inspec-core 4.33.1 → 4.37.20

Sign up to get free protection for your applications and to get access to all the features.
Files changed (40) hide show
  1. checksums.yaml +4 -4
  2. data/Gemfile +14 -1
  3. data/inspec-core.gemspec +2 -2
  4. data/lib/inspec/base_cli.rb +2 -2
  5. data/lib/inspec/cli.rb +6 -2
  6. data/lib/inspec/control_eval_context.rb +1 -0
  7. data/lib/inspec/fetcher/local.rb +1 -1
  8. data/lib/inspec/input.rb +39 -4
  9. data/lib/inspec/input_registry.rb +1 -0
  10. data/lib/inspec/objects/input.rb +1 -1
  11. data/lib/inspec/plugin/v2/loader.rb +9 -0
  12. data/lib/inspec/profile_context.rb +1 -1
  13. data/lib/inspec/resources.rb +1 -0
  14. data/lib/inspec/resources/file.rb +4 -5
  15. data/lib/inspec/resources/groups.rb +21 -6
  16. data/lib/inspec/resources/http.rb +1 -1
  17. data/lib/inspec/resources/mssql_session.rb +1 -1
  18. data/lib/inspec/resources/mysql_session.rb +1 -1
  19. data/lib/inspec/resources/pip.rb +1 -1
  20. data/lib/inspec/resources/port.rb +9 -3
  21. data/lib/inspec/resources/registry_key.rb +1 -1
  22. data/lib/inspec/resources/selinux.rb +154 -0
  23. data/lib/inspec/resources/users.rb +1 -1
  24. data/lib/inspec/resources/windows_feature.rb +2 -1
  25. data/lib/inspec/resources/windows_firewall_rule.rb +1 -1
  26. data/lib/inspec/resources/zfs_dataset.rb +7 -3
  27. data/lib/inspec/resources/zfs_pool.rb +7 -3
  28. data/lib/inspec/rule.rb +9 -1
  29. data/lib/inspec/runner.rb +1 -1
  30. data/lib/inspec/utils/erlang_parser.rb +2 -2
  31. data/lib/inspec/utils/filter.rb +7 -7
  32. data/lib/inspec/utils/nginx_parser.rb +3 -3
  33. data/lib/inspec/version.rb +1 -1
  34. data/lib/plugins/inspec-compliance/README.md +125 -2
  35. data/lib/plugins/inspec-compliance/lib/inspec-compliance.rb +5 -0
  36. data/lib/plugins/inspec-compliance/lib/inspec-compliance/api.rb +18 -1
  37. data/lib/plugins/inspec-compliance/lib/inspec-compliance/api/login.rb +23 -8
  38. data/lib/plugins/inspec-compliance/lib/inspec-compliance/cli.rb +26 -28
  39. data/lib/plugins/inspec-compliance/lib/inspec-compliance/target.rb +5 -4
  40. metadata +11 -4
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: ec42612f75dc95f62517b85b024c039ad15965f7c98dfaecb9494161b9f85611
4
- data.tar.gz: 6373b89393e737cacdcb859ca510758afb9ce7e16d89e90d86877205a3d8d335
3
+ metadata.gz: 0e824612959dfc0663c92583fa5a542300d6953bcd32b28cfabf48b0709b9bf6
4
+ data.tar.gz: 79edead9df8512f94c9472bead2afd509b080f30e68630c912208734dc0b7bf1
5
5
  SHA512:
6
- metadata.gz: f1591b7c166d00fe78037f703eb55292384b2c2b13195db150da008b198424177809078db9509054af664f91aca8bae06f93f41939d808263cc78baf0414f29c
7
- data.tar.gz: 5124bfc3a8b676bd097efc319233fec94d3fd3739b727e1b92678c7929d280c093c46136b80607f166d164e0bd85586b9ce560e2ebed0eadbd7f35d09bd517b9
6
+ metadata.gz: fba880eaf388b7ebb28a731ddaaab23a6c0b4f8a75ee70315c75f68d05445cc32c7c09109e5f9a696d8257111d5cf520409bf2d18079255fc7cce9376a3e87e3
7
+ data.tar.gz: e5bf78b8ee6a067ca8762326093f92c26f97b1c102b0198ec3a494a520bb0a6fc137ff2d6f992e36e3ff690389c2082b3f92484a79266e91e7359a25d8719df7
data/Gemfile CHANGED
@@ -28,7 +28,7 @@ group :omnibus do
28
28
  end
29
29
 
30
30
  group :test do
31
- gem "chefstyle", "~> 1.7.1"
31
+ gem "chefstyle", "~> 2.0.3"
32
32
  gem "concurrent-ruby", "~> 1.0"
