inspec-core 4.37.8 → 4.37.30

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d915bf11e35804382285502f46a3a37b35017a10ab34c4e2f78d7420b0e3f589
-  data.tar.gz: b85a4f9cda0e1da7461b6d23248e935ceb6fbb2d9028f5bd9eec0683426c1ec3
+  metadata.gz: 9c945fbd0ce14959ea0286c4bfc5928d547bd7c48dd80828a955585493383476
+  data.tar.gz: c9f3f58a8b68ec6039ef432421150690870ffce295691ad2e9f1b72e31b4802b
 SHA512:
-  metadata.gz: e1925d3c20bcd18a711dfa9d2df7ff98bd522b4afd3fbc8f4c5bc16648e60101fd6984a5a3d4bebf568b2993ec29ecae1ca58380e8d1a5bb55498f335dd144ff
-  data.tar.gz: da6f422af63ddfa51d96b945cc8d34d0bc67d26557114367406108ff43bada35a2c9dd83e4c0c29081cb3a29fe6c545fcd7cf1e8a8d8a4618da1058b6e562883
+  metadata.gz: b75d54fae752d292467fe333a8081c739ae24c2570256b26a6c104893e29a234182018e00d555a31e02cd19f189c7561489b1c2c13b03c4eacca04562b3a3343
+  data.tar.gz: bc67f78180eb7516f28dfae3fc0bcf8a0bb523b05ff3e5aa32df156279797d9d6f3801c00ff347159fc7cdf399d1c6a00cd29a4a506611c53c044eaac5a938dc

data/Gemfile

@@ -20,11 +20,22 @@ end
 # but our runtime dep is still 3.9+
 gem "rspec", ">= 3.10"
 
+def probably_x86?
+  # We don't currently build on ARM windows, so assume x86 there
+  return true if RUBY_PLATFORM =~ /windows|mswin|msys|mingw|cygwin/
+
+  # Otherwise rely on uname -m
+  `uname -m`.match?(/^(x86_64|i\d86)/)
+end
+
 group :omnibus do
   gem "rb-readline"
   gem "appbundler"
   gem "ed25519" # ed25519 ssh key support done here as its a native gem we can't put in the gemspec
   gem "bcrypt_pbkdf" # ed25519 ssh key support done here as its a native gem we can't put in the gemspec
+  if probably_x86?
+    gem "x25519" # ed25519 KEX module, not supported on ARM
+  end
 end
 
 group :test do
@@ -55,6 +66,7 @@ end
 if Gem.ruby_version >= Gem::Version.new("2.7.0")
   group :kitchen do
     gem "berkshelf"
+    gem "chef", ">= 16.0" # Required to allow net-ssh > 6
     gem "test-kitchen", ">= 2.8"
     gem "kitchen-inspec", ">= 2.0"
     gem "kitchen-dokken", ">= 2.11"

data/etc/deprecations.json

@@ -120,6 +120,11 @@
     "object_classes": {
       "action": "warn",
       "suffix": "These classes will be removed in InSpec 5.0."
+    },
+    "cli_option_hook":{
+      "action": "warn",
+      "prefix": "The --hook option is being replaced by the --activator option.",
+      "suffix": "This options will be removed in InSpec 4.0."
     }
   }
 }

data/lib/inspec/base_cli.rb

@@ -181,7 +181,7 @@ module Inspec
       puts "  Patents: chef.io/patents\n\n"
     end
 
-    def self.format_platform_info(params: {}, indent: 0, color: 39)
+    def self.format_platform_info(params: {}, indent: 0, color: 39, enable_color: true)
       str = ""
       params.each do |item, info|
         data = info
@@ -192,7 +192,7 @@ module Inspec
         # Do not output fields of data is missing ('unknown' is fine)
         next if data.nil?
 
