inspec-core 5.17.4 → 5.21.29
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/Gemfile +20 -17
- data/etc/deprecations.json +4 -0
- data/inspec-core.gemspec +23 -23
- data/lib/inspec/base_cli.rb +7 -0
- data/lib/inspec/cli.rb +68 -11
- data/lib/inspec/dependencies/dependency_set.rb +6 -2
- data/lib/inspec/dsl.rb +24 -5
- data/lib/inspec/enhanced_outcomes.rb +19 -0
- data/lib/inspec/env_printer.rb +1 -1
- data/lib/inspec/errors.rb +2 -0
- data/lib/inspec/exceptions.rb +4 -0
- data/lib/inspec/fetcher/url.rb +1 -1
- data/lib/inspec/file_provider.rb +36 -0
- data/lib/inspec/formatters/base.rb +69 -16
- data/lib/inspec/iaf_file.rb +127 -0
- data/lib/inspec/plugin/v2/loader.rb +19 -8
- data/lib/inspec/plugin/v2/plugin_types/reporter.rb +1 -0
- data/lib/inspec/plugin/v2/plugin_types/streaming_reporter.rb +54 -0
- data/lib/inspec/profile.rb +17 -7
- data/lib/inspec/reporters/base.rb +1 -0
- data/lib/inspec/reporters/cli.rb +94 -3
- data/lib/inspec/reporters/json.rb +3 -1
- data/lib/inspec/reporters/yaml.rb +3 -1
- data/lib/inspec/reporters.rb +2 -1
- data/lib/inspec/resources/aide_conf.rb +4 -0
- data/lib/inspec/resources/apache.rb +4 -0
- data/lib/inspec/resources/apache_conf.rb +4 -0
- data/lib/inspec/resources/apt.rb +6 -1
- data/lib/inspec/resources/audit_policy.rb +5 -0
- data/lib/inspec/resources/auditd_conf.rb +4 -0
- data/lib/inspec/resources/bash.rb +4 -0
- data/lib/inspec/resources/bond.rb +4 -0
- data/lib/inspec/resources/bridge.rb +4 -0
- data/lib/inspec/resources/cassandradb_conf.rb +5 -0
- data/lib/inspec/resources/cassandradb_session.rb +8 -3
- data/lib/inspec/resources/chocolatey_package.rb +4 -0
- data/lib/inspec/resources/chrony_conf.rb +4 -0
- data/lib/inspec/resources/command.rb +5 -0
- data/lib/inspec/resources/cpan.rb +4 -0
- data/lib/inspec/resources/cran.rb +4 -0
- data/lib/inspec/resources/cron.rb +5 -0
- data/lib/inspec/resources/csv.rb +6 -1
- data/lib/inspec/resources/dh_params.rb +4 -0
- data/lib/inspec/resources/docker_container.rb +4 -0
- data/lib/inspec/resources/docker_image.rb +4 -0
- data/lib/inspec/resources/docker_plugin.rb +4 -0
- data/lib/inspec/resources/docker_service.rb +4 -0
- data/lib/inspec/resources/etc_group.rb +4 -0
- data/lib/inspec/resources/etc_hosts_allow_deny.rb +5 -0
- data/lib/inspec/resources/file.rb +7 -2
- data/lib/inspec/resources/filesystem.rb +4 -0
- data/lib/inspec/resources/gem.rb +4 -0
- data/lib/inspec/resources/groups.rb +4 -0
- data/lib/inspec/resources/grub_conf.rb +4 -0
- data/lib/inspec/resources/host.rb +4 -0
- data/lib/inspec/resources/http.rb +6 -2
- data/lib/inspec/resources/ibmdb2_conf.rb +8 -0
- data/lib/inspec/resources/ibmdb2_session.rb +12 -3
- data/lib/inspec/resources/iis_app.rb +4 -0
- data/lib/inspec/resources/iis_app_pool.rb +4 -0
- data/lib/inspec/resources/iis_site.rb +4 -0
