inspec-core 4.37.23 → 4.38.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c9e4ef72fd93cf8c9de6cf6a6b14473388a1df8edee971d3e9db0dc89e31a756
-  data.tar.gz: 79ab3e58e1f574f6bd34aff949a965ed7c01744745cb09eba4768a420f9fe60b
+  metadata.gz: 17449ad4c9680511a8fc11c6fdb11d9ece550a7942c9e734c95eac0d41913d9f
+  data.tar.gz: ae5055ccc9bebd1aed4f22da4ad4dcd1be31e1bd2b5707e7b5fb088c916eda08
 SHA512:
-  metadata.gz: c1254e07b8263b7f97c53a3a3768db4fd50692d49defe607e2f7ceb42fce86c6a53909472e0b28fe7cbb58cfcdb6255dd549adaca18836ba2475f8644dab4153
-  data.tar.gz: 8b45db91165ebd6a9af3102a4a4f60e9cf1fd404f5cc28452cc4df92e1554cce42a009e40b6a11de1d13569bada66a270d344076965138d32e52aea045a8ca52
+  metadata.gz: 6cec299ca48d7ca4c3fb9b3eecc79c8687541fbd83fc79e837ed13d2abb4bcb861f747782a68bf90f7e1083443a671079a1368a97e9f552e249e456616a92059
+  data.tar.gz: 287e2d79dbc494c83d6f8b8046e0f9c54632c5a13ec75ac69b603bdf9fe9b6a89ff86c9c8f025f7e04372490adb1ffa5a5a7fc10f3ecab1e7fabd70f71f6767d

data/Gemfile

@@ -55,6 +55,7 @@ end
 if Gem.ruby_version >= Gem::Version.new("2.7.0")
   group :kitchen do
     gem "berkshelf"
+    gem "chef", ">= 16.0" # Required to allow net-ssh > 6
     gem "test-kitchen", ">= 2.8"
     gem "kitchen-inspec", ">= 2.0"
     gem "kitchen-dokken", ">= 2.11"

data/lib/inspec/fetcher/local.rb

@@ -3,7 +3,8 @@ require "openssl" unless defined?(OpenSSL)
 module Inspec::Fetcher
   class Local < Inspec.fetcher(1)
     name "local"
-    priority 0
+    priority 1
+    # Priority is used for setting precedence of fetchers. And registry plugin(v1) decides which fetcher to use for loading profiles by using this priority
 
     def self.resolve(target)
       if target.is_a?(String)

data/lib/inspec/fetcher/mock.rb

@@ -6,9 +6,11 @@ module Inspec::Fetcher
     priority 0
 
     def self.resolve(target)
-      return nil unless target.is_a? Hash
-
-      new(target)
+      if (target.is_a? Hash) && ((target.keys & %i{cwd path backend}).empty?)
+        new(target)
+      else
+        nil
+      end
     end
 
     def initialize(data)

data/lib/inspec/resources.rb

@@ -71,6 +71,8 @@ require "inspec/resources/key_rsa"
 require "inspec/resources/ksh"
 require "inspec/resources/limits_conf"
 require "inspec/resources/login_defs"
+require "inspec/resources/mongodb"
+require "inspec/resources/mongodb_conf"
 require "inspec/resources/mount"
 require "inspec/resources/mssql_session"
 require "inspec/resources/mysql"

