inspec-core 4.41.20 → 4.52.9

data/lib/inspec/resources/cassandradb_session.rb

@@ -0,0 +1,68 @@
+module Inspec::Resources
+  class Lines
+    attr_reader :output
+
+    def initialize(raw, desc)
+      @output = raw
+      @desc = desc
+    end
+
+    def to_s
+      @desc
+    end
+  end
+
+  class CassandradbSession < Inspec.resource(1)
+    name "cassandradb_session"
+    supports platform: "unix"
+    supports platform: "windows"
+    desc "Use the cassandradb_session InSpec resource to test commands against an Cassandra database"
+    example <<~EXAMPLE
+      cql = cassandradb_session(user: 'my_user', password: 'password', host: 'host', port: 'port')
+      describe cql.query("SELECT cluster_name FROM system.local") do
+        its('output') { should match /Test Cluster/ }
+      end
+    EXAMPLE
+
+    attr_reader :user, :password, :host, :port
+
+    def initialize(opts = {})
+      @user = opts[:user] || "cassandra"
+      @password = opts[:password] || "cassandra"
+      @host = opts[:host]
+      @port = opts[:port]
+    end
+
+    def query(q)
+      cassandra_cmd = create_cassandra_cmd(q)
+      cmd = inspec.command(cassandra_cmd)
+      out = cmd.stdout + "\n" + cmd.stderr
+      if cmd.exit_status != 0 || out =~ /Unable to connect to any servers/ || out.downcase =~ /^error:.*/
+        raise Inspec::Exceptions::ResourceFailed, "Cassandra query with errors: #{out}"
+      else
+        Lines.new(cmd.stdout.strip, "Cassandra query: #{q}")
+      end
+    end
+
+    def to_s
+      "Cassandra DB Session"
+    end
+
+    private
+
+    def create_cassandra_cmd(q)
+      # TODO: simple escape, must be handled by a library
+      # that does this securely
+      escaped_query = q.gsub(/\\/, "\\\\").gsub(/"/, '\\"').gsub(/\$/, '\\$')
+
+      # construct the query
+      command = "cqlsh"
+      command += " #{@host}" unless @host.nil?
+      command += " #{@port}" unless @port.nil?
+      command += " -u #{@user}"
+      command += " -p #{@password}"
+      command += " --execute '#{escaped_query}'"
+      command
+    end
+  end
+end

data/lib/inspec/resources/chrony_conf.rb

@@ -0,0 +1,55 @@
+# chrony_conf
+
+require "inspec/utils/simpleconfig"
+require "inspec/utils/file_reader"
+
+module Inspec::Resources
+  class ChronyConf < Inspec.resource(1)
+    name "chrony_conf"
+    supports platform: "unix"
+    desc "Use the chrony_conf InSpec audit resource to test the synchronization settings defined in the chrony.conf file. This file is typically located at /etc/chrony.conf."
+    example <<~EXAMPLE
+      describe chrony_conf do
+        its('server') { should_not cmp nil }
+        its('restrict') { should include '-4 default kod notrap nomodify nopeer noquery' }
+        its('pool') { should include 'pool.ntp.org iburst' }
+        its('driftfile') { should cmp '/var/lib/ntp/drift' }
+        its('allow') { should cmp nil }
+        its('keyfile') { should cmp '/etc/chrony.keys' }
+      end
+    EXAMPLE
+
+    include FileReader
+
+    def initialize(path = nil)
+      @conf_path = path || "/etc/chrony.conf"
+      @content = read_file_content(@conf_path)
+    end
+
+    def method_missing(name)
+      param = read_params[name.to_s]
+      # extract first value if we have only one value in array
+      return param[0] if param.is_a?(Array) && (param.length == 1)
+
+      param
+    end
+
+    def to_s
+      "chrony.conf"
+    end
+
+    private
+
+    def read_params
+      return @params if defined?(@params)
+
+      # parse the file
+      conf = SimpleConfig.new(
+        @content,
+        assignment_regex: /^\s*(\S+)\s+(.*)\s*$/,
+        multiple_values: true
+      )
+      @params = conf.params
+    end
+  end
+end

data/lib/inspec/resources/csv.rb

@@ -11,14 +11,28 @@ module Inspec::Resources
       describe csv('example.csv') do
         its('name') { should eq(['John', 'Alice']) }
       end
+
+      describe csv('example.csv', false).params do
+        its[[0]] { should eq (['name', 'col1', 'col2']) }
+      emd
     EXAMPLE
 
