inspec-core 4.33.1 → 4.36.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ec42612f75dc95f62517b85b024c039ad15965f7c98dfaecb9494161b9f85611
-  data.tar.gz: 6373b89393e737cacdcb859ca510758afb9ce7e16d89e90d86877205a3d8d335
+  metadata.gz: 2c3d7a6b401a4a92a2dbe1342499857065d9643baeed19d2b1e5af77672be3d8
+  data.tar.gz: 907c48ac504a9a8588e41a65edfbafc3726c17ce59c5a5a8b3e5c83000fa08db
 SHA512:
-  metadata.gz: f1591b7c166d00fe78037f703eb55292384b2c2b13195db150da008b198424177809078db9509054af664f91aca8bae06f93f41939d808263cc78baf0414f29c
-  data.tar.gz: 5124bfc3a8b676bd097efc319233fec94d3fd3739b727e1b92678c7929d280c093c46136b80607f166d164e0bd85586b9ce560e2ebed0eadbd7f35d09bd517b9
+  metadata.gz: 5685428db9251aae0e26db8cc0ab81f247115aa70152472421e560cf97c17486e8f656a9be158ba3fbaa00bb078a1fb12eb5077a6d16a4883b052a9aba5c0869
+  data.tar.gz: baf44fe69d48134e7d6a8760ceb245c10a29a6e423d8afda68ac35225bba6f7a7a0e21f815d5f4b7fb4206b6f4080b01b9e5be16f1e2f030b2f594c53c215b22

data/inspec-core.gemspec

@@ -35,7 +35,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency "mixlib-log",         "~> 3.0"
   spec.add_dependency "sslshake",           "~> 1.2"
   spec.add_dependency "parallel",           "~> 1.9"
-  spec.add_dependency "faraday",            ">= 0.9.0", "< 1.4"
+  spec.add_dependency "faraday",            ">= 0.9.0", "< 1.5"
   spec.add_dependency "faraday_middleware", "~> 1.0"
   spec.add_dependency "tty-table",          "~> 0.10"
   spec.add_dependency "tty-prompt",         "~> 0.17"

data/lib/inspec/control_eval_context.rb

@@ -194,6 +194,7 @@ module Inspec
 
     # Check if the given control exist in the --controls option
     def control_exist_in_controls_list?(id)
+      id_exist_in_list = false
       if profile_config_exist?
         id_exist_in_list = @conf["profile"].include_controls_list.any? do |inclusion|
           # Try to see if the inclusion is a regex, and if it matches

data/lib/inspec/input.rb

@@ -19,12 +19,17 @@ module Inspec
       attr_accessor :input_name
       attr_accessor :input_value
       attr_accessor :input_type
+      attr_accessor :input_pattern
     end
 
     class TypeError < Error
       attr_accessor :input_type
     end
 
+    class PatternError < Error
+      attr_accessor :input_pattern
+    end
+
     class RequiredError < Error
       attr_accessor :input_name
     end
@@ -56,7 +61,6 @@ module Inspec
 
       def initialize(properties = {})
         @value_has_been_set = false
-
         properties.each do |prop_name, prop_value|
           if EVENT_PROPERTIES.include? prop_name
             # OK, save the property
@@ -174,7 +178,7 @@ module Inspec
     # are free to go higher.
     DEFAULT_PRIORITY_FOR_VALUE_SET = 60
 
-    attr_reader :description, :events, :identifier, :name, :required, :sensitive, :title, :type
+    attr_reader :description, :events, :identifier, :name, :required, :sensitive, :title, :type, :pattern
 
     def initialize(name, options = {})
       @name = name
@@ -192,7 +196,6 @@ module Inspec
       # debugging record of when and how the value changed.
       @events = []
       events.push make_creation_event(options)
-
       update(options)
     end
 
@@ -213,6 +216,7 @@ module Inspec
     def update(options)
       _update_set_metadata(options)
       normalize_type_restriction!
+      normalize_pattern_restriction!
 
