inspec-core 5.22.29 → 6.6.0

data/lib/inspec/config.rb

@@ -7,6 +7,7 @@ require "forwardable" unless defined?(Forwardable)
 require "thor" unless defined?(Thor)
 require "base64" unless defined?(Base64)
 require "inspec/plugin/v2/filter"
+require "inspec/feature"
 
 module Inspec
   class Config
@@ -25,6 +26,12 @@ module Inspec
       shell_command
     }.freeze
 
+    AUDIT_LOG_OPTIONS = %w{
+      audit_log_location
+      enable_audit_log
+      audit_log_app_name
+    }.freeze
+
     KNOWN_VERSIONS = [
       "1.1",
       "1.2",
@@ -80,6 +87,10 @@ module Inspec
       puts
     end
 
+    def allow_unsigned_profiles?
+      self["allow_unsigned_profiles"] || ENV["CHEF_ALLOW_UNSIGNED_PROFILES"]
+    end
+
     # return all telemetry options from config
     # @return [Hash]
     def telemetry_options
@@ -109,11 +120,14 @@ module Inspec
     def unpack_train_credentials
       # Internally, use indifferent access while we build the creds
       credentials = Thor::CoreExt::HashWithIndifferentAccess.new({})
-
       # Helper methods prefixed with _utc_ (Unpack Train Credentials)
 
       credentials.merge!(_utc_generic_credentials)
 
+      # Only runs this block when preview flag CHEF_PREVIEW_AUDIT_LOGGING is set
+      Inspec.with_feature("inspec-audit-logging") {
+        credentials.merge!(_utc_merge_audit_log_options)
+      }
       _utc_determine_backend(credentials)
       transport_name = credentials[:backend].to_s
 
@@ -154,13 +168,21 @@ module Inspec
 
     private
 
+    def _utc_merge_audit_log_options
+      @final_options.select { |option, _value| AUDIT_LOG_OPTIONS.include?(option) }
+    end
+
     def _utc_merge_transport_options(credentials, transport_name)
       # Ask Train for the names of the transport options
       transport_options = Train.options(transport_name).keys.map(&:to_s)
 
       # If there are any options with those (unprefixed) names, merge them in.
+      # e.g., 'host'
       unprefixed_transport_options = final_options.select do |option_name, _value|
-        transport_options.include? option_name # e.g., 'host'
+        # We currently want this option only to be set if CHEF_PREVIEW_AUDIT_LOGGING is set
+        # and we already merging the audit_log_options within _utc_merge_audit_log_options method which only invoke if feature flag is on
+        # we don't want audit log option to get set from here again so this is a safe check and can be removed when we remove preview feature flag.
+        transport_options.include? option_name unless option_name.match?("enable_audit_log")
       end
       credentials.merge!(unprefixed_transport_options)
 

data/lib/inspec/dependencies/cache.rb

@@ -70,5 +70,38 @@ module Inspec
     def base_path_for(cache_key)
       File.join(@path, cache_key)
     end
+
+    #
+    # For given cache key, return true if the
+    # cache path is locked
+    def locked?(key)
+      locked = false
+      path = base_path_for(key)
+      # For archive there is no need to lock the directory so we skip those and return false for archive formatted cache
+      if File.directory?(path)
+        locked = File.exist?("#{path}/.lock")
+      end
+      locked
+    end
+
+    def lock(cache_path)
+      lock_file_path = File.join(cache_path, ".lock")
+      begin
+        FileUtils.mkdir_p(cache_path)
+        Inspec::Log.debug("Locking cache ..... #{cache_path}")
+        FileUtils.touch(lock_file_path)
+      rescue Errno::EACCES
+        raise "Permission denied while creating cache lock #{cache_path}/.lock."
+      end
+    end
+
+    def unlock(cache_path)
+      Inspec::Log.debug("Unlocking cache..... #{cache_path}")
+      begin
+        FileUtils.rm("#{cache_path}/.lock") if File.exist?("#{cache_path}/.lock")
+      rescue Errno::EACCES
+        raise "Permission denied while removing cache lock #{cache_path}/.lock"
+      end
+    end
   end
 end

data/lib/inspec/enhanced_outcomes.rb

@@ -15,5 +15,6 @@ module Inspec
         "passed"
       end
     end
+
   end
 end

