inspec-core 5.12.2 → 5.18.14

data/lib/inspec/resources/x509_private_key.rb

@@ -0,0 +1,93 @@
+require "inspec/resources/file"
+
+module Inspec::Resources
+  class X509PrivateKey < Inspec.resource(1)
+    # Resource internal name.
+    name "x509_private_key"
+
+    # Restrict to only run on the below platforms (if none were given,
+    # all OS's and cloud API's supported)
+    supports platform: "unix"
+    supports platform: "windows"
+
+    desc "Use the x509_private_key InSpec audit resource to test the x509 private key"
+
+    example <<~EXAMPLE
+      # With passphrase
+      describe x509_private_key("/home/openssl_activity/alice_private.pem", "password@123") do
+        it { should be_valid }
+        it { should be_encrypted }
+        it { should have_matching_certificate("/home/openssl_activity/alice_certificate.crt") }
+      end
+
+      # Without passphrase
+      describe x509_private_key("/home/openssl_activity/bob_private.pem") do
+        it { should be_valid }
+        it { should_not be_encrypted }
+        it { should have_matching_certificate("/home/openssl_activity/bob_certificate.crt") }
+      end
+    EXAMPLE
+
+    # Resource initialization.
+    attr_reader :secret_key_path, :passphrase, :openssl_utility
+
+    def initialize(secret_key_path, passphrase = nil)
+      @openssl_utility = check_openssl_or_error
+      @secret_key_path = secret_key_path
+      @passphrase = passphrase
+    end
+
+    # Resource appearance in test reports.
+    def to_s
+      "x509_private_key"
+    end
+
+    # Matcher to check if the given key is valid.
+    def valid?
+      # Below is the command to check if the key is valid.
+      openssl_key_validity_cmd = "#{openssl_utility} rsa -in #{secret_key_path} -check -noout"
+
+      # Additionally, if key is password protected, passphrase needs to be given with -passin argument
+      openssl_key_validity_cmd.concat(" -passin pass:#{passphrase}") if passphrase
+
+      openssl_key_validity = inspec.command(openssl_key_validity_cmd)
+      openssl_key_validity.exit_status.to_i == 0
+    end
+
+    # Matcher to check if the given key is encrypted.
+    def encrypted?
+      raise Inspec::Exceptions::ResourceFailed, "The given secret key #{secret_key_path} does not exist." unless inspec.file(secret_key_path).exist?
+
+      # All encrypted keys have the header of Proc-Type: 4,ENCRYPTED
+      key_file = inspec.file(secret_key_path)
+      key_file.content =~ /Proc-Type: 4,ENCRYPTED/
+    end
+
+    # Matcher to verify if the private key maatches the certificate
+    def has_matching_certificate?(cert_file_or_path)
+      cert_hash_cmd = "openssl x509 -noout -modulus -in #{cert_file_or_path} | openssl md5"
+      cert_hash = inspec.command(cert_hash_cmd)
+
+      raise Inspec::Exceptions::ResourceFailed, "Executing #{cert_hash_cmd} failed: #{cert_hash.stderr}" if cert_hash.exit_status.to_i != 0
+
+      key_hash_cmd = "openssl rsa -noout -modulus -in #{secret_key_path}"
+      passphrase ? key_hash_cmd.concat(" -passin pass:#{passphrase} | openssl md5") : key_hash_cmd.concat(" | openssl md5")
+      key_hash = inspec.command(key_hash_cmd)
+
+      raise Inspec::Exceptions::ResourceFailed, "Executing #{key_hash_cmd} failed: #{key_hash.stderr}" if key_hash.exit_status.to_i != 0
+
+      cert_hash.stdout == key_hash.stdout
+    end
+
+    private
+
+    # This resource requires openssl to be available on the system
+    def check_openssl_or_error
+      %w{/usr/sbin/openssl /usr/bin/openssl /sbin/openssl /bin/openssl openssl}.each do |cmd|
+        return cmd if inspec.command(cmd).exist?
+      end
+
+      raise Inspec::Exceptions::ResourceFailed, "Could not find `openssl` on your system."
+    end
+  end
+end

data/lib/inspec/resources/yum.rb

@@ -89,6 +89,10 @@ module Inspec::Resources
       repo(name.to_s) unless name.nil?
     end
 
