inspec-core 4.38.9 → 4.49.0

data/lib/inspec/resources/opa_cli.rb

@@ -0,0 +1,43 @@
+require "inspec/resources/opa"
+
+module Inspec::Resources
+  class OpaCli < Opa
+    name "opa_cli"
+    supports platform: "unix"
+    supports platform: "windows"
+
+    def initialize(opts = {})
+      @opa_executable_path = opts[:opa_executable_path] || "opa" # if this path is not provided then we will assume that it's been set in the ENV PATH
+      @policy = opts[:policy] || nil
+      @data = opts[:data] || nil
+      @query = opts[:query] || nil
+      if (@policy.nil? || @policy.empty?) || (@data.nil? || @data.empty?) || (@query.nil? || @query.empty?)
+        fail_resource "OPA policy, data and query are mandatory."
+      end
+      @content = load_result
+      super(@content)
+    end
+
+    def allow
+      @content["result"][0]["expressions"][0]["value"] if @content["result"][0]["expressions"][0]["text"].include?("allow")
+    end
+
+    def to_s
+      "OPA cli"
+    end
+
+    private
+
+    def load_result
+      raise Inspec::Exceptions::ResourceFailed, "#{resource_exception_message}" if resource_failed?
+
+      result = inspec.command("#{@opa_executable_path} eval -i '#{@data}' -d '#{@policy}' '#{@query}'")
+      if result.exit_status == 0
+        result.stdout.gsub("\n", "")
+      else
+        error = result.stdout + "\n" + result.stderr
+        raise Inspec::Exceptions::ResourceFailed, "Error while executing OPA query: #{error}"
+      end
+    end
+  end
+end

data/lib/inspec/resources/oracle.rb

@@ -0,0 +1,66 @@
+require "inspec/resources/powershell"
+
+module Inspec::Resources
+  class Oracle < Inspec.resource(1)
+    name "oracle"
+    supports platform: "unix"
+    supports platform: "windows"
+
+    desc "The 'oracle' resource is a helper for the 'oracledb_listener_conf'"
+
+    attr_reader :conf_path
+
+    def initialize
+      case inspec.os[:family]
+      when "debian", "redhat", "linux", "suse"
+        determine_conf_dir_and_path_in_linux
+      when "windows"
+        determine_conf_dir_and_path_in_windows
+      end
+    end
+
+    def to_s
+      "OracleDB"
+    end
+
+    private
+
+    def determine_conf_dir_and_path_in_linux
+      oracle_home = inspec.os_env("ORACLE_HOME").content
+
+      if oracle_home.nil? || oracle_home.empty?
+        warn "$ORACLE_HOME env value not set in the system"
+        nil
+      else
+        conf_path = "#{oracle_home}/network/admin/listener.ora"
+        if !inspec.file(conf_path).exist?
+          warn "No oracle listener settings found in $ORACLE_HOME/network/admin directory"
+          nil
+        else
+          @conf_path = conf_path
+        end
+      end
+    rescue => e
+      fail_resource "Errors reading listener settings: #{e}"
+    end
+
+    def determine_conf_dir_and_path_in_windows
+      oracle_home = inspec.os_env("ORACLE_HOME").content
+
+      if oracle_home.nil? || oracle_home.empty?
+        warn "ORACLE_HOME env value not set in the system"
+        nil
+      else
+        conf_path = "#{oracle_home}\\network\\admin\\listener.ora"
+        if !inspec.file(conf_path).exist?
+          warn "No oracle listener settings found in ORACLE_HOME\\network\\admin directory"
+          nil
+        else
+          @conf_path = conf_path
+        end
+      end
+    rescue => e
+      fail_resource "Errors reading listener settings: #{e}"
+    end
+  end
+end

