inspec-core 4.56.19 → 5.12.2

data/lib/inspec/profile.rb

@@ -13,6 +13,8 @@ require "inspec/dependencies/cache"
 require "inspec/dependencies/lockfile"
 require "inspec/dependencies/dependency_set"
 require "inspec/utils/json_profile_summary"
+require "inspec/dependency_loader"
+require "inspec/dependency_installer"
 
 module Inspec
   class Profile
@@ -378,6 +380,66 @@ module Inspec
       @runner_context
     end
 
+    def collect_gem_dependencies(profile_context)
+      gem_dependencies = []
+      all_profiles = []
+      profile_context.dependencies.list.values.each do |requirement|
+        all_profiles << requirement.profile
+      end
+      all_profiles << self
+      all_profiles.each do |profile|
+        gem_dependencies << profile.metadata.gem_dependencies unless profile.metadata.gem_dependencies.empty?
+      end
+      gem_dependencies.flatten.uniq
+    end
+
+    # Loads the required gems specified in the Profile's metadata file from default inspec gems path i.e. ~/.inspec/gems
+    # else installs and loads them.
+    def load_gem_dependencies
+      gem_dependencies = collect_gem_dependencies(load_libraries)
+      gem_dependencies.each do |gem_data|
+        dependency_loader = DependencyLoader.new
+        if dependency_loader.gem_version_installed?(gem_data[:name], gem_data[:version]) ||
+            dependency_loader.gem_installed?(gem_data[:name])
+          load_gem_dependency(gem_data)
+        else
+          if Inspec::Config.cached[:auto_install_gems]
+            install_gem_dependency(gem_data)
+            load_gem_dependency(gem_data)
+          else
+            ui = Inspec::UI.new
+            gem_dependencies.each { |gem_dependency| ui.list_item("#{gem_dependency[:name]} #{gem_dependency[:version]}") }
+            choice = ui.prompt.select("Would you like to install profile gem dependencies listed above?", %w{Yes No})
+            if choice == "Yes"
+              Inspec::Config.cached[:auto_install_gems] = true
+              load_gem_dependencies
+            else
+              ui.error "Unable to resolve above listed profile gem dependencies."
+              Inspec::UI.new.exit(:gem_dependency_load_error)
+            end
+          end
+        end
+      end
+    end
+
+    # Requires gem_data as argument.
+    # gem_dta example: { name: "gem_name", version: "0.0.1"}
+    def load_gem_dependency(gem_data)
+      dependency_loader = DependencyLoader.new(nil, [gem_data])
+      dependency_loader.load
+    rescue Inspec::GemDependencyLoadError => e
+      raise e.message
+    end
+
+    # Requires gem_data as argument.
+    # gem_dta example: { name: "gem_name", version: "0.0.1"}
+    def install_gem_dependency(gem_data)
+      gem_dependency = DependencyInstaller.new(nil, [gem_data])
+      gem_dependency.install
+    rescue Inspec::GemDependencyInstallError => e
+      raise e.message
+    end
+
     def to_s
       "Inspec::Profile<#{name}>"
     end
@@ -774,6 +836,7 @@ module Inspec
     end
 
     def load_checks_params(params)
+      load_gem_dependencies
       load_libraries
       tests = collect_tests
       params[:controls] = controls = {}

data/lib/inspec/reporters/automate.rb

@@ -21,7 +21,7 @@ module Inspec::Reporters
       final_report[:type] = "inspec_report"
 
       final_report[:end_time] = Time.now.utc.strftime("%FT%TZ")
-      final_report[:node_uuid] = report[:platform][:target_id] || @config["node_uuid"] || @config["target_id"]
+      final_report[:node_uuid] = @config["node_uuid"] || report[:platform][:target_id]
       raise Inspec::ReporterError, "Cannot find a UUID for your node. Please specify one via json-config." if final_report[:node_uuid].nil?
 
