inspec-core 5.18.14 → 5.22.3

data/lib/inspec/resources/podman_container.rb

@@ -0,0 +1,84 @@
+require "inspec/resources/podman"
+require_relative "docker_object"
+
+# Change module if required
+module Inspec::Resources
+  class PodmanContainer < Inspec.resource(1)
+    include Inspec::Resources::DockerObject
+    name "podman_container"
+    supports platform: "unix"
+
+    desc "Inspec core resource to retrieve information about podman container"
+
+    example <<~EXAMPLE
+        describe podman_container("sweet_mendeleev") do
+          it { should exist }
+          it { should be_running }
+          its("id") { should eq "591270d8d80d26671fd6ed622f367fbe19004d16e3b519c292313feb5f22e7f7" }
+          its("image") { should eq "docker.io/library/nginx:latest" }
+          its("labels") { should include "maintainer"=>"NGINX Docker Maintainers <docker-maint@nginx.com>" }
+          its("ports") { should eq nil }
+        end
+
+        describe podman_container(id: "591270d8d80d2667") do
+          it { should exist }
+          it { should be_running }
+        end
+    EXAMPLE
+
+    def initialize(opts = {})
+      skip_resource "The `podman_container` resource is not yet available on your OS." unless inspec.os.unix?
+
+      # if a string is provided, we expect it is the name
+      if opts.is_a?(String)
+        @opts = { name: opts }
+      else
+        @opts = opts
+      end
+    end
+
+    def running?
+      status.downcase.start_with?("up") if object_info.entries.length == 1
+    end
+
+    def status
+      object_info.status[0] if object_info.entries.length == 1
+    end
+
+    def labels
+      object_info.labels
+    end
+
+    def ports
+      object_info.ports[0] if object_info.entries.length == 1
+    end
+
+    def command
+      return unless object_info.entries.length == 1
+
+      object_info.commands[0]
+    end
+
+    def image
+      object_info.images[0] if object_info.entries.length == 1
+    end
+
+    def resource_id
+      object_info.ids[0] || @opts[:id] || @opts[:name] || ""
+    end
+
+    def to_s
+      name = @opts[:name] || @opts[:id]
+      "Podman Container #{name}"
+    end
+
+    private
+
+    def object_info
+      return @info if defined?(@info)
+
+      opts = @opts
+      @info = inspec.podman.containers.where { names == opts[:name] || (!id.nil? && !opts[:id].nil? && (id == opts[:id] || id.start_with?(opts[:id]))) }
+    end
+  end
+end