- data/lib/inspec/resources/inetd_conf.rb +4 -0
- data/lib/inspec/resources/interface.rb +4 -0
- data/lib/inspec/resources/ip6tables.rb +4 -0
- data/lib/inspec/resources/ipfilter.rb +4 -0
- data/lib/inspec/resources/ipnat.rb +4 -0
- data/lib/inspec/resources/iptables.rb +4 -0
- data/lib/inspec/resources/json.rb +4 -0
- data/lib/inspec/resources/kernel_module.rb +4 -0
- data/lib/inspec/resources/kernel_parameter.rb +4 -0
- data/lib/inspec/resources/key_rsa.rb +4 -0
- data/lib/inspec/resources/ksh.rb +4 -0
- data/lib/inspec/resources/limits_conf.rb +4 -0
- data/lib/inspec/resources/login_defs.rb +4 -0
- data/lib/inspec/resources/lxc.rb +65 -9
- data/lib/inspec/resources/mongodb.rb +4 -0
- data/lib/inspec/resources/mongodb_conf.rb +5 -0
- data/lib/inspec/resources/mongodb_session.rb +6 -1
- data/lib/inspec/resources/mount.rb +4 -0
- data/lib/inspec/resources/mssql_session.rb +4 -0
- data/lib/inspec/resources/mssql_sys_conf.rb +7 -0
- data/lib/inspec/resources/mysql_conf.rb +4 -0
- data/lib/inspec/resources/mysql_session.rb +8 -1
- data/lib/inspec/resources/nginx.rb +6 -1
- data/lib/inspec/resources/nginx_conf.rb +4 -0
- data/lib/inspec/resources/noop.rb +4 -0
- data/lib/inspec/resources/npm.rb +4 -0
- data/lib/inspec/resources/ntp_conf.rb +4 -0
- data/lib/inspec/resources/oneget.rb +4 -0
- data/lib/inspec/resources/opa_api.rb +10 -0
- data/lib/inspec/resources/opa_cli.rb +14 -0
- data/lib/inspec/resources/oracledb_conf.rb +5 -0
- data/lib/inspec/resources/oracledb_listener_conf.rb +4 -0
- data/lib/inspec/resources/oracledb_session.rb +23 -4
- data/lib/inspec/resources/os.rb +4 -0
- data/lib/inspec/resources/os_env.rb +4 -0
- data/lib/inspec/resources/package.rb +4 -0
- data/lib/inspec/resources/parse_config.rb +10 -1
- data/lib/inspec/resources/pip.rb +4 -0
- data/lib/inspec/resources/platform.rb +4 -0
- data/lib/inspec/resources/podman.rb +353 -0
- data/lib/inspec/resources/podman_container.rb +84 -0
- data/lib/inspec/resources/podman_image.rb +108 -0
- data/lib/inspec/resources/podman_network.rb +81 -0
- data/lib/inspec/resources/podman_pod.rb +101 -0
- data/lib/inspec/resources/podman_volume.rb +87 -0
- data/lib/inspec/resources/postfix_conf.rb +4 -0
- data/lib/inspec/resources/postgres_conf.rb +4 -0
- data/lib/inspec/resources/postgres_session.rb +8 -4
- data/lib/inspec/resources/powershell.rb +4 -0
- data/lib/inspec/resources/processes.rb +6 -4
- data/lib/inspec/resources/rabbitmq_config.rb +4 -0
- data/lib/inspec/resources/registry_key.rb +4 -0
- data/lib/inspec/resources/security_identifier.rb +4 -0
- data/lib/inspec/resources/security_policy.rb +4 -0
- data/lib/inspec/resources/service.rb +5 -1
- data/lib/inspec/resources/ssh_config.rb +4 -0
- data/lib/inspec/resources/sybase_conf.rb +4 -0
- data/lib/inspec/resources/sybase_session.rb +4 -0