       final_report[:report_uuid] = @config["report_uuid"] || uuid_from_string(final_report[:end_time] + final_report[:node_uuid])

data/lib/inspec/reporters/cli.rb

@@ -76,7 +76,7 @@ module Inspec::Reporters
       }
       header["Failure Message"] = profile[:status_message] if profile[:status] == "failed"
       header["Target"] = run_data[:platform][:target] unless run_data[:platform][:target].nil?
-      header["Target ID"] = @config["target_id"] unless @config["target_id"].nil?
+      header["Target ID"] = run_data[:platform][:target_id] || ""
 
       pad = header.keys.max_by(&:length).length + 1
       header.each do |title, value|

data/lib/inspec/reporters/json.rb

@@ -29,28 +29,48 @@ module Inspec::Reporters
       {
         name:      run_data[:platform][:name],
         release:   run_data[:platform][:release],
-        target_id: run_data[:platform][:target_id] || @config["target_id"],
+        target_id: run_data[:platform][:target_id] || "",
       }.reject { |_k, v| v.nil? }
     end
 
     def profile_results(control)
       (control[:results] || []).map { |r|
         {
-          status:       r[:status],
-          code_desc:    r[:code_desc],
-          run_time:     r[:run_time],
-          start_time:   r[:start_time],
-          resource:     r[:resource],
-          skip_message: r[:skip_message],
-          message:      r[:message],
-          exception:    r[:exception],
-          backtrace:    r[:backtrace],
-          resource_class: r[:resource_class],
+          status:          r[:status],
+          code_desc:       r[:code_desc],
+          run_time:        r[:run_time],
+          start_time:      r[:start_time],
+          resource:        r[:resource],
+          skip_message:    r[:skip_message],
+          message:         r[:message],
+          exception:       r[:exception],
+          backtrace:       r[:backtrace],
+          resource_class:  r[:resource_class],
           resource_params: r[:resource_params].to_s,
+          resource_id:     extract_resource_id(r),
         }.reject { |_k, v| v.nil? }
       }
     end
 
+    def extract_resource_id(r)
+      # According to the RunData API, this is supposed to be an anonymous
+      # class that represents a resource, with embedded instance methods....
+      resource_obj = r[:resource_title]
+      return resource_obj.resource_id if resource_obj.respond_to?(:resource_id)
+
+      # But sometimes, it isn't, and has been collapsed into the to_s stringification of the resource.
+      if resource_obj.is_a?(String)
+        orig_str = resource_obj
+        # Try to trim off the resource class - eg "File /some/path" => "/some/path"
+        trimmed_str = orig_str.sub(/^#{r[:resource_class]}/i, "").strip
+        trimmed_str.empty? ? orig_str : trimmed_str
+      else
+        # Boo, InSpec is crazy, and we don't know what it possibly could be.
+        # Failsafe for resource_id is empty string.
+        ""
+      end
+    end
+
     def profiles
       run_data[:profiles].map do |p|
         res = {

data/lib/inspec/resource.rb

@@ -34,6 +34,12 @@ module Inspec
       Inspec::Resource.support_registry[key].push(criteria)
     end
 
+    def resource_id(value = nil)
+      @resource_id = value if value
+      @resource_id = ""    if @resource_id.nil?
+      @resource_id
+    end
+
     # TODO: this is pretty terrible and is only here to work around
     # the idea that we've trained resource authors to make initialize
     # methods w/o calling super.

data/lib/inspec/resources/apt.rb

@@ -135,19 +135,25 @@ module Inspec::Resources
 
   class PpaRepository < AptRepository
     name "ppa"
+    desc "Use the ppa InSpec audit resource to verify PPA repositories on the Debian-based linux platforms."
+    example <<~EXAMPLE
+      describe ppa('ubuntu-wine/ppa') do
+        it { should exist }
+        it { should be_enabled }
+      end
+
+      describe ppa('ppa:ubuntu-wine/ppa') do
+        it { should exist }
+        it { should be_enabled }
+      end
+    EXAMPLE
 
     def exists?
-      deprecated
       super()
     end
 
     def enabled?
-      deprecated
       super()
     end
-
-    def deprecated
-      Inspec.deprecate(:resource_ppa, "The `ppa` resource is deprecated. Please use `apt`")
-    end
   end
 end