+    def resource_id
+      "Yum repository"
+    end
+
     def to_s
       "Yum Repository"
     end

data/lib/inspec/resources/zfs.rb

@@ -0,0 +1,48 @@
+require "inspec/resources/zfs_pool"
+
+module Inspec::Resources
+  class Zfs < ZfsPool
+    # resource's internal name.
+    name "zfs"
+
+    # Restrict to only run on the below platforms
+    supports platform: "unix"
+
+    desc "Use the zfs InSpec audit resource to test if the named ZFS Pool is present and/or has certain properties."
+
+    example <<~EXAMPLE
+      describe zfs("new-pool") do
+        it { should exist }
+        it { should have_property({ "failmode" => "wait", "capacity" => "0" }) }
+      end
+    EXAMPLE
+
+    # Resource initialization is done in the parent class i.e. ZfsPool
+
+    # Unique identity for the resource.
+    def resource_id
+      # @zfs_pool is the zfs pool name assigned during initialization in the parent class i.e. ZfsPool
+      @zfs_pool
+    end
+
+    # Resource appearance in test reports.
+    def to_s
+      "zfs #{resource_id}"
+    end
+
+    # The below matcher checks if the given properties are valid properties of the zfs pool.
+    def has_property?(properties_hash)
+      raise Inspec::Exceptions::ResourceSkipped, "Provide a valid key-value pair of the zfs properties." if properties_hash.empty?
+
+      # Transform all the key & values provided by user to string,
+      # since hash keys can be symbols or strings & values can be integers or strings.
+      # @params is a hash populated in the parent class with the properties(key-value) of the current zfs pool.
+      # and the key-value in @params are of string type.
+      properties_hash.transform_keys(&:to_s)
+      properties_hash.transform_values(&:to_s)
+
+      # check if the given properties is a subset of @params
+      properties_hash <= @params
+    end
+  end
+end

data/lib/inspec/resources/zfs_dataset.rb

@@ -38,6 +38,10 @@ module Inspec::Resources
       inspec.mount(@params["mountpoint"]).mounted?
     end
 
+    def resource_id
+      @zfs_dataset || "ZFS Dataset"
+    end
+
     def to_s
       "ZFS Dataset #{@zfs_dataset}"
     end

data/lib/inspec/resources/zfs_pool.rb

@@ -31,6 +31,10 @@ module Inspec::Resources
       inspec.command("#{@zpool_cmd} get -Hp all #{@zfs_pool}").exit_status == 0
     end
 
+    def resource_id
+      @zfs_pool || "ZFS Pool"
+    end
+
     def to_s
       "ZFS Pool #{@zfs_pool}"
     end

data/lib/inspec/rule.rb

@@ -358,7 +358,7 @@ module Inspec
         # YAML will automagically give us a Date or a Time.
         # If transcoding YAML between languages (e.g. Go) the date might have also ended up as a String.
         # A string that does not represent a valid time results in the date 0000-01-01.
-        if [Date, Time].include?(expiry.class) || (expiry.is_a?(String) && Time.new(expiry).year != 0)
+        if [Date, Time].include?(expiry.class) || (expiry.is_a?(String) && Time.parse(expiry).year != 0)
           expiry = expiry.to_time if expiry.is_a? Date
           expiry = Time.parse(expiry) if expiry.is_a? String
           if expiry < Time.now # If the waiver expired, return - no skip applied

data/lib/inspec/secrets/yaml.rb

@@ -16,7 +16,13 @@ module Secrets
 
     # array of yaml file paths
     def initialize(target)
-      @inputs = ::YAML.load_file(target)
+      # Ruby 3.1 treats YAML load as a dangerous operation by default, requiring us to declare date and time classes as permitted
+      # It's not a valid option in 3.0.x
+      if Gem.ruby_version >= Gem::Version.new("3.1.0")
+        @inputs = ::YAML.load_file(target, permitted_classes: [Date, Time])
+      else
+        @inputs = ::YAML.load_file(target)
+      end
 