-        data = "\e[1m\e[#{color}m#{data}\e[0m"
+        data = "\e[1m\e[#{color}m#{data}\e[0m" if enable_color
         str << format("#{" " * indent}%-10s %s\n", item.to_s.capitalize + ":", data)
       end
       str

data/lib/inspec/cli.rb

@@ -305,7 +305,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI
       puts res.to_json
     else
       ui.headline("Platform Details")
-      ui.plain Inspec::BaseCLI.format_platform_info(params: res, indent: 0, color: 36)
+      ui.plain Inspec::BaseCLI.format_platform_info(params: res, indent: 0, color: 36, enable_color: ui.color?)
     end
   rescue ArgumentError, RuntimeError, Train::UserError => e
     $stderr.puts e.message

data/lib/inspec/fetcher/local.rb

@@ -3,7 +3,8 @@ require "openssl" unless defined?(OpenSSL)
 module Inspec::Fetcher
   class Local < Inspec.fetcher(1)
     name "local"
-    priority 0
+    priority 1
+    # Priority is used for setting precedence of fetchers. And registry plugin(v1) decides which fetcher to use for loading profiles by using this priority
 
     def self.resolve(target)
       if target.is_a?(String)

data/lib/inspec/fetcher/mock.rb

@@ -6,9 +6,11 @@ module Inspec::Fetcher
     priority 0
 
     def self.resolve(target)
-      return nil unless target.is_a? Hash
-
-      new(target)
+      if (target.is_a? Hash) && ((target.keys & %i{cwd path backend}).empty?)
+        new(target)
+      else
+        nil
+      end
     end
 
     def initialize(data)

data/lib/inspec/resources/file.rb

@@ -136,10 +136,10 @@ module Inspec::Resources
     alias sticky? sticky
 
     def more_permissive_than?(max_mode = nil)
-      raise Inspec::Exceptions::ResourceFailed, "The file" + file.path + "doesn't seem to exist" unless exist?
-      raise ArgumentError, "You must proivde a value for the `maximum allowable permission` for the file." if max_mode.nil?
-      raise ArgumentError, "You must proivde the `maximum permission target` as a `String`, you provided: " + max_mode.class.to_s unless max_mode.is_a?(String)
-      raise ArgumentError, "The value of the `maximum permission target` should be a valid file mode in 4-ditgit octal format: for example, `0644` or `0777`" unless /(0)?([0-7])([0-7])([0-7])/.match?(max_mode)
+      return nil unless exist?
+      raise ArgumentError, "You must provide a value for the `maximum allowable permission` for the file." if max_mode.nil?
+      raise ArgumentError, "You must provide the `maximum permission target` as a `String`, you provided: " + max_mode.class.to_s unless max_mode.is_a?(String)
+      raise ArgumentError, "The value of the `maximum permission target` should be a valid file mode in 4-digit octal format: for example, `0644` or `0777`" unless /(0)?([0-7])([0-7])([0-7])/.match?(max_mode)
 
       # Using the files mode and a few bit-wise calculations we can ensure a
       # file is no more permisive than desired.
@@ -160,7 +160,6 @@ module Inspec::Resources
 
       max_mode = max_mode.to_i(8)
       inv_mode = 0777 ^ max_mode
-
       inv_mode & file.mode != 0
     end
 

data/lib/inspec/resources/mysql_session.rb

@@ -44,10 +44,14 @@ module Inspec::Resources
       @port = port
       @socket = socket
       init_fallback if user.nil? || pass.nil?
-      skip_resource("Can't run MySQL SQL checks without authentication") if @user.nil? || @pass.nil?
+      raise Inspec::Exceptions::ResourceFailed, "Can't run MySQL SQL checks without authentication." if @user.nil? || @pass.nil?
+
+      test_connection
     end
 
     def query(q, db = "")
+      raise Inspec::Exceptions::ResourceFailed, "#{resource_exception_message}" if resource_failed?
+
       mysql_cmd = create_mysql_cmd(q, db)
       cmd = if !@pass.nil?
               inspec.command(mysql_cmd, redact_regex: /(mysql -u\w+ -p).+(\s-(h|S).*)/)
@@ -56,7 +60,7 @@ module Inspec::Resources
             end
       out = cmd.stdout + "\n" + cmd.stderr
       if cmd.exit_status != 0 || out =~ /Can't connect to .* MySQL server/ || out.downcase =~ /^error:.*/
-        Lines.new(out, "MySQL query with errors: #{q}", cmd.exit_status)
+        raise Inspec::Exceptions::ResourceFailed, "MySQL query with errors: #{out}"
       else
         Lines.new(cmd.stdout.strip, "MySQL query: #{q}", cmd.exit_status)
       end
@@ -68,6 +72,12 @@ module Inspec::Resources
 
