inspec-core 4.46.13 → 4.49.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1cc013914b6503c547eeb5fbba13ce8398cf039236b82a0422339a8b7d178649
-  data.tar.gz: bb763eb39cb82fa264417d15147769d9d4b3fe1dff34ac40351712a35c6dbcb3
+  metadata.gz: 31dcab9ba9621f43755fc390ad061c08b7e6ab19466d26a38921d33960e1bbf5
+  data.tar.gz: eecdf0ec772ef012bfbf5185b379c47dd008fe902b9e91d4feee6979b0294c0f
 SHA512:
-  metadata.gz: 492c4bbde3afe3c8be2d7640bb5e6a04f973a762aa2b541231dc61a3862d2d4d3248a49ff9b149ca66fa07eba83e1cd61260185a61fb073ba6a3cc9b542ac04f
-  data.tar.gz: 89b55b1c8d8da24e1266bf6e19f688d284b88b18ec36c97f3f088c6f0422ac6ae6b0ddcab867bcb174ae789fc8e5bb334ed40cfd49adb26c7c3eb401c3164123
+  metadata.gz: 1059703ad59c2bf7c213a0914f94a8852cc550b1d305f634e07a08b364edae5c0f550927a8bcec9e712cd313949388082fdebf5c3164147ef12c21df952281b9
+  data.tar.gz: 1d4e6e64b8851c40349b7d696d46904fa73c0683d19c70afaa942a4c4bef4591a3ed4d7ec2c89aa5f7717da70617d70f182a7e9b894338da77592231b4c62234

data/lib/inspec/base_cli.rb

@@ -174,6 +174,10 @@ module Inspec
         desc: "After normal execution order, results are sorted by control ID, or by file (default), or randomly. None uses legacy unsorted mode."
       option :filter_empty_profiles, type: :boolean, default: false,
         desc: "Filter empty profiles (profiles without controls) from the report."
+      option :filter_waived_controls, type: :boolean,
+        desc: "Do not execute waived controls in InSpec at all. Must use with --waiver-file. Ignores `run` setting of waiver file."
+      option :retain_waiver_data, type: :boolean,
+        desc: "EXPERIMENTAL: Only works in conjunction with --filter-waived-controls, retains waiver data about controls that were skipped"
       option :command_timeout, type: :numeric,
         desc: "Maximum seconds to allow commands to run during execution.",
         long_desc: "Maximum seconds to allow commands to run during execution. A timed out command is considered an error."

data/lib/inspec/cli.rb

@@ -122,8 +122,8 @@ class Inspec::InspecCLI < Inspec::BaseCLI
       end
       puts
 
-      if result[:errors].empty? && result[:warnings].empty?
-        ui.plain_line("No errors or warnings")
+      if result[:errors].empty? && result[:warnings].empty? && result[:offenses].empty?
+        ui.plain_line("No errors, warnings, or offenses")
       else
         item_msg = lambda { |item|
           pos = [item[:file], item[:line], item[:column]].compact.join(":")
@@ -135,11 +135,18 @@ class Inspec::InspecCLI < Inspec::BaseCLI
 
         puts
 
+        unless result[:offenses].empty?
+          puts "Offenses:\n"
+          result[:offenses].each { |item| ui.cyan(" #{Inspec::UI::GLYPHS[:script_x]} #{item_msg.call(item)}\n\n") }
+        end
+
+        offenses = ui.cyan("#{result[:offenses].length} offenses", print: false)
         errors = ui.red("#{result[:errors].length} errors", print: false)
         warnings = ui.yellow("#{result[:warnings].length} warnings", print: false)
-        ui.plain_line("Summary:     #{errors}, #{warnings}")
+        ui.plain_line("Summary:     #{errors}, #{warnings}, #{offenses}")
       end
     end
+
     ui.exit Inspec::UI::EXIT_USAGE_ERROR unless result[:summary][:valid]
   rescue StandardError => e
     pretty_handle_exception(e)

data/lib/inspec/profile.rb

@@ -217,6 +217,9 @@ module Inspec
 
         locked_dependencies.each(&:collect_tests)
 
+        tests = filter_waived_controls
+
+        # Collect tests
         tests.each do |path, content|
           next if content.nil? || content.empty?
 