       if @inputs == false || !@inputs.is_a?(Hash)
         Inspec::Log.warn("#{self.class} unable to parse #{target}: invalid YAML or contents is not a Hash")

data/lib/inspec/ui.rb

@@ -31,6 +31,7 @@ module Inspec
     EXIT_PLUGIN_ERROR = 2
     EXIT_FATAL_DEPRECATION = 3
     EXIT_GEM_DEPENDENCY_LOAD_ERROR = 4
+    EXIT_BAD_SIGNATURE = 5
     EXIT_LICENSE_NOT_ACCEPTED = 172
     EXIT_FAILED_TESTS = 100
     EXIT_SKIPPED_TESTS = 101

data/lib/inspec/utils/yaml_profile_summary.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+module Inspec
+  module Utils
+    #
+    # Inspec::Utils::YamlProfileSummary takes in certain information to identify a
+    # profile and then produces a YAML-formatted summary of that profile. It can
+    # return the results to STDOUT or a file.
+    #
+    #
+    module YamlProfileSummary
+      def self.produce_yaml(info:, write_path: "", suppress_output: false)
+        # add in inspec version
+        info[:generator] = {
+          name: "inspec",
+          version: Inspec::VERSION,
+        }
+        if write_path.empty?
+          puts info.to_yaml
+        else
+          unless suppress_output
+            if File.exist? write_path
+              Inspec::Log.info "----> updating #{write_path}"
+            else
+              Inspec::Log.info "----> creating #{write_path}"
+            end
+          end
+          full_write_path = File.expand_path(write_path)
+          File.write(full_write_path, info.to_yaml)
+        end
+      end
+    end
+  end
+end

data/lib/inspec/version.rb

@@ -1,3 +1,3 @@
 module Inspec
-  VERSION = "5.12.2".freeze
+  VERSION = "5.18.14".freeze
 end

data/lib/plugins/inspec-reporter-html2/templates/body.html.erb

@@ -7,21 +7,21 @@
     <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
     <style type="text/css">
     /* Must inline all CSS files, this is a single-file output that may be airgapped */
-    <%= ERB.new(File.read(css_path), nil, nil, "_css").result(binding)  %>
+    <%= ERB.new(File.read(css_path), eoutvar: "_css").result(binding)  %>
     </style>
     <script type="text/javascript">
     // <![CDATA[
     /* Must inline all JavaScript files, this is a single-file output that may be airgapped */
-    <%= ERB.new(File.read(js_path), nil, nil, "_js").result(binding)  %>
+    <%= ERB.new(File.read(js_path), eoutvar: "_js").result(binding)  %>
     // ]]>
     </script>
   </head>
   <body onload="pageLoaded()">
-    <%= ERB.new(File.read(template_path + "/selector.html.erb"), nil, nil, "_select").result(binding)  %>
+    <%= ERB.new(File.read(template_path + "/selector.html.erb"), eoutvar: "_select").result(binding)  %>
     <div class="inspec-report">
     <h1><%= Inspec::Dist::PRODUCT_NAME %> Report</h1>
     <% run_data.profiles.each do |profile| %>
-      <%= ERB.new(File.read(template_path + "/profile.html.erb"), nil, nil, "_prof").result(binding)  %>
+      <%= ERB.new(File.read(template_path + "/profile.html.erb"), eoutvar: "_prof").result(binding)  %>
     <% end %>
 
     <div class="inspec-summary">

data/lib/plugins/inspec-reporter-html2/templates/control.html.erb

@@ -74,7 +74,7 @@
   </table>
 
   <% control.results.each do |result| %>
-    <%= ERB.new(File.read(template_path + "/result.html.erb"), nil, nil, "_rslt").result(binding)  %>
+    <%= ERB.new(File.read(template_path + "/result.html.erb"), eoutvar: "_rslt").result(binding)  %>
   <% end %>
 
