inspec-core 5.18.14 → 5.22.3

data/lib/inspec/resources/nftables.rb

@@ -0,0 +1,251 @@
+require "inspec/resources/command"
+require "json" unless defined?(JSON)
+
+# @see https://wiki.nftables.org/
+# @see https://www.netfilter.org/projects/nftables/manpage.html
+
+# rubocop:disable Style/ClassVars
+
+module Inspec::Resources
+  class NfTables < Inspec.resource(1)
+    name "nftables"
+    supports platform: "linux"
+    desc "Use the nftables InSpec audit resource to test rules and sets that are defined in nftables, which maintains tables of IP packet filtering rules. There may be more than one table. Each table contains one (or more) chains. A chain is a list of rules that match packets. When the rule matches, the rule defines what target to assign to the packet."
+    example <<~EXAMPLE
+      describe nftables(family:'inet', table:'filter', chain: 'INPUT') do
+        its('type') { should eq 'filter' }
+        its('hook') { should eq 'input' }
+        its('prio') { should eq 0 } # filter
+        its('policy') { should eq 'drop' }
+        it { should have_rule('tcp dport { 22, 80, 443 } accept') }
+      end
+    describe nftables(family: 'inet', table: 'filter', set: 'OPEN_PORTS') do
+      its('type') { should eq 'ipv4_addr . inet_proto . inet_service' }
+      its('flags') { should include 'interval' }
+      it { should have_element('1.1.1.1 . tcp . 25-27') }
+    end
+    EXAMPLE
+
+    @@bin = nil
+    @@nft_params = {}
+    @@nft_params["json"] = ""
+    @@nft_params["stateless"] = ""
+    @@nft_params["num"] = ""
+
+    def initialize(params = {})
+      @family = params[:family] || nil
+      @table = params[:table] || nil
+      @chain = params[:chain] || nil
+      @set = params[:set] || nil
+      @ignore_comments = params[:ignore_comments] || false
+      unless @@bin
+        @@bin = find_nftables_or_error
+      end
+
+      # Some old versions of `nft` do not support JSON output or stateless modifier
+      res = inspec.command("#{@@bin} --version").stdout
+      version = Gem::Version.new(/^nftables v(\S+) .*/.match(res)[1])
+      case
+      when version < Gem::Version.new("0.8.0")
+        @@nft_params["num"] = "-nn"
+      when version < Gem::Version.new("0.9.0")
+        @@nft_params["stateless"] = "-s"
+        @@nft_params["num"] = "-nn"
+      when version < Gem::Version.new("0.9.3")
+        @@nft_params["json"] = "-j"
+        @@nft_params["stateless"] = "-s"
+        @@nft_params["num"] = "-nn"
+      when version >= Gem::Version.new("0.9.3")
+        @@nft_params["json"] = "-j"
+        @@nft_params["stateless"] = "-s"
+        @@nft_params["num"] = "-y"
+        ## --terse
+      end
+
+      # family and table attributes are mandatory
+      fail_resource "nftables family and table are mandatory." if @family.nil? || @family.empty? || @table.nil? || @table.empty?
+      # chain name or set name has to be specified and are mutually exclusive
+      fail_resource "You must specify either a chain or a set name." if (@chain.nil? || @chain.empty?) && (@set.nil? || @set.empty?)
+      fail_resource "You must specify either a chain or a set name, not both." if !(@chain.nil? || @chain.empty?) && !(@set.nil? || @set.empty?)
+
+      # we're done if we are on linux
+      return if inspec.os.linux?
+
+      # ensures, all calls are aborted for non-supported os
+      @nftables_cache = {}
+      skip_resource "The `nftables` resource is not supported on your OS yet."
