inspec-core 4.49.0 → 4.56.17

data/lib/inspec/resources/http.rb

@@ -11,6 +11,7 @@ module Inspec::Resources
   class Http < Inspec.resource(1)
     name "http"
     supports platform: "unix"
+    supports platform: "windows"
     desc "Use the http InSpec audit resource to test http call."
     example <<~EXAMPLE
       describe http('http://localhost:8080/ping', auth: {user: 'user', pass: 'test'}, params: {format: 'html'}) do
@@ -104,6 +105,7 @@ module Inspec::Resources
           opts[:data]
         end
 
+        # not supported on Windows
         def open_timeout
           opts.fetch(:open_timeout, 60)
         end
@@ -117,7 +119,11 @@ module Inspec::Resources
         end
 
         def max_redirects
-          opts.fetch(:max_redirects, 0)
+          opts.fetch(:max_redirects, nil)
+        end
+
+        def proxy
+          opts.fetch(:proxy, nil)
         end
       end
 
@@ -139,12 +145,18 @@ module Inspec::Resources
         def response
           return @response if @response
 
+          Faraday.ignore_env_proxy = true if proxy == "disable"
+
           conn = Faraday.new(url: url, headers: request_headers, params: params, ssl: { verify: ssl_verify? }) do |builder|
             builder.request :url_encoded
-            builder.use FaradayMiddleware::FollowRedirects, limit: max_redirects if max_redirects > 0
+            builder.use FaradayMiddleware::FollowRedirects, limit: max_redirects unless max_redirects.nil?
             builder.adapter Faraday.default_adapter
           end
 
+          unless proxy == "disable" || proxy.nil?
+            conn.proxy = proxy
+          end
+
           # set basic authentication
           conn.basic_auth username, password unless username.nil? || password.nil?
 
@@ -162,98 +174,167 @@ module Inspec::Resources
         attr_reader :inspec
 
         def initialize(inspec, http_method, url, opts)
-          unless inspec.command("curl").exist?
+          http_cmd = inspec.os.windows? ? "Invoke-WebRequest" : "curl"
+          unless inspec.command(http_cmd).exist?
             raise Inspec::Exceptions::ResourceSkipped,
-                  "curl is not available on the target machine"
+                  "#{http_cmd} is not available on the target machine"
           end
-
-          @ran_curl = false
+          @ran_http = false
           @inspec = inspec
           super(http_method, url, opts)
         end
 
         def status
-          run_curl
+          run_http
           @status
         end
 
         def body
-          run_curl
+          run_http
           @body&.strip
         end
 
         def response_headers
-          run_curl
+          run_http
           @response_headers
         end
 
         private
 
-        def run_curl
-          return if @ran_curl
+        def run_http
+          return if @ran_http
 
-          cmd_result = inspec.command(curl_command)
+          cmd_result = inspec.command(http_command)
           response = cmd_result.stdout
-          @ran_curl = true
+          @ran_http = true
           return if response.nil? || cmd_result.exit_status != 0
 
-          # strip any carriage returns to normalize output
-          response.delete!("\r")
+          if inspec.os.windows?
+            response = JSON.parse(response)
 
-          # split the prelude (status line and headers) and the body
-          prelude, remainder = response.split("\n\n", 2)
-          loop do
-            break unless remainder =~ %r{^HTTP/}
+            @status = response["StatusCode"]
+            @body = response["Content"]
 
-            prelude, remainder = remainder.split("\n\n", 2)
-          end
-          @body = remainder
-          prelude = prelude.lines
-
-          # grab the status off of the first line of the prelude
-          status_line = prelude.shift
-          @status = status_line.split(" ", 3)[1].to_i
-
-          # parse the rest of the prelude which will be all the HTTP headers
-          @response_headers = {}
-          prelude.each do |line|
-            line.strip!
-            key, value = line.split(":", 2)
-            @response_headers[key] = value.strip
+            @response_headers = {}
+            response["Headers"].each do |name, value|
+              @response_headers["#{name}"] = value
+            end
+          else
+            # strip any carriage returns to normalize output
+            response.delete!("\r")
+
+            # split the prelude (status line and headers) and the body
+            prelude, remainder = response.split("\n\n", 2)
+            loop do
+              break unless remainder =~ %r{^HTTP/}
+
+              prelude, remainder = remainder.split("\n\n", 2)
+            end
+            @body = remainder
+            prelude = prelude.lines
+
+            # grab the status off of the first line of the prelude
+            status_line = prelude.shift
+            @status = status_line.split(" ", 3)[1].to_i
+
+            # parse the rest of the prelude which will be all the HTTP headers
+            @response_headers = {}
+            prelude.each do |line|
+              line.strip!
+              key, value = line.split(":", 2)
+              @response_headers[key] = value.strip
+            end
           end
         end
 
