inspec-core 5.17.4 → 5.21.29

data/lib/inspec/resources/podman_pod.rb

@@ -0,0 +1,101 @@
+require "inspec/resources/command"
+require "inspec/utils/podman"
+
+module Inspec::Resources
+  class PodmanPod < Inspec.resource(1)
+    include Inspec::Utils::Podman
+
+    name "podman_pod"
+    supports platform: "unix"
+
+    desc "InSpec core resource to retrieve information about podman pod"
+
+    example <<~EXAMPLE
+      describe podman_pod("nginx-frontend") do
+        it { should exist }
+        its("id") { should eq "fcfe4d471cfface0d1b39bce23af7d31ab8736cd68c0360ade0b4afe364f79d4" }
+        its("name") { should eq "nginx-frontend" }
+        its("created_at") { should eq "2022-07-14T15:47:47.978078124+05:30" }
+        its("create_command") { should include "new:nginx-frontend" }
+        its("state") { should eq "Running" }
+        its("hostname") { should eq "" }
+        its("create_cgroup") { should eq true }
+        its("cgroup_parent") { should eq "user.slice" }
+        its("cgroup_path") { should eq "user.slice/user-libpod_pod_fcfe4d471cfface0d1b39bce23af7d31ab8736cd68c0360ade0b4afe364f79d4.slice" }
+        its("create_infra") { should eq true }
+        its("infra_container_id") { should eq "727538044b32a165934729dc2d47d9d5e981b6496aebfad7de470f7e76ea4251" }
+        its("infra_config") { should include "DNSOption" }
+        its("shared_namespaces") { should include "ipc" }
+        its("num_containers") { should eq 2 }
+        its("containers") { should_not be nil }
+      end
+
+      describe podman_pod("non-existing-pod") do
+        it { should_not exist }
+      end
+    EXAMPLE
+
+    attr_reader :pod_info, :pod_id
+
+    def initialize(pod_id)
+      skip_resource "The `podman_pod` resource is not yet available on your OS." unless inspec.os.unix?
+      raise Inspec::Exceptions::ResourceFailed, "Podman is not running. Please make sure it is installed and running." unless podman_running?
+
+      @pod_id = pod_id
+      @pod_info = get_pod_info
+    end
+
+    LABELS = {
+      "id" => "ID",
+      "name" => "Name",
+      "created_at" => "Created",
+      "create_command" => "CreateCommand",
+      "state" => "State",
+      "hostname" => "Hostname",
+      "create_cgroup" => "CreateCgroup",
+      "cgroup_parent" => "CgroupParent",
+      "cgroup_path" => "CgroupPath",
+      "create_infra" => "CreateInfra",
+      "infra_container_id" => "InfraContainerID",
+      "infra_config" => "InfraConfig",
+      "shared_namespaces" => "SharedNamespaces",
+      "num_containers" => "NumContainers",
+      "containers" => "Containers",
+    }.freeze
+
+    # This creates all the required properties methods dynamically.
+    LABELS.each do |k, _|
+      define_method(k) do
+        pod_info[k.to_s]
+      end
+    end
+
+    def exist?
+      !pod_info.empty?
+    end
+
+    def resource_id
+      pod_id
+    end
+
+    def to_s
+      "Podman Pod #{resource_id}"
+    end
+
+    private
+
+    def get_pod_info
+      json_key_label = generate_go_template(LABELS)
+
+      inspect_pod_cmd = inspec.command("podman pod inspect #{pod_id} --format '{#{json_key_label}}'")
+
+      if inspect_pod_cmd.exit_status == 0
+        parse_command_output(inspect_pod_cmd.stdout)
+      elsif inspect_pod_cmd.stderr =~ /no pod with name or ID/
+        {}
+      else
+        raise Inspec::Exceptions::ResourceFailed, "Unable to retrieve podman pod information for #{pod_id}.\nError message: #{inspect_pod_cmd.stderr}"
+      end
+    end
+  end
+end