+    end
+
+    # Let's have a generic method to retrieve attributes for chains and sets
+    def _get_attr(name)
+      # Some attributes are valid for chains only, for sets only or for both
+      valid = {
+        "chains" => %w{hook policy prio type},
+        "sets" => %w{flags size type},
+      }
+
+      target_obj = @set.nil? ? "chains" : "sets"
+
+      if valid[target_obj].include?(name)
+        attrs = @set.nil? ? retrieve_chain_attrs : retrieve_set_attrs
+      else
+        raise Inspec::Exceptions::ResourceSkipped, "`#{name}` attribute is not valid for #{target_obj}"
+      end
+      # flags attribute is an array, if not retrieved ensure we return an empty array
+      # otherwise return an empty string
+      default = name == "flags" ? [] : ""
+      val = attrs.key?(name) ? attrs[name] : default
+      # When set type is has multiple data types it's retrieved as an array, make humans life easier
+      # by returning a string representation
+      if name == "type" && target_obj == "sets" && val.is_a?(Array)
+        return val.join(" . ")
+      end
+
+      val
+    end
+
+    # Create a method for each attribute
+    %i{flags hook policy prio size type}.each do |attr_method|
+      define_method attr_method do
+        _get_attr(attr_method.to_s)
+      end
+    end
+
+    def has_rule?(rule = nil, _family = nil, _table = nil, _chain = nil)
+      # checks if the rule is part of the chain
+      # for now, we expect an exact match
+      retrieve_chain_rules.any? { |line| line.casecmp(rule) == 0 }
+    end
+
+    def has_element?(element = nil, _family = nil, _table = nil, _chain = nil)
+      # checks if the element is part of the set
+      # for now, we expect an exact match
+      retrieve_set_elements.any? { |line| line.casecmp(element) == 0 }
+    end
+
+    def retrieve_set_elements
+      idx = "set_#{@family}_#{@table}_#{@set}"
+      return @nftables_cache[idx] if defined?(@nftables_cache) && @nftables_cache.key?(idx)
+
+      @nftables_cache = {} unless defined?(@nftables_cache)
+
+      elem_cmd = "list set #{@family} #{@table} #{@set}"
+      nftables_cmd = format("%s %s %s", @@bin, @@nft_params["stateless"], elem_cmd).strip
+
+      cmd = inspec.command(nftables_cmd)
+      return [] if cmd.exit_status.to_i != 0
+
+      @nftables_cache[idx] = cmd.stdout.gsub("\t", "").split("\n").reject { |line| line =~ /^(table|set|type|size|flags|typeof|auto-merge)/ || line =~ /^}$/ }.map { |line| line.sub("elements = {", "").sub("}", "").split(",") }.flatten.map(&:strip)
+    end
+
+    def retrieve_chain_rules
+      idx = "rule_#{@family}_#{@table}_#{@chain}"
+      return @nftables_cache[idx] if defined?(@nftables_cache) && @nftables_cache.key?(idx)
+
+      @nftables_cache = {} unless defined?(@nftables_cache)
+
+      # construct nftables command to read all rules of the given chain
+      chain_cmd = "list chain #{@family} #{@table} #{@chain}"
+      nftables_cmd = format("%s %s %s %s", @@bin, @@nft_params["stateless"], @@nft_params["num"], chain_cmd).strip
+
+      cmd = inspec.command(nftables_cmd)
+      return [] if cmd.exit_status.to_i != 0
+
+      rules = cmd.stdout.gsub("\t", "").split("\n").reject { |line| line =~ /^(table|chain)/ || line =~ /^}$/ }
+
+      if @ignore_comments
+        # split rules, returns array or rules without any comment
+        @nftables_cache[idx] = remove_comments_from_rules(rules)
+      else
+        # split rules, returns array or rules
+        @nftables_cache[idx] = rules.map(&:strip)
+      end
+    end
+
+    def retrieve_chain_attrs
+      idx = "chain_attrs_#{@family}_#{@table}_#{@chain}"
+      return @nftables_cache[idx] if defined?(@nftables_cache) && @nftables_cache.key?(idx)
+
+      @nftables_cache = {} unless defined?(@nftables_cache)
+
+      chain_cmd = "list chain #{@family} #{@table} #{@chain}"
+      nftables_cmd = format("%s %s %s %s", @@bin, @@nft_params["stateless"], @@nft_params["json"], chain_cmd).strip
+
+      cmd = inspec.command(nftables_cmd)
+      return {} if cmd.exit_status.to_i != 0
+
+      if @@nft_params["json"].empty?