-        def curl_command # rubocop:disable Metrics/AbcSize
-          cmd = ["curl -i"]
-
-          # Use curl's --head option when the method requested is HEAD. Otherwise,
-          # the user may experience a timeout when curl does not properly close
-          # the connection after the response is received.
-          if http_method.casecmp("HEAD") == 0
-            cmd << "--head"
+        def http_command # rubocop:disable Metrics/AbcSize
+          if inspec.os.windows?
+            load_powershell_command
           else
-            cmd << "-X #{http_method}"
+            cmd = ["curl -i"]
+
+            # Use curl's --head option when the method requested is HEAD. Otherwise,
+            # the user may experience a timeout when curl does not properly close
+            # the connection after the response is received.
+            if http_method.casecmp("HEAD") == 0
+              cmd << "--head"
+            else
+              cmd << "-X #{http_method}"
+            end
+
+            cmd << "--noproxy '*'" if proxy == "disable"
+            unless proxy == "disable" || proxy.nil?
+              if proxy.is_a?(Hash)
+                cmd << "--proxy #{proxy[:uri]} --proxy-user #{proxy[:user]}:#{proxy[:password]}"
+              else
+                cmd << "--proxy #{proxy}"
+              end
+            end
+            cmd << "--connect-timeout #{open_timeout}"
+            cmd << "--max-time #{open_timeout + read_timeout}"
+            cmd << "--user \'#{username}:#{password}\'" unless username.nil? || password.nil?
+            cmd << "--insecure" unless ssl_verify?
+            cmd << "--data #{Shellwords.shellescape(request_body)}" unless request_body.nil?
+            cmd << "--location" unless max_redirects.nil?
+            cmd << "--max-redirs #{max_redirects}" unless max_redirects.nil?
+
+            request_headers.each do |k, v|
+              cmd << "-H '#{k}: #{v}'"
+            end
+
+            if params.nil?
+              cmd << "'#{url}'"
+            else
+              cmd << "'#{url}?#{params.map { |e| e.join("=") }.join("&")}'"
+            end
+
+            cmd.join(" ")
           end
+        end
 
-          cmd << "--connect-timeout #{open_timeout}"
-          cmd << "--max-time #{open_timeout + read_timeout}"
-          cmd << "--user \'#{username}:#{password}\'" unless username.nil? || password.nil?
-          cmd << "--insecure" unless ssl_verify?
-          cmd << "--data #{Shellwords.shellescape(request_body)}" unless request_body.nil?
-          cmd << "--location" if max_redirects > 0
-          cmd << "--max-redirs #{max_redirects}" if max_redirects > 0
-
+        def load_powershell_command
+          cmd = ["Invoke-WebRequest"]
+          cmd << "-Method #{http_method}"
+          # Missing connect-timeout
+          cmd << "-TimeoutSec #{open_timeout + read_timeout}"
+          # Insecure not supported simply https://stackoverflow.com/questions/11696944/powershell-v3-invoke-webrequest-https-error
+          cmd << "-MaximumRedirection #{max_redirects}" unless max_redirects.nil?
+          request_headers["Authorization"] = """ '\"Basic ' + [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes(\"#{username}:#{password}\")) +'\"' """ unless username.nil? || password.nil?
+          request_header_string = nil
           request_headers.each do |k, v|
-            cmd << "-H '#{k}: #{v}'"
+            request_header_string << " #{k} = #{v}"
           end
-
+          cmd << "-Headers @{#{request_header_string.join(";")}}" unless request_header_string.nil?
           if params.nil?
             cmd << "'#{url}'"
           else
             cmd << "'#{url}?#{params.map { |e| e.join("=") }.join("&")}'"
           end
 