data/lib/inspec/resources/oracledb_conf.rb

@@ -0,0 +1,40 @@
+require "inspec/resources/oracledb_session"
+
+module Inspec::Resources
+  class OracledbConf < Inspec.resource(1)
+    name "oracledb_conf"
+    supports platform: "unix"
+    supports platform: "windows"
+    desc "Use the oracledb_conf InSpec audit resource to test the database settings for Oracle DB"
+    example <<~EXAMPLE
+      describe oracledb_conf(user: 'USER', password: 'PASSWORD') do
+        its("audit_sys_operations") { should cmp "true" }
+        its("sql92_security") { should cmp "true" }
+      end
+    EXAMPLE
+
+    attr_reader :oracledb_session
+
+    def initialize(opts = {})
+      @oracledb_session = inspec.oracledb_session(opts)
+    end
+
+    def method_missing(name)
+      setting = name.to_s.upcase
+      determine_database_setting(setting)
+    end
+
+    def to_s
+      "Oracle DB Configuration"
+    end
+
+    private
+
+    def determine_database_setting(setting)
+      sql_query = oracledb_session.query("SELECT UPPER(VALUE) AS UPPER_VALUE FROM V$SYSTEM_PARAMETER WHERE UPPER(NAME) = '#{setting}'")
+      sql_query.row(0).column("UPPER_VALUE").value
+    rescue => e
+      raise Inspec::Exceptions::ResourceFailed, "Errors fetching database settings for Oracle database: #{e}"
+    end
+  end
+end

data/lib/inspec/resources/oracledb_listener_conf.rb

@@ -0,0 +1,123 @@
+require "inspec/utils/object_traversal"
+require "inspec/utils/simpleconfig"
+require "inspec/utils/find_files"
+require "inspec/utils/file_reader"
+require "inspec/resources/oracle"
+
+module Inspec::Resources
+  class OracledbListenerConf < Inspec.resource(1)
+    name "oracledb_listener_conf"
+    supports platform: "unix"
+    supports platform: "windows"
+    desc "Use the oracledb_listener_conf InSpec audit resource to test the listener settings for Oracle DB"
+    example <<~EXAMPLE
+      describe oracledb_listener_conf do
+        its('DEFAULT_SERVICE_LISTENER') { should eq 'XE' }
+      end
+    EXAMPLE
+
+    include FindFiles
+    include FileReader
+    include ObjectTraverser
+
+    def initialize(conf_path = nil)
+      oracle = nil
+      if conf_path.nil?
+        oracle = inspec.oracle
+        @conf_path = oracle.conf_path
+      else
+        @conf_path = conf_path
+      end
+
+      if oracle && oracle.resource_failed?
+        raise oracle.resource_exception_message
+      elsif @conf_path.nil?
+        return skip_resource "Oracle Listener conf path is not set"
+      end
+
+      @conf_dir = File.expand_path(File.dirname(@conf_path))
+      @files_contents = {}
+      @content = nil
+      @params = nil
+      read_content
+    end
+
+    def content
+      @content ||= read_content
+    end
+
+    def params(*opts)
+      @params || read_content
+      res = @params
+      opts.each do |opt|
+        res = res[opt] unless res.nil?
+      end
+      res
+    end
+
+    def value(key)
+      extract_value(key, @params)
+    end
+
+    def method_missing(*keys)
+      keys.shift if keys.is_a?(Array) && keys[0] == :[]
+      param = value(keys)
+      return nil if param.nil?
+      # extract first value if we have only one value in array
+      return param[0] if param.length == 1
+
+      param
+    end
+
+    def to_s
+      "Oracle Listener Configuration"
+    end
+
+    private
+
+    def read_content
+      @content = ""
+      @params = {}
+
+      to_read = [@conf_path]
+      until to_read.empty?
+        base_dir = File.dirname(to_read[0])
+        raw_conf = read_file(to_read[0])
+        @content += raw_conf
+
+        opts = {
+          assignment_regex: /^\s*([^=]*?)\s*=\s*[']?\s*(.*?)\s*[']?\s*$/,
+        }
+        params = SimpleConfig.new(raw_conf, opts).params
+        @params.merge!(params)
+
+        to_read = to_read.drop(1)
+        # see if there is more config files to include
+
+        to_read += include_files(params, base_dir).find_all do |fp|
+          not @files_contents.key? fp
+        end
+      end
+      @content
+    end
+
+    def include_files(params, base_dir)
+      include_files = Array(params["include"]) || []
+      include_files += Array(params["include_if_exists"]) || []
+      include_files.map! do |f|
+        Pathname.new(f).absolute? ? f : File.join(base_dir, f)
+      end
+
+      dirs = Array(params["include_dir"]) || []
+      dirs.each do |dir|
+        dir = File.join(base_dir, dir) if dir[0] != "/"
+        include_files += find_files(dir, depth: 1, type: "file")
+      end
+      include_files
+    end
+
+    def read_file(path)
+      @files_contents[path] ||= read_file_content(path)
+    end
+  end
+end

data/lib/inspec/resources/oracledb_session.rb

@@ -42,6 +42,7 @@ module Inspec::Resources
     end
 
     def query(sql)
+      raise Inspec::Exceptions::ResourceSkipped, "#{resource_exception_message}" if resource_skipped?
       raise Inspec::Exceptions::ResourceFailed, "#{resource_exception_message}" if resource_failed?
 