data/lib/inspec/resources/podman_image.rb

@@ -0,0 +1,108 @@
+require "inspec/resources/command"
+require_relative "docker_object"
+require "inspec/utils/podman"
+
+module Inspec::Resources
+  class PodmanImage < Inspec.resource(1)
+    include Inspec::Resources::DockerObject
+    include Inspec::Utils::Podman
+
+    name "podman_image"
+    supports platform: "unix"
+
+    desc "InSpec core resource to retrieve information about podman image"
+
+    example <<~EXAMPLE
+      describe podman_image("docker.io/library/busybox") do
+        it { should exist }
+        its("repo_tags") { should include "docker.io/library/busybox:latest" }
+        its("size") { should eq 1636053 }
+        its("resource_id") { should eq "docker.io/library/busybox:latest" }
+      end
+
+      describe podman_image("docker.io/library/busybox:latest") do
+        it { should exist }
+      end
+
+      describe podman_image(repo: "docker.io/library/busybox", tag: "latest") do
+        it { should exist }
+      end
+
+      describe podman_image(id: "3c19bafed223") do
+        it { should exist }
+      end
+    EXAMPLE
+
+    attr_reader :opts, :image_info
+
+    def initialize(opts)
+      skip_resource "The `podman_image` resource is not yet available on your OS." unless inspec.os.unix?
+      opts = { image: opts } if opts.is_a?(String)
+      @opts = sanitize_options(opts)
+      raise Inspec::Exceptions::ResourceFailed, "Podman is not running. Please make sure it is installed and running." unless podman_running?
+
+      @image_info = get_image_info
+    end
+
+    LABELS = {
+      "id" => "ID",
+      "repo_tags" => "RepoTags",
+      "size" => "Size",
+      "digest" => "Digest",
+      "created_at" => "Created",
+      "version" => "Version",
+      "names_history" => "NamesHistory",
+      "repo_digests" => "RepoDigests",
+      "architecture" => "Architecture",
+      "os" => "Os",
+      "virtual_size" => "VirtualSize",
+    }.freeze
+
+    ## This creates all the required properties methods dynamically.
+    LABELS.each do |k, v|
+      define_method(k) do
+        image_info[k.to_s]
+      end
+    end
+
+    def exist?
+      ! image_info.empty?
+    end
+
+    def resource_id
+      opts[:id] || opts[:image] || ""
+    end
+
+    def to_s
+      "podman_image #{resource_id}"
+    end
+
+    private
+
+    def sanitize_options(opts)
+      opts.merge!(parse_components_from_image(opts[:image]))
+
+      # assume a "latest" tag if we don't have one
+      opts[:tag] ||= "latest"
+
+      # Assemble/reassemble the image from the repo and tag
+      opts[:image] = "#{opts[:repo]}:#{opts[:tag]}" unless opts[:repo].nil?
+
+      opts
+    end
+
+    def get_image_info
+      current_image = opts[:id] || opts[:image] || opts[:repo] + ":" + opts[:tag]
+      json_key_label = generate_go_template(LABELS)
+      podman_inspect_cmd = inspec.command("podman image inspect #{current_image} --format '{#{json_key_label}}'")
+
+      if podman_inspect_cmd.exit_status == 0
+        parse_command_output(podman_inspect_cmd.stdout)
+      elsif podman_inspect_cmd.stderr =~ /failed to find image/
+        {}
+      else
+        raise Inspec::Exceptions::ResourceFailed, "Unable to retrieve podman image information for #{current_image}.\nError message: #{podman_inspect_cmd.stderr}"
+      end
+    end
+  end
+end

data/lib/inspec/resources/podman_network.rb

@@ -0,0 +1,81 @@
+require "inspec/resources/command"
+require "inspec/utils/podman"
+module Inspec::Resources
+  class PodmanNetwork < Inspec.resource(1)
+    include Inspec::Utils::Podman
+
+    name "podman_network"
+
+    supports platform: "unix"
+
+    desc "InSpec core resource to retrive information about the given Podman network"
+
+    example <<~EXAMPLE
+      describe podman_network("podman") do
+        it { should exist }
+      end
+      describe podman_network("3a7c94d937d5f3a0f1a9b1610589945aedfbe56207fd5d32fc8154aa1a8b007f") do
+        its("driver") { should eq bridge }
+      end
+    EXAMPLE
+
+    LABELS = {
+      id: "ID",
+      name: "Name",
+      driver: "Driver",
+      labels: "Labels",
+      options: "Options",
+      ipam_options: "IPAMOptions",
+      internal: "Internal",
+      created: "Created",
+      ipv6_enabled: "IPv6Enabled",
+      dns_enabled: "DNSEnabled",
+      network_interface: "NetworkInterface",
+      subnets: "Subnets",
+    }.freeze
+
+    attr_reader :param, :network_info
+    def initialize(param)
+      skip_resource "The `podman_network` resource is not yet available on your OS." unless inspec.os.unix?
+
+      @param = param
+      raise Inspec::Exceptions::ResourceFailed, "Podman is not running. Please make sure it is installed and running." unless podman_running?
+
+      @network_info = get_network_info
+    end
+
+    ## This creates all the required properties methods dynamically.
+    LABELS.each do |k, v|
+      define_method(k) do
+        network_info[k.to_s]
+      end
+    end
+
+    def exist?
+      !network_info.empty?
+    end
+
+    def resource_id
+      id || param || ""
+    end
+
+    def to_s
+      "podman_network #{resource_id}"
+    end
+
+    private
+
+    def get_network_info
+      go_template_format = generate_go_template(LABELS)
+      result = inspec.command("podman network inspect #{param} --format '{#{go_template_format}}'")
+
+      if result.exit_status == 0
+        parse_command_output(result.stdout)
+      elsif result.stderr =~ /network not found/
+        {}
+      else
+        raise Inspec::Exceptions::ResourceFailed, "Unable to retrieve podman network information for #{param}.\nError message: #{result.stderr}"
+      end
+    end
+  end
+end