- data/lib/inspec/resources/sys_info.rb +4 -0
- data/lib/inspec/resources/timezone.rb +4 -0
- data/lib/inspec/resources/users.rb +4 -0
- data/lib/inspec/resources/vbscript.rb +5 -0
- data/lib/inspec/resources/virtualization.rb +4 -0
- data/lib/inspec/resources/windows_feature.rb +5 -1
- data/lib/inspec/resources/windows_firewall.rb +4 -0
- data/lib/inspec/resources/windows_firewall_rule.rb +4 -0
- data/lib/inspec/resources/windows_hotfix.rb +4 -0
- data/lib/inspec/resources/windows_task.rb +4 -0
- data/lib/inspec/resources/wmi.rb +4 -0
- data/lib/inspec/resources/x509_certificate.rb +59 -0
- data/lib/inspec/resources/yum.rb +4 -0
- data/lib/inspec/resources/zfs_dataset.rb +4 -0
- data/lib/inspec/resources/zfs_pool.rb +4 -0
- data/lib/inspec/rule.rb +55 -18
- data/lib/inspec/run_data/control.rb +6 -0
- data/lib/inspec/run_data/statistics.rb +8 -2
- data/lib/inspec/runner.rb +18 -8
- data/lib/inspec/runner_rspec.rb +3 -2
- data/lib/inspec/schema/exec_json.rb +78 -2
- data/lib/inspec/schema/output_schema.rb +4 -1
- data/lib/inspec/schema/profile_json.rb +46 -0
- data/lib/inspec/schema.rb +91 -0
- data/lib/inspec/secrets/yaml.rb +7 -1
- data/lib/inspec/ui.rb +1 -0
- data/lib/inspec/utils/convert.rb +8 -0
- data/lib/inspec/utils/podman.rb +24 -0
- data/lib/inspec/utils/waivers/csv_file_reader.rb +34 -0
- data/lib/inspec/utils/waivers/excel_file_reader.rb +39 -0
- data/lib/inspec/utils/waivers/json_file_reader.rb +15 -0
- data/lib/inspec/utils/yaml_profile_summary.rb +34 -0
- data/lib/inspec/version.rb +1 -1
- data/lib/inspec/waiver_file_reader.rb +61 -0
- data/lib/matchers/matchers.rb +7 -1
- data/lib/plugins/inspec-init/templates/profiles/alicloud/README.md +27 -0
- data/lib/plugins/inspec-init/templates/profiles/alicloud/controls/example.rb +10 -0
- data/lib/plugins/inspec-init/templates/profiles/alicloud/inputs.yml +1 -0
- data/lib/plugins/inspec-init/templates/profiles/alicloud/inspec.yml +14 -0
- data/lib/plugins/inspec-reporter-html2/README.md +1 -1
- data/lib/plugins/inspec-reporter-html2/templates/body.html.erb +11 -5
- data/lib/plugins/inspec-reporter-html2/templates/control.html.erb +11 -7
- data/lib/plugins/inspec-reporter-html2/templates/default.css +12 -0
- data/lib/plugins/inspec-reporter-html2/templates/profile.html.erb +1 -1
- data/lib/plugins/inspec-reporter-html2/templates/selector.html.erb +7 -1
- data/lib/plugins/{inspec-artifact/inspec-artifact.gemspec → inspec-sign/inspec-sign.gemspec} +2 -2
- data/lib/plugins/inspec-sign/lib/inspec-sign/base.rb +164 -0
- data/lib/plugins/{inspec-artifact/lib/inspec-artifact → inspec-sign/lib/inspec-sign}/cli.rb +14 -23
- data/lib/plugins/inspec-sign/lib/inspec-sign.rb +12 -0
- data/lib/plugins/inspec-streaming-reporter-progress-bar/lib/inspec-streaming-reporter-progress-bar/streaming_reporter.rb +39 -13