       if @sqlcl_bin && inspec.command(@sqlcl_bin).exist?
@@ -78,7 +79,14 @@ module Inspec::Resources
     # using a db_role
     # su, using a db_role
     def command_builder(format_options, query)
-      verified_query = verify_query(query)
+      if @db_role.nil? || @su_user.nil?
+        verified_query = verify_query(query)
+      else
+        escaped_query = query.gsub(/\\\\/, "\\").gsub(/"/, '\\"')
+        escaped_query = escaped_query.gsub("$", '\\$') unless escaped_query.include? "\\$"
+        verified_query = verify_query(escaped_query)
+      end
+
       sql_prefix, sql_postfix = "", ""
       if inspec.os.windows?
         sql_prefix = %{@'\n#{format_options}\n#{verified_query}\nEXIT\n'@ | }
@@ -87,11 +95,14 @@ module Inspec::Resources
       end
 
       if @db_role.nil?
-        "#{sql_prefix}#{bin} #{user}/#{password}@#{host}:#{port}/#{@service}#{sql_postfix}"
+        %{#{sql_prefix}#{bin} #{user}/#{password}@#{host}:#{port}/#{@service}#{sql_postfix}}
       elsif @su_user.nil?
-        "#{sql_prefix}#{bin} #{user}/#{password}@#{host}:#{port}/#{@service} as #{@db_role}#{sql_postfix}"
+        %{#{sql_prefix}#{bin} #{user}/#{password}@#{host}:#{port}/#{@service} as #{@db_role}#{sql_postfix}}
       else
-        "su - #{@su_user} -c env ORACLE_SID=#{@service} #{@bin} / as #{@db_role}#{sql_postfix}"
+        # oracle_query_string is echoed to be able to extract the query output clearly
+        # su - su_user in certain versions of oracle returns a message
+        # Example of msg with query output: The Oracle base remains unchanged with value /oracle\n\nVALUE\n3\n
+        %{su - #{@su_user} -c "echo 'oracle_query_string'; env ORACLE_SID=#{@service} #{@bin} / as #{@db_role}#{sql_postfix}"}
       end
     end
 
@@ -101,9 +112,15 @@ module Inspec::Resources
     end
 
     def parse_csv_result(stdout)
-      output = stdout.sub(/\r/, "").strip
+      output = stdout.split("oracle_query_string")[-1]
+      # comma_query_sub replaces the csv delimiter "," in the output.
+      # Handles CSV parsing of data like this (DROP,3) etc
+      output = output.sub(/\r/, "").strip.gsub(",", "comma_query_sub")
       converter = ->(header) { header.downcase }
-      CSV.parse(output, headers: true, header_converters: converter).map { |row| Hashie::Mash.new(row.to_h) }
+      CSV.parse(output, headers: true, header_converters: converter).map do |row|
+        revised_row = row.entries.flatten.map { |entry| entry.gsub("comma_query_sub", ",") }
+        Hashie::Mash.new([revised_row].to_h)
+      end
     end
   end
 end

data/lib/inspec/resources/postgres_session.rb

@@ -40,14 +40,13 @@ module Inspec::Resources
       end
     EXAMPLE
 
-    def initialize(user, pass, host = nil, port = nil)
+    def initialize(user, pass, host = nil, port = nil, socket_path = nil)
       @user = user || "postgres"
       @pass = pass
       @host = host || "localhost"
       @port = port || 5432
+      @socket_path = socket_path
       raise Inspec::Exceptions::ResourceFailed, "Can't run PostgreSQL SQL checks without authentication." if @user.nil? || @pass.nil?
-
-      test_connection
     end
 
     def query(query, db = [])
@@ -65,20 +64,26 @@ module Inspec::Resources
 
     private
 
-    def test_connection
-      query("select now()\;")
-    end
-
     def escaped_query(query)
       Shellwords.escape(query)
     end
 