data/lib/inspec/resources/cgroup.rb

@@ -0,0 +1,101 @@
+require "inspec/resources/command"
+module Inspec::Resources
+  class Cgroup < Inspec.resource(1)
+    name "cgroup"
+    # Restrict to only run on the below platform
+    supports platform: "linux"
+    desc "Use the cgroup InSpec audit resource to test cgroup subsytem's parameters."
+
+    example <<~EXAMPLE
+      describe cgroup("foo") do
+        its("cpuset.cpus") { should eq 0 }
+        its("memory.limit_in_bytes") { should eq 499712 }
+        its("memory.limit_in_bytes") { should be <= 500000 }
+        its("memory.numa_stat") { should match /total=0/ }
+      end
+    EXAMPLE
+
+    # Resource initialization.
+    def initialize(cgroup_name)
+      raise Inspec::Exceptions::ResourceSkipped, "The `cgroup` resource is not supported on your OS yet." unless inspec.os.linux?
+
+      @cgroup_name = cgroup_name
+      @valid_queries, @valid_queries_split = [], []
+      find_valid_queries
+      # Used to track the method calls in an "its" query
+      @cgroup_info_query = []
+    end
+
+    def resource_id
+      @cgroup_name
+    end
+
+    def to_s
+      "cgroup #{resource_id}"
+    end
+
+    def method_missing(param)
+      # Add the latest param we've seen to the list and form the query with all the params we've seen so far.
+      @cgroup_info_query << param.to_s
+      query = @cgroup_info_query.join(".")
+
+      # The ith level param must match with atleast one row's ith column of @valid_queries_split
+      # Else there is no way, we would find any valid query in further iteration, so raise exception.
+      if @valid_queries_split.map { |e| e[@cgroup_info_query.length - 1] }.include?(param.to_s)
+        # If the query form so far is part of @valid_queries, we are good to trigger find_cgroup_info
+        # else go for next level of param
+        if @valid_queries.include?(query)
+          @cgroup_info_query = []
+          find_cgroup_info(query)
+        else
+          self
+        end
+      else
+        @cgroup_info_query = []
+
+        raise Inspec::Exceptions::ResourceFailed, "The query #{query} does not appear to be valid."
+      end
+    end
+
+    private
+
+    # Method to find cgget tool
+    def find_cgget_or_error
+      %w{/usr/sbin/cgget /sbin/cgget cgget}.each do |cmd|
+        return cmd if inspec.command(cmd).exist?
+      end
+
+      raise Inspec::Exceptions::ResourceFailed, "Could not find `cgget`"
+    end
+
+    # find the cgroup info of the query which is given as input by the user
+    def find_cgroup_info(query)
+      bin = find_cgget_or_error
+      cgget_cmd = "#{bin} -n -r #{query} #{@cgroup_name}"
+      cmd = inspec.command(cgget_cmd)
+
+      raise Inspec::Exceptions::ResourceFailed, "Executing cgget failed: #{cmd.stderr}" if cmd.exit_status.to_i != 0
+
+      # For complex returns the user must use match /the_regex/
+      param_value = cmd.stdout.split(":")
+      return nil if param_value.nil? || param_value.empty?
+
+      param_value = param_value[1].strip.split("\t").join
+      param_value.match(/^\d+$/) ? param_value.to_i : param_value
+    end
+
+    # find all the information about all relevant controllers for the current cgroup
+    def find_valid_queries
+      bin = find_cgget_or_error
+      cgget_all_cmd = "#{bin} -n -a #{@cgroup_name}"
+      cmd = inspec.command(cgget_all_cmd)
+
+      raise Inspec::Exceptions::ResourceFailed, "Executing cgget failed: #{cmd.stderr}" if cmd.exit_status.to_i != 0
+
+      queries = cmd.stdout.to_s.gsub(/:.*/, "").gsub(/^\s+.*/, "").split("\n")
+      # store the relevant controller parameters in @valid_queries and the dot splitted paramters into @valid_queries_split
+      @valid_queries = queries.map { |q| q if q.length > 0 }.compact
+      @valid_queries_split = @valid_queries.map { |q| q.split(".") }.compact
+    end
+  end
+end

data/lib/inspec/resources/cron.rb

@@ -0,0 +1,49 @@
+require "inspec/resources/crontab"
+
+module Inspec::Resources
+  class Cron < Crontab
+    name "cron"
+    supports platform: "unix"
+    desc "Use the cron InSpec audit resource to test entires in the crontab file for a given user. This also can be used as alias to crontab resource."
+    example <<~EXAMPLE
+      describe cron do
+         it { should have_entry '* * * * * /usr/local/bin/foo' }
+      end
+
+      describe cron(user: "username") do
+        its(:table) { should match /you can use regexp/ }
+      end
+    EXAMPLE
+
+    def initialize(opts = nil)
+      super
+      @params = read_cron_contents
+    end
+
+    def read_cron_contents
+      result = inspec.command(crontab_cmd)
+      if result.exit_status == 0
+        result.stdout.lines.map { |l| parse_comment_line(l, comment_char: "#", standalone_comments: false)[0].strip }
+      else
+        error = result.stdout + "\n" + result.stderr
+        raise Inspec::Exceptions::ResourceFailed, "Error while executing #{crontab_cmd} command: #{error}"
+      end
+    end
+
+    def table
+      @params.reject(&:empty?).join("\n")
+    end
+
+    def has_entry?(rule)
+      @params.include?(rule)
+    end
+
+    def to_s
+      if is_user_crontab?
+        "cron for user #{@user}"
+      else
+        "cron for current user"
+      end
+    end
+  end
+end

data/lib/inspec/resources/docker_container.rb

@@ -43,6 +43,19 @@ module Inspec::Resources
       status.downcase.start_with?("up") if object_info.entries.length == 1
     end
 