33
33
  gem "html-proofer", platforms: :ruby # do not attempt to run proofer on windows
34
34
  gem "json_schemer", ">= 0.2.1", "< 0.2.19"
@@ -48,3 +48,16 @@ end
48
48
  group :deploy do
49
49
  gem "inquirer"
50
50
  end
51
+
52
+ # Only include Test Kitchen support if we are on Ruby 2.7 or higher
53
+ # as chef-zero support requires Ruby 2.6
54
+ # See https://github.com/inspec/inspec/pull/5341
55
+ if Gem.ruby_version >= Gem::Version.new("2.7.0")
56
+ group :kitchen do
57
+ gem "berkshelf"
58
+ gem "test-kitchen", ">= 2.8"
59
+ gem "kitchen-inspec", ">= 2.0"
60
+ gem "kitchen-dokken", ">= 2.11"
61
+ gem "git"
62
+ end
63
+ end
data/inspec-core.gemspec CHANGED
@@ -23,7 +23,7 @@ Gem::Specification.new do |spec|
23
23
  .reject { |f| File.directory?(f) }
24
24
 
25
25
  # Implementation dependencies
26
- spec.add_dependency "chef-telemetry", "~> 1.0"
26
+ spec.add_dependency "chef-telemetry", "~> 1.0", ">= 1.0.8" # 1.0.8+ removes the http dep
27
27
  spec.add_dependency "license-acceptance", ">= 0.2.13", "< 3.0"
28
28
  spec.add_dependency "thor", ">= 0.20", "< 2.0"
29
29
  spec.add_dependency "method_source", ">= 0.8", "< 2.0"
@@ -35,7 +35,7 @@ Gem::Specification.new do |spec|
35
35
  spec.add_dependency "mixlib-log", "~> 3.0"
36
36
  spec.add_dependency "sslshake", "~> 1.2"
37
37
  spec.add_dependency "parallel", "~> 1.9"
38
- spec.add_dependency "faraday", ">= 0.9.0", "< 1.4"
38
+ spec.add_dependency "faraday", ">= 0.9.0", "< 1.5"
39
39
  spec.add_dependency "faraday_middleware", "~> 1.0"
40
40
  spec.add_dependency "tty-table", "~> 0.10"
41
41
  spec.add_dependency "tty-prompt", "~> 0.17"
data/lib/inspec/base_cli.rb CHANGED
@@ -181,7 +181,7 @@ module Inspec
181
181
  puts " Patents: chef.io/patents\n\n"
182
182
  end
183
183
 
184
- def self.format_platform_info(params: {}, indent: 0, color: 39)
184
+ def self.format_platform_info(params: {}, indent: 0, color: 39, enable_color: true)
185
185
  str = ""
186
186
  params.each do |item, info|
187
187
  data = info
@@ -192,7 +192,7 @@ module Inspec
192
192
  # Do not output fields of data is missing ('unknown' is fine)
193
193
  next if data.nil?
194
194
 
195
- data = "\e[1m\e[#{color}m#{data}\e[0m"
195
+ data = "\e[1m\e[#{color}m#{data}\e[0m" if enable_color
196
196
  str << format("#{" " * indent}%-10s %s\n", item.to_s.capitalize + ":", data)
197
197
  end
198
198
  str
data/lib/inspec/cli.rb CHANGED
@@ -218,9 +218,13 @@ class Inspec::InspecCLI < Inspec::BaseCLI
218
218
 
219
219
  Automate:
220
220
  ```
221
- #{Inspec::Dist::EXEC_NAME} compliance login
221
+ #{Inspec::Dist::EXEC_NAME} automate login
222
222
  #{Inspec::Dist::EXEC_NAME} exec compliance://username/linux-baseline
223
223
  ```
224
+ `inspec compliance` is a backwards compatible alias for `inspec automate` and works the same way:
225
+ ```
226
+ #{Inspec::Dist::EXEC_NAME} compliance login
227
+ ```
224
228
 
225
229
  Supermarket:
226
230
  ```
@@ -301,7 +305,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI
301
305
  puts res.to_json
302
306
  else
303
307
  ui.headline("Platform Details")
304
- ui.plain Inspec::BaseCLI.format_platform_info(params: res, indent: 0, color: 36)
308
+ ui.plain Inspec::BaseCLI.format_platform_info(params: res, indent: 0, color: 36, enable_color: ui.color?)
