inspec-core 5.14.0 → 5.17.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3cb92e0f21964ecac43d5d9f208e7a2b07a57c2daa0fef4aad06515f933b9072
-  data.tar.gz: 6c4d5f59ed6dde73193198f4ad32c801515cec12d9c04924765d1ac7ee4bd5bc
+  metadata.gz: b31dbb074483f274162eeea0fde1b234cd19e1c65257e19f7d0bc2f46c375b70
+  data.tar.gz: 31756fedad66edc248e5ae7b1ca5ab08408f6d7d6e6ce6dfb9053d1323c1acac
 SHA512:
-  metadata.gz: 8397f679eea47dead2cb1952026b74c800adf7ea650120597b714c3ccdef1c7e0eeb6af387458a31c028173a6bc332b07de103d4d545dbd37257573b77c6e0b1
-  data.tar.gz: 96d8ac046aa00ec95fc173e81c28999d744ed823af7a4a6401e9d1776817e303e451e7c8d46450d2c39c02e6ef4ff4c82d1c425683e82299effa2f3384f9f93e
+  metadata.gz: e765163668a3799ae45fbe2a5ddd219832341c32b01b62422506324a62c44b99ad771f47c662be5abb1198fdd65969e2a038f54c5059841561edda42170f7631
+  data.tar.gz: bbbadea0724f15d1a67c895eab750eea1a660bfc2e65143af703f8b5a88eb9e0c9fde1f9c08356fd9e4b32d202d620902fbad8784618cc01eec866c20f5247c7

data/etc/keys/progress-2022-05-04.pem.pub

@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8FWKhVwT5ilFdk5/schY
+J3X6DkDbZPul7MAKYuicmyvrk4VZFqFJYzUo9G+ZvtWCjCMZF3JLDbg0VJ+V3j2b
+A5MRUDMH1MtbQZS8u0AIUAitHsSiMgu4w/EHUSHODoDmbdaHT1xkFe9IxMSM1/AV
+/s5u2uAMuiayo+dGW5i9xf/LMZN1JCeX8Yqw85CpS01gMC2XxoUu5wGLwBwXkdql
++H3SaWRdDTtccgtu0Rxt9dzRtHAPNWKSLl9TScW6Qt/+7bgb3M6+7od/FuPziAS9
+1NGUiKL9vajpafxUJF8863q0l64dAXGWXVFed7/7GFiNVuLxBksPzK8VrkyCS214
+kQIDAQAB
+-----END PUBLIC KEY-----

data/lib/inspec/dependency_loader.rb

@@ -50,7 +50,11 @@ module Inspec
     end
 
     def gem_version_installed?(name, version)
-      list_installed_gems.any? { |s| s.name == name && Gem::Requirement.new(version.split(",")) =~ s.version }
+      if version.nil?
+        list_installed_gems.any? { |s| s.name == name }
+      else
+        list_installed_gems.any? { |s| s.name == name && Gem::Requirement.new(version.split(",")) =~ s.version }
+      end
     end
 
     private

data/lib/inspec/profile.rb

@@ -410,7 +410,7 @@ module Inspec
           else
             ui = Inspec::UI.new
             gem_dependencies.each { |gem_dependency| ui.list_item("#{gem_dependency[:name]} #{gem_dependency[:version]}") }
-            choice = ui.prompt.select("Would you like to install profile gem dependencies listed above?", %w{Yes No})
+            choice = ui.prompt.select("The above listed gem dependencies are required to run the profile. Would you like to install them ?", %w{Yes No})
             if choice == "Yes"
               Inspec::Config.cached[:auto_install_gems] = true
               load_gem_dependencies
@@ -850,7 +850,12 @@ module Inspec
         f = load_rule_filepath(prefix, rule)
         load_rule(rule, f, controls, groups)
       end
-      params[:inputs] = Inspec::InputRegistry.list_inputs_for_profile(@profile_id)
+      if @profile_id.nil?
+        # identifying inputs using profile name
+        params[:inputs] = Inspec::InputRegistry.list_inputs_for_profile(params[:name])
+      else
+        params[:inputs] = Inspec::InputRegistry.list_inputs_for_profile(@profile_id)
+      end
       params
     end
 

data/lib/inspec/resources/host.rb

@@ -113,6 +113,16 @@ module Inspec::Resources
       resolve.nil? || resolve.empty? ? nil : resolve
     end
 