+    def initialize(path, headers = true)
+      @headers = headers
+      super(path)
+    end
+
     # override the parse method from JsonConfig
     # Assuming a header row of name,col1,col2, it will output an array of hashes like so:
     #    [
     #      { 'name' => 'row1', 'col1' => 'value1', 'col2' => 'value2' },
     #      { 'name' => 'row2', 'col1' => 'value3', 'col2' => 'value4' }
     #    ]
+    # When headers is set to false it will return data as array of array
+    #    [
+    #      ['name', col1', 'col2'],
+    #      ['row2', 'value3', 'value4']
+    #    ]
     def parse(content)
       require "csv" unless defined?(CSV)
 
@@ -28,10 +42,14 @@ module Inspec::Resources
       end
 
       # implicit conversion of values
-      csv = CSV.new(content, headers: true, converters: %i{all blank_to_nil})
+      csv = CSV.new(content, headers: @headers, converters: %i{all blank_to_nil})
 
       # convert to hash
-      csv.to_a.map(&:to_hash)
+      if @headers
+        csv.to_a.map(&:to_hash)
+      else
+        csv.to_a
+      end
     rescue => e
       raise Inspec::Exceptions::ResourceFailed, "Unable to parse CSV: #{e.message}"
     end
@@ -42,7 +60,12 @@ module Inspec::Resources
     # #value method from JsonConfig (which uses ObjectTraverser.extract_value)
     # doesn't make sense here.
     def value(key)
-      @params.map { |x| x[key.first.to_s] }.compact
+      if @headers
+        @params.map { |x| x[key.first.to_s] }.compact
+      else
+        # when headers is set to false send the array as it is.
+        @params
+      end
     end
 
     private

data/lib/inspec/resources/groups.rb

@@ -22,6 +22,18 @@ module Inspec::Resources
     end
   end
 
+  # Class defined to check for members without case-sensitivity
+  class Members < Array
+    def initialize(group_members)
+      @group_members = group_members
+      super
+    end
+
+    def include?(user)
+      !(@group_members.select { |group_member| group_member.casecmp?(user) }.empty?)
+    end
+  end
+
   class Groups < Inspec.resource(1)
     include GroupManagementSelector
 
@@ -82,6 +94,7 @@ module Inspec::Resources
   #   its('gid') { should eq 0 }
   # end
   #
+
   class Group < Inspec.resource(1)
     include GroupManagementSelector
 
@@ -118,11 +131,13 @@ module Inspec::Resources
     end
 
     def members
-      flatten_entry(group_info, "members") || empty_value_for_members
+      members_list = flatten_entry(group_info, "members") || empty_value_for_members
+      inspec.os.windows? ? Members.new(members_list) : members_list
     end
 
     def members_array
-      flatten_entry(group_info, "members_array") || []
+      members_list = flatten_entry(group_info, "members_array") || []
+      inspec.os.windows? ? Members.new(members_list) : members_list
     end
 
     def local
@@ -150,7 +165,11 @@ module Inspec::Resources
     def group_info
       # we need a local copy for the block
       group = @group.dup
-      @groups_cache ||= inspec.groups.where { name == group }
+      if inspec.os.windows?
+        @groups_cache ||= inspec.groups.where { name.casecmp?(group) }
+      else
+        @groups_cache ||= inspec.groups.where { name == group }
+      end
     end
 
     def empty_value_for_members

data/lib/inspec/resources/http.rb

@@ -11,6 +11,7 @@ module Inspec::Resources
   class Http < Inspec.resource(1)
     name "http"
     supports platform: "unix"
+    supports platform: "windows"
     desc "Use the http InSpec audit resource to test http call."
     example <<~EXAMPLE
       describe http('http://localhost:8080/ping', auth: {user: 'user', pass: 'test'}, params: {format: 'html'}) do
@@ -104,6 +105,7 @@ module Inspec::Resources
           opts[:data]
         end
 