305
309
  end
306
310
  rescue ArgumentError, RuntimeError, Train::UserError => e
307
311
  $stderr.puts e.message
data/lib/inspec/control_eval_context.rb CHANGED
@@ -194,6 +194,7 @@ module Inspec
194
194
 
195
195
  # Check if the given control exist in the --controls option
196
196
  def control_exist_in_controls_list?(id)
197
+ id_exist_in_list = false
197
198
  if profile_config_exist?
198
199
  id_exist_in_list = @conf["profile"].include_controls_list.any? do |inclusion|
199
200
  # Try to see if the inclusion is a regex, and if it matches
data/lib/inspec/fetcher/local.rb CHANGED
@@ -31,7 +31,7 @@ module Inspec::Fetcher
31
31
  target = target.gsub(%r{^file://}, "")
32
32
  else
33
33
  # support for windows paths
34
- target = target.tr('\\', "/")
34
+ target = target.tr("\\", "/")
35
35
  end
36
36
 
37
37
  target if File.exist?(File.expand_path(target))
data/lib/inspec/input.rb CHANGED
@@ -19,12 +19,17 @@ module Inspec
19
19
  attr_accessor :input_name
20
20
  attr_accessor :input_value
21
21
  attr_accessor :input_type
22
+ attr_accessor :input_pattern
22
23
  end
23
24
 
24
25
  class TypeError < Error
25
26
  attr_accessor :input_type
26
27
  end
27
28
 
29
+ class PatternError < Error
30
+ attr_accessor :input_pattern
31
+ end
32
+
28
33
  class RequiredError < Error
29
34
  attr_accessor :input_name
30
35
  end
@@ -56,7 +61,6 @@ module Inspec
56
61
 
57
62
  def initialize(properties = {})
58
63
  @value_has_been_set = false
59
-
60
64
  properties.each do |prop_name, prop_value|
61
65
  if EVENT_PROPERTIES.include? prop_name
62
66
  # OK, save the property
@@ -174,7 +178,7 @@ module Inspec
174
178
  # are free to go higher.
175
179
  DEFAULT_PRIORITY_FOR_VALUE_SET = 60
176
180
 
177
- attr_reader :description, :events, :identifier, :name, :required, :sensitive, :title, :type
181
+ attr_reader :description, :events, :identifier, :name, :required, :sensitive, :title, :type, :pattern
178
182
 
179
183
  def initialize(name, options = {})
180
184
  @name = name
@@ -192,7 +196,6 @@ module Inspec
192
196
  # debugging record of when and how the value changed.
193
197
  @events = []
194
198
  events.push make_creation_event(options)
195
-
196
199
  update(options)
197
200
  end
198
201
 
@@ -213,6 +216,7 @@ module Inspec
213
216
  def update(options)
214
217
  _update_set_metadata(options)
215
218
  normalize_type_restriction!
219
+ normalize_pattern_restriction!
216
220
 
217
221
  # Values are set by passing events in; but we can also infer an event.
218
222
  if options.key?(:value) || options.key?(:default)
@@ -227,6 +231,7 @@ module Inspec
227
231
  events << options[:event] if options.key? :event
228
232
 
229
233
  enforce_type_restriction!
234
+ enforce_pattern_restriction!
230
235
  end
231
236
 
232
237
  # We can determine a value:
@@ -268,6 +273,7 @@ module Inspec
268
273
  @identifier = options[:identifier] if options.key?(:identifier) # TODO: determine if this is ever used
269
274
  @type = options[:type] if options.key?(:type)
270
275
  @sensitive = options[:sensitive] if options.key?(:sensitive)
276
+ @pattern = options[:pattern] if options.key?(:pattern)
271
277
  end
272
278
 
273
279
  def make_creation_event(options)
@@ -310,7 +316,9 @@ module Inspec
310
316
  file: location.path,
311
317
  line: location.lineno
312
318
  )
319
+
313
320
  enforce_type_restriction!