data/lib/inspec/resources/mongodb.rb

@@ -0,0 +1,65 @@
+module Inspec::Resources
+  class Mongodb < Inspec.resource(1)
+    name "mongodb"
+    supports platform: "unix"
+    supports platform: "windows"
+
+    desc "The 'mongodb' resource is a helper for the 'mongodb_conf' & 'mongodb_session' resources.  Please use those instead."
+
+    attr_reader :conf_path
+
+    def initialize
+      case inspec.os[:family]
+      when "debian", "fedora", "redhat", "linux", "suse"
+        init_linux
+      when "darwin"
+        init_macos
+      when "windows"
+        init_windows
+      end
+    end
+
+    def to_s
+      "MongoDB"
+    end
+
+    private
+
+    def init_linux
+      @conf_path = "/etc/mongod.conf"
+    end
+
+    def init_macos
+      @conf_path = "/usr/local/etc/mongod.conf"
+    end
+
+    def init_windows
+      dir = "C:\\Program Files\\MongoDB\\Server"
+      @version = version_from_dir(dir)
+      unless @version.to_s.empty?
+        @conf_path = "#{dir}\\#{@version}\\bin\\mongod.cfg"
+      end
+    end
+
+    def version_from_dir(dir)
+      dirs = inspec.command("Get-ChildItem -Path \"#{dir}\" -Name").stdout
+      entries = dirs.lines.count
+      case entries
+      when 0
+        warn "Could not determine version of installed MongoDB by inspecting #{dir}"
+        nil
+      when 1
+        dir_to_version(dirs)
+      else
+        warn "Multiple versions of MongoDB installed or incorrect base dir #{dir}"
+        first = dir_to_version(dirs.lines.first)
+        warn "Using the first version found: #{first}"
+        first
+      end
+    end
+
+    def dir_to_version(dir)
+      dir.chomp.split("/").last
+    end
+  end
+end

data/lib/inspec/resources/mongodb_conf.rb

@@ -0,0 +1,39 @@
+require "inspec/resources/json"
+require "inspec/resources/mongodb"
+
+module Inspec::Resources
+  class MongodbConf < JsonConfig
+    name "mongodb_conf"
+    supports platform: "unix"
+    supports platform: "windows"
+    desc "Use the mongodb_conf InSpec audit resource to test the contents of the configuration file for MongoDB, typically located at `/etc/mongod.conf` or `C:\\Program Files\\MongoDB\\Server\\<version>\\bin\\mongod.cfg`, depending on the platform."
+    example <<~EXAMPLE
+      describe mongodb_conf do
+        its(["storage", "dbPath"]) { should eq "/var/lib/mongodb" }
+        its(["net", "port"]) { should eq 27017 }
+      end
+    EXAMPLE
+
+    def initialize(conf_path = nil)
+      @conf_path = conf_path || inspec.mongodb.conf_path
+
+      if @conf_path.nil?
+        return skip_resource "MongoDB conf path is not set."
+      end
+
+      super(@conf_path)
+    end
+
+    private
+
+    def parse(content)
+      YAML.load(content)
+    rescue => e
+      raise Inspec::Exceptions::ResourceFailed, "Unable to parse `mongod.conf` or `mongod.cfg` file: #{e.message}"
+    end
+
+    def resource_base_name
+      "MongoDB Configuration"
+    end
+  end
+end

data/lib/inspec/resources/mssql_session.rb

@@ -42,11 +42,7 @@ module Inspec::Resources
       @local_mode = opts[:local_mode]
       unless local_mode?
         @host = opts[:host] || "localhost"
-        if opts.key?(:port)
-          @port = opts[:port]
-        else
-          @port = "1433"
-        end
+        @port = opts[:port]
       end
       @instance = opts[:instance]
       @db_name = opts[:db_name]

data/lib/inspec/resources/mysql_session.rb

@@ -44,10 +44,14 @@ module Inspec::Resources
       @port = port
       @socket = socket
       init_fallback if user.nil? || pass.nil?
-      skip_resource("Can't run MySQL SQL checks without authentication") if @user.nil? || @pass.nil?
+      raise Inspec::Exceptions::ResourceFailed, "Can't run MySQL SQL checks without authentication." if @user.nil? || @pass.nil?
+
+      test_connection
     end
 