-          cmd.join(" ")
+          proxy_script = ""
+          unless proxy == "disable" || proxy.nil?
+            cmd << "-Proxy #{proxy[:uri]}"
+            cmd << "-ProxyCredential $proxyCreds"
+            proxy_script = <<-EOH
+              $secPasswd = ConvertTo-SecureString "#{proxy[:password]}" -AsPlainText -Force
+              $proxyCreds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{proxy[:user]}",$secPasswd
+            EOH
+          end
+
+          command = cmd.join(" ")
+          body = "\'#{request_body}\'"
+          script = <<-EOH
+            $body = #{body.strip unless request_body.nil?}
+            $Body = $body | ConvertFrom-Json
+            #convert to hashtable
+            $HashTable = @{}
+            foreach ($property in $Body.PSObject.Properties) {
+              $HashTable[$property.Name] = $property.Value
+            }
+            $response = #{command} -Body $HashTable -UseBasicParsing
+            $response | Select-Object -Property * | ConvertTo-json # We use `Select-Object -Property * ` to get around an odd PowerShell error
+          EOH
+          proxy_script.strip + "\n" + script.strip
         end
       end
     end

data/lib/inspec/resources/ibmdb2_session.rb

@@ -46,12 +46,12 @@ module Inspec::Resources
 
         # check if following specific error is there. Sourcing the db2profile to resolve the error.
         if cmd.exit_status != 0 && out =~ /SQL10007N Message "-1390" could not be retrieved.  Reason code: "3"/
-          cmd = inspec.command(". ~/sqllib/db2profile\; #{@db2_executable_file_path} attach to #{@db_instance}\; #{@db2_executable_file_path} connect to #{@db_name}\; #{@db2_executable_file_path} #{q}\;")
+          cmd = inspec.command(". ~/sqllib/db2profile\; #{@db2_executable_file_path} attach to #{@db_instance}\; #{@db2_executable_file_path} connect to #{@db_name}\; #{@db2_executable_file_path} \"#{q}\"\;")
           out = cmd.stdout + "\n" + cmd.stderr
         end
       elsif inspec.os.platform?("windows")
         # set-item command set the powershell to run the db2 commands.
-        cmd = inspec.command("set-item -path env:DB2CLP -value \"**$$**\"\; db2 connect to #{@db_name}\; db2 #{q}\;")
+        cmd = inspec.command("set-item -path env:DB2CLP -value \"**$$**\"\; db2 connect to #{@db_name}\; db2 \"#{q}\"\;")
         out = cmd.stdout + "\n" + cmd.stderr
       end
 

data/lib/inspec/resources/iptables.rb

@@ -33,6 +33,7 @@ module Inspec::Resources
     def initialize(params = {})
       @table = params[:table]
       @chain = params[:chain]
+      @ignore_comments = params[:ignore_comments] || false
 
       # we're done if we are on linux
       return if inspec.os.linux?
@@ -59,8 +60,13 @@ module Inspec::Resources
       cmd = inspec.command(iptables_cmd)
       return [] if cmd.exit_status.to_i != 0
 
-      # split rules, returns array or rules
-      @iptables_cache = cmd.stdout.split("\n").map(&:strip)
+      if @ignore_comments
+        # split rules, returns array or rules without any comment
+        @iptables_cache = remove_comments_from_rules(cmd.stdout.split("\n"))
+      else
+        # split rules, returns array or rules
+        @iptables_cache = cmd.stdout.split("\n").map(&:strip)
+      end
     end
 
     def to_s
@@ -69,6 +75,16 @@ module Inspec::Resources
 
     private
 
+    def remove_comments_from_rules(rules)
+      rules.each do |rule|
+        next if rule.nil?
+
+        rule.gsub!(/ -m comment --comment "([^"]*)"/, "")
+        rule.strip
+      end
+      rules
+    end
+
     def find_iptables_or_error
       %w{/usr/sbin/iptables /sbin/iptables iptables}.each do |cmd|
         return cmd if inspec.command(cmd).exist?