+        res = cmd.stdout.gsub("\t", "").split("\n").select { |line| line =~ /^type/ }[0]
+        parsed = /type (\S+) hook (\S+) priority (\S+); policy (\S+);/.match(res)
+        @nftables_cache[idx] = { "type" => parsed[1], "hook" => parsed[2], "prio" => parsed[3].to_i, "policy" => parsed[4] }
+      else
+        @nftables_cache[idx] = JSON.parse(cmd.stdout)["nftables"].select { |line| line.key?("chain") }[0]["chain"]
+      end
+    end
+
+    def retrieve_set_attrs
+      idx = "set_attrs_#{@family}_#{@table}_#{@chain}"
+      return @nftables_cache[idx] if defined?(@nftables_cache) && @nftables_cache.key?(idx)
+
+      @nftables_cache = {} unless defined?(@nftables_cache)
+
+      chain_cmd = "list set #{@family} #{@table} #{@set}"
+      nftables_cmd = format("%s %s %s %s", @@bin, @@nft_params["stateless"], @@nft_params["json"], chain_cmd).strip
+
+      cmd = inspec.command(nftables_cmd)
+      return {} if cmd.exit_status.to_i != 0
+
+      if @@nft_params["json"].empty?
+        type = ""
+        size = 0
+        flags = []
+        res = cmd.stdout.gsub("\t", "").split("\n").select { |line| line =~ /^(type|size|flags)/ }
+        res.each do |line|
+          parsed = /^type (.*)/.match(line)
+          if parsed
+            type = parsed[1]
+          end
+          parsed = /^flags (.*)/.match(line)
+          if parsed
+            flags = parsed[1].split(",")
+          end
+          parsed = /^size (.*)/.match(line)
+          if parsed
+            size = parsed[1].to_i
+          end
+        end
+        @nftables_cache[idx] = { "type" => type, "size" => size, "flags" => flags }
+      else
+        @nftables_cache[idx] = JSON.parse(cmd.stdout)["nftables"].select { |line| line.key?("set") }[0]["set"]
+      end
+    end
+
+    def resource_id
+      to_s || "nftables"
+    end
+
+    def to_s
+      format("nftables (%s %s %s %s)", @family && "family: #{@family}", @table && "table: #{@table}", @chain && "chain: #{@chain}", @set && "set: #{@set}").strip
+    end
+
+    private
+
+    def remove_comments_from_rules(rules)
+      rules.each do |rule|
+        next if rule.nil?
+
+        rule.gsub!(/ comment "([^"]*)"/, "")
+        rule.strip
+      end
+      rules
+    end
+
+    def find_nftables_or_error
+      %w{/usr/sbin/nft /sbin/nft nft}.each do |cmd|
+        return cmd if inspec.command(cmd).exist?
+      end
+
+      raise Inspec::Exceptions::ResourceFailed, "Could not find `nft`"
+    end
+  end
+end

data/lib/inspec/resources/oracledb_session.rb

@@ -101,22 +101,31 @@ module Inspec::Resources
         verified_query = verify_query(escaped_query)
       end
 
-      sql_prefix, sql_postfix = "", ""
+      sql_prefix, sql_postfix, oracle_echo_str = "", "", ""
       if inspec.os.windows?
         sql_prefix = %{@'\n#{format_options}\n#{verified_query}\nEXIT\n'@ | }
       else
         sql_postfix = %{ <<'EOC'\n#{format_options}\n#{verified_query}\nEXIT\nEOC}
+        # oracle_query_string is echoed to be able to extract the query output clearly
+        oracle_echo_str = %{echo 'oracle_query_string';}
+      end
+
+      # Resetting sql_postfix if system is using AIX OS and C shell installation for oracle
+      if inspec.os.aix?
+        command_to_fetch_shell = @su_user ? %{su - #{@su_user} -c "env | grep SHELL"} : %{env | grep SHELL}
+        shell_is_csh = inspec.command(command_to_fetch_shell).stdout&.include? "/csh"
+        sql_postfix = %{ <<'EOC'\n#{format_options}\n#{verified_query}\nEXIT\n'EOC'} if shell_is_csh
       end
 
       if @db_role.nil?