     def query(q, db = "")
+      raise Inspec::Exceptions::ResourceFailed, "#{resource_exception_message}" if resource_failed?
+
       mysql_cmd = create_mysql_cmd(q, db)
       cmd = if !@pass.nil?
               inspec.command(mysql_cmd, redact_regex: /(mysql -u\w+ -p).+(\s-(h|S).*)/)
@@ -56,7 +60,7 @@ module Inspec::Resources
             end
       out = cmd.stdout + "\n" + cmd.stderr
       if cmd.exit_status != 0 || out =~ /Can't connect to .* MySQL server/ || out.downcase =~ /^error:.*/
-        Lines.new(out, "MySQL query with errors: #{q}", cmd.exit_status)
+        raise Inspec::Exceptions::ResourceFailed, "MySQL query with errors: #{out}"
       else
         Lines.new(cmd.stdout.strip, "MySQL query: #{q}", cmd.exit_status)
       end
@@ -68,6 +72,12 @@ module Inspec::Resources
 
     private
 
+    # Querying on the database to make sure conneciton can be established. If not this will set the resource exception
+    # message which we raise before querying on the database using mysql_session object.
+    def test_connection
+      query("select now()")
+    end
+
     def escape_string(query)
       Shellwords.escape(query)
     end

data/lib/inspec/resources/oracledb_session.rb

@@ -38,11 +38,12 @@ module Inspec::Resources
       @sqlcl_bin = opts[:sqlcl_bin] || nil
       @sqlplus_bin = opts[:sqlplus_bin] || "sqlplus"
       skip_resource "Option 'as_os_user' not available in Windows" if inspec.os.windows? && su_user
-      fail_resource "Can't run Oracle checks without authentication" unless su_user && (user || password)
-      fail_resource "You must provide a service name for the session" unless service
+      fail_resource "Can't run Oracle checks without authentication" unless su_user || (user || password)
     end
 
     def query(sql)
+      raise Inspec::Exceptions::ResourceFailed, "#{resource_exception_message}" if resource_failed?
+
       if @sqlcl_bin && inspec.command(@sqlcl_bin).exist?
         @bin = @sqlcl_bin
         format_options = "set sqlformat csv\nSET FEEDBACK OFF"
@@ -53,8 +54,17 @@ module Inspec::Resources
 
       command = command_builder(format_options, sql)
       inspec_cmd = inspec.command(command)
+      out = inspec_cmd.stdout + "\n" + inspec_cmd.stderr
 
-      DatabaseHelper::SQLQueryResult.new(inspec_cmd, parse_csv_result(inspec_cmd.stdout))
+      if inspec_cmd.exit_status != 0 || !inspec_cmd.stderr.empty? || out.downcase =~ /^error.*/
+        raise Inspec::Exceptions::ResourceFailed, "Oracle query with errors: #{out}"
+      else
+        begin
+          DatabaseHelper::SQLQueryResult.new(inspec_cmd, parse_csv_result(inspec_cmd.stdout))
+        rescue
+          raise Inspec::Exceptions::ResourceFailed, "Oracle query with errors: #{out}"
+        end
+      end
     end
 
     def to_s
@@ -77,11 +87,11 @@ module Inspec::Resources
       end
 
       if @db_role.nil?
-        %{#{sql_prefix}#{bin} "#{user}"/"#{password}"@#{host}:#{port}/#{@service}#{sql_postfix}}
+        "#{sql_prefix}#{bin} #{user}/#{password}@#{host}:#{port}/#{@service}#{sql_postfix}"
       elsif @su_user.nil?
-        %{#{sql_prefix}#{bin} "#{user}"/"#{password}"@#{host}:#{port}/#{@service} as #{@db_role}#{sql_postfix}}
+        "#{sql_prefix}#{bin} #{user}/#{password}@#{host}:#{port}/#{@service} as #{@db_role}#{sql_postfix}"
       else
-        %{su - #{@su_user} -c "env ORACLE_SID=#{@service} #{@bin} / as #{@db_role}#{sql_postfix}"}
+        "su - #{@su_user} -c env ORACLE_SID=#{@service} #{@bin} / as #{@db_role}#{sql_postfix}"
       end
     end
 

data/lib/inspec/resources/postgres.rb

@@ -4,6 +4,8 @@ module Inspec::Resources
   class Postgres < Inspec.resource(1)
     name "postgres"
     supports platform: "unix"
+    supports platform: "windows"
+
     desc "The 'postgres' resource is a helper for the 'postgres_conf', 'postgres_hba_conf', 'postgres_ident_conf' & 'postgres_session' resources.  Please use those instead."
 
