inspec-core 5.17.4 → 5.18.14

data/lib/inspec/resources/x509_certificate.rb

@@ -83,6 +83,11 @@ module Inspec::Resources
       @parsed_subject = Hashie::Mash.new(Hash[@cert.subject.to_a.map { |k, v, _| [k, v] }])
     end
 
+    # This property is equivalent to subject.emailAddress
+    def email
+      subject.emailAddress
+    end
+
     def issuer_dn
       return if @cert.nil?
 
@@ -104,6 +109,8 @@ module Inspec::Resources
       @cert.public_key.n.num_bytes * 8
     end
 
+    alias :keylength :key_length
+
     def validity_in_days
       (not_after - Time.now.utc) / 86400
     end
@@ -138,6 +145,50 @@ module Inspec::Resources
       @extensions
     end
 
+    # check purpose of the certificate
+    def has_purpose?(purpose)
+      # If we have the filepath in our options we use the filepath to fetch the purposes.
+      # Else, we create a temporary file and write the content to that file.
+      # Then, use the temporary file to fetch the purposes.
+      # Todo: Check if this can be optimized or improved.
+
+      if @opts[:filepath]
+        cert_purpose = fetch_purpose(@opts[:filepath])
+      else
+        begin
+          f = File.open("temporary_certificate.pem", "w")
+          f.write(@cert.to_pem)
+          f.rewind
+          cert_purpose = fetch_purpose("temporary_certificate.pem")
+        ensure
+          f.close unless f.nil? || f.closed?
+          File.delete("temporary_certificate.pem") if File.exist? "temporary_certificate.pem"
+        end
+      end
+      cert_purpose =~ /purpose/ ? true : false
+    end
+
+    def fetch_purpose(cert_file_or_path)
+      openssl_utility = check_openssl_or_error
+
+      # The below command is used to view the Certificate purposes
+      # The -in argument expects a certificate file or path to certificate file.
+      cert_purpose_cmd = "#{openssl_utility} x509 -noout -purpose -in #{cert_file_or_path}"
+      cert_purpose = inspec.command(cert_purpose_cmd)
+
+      raise Inspec::Exceptions::ResourceFailed, "Executing #{cert_purpose_cmd} failed: #{cert_purpose.stderr}" if cert_purpose.exit_status.to_i != 0
+
+      cert_purpose.stdout
+    end
+
+    def subject_alt_names
+      extensions["subjectAltName"]
+    end
+
+    def resource_id
+      @opts[:filepath] || subject.CN || "x509 Certificate"
+    end
+
     def to_s
       cert = @opts[:filepath]
       cert ||= subject.CN
@@ -153,5 +204,13 @@ module Inspec::Resources
         opts
       end
     end
+
+    def check_openssl_or_error
+      %w{/usr/sbin/openssl /usr/bin/openssl /sbin/openssl /bin/openssl openssl}.each do |cmd|
+        return cmd if inspec.command(cmd).exist?
+      end
+
+      raise Inspec::Exceptions::ResourceFailed, "Could not find `openssl` on your system."
+    end
   end
 end

data/lib/inspec/resources/yum.rb

@@ -89,6 +89,10 @@ module Inspec::Resources
       repo(name.to_s) unless name.nil?
     end
 
+    def resource_id
+      "Yum repository"
+    end
+
     def to_s
       "Yum Repository"
     end

data/lib/inspec/resources/zfs_dataset.rb

@@ -38,6 +38,10 @@ module Inspec::Resources
       inspec.mount(@params["mountpoint"]).mounted?
     end
 
+    def resource_id
+      @zfs_dataset || "ZFS Dataset"
+    end
+
     def to_s
       "ZFS Dataset #{@zfs_dataset}"
     end

data/lib/inspec/resources/zfs_pool.rb

@@ -31,6 +31,10 @@ module Inspec::Resources
       inspec.command("#{@zpool_cmd} get -Hp all #{@zfs_pool}").exit_status == 0
     end
 