321
+ enforce_pattern_restriction!
314
322
  end
315
323
 
316
324
  def value
@@ -324,7 +332,7 @@ module Inspec
324
332
 
325
333
  def to_hash
326
334
  as_hash = { name: name, options: {} }
327
- %i{description title identifier type required value sensitive}.each do |field|
335
+ %i{description title identifier type required value sensitive pattern}.each do |field|
328
336
  val = send(field)
329
337
  next if val.nil?
330
338
 
@@ -407,6 +415,33 @@ module Inspec
407
415
  @type = type_req
408
416
  end
409
417
 
418
+ def enforce_pattern_restriction!
419
+ return unless pattern
420
+ return unless has_value?
421
+
422
+ string_value = current_value(false).to_s
423
+
424
+ valid_pattern = string_value.match?(pattern)
425
+ unless valid_pattern
426
+ error = Inspec::Input::ValidationError.new
427
+ error.input_name = @name
428
+ error.input_value = string_value
429
+ error.input_pattern = pattern
430
+ raise error, "Input '#{error.input_name}' with value '#{error.input_value}' does not validate to pattern '#{error.input_pattern}'."
431
+ end
432
+ end
433
+
434
+ def normalize_pattern_restriction!
435
+ return unless pattern
436
+
437
+ unless valid_regexp?(pattern)
438
+ error = Inspec::Input::PatternError.new
439
+ error.input_pattern = pattern
440
+ raise error, "Pattern '#{error.input_pattern}' is not a valid regex pattern."
441
+ end
442
+ @pattern = pattern
443
+ end
444
+
410
445
  def valid_numeric?(value)
411
446
  Float(value)
412
447
  true
data/lib/inspec/input_registry.rb CHANGED
@@ -325,6 +325,7 @@ module Inspec
325
325
  type: input_options[:type],
326
326
  required: input_options[:required],
327
327
  sensitive: input_options[:sensitive],
328
+ pattern: input_options[:pattern],
328
329
  event: evt
329
330
  )
330
331
  end
data/lib/inspec/objects/input.rb CHANGED
@@ -20,7 +20,7 @@ module Inspec
20
20
 
21
21
  def to_hash
22
22
  as_hash = { name: name, options: {} }
23
- %i{description title identifier type required value}.each do |field|
23
+ %i{description title identifier type required value pattern}.each do |field|
24
24
  val = send(field)
25
25
  next if val.nil?
26
26
 
data/lib/inspec/plugin/v2/loader.rb CHANGED
@@ -117,6 +117,15 @@ module Inspec::Plugin::V2
117
117
  # `inspec dosomething` => activate the :dosomething hook
118
118
  activate_me ||= cli_args.include?(act.activator_name.to_s)
119
119
 
120
+ # Only one compliance command to be activated at one time.
121
+ # Since both commands are defined in the same class,
122
+ # activators were not getting fetched uniquely.
123
+ if cli_args.include?("automate") && act.activator_name.to_s.eql?("compliance")
124
+ activate_me = false
125
+ elsif cli_args.include?("compliance") && act.activator_name.to_s.eql?("automate")
126
+ activate_me = false
127
+ end
128
+
120
129
  # OK, activate.
121
130
  if activate_me
122
131
  act.activate
data/lib/inspec/profile_context.rb CHANGED
@@ -91,7 +91,7 @@ module Inspec
91
91
  end
92
92
 
93
93
  def all_controls
94
- ret = @rules.values
94
+ ret = @rules.values.compact
95
95
  ret += @control_subcontexts.map(&:all_rules).flatten
96
96
  ret
97
97
  end
data/lib/inspec/resources.rb CHANGED
@@ -103,6 +103,7 @@ require "inspec/resources/rabbitmq_config"
103
103
  require "inspec/resources/registry_key"
104
104
  require "inspec/resources/security_identifier"
105
105
  require "inspec/resources/security_policy"
106
+ require "inspec/resources/selinux"
106
107
  require "inspec/resources/service"
107
108
  require "inspec/resources/shadow"
108
109
  require "inspec/resources/ssh_config"
data/lib/inspec/resources/file.rb CHANGED
@@ -136,10 +136,10 @@ module Inspec::Resources
136
136
  alias sticky? sticky
137
137
 
138
138
  def more_permissive_than?(max_mode = nil)
139
- raise Inspec::Exceptions::ResourceFailed, "The file" + file.path + "doesn't seem to exist" unless exist?