+    # returns an array of the ipv4 addresses
+    def ipv4_address
+      ipaddress.select { |ip| ip.match(Resolv::IPv4::Regex) }
+    end
+
+    # returns an array of the ipv6 addresses
+    def ipv6_address
+      ipaddress.select { |ip| ip.match(Resolv::IPv6::Regex) }
+    end
+
     def to_s
       resource_name = "Host #{hostname}"
       resource_name += " port #{port} proto #{protocol}" if port
@@ -296,15 +306,44 @@ module Inspec::Resources
     end
 
     def resolve(hostname)
+      addresses = []
+      # -Type A is the DNS query for IPv4 server Address.
       cmd = inspec.command("Resolve-DnsName –Type A #{hostname} | ConvertTo-Json")
       begin
-        resolv = JSON.parse(cmd.stdout)
+        resolve_ipv4 = JSON.parse(cmd.stdout)
       rescue JSON::ParserError => _e
         return nil
       end
 
-      resolv = [resolv] unless resolv.is_a?(Array)
-      resolv.map { |entry| entry["IPAddress"] }
+      resolve_ipv4 = resolve_ipv4.inject(:merge) if resolve_ipv4.is_a?(Array)
+
+      # Append the ipv4 addresses
+      resolve_ipv4.each_value do |ip|
+        matched = ip.to_s.chomp.match(Resolv::IPv4::Regex)
+        next if matched.nil? || addresses.include?(matched.to_s)
+
+        addresses << matched.to_s
+      end
+
+      # -Type AAAA is the DNS query for IPv6 server Address.
+      cmd = inspec.command("Resolve-DnsName –Type AAAA #{hostname} | ConvertTo-Json")
+      begin
+        resolve_ipv6 = JSON.parse(cmd.stdout)
+      rescue JSON::ParserError => _e
+        return nil
+      end
+
+      resolve_ipv6 = resolve_ipv6.inject(:merge) if resolve_ipv6.is_a?(Array)
+
+      # Append the ipv6 addresses
+      resolve_ipv6.each_value do |ip|
+        matched = ip.to_s.chomp.match(Resolv::IPv6::Regex)
+        next if matched.nil? || addresses.include?(matched.to_s)
+
+        addresses << matched.to_s
+      end
+
+      addresses
     end
   end
 end

data/lib/inspec/resources/php_config.rb

@@ -0,0 +1,72 @@
+require "inspec/resources/command"
+
+module Inspec::Resources
+  class PhpConfig < Inspec.resource(1)
+    # Resource's internal name.
+    name "php_config"
+    supports platform: "unix"
+    supports platform: "windows"
+    desc "Use the php_config InSpec audit resource to test PHP config parameters"
+
+    example <<~EXAMPLE
+      describe php_config("config_param") do
+        its("value") { should eq "some_value" }
+      end
+
+      describe php_config("config_param", { "ini" => "path_to_ini_file" }) do
+        its("value") { should eq "some_value"  }
+      end
+    EXAMPLE
+
+    # Resource initialization.
+    attr_reader :config_param, :config_file_or_path
+    def initialize(config_param, config_file_or_path = {})
+      @config_param = config_param
+      @config_file_or_path = config_file_or_path
+    end
+
+    # Unique resource id
+    def resource_id
+      config_param
+    end
+
+    # Resource appearance in test reports.
+    def to_s
+      "php_config #{resource_id}"
+    end
+
+    # Returns the value evaluated for the initialized config parameter
+    def value
+      php_utility = find_utility_or_error
+
+      # The keys in the hash provided by user can be string or symbols.
+      # Converting the key to symbols to handle scenario when "ini" key is provided as string.
+      config_file_or_path.transform_keys(&:to_sym)
+
+      # Assign the path with -c option for ini file provided by the user if any.
+      php_ini_file = !config_file_or_path.empty? && config_file_or_path.key?(:ini) ? "-c #{config_file_or_path[:ini]}" : ""
+
+      # The below command `get_cfg_var` is used to fetch the value for any config parameter.
+      php_cmd = "#{php_utility} #{php_ini_file} -r 'echo get_cfg_var(\"#{config_param}\");'"
+      config_value_cmd = inspec.command(php_cmd)
+
+      raise Inspec::Exceptions::ResourceFailed, "Executing #{php_cmd} failed: #{config_value_cmd.stderr}" if config_value_cmd.exit_status.to_i != 0
+
+      config_value = config_value_cmd.stdout.strip
+
+      # Convert value to integer if the config value are digits.
+      config_value.match(/^(\d)+$/) ? config_value.to_i : config_value
+    end
+
+    private
+
+    # Method to check if php is present or not on the system.
+    def find_utility_or_error
+      %w{/usr/sbin/php /sbin/php php}.each do |cmd|
+        return cmd if inspec.command(cmd).exist?
+      end
+
+      raise Inspec::Exceptions::ResourceFailed, "Could not find `php` on your system."
+    end
+  end
+end