-        %{#{sql_prefix}#{bin} #{user}/#{password}@#{host}:#{port}/#{@service}#{sql_postfix}}
+        %{#{oracle_echo_str}#{sql_prefix}#{bin} #{user}/#{password}@#{host}:#{port}/#{@service}#{sql_postfix}}
       elsif @su_user.nil?
-        %{#{sql_prefix}#{bin} #{user}/#{password}@#{host}:#{port}/#{@service} as #{@db_role}#{sql_postfix}}
+        %{#{oracle_echo_str}#{sql_prefix}#{bin} #{user}/#{password}@#{host}:#{port}/#{@service} as #{@db_role}#{sql_postfix}}
       else
         # oracle_query_string is echoed to be able to extract the query output clearly
         # su - su_user in certain versions of oracle returns a message
         # Example of msg with query output: The Oracle base remains unchanged with value /oracle\n\nVALUE\n3\n
-        %{su - #{@su_user} -c "echo 'oracle_query_string'; env ORACLE_SID=#{@service} #{@bin} / as #{@db_role}#{sql_postfix}"}
+        %{su - #{@su_user} -c "#{oracle_echo_str} env ORACLE_SID=#{@service} #{@bin} / as #{@db_role}#{sql_postfix}"}
       end
     end
 

data/lib/inspec/resources/podman.rb

@@ -0,0 +1,353 @@
+require "inspec/resources/command"
+require "inspec/utils/filter"
+require "hashie/mash"
+
+module Inspec::Resources
+  class Podman < Inspec.resource(1)
+    # Resource requires an internal name.
+    name "podman"
+
+    # Restrict to only run on the below platforms (if none were given,
+    # all OS's and cloud API's supported)
+    supports platform: "unix"
+
+    desc "A resource to retrieve information about podman"
+
+    example <<~EXAMPLE
+      describe podman.containers do
+        its('images') { should include "docker.io/library/ubuntu:latest" }
+      end
+
+      describe podman.images do
+        its('names') { should_not include "docker.io/library/ubuntu:latest" }
+      end
+
+      describe podman.pods do
+        its("ids") { should include "95cadbb84df71e6374fceb3fd89ee3b8f2c7e1a831062cd9cea7d0e3e4b1dbcc" }
+      end
+
+      describe podman.info.host do
+        its("os") { should eq "linux"}
+      end
+
+      describe podman.version do
+        its("Client.Version") { should eq "4.1.0"}
+      end
+
+      podman.containers.ids.each do |id|
+        # call podman inspect for a specific container id
+        describe podman.object(id) do
+          its("State.OciVersion") { should eq "1.0.2-dev" }
+          its("State.Running") { should eq true}
+        end
+      end
+    EXAMPLE
+
+    def containers
+      PodmanContainerFilter.new(parse_containers)
+    end
+
+    def images
+      PodmanImageFilter.new(parse_images)
+    end
+
+    def networks
+      PodmanNetworkFilter.new(parse_networks)
+    end
+
+    def pods
+      PodmanPodFilter.new(parse_pods)
+    end
+
+    def volumes
+      PodmanVolumeFilter.new(parse_volumes)
+    end
+
+    def version
+      return @version if defined?(@version)
+
+      sub_cmd = "version --format json"
+      output = run_command(sub_cmd)
+      @version = Hashie::Mash.new(JSON.parse(output))
+    rescue JSON::ParserError => _e
+      Hashie::Mash.new({})
+    end
+
+    def info
+      return @info if defined?(@info)
+
+      sub_cmd = "info --format json"
+      output = run_command(sub_cmd)
+      @info = Hashie::Mash.new(JSON.parse(output))
+    rescue JSON::ParserError => _e
+      Hashie::Mash.new({})
+    end
+
+    # returns information about podman objects
+    def object(id)
+      return @inspect if defined?(@inspect)
+
+      output = run_command("inspect #{id} --format json")
+      data = JSON.parse(output)
+      data = data[0] if data.is_a?(Array)
+      @inspect = Hashie::Mash.new(data)
+    rescue JSON::ParserError => _e
+      Hashie::Mash.new({})
+    end
+
+    def to_s
+      "Podman"
+    end
+
+    private
+
+    # Calls the run_command method to get all podman containers and parse the command output.