data/lib/inspec/resources/podman_volume.rb

@@ -0,0 +1,87 @@
+require "inspec/resources/command"
+require "inspec/utils/podman"
+
+module Inspec::Resources
+  class PodmanVolume < Inspec.resource(1)
+    include Inspec::Utils::Podman
+
+    name "podman_volume"
+    supports platform: "unix"
+
+    desc "InSpec core resource to retrieve information about podman volume"
+
+    example <<~EXAMPLE
+      describe podman_volume("my_volume") do
+        it { should exist }
+        its("name") { should eq "my_volume" }
+        its("driver") { should eq "local" }
+        its("mountpoint") { should eq "/var/home/core/.local/share/containers/storage/volumes/my_volume/_data" }
+        its("created_at") { should eq "2022-07-14T13:21:19.965421792+05:30" }
+        its("labels") { should eq({}) }
+        its("scope") { should eq "local" }
+        its("options") { should eq({}) }
+        its("mount_count") { should eq 0 }
+        its("needs_copy_up") { should eq true }
+        its("needs_chown") { should eq true }
+      end
+    EXAMPLE
+
+    attr_reader :volume_info, :volume_name
+
+    def initialize(volume_name)
+      skip_resource "The `podman_volume` resource is not yet available on your OS." unless inspec.os.unix?
+      raise Inspec::Exceptions::ResourceFailed, "Podman is not running. Please make sure it is installed and running." unless podman_running?
+
+      @volume_name = volume_name
+      @volume_info = get_volume_info
+    end
+
+    LABELS = {
+      "name" => "Name",
+      "driver" => "Driver",
+      "mountpoint" => "Mountpoint",
+      "created_at" => "CreatedAt",
+      "labels" => "Labels",
+      "scope" => "Scope",
+      "options" => "Options",
+      "mount_count" => "MountCount",
+      "needs_copy_up" => "NeedsCopyUp",
+      "needs_chown" => "NeedsChown",
+    }.freeze
+
+    # This creates all the required properties methods dynamically.
+    LABELS.each do |k, _|
+      define_method(k) do
+        volume_info[k.to_s]
+      end
+    end
+
+    def exist?
+      !volume_info.empty?
+    end
+
+    def resource_id
+      volume_name
+    end
+
+    def to_s
+      "podman_volume #{resource_id}"
+    end
+
+    private
+
+    def get_volume_info
+      json_key_label = generate_go_template(LABELS)
+
+      inspect_volume_cmd = inspec.command("podman volume inspect #{volume_name} --format '{#{json_key_label}}'")
+
+      if inspect_volume_cmd.exit_status == 0
+        parse_command_output(inspect_volume_cmd.stdout)
+      elsif inspect_volume_cmd.stderr =~ /inspecting object: no such/
+        {}
+      else
+        raise Inspec::Exceptions::ResourceFailed, "Unable to retrieve podman volume information for #{volume_name}.\nError message: #{inspect_volume_cmd.stderr}"
+      end
+    end
+  end
+end

data/lib/inspec/resources/postfix_conf.rb

@@ -22,6 +22,10 @@ module Inspec::Resources
       SimpleConfig.new(content).params
     end
 
+    def resource_id
+      "Postfix Conf"
+    end
+
     def to_s
       "Postfix Mail Transfer Agent"
     end

data/lib/inspec/resources/postgres_conf.rb

@@ -64,6 +64,10 @@ module Inspec::Resources
       param
     end
 
+    def resource_id
+      @conf_path || "postgres_conf"
+    end
+
     def to_s
       "PostgreSQL Configuration"
     end

data/lib/inspec/resources/postgres_session.rb

@@ -4,9 +4,9 @@ require "shellwords" unless defined?(Shellwords)
 
 module Inspec::Resources
   class Lines
-    attr_reader :output
+    attr_reader :output, :exit_status
 
-    def initialize(raw, desc)
+    def initialize(raw, desc, exit_status)
       @output = raw
       @desc = desc
     end
@@ -58,12 +58,16 @@ module Inspec::Resources
       if cmd.exit_status != 0 && ( out =~ /could not connect to/ || out =~ /password authentication failed/ ) && out.downcase =~ /error:/
         raise Inspec::Exceptions::ResourceFailed, "PostgreSQL connection error: #{out}"
       elsif cmd.exit_status != 0 && out.downcase =~ /error:/
-        Lines.new(out, "PostgreSQL query with error: #{query}")
+        Lines.new(out, "PostgreSQL query with error: #{query}", cmd.exit_status)
       else
-        Lines.new(cmd.stdout.strip, "PostgreSQL query: #{query}")
+        Lines.new(cmd.stdout.strip, "PostgreSQL query: #{query}", cmd.exit_status)
       end
     end
 