140
- raise ArgumentError, "You must proivde a value for the `maximum allowable permission` for the file." if max_mode.nil?
141
- raise ArgumentError, "You must proivde the `maximum permission target` as a `String`, you provided: " + max_mode.class.to_s unless max_mode.is_a?(String)
142
- raise ArgumentError, "The value of the `maximum permission target` should be a valid file mode in 4-ditgit octal format: for example, `0644` or `0777`" unless /(0)?([0-7])([0-7])([0-7])/.match?(max_mode)
139
+ return nil unless exist?
140
+ raise ArgumentError, "You must provide a value for the `maximum allowable permission` for the file." if max_mode.nil?
141
+ raise ArgumentError, "You must provide the `maximum permission target` as a `String`, you provided: " + max_mode.class.to_s unless max_mode.is_a?(String)
142
+ raise ArgumentError, "The value of the `maximum permission target` should be a valid file mode in 4-digit octal format: for example, `0644` or `0777`" unless /(0)?([0-7])([0-7])([0-7])/.match?(max_mode)
143
143
 
144
144
  # Using the files mode and a few bit-wise calculations we can ensure a
145
145
  # file is no more permisive than desired.
@@ -160,7 +160,6 @@ module Inspec::Resources
160
160
 
161
161
  max_mode = max_mode.to_i(8)
162
162
  inv_mode = 0777 ^ max_mode
163
-
164
163
  inv_mode & file.mode != 0
165
164
  end
166
165
 
data/lib/inspec/resources/groups.rb CHANGED
@@ -49,10 +49,11 @@ module Inspec::Resources
49
49
 
50
50
  filter = FilterTable.create
51
51
  filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
52
- filter.register_column(:names, field: "name")
53
- .register_column(:gids, field: "gid")
54
- .register_column(:domains, field: "domain")
55
- .register_column(:members, field: "members", style: :simple)
52
+ filter.register_column(:names, field: "name")
53
+ .register_column(:gids, field: "gid")
54
+ .register_column(:domains, field: "domain")
55
+ .register_column(:members, field: "members", style: :simple)
56
+ .register_column(:members_array, field: "members_array", style: :simple)
56
57
  filter.install_filter_methods_on_resource(self, :collect_group_details)
57
58
 
58
59
  def to_s
@@ -63,7 +64,13 @@ module Inspec::Resources
63
64
 
64
65
  # collects information about every group
65
66
  def collect_group_details
66
- return @groups_cache ||= @group_provider.groups unless @group_provider.nil?
67
+ unless @group_provider.nil?
68
+ modified_groups_info = @group_provider.groups
69
+ unless modified_groups_info.empty?