       # Values are set by passing events in; but we can also infer an event.
       if options.key?(:value) || options.key?(:default)
@@ -227,6 +231,7 @@ module Inspec
       events << options[:event] if options.key? :event
 
       enforce_type_restriction!
+      enforce_pattern_restriction!
     end
 
     # We can determine a value:
@@ -268,6 +273,7 @@ module Inspec
       @identifier = options[:identifier] if options.key?(:identifier) # TODO: determine if this is ever used
       @type = options[:type] if options.key?(:type)
       @sensitive = options[:sensitive] if options.key?(:sensitive)
+      @pattern = options[:pattern] if options.key?(:pattern)
     end
 
     def make_creation_event(options)
@@ -310,7 +316,9 @@ module Inspec
         file: location.path,
         line: location.lineno
       )
+
       enforce_type_restriction!
+      enforce_pattern_restriction!
     end
 
     def value
@@ -324,7 +332,7 @@ module Inspec
 
     def to_hash
       as_hash = { name: name, options: {} }
-      %i{description title identifier type required value sensitive}.each do |field|
+      %i{description title identifier type required value sensitive pattern}.each do |field|
         val = send(field)
         next if val.nil?
 
@@ -407,6 +415,33 @@ module Inspec
       @type = type_req
     end
 
+    def enforce_pattern_restriction!
+      return unless pattern
+      return unless has_value?
+
+      string_value = current_value(false).to_s
+
+      valid_pattern = string_value.match?(pattern)
+      unless valid_pattern
+        error = Inspec::Input::ValidationError.new
+        error.input_name = @name
+        error.input_value = string_value
+        error.input_pattern = pattern
+        raise error, "Input '#{error.input_name}' with value '#{error.input_value}' does not validate to pattern '#{error.input_pattern}'."
+      end
+    end
+
+    def normalize_pattern_restriction!
+      return unless pattern
+
+      unless valid_regexp?(pattern)
+        error = Inspec::Input::PatternError.new
+        error.input_pattern = pattern
+        raise error, "Pattern '#{error.input_pattern}' is not a valid regex pattern."
+      end
+      @pattern = pattern
+    end
+
     def valid_numeric?(value)
       Float(value)
       true

data/lib/inspec/input_registry.rb

@@ -325,6 +325,7 @@ module Inspec
         type: input_options[:type],
         required: input_options[:required],
         sensitive: input_options[:sensitive],
+        pattern: input_options[:pattern],
         event: evt
       )
     end

data/lib/inspec/objects/input.rb

@@ -20,7 +20,7 @@ module Inspec
 
     def to_hash
       as_hash = { name: name, options: {} }
-      %i{description title identifier type required value}.each do |field|
+      %i{description title identifier type required value pattern}.each do |field|
         val = send(field)
         next if val.nil?
 

data/lib/inspec/resources.rb

@@ -103,6 +103,7 @@ require "inspec/resources/rabbitmq_config"
 require "inspec/resources/registry_key"
 require "inspec/resources/security_identifier"
 require "inspec/resources/security_policy"
+require "inspec/resources/selinux"
 require "inspec/resources/service"
 require "inspec/resources/shadow"
 require "inspec/resources/ssh_config"

data/lib/inspec/resources/groups.rb

@@ -49,10 +49,11 @@ module Inspec::Resources
 
     filter = FilterTable.create
     filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
-    filter.register_column(:names, field: "name")
-      .register_column(:gids,      field: "gid")
-      .register_column(:domains,   field: "domain")
-      .register_column(:members,   field: "members", style: :simple)
+    filter.register_column(:names,       field: "name")
+      .register_column(:gids,            field: "gid")
+      .register_column(:domains,         field: "domain")
+      .register_column(:members,         field: "members", style: :simple)
+      .register_column(:members_array,   field: "members_array", style: :simple)
     filter.install_filter_methods_on_resource(self, :collect_group_details)
 