@@ -233,6 +236,65 @@ module Inspec
       @runner_context.all_rules
     end
 
+    # Wipe out waived controls
+    def filter_waived_controls
+      cfg = Inspec::Config.cached
+      return tests unless cfg["filter_waived_controls"]
+
+      ## Find the waivers file
+      # - TODO: cli_opts and instance_variable_get could be exposed
+      waiver_paths = cfg.instance_variable_get(:@cli_opts)["waiver_file"]
+      if waiver_paths.blank?
+        Inspec::Log.error "Must use --waiver-file with --filter-waived-controls"
+        Inspec::UI.new.exit(:usage_error)
+      end
+
+      # # Pull together waiver
+      waived_control_ids = []
+      waiver_paths.each do |waiver_path|
+        waiver_content = YAML.load_file(waiver_path)
+        unless waiver_content
+          # Note that we will have already issued a detailed warning
+          Inspec::Log.error "YAML parsing error in #{waiver_path}"
+          Inspec::UI.new.exit(:usage_error)
+        end
+        waived_control_ids << waiver_content.keys
+      end
+      waived_control_id_regex = "(#{waived_control_ids.join("|")})"
+
+      ## Purge tests (this could be doone in next block for performance)
+      ## TODO: implement earlier with pure AST and pure autocorrect AST
+      filtered_tests = {}
+      if cfg["retain_waiver_data"]
+        # VERY EXPERIMENTAL, but an empty describe block at the top level
+        # of the control blocks evaluation of ruby code until later-term
+        # waivers (behind the scenes this tells RSpec to hold on and use its internals to lazy load the code). This allows current waiver-data (e.g. skips) to still
+        # be processed and rendered
+        tests.each do |control_filename, source_code|
+          cleared_tests = source_code.scan(/control\s+['"].+?['"].+?(?=(?:control\s+['"].+?['"])|\z)/m).collect do |element|
+            next if element.blank?
+
+            if element&.match?(waived_control_id_regex)
+              splitlines = element.split("\n")
+              splitlines[0] + "\ndescribe '---' do\n" + splitlines[1..-1].join("\n") + "\nend\n"
+            else
+              element
+            end
+          end.join("")
+          filtered_tests[control_filename] = cleared_tests
+        end
+      else
+        tests.each do |control_filename, source_code|
+          cleared_tests = source_code.scan(/control\s+['"].+?['"].+?(?=(?:control\s+['"].+?['"])|\z)/m).select do |control_code|
+            !control_code.match?(waived_control_id_regex)
+          end.join("")
+
+          filtered_tests[control_filename] = cleared_tests
+        end
+      end
+      filtered_tests
+    end
+
     # This creates the list of controls provided in the --controls options which need to be include
     # for evaluation.
     def include_controls_list
@@ -386,6 +448,43 @@ module Inspec
       res
     end
 
+    def cookstyle_linting_check
+      msgs = []
+      output = cookstyle_rake_output.split("Offenses:").last
+      msgs = output.split("\n").select { |x| x =~ /[A-Z]:/ } unless output.nil?
+      msgs
+    end
+
+    # Cookstyle linting rake run output
+    def cookstyle_rake_output
+      require "cookstyle"
+      require "rubocop/rake_task"
+      begin
+        RuboCop::RakeTask.new(:cookstyle_lint) do |spec|
+          spec.options += [
+            "--display-cop-names",
+            "--parallel",
+            "--only=InSpec/Deprecations",
+          ]
+          spec.patterns += Dir.glob("#{@target}/**/*.rb").reject { |f| File.directory?(f) }
+          spec.fail_on_error = false
+        end
+      rescue LoadError
+        puts "Rubocop is not available. Install the rubocop gem to run the lint tests."
+      end
+      begin
+        stdout = StringIO.new
+        $stdout = stdout
+        Rake::Task["cookstyle_lint"].invoke
+        $stdout = STDOUT
+        Rake.application["cookstyle_lint"].reenable
+        stdout.string
+      rescue => e
+        puts "Cookstyle lint checks could not be performed. Error while running cookstyle - #{e}"
+        ""
+      end
+    end
+
     # Check if the profile is internally well-structured. The logger will be
     # used to print information on errors and warnings which are found.
     #
@@ -402,6 +501,7 @@ module Inspec
         },
         errors: [],
         warnings: [],
+        offenses: [],
       }
 