- data/lib/source_readers/inspec.rb +8 -2
- metadata +33 -15
- data/lib/plugins/inspec-artifact/lib/inspec-artifact/base.rb +0 -187
- data/lib/plugins/inspec-artifact/lib/inspec-artifact.rb +0 -12
@@ -20,6 +20,9 @@ module InspecPlugins::StreamingReporterProgressBar
|
|
20
20
|
"passed" => "\033[0;1;32m",
|
21
21
|
"skipped" => "\033[0;37m",
|
22
22
|
"reset" => "\033[0m",
|
23
|
+
"error" => "\033[34m",
|
24
|
+
"not_applicable" => "\033[36m",
|
25
|
+
"not_reviewed" => "\033[33m",
|
23
26
|
}.freeze
|
24
27
|
|
25
28
|
# Most currently available Windows terminals have poor support
|
@@ -28,6 +31,9 @@ module InspecPlugins::StreamingReporterProgressBar
|
|
28
31
|
"failed" => "[FAIL]",
|
29
32
|
"skipped" => "[SKIP]",
|
30
33
|
"passed" => "[PASS]",
|
34
|
+
"error" => " [ERROR] ",
|
35
|
+
"not_applicable" => " [N/A] ",
|
36
|
+
"not_reviewed" => " [N/R] ",
|
31
37
|
}.freeze
|
32
38
|
else
|
33
39
|
# Extended colors for everyone else
|
@@ -36,6 +42,9 @@ module InspecPlugins::StreamingReporterProgressBar
|
|
36
42
|
"passed" => "\033[38;5;41m",
|
37
43
|
"skipped" => "\033[38;5;247m",
|
38
44
|
"reset" => "\033[0m",
|
45
|
+
"error" => "\033[0;38;5;21m",
|
46
|
+
"not_applicable" => "\033[0;38;5;117m",
|
47
|
+
"not_reviewed" => "\033[0;38;5;214m",
|
39
48
|
}.freeze
|
40
49
|
|
41
50
|
# Groovy UTF-8 characters for everyone else...
|
@@ -44,6 +53,9 @@ module InspecPlugins::StreamingReporterProgressBar
|
|
44
53
|
"failed" => "× [FAILED] ",
|
45
54
|
"skipped" => "↺ [SKIPPED]",
|
46
55
|
"passed" => "✔ [PASSED] ",
|
56
|
+
"error" => "× [ERROR] ",
|
57
|
+
"not_applicable" => " [N/A] ",
|
58
|
+
"not_reviewed" => " [N/R] ",
|
47
59
|
}.freeze
|
48
60
|
end
|
49
61
|
|
@@ -71,29 +83,43 @@ module InspecPlugins::StreamingReporterProgressBar
|
|
71
83
|
control_id = notification.example.metadata[:id]
|
72
84
|
title = notification.example.metadata[:title]
|
73
85
|
full_description = notification.example.metadata[:full_description]
|
74
|
-
|
86
|
+
|
87
|
+
# No-op exception occurs in case of not_applicable_if
|
88
|
+
if (full_description.include? "No-op") && notification.example.exception
|
89
|
+
full_description += notification.example.exception.message
|
90
|
+
end
|
91
|
+
|
75
92
|
set_status_mapping(control_id, status)
|
76
|
-
|
93
|
+
collect_notifications(notification, control_id, status)
|
94
|
+
control_ended = control_ended?(control_id)
|
95
|
+
if control_ended
|
96
|
+
control_outcome = add_enhanced_outcomes(control_id) if enhanced_outcomes
|
97
|
+
show_progress(control_id, title, full_description, control_outcome)
|
98
|
+
end
|
77
99
|
end
|
78
100
|
|
79
|
-
def show_progress(control_id, title, full_description,
|
101
|
+
def show_progress(control_id, title, full_description, control_outcome)
|
80
102
|
@bar ||= ProgressBar.new(controls_count, :bar, :counter, :percentage)
|
81
103
|
sleep 0.1
|
82
104
|
@bar.increment!
|
83
|
-
@bar.puts format_it(control_id, title, full_description,
|
105
|
+
@bar.puts format_it(control_id, title, full_description, control_outcome)
|
84
106
|
rescue StandardError => e
|
85
107
|
raise "Exception in Progress Bar streaming reporter: #{e}"
|
86
108
|
end
|
87
109
|
|
88
|
-
def format_it(control_id, title, full_description,
|
89
|
-
|
90
|
-
|
91
|
-
|
92
|
-
|
93
|
-
|
94
|
-
@status_mapping[control_id].include? "
|
95
|
-
|
96
|
-
|
110
|
+
def format_it(control_id, title, full_description, control_outcome)
|
111
|
+
if control_outcome
|
112
|
+
control_status = control_outcome
|
113
|
+
else
|
114
|
+
control_status = if @status_mapping[control_id].include? "failed"
|
115
|
+
"failed"
|
116
|
+
elsif @status_mapping[control_id].include? "passed"
|
117
|
+
"passed"
|
118
|
+
else
|
119
|
+
@status_mapping[control_id].include? "skipped"
|
120
|
+
"skipped"
|
121
|
+
end
|
122
|
+
end
|
97
123
|
indicator = INDICATORS[control_status]
|
98
124
|
message_to_format = ""
|
99
125
|
message_to_format += "#{indicator} "
|
@@ -12,7 +12,7 @@ module SourceReaders
|
|
12
12
|
nil
|
13
13
|
end
|
14
14
|
|
15
|
-
attr_reader :metadata, :tests, :libraries, :data_files, :target
|
15
|
+
attr_reader :metadata, :metadata_src, :tests, :libraries, :data_files, :target, :readme
|
16
16
|
|
17
17
|
# This create a new instance of an InSpec profile source reader
|
18
18
|
#
|
@@ -24,14 +24,16 @@ module SourceReaders
|
|
24
24
|
@tests = load_tests
|
25
25
|
@libraries = load_libs
|
26
26
|
@data_files = load_data_files
|
27
|
+
@readme = load_readme
|
27
28
|
end
|
28
29
|
|
29
30
|
private
|
30
31
|
|
31
32
|
def load_metadata(metadata_source)
|
33
|
+
@metadata_src = @target.read(metadata_source)
|
32
34
|
Inspec::Metadata.from_ref(
|
33
35
|
metadata_source,
|
34
|
-
@
|
36
|
+
@metadata_src,
|
35
37
|
nil
|
36
38
|
)
|
37
39
|
rescue Psych::SyntaxError => e
|
@@ -62,5 +64,9 @@ module SourceReaders
|
|
62
64
|
def load_data_files
|
63
65
|
load_all(%r{^files/})
|
64
66
|
end
|
67
|
+
|
68
|
+
def load_readme
|
69
|
+
load_all(/README.md/)
|
70
|
+
end
|
65
71
|
end
|
66
72
|
end
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: inspec-core
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 5.