     def create_psql_cmd(query, db = [])
       dbs = db.map { |x| "#{x}" }.join(" ")
-      if inspec.os.windows?
-        "psql -d postgresql://#{@user}:#{@pass}@#{@host}:#{@port}/#{dbs} -A -t -w -c \"#{query}\""
+
+      if @socket_path && !inspec.os.windows?
+        # Socket path and empty host in the connection string establishes socket connection
+        # Socket connection only enabled for non-windows platforms
+        # Windows does not support unix domain sockets
+        "psql -d postgresql://#{@user}:#{@pass}@/#{dbs}?host=#{@socket_path} -A -t -w -c #{escaped_query(query)}"
       else
-        "psql -d postgresql://#{@user}:#{@pass}@#{@host}:#{@port}/#{dbs} -A -t -w -c #{escaped_query(query)}"
+        # Host in connection string establishes tcp/ip connection
+        if inspec.os.windows?
+          warn "Socket based connection not supported in windows, connecting using host" if @socket_path
+          "psql -d postgresql://#{@user}:#{@pass}@#{@host}:#{@port}/#{dbs} -A -t -w -c \"#{query}\""
+        else
+          "psql -d postgresql://#{@user}:#{@pass}@#{@host}:#{@port}/#{dbs} -A -t -w -c #{escaped_query(query)}"
+        end
       end
     end
   end

data/lib/inspec/resources/registry_key.rb

@@ -105,7 +105,7 @@ module Inspec::Resources
       children_keys(@options[:path], filter)
     end
 
-    # returns nil, if not existant or value
+    # returns nil, if not existent or value
     def method_missing(*keys)
       # allow the use of array syntax in an `its` block so that users
       # can use it to query for keys with . characters in them

data/lib/inspec/resources/security_identifier.rb

@@ -57,14 +57,14 @@ module Inspec::Resources
       @sids = {}
       case @type
       when :group
-        sid_data = wmi_results(:group)
+        sid_data = cim_results(:group)
       when :user
-        sid_data = wmi_results(:user)
+        sid_data = cim_results(:user)
       when :unspecified
         # try group first, then user
-        sid_data = wmi_results(:group)
+        sid_data = cim_results(:group)
         if sid_data.empty?
-          sid_data = wmi_results(:user)
+          sid_data = cim_results(:user)
         end
       else
         raise "Unhandled entity type '#{@type}'"
@@ -72,20 +72,14 @@ module Inspec::Resources
       sid_data.each { |sid| @sids[sid[1]] = sid[2] }
     end
 
-    def wmi_results(type)
-      query = "wmic "
+    def cim_results(type)
       case type
       when :group
-        query += "group"
+        cmd = "Get-CimInstance -ClassName Win32_Account | Select-Object -Property Domain, Name, SID | Where-Object { $_.Name -eq '#{@name}' -and { $_.SIDType -eq 4 -or $_.SIDType -eq 5 } } | ConvertTo-Csv -NoTypeInformation"
       when :user
-        query += "useraccount"
+        cmd = "Get-CimInstance -ClassName Win32_Account | Select-Object -Property Domain, Name, SID, SIDType | Where-Object { $_.Name -eq '#{@name}' -and $_.SIDType -eq 1 } | ConvertTo-Csv -NoTypeInformation"
       end
-      query += " where 'Name=\"#{@name}\"' get Name\",\"SID /format:csv"
-      # Example output:
-      #     inspec> command("wmic useraccount where 'Name=\"Administrator\"' get Name\",\"SID /format:csv").stdout
-      #     => "\r\n\r\nNode,Name,SID\r\n\r\nComputer1,Administrator,S-1-5-21-650485088-1194226989-968533923-500\r\n\r\n"
-      # Remove the \r characters, split on \n\n, ignore the CSV header row
-      inspec.command(query).stdout.strip.tr("\r", "").split("\n\n")[1..-1].map { |entry| entry.split(",") }
+      inspec.command(cmd).stdout.strip.gsub("\"", "").tr("\r", "").split("\n")[1..-1].map { |entry| entry.split(",") }
     end
   end
 end

data/lib/inspec/resources/security_policy.rb

@@ -147,7 +147,7 @@ module Inspec::Resources
 
     # extracts the values, this methods detects:
     # numbers and SIDs and optimizes them for further usage
-    def extract_value(val)
+    def extract_value(key, val)
       if val =~ /^\d+$/
         val.to_i
       # special handling for SID array
@@ -166,14 +166,15 @@ module Inspec::Resources
       elsif !(m = /^\"(.*)\"$/.match(val)).nil?
         m[1]
       else
-        val
+        # When there is Registry Values we are not spliting the value for backward compatibility
+        key.include?("\\") ? val : val.split(",")
       end
     end
 
     def convert_hash(hash)
       new_hash = {}
       hash.each do |k, v|
-        v.is_a?(Hash) ? value = convert_hash(v) : value = extract_value(v)
+        v.is_a?(Hash) ? value = convert_hash(v) : value = extract_value(k, v)
         new_hash[k.strip] = value
       end
       new_hash