       entry = lambda { |file, line, column, control, msg|
@@ -424,6 +524,10 @@ module Inspec
         result[:errors].push(entry.call(file, line, column, control, msg))
       }
 
+      offense = lambda { |file, line, column, control, msg|
+        result[:offenses].push(entry.call(file, line, column, control, msg))
+      }
+
       @logger.info "Checking profile in #{@target}"
       meta_path = @source_reader.target.abs_path(@source_reader.metadata.ref)
 
@@ -486,8 +590,15 @@ module Inspec
         warn.call(sfile, sline, nil, id, "Control #{id} has no tests defined") if control[:checks].nil? || control[:checks].empty?
       end
 
-      # profile is valid if we could not find any error
-      result[:summary][:valid] = result[:errors].empty?
+      # Running cookstyle to check for code offenses
+      cookstyle_linting_check.each do |lint_output|
+        data = lint_output.split(":")
+        msg = "#{data[-2]}:#{data[-1]}"
+        offense.call(data[0], data[1], data[2], nil, msg)
+      end
+
+      # profile is valid if we could not find any error & offenses
+      result[:summary][:valid] = result[:errors].empty? && result[:offenses].empty?
 
       @logger.info "Control definitions OK." if result[:warnings].empty?
       result

data/lib/inspec/resources/cassandra.rb

@@ -0,0 +1,64 @@
+module Inspec::Resources
+  class Cassandra < Inspec.resource(1)
+    name "cassandra"
+    supports platform: "unix"
+    supports platform: "windows"
+
+    desc "The 'cassandra' resource is a helper for the 'cql_conf'"
+
+    attr_reader :conf_path
+
+    def initialize
+      case inspec.os[:family]
+      when "debian", "redhat", "linux", "suse"
+        determine_conf_dir_and_path_in_linux
+      when "windows"
+        determine_conf_dir_and_path_in_windows
+      end
+    end
+
+    def to_s
+      "CassandraDB"
+    end
+
+    private
+
+    def determine_conf_dir_and_path_in_linux
+      cassandra_home = inspec.os_env("CASSANDRA_HOME").content
+
+      if cassandra_home.nil? || cassandra_home.empty?
+        warn "$CASSANDRA_HOME environment variable not set in the system"
+        nil
+      else
+        conf_path = "#{cassandra_home}/cassandra.yaml"
+        if !inspec.file(conf_path).exist?
+          warn "Cassandra conf file not found in #{cassandra_home} directory."
+          nil
+        else
+          @conf_path = conf_path
+        end
+      end
+    rescue => e
+      fail_resource "Errors reading cassandra conf file: #{e}"
+    end
+
+    def determine_conf_dir_and_path_in_windows
+      cassandra_home = inspec.os_env("CASSANDRA_HOME").content
+
+      if cassandra_home.nil? || cassandra_home.empty?
+        warn "CASSANDRA_HOME environment variable not set in the system"
+        nil
+      else
+        conf_path = "#{cassandra_home}\\conf\\cassandra.yaml"
+        if !inspec.file(conf_path).exist?
+          warn "Cassandra conf file not found in #{cassandra_home}\\conf directory."
+          nil
+        else
+          @conf_path = conf_path
+        end
+      end
+    rescue => e
+      fail_resource "Errors reading cassandra conf file: #{e}"
+    end
+  end
+end