|
4
|
+
version: 5.21.29
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Chef InSpec Team
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2023-01-24 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: chef-telemetry
|
@@ -226,34 +226,34 @@ dependencies:
|
|
226
226
|
requirements:
|
227
227
|
- - ">="
|
228
228
|
- !ruby/object:Gem::Version
|
229
|
-
version:
|
229
|
+
version: '1'
|
230
230
|
- - "<"
|
231
231
|
- !ruby/object:Gem::Version
|
232
|
-
version: '
|
232
|
+
version: '3'
|
233
233
|
type: :runtime
|
234
234
|
prerelease: false
|
235
235
|
version_requirements: !ruby/object:Gem::Requirement
|
236
236
|
requirements:
|
237
237
|
- - ">="
|
238
238
|
- !ruby/object:Gem::Version
|
239
|
-
version:
|
239
|
+
version: '1'
|
240
240
|
- - "<"
|
241
241
|
- !ruby/object:Gem::Version
|
242
|
-
version: '
|
242
|
+
version: '3'
|
243
243
|
- !ruby/object:Gem::Dependency
|
244
|
-
name:
|
244
|
+
name: faraday-follow_redirects
|
245
245
|
requirement: !ruby/object:Gem::Requirement
|
246
246
|
requirements:
|
247
247
|
- - "~>"
|
248
248
|
- !ruby/object:Gem::Version
|
249
|
-
version: '
|
249
|
+
version: '0.3'
|
250
250
|
type: :runtime
|
251
251
|
prerelease: false
|
252
252
|
version_requirements: !ruby/object:Gem::Requirement
|
253
253
|
requirements:
|
254
254
|
- - "~>"
|
255
255
|
- !ruby/object:Gem::Version
|
256
|
-
version: '
|
256
|
+
version: '0.3'
|
257
257
|
- !ruby/object:Gem::Dependency
|
258
258
|
name: tty-table
|
259
259
|
requirement: !ruby/object:Gem::Requirement
|
@@ -370,14 +370,14 @@ dependencies:
|
|
370
370
|
requirements:
|
371
371
|
- - "~>"
|
372
372
|
- !ruby/object:Gem::Version
|
373
|
-
version: '3.
|
373
|
+
version: '3.10'
|
374
374
|
type: :runtime
|
375
375
|
prerelease: false
|
376
376
|
version_requirements: !ruby/object:Gem::Requirement
|
377
377
|
requirements:
|
378
378
|
- - "~>"
|
379
379
|
- !ruby/object:Gem::Version
|
380
|
-
version: '3.
|
380
|
+
version: '3.10'
|
381
381
|
description: InSpec provides a framework for creating end-to-end infrastructure tests.
|
382
382
|
You can use it for integration or even compliance testing. Create fully portable
|
383
383
|
test profiles and use them in your workflow to ensure stability and security. Integrate
|
@@ -429,6 +429,7 @@ files:
|
|
429
429
|
- lib/inspec/dist.rb
|
430
430
|
- lib/inspec/dsl.rb
|
431
431
|
- lib/inspec/dsl_shared.rb
|
432
|
+
- lib/inspec/enhanced_outcomes.rb
|
432
433
|
- lib/inspec/env_printer.rb
|
433
434
|
- lib/inspec/errors.rb
|
434
435
|
- lib/inspec/exceptions.rb
|
@@ -444,6 +445,7 @@ files:
|
|
444
445
|
- lib/inspec/formatters/json_rspec.rb
|
445
446
|
- lib/inspec/formatters/show_progress.rb
|
446
447
|
- lib/inspec/globals.rb
|
448
|
+
- lib/inspec/iaf_file.rb
|
447
449
|
- lib/inspec/impact.rb
|
448
450
|
- lib/inspec/input.rb
|
449
451
|
- lib/inspec/input_dsl_helpers.rb
|
@@ -605,6 +607,12 @@ files:
|
|
605
607
|
- lib/inspec/resources/php_config.rb
|
606
608
|
- lib/inspec/resources/pip.rb
|
607
609
|
- lib/inspec/resources/platform.rb
|
610
|
+
- lib/inspec/resources/podman.rb
|
611
|
+
- lib/inspec/resources/podman_container.rb
|
612
|
+
- lib/inspec/resources/podman_image.rb
|
613
|
+
- lib/inspec/resources/podman_network.rb
|
614
|
+
- lib/inspec/resources/podman_pod.rb
|
615
|
+
- lib/inspec/resources/podman_volume.rb
|
608
616
|
- lib/inspec/resources/port.rb
|
609
617
|
- lib/inspec/resources/postfix_conf.rb
|
610
618
|