     private
 
+    # Querying on the database to make sure conneciton can be established. If not this will set the resource exception
+    # message which we raise before querying on the database using mysql_session object.
+    def test_connection
+      query("select now()")
+    end
+
     def escape_string(query)
       Shellwords.escape(query)
     end

data/lib/inspec/resources/port.rb

@@ -54,7 +54,7 @@ module Inspec::Resources
     def port_manager_for_os
       os = inspec.os
       if os.linux?
-        LinuxPorts.new(inspec)
+        LinuxPorts.new(inspec, @port)
       elsif os.aix?
         # AIX: see http://www.ibm.com/developerworks/aix/library/au-lsof.html#resources
         #      and https://www-01.ibm.com/marketing/iwm/iwm/web/reg/pick.do?source=aixbp
@@ -102,8 +102,9 @@ module Inspec::Resources
   # }]
   class PortsInfo
     attr_reader :inspec
-    def initialize(inspec)
+    def initialize(inspec, port = nil)
       @inspec = inspec
+      @port = port
     end
   end
 
@@ -394,7 +395,12 @@ module Inspec::Resources
     def ports_via_ss
       return nil unless inspec.command("ss").exist?
 
-      cmd = inspec.command("ss -tulpen")
+      if @port.nil?
+        cmd = inspec.command("ss -tulpen")
+      else
+        cmd = inspec.command("ss -tulpen '( dport = #{@port} or sport = #{@port} )'")
+      end
+
       return nil unless cmd.exit_status.to_i == 0
 
       ports = []

data/lib/inspec/resources/postgres_session.rb

@@ -45,14 +45,19 @@ module Inspec::Resources
       @pass = pass
       @host = host || "localhost"
       @port = port || 5432
+      raise Inspec::Exceptions::ResourceFailed, "Can't run PostgreSQL SQL checks without authentication." if @user.nil? || @pass.nil?
+
+      test_connection
     end
 
     def query(query, db = [])
+      raise Inspec::Exceptions::ResourceFailed, "#{resource_exception_message}" if resource_failed?
+
       psql_cmd = create_psql_cmd(query, db)
       cmd = inspec.command(psql_cmd, redact_regex: /(PGPASSWORD=').+(' psql .*)/)
       out = cmd.stdout + "\n" + cmd.stderr
       if cmd.exit_status != 0 || out =~ /could not connect to .*/ || out.downcase =~ /^error:.*/
-        Lines.new(out, "PostgreSQL query with errors: #{query}")
+        raise Inspec::Exceptions::ResourceFailed, "PostgreSQL query with errors: #{out}"
       else
         Lines.new(cmd.stdout.strip, "PostgreSQL query: #{query}")
       end
@@ -60,6 +65,10 @@ module Inspec::Resources
 
     private
 
+    def test_connection
+      query("select now()")
+    end
+
     def escaped_query(query)
       Shellwords.escape(query)
     end

data/lib/inspec/resources/windows_feature.rb

@@ -83,7 +83,7 @@ module Inspec::Resources
         feature_info = {
           name: result.match(feature_name_regex).captures[0].chomp,
           description: result.match(description_regex).captures[0].chomp,
-          installed: result.match(state_regex).captures[0].chomp == 'Enabled',
+          installed: result.match(state_regex).captures[0].chomp == "Enabled",
         }
       end
 

data/lib/inspec/resources/zfs_dataset.rb

@@ -16,16 +16,20 @@ module Inspec::Resources
     EXAMPLE
 
     def initialize(zfs_dataset)
-      return skip_resource "The `zfs_dataset` resource is not supported on your OS yet." unless inspec.os.bsd?
+      return skip_resource "The `zfs_dataset` resource is not supported on your OS yet." unless inspec.os.bsd? || inspec.os.linux?
 