data/lib/inspec/resources/cassandradb_conf.rb

@@ -0,0 +1,47 @@
+require "inspec/resources/json"
+require "inspec/resources/cassandra"
+
+module Inspec::Resources
+  class CassandradbConf < JsonConfig
+    name "cassandradb_conf"
+    supports platform: "unix"
+    supports platform: "windows"
+    desc "Use the cql_conf InSpec audit resource to test the contents of the configuration file for Cassandra DB"
+    example <<~EXAMPLE
+      describe cassandradb_conf do
+        its('listen_address') { should eq '0.0.0.0' }
+      end
+    EXAMPLE
+
+    def initialize(conf_path = nil)
+      cassandra = nil
+      if conf_path.nil?
+        cassandra = inspec.cassandra
+        @conf_path = cassandra.conf_path
+      else
+        @conf_path = conf_path
+      end
+
+      if cassandra && cassandra.resource_failed?
+        raise cassandra.resource_exception_message
+      elsif @conf_path.nil?
+        return skip_resource "Cassandra db conf path is not set"
+      end
+
+      super(@conf_path)
+    end
+
+    private
+
+    def parse(content)
+      YAML.load(content)
+    rescue => e
+      raise Inspec::Exceptions::ResourceFailed, "Unable to parse `cassandra.yaml` file: #{e.message}"
+    end
+
+    def resource_base_name
+      "Cassandra Configuration"
+    end
+
+  end
+end

data/lib/inspec/resources/cassandradb_session.rb

@@ -0,0 +1,68 @@
+module Inspec::Resources
+  class Lines
+    attr_reader :output
+
+    def initialize(raw, desc)
+      @output = raw
+      @desc = desc
+    end
+
+    def to_s
+      @desc
+    end
+  end
+
+  class CassandradbSession < Inspec.resource(1)
+    name "cassandradb_session"
+    supports platform: "unix"
+    supports platform: "windows"
+    desc "Use the cassandradb_session InSpec resource to test commands against an Cassandra database"
+    example <<~EXAMPLE
+      cql = cassandradb_session(user: 'my_user', password: 'password', host: 'host', port: 'port')
+      describe cql.query("SELECT cluster_name FROM system.local") do
+        its('output') { should match /Test Cluster/ }
+      end
+    EXAMPLE
+
+    attr_reader :user, :password, :host, :port
+
+    def initialize(opts = {})
+      @user = opts[:user] || "cassandra"
+      @password = opts[:password] || "cassandra"
+      @host = opts[:host]
+      @port = opts[:port]
+    end
+
+    def query(q)
+      cassandra_cmd = create_cassandra_cmd(q)
+      cmd = inspec.command(cassandra_cmd)
+      out = cmd.stdout + "\n" + cmd.stderr
+      if cmd.exit_status != 0 || out =~ /Unable to connect to any servers/ || out.downcase =~ /^error:.*/
+        raise Inspec::Exceptions::ResourceFailed, "Cassandra query with errors: #{out}"
+      else
+        Lines.new(cmd.stdout.strip, "Cassandra query: #{q}")
+      end
+    end
+
+    def to_s
+      "Cassandra DB Session"
+    end
+
+    private
+
+    def create_cassandra_cmd(q)
+      # TODO: simple escape, must be handled by a library
+      # that does this securely
+      escaped_query = q.gsub(/\\/, "\\\\").gsub(/"/, '\\"').gsub(/\$/, '\\$')
+
+      # construct the query
+      command = "cqlsh"
+      command += " #{@host}" unless @host.nil?
+      command += " #{@port}" unless @port.nil?
+      command += " -u #{@user}"
+      command += " -p #{@password}"
+      command += " --execute '#{escaped_query}'"
+      command
+    end
+  end
+end

data/lib/inspec/resources/groups.rb

@@ -22,6 +22,18 @@ module Inspec::Resources
     end
   end
 
+  # Class defined to check for members without case-sensitivity
+  class Members < Array
+    def initialize(group_members)
+      @group_members = group_members
+      super
+    end
+
+    def include?(user)
+      !(@group_members.select { |group_member| group_member.casecmp?(user) }.empty?)
+    end
+  end
+
   class Groups < Inspec.resource(1)
     include GroupManagementSelector
 