+    def resource_id
+      @zfs_pool || "ZFS Pool"
+    end
+
     def to_s
       "ZFS Pool #{@zfs_pool}"
     end

data/lib/inspec/rule.rb

@@ -358,7 +358,7 @@ module Inspec
         # YAML will automagically give us a Date or a Time.
         # If transcoding YAML between languages (e.g. Go) the date might have also ended up as a String.
         # A string that does not represent a valid time results in the date 0000-01-01.
-        if [Date, Time].include?(expiry.class) || (expiry.is_a?(String) && Time.new(expiry).year != 0)
+        if [Date, Time].include?(expiry.class) || (expiry.is_a?(String) && Time.parse(expiry).year != 0)
           expiry = expiry.to_time if expiry.is_a? Date
           expiry = Time.parse(expiry) if expiry.is_a? String
           if expiry < Time.now # If the waiver expired, return - no skip applied

data/lib/inspec/secrets/yaml.rb

@@ -16,7 +16,13 @@ module Secrets
 
     # array of yaml file paths
     def initialize(target)
-      @inputs = ::YAML.load_file(target)
+      # Ruby 3.1 treats YAML load as a dangerous operation by default, requiring us to declare date and time classes as permitted
+      # It's not a valid option in 3.0.x
+      if Gem.ruby_version >= Gem::Version.new("3.1.0")
+        @inputs = ::YAML.load_file(target, permitted_classes: [Date, Time])
+      else
+        @inputs = ::YAML.load_file(target)
+      end
 
       if @inputs == false || !@inputs.is_a?(Hash)
         Inspec::Log.warn("#{self.class} unable to parse #{target}: invalid YAML or contents is not a Hash")

data/lib/inspec/ui.rb

@@ -31,6 +31,7 @@ module Inspec
     EXIT_PLUGIN_ERROR = 2
     EXIT_FATAL_DEPRECATION = 3
     EXIT_GEM_DEPENDENCY_LOAD_ERROR = 4
+    EXIT_BAD_SIGNATURE = 5
     EXIT_LICENSE_NOT_ACCEPTED = 172
     EXIT_FAILED_TESTS = 100
     EXIT_SKIPPED_TESTS = 101

data/lib/inspec/utils/yaml_profile_summary.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+module Inspec
+  module Utils
+    #
+    # Inspec::Utils::YamlProfileSummary takes in certain information to identify a
+    # profile and then produces a YAML-formatted summary of that profile. It can
+    # return the results to STDOUT or a file.
+    #
+    #
+    module YamlProfileSummary
+      def self.produce_yaml(info:, write_path: "", suppress_output: false)
+        # add in inspec version
+        info[:generator] = {
+          name: "inspec",
+          version: Inspec::VERSION,
+        }
+        if write_path.empty?
+          puts info.to_yaml
+        else
+          unless suppress_output
+            if File.exist? write_path
+              Inspec::Log.info "----> updating #{write_path}"
+            else
+              Inspec::Log.info "----> creating #{write_path}"
+            end
+          end
+          full_write_path = File.expand_path(write_path)
+          File.write(full_write_path, info.to_yaml)
+        end
+      end
+    end
+  end
+end

data/lib/inspec/version.rb

@@ -1,3 +1,3 @@
 module Inspec
-  VERSION = "5.17.4".freeze
+  VERSION = "5.18.14".freeze
 end