+    def resource_id
+      "postgress_session:User:#{@user}:Host:#{@host}"
+    end
+
     private
 
     def escaped_query(query)

data/lib/inspec/resources/powershell.rb

@@ -49,6 +49,10 @@ module Inspec::Resources
     def to_s
       "Powershell"
     end
+
+    def resource_id
+      "Powershell"
+    end
   end
 
   PowershellScript = Powershell

data/lib/inspec/resources/processes.rb

@@ -43,7 +43,7 @@ module Inspec::Resources
 
       all_cmds = ps_axo
       @list = all_cmds.find_all do |hm|
-        hm[:command] =~ grep
+        hm[:command] =~ grep || hm[:process_name] =~ grep
       end
     end
 
@@ -84,6 +84,7 @@ module Inspec::Resources
       .register_column(:time,     field: "time")
       .register_column(:users,    field: "user")
       .register_column(:commands, field: "command")
+      .register_column(:process_name, field: "process_name")
       .install_filter_methods_on_resource(self, :filtered_processes)
 
     private
@@ -98,9 +99,9 @@ module Inspec::Resources
       if os.linux?
         command, regex, field_map = ps_configuration_for_linux
       elsif os.windows?
-        command = '$Proc = Get-Process -IncludeUserName | Where-Object {$_.Path -ne $null } | Select-Object PriorityClass,Id,CPU,PM,VirtualMemorySize,NPM,SessionId,Responding,StartTime,TotalProcessorTime,UserName,Path | ConvertTo-Csv -NoTypeInformation;$Proc.Replace("""","").Replace("`r`n","`n")'
+        command = '$Proc = Get-Process -IncludeUserName | Select-Object PriorityClass,Id,CPU,PM,VirtualMemorySize,NPM,SessionId,Responding,StartTime,TotalProcessorTime,UserName,Path,ProcessName | ConvertTo-Csv -NoTypeInformation;$Proc.Replace("""","").Replace("`r`n","`n")'
         # Wanted to use /(?:^|,)([^,]*)/; works on rubular.com not sure why here?
-        regex = /^(.+),(.+),(.+),(.+),(.+),(.+),(.+),(.+),(.+),(.+),(.+),(.+)$/
+        regex = /^(.*),(.*),(.*),(.*),(.*),(.*),(.*),(.*),(.*),(.*),(.*),(.*),(.*)$/
         field_map = {
           pid: 2,
           cpu: 3,
@@ -113,6 +114,7 @@ module Inspec::Resources
           time: 10,
           user: 11,
           command: 12,
+          process_name: 13,
         }
       else
         command = "ps axo pid,pcpu,pmem,vsz,rss,tty,stat,start,time,user,command"
@@ -204,7 +206,7 @@ module Inspec::Resources
 
         # build a hash of process data that we'll turn into a struct for FilterTable
         process_data = {}
-        %i{label pid cpu mem vsz rss tty stat start time user command}.each do |param|
+        %i{label pid cpu mem vsz rss tty stat start time user command process_name}.each do |param|
           # not all operating systems support all fields, so skip the field if we don't have it
           process_data[param] = line[field_map[param]] if field_map.key?(param)
         end

data/lib/inspec/resources/rabbitmq_config.rb

@@ -32,6 +32,10 @@ module Inspec::Resources
       "rabbitmq_config #{@conf_path}"
     end
 
+    def resource_id
+      @conf_path
+    end
+
     private
 
     def read_content

data/lib/inspec/resources/registry_key.rb

@@ -140,6 +140,10 @@ module Inspec::Resources
       "Registry Key #{@options[:name]}"
     end
 
+    def resource_id
+      @options[:path]
+    end
+
     private
 
     def prep_prop(property)

data/lib/inspec/resources/security_identifier.rb

@@ -51,6 +51,10 @@ module Inspec::Resources
       "Security Identifier"
     end
 
+    def resource_id
+      @name
+    end
+
     private
 
     def fetch_sids

data/lib/inspec/resources/security_policy.rb

@@ -112,6 +112,10 @@ module Inspec::Resources
       "Security Policy"
     end
 
+    def resource_id
+      "Security Policy"
+    end
+
     private
 
     def read_content

data/lib/inspec/resources/service.rb

@@ -297,6 +297,10 @@ module Inspec::Resources
       current_monitoring_tool.is_service_monitored?
     end
 
+    def resource_id
+      @service_name || "Service"
+    end
+
     def to_s
       "Service #{@service_name}"
     end
@@ -642,7 +646,7 @@ module Inspec::Resources
       return nil if srv.nil? || srv[0].nil?
 