data/lib/inspec/resources/podman_pod.rb

@@ -0,0 +1,101 @@
+require "inspec/resources/command"
+require "inspec/utils/podman"
+
+module Inspec::Resources
+  class PodmanPod < Inspec.resource(1)
+    include Inspec::Utils::Podman
+
+    name "podman_pod"
+    supports platform: "unix"
+
+    desc "InSpec core resource to retrieve information about podman pod"
+
+    example <<~EXAMPLE
+      describe podman_pod("nginx-frontend") do
+        it { should exist }
+        its("id") { should eq "fcfe4d471cfface0d1b39bce23af7d31ab8736cd68c0360ade0b4afe364f79d4" }
+        its("name") { should eq "nginx-frontend" }
+        its("created_at") { should eq "2022-07-14T15:47:47.978078124+05:30" }
+        its("create_command") { should include "new:nginx-frontend" }
+        its("state") { should eq "Running" }
+        its("hostname") { should eq "" }
+        its("create_cgroup") { should eq true }
+        its("cgroup_parent") { should eq "user.slice" }
+        its("cgroup_path") { should eq "user.slice/user-libpod_pod_fcfe4d471cfface0d1b39bce23af7d31ab8736cd68c0360ade0b4afe364f79d4.slice" }
+        its("create_infra") { should eq true }
+        its("infra_container_id") { should eq "727538044b32a165934729dc2d47d9d5e981b6496aebfad7de470f7e76ea4251" }
+        its("infra_config") { should include "DNSOption" }
+        its("shared_namespaces") { should include "ipc" }
+        its("num_containers") { should eq 2 }
+        its("containers") { should_not be nil }
+      end
+
+      describe podman_pod("non-existing-pod") do
+        it { should_not exist }
+      end
+    EXAMPLE
+
+    attr_reader :pod_info, :pod_id
+
+    def initialize(pod_id)
+      skip_resource "The `podman_pod` resource is not yet available on your OS." unless inspec.os.unix?
+      raise Inspec::Exceptions::ResourceFailed, "Podman is not running. Please make sure it is installed and running." unless podman_running?
+
+      @pod_id = pod_id
+      @pod_info = get_pod_info
+    end
+
+    LABELS = {
+      "id" => "ID",
+      "name" => "Name",
+      "created_at" => "Created",
+      "create_command" => "CreateCommand",
+      "state" => "State",
+      "hostname" => "Hostname",
+      "create_cgroup" => "CreateCgroup",
+      "cgroup_parent" => "CgroupParent",
+      "cgroup_path" => "CgroupPath",
+      "create_infra" => "CreateInfra",
+      "infra_container_id" => "InfraContainerID",
+      "infra_config" => "InfraConfig",
+      "shared_namespaces" => "SharedNamespaces",
+      "num_containers" => "NumContainers",
+      "containers" => "Containers",
+    }.freeze
+
+    # This creates all the required properties methods dynamically.
+    LABELS.each do |k, _|
+      define_method(k) do
+        pod_info[k.to_s]
+      end
+    end
+
+    def exist?
+      !pod_info.empty?
+    end
+
+    def resource_id
+      pod_id
+    end
+
+    def to_s
+      "Podman Pod #{resource_id}"
+    end
+
+    private
+
+    def get_pod_info
+      json_key_label = generate_go_template(LABELS)
+
+      inspect_pod_cmd = inspec.command("podman pod inspect #{pod_id} --format '{#{json_key_label}}'")
+
+      if inspect_pod_cmd.exit_status == 0
+        parse_command_output(inspect_pod_cmd.stdout)
+      elsif inspect_pod_cmd.stderr =~ /no pod with name or ID/
+        {}
+      else
+        raise Inspec::Exceptions::ResourceFailed, "Unable to retrieve podman pod information for #{pod_id}.\nError message: #{inspect_pod_cmd.stderr}"
+      end
+    end
+  end
+end