data/lib/plugins/inspec-reporter-html2/templates/body.html.erb

@@ -7,21 +7,21 @@
     <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
     <style type="text/css">
     /* Must inline all CSS files, this is a single-file output that may be airgapped */
-    <%= ERB.new(File.read(css_path), nil, nil, "_css").result(binding)  %>
+    <%= ERB.new(File.read(css_path), eoutvar: "_css").result(binding)  %>
     </style>
     <script type="text/javascript">
     // <![CDATA[
     /* Must inline all JavaScript files, this is a single-file output that may be airgapped */
-    <%= ERB.new(File.read(js_path), nil, nil, "_js").result(binding)  %>
+    <%= ERB.new(File.read(js_path), eoutvar: "_js").result(binding)  %>
     // ]]>
     </script>
   </head>
   <body onload="pageLoaded()">
-    <%= ERB.new(File.read(template_path + "/selector.html.erb"), nil, nil, "_select").result(binding)  %>
+    <%= ERB.new(File.read(template_path + "/selector.html.erb"), eoutvar: "_select").result(binding)  %>
     <div class="inspec-report">
     <h1><%= Inspec::Dist::PRODUCT_NAME %> Report</h1>
     <% run_data.profiles.each do |profile| %>
-      <%= ERB.new(File.read(template_path + "/profile.html.erb"), nil, nil, "_prof").result(binding)  %>
+      <%= ERB.new(File.read(template_path + "/profile.html.erb"), eoutvar: "_prof").result(binding)  %>
     <% end %>
 
     <div class="inspec-summary">

data/lib/plugins/inspec-reporter-html2/templates/control.html.erb

@@ -74,7 +74,7 @@
   </table>
 
   <% control.results.each do |result| %>
-    <%= ERB.new(File.read(template_path + "/result.html.erb"), nil, nil, "_rslt").result(binding)  %>
+    <%= ERB.new(File.read(template_path + "/result.html.erb"), eoutvar: "_rslt").result(binding)  %>
   <% end %>
 
 </div>

data/lib/plugins/inspec-reporter-html2/templates/profile.html.erb

@@ -18,7 +18,7 @@
 
   <% if profile.status == "loaded" %>
     <% profile.controls.each do |control| %>
-      <%= ERB.new(File.read(template_path + "/control.html.erb"), nil, nil, "_ctl").result(binding)  %>
+      <%= ERB.new(File.read(template_path + "/control.html.erb"), eoutvar: "_ctl").result(binding)  %>
     <% end %>
   <% end %>
 </div>

data/lib/plugins/{inspec-artifact/inspec-artifact.gemspec → inspec-sign/inspec-sign.gemspec}

@@ -2,8 +2,8 @@
 # These specs are used in plugin list and search command
 
 Gem::Specification.new do |spec|
-  spec.name          = "inspec-artifact"
+  spec.name          = "inspec-sign"
   spec.summary       = ""
   spec.description   = "Plugin to generate asymmetrical keys that you can use to encrypt profiles"
   spec.license       = "Apache-2.0"
-end
+end