     def to_s
@@ -63,7 +64,13 @@ module Inspec::Resources
 
     # collects information about every group
     def collect_group_details
-      return @groups_cache ||= @group_provider.groups unless @group_provider.nil?
+      unless @group_provider.nil?
+        modified_groups_info = @group_provider.groups
+        unless modified_groups_info.empty?
+          modified_groups_info.each { |hashmap| hashmap["members_array"] = hashmap["members"].is_a?(Array) ? hashmap["members"] : hashmap["members"]&.split(",") }
+        end
+        return @groups_cache ||= modified_groups_info
+      end
 
       []
     end
@@ -111,7 +118,11 @@ module Inspec::Resources
     end
 
     def members
-      flatten_entry(group_info, "members")
+      flatten_entry(group_info, "members") || empty_value_for_members
+    end
+
+    def members_array
+      flatten_entry(group_info, "members_array") || []
     end
 
     def local
@@ -141,6 +152,10 @@ module Inspec::Resources
       group = @group.dup
       @groups_cache ||= inspec.groups.where { name == group }
     end
+
+    def empty_value_for_members
+      inspec.os.windows? ? [] : ""
+    end
   end
 
   class GroupInfo

data/lib/inspec/resources/selinux.rb

@@ -0,0 +1,154 @@
+require "inspec/resources/command"
+require "inspec/utils/filter"
+
+module Inspec::Resources
+  class SelinuxModuleFilter
+    # use filtertable for SELinux Modules
+    filter = FilterTable.create
+    filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
+    filter.register_column(:names, field: :name)
+    filter.register_column(:status, field: :status)
+    filter.register_column(:states, field: :state)
+    filter.register_column(:priorities , field: :priority)
+    filter.register_custom_matcher(:enabled?) { |x| x.states[0] == "enabled" }
+    filter.register_custom_matcher(:installed?) { |x| x.status[0] == "installed" }
+    filter.install_filter_methods_on_resource(self, :modules)
+
+    attr_reader :modules
+    def initialize(modules)
+      @modules = modules
+    end
+
+    def to_s
+      "SELinux modules"
+    end
+  end
+
+  class SelinuxBooleanFilter
+    # use filtertable for SELinux Booleans
+    filter = FilterTable.create
+    filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
+    filter.register_column(:names, field: :name)
+    filter.register_column(:states, field: :state)
+    filter.register_column(:defaults, field: :default)
+    filter.register_custom_matcher(:on?) { |x| x.states[0] == "on" }
+    filter.install_filter_methods_on_resource(self, :booleans)
+
+    attr_reader :booleans
+    def initialize(booleans)
+      @booleans = booleans
+    end
+
+    def to_s
+      "SELinux booleans"
+    end
+  end
+
+  class Selinux < Inspec.resource(1)
+    name "selinux"
+    supports platform: "linux"
+
+    desc "Use the selinux Chef InSpec resource to test the configuration data of the SELinux policy, SELinux modules, and SELinux booleans."
+
+    example <<~EXAMPLE
+      describe selinux do
+        it { should be_installed }
+        it { should be_disabled }
+        it { should be_permissive }
+        it { should be_enforcing }
+      end
+
+      describe selinux do
+        its('policy') { should eq "targeted"}
+      end
+
+      describe selinux.modules.where("zebra") do
+        it { should exist }
+        it { should be_installed }
+        it { should be_enabled }
+      end
+
+      describe selinux.modules.where(status: "installed") do
+        it { should exist }
+        its('count') { should cmp 404 }
+      end
+
+      describe selinux.booleans.where(name: "xend_run_blktap") do
+        it { should be_on }
+      end
+
+      describe selinux.booleans.where { name == "xend_run_blktap" && state == "on" } do
+       it { should exist }
+      end
+    EXAMPLE
+
+    def initialize(selinux_path = "/etc/selinux/config")
+      @path = selinux_path
+      cmd = inspec.command("sestatus")
+
+      if cmd.exit_status != 0
+        # `sestatus` command not found error message comes in stdout so handling both here
+        out = cmd.stdout + "\n" + cmd.stderr
+        return skip_resource "Skipping resource: #{out}"
+      end
+
+      result = cmd.stdout.delete(" ").gsub(/\n/, ",").gsub(/\r/, "").downcase
+      @data = Hash[result.scan(/([^:]+):([^,]+)[,$]/)]
+    end
+
+    def installed?
+      inspec.file(@path).exist?
+    end
+
+    def disabled?
+      @data["selinuxstatus"] == "disabled"
+    end
+
+    def enforcing?
+      @data["currentmode"] == "enforcing"
+    end
+
+    def permissive?
+      @data["currentmode"] == "permissive"
+    end
+
+    def policy
+      @data["loadedpolicyname"]
+    end
+
+    def modules
+      SelinuxModuleFilter.new(parse_modules)
+    end
+
+    def booleans
+      SelinuxBooleanFilter.new(parse_booleans)
+    end
+
+    def to_s
+      "SELinux"
+    end
+
+    private
+
+    def parse_modules
+      raw_modules = inspec.command("semodule -lfull").stdout
+      r_modules = []
+      raw_modules.each_line do |entry|
+        data = entry.split.map(&:strip)
+        state = data.length == 4 ? data[3] : "enabled"
+        r_modules.push({ name: data[1], status: "installed", state: state, priority: data[0] })
+      end
+      r_modules
+    end
+
+    def parse_booleans
+      raw_booleans = inspec.command("semanage boolean -l -n").stdout
+      r_booleans = []
+      raw_booleans.each_line do |entry|
+        data = entry.scan(/([^(,)]+)/).flatten.map(&:strip)
+        r_booleans.push({ name: data[0], state: data[1], default: data[2] })
+      end
+      r_booleans
+    end
+  end
+end