@@ -82,6 +94,7 @@ module Inspec::Resources
   #   its('gid') { should eq 0 }
   # end
   #
+
   class Group < Inspec.resource(1)
     include GroupManagementSelector
 
@@ -118,11 +131,13 @@ module Inspec::Resources
     end
 
     def members
-      flatten_entry(group_info, "members") || empty_value_for_members
+      members_list = flatten_entry(group_info, "members") || empty_value_for_members
+      inspec.os.windows? ? Members.new(members_list) : members_list
     end
 
     def members_array
-      flatten_entry(group_info, "members_array") || []
+      members_list = flatten_entry(group_info, "members_array") || []
+      inspec.os.windows? ? Members.new(members_list) : members_list
     end
 
     def local
@@ -150,7 +165,11 @@ module Inspec::Resources
     def group_info
       # we need a local copy for the block
       group = @group.dup
-      @groups_cache ||= inspec.groups.where { name == group }
+      if inspec.os.windows?
+        @groups_cache ||= inspec.groups.where { name.casecmp?(group) }
+      else
+        @groups_cache ||= inspec.groups.where { name == group }
+      end
     end
 
     def empty_value_for_members

data/lib/inspec/resources/oracledb_session.rb

@@ -42,6 +42,7 @@ module Inspec::Resources
     end
 
     def query(sql)
+      raise Inspec::Exceptions::ResourceSkipped, "#{resource_exception_message}" if resource_skipped?
       raise Inspec::Exceptions::ResourceFailed, "#{resource_exception_message}" if resource_failed?
 
       if @sqlcl_bin && inspec.command(@sqlcl_bin).exist?
@@ -78,7 +79,14 @@ module Inspec::Resources
     # using a db_role
     # su, using a db_role
     def command_builder(format_options, query)
-      verified_query = verify_query(query)
+      if @db_role.nil? || @su_user.nil?
+        verified_query = verify_query(query)
+      else
+        escaped_query = query.gsub(/\\\\/, "\\").gsub(/"/, '\\"')
+        escaped_query = escaped_query.gsub("$", '\\$') unless escaped_query.include? "\\$"
+        verified_query = verify_query(escaped_query)
+      end
+
       sql_prefix, sql_postfix = "", ""
       if inspec.os.windows?
         sql_prefix = %{@'\n#{format_options}\n#{verified_query}\nEXIT\n'@ | }
@@ -87,11 +95,14 @@ module Inspec::Resources
       end
 
       if @db_role.nil?
-        "#{sql_prefix}#{bin} #{user}/#{password}@#{host}:#{port}/#{@service}#{sql_postfix}"
+        %{#{sql_prefix}#{bin} #{user}/#{password}@#{host}:#{port}/#{@service}#{sql_postfix}}
       elsif @su_user.nil?
-        "#{sql_prefix}#{bin} #{user}/#{password}@#{host}:#{port}/#{@service} as #{@db_role}#{sql_postfix}"
+        %{#{sql_prefix}#{bin} #{user}/#{password}@#{host}:#{port}/#{@service} as #{@db_role}#{sql_postfix}}
       else
-        "su - #{@su_user} -c env ORACLE_SID=#{@service} #{@bin} / as #{@db_role}#{sql_postfix}"
+        # oracle_query_string is echoed to be able to extract the query output clearly
+        # su - su_user in certain versions of oracle returns a message
+        # Example of msg with query output: The Oracle base remains unchanged with value /oracle\n\nVALUE\n3\n
+        %{su - #{@su_user} -c "echo 'oracle_query_string'; env ORACLE_SID=#{@service} #{@bin} / as #{@db_role}#{sql_postfix}"}
       end
     end
 