data/lib/plugins/inspec-sign/lib/inspec-sign/base.rb

@@ -0,0 +1,161 @@
+require "base64" unless defined?(Base64)
+require "openssl" unless defined?(OpenSSL)
+require "pathname" unless defined?(Pathname)
+require "set" unless defined?(Set)
+require "tempfile" unless defined?(Tempfile)
+require "yaml"
+require "inspec/dist"
+require "inspec/utils/json_profile_summary"
+require "inspec/iaf_file"
+
+module InspecPlugins
+  module Sign
+    class Base
+      include Inspec::Dist
+
+      KEY_BITS = 2048
+      KEY_ALG = OpenSSL::PKey::RSA
+
+      INSPEC_PROFILE_VERSION_1 = "INSPEC-PROFILE-1".freeze
+      INSPEC_REPORT_VERSION_1 = "INSPEC-REPORT-1".freeze
+
+      INSPEC_PROFILE_VERSION_2 = "INSPEC-PROFILE-2".freeze
+      ARTIFACT_DIGEST = OpenSSL::Digest::SHA512
+      ARTIFACT_DIGEST_NAME = "SHA512".freeze
+
+      VALID_PROFILE_VERSIONS = Set.new [INSPEC_PROFILE_VERSION_1, INSPEC_PROFILE_VERSION_2]
+      VALID_PROFILE_DIGESTS = Set.new [ARTIFACT_DIGEST_NAME]
+
+      SIGNED_PROFILE_SUFFIX = "iaf".freeze
+      SIGNED_REPORT_SUFFIX = "iar".freeze
+
+      def self.keygen(options)
+        key = KEY_ALG.new KEY_BITS
+
+        path = File.join(Inspec.config_dir, "keys")
+        FileUtils.mkdir_p(path)
+
+        puts "Generating signing key in #{path}/#{options["keyname"]}.pem.key"
+        open "#{path}/#{options["keyname"]}.pem.key", "w" do |io|
+          io.write key.to_pem
+        end
+        puts "Generating validation key in #{path}/#{options["keyname"]}.pem.pub"
+        open "#{path}/#{options["keyname"]}.pem.pub", "w" do |io|
+          io.write key.public_key.to_pem
+        end
+      end
+
+      def self.profile_sign(profile_path, options)
+        artifact = new
+
+        # Writes the profile content id in the inspec.yml
+        if options[:profile_content_id] && !options[:profile_content_id].strip.empty?
+          artifact.write_profile_content_id(profile_path, options[:profile_content_id])
+        end
+
+        puts "Signing #{profile_path} with key #{options["keyname"]}"
+        keypath = Inspec::IafFile.find_signing_key(options["keyname"])
+
+        # Read name and version from metadata and use them to form the filename
+        profile_md = artifact.read_profile_metadata(profile_path)
+
+        artifact_filename = "#{profile_md["name"]}-#{profile_md["version"]}.#{SIGNED_PROFILE_SUFFIX}"
+
+        # Generating tar.gz file using archive method of Inspec Cli
+        Inspec::InspecCLI.new.archive(profile_path, "error")
+        tarfile = "#{profile_md["name"]}-#{profile_md["version"]}.tar.gz"
+        tar_content = IO.binread(tarfile)
+        FileUtils.rm(tarfile)
+
+        # Generate the signature
+        signing_key = KEY_ALG.new File.read keypath
+        sha = ARTIFACT_DIGEST.new
+        signature = signing_key.sign sha, tar_content
+        # convert the signature to Base64
+        signature_base64 = Base64.encode64(signature)
+
+        content = (format("%-100s", options[:keyname]) +
+                  format("%-20s", ARTIFACT_DIGEST_NAME) +
+                  format("%-370s", signature_base64)).gsub(" ", "\0").unpack("H*").pack("h*") + "#{tar_content}"
+
+        File.open(artifact_filename, "wb") do |f|
+          f.puts INSPEC_PROFILE_VERSION_2
+          f.puts "Use \"inspec export\" to view this file"
+          f.write(content)
+        end
+        puts "Successfully generated #{artifact_filename}"
+      rescue Inspec::Exceptions::ProfileValidationKeyNotFound => e
+        $stderr.puts e.message
+        Inspec::UI.new.exit(:usage_error)
+      end
+
+      def self.profile_verify(signed_profile_path)
+        file_to_verify = signed_profile_path
+        puts "Verifying #{file_to_verify}"
+
+        iaf_file = Inspec::IafFile.new(file_to_verify)
+        if iaf_file.valid?
+          puts "Detected format version '#{iaf_file.version}'"
+          puts "Attempting to verify using key '#{iaf_file.key_name}'"
+          puts "Profile is valid."
+          Inspec::UI.new.exit(:normal)
+        else
+          puts "Detected format version '#{iaf_file.version}'"
+          puts "Attempting to verify using key '#{iaf_file.key_name}'" if iaf_file.key_name
+          puts "Profile is invalid"
+          Inspec::UI.new.exit(:bad_signature)
+        end
+      rescue Inspec::Exceptions::ProfileValidationKeyNotFound => e
+        $stderr.puts e.message
+        Inspec::UI.new.exit(:usage_error)
+      end
+
+      def read_profile_metadata(profile_path)
+        begin
+          p = Pathname.new(profile_path)
+          p = p.join("inspec.yml")
+          unless p.exist?
+            raise "#{profile_path} doesn't appear to be a valid #{PRODUCT_NAME} profile"
+          end
+
+          yaml = YAML.load_file(p.to_s)
+          yaml = yaml.to_hash
+
+          unless yaml.key? "name"
+            raise "Profile is invalid, name is not defined"
+          end
+
+          unless yaml.key? "version"
+            raise "Profile is invalid, version is not defined"
+          end
+        rescue => e
+          # rewrap it and pass it up to the CLI
+          $stderr.puts "Error reading profile metadata file #{e.message}"
+          Inspec::UI.new.exit(:usage_error)
+        end
+
+        yaml
+      end
+
+      def write_profile_content_id(profile_path, profile_content_id)
+        p = Pathname.new(profile_path)
+        p = p.join("inspec.yml")
+        yaml = YAML.load_file(p.to_s)
+        existing_profile_content_id = yaml["profile_content_id"]
+
+        unless existing_profile_content_id.nil?
+          ui = Inspec::UI.new
+          ui.error("Cannot use --profile-content-id when profile_content_id already exists in metadata file.")
+          ui.exit(:usage_error)
+        end
+
+        lines = IO.readlines(p)
+        lines << "\nprofile_content_id: #{profile_content_id}\n"
+
+        File.open("#{p}", "w" ) do |f|
+          f.puts lines
+        end
+      end
+    end
+  end
+end