     attr_reader :service, :data_dir, :conf_dir, :conf_path, :version, :cluster
@@ -43,11 +45,17 @@ module Inspec::Resources
           @conf_dir = "/etc/postgresql/#{@version}/#{@cluster}"
           @data_dir = "/var/lib/postgresql/#{@version}/#{@cluster}"
         end
+      elsif inspec.os.windows?
+        dir = "C:\\Program Files\\PostgreSQL"
+        @version = version_from_psql || version_from_dir_windows(dir)
+        unless @version.to_s.empty?
+          @data_dir = "#{dir}\\#{@version}\\data\\"
+        end
       else
         @version = version_from_psql
         if @version.to_s.empty?
           if inspec.directory("/var/lib/pgsql/data").exist?
-            warn "Unable to determine PostgreSQL version: psql did not return" \
+            Inspec::Log.warn "Unable to determine PostgreSQL version: psql did not return" \
                  "a version number and unversioned data directories were found."
           else
             @version = version_from_dir("/var/lib/pgsql")
@@ -69,13 +77,13 @@ module Inspec::Resources
 
     def verify_dirs
       unless inspec.directory(@conf_dir).exist?
-        warn "Default postgresql configuration directory: #{@conf_dir} does not exist. " \
+        Inspec::Log.warn "Default postgresql configuration directory: #{@conf_dir} does not exist. " \
           "Postgresql may not be installed or we've misidentified the configuration " \
           "directory."
       end
 
       unless inspec.directory(@data_dir).exist?
-        warn "Default postgresql data directory: #{@data_dir} does not exist. " \
+        Inspec::Log.warn "Default postgresql data directory: #{@data_dir} does not exist. " \
           "Postgresql may not be installed or we've misidentified the data " \
           "directory."
       end
@@ -84,7 +92,15 @@ module Inspec::Resources
     def version_from_psql
       return unless inspec.command("psql").exist?
 
-      inspec.command("psql --version | awk '{ print $NF }' | awk -F. '{ print $1\".\"$2 }'").stdout.strip
+      version = inspec.command("psql --version").stdout.strip.split(" ")[2].split(".")
+
+      unless version.empty?
+        if version.first.to_i >= 10
+          version.first
+        else
+          "#{version[0]}.#{version[1]}"
+        end
+      end
     end
 
     def locate_data_dir_location_by_version(ver = @version)
@@ -100,7 +116,7 @@ module Inspec::Resources
       data_dir_loc = dir_list.detect { |i| inspec.directory(i).exist? }
 