data/lib/inspec/errors.rb

@@ -24,4 +24,9 @@ module Inspec
   end
 
   class InvalidProfileSignature < Error; end
+
+  class FeatureConfigMissingError < Error; end
+  class FeatureConfigTamperedError < Error; end
+
+  class ProfileSignatureRequired < Error; end
 end

data/lib/inspec/exceptions.rb

@@ -12,5 +12,7 @@ module Inspec
     class ProfileSigningKeyNotFound < ArgumentError; end
     class WaiversFileNotReadable < ArgumentError; end
     class WaiversFileDoesNotExist < ArgumentError; end
+    class WaiversFileInvalidFormatting < ArgumentError; end
+    class InvalidAuditLogOption < ArgumentError; end
   end
 end

data/lib/inspec/feature/config.rb

@@ -0,0 +1,75 @@
+require "inspec/iaf_file" # Uses some of the same encryption routines
+
+module Inspec
+  class Feature
+    class Config
+
+      VERIFICATION_KEY_NAME = "progress-2022-05-04".freeze
+
+      attr_reader :cfg_data, :valid
+
+      def initialize(conf_path = nil)
+        # If conf path is nil, read from source installation
+        conf_path ||= File.join(Inspec.src_root, "etc", "features.yaml")
+
+        # Verify path and sig file exists or else throw exception
+        sig_path = conf_path.sub(/\.yaml/, ".sig")
+        [conf_path, sig_path].each do |file|
+          raise Inspec::FeatureConfigMissingError.new("No such file #{file}") unless File.exist?(file)
+        end
+
+        # Verify sig matches contents
+        validation_key_path = Inspec::IafFile.find_validation_key(VERIFICATION_KEY_NAME)
+        verification_key = Inspec::IafFile::KEY_ALG.new File.read validation_key_path
+        signature = Base64.decode64 File.read sig_path
+        digest = Inspec::IafFile::ARTIFACT_DIGEST.new
+        unless verification_key.verify digest, signature, File.read(conf_path)
+          # If not load default empty config and raise exception
+          @cfg_data = load_error_data
+          raise Inspec::FeatureConfigTamperedError.new("Feature yaml file does not match signature - tampered?")
+        end
+
+        # Read YAML data from path
+        @cfg_data = YAML.load_file(conf_path)
+        @features_by_name = {}
+      end
+
+      def with_each_feature
+        cfg_data["features"].each do |feature_name, raw_info|
+          feat = @features_by_name[feature_name] ||= Inspec::Feature.new(feature_name.to_sym, raw_info)
+          yield(feat)
+        end
+      end
+
+      def [](feature_name)
+        raw_info = cfg_data["features"][feature_name]
+        return nil unless raw_info
+
+        @features_by_name[feature_name] ||= Inspec::Feature.new(feature_name.to_sym, raw_info)
+      end
+
+      def feature_name?(query)
+        cfg_data["features"].key?(query.to_s)
+      end
+
+      def features
+        @features ||= load_features
+      end
+
+      private
+
+      def load_features
+        feats = []
+        with_each_feature { |f| feats << f }
+        feats
+      end
+
+      # Default data for when the config is in an error state.
+      def load_error_data
+        {
+          "features": {},
+        }
+      end
+    end
+  end
+end

data/lib/inspec/feature/runner.rb

@@ -0,0 +1,26 @@
+module Inspec
+  class Feature
+    class Runner
+      def self.with_feature(feature_name, opts = {}, &feature_implementation)
+        config = opts[:config] || Inspec::Feature::Config.new
+        logger = opts[:logger] || Inspec::Log
+
+        # Emit log message saying we're running a feature
+        logger.debug("Prepping to run feature '#{feature_name}'")
+
+        # Validate that the feature is recognized
+        feature = config[feature_name]
+        unless feature
+          logger.warn "Unrecognized feature name '#{feature_name}'"
+        end
+
+        # If the feature is not recognized
+        # If the feature has no env_preview flag set in config
+        # If the feature is previewable
+        if feature.nil? || feature&.no_preview? || feature&.previewable?
+          yield feature_implementation
+        end
+      end
+    end
+  end
+end