 </div>

data/lib/plugins/inspec-reporter-html2/templates/profile.html.erb

@@ -18,7 +18,7 @@
 
   <% if profile.status == "loaded" %>
     <% profile.controls.each do |control| %>
-      <%= ERB.new(File.read(template_path + "/control.html.erb"), nil, nil, "_ctl").result(binding)  %>
+      <%= ERB.new(File.read(template_path + "/control.html.erb"), eoutvar: "_ctl").result(binding)  %>
     <% end %>
   <% end %>
 </div>

data/lib/plugins/{inspec-artifact/inspec-artifact.gemspec → inspec-sign/inspec-sign.gemspec}

@@ -2,8 +2,8 @@
 # These specs are used in plugin list and search command
 
 Gem::Specification.new do |spec|
-  spec.name          = "inspec-artifact"
+  spec.name          = "inspec-sign"
   spec.summary       = ""
   spec.description   = "Plugin to generate asymmetrical keys that you can use to encrypt profiles"
   spec.license       = "Apache-2.0"
-end
+end

data/lib/plugins/inspec-sign/lib/inspec-sign/base.rb

@@ -0,0 +1,161 @@
+require "base64" unless defined?(Base64)
+require "openssl" unless defined?(OpenSSL)
+require "pathname" unless defined?(Pathname)
+require "set" unless defined?(Set)
+require "tempfile" unless defined?(Tempfile)
+require "yaml"
+require "inspec/dist"
+require "inspec/utils/json_profile_summary"
+require "inspec/iaf_file"
+
+module InspecPlugins
+  module Sign
+    class Base
+      include Inspec::Dist
+
+      KEY_BITS = 2048
+      KEY_ALG = OpenSSL::PKey::RSA
+
+      INSPEC_PROFILE_VERSION_1 = "INSPEC-PROFILE-1".freeze
+      INSPEC_REPORT_VERSION_1 = "INSPEC-REPORT-1".freeze
+
+      INSPEC_PROFILE_VERSION_2 = "INSPEC-PROFILE-2".freeze
+      ARTIFACT_DIGEST = OpenSSL::Digest::SHA512
+      ARTIFACT_DIGEST_NAME = "SHA512".freeze
+
+      VALID_PROFILE_VERSIONS = Set.new [INSPEC_PROFILE_VERSION_1, INSPEC_PROFILE_VERSION_2]
+      VALID_PROFILE_DIGESTS = Set.new [ARTIFACT_DIGEST_NAME]
+
+      SIGNED_PROFILE_SUFFIX = "iaf".freeze
+      SIGNED_REPORT_SUFFIX = "iar".freeze
+
+      def self.keygen(options)
+        key = KEY_ALG.new KEY_BITS
+
+        path = File.join(Inspec.config_dir, "keys")
+        FileUtils.mkdir_p(path)
+
+        puts "Generating signing key in #{path}/#{options["keyname"]}.pem.key"
+        open "#{path}/#{options["keyname"]}.pem.key", "w" do |io|
+          io.write key.to_pem
+        end
+        puts "Generating validation key in #{path}/#{options["keyname"]}.pem.pub"
+        open "#{path}/#{options["keyname"]}.pem.pub", "w" do |io|
+          io.write key.public_key.to_pem
+        end
+      end
+
+      def self.profile_sign(profile_path, options)
+        artifact = new
+
+        # Writes the profile content id in the inspec.yml
+        if options[:profile_content_id] && !options[:profile_content_id].strip.empty?
+          artifact.write_profile_content_id(profile_path, options[:profile_content_id])
+        end
+
+        puts "Signing #{profile_path} with key #{options["keyname"]}"
+        keypath = Inspec::IafFile.find_signing_key(options["keyname"])
+
+        # Read name and version from metadata and use them to form the filename
+        profile_md = artifact.read_profile_metadata(profile_path)
+
+        artifact_filename = "#{profile_md["name"]}-#{profile_md["version"]}.#{SIGNED_PROFILE_SUFFIX}"
+
+        # Generating tar.gz file using archive method of Inspec Cli
+        Inspec::InspecCLI.new.archive(profile_path, "error")
+        tarfile = "#{profile_md["name"]}-#{profile_md["version"]}.tar.gz"
+        tar_content = IO.binread(tarfile)
+        FileUtils.rm(tarfile)
+
+        # Generate the signature
+        signing_key = KEY_ALG.new File.read keypath
+        sha = ARTIFACT_DIGEST.new
+        signature = signing_key.sign sha, tar_content