@@ -101,9 +112,15 @@ module Inspec::Resources
     end
 
     def parse_csv_result(stdout)
-      output = stdout.sub(/\r/, "").strip
+      output = stdout.split("oracle_query_string")[-1]
+      # comma_query_sub replaces the csv delimiter "," in the output.
+      # Handles CSV parsing of data like this (DROP,3) etc
+      output = output.sub(/\r/, "").strip.gsub(",", "comma_query_sub")
       converter = ->(header) { header.downcase }
-      CSV.parse(output, headers: true, header_converters: converter).map { |row| Hashie::Mash.new(row.to_h) }
+      CSV.parse(output, headers: true, header_converters: converter).map do |row|
+        revised_row = row.entries.flatten.map { |entry| entry.gsub("comma_query_sub", ",") }
+        Hashie::Mash.new([revised_row].to_h)
+      end
     end
   end
 end

data/lib/inspec/resources/users.rb

@@ -204,7 +204,9 @@ module Inspec::Resources
     alias group groupname
 
     def groups
-      identity[:groups] unless identity.nil?
+      unless identity.nil?
+        inspec.os.windows? ? UserGroups.new(identity[:groups]) : identity[:groups]
+      end
     end
 
     def home
@@ -314,6 +316,18 @@ module Inspec::Resources
     end
   end
 
+  # Class defined to compare for groups without case-sensitivity
+  class UserGroups < Array
+    def initialize(user_groups)
+      @user_groups = user_groups
+      super
+    end
+
+    def include?(group)
+      !(@user_groups.select { |user_group| user_group.casecmp?(group) }.empty?)
+    end
+  end
+
   # This is an abstract class that every user provoider has to implement.
   # A user provider implements a system abstracts and helps the InSpec resource
   # hand-over system specific behavior to those providers
@@ -622,7 +636,7 @@ module Inspec::Resources
       name, _domain = parse_windows_account(username)
       return if collect_user_details.nil?
 
-      res = collect_user_details.select { |user| user[:username] == name }
+      res = collect_user_details.select { |user| user[:username].casecmp? name }
       res[0] unless res.empty?
     end
 

data/lib/inspec/resources/windows_firewall.rb

@@ -77,7 +77,7 @@ module Inspec::Resources
 
     def load_firewall_profile(profile_name)
       <<-EOH
-        Remove-TypeData System.Array # workaround for PS bug here: https://bit.ly/2SRMQ8M
+        Get-TypeData -TypeName System.Array | Remove-TypeData # workaround for PS bug here: https://bit.ly/2SRMQ8M
         $profile = Get-NetFirewallProfile -Name "#{profile_name}"
         $count = @($profile | Get-NetFirewallRule).Count
         ([PSCustomObject]@{

data/lib/inspec/resources.rb

@@ -37,6 +37,9 @@ require "inspec/resources/chocolatey_package"
 require "inspec/resources/command"
 require "inspec/resources/cran"
 require "inspec/resources/cpan"
+require "inspec/resources/cassandradb_session"
+require "inspec/resources/cassandradb_conf"
+require "inspec/resources/cassandra"
 require "inspec/resources/crontab"
 require "inspec/resources/dh_params"
 require "inspec/resources/directory"

data/lib/inspec/version.rb

@@ -1,3 +1,3 @@
 module Inspec
-  VERSION = "4.46.13".freeze
+  VERSION = "4.49.0".freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec-core
 version: !ruby/object:Gem::Version
-  version: 4.46.13
+  version: 4.49.0
 platform: ruby
 authors:
 - Chef InSpec Team
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-09-28 00:00:00.000000000 Z
+date: 2021-10-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: chef-telemetry
@@ -505,6 +505,9 @@ files:
 - lib/inspec/resources/bond.rb
 - lib/inspec/resources/bridge.rb
 - lib/inspec/resources/bsd_service.rb
+- lib/inspec/resources/cassandra.rb
+- lib/inspec/resources/cassandradb_conf.rb
+- lib/inspec/resources/cassandradb_session.rb
 - lib/inspec/resources/chocolatey_package.rb
 - lib/inspec/resources/chrony_conf.rb
 - lib/inspec/resources/command.rb