       if data_dir_loc.nil?
-        warn 'Unable to find the PostgreSQL data_dir in expected location(s), please
+        Inspec::Log.warn 'Unable to find the PostgreSQL data_dir in expected location(s), please
         execute "psql -t -A -p <port> -h <host> -c "show hba_file";" as the PostgreSQL
         DBA to find the non-standard data_dir location.'
       end
@@ -112,15 +128,32 @@ module Inspec::Resources
       entries = dirs.lines.count
       case entries
       when 0
-        warn "Could not determine version of installed postgresql by inspecting #{dir}"
+        Inspec::Log.warn "Could not determine version of installed postgresql by inspecting #{dir}"
+        nil
+      when 1
+        Inspec::Log.warn "Using #{dirs}: #{dir_to_version(dirs)}"
+        dir_to_version(dirs)
+      else
+        Inspec::Log.warn "Multiple versions of postgresql installed or incorrect base dir #{dir}"
+        first = dir_to_version(dirs.lines.first)
+        Inspec::Log.warn "Using the first version found: #{first}"
+        first
+      end
+    end
+
+    def version_from_dir_windows(dir)
+      dirs = inspec.command("Get-ChildItem -Path \"#{dir}\" -Name").stdout
+      entries = dirs.lines.count
+      case entries
+      when 0
+        Inspec::Log.warn "Could not determine version of installed PostgreSQL by inspecting #{dir}"
         nil
       when 1
-        warn "Using #{dirs}: #{dir_to_version(dirs)}"
         dir_to_version(dirs)
       else
-        warn "Multiple versions of postgresql installed or incorrect base dir #{dir}"
+        Inspec::Log.warn "Multiple versions of PostgreSQL installed or incorrect base dir #{dir}"
         first = dir_to_version(dirs.lines.first)
-        warn "Using the first version found: #{first}"
+        Inspec::Log.warn "Using the first version found: #{first}"
         first
       end
     end
@@ -137,13 +170,13 @@ module Inspec::Resources
       else
         dirs = inspec.command("ls -d #{dir}/*/").stdout.lines
         if dirs.empty?
-          warn "No postgresql clusters configured or incorrect base dir #{dir}"
+          Inspec::Log.warn "No postgresql clusters configured or incorrect base dir #{dir}"
           return nil
         end
         first = dirs.first.chomp.split("/").last
         if dirs.count > 1
-          warn "Multiple postgresql clusters configured or incorrect base dir #{dir}"
-          warn "Using the first directory found: #{first}"
+          Inspec::Log.warn "Multiple postgresql clusters configured or incorrect base dir #{dir}"
+          Inspec::Log.warn "Using the first directory found: #{first}"
         end
         first
       end

data/lib/inspec/resources/postgres_conf.rb

@@ -22,6 +22,8 @@ module Inspec::Resources
     include FileReader
     include ObjectTraverser
 
+    attr_accessor :conf_path
+
     def initialize(conf_path = nil)
       @conf_path = conf_path || inspec.postgres.conf_path
       if @conf_path.nil?

data/lib/inspec/resources/postgres_hba_conf.rb

@@ -5,6 +5,7 @@ module Inspec::Resources
   class PostgresHbaConf < Inspec.resource(1)
     name "postgres_hba_conf"
     supports platform: "unix"
+    supports platform: "windows"
     desc 'Use the `postgres_hba_conf` InSpec audit resource to test the client
           authentication data defined in the pg_hba.conf file.'
     example <<~EXAMPLE
@@ -19,7 +20,7 @@ module Inspec::Resources
 
     # @todo add checks to ensure that we have data in our file
     def initialize(hba_conf_path = nil)
-      @conf_file = hba_conf_path || File.expand_path("pg_hba.conf", inspec.postgres.conf_dir)
+      @conf_file = hba_conf_path || File.join(inspec.postgres.conf_dir, "pg_hba.conf")
       @content = ""
       @params = {}
       read_content

data/lib/inspec/resources/postgres_ident_conf.rb

@@ -5,6 +5,7 @@ module Inspec::Resources
   class PostgresIdentConf < Inspec.resource(1)
     name "postgres_ident_conf"
     supports platform: "unix"
+    supports platform: "windows"
     desc 'Use the postgres_ident_conf InSpec audit resource to test the client
           authentication data is controlled by a pg_ident.conf file.'
     example <<~EXAMPLE
@@ -18,7 +19,7 @@ module Inspec::Resources
     attr_reader :params, :conf_file
 
     def initialize(ident_conf_path = nil)
-      @conf_file = ident_conf_path || File.expand_path("pg_ident.conf", inspec.postgres.conf_dir)
+      @conf_file = ident_conf_path || File.join(inspec.postgres.conf_dir, "pg_ident.conf")
       @content = nil
       @params = nil
       read_content