- lib/inspec/resources/postgres.rb
|
@@ -706,6 +714,7 @@ files:
|
|
706
714
|
- lib/inspec/utils/object_traversal.rb
|
707
715
|
- lib/inspec/utils/parser.rb
|
708
716
|
- lib/inspec/utils/pkey_reader.rb
|
717
|
+
- lib/inspec/utils/podman.rb
|
709
718
|
- lib/inspec/utils/run_data_filters.rb
|
710
719
|
- lib/inspec/utils/simpleconfig.rb
|
711
720
|
- lib/inspec/utils/spdx.rb
|
@@ -715,13 +724,14 @@ files:
|
|
715
724
|
- lib/inspec/utils/telemetry/data_series.rb
|
716
725
|
- lib/inspec/utils/telemetry/global_methods.rb
|
717
726
|
- lib/inspec/utils/telemetry/run_context_probe.rb
|
727
|
+
- lib/inspec/utils/waivers/csv_file_reader.rb
|
728
|
+
- lib/inspec/utils/waivers/excel_file_reader.rb
|
729
|
+
- lib/inspec/utils/waivers/json_file_reader.rb
|
730
|
+
- lib/inspec/utils/yaml_profile_summary.rb
|
718
731
|
- lib/inspec/version.rb
|
732
|
+
- lib/inspec/waiver_file_reader.rb
|
719
733
|
- lib/matchers/matchers.rb
|
720
734
|
- lib/plugins/README.md
|
721
|
-
- lib/plugins/inspec-artifact/inspec-artifact.gemspec
|
722
|
-
- lib/plugins/inspec-artifact/lib/inspec-artifact.rb
|
723
|
-
- lib/plugins/inspec-artifact/lib/inspec-artifact/base.rb
|
724
|
-
- lib/plugins/inspec-artifact/lib/inspec-artifact/cli.rb
|
725
735
|
- lib/plugins/inspec-compliance/README.md
|
726
736
|
- lib/plugins/inspec-compliance/inspec-compliance.gemspec
|
727
737
|
- lib/plugins/inspec-compliance/lib/inspec-compliance.rb
|
@@ -760,6 +770,10 @@ files:
|
|
760
770
|
- lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/reporter.erb
|
761
771
|
- lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/streaming_reporter.erb
|
762
772
|
- lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/version.erb
|
773
|
+
- lib/plugins/inspec-init/templates/profiles/alicloud/README.md
|
774
|
+
- lib/plugins/inspec-init/templates/profiles/alicloud/controls/example.rb
|
775
|
+
- lib/plugins/inspec-init/templates/profiles/alicloud/inputs.yml
|
776
|
+
- lib/plugins/inspec-init/templates/profiles/alicloud/inspec.yml
|
763
777
|
- lib/plugins/inspec-init/templates/profiles/aws/README.md
|
764
778
|
- lib/plugins/inspec-init/templates/profiles/aws/controls/example.rb
|
765
779
|
- lib/plugins/inspec-init/templates/profiles/aws/inputs.yml
|
@@ -805,6 +819,10 @@ files:
|
|
805
819
|
- lib/plugins/inspec-reporter-junit/lib/inspec-reporter-junit.rb
|
806
820
|
- lib/plugins/inspec-reporter-junit/lib/inspec-reporter-junit/reporter.rb
|
807
821
|
- lib/plugins/inspec-reporter-junit/lib/inspec-reporter-junit/version.rb
|
822
|
+
- lib/plugins/inspec-sign/inspec-sign.gemspec
|
823
|
+
- lib/plugins/inspec-sign/lib/inspec-sign.rb
|
824
|
+
- lib/plugins/inspec-sign/lib/inspec-sign/base.rb
|
825
|
+
- lib/plugins/inspec-sign/lib/inspec-sign/cli.rb
|
808
826
|
- lib/plugins/inspec-streaming-reporter-progress-bar/README.md
|
809
827
|
- lib/plugins/inspec-streaming-reporter-progress-bar/inspec-streaming-reporter-progress-bar.gemspec
|
810
828
|
- lib/plugins/inspec-streaming-reporter-progress-bar/lib/inspec-streaming-reporter-progress-bar.rb
|
@@ -1,187 +0,0 @@
|
|
1
|
-
require "base64" unless defined?(Base64)
|
2
|
-
require "openssl" unless defined?(OpenSSL)
|
3
|
-
require "pathname" unless defined?(Pathname)
|
4
|
-
require "set" unless defined?(Set)
|
5
|
-
require "tempfile" unless defined?(Tempfile)
|
6
|
-
require "yaml"
|
7
|
-
require "inspec/dist"
|
8
|
-
require "inspec/utils/json_profile_summary"
|
9
|
-
|
10
|
-