+        # convert the signature to Base64
+        signature_base64 = Base64.encode64(signature)
+
+        content = (format("%-100s", options[:keyname]) +
+                  format("%-20s", ARTIFACT_DIGEST_NAME) +
+                  format("%-370s", signature_base64)).gsub(" ", "\0").unpack("H*").pack("h*") + "#{tar_content}"
+
+        File.open(artifact_filename, "wb") do |f|
+          f.puts INSPEC_PROFILE_VERSION_2
+          f.puts "Use \"inspec export\" to view this file"
+          f.write(content)
+        end
+        puts "Successfully generated #{artifact_filename}"
+      rescue Inspec::Exceptions::ProfileValidationKeyNotFound => e
+        $stderr.puts e.message
+        Inspec::UI.new.exit(:usage_error)
+      end
+
+      def self.profile_verify(signed_profile_path)
+        file_to_verify = signed_profile_path
+        puts "Verifying #{file_to_verify}"
+
+        iaf_file = Inspec::IafFile.new(file_to_verify)
+        if iaf_file.valid?
+          puts "Detected format version '#{iaf_file.version}'"
+          puts "Attempting to verify using key '#{iaf_file.key_name}'"
+          puts "Profile is valid."
+          Inspec::UI.new.exit(:normal)
+        else
+          puts "Detected format version '#{iaf_file.version}'"
+          puts "Attempting to verify using key '#{iaf_file.key_name}'" if iaf_file.key_name
+          puts "Profile is invalid"
+          Inspec::UI.new.exit(:bad_signature)
+        end
+      rescue Inspec::Exceptions::ProfileValidationKeyNotFound => e
+        $stderr.puts e.message
+        Inspec::UI.new.exit(:usage_error)
+      end
+
+      def read_profile_metadata(profile_path)
+        begin
+          p = Pathname.new(profile_path)
+          p = p.join("inspec.yml")
+          unless p.exist?
+            raise "#{profile_path} doesn't appear to be a valid #{PRODUCT_NAME} profile"
+          end
+
+          yaml = YAML.load_file(p.to_s)
+          yaml = yaml.to_hash
+
+          unless yaml.key? "name"
+            raise "Profile is invalid, name is not defined"
+          end
+
+          unless yaml.key? "version"
+            raise "Profile is invalid, version is not defined"
+          end
+        rescue => e
+          # rewrap it and pass it up to the CLI
+          $stderr.puts "Error reading profile metadata file #{e.message}"
+          Inspec::UI.new.exit(:usage_error)
+        end
+
+        yaml
+      end
+
+      def write_profile_content_id(profile_path, profile_content_id)
+        p = Pathname.new(profile_path)
+        p = p.join("inspec.yml")
+        yaml = YAML.load_file(p.to_s)
+        existing_profile_content_id = yaml["profile_content_id"]
+
+        unless existing_profile_content_id.nil?
+          ui = Inspec::UI.new
+          ui.error("Cannot use --profile-content-id when profile_content_id already exists in metadata file.")
+          ui.exit(:usage_error)
+        end
+
+        lines = IO.readlines(p)
+        lines << "\nprofile_content_id: #{profile_content_id}\n"
+
+        File.open("#{p}", "w" ) do |f|
+          f.puts lines
+        end
+      end
+    end
+  end
+end

data/lib/plugins/{inspec-artifact/lib/inspec-artifact → inspec-sign/lib/inspec-sign}/cli.rb

@@ -70,46 +70,37 @@ require "inspec/dist"
 # To extract the raw content from a .iaf:
 #        sed '1,/^$/d' foo.iaf
 
+#  inspec artifact is renamed to inspec sign
+
 module InspecPlugins
-  module Artifact
+  module Sign
     class CLI < Inspec.plugin(2, :cli_command)
       include Inspec::Dist
 
-      subcommand_desc "artifact SUBCOMMAND", "Manage #{PRODUCT_NAME} Artifacts"
+      subcommand_desc "sign SUBCOMMAND", "Manage #{PRODUCT_NAME} profile signing."
 
