inspec-core 5.12.2 → 5.18.14
- checksums.yaml +4 -4
- data/Gemfile +1 -1
- data/etc/deprecations.json +4 -0
- data/etc/keys/progress-2022-05-04.pem.pub +9 -0
- data/inspec-core.gemspec +1 -1
- data/lib/inspec/base_cli.rb +5 -0
- data/lib/inspec/cli.rb +64 -9
- data/lib/inspec/dependencies/dependency_set.rb +6 -2
- data/lib/inspec/dependency_loader.rb +5 -1
- data/lib/inspec/dsl.rb +18 -5
- data/lib/inspec/errors.rb +2 -0
- data/lib/inspec/exceptions.rb +2 -0
- data/lib/inspec/fetcher/url.rb +1 -1
- data/lib/inspec/file_provider.rb +36 -0
- data/lib/inspec/iaf_file.rb +127 -0
- data/lib/inspec/profile.rb +31 -14
- data/lib/inspec/resources/aide_conf.rb +4 -0
- data/lib/inspec/resources/apache.rb +4 -0
- data/lib/inspec/resources/apache_conf.rb +4 -0
- data/lib/inspec/resources/apt.rb +6 -1
- data/lib/inspec/resources/audit_policy.rb +5 -0
- data/lib/inspec/resources/auditd_conf.rb +4 -0
- data/lib/inspec/resources/bash.rb +4 -0
- data/lib/inspec/resources/bond.rb +4 -0
- data/lib/inspec/resources/bridge.rb +4 -0
- data/lib/inspec/resources/cassandradb_conf.rb +5 -0
- data/lib/inspec/resources/cassandradb_session.rb +8 -3
- data/lib/inspec/resources/chocolatey_package.rb +4 -0
- data/lib/inspec/resources/chrony_conf.rb +4 -0
- data/lib/inspec/resources/command.rb +5 -0
- data/lib/inspec/resources/cpan.rb +4 -0
- data/lib/inspec/resources/cran.rb +4 -0
- data/lib/inspec/resources/cron.rb +5 -0
- data/lib/inspec/resources/csv.rb +6 -1
- data/lib/inspec/resources/default_gateway.rb +61 -0
- data/lib/inspec/resources/dh_params.rb +4 -0
- data/lib/inspec/resources/docker_container.rb +4 -0
- data/lib/inspec/resources/docker_image.rb +4 -0
- data/lib/inspec/resources/docker_plugin.rb +4 -0
- data/lib/inspec/resources/docker_service.rb +4 -0
- data/lib/inspec/resources/etc_group.rb +4 -0
- data/lib/inspec/resources/etc_hosts_allow_deny.rb +5 -0
- data/lib/inspec/resources/file.rb +97 -1
- data/lib/inspec/resources/filesystem.rb +4 -0
- data/lib/inspec/resources/gem.rb +4 -0
- data/lib/inspec/resources/groups.rb +9 -0
- data/lib/inspec/resources/grub_conf.rb +4 -0
- data/lib/inspec/resources/host.rb +46 -3
- data/lib/inspec/resources/http.rb +4 -0
- data/lib/inspec/resources/ibmdb2_conf.rb +8 -0
- data/lib/inspec/resources/ibmdb2_session.rb +12 -3
- data/lib/inspec/resources/iis_app.rb +4 -0
- data/lib/inspec/resources/iis_app_pool.rb +4 -0
- data/lib/inspec/resources/iis_site.rb +4 -0
- data/lib/inspec/resources/inetd_conf.rb +4 -0
- data/lib/inspec/resources/interface.rb +4 -0
- data/lib/inspec/resources/ip6tables.rb +4 -0
- data/lib/inspec/resources/ipfilter.rb +4 -0
- data/lib/inspec/resources/ipnat.rb +4 -0
- data/lib/inspec/resources/iptables.rb +4 -0
- data/lib/inspec/resources/json.rb +4 -0
- data/lib/inspec/resources/kernel_module.rb +4 -0
- data/lib/inspec/resources/kernel_parameter.rb +4 -0
- data/lib/inspec/resources/key_rsa.rb +4 -0
- data/lib/inspec/resources/ksh.rb +4 -0
- data/lib/inspec/resources/limits_conf.rb +4 -0
- data/lib/inspec/resources/linux_audit_system.rb +81 -0
- data/lib/inspec/resources/login_defs.rb +4 -0
- data/lib/inspec/resources/mongodb.rb +4 -0
- data/lib/inspec/resources/mongodb_conf.rb +5 -0
- data/lib/inspec/resources/mongodb_session.rb +6 -1
- data/lib/inspec/resources/mount.rb +4 -0
- data/lib/inspec/resources/mssql_session.rb +4 -0
- data/lib/inspec/resources/mssql_sys_conf.rb +7 -0
- data/lib/inspec/resources/mysql_conf.rb +4 -0
- data/lib/inspec/resources/mysql_session.rb +8 -1
- data/lib/inspec/resources/nginx.rb +6 -1
- data/lib/inspec/resources/nginx_conf.rb +4 -0
- data/lib/inspec/resources/noop.rb +4 -0
- data/lib/inspec/resources/npm.rb +4 -0
- data/lib/inspec/resources/ntp_conf.rb +4 -0
- data/lib/inspec/resources/oneget.rb +4 -0
- data/lib/inspec/resources/opa_api.rb +10 -0
- data/lib/inspec/resources/opa_cli.rb +14 -0
- data/lib/inspec/resources/oracledb_conf.rb +5 -0
- data/lib/inspec/resources/oracledb_listener_conf.rb +4 -0
- data/lib/inspec/resources/oracledb_session.rb +10 -0
- data/lib/inspec/resources/os.rb +4 -0
- data/lib/inspec/resources/os_env.rb +4 -0
- data/lib/inspec/resources/package.rb +4 -0
- data/lib/inspec/resources/parse_config.rb +10 -1
- data/lib/inspec/resources/php_config.rb +72 -0
- data/lib/inspec/resources/pip.rb +4 -0
- data/lib/inspec/resources/platform.rb +4 -0
- data/lib/inspec/resources/postfix_conf.rb +4 -0
- data/lib/inspec/resources/postgres_conf.rb +4 -0
- data/lib/inspec/resources/postgres_session.rb +8 -4
- data/lib/inspec/resources/powershell.rb +4 -0
- data/lib/inspec/resources/processes.rb +17 -4
- data/lib/inspec/resources/rabbitmq_config.rb +4 -0
- data/lib/inspec/resources/registry_key.rb +4 -0
- data/lib/inspec/resources/security_identifier.rb +4 -0
- data/lib/inspec/resources/security_policy.rb +4 -0
- data/lib/inspec/resources/service.rb +80 -1
- data/lib/inspec/resources/ssh_config.rb +4 -0
- data/lib/inspec/resources/sybase_conf.rb +4 -0
- data/lib/inspec/resources/sybase_session.rb +4 -0
- data/lib/inspec/resources/sys_info.rb +4 -0
- data/lib/inspec/resources/timezone.rb +4 -0
- data/lib/inspec/resources/users.rb +4 -0
- data/lib/inspec/resources/vbscript.rb +5 -0
- data/lib/inspec/resources/virtualization.rb +4 -0
- data/lib/inspec/resources/windows_feature.rb +5 -1
- data/lib/inspec/resources/windows_firewall.rb +4 -0
- data/lib/inspec/resources/windows_firewall_rule.rb +4 -0
- data/lib/inspec/resources/windows_hotfix.rb +4 -0
- data/lib/inspec/resources/windows_task.rb +4 -0
- data/lib/inspec/resources/wmi.rb +4 -0
- data/lib/inspec/resources/x509_certificate.rb +59 -0
- data/lib/inspec/resources/x509_private_key.rb +93 -0
- data/lib/inspec/resources/yum.rb +4 -0
- data/lib/inspec/resources/zfs.rb +48 -0
- data/lib/inspec/resources/zfs_dataset.rb +4 -0
- data/lib/inspec/resources/zfs_pool.rb +4 -0
- data/lib/inspec/rule.rb +1 -1
- data/lib/inspec/secrets/yaml.rb +7 -1
- data/lib/inspec/ui.rb +1 -0
- data/lib/inspec/utils/yaml_profile_summary.rb +34 -0
- data/lib/inspec/version.rb +1 -1
- data/lib/plugins/inspec-reporter-html2/templates/body.html.erb +4 -4
- data/lib/plugins/inspec-reporter-html2/templates/control.html.erb +1 -1
- data/lib/plugins/inspec-reporter-html2/templates/profile.html.erb +1 -1
- data/lib/plugins/{inspec-artifact/inspec-artifact.gemspec → inspec-sign/inspec-sign.gemspec} +2 -2
- data/lib/plugins/inspec-sign/lib/inspec-sign/base.rb +161 -0
- data/lib/plugins/{inspec-artifact/lib/inspec-artifact → inspec-sign/lib/inspec-sign}/cli.rb +14 -23
- data/lib/plugins/inspec-sign/lib/inspec-sign.rb +12 -0
- data/lib/source_readers/inspec.rb +8 -2
- metadata +16 -8
- data/lib/plugins/inspec-artifact/lib/inspec-artifact/base.rb +0 -187
- data/lib/plugins/inspec-artifact/lib/inspec-artifact.rb +0 -12
@@ -0,0 +1,72 @@
|
|
1
|
+
require "inspec/resources/command"
|
2
|
+
|
3
|
+
module Inspec::Resources
|
4
|
+
class PhpConfig < Inspec.resource(1)
|
5
|
+
# Resource's internal name.
|
6
|
+
name "php_config"
|
7
|
+
supports platform: "unix"
|
8
|
+
supports platform: "windows"
|
9
|
+
desc "Use the php_config InSpec audit resource to test PHP config parameters"
|
10
|
+
|
11
|
+
example <<~EXAMPLE
|
12
|
+
describe php_config("config_param") do
|
13
|
+
its("value") { should eq "some_value" }
|
14
|
+
end
|
15
|
+
|
16
|
+
describe php_config("config_param", { "ini" => "path_to_ini_file" }) do
|
17
|
+
its("value") { should eq "some_value" }
|
18
|
+
end
|
19
|
+
EXAMPLE
|
20
|
+
|
21
|
+
# Resource initialization.
|
22
|
+
attr_reader :config_param, :config_file_or_path
|
23
|
+
def initialize(config_param, config_file_or_path = {})
|
24
|
+
@config_param = config_param
|
25
|
+
@config_file_or_path = config_file_or_path
|
26
|
+
end
|
27
|
+
|
28
|
+
# Unique resource id
|
29
|
+
def resource_id
|
30
|
+
config_param
|
31
|
+
end
|
32
|
+
|
33
|
+
# Resource appearance in test reports.
|
34
|
+
def to_s
|
35
|
+
"php_config #{resource_id}"
|
36
|
+
end
|
37
|
+
|
38
|
+
# Returns the value evaluated for the initialized config parameter
|
39
|
+
def value
|
40
|
+
php_utility = find_utility_or_error
|
41
|
+
|
42
|
+
# The keys in the hash provided by user can be string or symbols.
|
43
|
+
# Converting the key to symbols to handle scenario when "ini" key is provided as string.
|
44
|
+
config_file_or_path.transform_keys(&:to_sym)
|
45
|
+
|
46
|
+
# Assign the path with -c option for ini file provided by the user if any.
|
47
|
+
php_ini_file = !config_file_or_path.empty? && config_file_or_path.key?(:ini) ? "-c #{config_file_or_path[:ini]}" : ""
|
48
|
+
|
49
|
+
# The below command `get_cfg_var` is used to fetch the value for any config parameter.
|
50
|
+
php_cmd = "#{php_utility} #{php_ini_file} -r 'echo get_cfg_var(\"#{config_param}\");'"
|
51
|
+
config_value_cmd = inspec.command(php_cmd)
|
52
|
+
|
53
|
+
raise Inspec::Exceptions::ResourceFailed, "Executing #{php_cmd} failed: #{config_value_cmd.stderr}" if config_value_cmd.exit_status.to_i != 0
|
54
|
+
|
55
|
+
config_value = config_value_cmd.stdout.strip
|
56
|
+
|
57
|
+
# Convert value to integer if the config value are digits.
|
58
|
+
config_value.match(/^(\d)+$/) ? config_value.to_i : config_value
|
59
|
+
end
|
60
|
+
|
61
|
+
private
|
62
|
+
|
63
|
+
# Method to check if php is present or not on the system.
|
64
|
+
def find_utility_or_error
|
65
|
+
%w{/usr/sbin/php /sbin/php php}.each do |cmd|
|
66
|
+
return cmd if inspec.command(cmd).exist?
|
67
|
+
end
|
68
|
+
|
69
|
+
raise Inspec::Exceptions::ResourceFailed, "Could not find `php` on your system."
|
70
|
+
end
|
71
|
+
end
|
72
|
+
end
|
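Review bot: `config_file_or_path.transform_keys(&:to_sym)` on line 44 returns a new hash that is thrown away, so the string-key form shown in the resource's own example (`{ "ini" => "path_to_ini_file" }`) never satisfies `key?(:ini)` on line 47 and the ini file is silently ignored. The command on line 50 also interpolates `config_param` and the ini path straight into a shell string, so a value containing `'`, `"` or `$` breaks out of the quoted PHP snippet and reaches the target's shell; these values come from the profile author, but nothing here escapes them and sibling resources use Shellwords for exactly this. Keep the converted hash, escape the shell arguments, and reject parameter names outside the characters PHP directive names use before building the command (`require "shellwords"` is needed alongside the existing require at the top of the file).
```ruby
def value
  php_utility = find_utility_or_error
  # Directive names are word characters and dots; anything else cannot be a valid key
  # and would otherwise be interpolated into the shell command below.
  raise Inspec::Exceptions::ResourceFailed, "Invalid PHP config parameter name: #{config_param}" unless config_param.to_s.match?(/\A[\w.]+\z/)

  # transform_keys is non-destructive; keep its result so "ini" and :ini both work.
  opts = config_file_or_path.transform_keys(&:to_sym)
  php_ini_file = opts.key?(:ini) ? "-c #{Shellwords.escape(opts[:ini])}" : ""

  php_code = %(echo get_cfg_var("#{config_param}");)
  php_cmd = "#{php_utility} #{php_ini_file} -r #{Shellwords.escape(php_code)}"
  # … unchanged: run the command, raise on non-zero exit, strip and convert the value …
end
```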
data/lib/inspec/resources/pip.rb
CHANGED
@@ -4,9 +4,9 @@ require "shellwords" unless defined?(Shellwords)
|
|
4
4
|
|
5
5
|
module Inspec::Resources
|
6
6
|
class Lines
|
7
|
-
attr_reader :output
|
7
|
+
attr_reader :output, :exit_status
|
8
8
|
|
9
|
-
def initialize(raw, desc)
|
9
|
+
def initialize(raw, desc, exit_status)
|
10
10
|
@output = raw
|
11
11
|
@desc = desc
|
12
12
|
end
|
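Review bot: `exit_status` is accepted by the new `initialize` signature on line 9 but never stored, so the `attr_reader :exit_status` added on line 7 always returns nil to callers. Add `@exit_status = exit_status` next to `@desc = desc`. The rest of `Lines` is outside the hunk; note that the page labels this section pip.rb, but the code shown appears to belong to the PostgreSQL session resource listed in the diffstat.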
@@ -58,12 +58,16 @@ module Inspec::Resources
|
|
58
58
|
if cmd.exit_status != 0 && ( out =~ /could not connect to/ || out =~ /password authentication failed/ ) && out.downcase =~ /error:/
|
59
59
|
raise Inspec::Exceptions::ResourceFailed, "PostgreSQL connection error: #{out}"
|
60
60
|
elsif cmd.exit_status != 0 && out.downcase =~ /error:/
|
61
|
-
Lines.new(out, "PostgreSQL query with error: #{query}")
|
61
|
+
Lines.new(out, "PostgreSQL query with error: #{query}", cmd.exit_status)
|
62
62
|
else
|
63
|
-
Lines.new(cmd.stdout.strip, "PostgreSQL query: #{query}")
|
63
|
+
Lines.new(cmd.stdout.strip, "PostgreSQL query: #{query}", cmd.exit_status)
|
64
64
|
end
|
65
65
|
end
|
66
66
|
|
67
|
+
def resource_id
|
68
|
+
"postgress_session:User:#{@user}:Host:#{@host}"
|
69
|
+
end
|
70
|
+
|
67
71
|
private
|
68
72
|
|
69
73
|
def escaped_query(query)
|
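Review bot: the id returned by the new `resource_id` on line 68 is spelled `postgress_session` with a doubled s, which will surface in reports and in any tooling keyed on resource ids; if the resource is registered as `postgres_session` the string should match it: `"postgres_session:User:#{@user}:Host:#{@host}"`. Two sessions that differ only in port or database would also share an id; `@user` and `@host` are set in the constructor outside this hunk, so check which other attributes are available before extending it.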
@@ -43,7 +43,7 @@ module Inspec::Resources
|
|
43
43
|
|
44
44
|
all_cmds = ps_axo
|
45
45
|
@list = all_cmds.find_all do |hm|
|
46
|
-
hm[:command] =~ grep
|
46
|
+
hm[:command] =~ grep || hm[:process_name] =~ grep
|
47
47
|
end
|
48
48
|
end
|
49
49
|
|
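Review bot: the `hm[:process_name] =~ grep` clause added on line 46 is only meaningful on Windows, since `process_name` is populated solely from the Windows field map further down this change and is absent (nil) for the `ps`-based platforms; that is harmless because `nil =~` returns nil, but it should be stated so nobody expects the filter to match process names on Linux. Add `# process_name is only populated on Windows (see field_map); nil elsewhere, so this clause never matches there` above the line. Whether `grep` is guaranteed to be a Regexp by this point depends on the constructor, which is outside the hunk.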
@@ -60,6 +60,17 @@ module Inspec::Resources
|
|
60
60
|
@list
|
61
61
|
end
|
62
62
|
|
63
|
+
# Matcher to check if the process is running
|
64
|
+
def running?
|
65
|
+
# A process is considered running if:
|
66
|
+
# unix: it is in running(R) state or either of sleep state(D: Uninterruptible or S: Interruptible)
|
67
|
+
# windows: it is responding i.e. state is True.
|
68
|
+
|
69
|
+
# Other codes like <(high priorty), N(low priority), +(foreground process group) etc. may appear after the state code in unix.
|
70
|
+
# Hence the regex used is /^statecode+/ where statecode is either R, S, or D.
|
71
|
+
states.any? and !!(states[0] =~ /True/ || states[0] =~ /^R+/ || states[0] =~ /^D+/ || states[0] =~ /^S+/)
|
72
|
+
end
|
73
|
+
|
63
74
|
filter = FilterTable.create
|
64
75
|
filter.register_column(:labels, field: "label")
|
65
76
|
.register_column(:pids, field: "pid")
|
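Review bot: `running?` on line 71 inspects only `states[0]`, so when the grep matches several processes the answer reflects the first row alone and silently ignores the rest; the doc comment should say so. The expression is also clearer without the `and` keyword and the `+` quantifiers, which add nothing because only the first character of the state code matters: `states.any? && states.first.to_s.match?(/True|\A[RSD]/)`. Add `# Only the first matching process is examined; use the filter table to assert on every pid.` above the method. The state codes themselves come from the `ps ... stat` column, which is outside this hunk.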
@@ -73,6 +84,7 @@ module Inspec::Resources
|
|
73
84
|
.register_column(:time, field: "time")
|
74
85
|
.register_column(:users, field: "user")
|
75
86
|
.register_column(:commands, field: "command")
|
87
|
+
.register_column(:process_name, field: "process_name")
|
76
88
|
.install_filter_methods_on_resource(self, :filtered_processes)
|
77
89
|
|
78
90
|
private
|
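Review bot: the new column is registered as `:process_name` on line 87 while every sibling accessor in the table is plural (`pids`, `users`, `commands`), and this name becomes public API of the resource the moment it ships. Either register it as `:process_names` to match, or keep the singular form deliberately and say so: `# singular on purpose: mirrors the Windows ProcessName property`. Renaming after release would break profiles.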
@@ -87,9 +99,9 @@ module Inspec::Resources
|
|
87
99
|
if os.linux?
|
88
100
|
command, regex, field_map = ps_configuration_for_linux
|
89
101
|
elsif os.windows?
|
90
|
-
command = '$Proc = Get-Process -IncludeUserName |
|
102
|
+
command = '$Proc = Get-Process -IncludeUserName | Select-Object PriorityClass,Id,CPU,PM,VirtualMemorySize,NPM,SessionId,Responding,StartTime,TotalProcessorTime,UserName,Path,ProcessName | ConvertTo-Csv -NoTypeInformation;$Proc.Replace("""","").Replace("`r`n","`n")'
|
91
103
|
# Wanted to use /(?:^|,)([^,]*)/; works on rubular.com not sure why here?
|
92
|
-
regex = /^(
|
104
|
+
regex = /^(.*),(.*),(.*),(.*),(.*),(.*),(.*),(.*),(.*),(.*),(.*),(.*),(.*)$/
|
93
105
|
field_map = {
|
94
106
|
pid: 2,
|
95
107
|
cpu: 3,
|
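Review bot: the PowerShell command on line 102 strips every double quote from the CSV before the 13-group greedy regex on line 104 splits the row on commas, so a `Path` or `UserName` containing a comma shifts every column after it and the new `process_name` field ends up holding the wrong fragment. The comment on line 103 shows the regex was already a known compromise; keeping the CSV quoting and parsing each row with the stdlib `CSV` (`CSV.parse_line(line)`) would avoid the problem, though the row-splitting code lives outside this hunk. At minimum note above the regex that fields are assumed to be comma-free.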
@@ -102,6 +114,7 @@ module Inspec::Resources
|
|
102
114
|
time: 10,
|
103
115
|
user: 11,
|
104
116
|
command: 12,
|
117
|
+
process_name: 13,
|
105
118
|
}
|
106
119
|
else
|
107
120
|
command = "ps axo pid,pcpu,pmem,vsz,rss,tty,stat,start,time,user,command"
|
@@ -193,7 +206,7 @@ module Inspec::Resources
|
|
193
206
|
|
194
207
|
# build a hash of process data that we'll turn into a struct for FilterTable
|
195
208
|
process_data = {}
|
196
|
-
%i{label pid cpu mem vsz rss tty stat start time user command}.each do |param|
|
209
|
+
%i{label pid cpu mem vsz rss tty stat start time user command process_name}.each do |param|
|
197
210
|
# not all operating systems support all fields, so skip the field if we don't have it
|
198
211
|
process_data[param] = line[field_map[param]] if field_map.key?(param)
|
199
212
|
end
|
@@ -182,7 +182,9 @@ module Inspec::Resources
|
|
182
182
|
when "aix"
|
183
183
|
SrcMstr.new(inspec)
|
184
184
|
when "amazon"
|
185
|
-
|
185
|
+
# If `initctl` exists on the system, use `Upstart`. Else use `Systemd` since all-new Amazon Linux supports `systemctl`.
|
186
|
+
# This way, it is not dependent on the version of Amazon Linux.
|
187
|
+
if inspec.command("initctl").exist? || inspec.command("/sbin/initctl").exist?
|
186
188
|
Upstart.new(inspec, service_ctl)
|
187
189
|
else
|
188
190
|
Systemd.new(inspec, service_ctl)
|
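Review bot: the Amazon Linux branch on line 187 picks Upstart over Systemd whenever an `initctl` binary exists, which tests what is installed rather than what is running as PID 1; a host or container image that carries both would be misclassified. When `/proc/1/comm` is readable it is the more direct signal (it reads `systemd` under systemd and `init` under Upstart), so consider `init = inspec.file("/proc/1/comm").content.to_s.strip` and `if init == "init" || (init.empty? && (inspec.command("initctl").exist? || inspec.command("/sbin/initctl").exist?))`, falling back to the binary check only when PID 1 cannot be read. The `service_ctl` argument and the other platform branches are outside the hunk.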
@@ -271,6 +273,34 @@ module Inspec::Resources
|
|
271
273
|
info[:startname]
|
272
274
|
end
|
273
275
|
|
276
|
+
# matcher equivalent to startmode property; compares start-up mode
|
277
|
+
# supported only on windows.
|
278
|
+
def has_start_mode?(mode)
|
279
|
+
raise Inspec::Exceptions::ResourceSkipped, "The `has_start_mode` matcher is not supported on your OS yet." unless inspec.os.windows?
|
280
|
+
|
281
|
+
mode == startmode
|
282
|
+
end
|
283
|
+
|
284
|
+
# matcher to check if the service is monitored by the given monitoring tool/software
|
285
|
+
def monitored_by?(monitoring_tool)
|
286
|
+
# Currently supported monitoring tools are: monit & god
|
287
|
+
# To add support for new monitoring tools, extend the case statement with additional monitoring tool and
|
288
|
+
# add the definition and logic in a new class (inheriting the base class MonitoringTool: optional)
|
289
|
+
case monitoring_tool
|
290
|
+
when "monit"
|
291
|
+
current_monitoring_tool = Monit.new(inspec, @service_name)
|
292
|
+
when "god"
|
293
|
+
current_monitoring_tool = God.new(inspec, @service_name)
|
294
|
+
else
|
295
|
+
puts "The monitoring tool #{monitoring_tool} is not yet supported by InSpec."
|
296
|
+
end
|
297
|
+
current_monitoring_tool.is_service_monitored?
|
298
|
+
end
|
299
|
+
|
300
|
+
def resource_id
|
301
|
+
@service_name || "Service"
|
302
|
+
end
|
303
|
+
|
274
304
|
def to_s
|
275
305
|
"Service #{@service_name}"
|
276
306
|
end
|
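Review bot: in `monitored_by?` the `else` branch on line 295 only `puts` a message, after which line 297 calls `is_service_monitored?` on a nil `current_monitoring_tool` and the control fails with a NoMethodError instead of a meaningful error; `puts` also bypasses InSpec's logger and reporters. Replace the `puts` with `raise Inspec::Exceptions::ResourceFailed, "The monitoring tool #{monitoring_tool} is not yet supported by InSpec."` (or `ResourceSkipped`, as `has_start_mode?` does for unsupported platforms on line 279). The monitoring classes themselves are added further down the file.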
@@ -893,4 +923,53 @@ module Inspec::Resources
|
|
893
923
|
Runit.new(inspec, service_ctl)
|
894
924
|
end
|
895
925
|
end
|
926
|
+
|
927
|
+
# Helper class for monitored_by matcher
|
928
|
+
class MonitoringTool
|
929
|
+
attr_reader :inspec, :service_name
|
930
|
+
def initialize(inspec, service_name)
|
931
|
+
@inspec = inspec
|
932
|
+
@service_name ||= service_name
|
933
|
+
end
|
934
|
+
|
935
|
+
def find_utility_or_error(utility_name)
|
936
|
+
[ "/usr/sbin/#{utility_name}" , "/sbin/#{utility_name}" , "/usr/bin/#{utility_name}" , "/bin/#{utility_name}" , "#{utility_name}" ].each do |cmd|
|
937
|
+
return cmd if inspec.command(cmd).exist?
|
938
|
+
end
|
939
|
+
|
940
|
+
raise Inspec::Exceptions::ResourceFailed, "Could not find `#{utility_name}`"
|
941
|
+
end
|
942
|
+
end
|
943
|
+
|
944
|
+
class Monit < MonitoringTool
|
945
|
+
def is_service_monitored?
|
946
|
+
utility = find_utility_or_error("monit")
|
947
|
+
utility_cmd = inspec.command("#{utility} summary")
|
948
|
+
|
949
|
+
raise Inspec::Exceptions::ResourceFailed, "Executing #{utility} summary failed: #{utility_cmd.stderr}" if utility_cmd.exit_status.to_i != 0
|
950
|
+
|
951
|
+
monitoring_info = utility_cmd.stdout.split("\n")
|
952
|
+
monitoring_info.map! { |info| info.strip.squeeze(" ") }
|
953
|
+
is_monitored = false
|
954
|
+
monitoring_info.each do |info|
|
955
|
+
if info =~ /^#{service_name} OK.*/
|
956
|
+
is_monitored = true
|
957
|
+
break
|
958
|
+
end
|
959
|
+
end
|
960
|
+
is_monitored
|
961
|
+
end
|
962
|
+
end
|
963
|
+
|
964
|
+
class God < MonitoringTool
|
965
|
+
def is_service_monitored?
|
966
|
+
utility = find_utility_or_error("god")
|
967
|
+
utility_cmd = inspec.command("#{utility} status #{service_name}")
|
968
|
+
|
969
|
+
raise Inspec::Exceptions::ResourceFailed, "Executing #{utility} status #{service_name} failed: #{utility_cmd.stderr}" if utility_cmd.exit_status.to_i != 0
|
970
|
+
|
971
|
+
monitoring_info = utility_cmd.stdout.strip
|
972
|
+
monitoring_info =~ /^#{service_name}: up/
|
973
|
+
end
|
974
|
+
end
|
896
975
|
end
|
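Review bot: `service_name` is interpolated unescaped both into the regexes on lines 955 and 972 and into the shell command on line 967, so a name with regex metacharacters (`my.service`, `app[1]`) matches loosely or raises, and one with shell metacharacters runs through the target's shell. Use `/^#{Regexp.escape(service_name)} OK/`, `/^#{Regexp.escape(service_name)}: up/` and `inspec.command("#{utility} status #{Shellwords.escape(service_name)}")` (`require "shellwords"` if the file does not already). Two smaller points: `@service_name ||= service_name` on line 932 is a plain assignment on a fresh instance and reads as if it were not, and Ruby predicates drop the `is_` prefix (`service_monitored?`). Note also that the Monit check treats only an `OK` status as monitored, so a service monit tracks but reports as failed returns false, which the matcher name does not suggest; document whichever is intended.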
@@ -51,6 +51,11 @@ module Inspec::Resources
|
|
51
51
|
@result ||= parse_stdout
|
52
52
|
end
|
53
53
|
|
54
|
+
# vbscript can be of multiple lines so that can't be used as UUID so using the hardcoded string.
|
55
|
+
def resource_id
|
56
|
+
"Windows VBScript"
|
57
|
+
end
|
58
|
+
|
54
59
|
def to_s
|
55
60
|
"Windows VBScript"
|
56
61
|
end
|
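Review bot: the `resource_id` added on line 55 is a constant, so every `vbscript` resource in a profile reports the same id, which defeats the purpose the comment itself describes (an identifier for the resource instance). A short digest of the script text keeps the id stable and unique without embedding multi-line source, e.g. `Digest::SHA256.hexdigest(script.to_s)[0, 12]` with `require "digest"`; the variable holding the script is set in the constructor outside this hunk, so use whatever it is named there. If a constant is really intended, the comment should say that collisions between instances are accepted.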
data/lib/inspec/resources/wmi.rb
CHANGED
@@ -83,6 +83,11 @@ module Inspec::Resources
|
|
83
83
|
@parsed_subject = Hashie::Mash.new(Hash[@cert.subject.to_a.map { |k, v, _| [k, v] }])
|
84
84
|
end
|
85
85
|
|
86
|
+
# This property is equivalent to subject.emailAddress
|
87
|
+
def email
|
88
|
+
subject.emailAddress
|
89
|
+
end
|
90
|
+
|
86
91
|
def issuer_dn
|
87
92
|
return if @cert.nil?
|
88
93
|
|
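Review bot: `email` on line 88 calls `subject.emailAddress` without the `return if @cert.nil?` guard that `issuer_dn` uses on line 92, so when the certificate could not be loaded this accessor raises NoMethodError instead of returning nil like its siblings (assuming `subject` returns nil in that case, which is set up above the hunk). Add `return if @cert.nil?` before the call, or use `subject&.emailAddress`. The comment could also state that the result is nil when the subject carries no `emailAddress` attribute.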
@@ -104,6 +109,8 @@ module Inspec::Resources
|
|
104
109
|
@cert.public_key.n.num_bytes * 8
|
105
110
|
end
|
106
111
|
|
112
|
+
alias :keylength :key_length
|
113
|
+
|
107
114
|
def validity_in_days
|
108
115
|
(not_after - Time.now.utc) / 86400
|
109
116
|
end
|
@@ -138,6 +145,50 @@ module Inspec::Resources
|
|
138
145
|
@extensions
|
139
146
|
end
|
140
147
|
|
148
|
+
# check purpose of the certificate
|
149
|
+
def has_purpose?(purpose)
|
150
|
+
# If we have the filepath in our options we use the filepath to fetch the purposes.
|
151
|
+
# Else, we create a temporary file and write the content to that file.
|
152
|
+
# Then, use the temporary file to fetch the purposes.
|
153
|
+
# Todo: Check if this can be optimized or improved.
|
154
|
+
|
155
|
+
if @opts[:filepath]
|
156
|
+
cert_purpose = fetch_purpose(@opts[:filepath])
|
157
|
+
else
|
158
|
+
begin
|
159
|
+
f = File.open("temporary_certificate.pem", "w")
|
160
|
+
f.write(@cert.to_pem)
|
161
|
+
f.rewind
|
162
|
+
cert_purpose = fetch_purpose("temporary_certificate.pem")
|
163
|
+
ensure
|
164
|
+
f.close unless f.nil? || f.closed?
|
165
|
+
File.delete("temporary_certificate.pem") if File.exist? "temporary_certificate.pem"
|
166
|
+
end
|
167
|
+
end
|
168
|
+
cert_purpose =~ /purpose/ ? true : false
|
169
|
+
end
|
170
|
+
|
171
|
+
def fetch_purpose(cert_file_or_path)
|
172
|
+
openssl_utility = check_openssl_or_error
|
173
|
+
|
174
|
+
# The below command is used to view the Certificate purposes
|
175
|
+
# The -in argument expects a certificate file or path to certificate file.
|
176
|
+
cert_purpose_cmd = "#{openssl_utility} x509 -noout -purpose -in #{cert_file_or_path}"
|
177
|
+
cert_purpose = inspec.command(cert_purpose_cmd)
|
178
|
+
|
179
|
+
raise Inspec::Exceptions::ResourceFailed, "Executing #{cert_purpose_cmd} failed: #{cert_purpose.stderr}" if cert_purpose.exit_status.to_i != 0
|
180
|
+
|
181
|
+
cert_purpose.stdout
|
182
|
+
end
|
183
|
+
|
184
|
+
def subject_alt_names
|
185
|
+
extensions["subjectAltName"]
|
186
|
+
end
|
187
|
+
|
188
|
+
def resource_id
|
189
|
+
@opts[:filepath] || subject.CN || "x509 Certificate"
|
190
|
+
end
|
191
|
+
|
141
192
|
def to_s
|
142
193
|
cert = @opts[:filepath]
|
143
194
|
cert ||= subject.CN
|
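Review bot: `has_purpose?` never uses its `purpose` argument: line 168 tests `cert_purpose =~ /purpose/`, i.e. whether the openssl output contains the literal word "purpose", which the `-purpose` listing (headed `Certificate purposes:`) always does, so the matcher answers true for any purpose on any certificate. The temporary file is also wrong for remote targets: `File.open("temporary_certificate.pem", "w")` on line 159 writes a predictable, relative-path file on the host running InSpec, while `inspec.command` executes openssl on the target where that path does not exist; even locally it is a fixed name in the current directory rather than a `Tempfile`, and `cert_file_or_path` on line 176 is interpolated into the shell unescaped. Parse the requested purpose from openssl's `<purpose> : Yes|No` lines and feed the PEM through stdin on the target instead of writing a file (the stdin form below assumes a POSIX shell on the target; `require "shellwords"` if the file lacks it). `subject_alt_names` and `resource_id` are fine, though `resource_id` inherits the nil-`subject` case when no certificate loaded.
```ruby
def has_purpose?(purpose)
  output = @opts[:filepath] ? fetch_purpose(@opts[:filepath]) : fetch_purpose_from_pem
  # openssl lists one "<purpose> : Yes|No" line per purpose; answer for the requested one only.
  output.lines.any? { |line| line.strip.match?(/\A#{Regexp.escape(purpose)}\s*:\s*Yes\z/) }
end

# Pipe the in-memory PEM to openssl on the target; nothing is written on the scanning host.
def fetch_purpose_from_pem
  openssl_utility = check_openssl_or_error
  cmd = "printf '%s' #{Shellwords.escape(@cert.to_pem)} | #{openssl_utility} x509 -noout -purpose"
  result = inspec.command(cmd)
  raise Inspec::Exceptions::ResourceFailed, "Reading certificate purposes failed: #{result.stderr}" if result.exit_status.to_i != 0

  result.stdout
end

def fetch_purpose(cert_file_or_path)
  openssl_utility = check_openssl_or_error
  # -in expects a path on the target; escape it so spaces or metacharacters cannot alter the command.
  cert_purpose_cmd = "#{openssl_utility} x509 -noout -purpose -in #{Shellwords.escape(cert_file_or_path)}"
  # … unchanged: run, raise on non-zero exit, return stdout …
end
# … unchanged: subject_alt_names, resource_id …
```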
@@ -153,5 +204,13 @@ module Inspec::Resources
|
|
153
204
|
opts
|
154
205
|
end
|
155
206
|
end
|
207
|
+
|
208
|
+
def check_openssl_or_error
|
209
|
+
%w{/usr/sbin/openssl /usr/bin/openssl /sbin/openssl /bin/openssl openssl}.each do |cmd|
|
210
|
+
return cmd if inspec.command(cmd).exist?
|
211
|
+
end
|
212
|
+
|
213
|
+
raise Inspec::Exceptions::ResourceFailed, "Could not find `openssl` on your system."
|
214
|
+
end
|
156
215
|
end
|
157
216
|
end
|
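Review bot: `check_openssl_or_error` on line 208 is the third copy in this change of the same probe-a-list-of-paths loop (`php_config#find_utility_or_error` and `MonitoringTool#find_utility_or_error` in service.rb do the same), differing only in the candidate list and the message. A shared helper taking the utility name, as the service.rb version already does, would keep the three from drifting apart. The message on line 213 is also misleading for remote scans, since the lookup runs on the target, not the operator's machine: `"Could not find `openssl` on the target system."`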