+    # has_volume? matcher checks if the volume specified in source path of host is mounted in destination path of docker
+    def has_volume?(destination, source)
+      # volume_info is the hash which contains the low-level information about the container
+      # if Mounts key is not present or is nil; raise exception
+      raise Inspec::Exceptions::ResourceFailed, "Could not find any mounted volumes for your container" unless volume_info.Mounts[0]
+
+      # Iterate through the list of mounted volumes and check if it matches with the given destination and source
+      # is_mounted flag is used to handle to return explict boolean values of true or false
+      is_mounted = false
+      volume_info.Mounts.detect { |mount| is_mounted = mount.Destination == destination && mount.Source == source }
+      is_mounted
+    end
+
     def status
       object_info.status[0] if object_info.entries.length == 1
     end
@@ -87,5 +100,13 @@ module Inspec::Resources
       opts = @opts
       @info = inspec.docker.containers.where { names == opts[:name] || (!id.nil? && !opts[:id].nil? && (id == opts[:id] || id.start_with?(opts[:id]))) }
     end
+
+    # volume_info returns the low-level information obtained on docker inspect [container_name/id]
+    def volume_info
+      return @mount_info if defined?(@mount_info)
+
+      # Check for either docker inspect [container_name] or docker inspect [container_id]
+      @mount_info = inspec.docker.object(@opts[:name] || @opts[:id])
+    end
   end
 end

data/lib/inspec/resources/docker_image.rb

@@ -48,6 +48,25 @@ module Inspec::Resources
       object_info.tags[0] if object_info.entries.size == 1
     end
 
+    # method_missing handles when hash_keys are invoked to check information obtained on docker inspect [image_name]
+    def method_missing(*hash_keys)
+      # User can test the low-level inspect information in three ways:
+      # Way 1: Serverspec style: its(['Config.Cmd']) { should include some_value }
+      #        here, the value for hash_keys recieved is [:[], "Config.Cmd"]
+      # Way 2: InSpec style: its(['Config','Cmd']) { should include some_value }
+      #        here, the value for hash_keys recieved is [:[], "Config", "Cmd"]
+      # Way 3: Mix of both: its(['GraphDriver.Data','MergedDir']) { should include some_value }
+      #        here, the value for hash_keys recieved is [:[], "GraphDriver.Data", "MergedDir"]
+
+      # hash_keys are passed to this method to evaluate the value
+      image_hash_inspection(hash_keys)
+    end
+
+    # inspection property allows to test any of the hash key-value pairs as part of the image_inspect_info
+    def inspection
+      image_inspect_info
+    end
+
     def to_s
       img = @opts[:image] || @opts[:id]
       "Docker Image #{img}"
@@ -80,5 +99,39 @@ module Inspec::Resources
         (repository == opts[:repo] && tag == opts[:tag]) || (!id.nil? && !opts[:id].nil? && (id == opts[:id] || id.start_with?(opts[:id])))
       end
     end
+
+    # image_inspect_info returns the complete inspect hash_values of the image
+    def image_inspect_info
+      return @inspect_info if defined?(@inspect_info)
+
+      @inspect_info = inspec.docker.object(@opts[:image] || (!@opts[:id].nil? && @opts[:id]))
+    end
+
+    # image_hash_inspection formats the input hash_keys and checks if any value exists for such keys in @inspect_info(image_inspect_info)
+    def image_hash_inspection(hash_keys)
+      # The hash_keys recieved are in three formats as mentioned in method_missing
+      # The hash_keys recieved must be in array format [] and the zeroth index must be :[]
+      # Check for the conditions and remove the zeroth element from the hash_keys
+
+      hash_keys.shift if hash_keys.is_a?(Array) && hash_keys[0] == :[]
+
+      # When received hash_keys in Serverspec style or mix of both
+      # The hash_keys are to be splitted at '.' (dot) and flatten it so that it doesn't become array of arrays
+      # After splitting and flattening is done, hash_keys is now an array with individual keys
+      hash_keys = hash_keys.map { |key| key.split(".") }.flatten
+
+      # image_inspect_info returns the complete inspect hash_values of the image
+      # dig() finds the nested value specified by the sequence of the key object by calling dig at each step.
+      # hash_keys is the key object. If one of the key is bad, value will be nil.
+      hash_value = image_inspect_info.dig(*hash_keys)
+
+      # If one of the key is bad, hash_value will be nil, so raise exception which throws it in rescue block
+      # else return hash_value
+      raise Inspec::Exceptions::ResourceFailed if hash_value.nil?
+
+      hash_value
+    rescue
+      raise Inspec::Exceptions::ResourceFailed, "#{hash_keys.join(".")} is not a valid key for your image or has nil value."
+    end
   end
 end