module InspecPlugins
|
11
|
-
module Artifact
|
12
|
-
class Base
|
13
|
-
include Inspec::Dist
|
14
|
-
|
15
|
-
KEY_BITS = 2048
|
16
|
-
KEY_ALG = OpenSSL::PKey::RSA
|
17
|
-
|
18
|
-
INSPEC_PROFILE_VERSION_1 = "INSPEC-PROFILE-1".freeze
|
19
|
-
INSPEC_REPORT_VERSION_1 = "INSPEC-REPORT-1".freeze
|
20
|
-
|
21
|
-
ARTIFACT_DIGEST = OpenSSL::Digest::SHA512
|
22
|
-
ARTIFACT_DIGEST_NAME = "SHA512".freeze
|
23
|
-
|
24
|
-
VALID_PROFILE_VERSIONS = Set.new [INSPEC_PROFILE_VERSION_1]
|
25
|
-
VALID_PROFILE_DIGESTS = Set.new [ARTIFACT_DIGEST_NAME]
|
26
|
-
|
27
|
-
SIGNED_PROFILE_SUFFIX = "iaf".freeze
|
28
|
-
SIGNED_REPORT_SUFFIX = "iar".freeze
|
29
|
-
|
30
|
-
def self.keygen(options)
|
31
|
-
key = KEY_ALG.new KEY_BITS
|
32
|
-
puts "Generating private key"
|
33
|
-
open "#{options["keyname"]}.pem.key", "w" do |io|
|
34
|
-
io.write key.to_pem
|
35
|
-
end
|
36
|
-
puts "Generating public key"
|
37
|
-
open "#{options["keyname"]}.pem.pub", "w" do |io|
|
38
|
-
io.write key.public_key.to_pem
|
39
|
-
end
|
40
|
-
end
|
41
|
-
|
42
|
-
def self.profile_sign(options)
|
43
|
-
artifact = new
|
44
|
-
path_to_profile = options["profile"]
|
45
|
-
|
46
|
-
# Write inspec.json file within artifact
|
47
|
-
write_inspec_json(path_to_profile, options)
|
48
|
-
|
49
|
-
Dir.mktmpdir do |workdir|
|
50
|
-
puts "Signing #{options["profile"]} with key #{options["keyname"]}"
|
51
|
-
profile_md = artifact.read_profile_metadata(path_to_profile)
|
52
|
-
artifact_filename = "#{profile_md["name"]}-#{profile_md["version"]}.#{SIGNED_PROFILE_SUFFIX}"
|
53
|
-
tarfile = artifact.profile_compress(path_to_profile, profile_md, workdir)
|
54
|
-
content = IO.binread(tarfile)
|
55
|
-
signing_key = KEY_ALG.new File.read "#{options["keyname"]}.pem.key"
|
56
|
-
sha = ARTIFACT_DIGEST.new
|
57
|
-
signature = signing_key.sign sha, content
|
58
|
-
# convert the signature to Base64
|
59
|
-
signature_base64 = Base64.encode64(signature)
|
60
|
-
tar_content = IO.binread(tarfile)
|
61
|
-
File.open(artifact_filename, "wb") do |f|
|
62
|
-
f.puts(INSPEC_PROFILE_VERSION_1)
|
63
|
-
f.puts(options["keyname"])
|
64
|
-
f.puts(ARTIFACT_DIGEST_NAME)
|
65
|
-
f.puts(signature_base64)
|
66
|
-
f.puts("") # newline separates artifact header with body
|
67
|
-
f.write(tar_content)
|
68
|
-
end
|
69
|
-
puts "Successfully generated #{artifact_filename}"
|
70
|
-
end
|
71
|
-
|
72
|
-
# Cleanup
|
73
|
-
File.delete("#{path_to_profile}/inspec.json")
|
74
|
-
end
|
75
|
-
|
76
|
-
def self.profile_verify(options)
|
77
|
-
artifact = new
|
78
|
-
file_to_verifiy = options["infile"]
|
79
|
-
puts "Verifying #{file_to_verifiy}"
|
80
|
-
artifact.verify(file_to_verifiy) do ||
|
81
|
-
puts "Artifact is valid"
|
82
|
-
end
|
83
|
-
end
|
84
|
-
|
85
|
-
def self.profile_install(options)
|
86
|
-
artifact = new
|
87
|
-
puts "Installing profile"
|
88
|
-
file_to_verifiy = options["infile"]
|
89
|
-
dest_dir = options["destdir"]
|
90
|
-
artifact.verify(file_to_verifiy) do |content|
|
91
|
-
Dir.mktmpdir do |workdir|
|
92
|
-
tmpfile = Pathname.new(workdir).join("artifact_to_install.tar.gz")
|
93
|
-
File.write(tmpfile, content)
|
94
|
-
puts "Installing to #{dest_dir}"
|
95
|
-
`tar xzf #{tmpfile} -C #{dest_dir}`
|
96
|
-
end
|
97
|
-
end
|
98
|
-
end
|
99
|
-
|
100
|
-
def read_profile_metadata(path_to_profile)
|
101
|
-
begin
|
102
|
-
p = Pathname.new(path_to_profile)
|
103
|
-
p = p.join("inspec.yml")
|
104
|
-
unless p.exist?