+        # not supported on Windows
         def open_timeout
           opts.fetch(:open_timeout, 60)
         end
@@ -117,7 +119,11 @@ module Inspec::Resources
         end
 
         def max_redirects
-          opts.fetch(:max_redirects, 0)
+          opts.fetch(:max_redirects, nil)
+        end
+
+        def proxy
+          opts.fetch(:proxy, nil)
         end
       end
 
@@ -139,12 +145,18 @@ module Inspec::Resources
         def response
           return @response if @response
 
+          Faraday.ignore_env_proxy = true if proxy == "disable"
+
           conn = Faraday.new(url: url, headers: request_headers, params: params, ssl: { verify: ssl_verify? }) do |builder|
             builder.request :url_encoded
-            builder.use FaradayMiddleware::FollowRedirects, limit: max_redirects if max_redirects > 0
+            builder.use FaradayMiddleware::FollowRedirects, limit: max_redirects unless max_redirects.nil?
             builder.adapter Faraday.default_adapter
           end
 
+          unless proxy == "disable" || proxy.nil?
+            conn.proxy = proxy
+          end
+
           # set basic authentication
           conn.basic_auth username, password unless username.nil? || password.nil?
 
@@ -162,98 +174,167 @@ module Inspec::Resources
         attr_reader :inspec
 
         def initialize(inspec, http_method, url, opts)
-          unless inspec.command("curl").exist?
+          http_cmd = inspec.os.windows? ? "Invoke-WebRequest" : "curl"
+          unless inspec.command(http_cmd).exist?
             raise Inspec::Exceptions::ResourceSkipped,
-                  "curl is not available on the target machine"
+                  "#{http_cmd} is not available on the target machine"
           end
-
-          @ran_curl = false
+          @ran_http = false
           @inspec = inspec
           super(http_method, url, opts)
         end
 
         def status
-          run_curl
+          run_http
           @status
         end
 
         def body
-          run_curl
+          run_http
           @body&.strip
         end
 
         def response_headers
-          run_curl
+          run_http
           @response_headers
         end
 
         private
 
-        def run_curl
-          return if @ran_curl
+        def run_http
+          return if @ran_http
 
-          cmd_result = inspec.command(curl_command)
+          cmd_result = inspec.command(http_command)
           response = cmd_result.stdout
-          @ran_curl = true
+          @ran_http = true
           return if response.nil? || cmd_result.exit_status != 0
 
-          # strip any carriage returns to normalize output
-          response.delete!("\r")
+          if inspec.os.windows?
+            response = JSON.parse(response)
 
-          # split the prelude (status line and headers) and the body
-          prelude, remainder = response.split("\n\n", 2)
-          loop do
-            break unless remainder =~ %r{^HTTP/}
+            @status = response["StatusCode"]
+            @body = response["Content"]
 