data/lib/inspec/resources/processes.rb

@@ -60,6 +60,17 @@ module Inspec::Resources
       @list
     end
 
+    # Matcher to check if the process is running
+    def running?
+      # A process is considered running if:
+      # unix: it is in running(R) state or either of sleep state(D: Uninterruptible or S: Interruptible)
+      # windows: it is responding i.e. state is True.
+
+      # Other codes like <(high priorty), N(low priority), +(foreground process group) etc. may appear after the state code in unix.
+      # Hence the regex used is /^statecode+/ where statecode is either R, S, or D.
+      states.any? and !!(states[0] =~ /True/ || states[0] =~ /^R+/ || states[0] =~ /^D+/ || states[0] =~ /^S+/)
+    end
+
     filter = FilterTable.create
     filter.register_column(:labels, field: "label")
       .register_column(:pids,     field: "pid")

data/lib/inspec/resources/service.rb

@@ -182,7 +182,9 @@ module Inspec::Resources
       when "aix"
         SrcMstr.new(inspec)
       when "amazon"
-        if os[:release] =~ /^20\d\d/
+        # If `initctl` exists on the system, use `Upstart`. Else use `Systemd` since all-new Amazon Linux supports `systemctl`.
+        # This way, it is not dependent on the version of Amazon Linux.
+        if inspec.command("initctl").exist? || inspec.command("/sbin/initctl").exist?
           Upstart.new(inspec, service_ctl)
         else
           Systemd.new(inspec, service_ctl)

data/lib/inspec/resources/x509_private_key.rb

@@ -0,0 +1,93 @@
+require "inspec/resources/file"
+
+module Inspec::Resources
+  class X509PrivateKey < Inspec.resource(1)
+    # Resource internal name.
+    name "x509_private_key"
+
+    # Restrict to only run on the below platforms (if none were given,
+    # all OS's and cloud API's supported)
+    supports platform: "unix"
+    supports platform: "windows"
+
+    desc "Use the x509_private_key InSpec audit resource to test the x509 private key"
+
+    example <<~EXAMPLE
+      # With passphrase
+      describe x509_private_key("/home/openssl_activity/alice_private.pem", "password@123") do
+        it { should be_valid }
+        it { should be_encrypted }
+        it { should have_matching_certificate("/home/openssl_activity/alice_certificate.crt") }
+      end
+
+      # Without passphrase
+      describe x509_private_key("/home/openssl_activity/bob_private.pem") do
+        it { should be_valid }
+        it { should_not be_encrypted }
+        it { should have_matching_certificate("/home/openssl_activity/bob_certificate.crt") }
+      end
+    EXAMPLE
+
+    # Resource initialization.
+    attr_reader :secret_key_path, :passphrase, :openssl_utility
+
+    def initialize(secret_key_path, passphrase = nil)
+      @openssl_utility = check_openssl_or_error
+      @secret_key_path = secret_key_path
+      @passphrase = passphrase
+    end
+
+    # Resource appearance in test reports.
+    def to_s
+      "x509_private_key"
+    end
+
+    # Matcher to check if the given key is valid.
+    def valid?
+      # Below is the command to check if the key is valid.
+      openssl_key_validity_cmd = "#{openssl_utility} rsa -in #{secret_key_path} -check -noout"
+
+      # Additionally, if key is password protected, passphrase needs to be given with -passin argument
+      openssl_key_validity_cmd.concat(" -passin pass:#{passphrase}") if passphrase
+
+      openssl_key_validity = inspec.command(openssl_key_validity_cmd)
+      openssl_key_validity.exit_status.to_i == 0
+    end
+
+    # Matcher to check if the given key is encrypted.
+    def encrypted?
+      raise Inspec::Exceptions::ResourceFailed, "The given secret key #{secret_key_path} does not exist." unless inspec.file(secret_key_path).exist?
+
+      # All encrypted keys have the header of Proc-Type: 4,ENCRYPTED
+      key_file = inspec.file(secret_key_path)
+      key_file.content =~ /Proc-Type: 4,ENCRYPTED/
+    end
+
+    # Matcher to verify if the private key maatches the certificate
+    def has_matching_certificate?(cert_file_or_path)
+      cert_hash_cmd = "openssl x509 -noout -modulus -in #{cert_file_or_path} | openssl md5"
+      cert_hash = inspec.command(cert_hash_cmd)
+
+      raise Inspec::Exceptions::ResourceFailed, "Executing #{cert_hash_cmd} failed: #{cert_hash.stderr}" if cert_hash.exit_status.to_i != 0
+
+      key_hash_cmd = "openssl rsa -noout -modulus -in #{secret_key_path}"
+      passphrase ? key_hash_cmd.concat(" -passin pass:#{passphrase} | openssl md5") : key_hash_cmd.concat(" | openssl md5")
+      key_hash = inspec.command(key_hash_cmd)
+
+      raise Inspec::Exceptions::ResourceFailed, "Executing #{key_hash_cmd} failed: #{key_hash.stderr}" if key_hash.exit_status.to_i != 0
+
+      cert_hash.stdout == key_hash.stdout
+    end
+
+    private
+
+    # This resource requires openssl to be available on the system
+    def check_openssl_or_error
+      %w{/usr/sbin/openssl /usr/bin/openssl /sbin/openssl /bin/openssl openssl}.each do |cmd|
+        return cmd if inspec.command(cmd).exist?
+      end
+
+      raise Inspec::Exceptions::ResourceFailed, "Could not find `openssl` on your system."
+    end
+  end
+end