       @zfs_dataset = zfs_dataset
+      find_zfs = inspec.command("which zfs")
+      @zfs_cmd = find_zfs.stdout.strip
+
+      return skip_resource "zfs is not installed" if find_zfs.exit_status != 0
 
       @params = gather
     end
 
     # method called by 'it { should exist }'
     def exists?
-      inspec.command("/sbin/zfs get -Hp all #{@zfs_dataset}").exit_status == 0
+      inspec.command("#{@zfs_cmd} get -Hp all #{@zfs_dataset}").exit_status == 0
     end
 
     def mounted?
@@ -39,7 +43,7 @@ module Inspec::Resources
     end
 
     def gather
-      cmd = inspec.command("/sbin/zfs get -Hp all #{@zfs_dataset}")
+      cmd = inspec.command("#{@zfs_cmd} get -Hp all #{@zfs_dataset}")
       return nil if cmd.exit_status.to_i != 0
 
       # parse data

data/lib/inspec/resources/zfs_pool.rb

@@ -15,16 +15,20 @@ module Inspec::Resources
     EXAMPLE
 
     def initialize(zfs_pool)
-      return skip_resource "The `zfs_pool` resource is not supported on your OS yet." unless inspec.os.bsd?
+      return skip_resource "The `zfs_pool` resource is not supported on your OS yet." unless inspec.os.bsd? || inspec.os.linux?
 
       @zfs_pool = zfs_pool
+      find_zpool = inspec.command("which zpool")
+      @zpool_cmd = find_zpool.stdout.strip
+
+      return skip_resource "zfs is not installed" if find_zpool.exit_status != 0
 
       @params = gather
     end
 
     # method called by 'it { should exist }'
     def exists?
-      inspec.command("/sbin/zpool get -Hp all #{@zfs_pool}").exit_status == 0
+      inspec.command("#{@zpool_cmd} get -Hp all #{@zfs_pool}").exit_status == 0
     end
 
     def to_s
@@ -32,7 +36,7 @@ module Inspec::Resources
     end
 
     def gather
-      cmd = inspec.command("/sbin/zpool get -Hp all #{@zfs_pool}")
+      cmd = inspec.command("#{@zpool_cmd} get -Hp all #{@zfs_pool}")
       return nil if cmd.exit_status.to_i != 0
 
       # parse data

data/lib/inspec/version.rb

@@ -1,3 +1,3 @@
 module Inspec
-  VERSION = "4.37.8".freeze
+  VERSION = "4.37.30".freeze
 end

data/lib/plugins/inspec-compliance/lib/inspec-compliance/api.rb

@@ -24,16 +24,8 @@ module InspecPlugins
       # the username of the account is used that is logged in
       def self.profiles(config, profile_filter = nil) # rubocop:disable Metrics/PerceivedComplexity, Metrics/CyclomaticComplexity, Metrics/AbcSize, Metrics/MethodLength
         owner = config["owner"] || config["user"]
-
-        # Chef Compliance
-        if is_compliance_server?(config)
-          url = "#{config["server"]}/user/compliance"
-        # Chef Automate2
-        elsif is_automate2_server?(config)
+        if is_automate2_server?(config)
           url = "#{config["server"]}/compliance/profiles/search"
-        # Chef Automate
-        elsif is_automate_server?(config)
-          url = "#{config["server"]}/profiles/#{owner}"
         else
           raise ServerConfigurationMissing
         end
@@ -45,12 +37,9 @@ module InspecPlugins
           id, ver = nil
         end
 