data/lib/inspec/resources/podman_volume.rb

@@ -0,0 +1,87 @@
+require "inspec/resources/command"
+require "inspec/utils/podman"
+
+module Inspec::Resources
+  class PodmanVolume < Inspec.resource(1)
+    include Inspec::Utils::Podman
+
+    name "podman_volume"
+    supports platform: "unix"
+
+    desc "InSpec core resource to retrieve information about podman volume"
+
+    example <<~EXAMPLE
+      describe podman_volume("my_volume") do
+        it { should exist }
+        its("name") { should eq "my_volume" }
+        its("driver") { should eq "local" }
+        its("mountpoint") { should eq "/var/home/core/.local/share/containers/storage/volumes/my_volume/_data" }
+        its("created_at") { should eq "2022-07-14T13:21:19.965421792+05:30" }
+        its("labels") { should eq({}) }
+        its("scope") { should eq "local" }
+        its("options") { should eq({}) }
+        its("mount_count") { should eq 0 }
+        its("needs_copy_up") { should eq true }
+        its("needs_chown") { should eq true }
+      end
+    EXAMPLE
+
+    attr_reader :volume_info, :volume_name
+
+    def initialize(volume_name)
+      skip_resource "The `podman_volume` resource is not yet available on your OS." unless inspec.os.unix?
+      raise Inspec::Exceptions::ResourceFailed, "Podman is not running. Please make sure it is installed and running." unless podman_running?
+
+      @volume_name = volume_name
+      @volume_info = get_volume_info
+    end
+
+    LABELS = {
+      "name" => "Name",
+      "driver" => "Driver",
+      "mountpoint" => "Mountpoint",
+      "created_at" => "CreatedAt",
+      "labels" => "Labels",
+      "scope" => "Scope",
+      "options" => "Options",
+      "mount_count" => "MountCount",
+      "needs_copy_up" => "NeedsCopyUp",
+      "needs_chown" => "NeedsChown",
+    }.freeze
+
+    # This creates all the required properties methods dynamically.
+    LABELS.each do |k, _|
+      define_method(k) do
+        volume_info[k.to_s]
+      end
+    end
+
+    def exist?
+      !volume_info.empty?
+    end
+
+    def resource_id
+      volume_name
+    end
+
+    def to_s
+      "podman_volume #{resource_id}"
+    end
+
+    private
+
+    def get_volume_info
+      json_key_label = generate_go_template(LABELS)
+
+      inspect_volume_cmd = inspec.command("podman volume inspect #{volume_name} --format '{#{json_key_label}}'")
+
+      if inspect_volume_cmd.exit_status == 0
+        parse_command_output(inspect_volume_cmd.stdout)
+      elsif inspect_volume_cmd.stderr =~ /inspecting object: no such/
+        {}
+      else
+        raise Inspec::Exceptions::ResourceFailed, "Unable to retrieve podman volume information for #{volume_name}.\nError message: #{inspect_volume_cmd.stderr}"
+      end
+    end
+  end
+end

data/lib/inspec/resources/postgres_session.rb

@@ -81,7 +81,8 @@ module Inspec::Resources
         # Socket path and empty host in the connection string establishes socket connection
         # Socket connection only enabled for non-windows platforms
         # Windows does not support unix domain sockets
-        "psql -d postgresql://#{@user}:#{@pass}@/#{dbs}?host=#{@socket_path} -A -t -w -c #{escaped_query(query)}"
+        option_port = @port.nil? ? "" : "-p #{@port}" # add explicit port if specified
+        "psql -d postgresql://#{@user}:#{@pass}@/#{dbs}?host=#{@socket_path} #{option_port} -A -t -w -c #{escaped_query(query)}"
       else
         # Host in connection string establishes tcp/ip connection
         if inspec.os.windows?

data/lib/inspec/resources/service.rb

@@ -646,7 +646,7 @@ module Inspec::Resources
       return nil if srv.nil? || srv[0].nil?
 
