inspec-core 4.33.1 → 4.37.20
- checksums.yaml +4 -4
- data/Gemfile +14 -1
- data/inspec-core.gemspec +2 -2
- data/lib/inspec/base_cli.rb +2 -2
- data/lib/inspec/cli.rb +6 -2
- data/lib/inspec/control_eval_context.rb +1 -0
- data/lib/inspec/fetcher/local.rb +1 -1
- data/lib/inspec/input.rb +39 -4
- data/lib/inspec/input_registry.rb +1 -0
- data/lib/inspec/objects/input.rb +1 -1
- data/lib/inspec/plugin/v2/loader.rb +9 -0
- data/lib/inspec/profile_context.rb +1 -1
- data/lib/inspec/resources.rb +1 -0
- data/lib/inspec/resources/file.rb +4 -5
- data/lib/inspec/resources/groups.rb +21 -6
- data/lib/inspec/resources/http.rb +1 -1
- data/lib/inspec/resources/mssql_session.rb +1 -1
- data/lib/inspec/resources/mysql_session.rb +1 -1
- data/lib/inspec/resources/pip.rb +1 -1
- data/lib/inspec/resources/port.rb +9 -3
- data/lib/inspec/resources/registry_key.rb +1 -1
- data/lib/inspec/resources/selinux.rb +154 -0
- data/lib/inspec/resources/users.rb +1 -1
- data/lib/inspec/resources/windows_feature.rb +2 -1
- data/lib/inspec/resources/windows_firewall_rule.rb +1 -1
- data/lib/inspec/resources/zfs_dataset.rb +7 -3
- data/lib/inspec/resources/zfs_pool.rb +7 -3
- data/lib/inspec/rule.rb +9 -1
- data/lib/inspec/runner.rb +1 -1
- data/lib/inspec/utils/erlang_parser.rb +2 -2
- data/lib/inspec/utils/filter.rb +7 -7
- data/lib/inspec/utils/nginx_parser.rb +3 -3
- data/lib/inspec/version.rb +1 -1
- data/lib/plugins/inspec-compliance/README.md +125 -2
- data/lib/plugins/inspec-compliance/lib/inspec-compliance.rb +5 -0
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/api.rb +18 -1
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/api/login.rb +23 -8
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/cli.rb +26 -28
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/target.rb +5 -4
- metadata +11 -4
@@ -7,6 +7,11 @@ module InspecPlugins
|
|
7
7
|
require_relative "inspec-compliance/cli"
|
8
8
|
InspecPlugins::Compliance::CLI
|
9
9
|
end
|
10
|
+
|
11
|
+
cli_command :automate do
|
12
|
+
require_relative "inspec-compliance/cli"
|
13
|
+
InspecPlugins::Compliance::CLI
|
14
|
+
end
|
10
15
|
end
|
11
16
|
|
12
17
|
autoload :Configuration, "plugins/inspec-compliance/lib/inspec-compliance/configuration"
|
@@ -170,6 +170,23 @@ module InspecPlugins
|
|
170
170
|
[success, msg, access_token]
|
171
171
|
end
|
172
172
|
|
173
|
+
# Use API access token to validate login using version API
|
174
|
+
def self.authenticate_login_using_version_api(url, api_token, insecure)
|
175
|
+
uri = URI.parse("#{url}/version")
|
176
|
+
req = Net::HTTP::Get.new(uri.path)
|
177
|
+
req["api-token"] = api_token
|
178
|
+
response = InspecPlugins::Compliance::HTTP.send_request(uri, req, insecure)
|
179
|
+
|
180
|
+
if response.code == "200"
|
181
|
+
msg = "Successfully Logged In"
|
182
|
+
success = true
|
183
|
+
else
|
184
|
+
success = false
|
185
|
+
msg = "Failed to authenticate to #{url} \n\Response code: #{response.code}\nBody: #{response.body}"
|
186
|
+
end
|
187
|
+
[success, msg]
|
188
|
+
end
|
189
|
+
|
173
190
|
# Use username and password to get an API access token
|
174
191
|
def self.get_token_via_password(url, username, password, insecure)
|
175
192
|
uri = URI.parse("#{url}/login")
|
@@ -357,7 +374,7 @@ module InspecPlugins
|
|
357
374
|
|
358
375
|
Inspec::Log.debug(
|
359
376
|
"Received 200 from #{url}#{compliance_endpoint} - " \
|
360
|
-
"assuming target is a #{
|
377
|
+
"assuming target is a #{AUTOMATE_PRODUCT_NAME} server"
|
361
378
|
)
|
362
379
|
true
|
363
380
|
end
|
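Review bot: `authenticate_login_using_version_api` accepts any `200` from `#{url}/version` as proof that `api_token` is valid, so the check is only as strong as that endpoint's own authentication. If a server answers `/version` without checking the `api-token` header, a wrong or empty token is reported as "Successfully Logged In" and the callers in `api/login.rb` then store it. The method comment should state that assumption, for example `# Relies on /version rejecting requests without a valid api-token; a 200 from an unauthenticated endpoint proves nothing`. The failure message also has a stray backslash (`\n\Response code:` should read `\nResponse code:`) and prints `response.body` verbatim, which with `insecure` set comes from a server whose certificate was not verified.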
@@ -9,7 +9,7 @@ module InspecPlugins
|
|
9
9
|
class CannotDetermineServerType < StandardError; end
|
10
10
|
|
11
11
|
def login(options)
|
12
|
-
raise ArgumentError, "Please specify a server using `#{EXEC_NAME} compliance login https://SERVER`" unless options["server"]
|
12
|
+
raise ArgumentError, "Please specify a server using `#{EXEC_NAME} automate login https://SERVER` or `#{EXEC_NAME} compliance login https://SERVER`" unless options["server"]
|
13
13
|
|
14
14
|
options["server"] = URI("https://#{options["server"]}").to_s if URI(options["server"]).scheme.nil?
|
15
15
|
|
@@ -33,7 +33,8 @@ module InspecPlugins
|
|
33
33
|
|
34
34
|
options["url"] = options["server"] + "/api/v0"
|
35
35
|
token = options["dctoken"] || options["token"]
|
36
|
-
|
36
|
+
success, msg = API::Login.authenticate_login(options)
|
37
|
+
success ? store_access_token(options, token) : msg
|
37
38
|
end
|
38
39
|
|
39
40
|
def self.store_access_token(options, token)
|
@@ -52,7 +53,7 @@ module InspecPlugins
|
|
52
53
|
config["version"] = "0"
|
53
54
|
|
54
55
|
config.store
|
55
|
-
config
|
56
|
+
API::Login.configuration_stored_message(config)
|
56
57
|
end
|
57
58
|
|
58
59
|
def self.verify_thor_options(o)
|
@@ -74,7 +75,8 @@ module InspecPlugins
|
|
74
75
|
|
75
76
|
options["url"] = options["server"] + "/compliance"
|
76
77
|
token = options["dctoken"] || options["token"]
|
77
|
-
|
78
|
+
success, msg = API::Login.authenticate_login(options)
|
79
|
+
success ? store_access_token(options, token) : msg
|
78
80
|
end
|
79
81
|
|
80
82
|
def self.store_access_token(options, token)
|
@@ -99,7 +101,7 @@ module InspecPlugins
|
|
99
101
|
config["version"] = InspecPlugins::Compliance::API.version(config)
|
100
102
|
|
101
103
|
config.store
|
102
|
-
config
|
104
|
+
API::Login.configuration_stored_message(config)
|
103
105
|
end
|
104
106
|
|
105
107
|
# Automate login requires `--ent`, `--user`, and either `--token` or `--dctoken`
|
@@ -126,7 +128,8 @@ module InspecPlugins
|
|
126
128
|
options["url"] = options["server"] + "/api"
|
127
129
|
|
128
130
|
if options["user"] && options["token"]
|
129
|
-
|
131
|
+
success, msg = API::Login.authenticate_login(options)
|
132
|
+
success ? compliance_store_access_token(options, options["token"]) : msg
|
130
133
|
elsif options["user"] && options["password"]
|
131
134
|
compliance_login_user_pass(options)
|
132
135
|
elsif options["refresh_token"]
|
@@ -171,7 +174,7 @@ module InspecPlugins
|
|
171
174
|
config["version"] = InspecPlugins::Compliance::API.version(config)
|
172
175
|
|
173
176
|
config.store
|
174
|
-
config
|
177
|
+
API::Login.configuration_stored_message(config)
|
175
178
|
end
|
176
179
|
|
177
180
|
# Compliance login requires `--user` or `--refresh_token`
|
@@ -179,7 +182,7 @@ module InspecPlugins
|
|
179
182
|
def self.compliance_verify_thor_options(o)
|
180
183
|
error_msg = []
|
181
184
|
|
182
|
-
error_msg.push("Please specify a server using `#{EXEC_NAME} compliance login https://SERVER`") if o["server"].nil?
|
185
|
+
error_msg.push("Please specify a server using `#{EXEC_NAME} automate login https://SERVER` or `#{EXEC_NAME} compliance login https://SERVER`") if o["server"].nil?
|
183
186
|
|
184
187
|
if o["user"].nil? && o["refresh_token"].nil?
|
185
188
|
error_msg.push("Please specify a `--user='USER'` or a `--refresh-token='TOKEN'`")
|
@@ -192,6 +195,18 @@ module InspecPlugins
|
|
192
195
|
raise ArgumentError, error_msg.join("\n") unless error_msg.empty?
|
193
196
|
end
|
194
197
|
end
|
198
|
+
|
199
|
+
def self.authenticate_login(options)
|
200
|
+
InspecPlugins::Compliance::API.authenticate_login_using_version_api(
|
201
|
+
options["url"],
|
202
|
+
options["token"],
|
203
|
+
options["insecure"]
|
204
|
+
)
|
205
|
+
end
|
206
|
+
|
207
|
+
def self.configuration_stored_message(config)
|
208
|
+
"Stored configuration for Chef #{config["server_type"].capitalize}: #{config["server"]}' with user: '#{config["user"]}'"
|
209
|
+
end
|
195
210
|
end
|
196
211
|
end
|
197
212
|
end
|
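Review bot: The token that `authenticate_login` validates is not always the token that gets stored. The branches that set `options["url"]` to `/api/v0` and `/compliance` compute `token = options["dctoken"] || options["token"]` and pass that to `store_access_token`, but `authenticate_login` always sends `options["token"]`. A login that supplies only `--dctoken` is therefore checked with a nil token, and depending on how the server treats a request without the header, it either fails although the data collector token is fine or succeeds without that token being tested. Passing the chosen value through, e.g. `def self.authenticate_login(options, token = options["token"])` with the call sites using `authenticate_login(options, token)`, keeps validation and storage on the same credential; whether the version API accepts a data collector token is not visible here and needs confirming. `configuration_stored_message` also carries an unmatched `'` after `#{config["server"]}`.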
@@ -6,41 +6,38 @@ module InspecPlugins
|
|
6
6
|
module Compliance
|
7
7
|
class CLI < Inspec.plugin(2, :cli_command)
|
8
8
|
include Inspec::Dist
|
9
|
-
|
10
|
-
subcommand_desc "compliance SUBCOMMAND", "#{COMPLIANCE_PRODUCT_NAME} commands"
|
9
|
+
subcommand_desc "automate SUBCOMMAND or compliance SUBCOMMAND", "#{AUTOMATE_PRODUCT_NAME} commands"
|
11
10
|
|
12
11
|
# desc "login https://SERVER --insecure --user='USER' --ent='ENTERPRISE' --token='TOKEN'", 'Log in to a Chef Compliance/Chef Automate SERVER'
|
13
|
-
desc "login", "Log in to a #{
|
12
|
+
desc "login", "Log in to a #{AUTOMATE_PRODUCT_NAME} SERVER"
|
14
13
|
long_desc <<-LONGDESC
|
15
|
-
`login` allows you to use InSpec with #{AUTOMATE_PRODUCT_NAME}
|
14
|
+
`login` allows you to use InSpec with #{AUTOMATE_PRODUCT_NAME} Server
|
16
15
|
|
17
|
-
You need to a token for communication. More information about token retrieval
|
16
|
+
You need to have a token for communication. More information about token retrieval
|
18
17
|
is available at:
|
19
|
-
https://docs.chef.io/
|
20
|
-
https://docs.chef.io/api_compliance.html#obtaining-an-api-token
|
18
|
+
https://docs.chef.io/automate/api_tokens
|
21
19
|
LONGDESC
|
22
20
|
option :insecure, aliases: :k, type: :boolean,
|
23
21
|
desc: 'Explicitly allows InSpec to perform "insecure" SSL connections and transfers'
|
24
22
|
option :user, type: :string, required: false,
|
25
23
|
desc: "Username"
|
26
24
|
option :password, type: :string, required: false,
|
27
|
-
desc: "Password (#{
|
25
|
+
desc: "Password (#{AUTOMATE_PRODUCT_NAME} Only)"
|
28
26
|
option :token, type: :string, required: false,
|
29
27
|
desc: "Access token"
|
30
28
|
option :refresh_token, type: :string, required: false,
|
31
|
-
desc: "#{
|
29
|
+
desc: "#{AUTOMATE_PRODUCT_NAME} refresh token (#{AUTOMATE_PRODUCT_NAME} Only)"
|
32
30
|
option :dctoken, type: :string, required: false,
|
33
31
|
desc: "Data Collector token (#{AUTOMATE_PRODUCT_NAME} Only)"
|
34
32
|
option :ent, type: :string, required: false,
|
35
33
|
desc: "Enterprise for #{AUTOMATE_PRODUCT_NAME} reporting (#{AUTOMATE_PRODUCT_NAME} Only)"
|
36
34
|
def login(server)
|
37
35
|
options["server"] = server
|
38
|
-
InspecPlugins::Compliance::API.login(options)
|
39
|
-
|
40
|
-
puts "Stored configuration for Chef #{config["server_type"].capitalize}: #{config["server"]}' with user: '#{config["user"]}'"
|
36
|
+
login_response = InspecPlugins::Compliance::API.login(options)
|
37
|
+
puts login_response
|
41
38
|
end
|
42
39
|
|
43
|
-
desc "profiles", "list all available profiles in #{
|
40
|
+
desc "profiles", "list all available profiles in #{AUTOMATE_PRODUCT_NAME}"
|
44
41
|
option :owner, type: :string, required: false,
|
45
42
|
desc: "owner whose profiles to list"
|
46
43
|
def profiles
|
@@ -65,11 +62,11 @@ module InspecPlugins
|
|
65
62
|
exit 1
|
66
63
|
end
|
67
64
|
rescue InspecPlugins::Compliance::ServerConfigurationMissing
|
68
|
-
$stderr.puts "\nServer configuration information is missing. Please login using `#{EXEC_NAME}
|
65
|
+
$stderr.puts "\nServer configuration information is missing. Please login using `#{EXEC_NAME} #{subcommand_name} login`"
|
69
66
|
exit 1
|
70
67
|
end
|
71
68
|
|
72
|
-
desc "exec PROFILE", "executes a #{
|
69
|
+
desc "exec PROFILE", "executes a #{AUTOMATE_PRODUCT_NAME} profile"
|
73
70
|
exec_options
|
74
71
|
def exec(*tests)
|
75
72
|
compliance_config = InspecPlugins::Compliance::Configuration.new
|
@@ -91,7 +88,7 @@ module InspecPlugins
|
|
91
88
|
exit 1
|
92
89
|
end
|
93
90
|
|
94
|
-
desc "download PROFILE", "downloads a profile from #{
|
91
|
+
desc "download PROFILE", "downloads a profile from #{AUTOMATE_PRODUCT_NAME}"
|
95
92
|
option :name, type: :string,
|
96
93
|
desc: "Name of the archive filename (file type will be added)"
|
97
94
|
def download(profile_name)
|
@@ -116,12 +113,12 @@ module InspecPlugins
|
|
116
113
|
file_name = fetcher.fetch(o.name || id)
|
117
114
|
puts "Profile stored to #{file_name}"
|
118
115
|
else
|
119
|
-
puts "Profile #{profile_name} is not available in #{
|
116
|
+
puts "Profile #{profile_name} is not available in #{AUTOMATE_PRODUCT_NAME}."
|
120
117
|
exit 1
|
121
118
|
end
|
122
119
|
end
|
123
120
|
|
124
|
-
desc "upload PATH", "uploads a local profile to #{
|
121
|
+
desc "upload PATH", "uploads a local profile to #{AUTOMATE_PRODUCT_NAME}"
|
125
122
|
option :overwrite, type: :boolean, default: false,
|
126
123
|
desc: "Overwrite existing profile on Server."
|
127
124
|
option :owner, type: :string, required: false,
|
@@ -167,7 +164,7 @@ module InspecPlugins
|
|
167
164
|
|
168
165
|
# determine user information
|
169
166
|
if (config["token"].nil? && config["refresh_token"].nil?) || config["user"].nil?
|
170
|
-
error.call("Please login via `#{EXEC_NAME}
|
167
|
+
error.call("Please login via `#{EXEC_NAME} #{subcommand_name} login`")
|
171
168
|
end
|
172
169
|
|
173
170
|
# read profile name from inspec.yml
|
@@ -202,11 +199,8 @@ module InspecPlugins
|
|
202
199
|
puts "Start upload to #{config["owner"]}/#{profile_name}"
|
203
200
|
pname = ERB::Util.url_encode(profile_name)
|
204
201
|
|
205
|
-
|
206
|
-
|
207
|
-
else
|
208
|
-
puts "Uploading to #{COMPLIANCE_PRODUCT_NAME}"
|
209
|
-
end
|
202
|
+
puts "Uploading to #{AUTOMATE_PRODUCT_NAME}"
|
203
|
+
|
210
204
|
success, msg = InspecPlugins::Compliance::API.upload(config, config["owner"], pname, archive_path)
|
211
205
|
|
212
206
|
# delete temp file if it was temporary generated
|
@@ -221,7 +215,7 @@ module InspecPlugins
|
|
221
215
|
end
|
222
216
|
end
|
223
217
|
|
224
|
-
desc "version", "displays the version of the #{
|
218
|
+
desc "version", "displays the version of the #{AUTOMATE_PRODUCT_NAME} server"
|
225
219
|
def version
|
226
220
|
config = InspecPlugins::Compliance::Configuration.new
|
227
221
|
info = InspecPlugins::Compliance::API.version(config)
|
@@ -233,11 +227,11 @@ module InspecPlugins
|
|
233
227
|
exit 1
|
234
228
|
end
|
235
229
|
rescue InspecPlugins::Compliance::ServerConfigurationMissing
|
236
|
-
puts "\nServer configuration information is missing. Please login using `#{EXEC_NAME}
|
230
|
+
puts "\nServer configuration information is missing. Please login using `#{EXEC_NAME} #{subcommand_name} login`"
|
237
231
|
exit 1
|
238
232
|
end
|
239
233
|
|
240
|
-
desc "logout", "user logout from #{
|
234
|
+
desc "logout", "user logout from #{AUTOMATE_PRODUCT_NAME}"
|
241
235
|
def logout
|
242
236
|
config = InspecPlugins::Compliance::Configuration.new
|
243
237
|
unless config.supported?(:oidc) || config["token"].nil? || config["server_type"] == "automate"
|
@@ -258,9 +252,13 @@ module InspecPlugins
|
|
258
252
|
|
259
253
|
def loggedin(config)
|
260
254
|
serverknown = !config["server"].nil?
|
261
|
-
puts "You need to login first with `#{EXEC_NAME}
|
255
|
+
puts "You need to login first with `#{EXEC_NAME} #{subcommand_name} login`" unless serverknown
|
262
256
|
serverknown
|
263
257
|
end
|
258
|
+
|
259
|
+
def subcommand_name
|
260
|
+
@_invocations[Inspec::InspecCLI]&.first || "automate"
|
261
|
+
end
|
264
262
|
end
|
265
263
|
|
266
264
|
# register the subcommand to InSpec CLI registry
|
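Review bot: `login` prints whatever `API.login` returns with `puts login_response`, and on a rejected token that value is the failure text from `api/login.rb`, so a failed login goes to stdout and, as far as these lines show, the command still exits 0. The other error paths visible in this file write the message and then call `exit 1`, which gives scripts and CI jobs that run `login` before `exec` or `upload` a way to stop. Returning the status alongside the message and ending `login` with `abort msg unless success` (or `$stderr.puts msg; exit 1`) would restore that signal. Separately, `subcommand_name` reads Thor's `@_invocations` instance variable and deserves a comment such as `# @_invocations is Thor-internal; falls back to "automate" when it is absent`.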
@@ -34,13 +34,13 @@ module InspecPlugins
|
|
34
34
|
if config["token"].nil? && config["refresh_token"].nil?
|
35
35
|
if config["server_type"] == "automate"
|
36
36
|
server = "automate"
|
37
|
-
msg = "#{EXEC_NAME} compliance login https://your_automate_server --user USER --ent ENT --dctoken DCTOKEN or --token USERTOKEN"
|
37
|
+
msg = "#{EXEC_NAME} [automate|compliance] login https://your_automate_server --user USER --ent ENT --dctoken DCTOKEN or --token USERTOKEN"
|
38
38
|
elsif config["server_type"] == "automate2"
|
39
39
|
server = "automate2"
|
40
|
-
msg = "#{EXEC_NAME} compliance login https://your_automate2_server --user USER --token APITOKEN"
|
40
|
+
msg = "#{EXEC_NAME} [automate|compliance] login https://your_automate2_server --user USER --token APITOKEN"
|
41
41
|
else
|
42
42
|
server = "compliance"
|
43
|
-
msg = "#{EXEC_NAME} compliance login https://your_compliance_server --user admin --insecure --token 'PASTE TOKEN HERE' "
|
43
|
+
msg = "#{EXEC_NAME} [automate|compliance] login https://your_compliance_server --user admin --insecure --token 'PASTE TOKEN HERE' "
|
44
44
|
end
|
45
45
|
raise Inspec::FetcherFailure, <<~EOF
|
46
46
|
|
@@ -112,7 +112,7 @@ module InspecPlugins
|
|
112
112
|
end
|
113
113
|
|
114
114
|
def to_s
|
115
|
-
"#{
|
115
|
+
"#{AUTOMATE_PRODUCT_NAME} Profile Loader"
|
116
116
|
end
|
117
117
|
|
118
118
|
private
|
@@ -136,6 +136,7 @@ module InspecPlugins
|
|
136
136
|
if m.nil?
|
137
137
|
raise "Unable to determine compliance profile name. This can be caused by " \
|
138
138
|
"an incorrect server in your configuration. Try to login to compliance " \
|
139
|
+
"via the `#{EXEC_NAME} automate login` command or " \
|
139
140
|
"via the `#{EXEC_NAME} compliance login` command."
|
140
141
|
end
|
141
142
|
|
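--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec-core
 version: !ruby/object:Gem::Version
-version: 4.
+version: 4.37.20
 platform: ruby
 authors:
 - Chef InSpec Team
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-
+date: 2021-05-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: chef-telemetry
@@ -17,6 +17,9 @@ dependencies:
 - - "~>"
 - !ruby/object:Gem::Version
 version: '1.0'
+- - ">="
+- !ruby/object:Gem::Version
+version: 1.0.8
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
@@ -24,6 +27,9 @@ dependencies:
 - - "~>"
 - !ruby/object:Gem::Version
 version: '1.0'
+- - ">="
+- !ruby/object:Gem::Version
+version: 1.0.8
 - !ruby/object:Gem::Dependency
 name: license-acceptance
 requirement: !ruby/object:Gem::Requirement
@@ -223,7 +229,7 @@ dependencies:
 version: 0.9.0
 - - "<"
 - !ruby/object:Gem::Version
-version: '1.
+version: '1.5'
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
@@ -233,7 +239,7 @@ dependencies:
 version: 0.9.0
 - - "<"
 - !ruby/object:Gem::Version
-version: '1.
+version: '1.5'
 - !ruby/object:Gem::Dependency
 name: faraday_middleware
 requirement: !ruby/object:Gem::Requirement
@@ -586,6 +592,7 @@ files:
 - lib/inspec/resources/script.rb
 - lib/inspec/resources/security_identifier.rb
 - lib/inspec/resources/security_policy.rb
+- lib/inspec/resources/selinux.rb
 - lib/inspec/resources/service.rb
 - lib/inspec/resources/shadow.rb
 - lib/inspec/resources/ssh_config.rb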