-        if is_automate2_server?(config)
-          body = { owner: owner, name: id }.to_json
-          response = InspecPlugins::Compliance::HTTP.post_with_headers(url, headers, body, config["insecure"])
-        else
-          response = InspecPlugins::Compliance::HTTP.get(url, headers, config["insecure"])
-        end
+        body = { owner: owner, name: id }.to_json
+        response = InspecPlugins::Compliance::HTTP.post_with_headers(url, headers, body, config["insecure"])
+
         data = response.body
         response_code = response.code
         case response_code
@@ -58,25 +47,12 @@ module InspecPlugins
           msg = "success"
           profiles = JSON.parse(data)
           # iterate over profiles
-          if is_compliance_server?(config)
-            mapped_profiles = []
-            profiles.values.each do |org|
-              mapped_profiles += org.values
-            end
-          # Chef Automate pre 0.8.0
-          elsif is_automate_server_pre_080?(config)
-            mapped_profiles = profiles.values.flatten
-          elsif is_automate2_server?(config)
-            mapped_profiles = []
-            profiles["profiles"].each do |p|
-              mapped_profiles << p
-            end
-          else
-            mapped_profiles = profiles.map do |e|
-              e["owner_id"] = owner
-              e
-            end
+
+          mapped_profiles = []
+          profiles["profiles"].each do |p|
+            mapped_profiles << p
           end
+
           # filter by name and version if they were specified in profile_filter
           mapped_profiles.select! do |p|
             (!ver || p["version"] == ver) && (!id || p["name"] == id)
@@ -120,26 +96,9 @@ module InspecPlugins
       end
 
       def self.upload(config, owner, profile_name, archive_path)
-        # Chef Compliance
-        if is_compliance_server?(config)
-          url = "#{config["server"]}/owners/#{owner}/compliance/#{profile_name}/tar"
-        # Chef Automate pre 0.8.0
-        elsif is_automate_server_pre_080?(config)
-          url = "#{config["server"]}/#{owner}"
-        elsif is_automate2_server?(config)
-          url = "#{config["server"]}/compliance/profiles?owner=#{owner}"
-        # Chef Automate
-        else
-          url = "#{config["server"]}/profiles/#{owner}"
-        end
-
+        url = "#{config["server"]}/compliance/profiles?owner=#{owner}"
         headers = get_headers(config)
-        if is_automate2_server?(config)
-          res = InspecPlugins::Compliance::HTTP.post_multipart_file(url, headers, archive_path, config["insecure"])
-        else
-          res = InspecPlugins::Compliance::HTTP.post_file(url, headers, archive_path, config["insecure"])
-        end
-
+        res = InspecPlugins::Compliance::HTTP.post_multipart_file(url, headers, archive_path, config["insecure"])
         [res.is_a?(Net::HTTPSuccess), res.body]
       end
 
@@ -210,16 +169,12 @@ module InspecPlugins
 
       def self.get_headers(config)
         token = get_token(config)
-        if is_automate_server?(config) || is_automate2_server?(config)
-          headers = { "chef-delivery-enterprise" => config["automate"]["ent"] }
-          if config["automate"]["token_type"] == "dctoken"
-            headers["x-data-collector-token"] = token
-          else
-            headers["chef-delivery-user"] = config["user"]
-            headers["chef-delivery-token"] = token
-          end
+        headers = { "chef-delivery-enterprise" => config["automate"]["ent"] }
+        if config["automate"]["token_type"] == "dctoken"
+          headers["x-data-collector-token"] = token
         else
-          headers = { "Authorization" => "Bearer #{token}" }
+          headers["chef-delivery-user"] = config["user"]
+          headers["chef-delivery-token"] = token
         end
         headers
       end
@@ -232,16 +187,7 @@ module InspecPlugins
       end
 
       def self.target_url(config, profile)
-        owner, id, ver = profile_split(profile)
-
-        return "#{config["server"]}/compliance/profiles/tar" if is_automate2_server?(config)
-        return "#{config["server"]}/owners/#{owner}/compliance/#{id}/tar" unless is_automate_server?(config)
-
-        if ver.nil?
-          "#{config["server"]}/profiles/#{owner}/#{id}/tar"
-        else
-          "#{config["server"]}/profiles/#{owner}/#{id}/version/#{ver}/tar"
-        end
+        "#{config["server"]}/compliance/profiles/tar"
       end
 
       def self.profile_split(profile)
@@ -260,33 +206,6 @@ module InspecPlugins
         uri.to_s.sub(%r{^compliance:\/\/}, "")
       end
 