-            prelude, remainder = remainder.split("\n\n", 2)
-          end
-          @body = remainder
-          prelude = prelude.lines
-
-          # grab the status off of the first line of the prelude
-          status_line = prelude.shift
-          @status = status_line.split(" ", 3)[1].to_i
-
-          # parse the rest of the prelude which will be all the HTTP headers
-          @response_headers = {}
-          prelude.each do |line|
-            line.strip!
-            key, value = line.split(":", 2)
-            @response_headers[key] = value.strip
+            @response_headers = {}
+            response["Headers"].each do |name, value|
+              @response_headers["#{name}"] = value
+            end
+          else
+            # strip any carriage returns to normalize output
+            response.delete!("\r")
+
+            # split the prelude (status line and headers) and the body
+            prelude, remainder = response.split("\n\n", 2)
+            loop do
+              break unless remainder =~ %r{^HTTP/}
+
+              prelude, remainder = remainder.split("\n\n", 2)
+            end
+            @body = remainder
+            prelude = prelude.lines
+
+            # grab the status off of the first line of the prelude
+            status_line = prelude.shift
+            @status = status_line.split(" ", 3)[1].to_i
+
+            # parse the rest of the prelude which will be all the HTTP headers
+            @response_headers = {}
+            prelude.each do |line|
+              line.strip!
+              key, value = line.split(":", 2)
+              @response_headers[key] = value.strip
+            end
           end
         end
 
-        def curl_command # rubocop:disable Metrics/AbcSize
-          cmd = ["curl -i"]
-
-          # Use curl's --head option when the method requested is HEAD. Otherwise,
-          # the user may experience a timeout when curl does not properly close
-          # the connection after the response is received.
-          if http_method.casecmp("HEAD") == 0
-            cmd << "--head"
+        def http_command # rubocop:disable Metrics/AbcSize
+          if inspec.os.windows?
+            load_powershell_command
           else
-            cmd << "-X #{http_method}"
+            cmd = ["curl -i"]
+
+            # Use curl's --head option when the method requested is HEAD. Otherwise,
+            # the user may experience a timeout when curl does not properly close
+            # the connection after the response is received.
+            if http_method.casecmp("HEAD") == 0
+              cmd << "--head"
+            else
+              cmd << "-X #{http_method}"
+            end
+
+            cmd << "--noproxy '*'" if proxy == "disable"
+            unless proxy == "disable" || proxy.nil?
+              if proxy.is_a?(Hash)
+                cmd << "--proxy #{proxy[:uri]} --proxy-user #{proxy[:user]}:#{proxy[:password]}"
+              else
+                cmd << "--proxy #{proxy}"
+              end
+            end
+            cmd << "--connect-timeout #{open_timeout}"
+            cmd << "--max-time #{open_timeout + read_timeout}"
+            cmd << "--user \'#{username}:#{password}\'" unless username.nil? || password.nil?
+            cmd << "--insecure" unless ssl_verify?
+            cmd << "--data #{Shellwords.shellescape(request_body)}" unless request_body.nil?
+            cmd << "--location" unless max_redirects.nil?
+            cmd << "--max-redirs #{max_redirects}" unless max_redirects.nil?
+
+            request_headers.each do |k, v|
+              cmd << "-H '#{k}: #{v}'"
+            end
+
+            if params.nil?
+              cmd << "'#{url}'"
+            else
+              cmd << "'#{url}?#{params.map { |e| e.join("=") }.join("&")}'"
+            end
+
+            cmd.join(" ")
           end
+        end
 
-          cmd << "--connect-timeout #{open_timeout}"
-          cmd << "--max-time #{open_timeout + read_timeout}"
-          cmd << "--user \'#{username}:#{password}\'" unless username.nil? || password.nil?
-          cmd << "--insecure" unless ssl_verify?
-          cmd << "--data #{Shellwords.shellescape(request_body)}" unless request_body.nil?
-          cmd << "--location" if max_redirects > 0
-          cmd << "--max-redirs #{max_redirects}" if max_redirects > 0
-
+        def load_powershell_command
+          cmd = ["Invoke-WebRequest"]
+          cmd << "-Method #{http_method}"
+          # Missing connect-timeout
+          cmd << "-TimeoutSec #{open_timeout + read_timeout}"
+          # Insecure not supported simply https://stackoverflow.com/questions/11696944/powershell-v3-invoke-webrequest-https-error
+          cmd << "-MaximumRedirection #{max_redirects}" unless max_redirects.nil?
+          request_headers["Authorization"] = """ '\"Basic ' + [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes(\"#{username}:#{password}\")) +'\"' """ unless username.nil? || password.nil?
+          request_header_string = nil
           request_headers.each do |k, v|
-            cmd << "-H '#{k}: #{v}'"
+            request_header_string << " #{k} = #{v}"
           end
-
+          cmd << "-Headers @{#{request_header_string.join(";")}}" unless request_header_string.nil?
           if params.nil?
             cmd << "'#{url}'"
           else
             cmd << "'#{url}?#{params.map { |e| e.join("=") }.join("&")}'"
           end
 