data/lib/inspec/resources/ipfilter.rb

@@ -0,0 +1,59 @@
+require "inspec/resources/command"
+module Inspec::Resources
+  class IpFilter < Inspec.resource(1)
+    name "ipfilter"
+    supports platform: "bsd"
+    supports platform: "solaris"
+    desc "Use the ipfilter InSpec audit resource to test rules that are defined for ipfilter, which maintains the IP rule set"
+    example <<~EXAMPLE
+      describe ipfilter do
+        it { should have_rule("pass in quick on lo0 all") }
+      end
+    EXAMPLE
+
+    def initialize
+      # checks if the instance is either bsd or solaris
+      return if (inspec.os.bsd? && !inspec.os.darwin?) || inspec.os.solaris?
+
+      # ensures, all calls are aborted for non-supported os
+      @ipfilter_cache = []
+      skip_resource "The `ipfilter` resource is not supported on your OS yet."
+    end
+
+    def has_rule?(rule = nil)
+      # checks if the rule is part of the ruleset
+      retrieve_rules.any? { |line| line.casecmp(rule) == 0 }
+    end
+
+    def retrieve_rules
+      # this would be true if the OS family was not bsd/solaris when checked in initliaze
+      return @ipfilter_cache if defined?(@ipfilter_cache)
+
+      # construct ipfstat command to read all rules
+      bin = find_ipfstat_or_error
+      ipfstat_cmd = "#{bin} -io"
+      cmd = inspec.command(ipfstat_cmd)
+
+      # Return empty array when command is not executed successfully
+      # or there is no output since no rules are active
+      return [] if cmd.exit_status.to_i != 0 || cmd.stdout == ""
+
+      # split rules, returns array or rules
+      @ipfilter_cache = cmd.stdout.split("\n").map(&:strip)
+    end
+
+    def to_s
+      "Ipfilter"
+    end
+
+    private
+
+    def find_ipfstat_or_error
+      %w{/usr/sbin/ipfstat /sbin/ipfstat ipfstat}.each do |cmd|
+        return cmd if inspec.command(cmd).exist?
+      end
+
+      raise Inspec::Exceptions::ResourceFailed, "Could not find `ipfstat`"
+    end
+  end
+end

data/lib/inspec/resources/ipnat.rb

@@ -0,0 +1,58 @@
+require "inspec/resources/command"
+module Inspec::Resources
+  class IpNat < Inspec.resource(1)
+    name "ipnat"
+    supports platform: "bsd"
+    supports platform: "solaris"
+    desc "Use the ipnat InSpec audit resource to test rules that are defined for IP NAT"
+    example <<~EXAMPLE
+      describe ipnat do
+        it { should have_rule("map net1 192.168.0.0/24 -> 0/32") }
+      end
+    EXAMPLE
+
+    def initialize
+      # checks if the instance is either bsd or solaris
+      return if (inspec.os.bsd? && !inspec.os.darwin?) || inspec.os.solaris?
+
+      # ensures, all calls are aborted for non-supported os
+      @ipnat_cache = []
+      skip_resource "The `ipnat` resource is not supported on your OS yet."
+    end
+
+    def has_rule?(rule = nil)
+      # checks if the rule is part of the ruleset
+      retrieve_rules.any? { |line| line.casecmp(rule) == 0 }
+    end
+
+    def retrieve_rules
+      # this would be true if the OS family was not bsd/solaris when checked in initliaze
+      return @ipnat_cache if defined?(@ipnat_cache)
+
+      # construct ipnat command to show the list of current IP NAT table entry mappings
+      bin = find_ipnat_or_error
+      ipnat_cmd = "#{bin} -l"
+      cmd = inspec.command(ipnat_cmd)
+
+      # Return empty array when command is not executed successfully
+      return [] if cmd.exit_status.to_i != 0
+
+      # split rules, returns array or rules
+      @ipnat_cache = cmd.stdout.split("\n").map(&:strip)
+    end
+
+    def to_s
+      "Ipnat"
+    end
+
+    private
+
+    def find_ipnat_or_error
+      %w{/usr/sbin/ipnat /sbin/ipnat ipnat}.each do |cmd|
+        return cmd if inspec.command(cmd).exist?
+      end
+
+      raise Inspec::Exceptions::ResourceFailed, "Could not find `ipnat`"
+    end
+  end
+end