+    # Returns the parsed command output.
+    def parse_containers
+      labels = %w{ID Image ImageID Command CreatedAt RunningFor Status Pod Ports Size Names Networks Labels Mounts}
+      parse_json_command(labels, "ps -a --no-trunc --size")
+    end
+
+    # Calls the run_command method to get all podman images and parse the command output.
+    # Returns the parsed command output.
+    def parse_images
+      labels = %w{ID Repository Tag Size Digest CreatedAt CreatedSince History}
+      parse_json_command(labels, "images -a --no-trunc")
+    end
+
+    # Calls the run_command method to get all podman network list and parse the command output.
+    # Returns the parsed command output.
+    def parse_networks
+      labels = %w{ID Name Driver Labels Options IPAMOptions Created Internal IPv6Enabled DNSEnabled NetworkInterface Subnets}
+      parse_json_command(labels, "network ls --no-trunc")
+    end
+
+    # Calls the run_command method to get all podman pod list and parse the command output.
+    # Returns the parsed command output.
+    def parse_pods
+      sub_cmd = "pod ps --no-trunc --format json"
+      output = run_command(sub_cmd)
+      parse(output)
+    end
+
+    # Calls the run_command method to get all podman volume list and parse the command output.
+    # Returns the parsed command output.
+    def parse_volumes
+      sub_cmd = "volume ls --format json"
+      output = run_command(sub_cmd)
+      parse(output)
+    end
+
+    # Runs the given podman command on the host machine on which podman is installed
+    # Returns the command output or raises the command execution error.
+    def run_command(subcommand)
+      result = inspec.command("podman #{subcommand}")
+      if result.stderr.empty?
+        result.stdout
+      else
+        raise "Error while running command \'podman #{subcommand}\' : #{result.stderr}"
+      end
+    end
+
+    def parse_json_command(labels, subcommand)
+      # build command
+      format = labels.map { |label| "\"#{label}\": {{json .#{label}}}" }
+      raw = inspec.command("podman #{subcommand} --format '{#{format.join(", ")}}'").stdout
+      output = []
+
+      raw.each_line do |entry|
+        # convert all keys to lower_case to work well with ruby and filter table
+        row = JSON.parse(entry).map do |key, value|
+          [key.downcase, value]
+        end.to_h
+
+        # ensure all keys are there
+        row = ensure_keys(row, labels)
+        output.push(row)
+      end
+
+      output
+    rescue JSON::ParserError => _e
+      warn "Could not parse `podman #{subcommand}` output"
+      []
+    end
+
+    def ensure_keys(entry, labels)
+      labels.each do |key|
+        entry[key.downcase] = nil unless entry.key?(key.downcase)
+      end
+      entry
+    end
+
+    # Method to parse JDON content.
+    # Returns: Parsed data.
