_groups_info = @group_provider.groups
+        unless modified_groups_info.empty?
+          modified_groups_info.each { |hashmap| hashmap["members_array"] = hashmap["members"].is_a?(Array) ? hashmap["members"] : hashmap["members"]&.split(",") }
+        end
+        return @groups_cache ||= modified_groups_info
+      end
 
       []
     end
@@ -111,7 +118,11 @@ module Inspec::Resources
     end
 
     def members
-      flatten_entry(group_info, "members")
+      flatten_entry(group_info, "members") || empty_value_for_members
+    end
+
+    def members_array
+      flatten_entry(group_info, "members_array") || []
     end
 
     def local
@@ -141,6 +152,10 @@ module Inspec::Resources
       group = @group.dup
       @groups_cache ||= inspec.groups.where { name == group }
     end
+
+    def empty_value_for_members
+      inspec.os.windows? ? [] : ""
+    end
   end
 
   class GroupInfo