       # extract values from service
-      parsed_srv = /^(?<pid>[0-9-]+)\t(?<exit>[0-9]+)\t(?<name>\S*)$/.match(srv[0])
+      parsed_srv = /^(?<pid>[0-9-]+)\t(?<exit>[\-0-9]+)\t(?<name>\S*)$/.match(srv[0])
       enabled = !parsed_srv["name"].nil? # it's in the list
 
       # check if the service is running

data/lib/inspec/resources.rb

@@ -73,6 +73,7 @@ require "inspec/resources/mssql_sys_conf"
 require "inspec/resources/mysql"
 require "inspec/resources/mysql_conf"
 require "inspec/resources/mysql_session"
+require "inspec/resources/nftables"
 require "inspec/resources/nginx"
 require "inspec/resources/nginx_conf"
 require "inspec/resources/npm"

data/lib/inspec/rule.rb

@@ -8,13 +8,15 @@ require "inspec/impact"
 require "inspec/resource"
 require "inspec/resources/os"
 require "inspec/input_registry"
+require "inspec/waiver_file_reader"
+require "inspec/utils/convert"
 
 module Inspec
   class Rule
     include ::RSpec::Matchers
 
     attr_reader :__waiver_data
-    attr_accessor :resource_dsl
+    attr_accessor :resource_dsl, :na_impact_freeze
     attr_reader :__profile_id
 
     def initialize(id, profile_id, resource_dsl, opts, &block)
@@ -38,6 +40,7 @@ module Inspec
       @__merge_count = 0
       @__merge_changes = []
       @__skip_only_if_eval = opts[:skip_only_if_eval]
+      @__na_rule = {}
 
       # evaluate the given definition
       return unless block_given?
@@ -73,10 +76,13 @@ module Inspec
     end
 
     def impact(v = nil)
-      if v.is_a?(String)
-        @impact = Inspec::Impact.impact_from_string(v)
-      elsif !v.nil?
-        @impact = v
+      # N/A impact freeze is required when only_applicable_if block has reset impact value to zero"
+      unless na_impact_freeze
+        if v.is_a?(String)
+          @impact = Inspec::Impact.impact_from_string(v)
+        elsif !v.nil?
+          @impact = v
+        end
       end
 
       @impact
@@ -133,15 +139,28 @@ module Inspec
     #
     # @param [Type] &block returns true if tests are added, false otherwise
     # @return [nil]
-    def only_if(message = nil)
+    def only_if(message = nil, impact: nil)
       return unless block_given?
       return if @__skip_only_if_eval == true
 
+      self.impact(impact) if impact && !yield
       @__skip_rule[:result] ||= !yield
       @__skip_rule[:type] = :only_if
       @__skip_rule[:message] = message
     end
 
+    def only_applicable_if(message = nil)
+      return unless block_given?
+      return if yield
+
+      impact(0.0)
+      self.na_impact_freeze = true # this flag prevents impact value to reset to any other value
+
+      @__na_rule[:result] ||= !yield
+      @__na_rule[:type] = :only_applicable_if
+      @__na_rule[:message] = message
+    end
+
     # Describe will add one or more tests to this control. There is 2 ways
     # of calling it:
     #
@@ -252,6 +271,10 @@ module Inspec
       rule.instance_variable_get(:@__skip_rule)
     end
 
+    def self.na_status(rule)
+      rule.instance_variable_get(:@__na_rule)
+    end
+
     def self.set_skip_rule(rule, value, message = nil, type = :only_if)
       rule.instance_variable_set(:@__skip_rule,
                                  {
@@ -273,16 +296,26 @@ module Inspec
     # creates a dummay array of "checks" with a skip outcome
     def self.prepare_checks(rule)
       skip_check = skip_status(rule)
-      return checks(rule) unless skip_check[:result].eql?(true)
+      na_check = na_status(rule)
+      return checks(rule) unless skip_check[:result].eql?(true) || na_check[:result].eql?(true)
 
-      if skip_check[:message]
-        msg = "Skipped control due to #{skip_check[:type]} condition: #{skip_check[:message]}"
+      resource = rule.noop
+      if skip_check[:result].eql?(true)
+        if skip_check[:message]
+          msg = "Skipped control due to #{skip_check[:type]} condition: #{skip_check[:message]}"
+        else
+          msg = "Skipped control due to #{skip_check[:type]} condition."
+        end
+        resource.skip_resource(msg)
       else
-        msg = "Skipped control due to #{skip_check[:type]} condition."
+        if na_check[:message]
+          msg = "N/A control due to #{na_check[:type]} condition: #{na_check[:message]}"
+        else
+          msg = "N/A control due to #{na_check[:type]} condition."
+        end
+        resource.fail_resource(msg)
       end
 