data/lib/inspec/resources/service.rb

@@ -141,7 +141,7 @@ module Inspec::Resources
         elsif version > 0
           SysV.new(inspec, service_ctl || "/usr/sbin/service")
         end
-      when "redhat", "fedora", "centos", "oracle", "cloudlinux", "scientific"
+      when "redhat", "fedora", "centos", "oracle", "cloudlinux", "scientific", "rocky", "almalinux"
         version = os[:release].to_i
 
         systemd = ((platform != "fedora" && version >= 7) ||
@@ -152,6 +152,12 @@ module Inspec::Resources
         else
           SysV.new(inspec, service_ctl || "/sbin/service")
         end
+      when "alibaba"
+        if os[:release].to_i >= 3
+          Systemd.new(inspec, service_ctl)
+        else
+          SysV.new(inspec, service_ctl || "/sbin/service")
+        end
       when "wrlinux"
         SysV.new(inspec, service_ctl)
       when "mac_os_x", "darwin"

data/lib/inspec/resources/sybase_conf.rb

@@ -0,0 +1,37 @@
+require "inspec/resources/sybase_session"
+
+module Inspec::Resources
+  class SybaseConf < Inspec.resource(1)
+    name "sybase_conf"
+    supports platform: "unix"
+    # supports platform: "windows" # TODO
+    desc "Use the sybase_conf InSpec resource to test Sybase config settings"
+    example <<~EXAMPLE
+      describe sybase_conf("max memory", password: 'password', server: 'SYBASE') do
+        its("run_value") { should cmp 180224 }
+      end
+    EXAMPLE
+
+    attr_reader :conf_param, :sql_query
+    def initialize(conf_param_name, opts = {})
+      @conf_param = conf_param_name
+      opts[:username] ||= "sa"
+      opts[:database] ||= "master"
+      sql_session = inspec.sybase_session(opts)
+      @sql_query = sql_session.query("sp_configure \"#{conf_param}\"")
+    end
+
+    def run_value
+      sql_query.row(0).column("Run Value").value
+    end
+
+    def config_value
+      sql_query.row(0).column("Config Value").value
+    end
+
+    def to_s
+      "Sybase Conf #{conf_param}"
+    end
+
+  end
+end