70
+ modified_groups_info.each { |hashmap| hashmap["members_array"] = hashmap["members"].is_a?(Array) ? hashmap["members"] : hashmap["members"]&.split(",") }
71
+ end
72
+ return @groups_cache ||= modified_groups_info
73
+ end
67
74
 
68
75
  []
69
76
  end
@@ -111,7 +118,11 @@ module Inspec::Resources
111
118
  end
112
119
 
113
120
  def members
114
- flatten_entry(group_info, "members")
121
+ flatten_entry(group_info, "members") || empty_value_for_members
122
+ end
123
+
124
+ def members_array
125
+ flatten_entry(group_info, "members_array") || []
115
126
  end
116
127
 
117
128
  def local
@@ -141,6 +152,10 @@ module Inspec::Resources
141
152
  group = @group.dup
142
153
  @groups_cache ||= inspec.groups.where { name == group }
143
154
  end
155
+
156
+ def empty_value_for_members
157
+ inspec.os.windows? ? [] : ""
158
+ end
144
159
  end
145
160
 
146
161
  class GroupInfo
data/lib/inspec/resources/http.rb CHANGED
@@ -56,7 +56,7 @@ module Inspec::Resources
56
56
  end
57
57
 
58
58
  def body
59
- @worker.body
59
+ @worker.body&.force_encoding(Encoding::UTF_8)
60
60
  end
61
61
 
62
62
  def http_method
data/lib/inspec/resources/mssql_session.rb CHANGED
@@ -58,7 +58,7 @@ module Inspec::Resources
58
58
  end
59
59
 
60
60
  def query(q) # rubocop:disable Metrics/PerceivedComplexity
61
- escaped_query = q.gsub(/\\/, '\\\\').gsub(/"/, '""').gsub(/\$/, '\\$')
61
+ escaped_query = q.gsub(/\\/, "\\\\").gsub(/"/, '""').gsub(/\$/, '\\$')
62
62
  # surpress 'x rows affected' in SQLCMD with 'set nocount on;'
63
63
  cmd_string = "sqlcmd -Q \"set nocount on; #{escaped_query}\" -W -w 1024 -s ','"
64
64
  cmd_string += " -U '#{@user}' -P '#{@password}'" unless @user.nil? || @password.nil?
data/lib/inspec/resources/mysql_session.rb CHANGED
@@ -75,7 +75,7 @@ module Inspec::Resources
75
75
  def create_mysql_cmd(q, db = "")
76
76
  # TODO: simple escape, must be handled by a library
77
77
  # that does this securely
78
- escaped_query = q.gsub(/\\/, '\\\\').gsub(/"/, '\\"').gsub(/\$/, '\\$')
78
+ escaped_query = q.gsub(/\\/, "\\\\").gsub(/"/, '\\"').gsub(/\$/, '\\$')
79
79
 
80
80
  # construct the query
81
81
  command = "mysql"
data/lib/inspec/resources/pip.rb CHANGED
@@ -117,7 +117,7 @@ module Inspec::Resources
117
117
  if defined?(windows_paths["Python"]) && pipcmd.nil?
118
118
  return nil if windows_paths["Pip"].nil?
119
119
 
120
- pipdir = windows_paths["Python"].split('\\')
120
+ pipdir = windows_paths["Python"].split("\\")
121
121
  # remove python.exe
122
122
  pipdir.pop
123
123
  pipcmd = pipdir.push("Scripts").push("pip.exe").join("/")
data/lib/inspec/resources/port.rb CHANGED
@@ -54,7 +54,7 @@ module Inspec::Resources
54
54
  def port_manager_for_os
55
55
  os = inspec.os
56
56
  if os.linux?
57
- LinuxPorts.new(inspec)
57
+ LinuxPorts.new(inspec, @port)
58
58
  elsif os.aix?
59
59
  # AIX: see http://www.ibm.com/developerworks/aix/library/au-lsof.html#resources
60
60
  # and https://www-01.ibm.com/marketing/iwm/iwm/web/reg/pick.do?source=aixbp
@@ -102,8 +102,9 @@ module Inspec::Resources
102
102
  # }]
103
103
  class PortsInfo
104
104
  attr_reader :inspec
105
- def initialize(inspec)
105
+ def initialize(inspec, port = nil)
106
106
  @inspec = inspec
107
+ @port = port
107
108
  end
108
109
  end
109
110
 
@@ -394,7 +395,12 @@ module Inspec::Resources
394
395
  def ports_via_ss
395
396
  return nil unless inspec.command("ss").exist?
396
397
 
397
- cmd = inspec.command("ss -tulpen")
398
+ if @port.nil?
399
+ cmd = inspec.command("ss -tulpen")
400
+ else
401
+ cmd = inspec.command("ss -tulpen '( dport = #{@port} or sport = #{@port} )'")
402
+ end
403
+
398
404
  return nil unless cmd.exit_status.to_i == 0
399
405
 
400
406
  ports = []
data/lib/inspec/resources/registry_key.rb CHANGED
@@ -281,7 +281,7 @@ module Inspec::Resources
281
281
  key = @options[:key]
282
282
  return "" unless key
283
283
 
284
- key.start_with?('\\') ? key : "\\#{key}"
284
+ key.start_with?("\\") ? key : "\\#{key}"
285
285
  end
286
286
  end
287
287