-      resource = rule.noop
-      resource.skip_resource(msg)
       [["describe", [resource], nil]]
     end
 
@@ -337,17 +370,20 @@ module Inspec
     # only_if mechanism)
     # Double underscore: not intended to be called as part of the DSL
     def __apply_waivers
-      input_name = @__rule_id # TODO: control ID slugging
-      registry = Inspec::InputRegistry.instance
-      input = registry.inputs_by_profile.dig(__profile_id, input_name)
-      return unless input && input.has_value? && input.value.is_a?(Hash)
+      control_id = @__rule_id # TODO: control ID slugging
+      waiver_files = Inspec::Config.cached.final_options["waiver_file"] if Inspec::Config.cached.respond_to?(:final_options)
+
+      waiver_data_by_profile = Inspec::WaiverFileReader.fetch_waivers_by_profile(__profile_id, waiver_files) unless waiver_files.nil?
+
+      return unless waiver_data_by_profile && waiver_data_by_profile[control_id] && waiver_data_by_profile[control_id].is_a?(Hash)
 
       # An InSpec Input is a datastructure that tracks a profile parameter
       # over time. Its value can be set by many sources, and it keeps a
       # log of each "set" event so that when it is collapsed to a value,
       # it can determine the correct (highest priority) value.
       # Store in an instance variable for.. later reading???
-      @__waiver_data = input.value
+      @__waiver_data = waiver_data_by_profile[control_id]
+
       __waiver_data["skipped_due_to_waiver"] = false
       __waiver_data["message"] = ""
 
@@ -376,6 +412,7 @@ module Inspec
       # expiration_date. We only care here if it has a "run" key and it
       # is false-like, since all non-skipped waiver operations are handled
       # during reporting phase.
+      __waiver_data["run"] = Converter.to_boolean(__waiver_data["run"]) if __waiver_data.key?("run")
       return unless __waiver_data.key?("run") && !__waiver_data["run"]
 
       # OK, apply a skip.

data/lib/inspec/run_data/control.rb

@@ -1,3 +1,5 @@
+require "inspec/enhanced_outcomes"
+
 module Inspec
   class RunData
     Control = Struct.new(
@@ -31,6 +33,10 @@ module Inspec
         ].each do |field|
           self[field] = raw_ctl_data[field]
         end
+
+        def status
+          Inspec::EnhancedOutcomes.determine_status(results, impact)
+        end
       end
     end
 

data/lib/inspec/run_data/statistics.rb

@@ -16,14 +16,20 @@ module Inspec
         :total,
         :passed,
         :skipped,
-        :failed
+        :failed,
+        :not_reviewed,
+        :not_applicable,
+        :error
       ) do
         include HashLikeStruct
         def initialize(raw_stat_ctl_data)
           self.total = raw_stat_ctl_data[:total]
           self.passed = Inspec::RunData::Statistics::Controls::Total.new(raw_stat_ctl_data[:passed][:total])
-          self.skipped = Inspec::RunData::Statistics::Controls::Total.new(raw_stat_ctl_data[:skipped][:total])
           self.failed = Inspec::RunData::Statistics::Controls::Total.new(raw_stat_ctl_data[:failed][:total])
+          self.skipped = Inspec::RunData::Statistics::Controls::Total.new(raw_stat_ctl_data[:skipped][:total]) if raw_stat_ctl_data[:skipped]
+          self.not_reviewed = Inspec::RunData::Statistics::Controls::Total.new(raw_stat_ctl_data[:not_reviewed][:total]) if raw_stat_ctl_data[:not_reviewed]
+          self.not_applicable = Inspec::RunData::Statistics::Controls::Total.new(raw_stat_ctl_data[:not_applicable][:total]) if raw_stat_ctl_data[:not_applicable]
+          self.error = Inspec::RunData::Statistics::Controls::Total.new(raw_stat_ctl_data[:error][:total]) if raw_stat_ctl_data[:error]
         end
       end
       class Controls