-          cmd.join(" ")
+          proxy_script = ""
+          unless proxy == "disable" || proxy.nil?
+            cmd << "-Proxy #{proxy[:uri]}"
+            cmd << "-ProxyCredential $proxyCreds"
+            proxy_script = <<-EOH
+              $secPasswd = ConvertTo-SecureString "#{proxy[:password]}" -AsPlainText -Force
+              $proxyCreds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{proxy[:user]}",$secPasswd
+            EOH
+          end
+
+          command = cmd.join(" ")
+          body = "\'#{request_body}\'"
+          script = <<-EOH
+            $body = #{body.strip unless request_body.nil?}
+            $Body = $body | ConvertFrom-Json
+            #convert to hashtable
+            $HashTable = @{}
+            foreach ($property in $Body.PSObject.Properties) {
+              $HashTable[$property.Name] = $property.Value
+            }
+            $response = #{command} -Body $HashTable -UseBasicParsing
+            $response | Select-Object -Property * | ConvertTo-json # We use `Select-Object -Property * ` to get around an odd PowerShell error
+          EOH
+          proxy_script.strip + "\n" + script.strip
         end
       end
     end

data/lib/inspec/resources/ibmdb2_conf.rb

@@ -0,0 +1,57 @@
+module Inspec::Resources
+  class Ibmdb2Conf < Inspec.resource(1)
+    name "ibmdb2_conf"
+
+    supports platform: "unix"
+    supports platform: "windows"
+
+    desc "Use the ibmdb2_conf InSpec audit resource to test the configuration values of IBM Db2 database."
+    example <<~EXAMPLE
+      describe ibmdb2_conf(db2_executable_file_path: "path_to_db2_binary", db_instance: "db2inst1") do
+        its("output") { should_not be_empty }
+        its("output") { should include("Audit buffer size (4KB) (AUDIT_BUF_SZ) = 0")}
+      end
+    EXAMPLE
+
+    attr_reader :output
+
+    def initialize(opts = {})
+      if inspec.os.platform?("unix")
+        @db2_executable_file_path = opts[:db2_executable_file_path]
+        @db_instance = opts[:db_instance]
+        raise Inspec::Exceptions::ResourceFailed, "Can't connect to IBM DB2 without db2_executable_file_path, db_instance options provided." if @db2_executable_file_path.nil? || @db_instance.nil?
+      end
+      @output = run_command
+    end
+
+    def to_s
+      "IBM Db2 Conf"
+    end
+
+    private
+
+    def run_command
+      # attach to the db2 instance and get the configuration
+      if inspec.os.platform?("unix")
+        cmd = inspec.command("#{@db2_executable_file_path} attach to #{@db_instance}\; #{@db2_executable_file_path} get database manager configuration")
+        out = cmd.stdout + "\n" + cmd.stderr
+
+        # check if following specific error is there. Sourcing the db2profile to resolve the error.
+        if cmd.exit_status != 0 && out =~ /SQL10007N Message "-1390" could not be retrieved.  Reason code: "3"/
+          cmd = inspec.command(". ~/sqllib/db2profile\; #{@db2_executable_file_path} attach to #{@db_instance}\; #{@db2_executable_file_path} get database manager configuration")
+          out = cmd.stdout + "\n" + cmd.stderr
+        end
+      elsif inspec.os.platform?("windows")
+        # set-item command set the powershell to run the db2 commands.
+        cmd = inspec.command("set-item -path env:DB2CLP -value \"**$$**\"\; db2 get database manager configuration")
+        out = cmd.stdout + "\n" + cmd.stderr
+      end
+
+      if cmd.exit_status != 0 || out =~ /Can't connect to IBM Db2 server/ || out.downcase =~ /^error:.*/
+        raise Inspec::Exceptions::ResourceFailed, "IBM Db2 query with error: #{out}"
+      else
+        cmd.stdout.gsub(/\n|\r/, ",").split(",").reject { |n| n.nil? || n.empty? }.map { |n| n.strip.gsub!(/\s+/, " ") }
+      end
+    end
+  end
+end