data/lib/inspec/resources/kernel_parameters.rb

@@ -0,0 +1,58 @@
+module Inspec::Resources
+  class KernelParameters < Inspec.resource(1)
+    name "kernel_parameters"
+    supports platform: "unix"
+    desc "Use the kernel_parameters InSpec audit resource to test kernel parameters on Linux platforms."
+    example <<~EXAMPLE
+      describe kernel_parameters.where(parameter: /^net./ ) do
+        its('parameters') { should include 'net.ipv4.conf.all.forwarding' }
+      end
+
+      describe kernel_parameters.where(parameter: "net.ipv4.conf.all.forwarding") do
+        its('values') { should eq [0] }
+      end
+
+      describe kernel_parameters do
+        its('parameters') { should include 'net.ipv4.conf.all.forwarding' }
+        its('values') { should include 0 }
+      end
+    EXAMPLE
+
+    filter = FilterTable.create
+    filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
+    filter.register_column(:parameters, field: "parameter")
+      .register_column(:values, field: "value")
+    filter.install_filter_methods_on_resource(self, :params)
+
+    def initialize
+      # this resource is only supported on Linux
+      return skip_resource "The `kernel_parameters` resource is not supported on your OS." unless inspec.os.linux?
+    end
+
+    def to_s
+      "Kernel Parameters"
+    end
+
+    private
+
+    def params
+      cmd = inspec.command("/sbin/sysctl -a")
+      cmd.exit_status != 0 ? [] : parse_kernel_paramater(cmd.stdout)
+    end
+
+    def parse_kernel_paramater(stdout)
+      result = []
+      stdout.split("\n").each do |out|
+        splitted_output = out.split("=").map(&:strip)
+        result.push(
+          {
+            "parameter" => splitted_output[0],
+            "value" => splitted_output[1].to_i,
+          }
+        )
+      end
+      result
+    end
+
+  end
+end

data/lib/inspec/resources/mssql_session.rb

@@ -76,7 +76,7 @@ module Inspec::Resources
       if cmd.exit_status != 0 || out =~ /Sqlcmd: Error/
         raise Inspec::Exceptions::ResourceFailed, "Could not execute the sql query #{out}"
       else
-        DatabaseHelper::SQLQueryResult.new(cmd, parse_csv_result(cmd))
+        DatabaseHelper::SQLQueryResult.new(cmd, parse_csv_result(cmd.stdout))
       end
     end
 
@@ -94,9 +94,17 @@ module Inspec::Resources
       !query("select getdate()").empty?
     end
 
-    def parse_csv_result(cmd)
+    def parse_csv_result(stdout)
       require "csv" unless defined?(CSV)
-      table = CSV.parse(cmd.stdout, headers: true)
+
+      # replaces \n with \r since multiline data in older versions of database returns faulty
+      # formatted multiline data, example name\r\n----\r\nThis is\na multiline field\r\n
+      out = stdout.gsub("\n", "\r")
+      out = out.gsub("\r\r", "\r")
+
+      # row separator used since row delimiters \n (in linux) or \r\n (in windows)
+      # are converted to \r for consistency and handling faulty formatted multiline data
+      table = CSV.parse(out, headers: true, row_sep: "\r")
 
       # remove first row, since it will be a seperator line
       table.delete(0)

data/lib/inspec/resources/oracledb_session.rb

@@ -118,7 +118,9 @@ module Inspec::Resources
       output = output.sub(/\r/, "").strip.gsub(",", "comma_query_sub")
       converter = ->(header) { header.downcase }
       CSV.parse(output, headers: true, header_converters: converter).map do |row|
-        revised_row = row.entries.flatten.map { |entry| entry.gsub("comma_query_sub", ",") }
+        next if row.entries.flatten.empty?
+
+        revised_row = row.entries.flatten.map { |entry| entry&.gsub("comma_query_sub", ",") }
         Hashie::Mash.new([revised_row].to_h)
       end
     end

data/lib/inspec/resources/package.rb

@@ -26,6 +26,7 @@ module Inspec::Resources
       @cache = nil
       # select package manager
       @pkgman = nil
+      @latest_version = nil
 
       os = inspec.os
       if os.debian?
@@ -60,6 +61,15 @@ module Inspec::Resources
       info[:installed] == true
     end
 