data/lib/inspec/resources/sybase_session.rb

@@ -0,0 +1,111 @@
+require "inspec/resources/command"
+require "inspec/utils/database_helpers"
+require "hashie/mash"
+require "csv" unless defined?(CSV)
+require "tempfile" unless defined?(Tempfile)
+
+module Inspec::Resources
+  # STABILITY: Experimental
+  # This resource needs further testing and refinement
+  #
+  class SybaseSession < Inspec.resource(1)
+    name "sybase_session"
+    supports platform: "unix"
+    # supports platform: "windows" # TODO
+    desc "Use the sybase_session InSpec resource to test commands against an Sybase database"
+    example <<~EXAMPLE
+      sql = sybase_session(username: 'my_user', password: 'password', server: 'SYBASE', database: 'pubs2')
+      describe sql.query(\"SELECT * FROM authors\").row(0).column('au_lname') do
+        its('value') { should eq 'Smith' }
+      end
+    EXAMPLE
+
+    # TODO: allow to set -I interfaces file
+    # TODO: allow to customize -s column separator
+    attr_reader :bin, :col_sep, :database, :password, :server, :sybase_home, :username
+
+    def initialize(opts = {})
+      @username = opts[:username]
+      @password = opts[:password]
+      @database = opts[:database]
+      @server = opts[:server]
+      @sybase_home = opts[:sybase_home] || "/opt/sap"
+      @bin = opts[:bin] || "isql"
+      @col_sep = "|"
+
+      fail_resource "Can't run Sybase checks without authentication" unless username && password
+      fail_resource "You must provide a server name for the session" unless server
+      fail_resource "You must provide a database name for the session" unless database
+      fail_resource "Cannot find #{bin} CLI tool" unless inspec.command(bin).exist?
+    end
+
+    def query(sql)
+      # We must write the SQl to a temp file on the remote target
+      # try to get a temp path
+      sql_file_path = upload_sql_file(sql)
+
+      # isql reuires that we have a matching locale set, but does not support C.UTF-8. en_US.UTF-8 is the least evil.
+      command = "LANG=en_US.UTF-8 SYBASE=#{sybase_home} #{bin} -s\"#{col_sep}\" -w80000 -S #{server} -U #{username} -D #{database} -P \"#{password}\" < #{sql_file_path}"
+      isql_cmd = inspec.command(command)
+
+      # Check for isql errors
+      res = isql_cmd.exit_status
+      raise Inspec::Exceptions::ResourceFailed.new("isql exited with code #{res} and stderr '#{isql_cmd.stderr}', stdout '#{isql_cmd.stdout}'") unless res == 0
+      # isql is ill-behaved, and returns 0 on error
+      raise Inspec::Exceptions::ResourceFailed.new("isql exited with error '#{isql_cmd.stderr}', stdout '#{isql_cmd.stdout}'") unless isql_cmd.stderr == ""
+      # check stdout for error messages when stderr is empty "Msg 102, Level 15, State 181:\nServer 'SYBASE', Line 1:\nIncorrect syntax near '.'.\n"
+      raise Inspec::Exceptions::ResourceFailed.new("isql exited with error #{isql_cmd.stdout}") if isql_cmd.stdout.match?(/Msg\s\d+,\sLevel\s\d+,\sState\s\d+/)
+
+      # Clean up temporary file
+      rm_cmd = inspec.command("rm #{sql_file_path}")
+      res = rm_cmd.exit_status # TODO: handle
+      raise Inspec::Exceptions::ResourceFailed.new("Unable to delete temproary SQL input file at #{sql_file_path}: #{rm_cmd.stderr}") unless res == 0
+
+      DatabaseHelper::SQLQueryResult.new(isql_cmd, parse_csv_result(isql_cmd.stdout))
+    end
+
+    def to_s
+      "Sybase Session"
+    end
+
+    private
+
+    def parse_csv_result(stdout)
+      output = stdout.gsub(/\r/, "").strip
+      lines = output.lines
+      # Remove second row (all dashes) and last 2 rows (blank and summary lines)
+      trimmed_output = ([lines[0]] << lines.slice(2..-3)).join("")
+      header_converter = Proc.new do |header|
+        # This is here to suppress a warning from Hashie::Mash when it encounters a
+        # header column that ends up with the name "default", which happens when using the
+        # sybase_conf resource. It does mean that aly query whose output field includes the name
+        # Default (exactly) will get renamed to default_value, but that seems unlikely.
+        if header.match?(/^Default\s+$/)
+          "default_value"
+        else
+          header.downcase.strip
+        end
+      end
+      field_converter = ->(field) { field&.strip }
+      CSV.parse(trimmed_output, headers: true, header_converters: header_converter, converters: field_converter, col_sep: col_sep).map { |row| Hashie::Mash.new(row.to_h) }
+    end
+
+    def upload_sql_file(sql)
+      remote_temp_dir = "/tmp"
+      remote_file_path = nil
+      local_temp_file = Tempfile.new(["sybase", ".sql"])
+      begin
+        local_temp_file.write("#{sql}\n")
+        local_temp_file.write("go\n")
+        local_temp_file.flush
+        filename = File.basename(local_temp_file.path)
+        remote_file_path = "#{remote_temp_dir}/#{filename}"
+        inspec.backend.upload([local_temp_file.path], remote_temp_dir)
+      ensure
+        local_temp_file.close
+        local_temp_file.unlink
+      end
+      remote_file_path
+    end
+  end
+end

data/lib/inspec/resources/users.rb

@@ -204,7 +204,9 @@ module Inspec::Resources
     alias group groupname
 
     def groups
-      identity[:groups] unless identity.nil?
+      unless identity.nil?
+        inspec.os.windows? ? UserGroups.new(identity[:groups]) : identity[:groups]
+      end
     end
 
     def home
@@ -314,6 +316,18 @@ module Inspec::Resources
     end
   end
 
+  # Class defined to compare for groups without case-sensitivity
+  class UserGroups < Array
+    def initialize(user_groups)
+      @user_groups = user_groups
+      super
+    end
+
+    def include?(group)
+      !(@user_groups.select { |user_group| user_group.casecmp?(group) }.empty?)
+    end
+  end
+
   # This is an abstract class that every user provoider has to implement.
   # A user provider implements a system abstracts and helps the InSpec resource
   # hand-over system specific behavior to those providers
@@ -622,7 +636,7 @@ module Inspec::Resources
       name, _domain = parse_windows_account(username)
       return if collect_user_details.nil?
 
-      res = collect_user_details.select { |user| user[:username] == name }
+      res = collect_user_details.select { |user| user[:username].casecmp? name }
       res[0] unless res.empty?
     end