data/lib/inspec/resources/zfs.rb

@@ -0,0 +1,48 @@
+require "inspec/resources/zfs_pool"
+
+module Inspec::Resources
+  class Zfs < ZfsPool
+    # resource's internal name.
+    name "zfs"
+
+    # Restrict to only run on the below platforms
+    supports platform: "unix"
+
+    desc "Use the zfs InSpec audit resource to test if the named ZFS Pool is present and/or has certain properties."
+
+    example <<~EXAMPLE
+      describe zfs("new-pool") do
+        it { should exist }
+        it { should have_property({ "failmode" => "wait", "capacity" => "0" }) }
+      end
+    EXAMPLE
+
+    # Resource initialization is done in the parent class i.e. ZfsPool
+
+    # Unique identity for the resource.
+    def resource_id
+      # @zfs_pool is the zfs pool name assigned during initialization in the parent class i.e. ZfsPool
+      @zfs_pool
+    end
+
+    # Resource appearance in test reports.
+    def to_s
+      "zfs #{resource_id}"
+    end
+
+    # The below matcher checks if the given properties are valid properties of the zfs pool.
+    def has_property?(properties_hash)
+      raise Inspec::Exceptions::ResourceSkipped, "Provide a valid key-value pair of the zfs properties." if properties_hash.empty?
+
+      # Transform all the key & values provided by user to string,
+      # since hash keys can be symbols or strings & values can be integers or strings.
+      # @params is a hash populated in the parent class with the properties(key-value) of the current zfs pool.
+      # and the key-value in @params are of string type.
+      properties_hash.transform_keys(&:to_s)
+      properties_hash.transform_values(&:to_s)
+
+      # check if the given properties is a subset of @params
+      properties_hash <= @params
+    end
+  end
+end

data/lib/inspec/version.rb

@@ -1,3 +1,3 @@
 module Inspec
-  VERSION = "5.14.0".freeze
+  VERSION = "5.17.4".freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec-core
 version: !ruby/object:Gem::Version
-  version: 5.14.0
+  version: 5.17.4
 platform: ruby
 authors:
 - Chef InSpec Team
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-04-20 00:00:00.000000000 Z
+date: 2022-05-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: chef-telemetry
@@ -392,6 +392,7 @@ files:
 - Gemfile
 - LICENSE
 - etc/deprecations.json
+- etc/keys/progress-2022-05-04.pem.pub
 - etc/plugin_filters.json
 - inspec-core.gemspec
 - lib/bundles/README.md
@@ -601,6 +602,7 @@ files:
 - lib/inspec/resources/parse_config.rb
 - lib/inspec/resources/parse_config_file.rb
 - lib/inspec/resources/passwd.rb
+- lib/inspec/resources/php_config.rb
 - lib/inspec/resources/pip.rb
 - lib/inspec/resources/platform.rb
 - lib/inspec/resources/port.rb
@@ -647,10 +649,12 @@ files:
 - lib/inspec/resources/windows_task.rb
 - lib/inspec/resources/wmi.rb
 - lib/inspec/resources/x509_certificate.rb
+- lib/inspec/resources/x509_private_key.rb
 - lib/inspec/resources/xinetd_conf.rb
 - lib/inspec/resources/xml.rb
 - lib/inspec/resources/yaml.rb
 - lib/inspec/resources/yum.rb
+- lib/inspec/resources/zfs.rb
 - lib/inspec/resources/zfs_dataset.rb
 - lib/inspec/resources/zfs_pool.rb
 - lib/inspec/rspec_extensions.rb