data/lib/inspec/resources/lxc.rb

@@ -0,0 +1,57 @@
+require "inspec/resources/command"
+module Inspec::Resources
+  class Lxc < Inspec.resource(1)
+    name "lxc"
+    # Restrict to only run on the below platforms
+    supports platform: "linux"
+    desc "Use the lxc InSpec audit resource to test if container exists and/or is running for linux container"
+    example <<~EXAMPLE
+      describe lxc("ubuntu-container") do
+        it { should exist }
+        it { should be_running }
+      end
+    EXAMPLE
+
+    # Resource initialization.
+    def initialize(container_name)
+      @container_name = container_name
+
+      raise Inspec::Exceptions::ResourceSkipped, "The `lxc` resource is not supported on your OS yet." unless inspec.os.linux?
+    end
+
+    def resource_id
+      @container_name
+    end
+
+    def to_s
+      "lxc #{resource_id}"
+    end
+
+    def exists?
+      lxc_info_cmd.exit_status.to_i == 0
+    end
+
+    def running?
+      container_info = lxc_info_cmd.stdout.split(":").map(&:strip)
+      container_info[0] == "Status" && container_info[1] == "Running"
+    end
+
+    private
+
+    # Method to find lxc
+    def find_lxc_or_error
+      %w{/usr/sbin/lxc /sbin/lxc lxc}.each do |cmd|
+        return cmd if inspec.command(cmd).exist?
+      end
+
+      raise Inspec::Exceptions::ResourceFailed, "Could not find `lxc`"
+    end
+
+    def lxc_info_cmd
+      bin = find_lxc_or_error
+      info_cmd = "info #{@container_name} | grep -i Status"
+      lxc_cmd = format("%s %s", bin, info_cmd).strip
+      inspec.command(lxc_cmd)
+    end
+  end
+end

data/lib/inspec/resources/mail_alias.rb

@@ -0,0 +1,46 @@
+require "inspec/resources/command"
+module Inspec::Resources
+  class Mailalias < Inspec.resource(1)
+    # resource internal name.
+    name "mail_alias"
+
+    # Restrict to only run on the below platforms (if none were given,
+    # all OS's and cloud API's supported)
+    supports platform: "unix"
+
+    desc "Use the mail_alias InSpec audit resource to test mail alias present in the aliases file"
+
+    example <<~EXAMPLE
+      describe mail_alias("toor") do
+        it { should be_aliased_to "root" }
+      end
+    EXAMPLE
+
+    def initialize(alias_key)
+      skip_resource "The `mail_alias` resource is not yet available on your OS." unless inspec.os.unix?
+      @alias_key = alias_key
+    end
+
+    # resource_id is used in reporting engines to uniquely identify the individual resource.
+    def resource_id
+      "#{@alias_key}"
+    end
+
+    # resource appearance in test reports.
+    def to_s
+      "mail_alias #{resource_id}"
+    end
+
+    # aliased_to matcher checks if the given alias_value is set to the initialized alias_key
+    def aliased_to?(alias_value)
+      # /etc/aliases if the file where the alias and its value(s) are stored
+      cmd = inspec.command("cat /etc/aliases | grep '^#{@alias_key}:'")
+      raise Inspec::Exceptions::ResourceFailed, "#{@alias_key} is not a valid key in the aliases" if cmd.exit_status.to_i != 0
+
+      # in general aliases file contains : separated values like alias_key : alias_value1, alias_value2
+      alias_values_combined = cmd.stdout.split(":").map(&:strip)[1]
+      alias_values_splitted = alias_values_combined.split(",").map(&:strip)
+      alias_values_splitted.include?(alias_value)
+    end
+  end
+end