+    def latest?(_provider = nil, _version = nil)
+      os = inspec.os
+      if os.solaris? || (%w{hpux aix}.include? os[:family])
+        raise Inspec::Exceptions::ResourceSkipped, "The `be_latest` matcher is not supported on your OS yet."
+      end
+
+      (!info[:only_version_no].nil? && !latest_version.nil?) && (info[:only_version_no] == latest_version)
+    end
+
     # returns true it the package is held (if the OS supports it)
     def held?(_provider = nil, _version = nil)
       info[:held] == true
@@ -82,6 +92,10 @@ module Inspec::Resources
       info[:version]
     end
 
+    def latest_version
+      @latest_version ||= ( @pkgman.latest_version(@package_name) || info[:latest_version] )
+    end
+
     def to_s
       "System Package #{@package_name}"
     end
@@ -107,6 +121,21 @@ module Inspec::Resources
       # combined into a `ResourceSkipped` exception message.
       []
     end
+
+    private
+
+    def fetch_latest_version(cmd_string)
+      cmd = inspec.command(cmd_string)
+      if cmd.exit_status != 0
+        raise Inspec::Exceptions::ResourceFailed, "Failed to fetch latest version. Error: #{cmd.stderr}"
+      else
+        fetch_version_no(cmd.stdout)
+      end
+    end
+
+    def fetch_version_no(output)
+      output.scan(/(?:(?:\d+)[.]){2,}(?:\d+)/).max_by { |s| Gem::Version.new(s) } unless output.nil?
+    end
   end
 
   # Debian / Ubuntu
@@ -124,14 +153,21 @@ module Inspec::Resources
       # If the package is installed and marked hold, Status is "hold ok installed"
       # If the package is removed and not purged, Status is "deinstall ok config-files" with exit_status 0
       # If the package is purged cmd fails with non-zero exit status
+
       {
         name: params["Package"],
         installed: params["Status"].split(" ")[2] == "installed",
         held: params["Status"].split(" ")[0] == "hold",
         version: params["Version"],
         type: "deb",
+        only_version_no: fetch_version_no(params["Version"]),
       }
     end
+
+    def latest_version(package_name)
+      cmd_string = "apt list #{package_name} -a"
+      fetch_latest_version(cmd_string)
+    end
   end
 
   # RHEL family
@@ -181,9 +217,15 @@ module Inspec::Resources
         installed: true,
         version: "#{v}-#{r}",
         type: "rpm",
+        only_version_no: "#{v}",
       }
     end
 
+    def latest_version(package_name)
+      cmd_string = "yum list #{package_name}"
+      fetch_latest_version(cmd_string)
+    end
+
     private
 
     def rpm_command(package_name)
@@ -216,11 +258,17 @@ module Inspec::Resources
         installed: true,
         version: pkg["installed"][0]["version"],
         type: "brew",
+        latest_version: pkg["versions"]["stable"],
+        only_version_no: pkg["installed"][0]["version"],
       }
     rescue JSON::ParserError => e
       raise Inspec::Exceptions::ResourceFailed,
             "Failed to parse JSON from `brew` command. Error: #{e}"
     end
+
+    def latest_version(package_name)
+      nil
+    end
   end
 
   # Arch Linux
@@ -240,8 +288,14 @@ module Inspec::Resources
         installed: true,
         version: params["Version"],
         type: "pacman",
+        only_version_no: fetch_version_no(params["Version"]),
       }
     end
+
+    def latest_version(package_name)
+      cmd_string = "pacman -Ss #{package_name} | grep #{package_name} | grep installed"
+      fetch_latest_version(cmd_string)
+    end
   end
 
   class HpuxPkg < PkgManagement
@@ -267,13 +321,20 @@ module Inspec::Resources
       pkg_info = cmd.stdout.split("\n").delete_if { |e| e =~ /^WARNING/i }
       pkg = pkg_info[0].split(" - ")[0]
 