data/lib/plugins/{inspec-artifact/lib/inspec-artifact → inspec-sign/lib/inspec-sign}/cli.rb

@@ -70,46 +70,37 @@ require "inspec/dist"
 # To extract the raw content from a .iaf:
 #        sed '1,/^$/d' foo.iaf
 
+#  inspec artifact is renamed to inspec sign
+
 module InspecPlugins
-  module Artifact
+  module Sign
     class CLI < Inspec.plugin(2, :cli_command)
       include Inspec::Dist
 
-      subcommand_desc "artifact SUBCOMMAND", "Manage #{PRODUCT_NAME} Artifacts"
+      subcommand_desc "sign SUBCOMMAND", "Manage #{PRODUCT_NAME} profile signing."
 
-      desc "generate", "Generate a RSA key pair for signing and verification"
+      desc "generate-keys", "Generate a RSA key pair for signing and verification"
       option :keyname, type: :string, required: true,
         desc: "Desriptive name of key"
       option :keydir, type: :string, default: "./",
         desc: "Directory to search for keys"
       def generate_keys
         puts "Generating keys"
-        InspecPlugins::Artifact::Base.keygen(options)
+        InspecPlugins::Sign::Base.keygen(options)
       end
 
-      desc "sign-profile", "Create a signed .iaf artifact"
-      option :profile, type: :string, required: true,
-        desc: "Path to profile directory"
+      desc "profile PATH", "sign the profile in PATH and generate .iaf artifact."
       option :keyname, type: :string, required: true,
         desc: "Desriptive name of key"
-      def sign_profile
-        InspecPlugins::Artifact::Base.profile_sign(options)
-      end
-
-      desc "verify-profile", "Verify a signed .iaf artifact"
-      option :infile, type: :string, required: true,
-          desc: ".iaf file to verify"
-      def verify_profile
-        InspecPlugins::Artifact::Base.profile_verify(options)
+      option :profile_content_id, type: :string,
+        desc: "UUID of the profile. This will write the profile_content_id in the metadata file if it does not already exist in the metadata file."
+      def profile(profile_path)
+        InspecPlugins::Sign::Base.profile_sign(profile_path, options)
       end
 
-      desc "install-profile", "Verify and install a signed .iaf artifact"
-      option :infile, type: :string, required: true,
-          desc: ".iaf file to install"
-      option :destdir, type: :string, required: true,
-        desc: "Installation directory"
-      def install_profile
-        InspecPlugins::Artifact::Base.profile_install(options)
+      desc "verify PATH", "Verify a signed profile .iaf artifact at given path."
+      def verify(signed_profile_path)
+        InspecPlugins::Sign::Base.profile_verify(signed_profile_path)
       end
     end
   end

data/lib/plugins/inspec-sign/lib/inspec-sign.rb

@@ -0,0 +1,12 @@
+module InspecPlugins
+  module Sign
+    class Plugin < Inspec.plugin(2)
+      plugin_name :'inspec-sign'
+
+      cli_command :sign do
+        require_relative "inspec-sign/cli"
+        InspecPlugins::Sign::CLI
+      end
+    end
+  end
+end

data/lib/source_readers/inspec.rb

@@ -12,7 +12,7 @@ module SourceReaders
       nil
     end
 
-    attr_reader :metadata, :tests, :libraries, :data_files, :target
+    attr_reader :metadata, :metadata_src, :tests, :libraries, :data_files, :target, :readme
 