data/lib/inspec/feature.rb

@@ -0,0 +1,34 @@
+require_relative "feature/config"
+require_relative "feature/runner"
+
+module Inspec
+  def self.with_feature(feature_name, opts = {}, &feature_implementation)
+    Inspec::Feature::Runner.with_feature(feature_name, opts, &feature_implementation)
+  end
+
+  class Feature
+    attr_reader :name, :description, :env_preview
+    def initialize(feature_name, feature_yaml_opts)
+      @name = feature_name
+      feature_yaml_opts ||= {}
+      @description = feature_yaml_opts["description"]
+      @env_preview = feature_yaml_opts["env_preview"]
+    end
+
+    def previewable?
+      # If the feature is previewable in config (features.yaml) & has an environment value set to use previewed feature
+      !!env_preview && !env_preview_value.nil?
+    end
+
+    def no_preview?
+      env_preview.nil?
+    end
+
+    def env_preview_value
+      # Examples: If feature name is "inspec-test-feature"
+      # ENV used for this feature preview would be CHEF_PREVIEW_TEST_FEATURE
+      env_preview_feature_name = name.to_s.split("inspec-")[-1]
+      ENV["CHEF_PREVIEW_#{env_preview_feature_name.gsub("-", "_").upcase}"]
+    end
+  end
+end

data/lib/inspec/fetcher/git.rb

@@ -127,6 +127,11 @@ module Inspec::Fetcher
       %i{branch tag ref}.map { |opt_name| update_ivar_from_opt(opt_name, opts) }.any?
     end
 
+    # Git fetcher is sensitive to cache contention so it needs cache locking mechanism.
+    def requires_locking?
+      true
+    end
+
     private
 
     def resolved_ref

data/lib/inspec/globals.rb

@@ -23,4 +23,10 @@ module Inspec
     require "rbconfig" unless defined?(RbConfig)
     RbConfig::CONFIG["host_os"] =~ /mswin|mingw|cygwin/
   end
+
+  def self.log_dir
+    log_dir_path = "#{config_dir}/logs"
+    FileUtils.mkdir_p(log_dir_path) unless File.directory?(log_dir_path)
+    log_dir_path
+  end
 end

data/lib/inspec/plugin/v1/plugin_types/fetcher.rb

@@ -105,6 +105,13 @@ module Inspec
         file_provider = Inspec::FileProvider.for_path(archive_path)
         file_provider.relative_provider
       end
+
+      # Returns false by default
+      # This is used to regulate cache contention.
+      # Fetchers that are sensitive to cache contention should return true.
+      def requires_locking?
+        false
+      end
     end
   end
 end

data/lib/inspec/plugin/v2/plugin_types/streaming_reporter.rb

@@ -12,6 +12,7 @@ module Inspec::Plugin::V2::PluginType
       @control_checks_count_map = {}
       @controls_count = nil
       @notifications = {}
+      @enhanced_outcome_control_wise = {}
     end
 
     private
@@ -29,16 +30,43 @@ module Inspec::Plugin::V2::PluginType
 
     # method to identify when the control ended running
     # this will be useful in executing operations on control's level end
-    def control_ended?(control_id)
+    def control_ended?(notification, control_id)
       set_control_checks_count_map_value
       unless @control_checks_count_map[control_id].nil?
         @control_checks_count_map[control_id] -= 1
-        @control_checks_count_map[control_id] == 0
+        control_ended = @control_checks_count_map[control_id] == 0
+        # after a control has ended it checks for certain operations, like enhanced outcomes
+        run_control_operations(notification, control_id) if control_ended
+        control_ended
       else
         false
       end
     end
 
+    def run_control_operations(notification, control_id)
+      check_for_enhanced_outcomes(notification, control_id)
+    end
+
+    def check_for_enhanced_outcomes(notification, control_id)
+      if enhanced_outcomes
+        control_outcome = add_enhanced_outcomes(control_id)
+        @enhanced_outcome_control_wise[control_id] = control_outcome
+      end
+    end
+
+    def format_message(indicator, control_id, title, full_description)
+      message_to_format = ""
+      message_to_format += "#{indicator}  "
+      message_to_format += "#{control_id.to_s.strip.dup.force_encoding(Encoding::UTF_8)}  "
+      message_to_format += "#{title.gsub(/\n*\s+/, " ").to_s.force_encoding(Encoding::UTF_8)}  " if title
+      message_to_format += "#{full_description.gsub(/\n*\s+/, " ").to_s.force_encoding(Encoding::UTF_8)}  " unless title
+      message_to_format
+    end
+
+    def control_outcome(control_id)
+      @enhanced_outcome_control_wise[control_id]
+    end
+
     # method to identify total no. of controls
     def controls_count
       @controls_count ||= RSpec.configuration.formatters.grep(Inspec::Formatters::Base).first.get_controls_count