-      def self.is_compliance_server?(config)
-        config["server_type"] == "compliance"
-      end
-
-      def self.is_automate_server_pre_080?(config)
-        # Automate versions before 0.8.x do not have a valid version in the config
-        return false unless config["server_type"] == "automate"
-
-        server_version_from_config(config).nil?
-      end
-
-      def self.is_automate_server_080_and_later?(config)
-        # Automate versions 0.8.x and later will have a "version" key in the config
-        # that is properly parsed out via server_version_from_config below
-        return false unless config["server_type"] == "automate"
-
-        !server_version_from_config(config).nil?
-      end
-
-      def self.is_automate2_server?(config)
-        config["server_type"] == "automate2"
-      end
-
-      def self.is_automate_server?(config)
-        config["server_type"] == "automate"
-      end
-
       def self.server_version_from_config(config)
         # Automate versions 0.8.x and later will have a "version" key in the config
         # that looks like: "version":{"api":"compliance","version":"0.8.24"}
@@ -296,87 +215,8 @@ module InspecPlugins
         config["version"]["version"]
       end
 
-      def self.determine_server_type(url, insecure)
-        if target_is_automate2_server?(url, insecure)
-          :automate2
-        elsif target_is_automate_server?(url, insecure)
-          :automate
-        elsif target_is_compliance_server?(url, insecure)
-          :compliance
-        else
-          Inspec::Log.debug("Could not determine server type using known endpoints")
-          nil
-        end
-      end
-
-      def self.target_is_automate2_server?(url, insecure)
-        automate_endpoint = "/dex/auth"
-        response = InspecPlugins::Compliance::HTTP.get(url + automate_endpoint, nil, insecure)
-        if response.code == "400"
-          Inspec::Log.debug(
-            "Received 400 from #{url}#{automate_endpoint} - " \
-            "assuming target is a #{AUTOMATE_PRODUCT_NAME}2 instance"
-          )
-          true
-        else
-          Inspec::Log.debug(
-            "Received #{response.code} from #{url}#{automate_endpoint} - " \
-            "assuming target is not an #{AUTOMATE_PRODUCT_NAME}2 instance"
-          )
-          false
-        end
-      end
-
-      def self.target_is_automate_server?(url, insecure)
-        automate_endpoint = "/compliance/version"
-        response = InspecPlugins::Compliance::HTTP.get(url + automate_endpoint, nil, insecure)
-        case response.code
-        when "401"
-          Inspec::Log.debug(
-            "Received 401 from #{url}#{automate_endpoint} - " \
-            "assuming target is a #{AUTOMATE_PRODUCT_NAME} instance"
-          )
-          true
-        when "200"
-          # Chef Automate currently returns 401 for `/compliance/version` but some
-          # versions of OpsWorks Chef Automate return 200 and a Chef Manage page
-          # when unauthenticated requests are received.
-          if response.body.include?("Are You Looking For the #{SERVER_PRODUCT_NAME}?")
-            Inspec::Log.debug(
-              "Received 200 from #{url}#{automate_endpoint} - " \
-              "assuming target is an #{AUTOMATE_PRODUCT_NAME} instance"
-            )
-            true
-          else
-            Inspec::Log.debug(
-              "Received 200 from #{url}#{automate_endpoint} " \
-              "but did not receive the Chef Manage page - " \
-              "assuming target is not a #{AUTOMATE_PRODUCT_NAME} instance"
-            )
-            false
-          end
-        else
-          Inspec::Log.debug(
-            "Received unexpected status code #{response.code} " \
-            "from #{url}#{automate_endpoint} - " \
-            "assuming target is not a #{AUTOMATE_PRODUCT_NAME} instance"
-          )
-          false
-        end
-      end
-
-      def self.target_is_compliance_server?(url, insecure)
-        # All versions of Chef Compliance return 200 for `/api/version`
-        compliance_endpoint = "/api/version"
-
-        response = InspecPlugins::Compliance::HTTP.get(url + compliance_endpoint, nil, insecure)
-        return false unless response.code == "200"
-
-        Inspec::Log.debug(
-          "Received 200 from #{url}#{compliance_endpoint} - " \
-          "assuming target is a #{AUTOMATE_PRODUCT_NAME} server"
-        )
-        true
+      def self.is_automate2_server?(config)
+        config["server_type"] == "automate2"
       end
     end
   end