|
105
|
-
raise "#{path_to_profile} doesn't appear to be a valid #{PRODUCT_NAME} profile"
|
106
|
-
end
|
107
|
-
|
108
|
-
yaml = YAML.load_file(p.to_s)
|
109
|
-
yaml = yaml.to_hash
|
110
|
-
|
111
|
-
unless yaml.key? "name"
|
112
|
-
raise "Profile is invalid, name is not defined"
|
113
|
-
end
|
114
|
-
|
115
|
-
unless yaml.key? "version"
|
116
|
-
raise "Profile is invalid, version is not defined"
|
117
|
-
end
|
118
|
-
rescue => e
|
119
|
-
# rewrap it and pass it up to the CLI
|
120
|
-
raise "Error reading #{PRODUCT_NAME} profile metadata: #{e}"
|
121
|
-
end
|
122
|
-
|
123
|
-
yaml
|
124
|
-
end
|
125
|
-
|
126
|
-
def profile_compress(path_to_profile, profile_md, workdir)
|
127
|
-
profile_name = profile_md["name"]
|
128
|
-
profile_version = profile_md["version"]
|
129
|
-
outfile_name = "#{workdir}/#{profile_name}-#{profile_version}.tar.gz"
|
130
|
-
`tar czf #{outfile_name} -C #{path_to_profile} .`
|
131
|
-
outfile_name
|
132
|
-
end
|
133
|
-
|
134
|
-
def valid_header?(file_alg, file_version, file_keyname)
|
135
|
-
public_keyfile = "#{file_keyname}.pem.pub"
|
136
|
-
puts "Looking for #{public_keyfile} to verify artifact"
|
137
|
-
unless File.exist? public_keyfile
|
138
|
-
raise "Can't find #{public_keyfile}"
|
139
|
-
end
|
140
|
-
|
141
|
-
raise "Invalid artifact digest algorithm detected" unless VALID_PROFILE_DIGESTS.member?(file_alg)
|
142
|
-
raise "Invalid artifact version detected" unless VALID_PROFILE_VERSIONS.member?(file_version)
|
143
|
-
end
|
144
|
-
|
145
|
-
def verify(file_to_verifiy, &content_block)
|
146
|
-
f = File.open(file_to_verifiy, "r")
|
147
|
-
file_version = f.readline.strip!
|
148
|
-
file_keyname = f.readline.strip!
|
149
|
-
file_alg = f.readline.strip!
|
150
|
-
|
151
|
-
file_sig = ""
|
152
|
-
# the signature is multi-line
|
153
|
-
while (line = f.readline) != "\n"
|
154
|
-
file_sig += line
|
155
|
-
end
|
156
|
-
file_sig.strip!
|
157
|
-
f.close
|
158
|
-
|
159
|
-
valid_header?(file_alg, file_version, file_keyname)
|
160
|
-
|
161
|
-
public_keyfile = "#{file_keyname}.pem.pub"
|
162
|
-
verification_key = KEY_ALG.new File.read public_keyfile
|
163
|
-
|
164
|
-
f = File.open(file_to_verifiy, "r")
|
165
|
-
while f.readline != "\n" do end
|
166
|
-
content = f.read
|
167
|
-
|
168
|
-
signature = Base64.decode64(file_sig)
|
169
|
-
digest = ARTIFACT_DIGEST.new
|
170
|
-
if verification_key.verify digest, signature, content
|
171
|
-
content_block.yield(content)
|
172
|
-
else
|
173
|
-
raise "Artifact is invalid"
|
174
|
-
end
|
175
|
-
end
|
176
|
-
|
177
|
-
def self.write_inspec_json(root_path, opts)
|
178
|
-
profile = Inspec::Profile.for_path(root_path, opts)
|
179
|
-
Inspec::Utils::JsonProfileSummary.produce_json(
|
180
|
-
info: profile.info,
|
181
|
-
write_path: "#{root_path}/inspec.json",
|
182
|
-
suppress_output: true
|
183
|
-
)
|
184
|
-
end
|
185
|
-
end
|
186
|
-
end
|
187
|
-
end
|