data/lib/inspec/resources/ibmdb2_session.rb

@@ -0,0 +1,69 @@
+module Inspec::Resources
+  class Lines
+    attr_reader :output
+
+    def initialize(raw, desc)
+      @output = raw
+      @desc = desc
+    end
+
+    def to_s
+      @desc
+    end
+  end
+
+  class Ibmdb2Session < Inspec.resource(1)
+    name "ibmdb2_session"
+
+    supports platform: "unix"
+    supports platform: "windows"
+
+    desc "Use the ibmdb2_session InSpec audit resource to test SQL commands run against a IBM Db2 database."
+    example <<~EXAMPLE
+      describe ibmdb2_session(db2_executable_file_path: "path_to_db2_binary", db_instance: "db2inst1", db_name: "sample").query('list database directory') do
+        its('output') { should_not match(/sample/) }
+      end
+    EXAMPLE
+
+    def initialize(opts = {})
+      @db_name = opts[:db_name]
+      if inspec.os.platform?("unix")
+        @db2_executable_file_path = opts[:db2_executable_file_path]
+        @db_instance = opts[:db_instance]
+        raise Inspec::Exceptions::ResourceFailed, "Can't run IBM DB2 queries without db2_executable_file_path, db_instance, db_name options provided." if @db2_executable_file_path.nil? || @db_instance.nil? || @db_name.nil?
+      elsif inspec.os.platform?("windows")
+        raise Inspec::Exceptions::ResourceFailed, "Can't run IBM DB2 queries without db_name option provided." if @db_name.nil?
+      end
+    end
+
+    def query(q)
+      raise Inspec::Exceptions::ResourceFailed, "#{resource_exception_message}" if resource_failed?
+
+      if inspec.os.platform?("unix")
+        # connect to the db and query on the database
+        cmd = inspec.command("#{@db2_executable_file_path} attach to #{@db_instance}\; #{@db2_executable_file_path} connect to #{@db_name}\; #{@db2_executable_file_path} #{q}\;")
+        out = cmd.stdout + "\n" + cmd.stderr
+
+        # check if following specific error is there. Sourcing the db2profile to resolve the error.
+        if cmd.exit_status != 0 && out =~ /SQL10007N Message "-1390" could not be retrieved.  Reason code: "3"/
+          cmd = inspec.command(". ~/sqllib/db2profile\; #{@db2_executable_file_path} attach to #{@db_instance}\; #{@db2_executable_file_path} connect to #{@db_name}\; #{@db2_executable_file_path} \"#{q}\"\;")
+          out = cmd.stdout + "\n" + cmd.stderr
+        end
+      elsif inspec.os.platform?("windows")
+        # set-item command set the powershell to run the db2 commands.
+        cmd = inspec.command("set-item -path env:DB2CLP -value \"**$$**\"\; db2 connect to #{@db_name}\; db2 \"#{q}\"\;")
+        out = cmd.stdout + "\n" + cmd.stderr
+      end
+
+      if cmd.exit_status != 0 || out =~ /Can't connect to IBM Db2 / || out.downcase =~ /^error:.*/
+        raise Inspec::Exceptions::ResourceFailed, "IBM Db2 connection error: #{out}"
+      else
+        Lines.new(cmd.stdout.strip, "IBM Db2 Query: #{q}")
+      end
+    end
+
+    def to_s
+      "IBM Db2 Session"
+    end
+  end
+end