+      version = pkg.partition("-")[2]
       {
         name: pkg.partition("-")[0],
         installed: true,
-        version: pkg.partition("-")[2],
+        version: version,
         type: "pkg",
+        only_version_no: fetch_version_no(version),
       }
     end
+
+    def latest_version(package_name)
+      cmd_string = "apk info #{package_name}"
+      fetch_latest_version(cmd_string)
+    end
   end
 
   class FreebsdPkg < PkgManagement
@@ -292,8 +353,14 @@ module Inspec::Resources
         installed: true,
         version: params["Version"],
         type: "pkg",
+        only_version_no: params["Version"],
       }
     end
+
+    def latest_version(package_name)
+      cmd_string = "pkg version -v | grep #{package_name}"
+      fetch_latest_version(cmd_string)
+    end
   end
 
   # Determines the installed packages on Windows using the Windows package registry entries.
@@ -339,8 +406,14 @@ module Inspec::Resources
         installed: true,
         version: package["DisplayVersion"],
         type: "windows",
+        only_version_no: package["DisplayVersion"],
       }
     end
+
+    def latest_version(package_name)
+      cmd_string = "Get-Package #{package_name} -AllVersions"
+      fetch_latest_version(cmd_string)
+    end
   end
 
   # AIX

data/lib/inspec/resources/packages.rb

@@ -26,6 +26,8 @@ module Inspec::Resources
         @pkgs = Debs.new(inspec)
       elsif os.redhat? || %w{suse amazon fedora}.include?(os[:family])
         @pkgs = Rpms.new(inspec)
+      elsif ["alpine"].include?(os[:name])
+        @pkgs = AlpinePkgs.new(inspec)
       else
         return skip_resource "The packages resource is not yet supported on OS #{inspec.os.name}"
       end
@@ -108,4 +110,23 @@ module Inspec::Resources
       end
     end
   end
+
+  # RedHat family
+  class AlpinePkgs < PkgsManagement
+    def build_package_list
+      command = "apk list --no-network --installed"
+      cmd = inspec.command(command)
+      all = cmd.stdout.split("\n")
+      return [] if all.nil? || cmd.exit_status.to_i != 0
+
+      all.map do |m|
+        next if m =~ /^WARNING/i
+
+        a = m.split(" ")
+        version = a[0].split("-")[-2]
+        name = a[2].gsub(/[{}^]*/, "")
+        PackageStruct.new("installed", name, version, a[1])
+      end
+    end
+  end
 end

data/lib/inspec/resources/registry_key.rb

@@ -105,6 +105,21 @@ module Inspec::Resources
       children_keys(@options[:path], filter)
     end
 
+    # returns hash containing users / groups and their permission
+    def user_permissions
+      return {} unless exists?
+
+      get_permissions(@options[:path])
+    end
+
+    # returns true if inheritance is enabled for registry key.
+    def inherited?
+      return false unless exists?
+
+      cmd = inspec.command("(Get-Acl -Path 'Registry::#{@options[:path]}').access| Where-Object {$_.IsInherited -eq $true} | measure | % { $_.Count }")
+      cmd.stdout.chomp == "0" ? false : true
+    end
+
     # returns nil, if not existent or value
     def method_missing(*keys)
       # allow the use of array syntax in an `its` block so that users
@@ -283,6 +298,21 @@ module Inspec::Resources
 
       key.start_with?("\\") ? key : "\\#{key}"
     end
+
+    def get_permissions(path)
+      script = <<~EOH
+      $path = '#{path}'
+      $Acl = Get-Acl -Path ('Registry::' + $path)
+      $Result = foreach ($Access in $acl.Access) {
+        [PSCustomObject]@{
+          $Access.IdentityReference = $Access.RegistryRights.ToString()
+        }
+      }
+      $Result | ConvertTo-Json
+      EOH
+      result = inspec.powershell(script)
+      JSON.load(result.stdout).inject(&:merge) unless result.stdout.empty?
+    end
   end
 
   class WindowsRegistryKey < RegistryKey