       # extract values from service
-      parsed_srv = /^(?<pid>[0-9-]+)\t(?<exit>[0-9]+)\t(?<name>\S*)$/.match(srv[0])
+      parsed_srv = /^(?<pid>[0-9-]+)\t(?<exit>[\-0-9]+)\t(?<name>\S*)$/.match(srv[0])
       enabled = !parsed_srv["name"].nil? # it's in the list
 
       # check if the service is running

data/lib/inspec/resources/ssh_config.rb

@@ -57,6 +57,10 @@ module Inspec::Resources
       "SSH Configuration"
     end
 
+    def resource_id
+      @conf_path || "SSH Configuration"
+    end
+
     private
 
     def read_content

data/lib/inspec/resources/sybase_conf.rb

@@ -29,6 +29,10 @@ module Inspec::Resources
       sql_query.row(0).column("Config Value").value
     end
 
+    def resource_id
+      conf_param || "Sybase config settings"
+    end
+
     def to_s
       "Sybase Conf #{conf_param}"
     end

data/lib/inspec/resources/sybase_session.rb

@@ -64,6 +64,10 @@ module Inspec::Resources
       DatabaseHelper::SQLQueryResult.new(isql_cmd, parse_csv_result(isql_cmd.stdout))
     end
 
+    def resource_id
+      @database || "Sybase Session"
+    end
+
     def to_s
       "Sybase Session"
     end

data/lib/inspec/resources/sys_info.rb

@@ -112,6 +112,10 @@ module Inspec::Resources
       end
     end
 
+    def resource_id
+      "sys_info"
+    end
+
     def to_s
       "System Information"
     end

data/lib/inspec/resources/timezone.rb

@@ -52,6 +52,10 @@ module Inspec::Resources
       @output["time_offset"]
     end
 
+    def resource_id
+      "timezone"
+    end
+
     def to_s
       "Time Zone resource"
     end

data/lib/inspec/resources/users.rb

@@ -307,6 +307,10 @@ module Inspec::Resources
       shadow_information[1]
     end
 
+    def resource_id
+      @username || "User"
+    end
+
     def to_s
       "User #{@username}"
     end

data/lib/inspec/resources/vbscript.rb

@@ -51,6 +51,11 @@ module Inspec::Resources
       @result ||= parse_stdout
     end
 
+    # vbscript can be of multiple lines so that can't be used as UUID so using the hardcoded string.
+    def resource_id
+      "Windows VBScript"
+    end
+
     def to_s
       "Windows VBScript"
     end

data/lib/inspec/resources/virtualization.rb

@@ -59,6 +59,10 @@ module Inspec::Resources
       collect_data_linux
     end
 
+    def resource_id
+      @virtualization_data[:system] || "virtualization"
+    end
+
     def to_s
       "Virtualization Detection"
     end

data/lib/inspec/resources/windows_feature.rb

@@ -59,8 +59,12 @@ module Inspec::Resources
       @cache
     end
 
+    def resource_id
+      @feature
+    end
+
     def to_s
-      "Windows Feature '#{@feature}'"
+      @feature || "windows_feature"
     end
 
     private

data/lib/inspec/resources/windows_firewall.rb

@@ -21,6 +21,10 @@ module Inspec::Resources
       @state = JSON.load(cmd.stdout) unless cmd.stdout.empty?
     end
 
+    def resource_id
+      @profile || "windows_firewall"
+    end
+
     def to_s
       "Windows Firewall (Profile #{@profile})"
     end

data/lib/inspec/resources/windows_firewall_rule.rb

@@ -23,6 +23,10 @@ module Inspec::Resources
       @state = JSON.load(cmd.stdout) unless cmd.stdout.empty?
     end
 
+    def resource_id
+      @name || "windows_firewall_rule"
+    end
+
     def to_s
       "Windows Firewall Rule #{@name}"
     end

data/lib/inspec/resources/windows_hotfix.rb

@@ -24,6 +24,10 @@ module Inspec::Resources
       @content = cmd.stdout
     end
 