data/lib/inspec/resources/postgres_session.rb

@@ -12,7 +12,7 @@ module Inspec::Resources
     end
 
     def lines
-      output.split("\n")
+      output.split("\n").map(&:strip)
     end
 
     def to_s
@@ -45,14 +45,19 @@ module Inspec::Resources
       @pass = pass
       @host = host || "localhost"
       @port = port || 5432
+      raise Inspec::Exceptions::ResourceFailed, "Can't run PostgreSQL SQL checks without authentication." if @user.nil? || @pass.nil?
+
+      test_connection
     end
 
     def query(query, db = [])
+      raise Inspec::Exceptions::ResourceFailed, "#{resource_exception_message}" if resource_failed?
+
       psql_cmd = create_psql_cmd(query, db)
-      cmd = inspec.command(psql_cmd, redact_regex: /(PGPASSWORD=').+(' psql .*)/)
+      cmd = inspec.command(psql_cmd, redact_regex: %r{(:\/\/[a-z]*:).*(@)})
       out = cmd.stdout + "\n" + cmd.stderr
       if cmd.exit_status != 0 || out =~ /could not connect to .*/ || out.downcase =~ /^error:.*/
-        Lines.new(out, "PostgreSQL query with errors: #{query}")
+        raise Inspec::Exceptions::ResourceFailed, "PostgreSQL query with errors: #{out}"
       else
         Lines.new(cmd.stdout.strip, "PostgreSQL query: #{query}")
       end
@@ -60,13 +65,21 @@ module Inspec::Resources
 
     private
 
+    def test_connection
+      query("select now()\;")
+    end
+
     def escaped_query(query)
       Shellwords.escape(query)
     end
 
     def create_psql_cmd(query, db = [])
-      dbs = db.map { |x| "-d #{x}" }.join(" ")
-      "PGPASSWORD='#{@pass}' psql -U #{@user} #{dbs} -h #{@host} -p #{@port} -A -t -c #{escaped_query(query)}"
+      dbs = db.map { |x| "#{x}" }.join(" ")
+      if inspec.os.windows?
+        "psql -d postgresql://#{@user}:#{@pass}@#{@host}:#{@port}/#{dbs} -A -t -w -c \"#{query}\""
+      else
+        "psql -d postgresql://#{@user}:#{@pass}@#{@host}:#{@port}/#{dbs} -A -t -w -c #{escaped_query(query)}"
+      end
     end
   end
 end

data/lib/inspec/rule.rb

@@ -360,7 +360,7 @@ module Inspec
         # A string that does not represent a valid time results in the date 0000-01-01.
         if [Date, Time].include?(expiry.class) || (expiry.is_a?(String) && Time.new(expiry).year != 0)
           expiry = expiry.to_time if expiry.is_a? Date
-          expiry = Time.new(expiry) if expiry.is_a? String
+          expiry = Time.parse(expiry) if expiry.is_a? String
           if expiry < Time.now # If the waiver expired, return - no skip applied
             __waiver_data["message"] = "Waiver expired on #{expiry}, evaluating control normally"
             return

data/lib/inspec/version.rb

@@ -1,3 +1,3 @@
 module Inspec
-  VERSION = "4.37.23".freeze
+  VERSION = "4.38.9".freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec-core
 version: !ruby/object:Gem::Version
-  version: 4.37.23
+  version: 4.38.9
 platform: ruby
 authors:
 - Chef InSpec Team
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-05-31 00:00:00.000000000 Z
+date: 2021-07-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: chef-telemetry
@@ -554,6 +554,8 @@ files:
 - lib/inspec/resources/limits_conf.rb
 - lib/inspec/resources/linux_kernel_parameter.rb
 - lib/inspec/resources/login_defs.rb
+- lib/inspec/resources/mongodb.rb
+- lib/inspec/resources/mongodb_conf.rb
 - lib/inspec/resources/mount.rb
 - lib/inspec/resources/mssql_session.rb
 - lib/inspec/resources/mysql.rb