inspec-core 5.22.65 → 6.6.0

data/lib/inspec/config.rb

@@ -7,6 +7,7 @@ require "forwardable" unless defined?(Forwardable)
 require "thor" unless defined?(Thor)
 require "base64" unless defined?(Base64)
 require "inspec/plugin/v2/filter"
+require "inspec/feature"
 
 module Inspec
   class Config
@@ -25,6 +26,12 @@ module Inspec
       shell_command
     }.freeze
 
+    AUDIT_LOG_OPTIONS = %w{
+      audit_log_location
+      enable_audit_log
+      audit_log_app_name
+    }.freeze
+
     KNOWN_VERSIONS = [
       "1.1",
       "1.2",
@@ -80,6 +87,10 @@ module Inspec
       puts
     end
 
+    def allow_unsigned_profiles?
+      self["allow_unsigned_profiles"] || ENV["CHEF_ALLOW_UNSIGNED_PROFILES"]
+    end
+
     # return all telemetry options from config
     # @return [Hash]
     def telemetry_options
@@ -109,11 +120,14 @@ module Inspec
     def unpack_train_credentials
       # Internally, use indifferent access while we build the creds
       credentials = Thor::CoreExt::HashWithIndifferentAccess.new({})
-
       # Helper methods prefixed with _utc_ (Unpack Train Credentials)
 
       credentials.merge!(_utc_generic_credentials)
 
+      # Only runs this block when preview flag CHEF_PREVIEW_AUDIT_LOGGING is set
+      Inspec.with_feature("inspec-audit-logging") {
+        credentials.merge!(_utc_merge_audit_log_options)
+      }
       _utc_determine_backend(credentials)
       transport_name = credentials[:backend].to_s
 
@@ -154,13 +168,21 @@ module Inspec
 
     private
 
+    def _utc_merge_audit_log_options
+      @final_options.select { |option, _value| AUDIT_LOG_OPTIONS.include?(option) }
+    end
+
     def _utc_merge_transport_options(credentials, transport_name)
       # Ask Train for the names of the transport options
       transport_options = Train.options(transport_name).keys.map(&:to_s)
 
       # If there are any options with those (unprefixed) names, merge them in.
+      # e.g., 'host'
       unprefixed_transport_options = final_options.select do |option_name, _value|
-        transport_options.include? option_name # e.g., 'host'
+        # We currently want this option only to be set if CHEF_PREVIEW_AUDIT_LOGGING is set
+        # and we already merging the audit_log_options within _utc_merge_audit_log_options method which only invoke if feature flag is on
+        # we don't want audit log option to get set from here again so this is a safe check and can be removed when we remove preview feature flag.
+        transport_options.include? option_name unless option_name.match?("enable_audit_log")
       end
       credentials.merge!(unprefixed_transport_options)
 
@@ -448,15 +470,6 @@ module Inspec
       # Reporter options may be defined top-level.
       options.merge!(config_file_reporter_options)
 
-      # when sent reporter from compliance-mode (via chef-client), the reporter is a symbol
-      if @cli_opts.key?(:reporter) && @cli_opts["reporter"].nil?
-        @cli_opts["reporter"] = @cli_opts[:reporter]
-        @cli_opts.delete(:reporter)
-      elsif @cli_opts.key?(:reporter) && @cli_opts.key?("reporter") && @cli_opts["reporter"].is_a?(Array)
-        # combine reporter and "reporter" options into "reporter" option
-        @cli_opts["reporter"] = @cli_opts[:reporter] + @cli_opts["reporter"]
-      end
-
       if @cli_opts["reporter"]
         # Add reporter_cli_opts in options to capture reporter cli opts separately
         options.merge!({ "reporter_cli_opts" => @cli_opts["reporter"] })

data/lib/inspec/dependencies/cache.rb

@@ -70,5 +70,38 @@ module Inspec
     def base_path_for(cache_key)
       File.join(@path, cache_key)
     end
+
+    #
+    # For given cache key, return true if the
+    # cache path is locked
+    def locked?(key)
+      locked = false
+      path = base_path_for(key)
+      # For archive there is no need to lock the directory so we skip those and return false for archive formatted cache
+      if File.directory?(path)
+        locked = File.exist?("#{path}/.lock")
+      end
+      locked
+    end
+
+    def lock(cache_path)
+      lock_file_path = File.join(cache_path, ".lock")
+      begin
+        FileUtils.mkdir_p(cache_path)
+        Inspec::Log.debug("Locking cache ..... #{cache_path}")
+        FileUtils.touch(lock_file_path)
+      rescue Errno::EACCES
+        raise "Permission denied while creating cache lock #{cache_path}/.lock."
+      end
+    end
+
+    def unlock(cache_path)
+      Inspec::Log.debug("Unlocking cache..... #{cache_path}")
+      begin
+        FileUtils.rm("#{cache_path}/.lock") if File.exist?("#{cache_path}/.lock")
+      rescue Errno::EACCES
+        raise "Permission denied while removing cache lock #{cache_path}/.lock"
+      end
+    end
   end
 end

data/lib/inspec/dependencies/dependency_set.rb

@@ -26,7 +26,7 @@ module Inspec
       dep_list = {}
       dependencies.each do |d|
         # if depedent profile does not have a source version then only name is used in dependency hash
-        key_name = ((d.source_version.nil? || d.source_version.empty?) ? "#{d.name}" : "#{d.name}-#{d.source_version}") rescue "#{d.name}"
+        key_name = (d.source_version.blank? ? "#{d.name}" : "#{d.name}-#{d.source_version}") rescue "#{d.name}"
         dep_list[key_name] = d
       end
       new(cwd, cache, dep_list, backend)
@@ -42,7 +42,7 @@ module Inspec
       dep_list = {}
       dep_tree.each do |d|
         # if depedent profile does not have a source version then only name is used in dependency hash
-        key_name = ((d.source_version.nil? || d.source_version.empty?) ? "#{d.name}" : "#{d.name}-#{d.source_version}") rescue "#{d.name}"
+        key_name = (d.source_version.blank? ? "#{d.name}" : "#{d.name}-#{d.source_version}") rescue "#{d.name}"
         dep_list[key_name] = d
         dep_list.merge!(flatten_dep_tree(d.dependencies))
       end