     # This create a new instance of an InSpec profile source reader
     #
@@ -24,14 +24,16 @@ module SourceReaders
       @tests      = load_tests
       @libraries  = load_libs
       @data_files = load_data_files
+      @readme     = load_readme
     end
 
     private
 
     def load_metadata(metadata_source)
+      @metadata_src = @target.read(metadata_source)
       Inspec::Metadata.from_ref(
         metadata_source,
-        @target.read(metadata_source),
+        @metadata_src,
         nil
       )
     rescue Psych::SyntaxError => e
@@ -62,5 +64,9 @@ module SourceReaders
     def load_data_files
       load_all(%r{^files/})
     end
+
+    def load_readme
+      load_all(/README.md/)
+    end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec-core
 version: !ruby/object:Gem::Version
-  version: 5.17.4
+  version: 5.18.14
 platform: ruby
 authors:
 - Chef InSpec Team
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-05-24 00:00:00.000000000 Z
+date: 2022-07-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: chef-telemetry
@@ -370,14 +370,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '3.10'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '3.10'
 description: InSpec provides a framework for creating end-to-end infrastructure tests.
   You can use it for integration or even compliance testing. Create fully portable
   test profiles and use them in your workflow to ensure stability and security. Integrate
@@ -444,6 +444,7 @@ files:
 - lib/inspec/formatters/json_rspec.rb
 - lib/inspec/formatters/show_progress.rb
 - lib/inspec/globals.rb
+- lib/inspec/iaf_file.rb
 - lib/inspec/impact.rb
 - lib/inspec/input.rb
 - lib/inspec/input_dsl_helpers.rb
@@ -715,13 +716,10 @@ files:
 - lib/inspec/utils/telemetry/data_series.rb
 - lib/inspec/utils/telemetry/global_methods.rb
 - lib/inspec/utils/telemetry/run_context_probe.rb
+- lib/inspec/utils/yaml_profile_summary.rb
 - lib/inspec/version.rb
 - lib/matchers/matchers.rb
 - lib/plugins/README.md
-- lib/plugins/inspec-artifact/inspec-artifact.gemspec
-- lib/plugins/inspec-artifact/lib/inspec-artifact.rb
-- lib/plugins/inspec-artifact/lib/inspec-artifact/base.rb
-- lib/plugins/inspec-artifact/lib/inspec-artifact/cli.rb
 - lib/plugins/inspec-compliance/README.md
 - lib/plugins/inspec-compliance/inspec-compliance.gemspec
 - lib/plugins/inspec-compliance/lib/inspec-compliance.rb
@@ -805,6 +803,10 @@ files:
 - lib/plugins/inspec-reporter-junit/lib/inspec-reporter-junit.rb
 - lib/plugins/inspec-reporter-junit/lib/inspec-reporter-junit/reporter.rb
 - lib/plugins/inspec-reporter-junit/lib/inspec-reporter-junit/version.rb
+- lib/plugins/inspec-sign/inspec-sign.gemspec
+- lib/plugins/inspec-sign/lib/inspec-sign.rb
+- lib/plugins/inspec-sign/lib/inspec-sign/base.rb
+- lib/plugins/inspec-sign/lib/inspec-sign/cli.rb
 - lib/plugins/inspec-streaming-reporter-progress-bar/README.md
 - lib/plugins/inspec-streaming-reporter-progress-bar/inspec-streaming-reporter-progress-bar.gemspec
 - lib/plugins/inspec-streaming-reporter-progress-bar/lib/inspec-streaming-reporter-progress-bar.rb