data/lib/inspec/rule.rb

@@ -180,7 +180,15 @@ module Inspec
         options[:priority] ||= 20
         options[:provider] = :inline_control_code
         evt = Inspec::Input.infer_event(options)
-        Inspec::InputRegistry.find_or_register_input(input_name, __profile_id, event: evt).value
+        Inspec::InputRegistry.find_or_register_input(
+          input_name,
+          __profile_id,
+          type: options[:type],
+          required: options[:required],
+          description: options[:description],
+          pattern: options[:pattern],
+          event: evt
+        ).value
       end
     end
 

data/lib/inspec/version.rb

@@ -1,3 +1,3 @@
 module Inspec
-  VERSION = "4.33.1".freeze
+  VERSION = "4.36.4".freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec-core
 version: !ruby/object:Gem::Version
-  version: 4.33.1
+  version: 4.36.4
 platform: ruby
 authors:
 - Chef InSpec Team
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-04-20 00:00:00.000000000 Z
+date: 2021-04-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: chef-telemetry
@@ -223,7 +223,7 @@ dependencies:
         version: 0.9.0
     - - "<"
       - !ruby/object:Gem::Version
-        version: '1.4'
+        version: '1.5'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -233,7 +233,7 @@ dependencies:
         version: 0.9.0
     - - "<"
       - !ruby/object:Gem::Version
-        version: '1.4'
+        version: '1.5'
 - !ruby/object:Gem::Dependency
   name: faraday_middleware
   requirement: !ruby/object:Gem::Requirement
@@ -586,6 +586,7 @@ files:
 - lib/inspec/resources/script.rb
 - lib/inspec/resources/security_identifier.rb
 - lib/inspec/resources/security_policy.rb
+- lib/inspec/resources/selinux.rb
 - lib/inspec/resources/service.rb
 - lib/inspec/resources/shadow.rb
 - lib/inspec/resources/ssh_config.rb