-      desc "generate", "Generate a RSA key pair for signing and verification"
+      desc "generate-keys", "Generate a RSA key pair for signing and verification"
       option :keyname, type: :string, required: true,
         desc: "Desriptive name of key"
       option :keydir, type: :string, default: "./",
         desc: "Directory to search for keys"
       def generate_keys
         puts "Generating keys"
-        InspecPlugins::Artifact::Base.keygen(options)
+        InspecPlugins::Sign::Base.keygen(options)
       end
 
-      desc "sign-profile", "Create a signed .iaf artifact"
-      option :profile, type: :string, required: true,
-        desc: "Path to profile directory"
+      desc "profile PATH", "sign the profile in PATH and generate .iaf artifact."
       option :keyname, type: :string, required: true,
         desc: "Desriptive name of key"
-      def sign_profile
-        InspecPlugins::Artifact::Base.profile_sign(options)
-      end
-
-      desc "verify-profile", "Verify a signed .iaf artifact"
-      option :infile, type: :string, required: true,
-          desc: ".iaf file to verify"
-      def verify_profile
-        InspecPlugins::Artifact::Base.profile_verify(options)
+      option :profile_content_id, type: :string,
+        desc: "UUID of the profile. This will write the profile_content_id in the metadata file if it does not already exist in the metadata file."
+      def profile(profile_path)
+        InspecPlugins::Sign::Base.profile_sign(profile_path, options)
       end
 
-      desc "install-profile", "Verify and install a signed .iaf artifact"
-      option :infile, type: :string, required: true,
-          desc: ".iaf file to install"
-      option :destdir, type: :string, required: true,
-        desc: "Installation directory"
-      def install_profile
-        InspecPlugins::Artifact::Base.profile_install(options)
+      desc "verify PATH", "Verify a signed profile .iaf artifact at given path."
+      def verify(signed_profile_path)
+        InspecPlugins::Sign::Base.profile_verify(signed_profile_path)
       end
     end
   end

data/lib/plugins/inspec-sign/lib/inspec-sign.rb

@@ -0,0 +1,12 @@
+module InspecPlugins
+  module Sign
+    class Plugin < Inspec.plugin(2)
+      plugin_name :'inspec-sign'
+
+      cli_command :sign do
+        require_relative "inspec-sign/cli"
+        InspecPlugins::Sign::CLI
+      end
+    end
+  end
+end

data/lib/source_readers/inspec.rb

@@ -12,7 +12,7 @@ module SourceReaders
       nil
     end
 
-    attr_reader :metadata, :tests, :libraries, :data_files, :target
+    attr_reader :metadata, :metadata_src, :tests, :libraries, :data_files, :target, :readme
 
     # This create a new instance of an InSpec profile source reader
     #
@@ -24,14 +24,16 @@ module SourceReaders
       @tests      = load_tests
       @libraries  = load_libs
       @data_files = load_data_files
+      @readme     = load_readme
     end
 
     private
 
     def load_metadata(metadata_source)
+      @metadata_src = @target.read(metadata_source)
       Inspec::Metadata.from_ref(
         metadata_source,
-        @target.read(metadata_source),
+        @metadata_src,
         nil
       )
     rescue Psych::SyntaxError => e
@@ -62,5 +64,9 @@ module SourceReaders
     def load_data_files
       load_all(%r{^files/})
     end
+
+    def load_readme
+      load_all(/README.md/)
+    end
   end
 end