+    def parse(content)
+      require "json" unless defined?(JSON)
+      output = JSON.parse(content)
+      parsed_output = []
+      output.each do |entry|
+        entry = entry.map do |k, v|
+          [k.downcase, v]
+        end.to_h
+        parsed_output << entry
+      end
+      parsed_output
+    rescue => e
+      raise Inspec::Exceptions::ResourceFailed, "Unable to parse command JSON output: #{e.message}"
+    end
+  end
+
+  # class for podman.containers plural resource
+  class PodmanContainerFilter
+    filter = FilterTable.create
+    filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
+    filter.register_column(:commands,   field: "command")
+      .register_column(:ids,            field: "id")
+      .register_column(:created_at,     field: "createdat")
+      .register_column(:images,         field: "image")
+      .register_column(:names,          field: "names")
+      .register_column(:status,         field: "status")
+      .register_column(:image_ids,      field: "image_id")
+      .register_column(:labels,         field: "labels", style: :simple)
+      .register_column(:mounts,         field: "mounts")
+      .register_column(:networks,       field: "networks")
+      .register_column(:pods,           field: "pod")
+      .register_column(:ports,          field: "ports")
+      .register_column(:sizes,          field: "size")
+      .register_column(:running_for,    field: "running_for")
+      .register_custom_matcher(:running?) do |x|
+        x.where { status.downcase.start_with?("up") }
+      end
+    filter.install_filter_methods_on_resource(self, :containers)
+
+    attr_reader :containers
+    def initialize(containers)
+      @containers = containers
+    end
+
+    def to_s
+      "Podman Containers"
+    end
+
+    def resource_id
+      "Podman Containers"
+    end
+  end
+
+  # class for podman.images plural resource
+  class PodmanImageFilter
+    filter = FilterTable.create
+    filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
+    filter.register_column(:ids,       field: "id")
+      .register_column(:repositories,  field: "repository")
+      .register_column(:tags,          field: "tag")
+      .register_column(:sizes,         field: "size")
+      .register_column(:digests,       field: "digest")
+      .register_column(:created_at,    field: "createdat")
+      .register_column(:created_since, field: "createdsince")
+      .register_column(:history,       field: "history")
+    filter.install_filter_methods_on_resource(self, :images)
+
+    attr_reader :images
+    def initialize(images)
+      @images = images
+    end
+
+    def to_s
+      "Podman Images"
+    end
+
+    def resource_id
+      "Podman Images"
+    end
+  end
+
+  class PodmanNetworkFilter
+    filter = FilterTable.create
+    filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
+      .register_column(:ids,                  field: "id")
+      .register_column(:names,                field: "name")
+      .register_column(:drivers,              field: "driver")
+      .register_column(:network_interfaces,   field: "networkinterface")
+      .register_column(:created,              field: "created")
+      .register_column(:subnets,              field: "subnets")
+      .register_column(:ipv6_enabled,         field: "ipv6enabled")
+      .register_column(:internal,             field: "internal")
+      .register_column(:dns_enabled,          field: "dnsenabled")
+      .register_column(:ipam_options,         field: "ipamoptions")
+      .register_column(:options,              field: "options")
+      .register_column(:labels,               field: "labels")
+    filter.install_filter_methods_on_resource(self, :networks)
+
+    attr_reader :networks
+    def initialize(networks)
+      @networks = networks
+    end
+
+    def to_s
+      "Podman Networks"
+    end
+
+    def resource_id
+      "Podman Networks"
+    end
+  end
+
+  class PodmanPodFilter
+    filter = FilterTable.create
+    filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
+      .register_column(:ids,                  field: "id")
+      .register_column(:cgroups,              field: "cgroup")
+      .register_column(:containers,           field: "containers")
+      .register_column(:created,              field: "created")
+      .register_column(:infraids,             field: "infraid")
+      .register_column(:names,                field: "name")
+      .register_column(:namespaces,           field: "namespace")
+      .register_column(:networks,             field: "networks")
+      .register_column(:status,               field: "status")
+      .register_column(:labels,               field: "labels")
+    filter.install_filter_methods_on_resource(self, :pods)
+
+    attr_reader :pods
+    def initialize(pods)
+      @pods = pods
+    end
+
+    def to_s
+      "Podman Pods"
+    end
+
+    def resource_id
+      "Podman Pods"
+    end
+  end
+
+  class PodmanVolumeFilter
+    filter = FilterTable.create
+    filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
+      .register_column(:names,              field: "name")
+      .register_column(:drivers,            field: "driver")
+      .register_column(:mountpoints,        field: "mountpoint")
+      .register_column(:createdat,          field: "createdat")
+      .register_column(:labels,             field: "labels")
+      .register_column(:scopes,             field: "scope")
+      .register_column(:options,            field: "options")
+      .register_column(:mountcount,         field: "mountcount")
+      .register_column(:needscopyup,        field: "needscopyup")
+      .register_column(:needschown,         field: "needschown")
+    filter.install_filter_methods_on_resource(self, :volumes)
+
+    attr_reader :volumes
+    def initialize(volumes)
+      @volumes = volumes
+    end
+
+    def to_s
+      "Podman Volumes"
+    end
+
+    def resource_id
+      "Podman Volumes"
+    end
+  end
+end