+    def resource_id
+      @id || "windows_hotfix"
+    end
+
     def to_s
       "Windows Hotfix #{@id}"
     end

data/lib/inspec/resources/windows_task.rb

@@ -105,6 +105,10 @@ module Inspec::Resources
       }
     end
 
+    def resource_id
+      @taskuri || "windows_task"
+    end
+
     def to_s
       "Windows Task '#{@taskuri}'"
     end

data/lib/inspec/resources/wmi.rb

@@ -95,6 +95,10 @@ module Inspec::Resources
       @content
     end
 
+    def resource_id
+      @options[:class] || "WMI"
+    end
+
     def to_s
       "WMI with #{@options}"
     end

data/lib/inspec/resources/x509_certificate.rb

@@ -83,6 +83,11 @@ module Inspec::Resources
       @parsed_subject = Hashie::Mash.new(Hash[@cert.subject.to_a.map { |k, v, _| [k, v] }])
     end
 
+    # This property is equivalent to subject.emailAddress
+    def email
+      subject.emailAddress
+    end
+
     def issuer_dn
       return if @cert.nil?
 
@@ -104,6 +109,8 @@ module Inspec::Resources
       @cert.public_key.n.num_bytes * 8
     end
 
+    alias :keylength :key_length
+
     def validity_in_days
       (not_after - Time.now.utc) / 86400
     end
@@ -138,6 +145,50 @@ module Inspec::Resources
       @extensions
     end
 
+    # check purpose of the certificate
+    def has_purpose?(purpose)
+      # If we have the filepath in our options we use the filepath to fetch the purposes.
+      # Else, we create a temporary file and write the content to that file.
+      # Then, use the temporary file to fetch the purposes.
+      # Todo: Check if this can be optimized or improved.
+
+      if @opts[:filepath]
+        cert_purpose = fetch_purpose(@opts[:filepath])
+      else
+        begin
+          f = File.open("temporary_certificate.pem", "w")
+          f.write(@cert.to_pem)
+          f.rewind
+          cert_purpose = fetch_purpose("temporary_certificate.pem")
+        ensure
+          f.close unless f.nil? || f.closed?
+          File.delete("temporary_certificate.pem") if File.exist? "temporary_certificate.pem"
+        end
+      end
+      cert_purpose =~ /purpose/ ? true : false
+    end
+
+    def fetch_purpose(cert_file_or_path)
+      openssl_utility = check_openssl_or_error
+
+      # The below command is used to view the Certificate purposes
+      # The -in argument expects a certificate file or path to certificate file.
+      cert_purpose_cmd = "#{openssl_utility} x509 -noout -purpose -in #{cert_file_or_path}"
+      cert_purpose = inspec.command(cert_purpose_cmd)
+
+      raise Inspec::Exceptions::ResourceFailed, "Executing #{cert_purpose_cmd} failed: #{cert_purpose.stderr}" if cert_purpose.exit_status.to_i != 0
+
+      cert_purpose.stdout
+    end
+
+    def subject_alt_names
+      extensions["subjectAltName"]
+    end
+
+    def resource_id
+      @opts[:filepath] || subject.CN || "x509 Certificate"
+    end
+
     def to_s
       cert = @opts[:filepath]
       cert ||= subject.CN
@@ -153,5 +204,13 @@ module Inspec::Resources
         opts
       end
     end
+
+    def check_openssl_or_error
+      %w{/usr/sbin/openssl /usr/bin/openssl /sbin/openssl /bin/openssl openssl}.each do |cmd|
+        return cmd if inspec.command(cmd).exist?
+      end
+
+      raise Inspec::Exceptions::ResourceFailed, "Could not find `openssl` on your system."
+    end
   end
 end

data/lib/inspec/resources/yum.rb

@@ -89,6 +89,10 @@ module Inspec::Resources
       repo(name.to_s) unless name.nil?
     end
 
+    def resource_id
+      "Yum repository"
+    end
+
     def to_s
       "Yum Repository"
     end

data/lib/inspec/resources/zfs_dataset.rb

@@ -38,6 +38,10 @@ module Inspec::Resources
       inspec.mount(@params["mountpoint"]).mounted?
     end
 
+    def resource_id
+      @zfs_dataset || "ZFS Dataset"
+    end
+
     def to_s
       "ZFS Dataset #{@zfs_dataset}"
     end

data/lib/inspec/resources/zfs_pool.rb

@@ -31,6 +31,10 @@ module Inspec::Resources
       inspec.command("#{@zpool_cmd} get -Hp all #{@zfs_pool}").exit_status == 0
     end
 
+    def resource_id
+      @zfs_pool || "ZFS Pool"
+    end
+
     def to_s
       "ZFS Pool #{@zfs_pool}"
     end