data/lib/inspec/dsl.rb

@@ -95,7 +95,7 @@ module Inspec::DSL
         # 1. Fetching VERSION from a profile dependency name which is in a format NAME-VERSION.
         # 2. Matching original profile dependency name with profile name used with include or require control DSL.
         source_version = value.source_version
-        unless source_version.nil? || source_version.empty?
+        unless source_version.blank?
           profile_id_key = key.split("-#{source_version}")[0]
           new_profile_id = key if profile_id_key == profile_id
         end

data/lib/inspec/enhanced_outcomes.rb

@@ -15,5 +15,6 @@ module Inspec
         "passed"
       end
     end
+
   end
 end

data/lib/inspec/errors.rb

@@ -24,4 +24,9 @@ module Inspec
   end
 
   class InvalidProfileSignature < Error; end
+
+  class FeatureConfigMissingError < Error; end
+  class FeatureConfigTamperedError < Error; end
+
+  class ProfileSignatureRequired < Error; end
 end

data/lib/inspec/exceptions.rb

@@ -12,5 +12,7 @@ module Inspec
     class ProfileSigningKeyNotFound < ArgumentError; end
     class WaiversFileNotReadable < ArgumentError; end
     class WaiversFileDoesNotExist < ArgumentError; end
+    class WaiversFileInvalidFormatting < ArgumentError; end
+    class InvalidAuditLogOption < ArgumentError; end
   end
 end

data/lib/inspec/feature/config.rb

@@ -0,0 +1,75 @@
+require "inspec/iaf_file" # Uses some of the same encryption routines
+
+module Inspec
+  class Feature
+    class Config
+
+      VERIFICATION_KEY_NAME = "progress-2022-05-04".freeze
+
+      attr_reader :cfg_data, :valid
+
+      def initialize(conf_path = nil)
+        # If conf path is nil, read from source installation
+        conf_path ||= File.join(Inspec.src_root, "etc", "features.yaml")
+
+        # Verify path and sig file exists or else throw exception
+        sig_path = conf_path.sub(/\.yaml/, ".sig")
+        [conf_path, sig_path].each do |file|
+          raise Inspec::FeatureConfigMissingError.new("No such file #{file}") unless File.exist?(file)
+        end
+
+        # Verify sig matches contents
+        validation_key_path = Inspec::IafFile.find_validation_key(VERIFICATION_KEY_NAME)
+        verification_key = Inspec::IafFile::KEY_ALG.new File.read validation_key_path
+        signature = Base64.decode64 File.read sig_path
+        digest = Inspec::IafFile::ARTIFACT_DIGEST.new
+        unless verification_key.verify digest, signature, File.read(conf_path)
+          # If not load default empty config and raise exception
+          @cfg_data = load_error_data
+          raise Inspec::FeatureConfigTamperedError.new("Feature yaml file does not match signature - tampered?")
+        end
+
+        # Read YAML data from path
+        @cfg_data = YAML.load_file(conf_path)
+        @features_by_name = {}
+      end
+
+      def with_each_feature
+        cfg_data["features"].each do |feature_name, raw_info|
+          feat = @features_by_name[feature_name] ||= Inspec::Feature.new(feature_name.to_sym, raw_info)
+          yield(feat)
+        end
+      end
+
+      def [](feature_name)
+        raw_info = cfg_data["features"][feature_name]
+        return nil unless raw_info
+
+        @features_by_name[feature_name] ||= Inspec::Feature.new(feature_name.to_sym, raw_info)
+      end
+
+      def feature_name?(query)
+        cfg_data["features"].key?(query.to_s)
+      end
+
+      def features
+        @features ||= load_features
+      end
+
+      private
+
+      def load_features
+        feats = []
+        with_each_feature { |f| feats << f }
+        feats
+      end
+
+      # Default data for when the config is in an error state.
+      def load_error_data
+        {
+          "features": {},
+        }
+      end
+    end
+  end
+end

data/lib/inspec/feature/runner.rb

@@ -0,0 +1,26 @@
+module Inspec
+  class Feature
+    class Runner
+      def self.with_feature(feature_name, opts = {}, &feature_implementation)
+        config = opts[:config] || Inspec::Feature::Config.new
+        logger = opts[:logger] || Inspec::Log
+
+        # Emit log message saying we're running a feature
+        logger.debug("Prepping to run feature '#{feature_name}'")
+
+        # Validate that the feature is recognized
+        feature = config[feature_name]
+        unless feature
+          logger.warn "Unrecognized feature name '#{feature_name}'"
+        end
+
+        # If the feature is not recognized
+        # If the feature has no env_preview flag set in config
+        # If the feature is previewable
+        if feature.nil? || feature&.no_preview? || feature&.previewable?
+          yield feature_implementation
+        end
+      end
+    end
+  end
+end

data/lib/inspec/feature.rb

@@ -0,0 +1,34 @@
+require_relative "feature/config"
+require_relative "feature/runner"
+
+module Inspec
+  def self.with_feature(feature_name, opts = {}, &feature_implementation)
+    Inspec::Feature::Runner.with_feature(feature_name, opts, &feature_implementation)
+  end
+
+  class Feature
+    attr_reader :name, :description, :env_preview
+    def initialize(feature_name, feature_yaml_opts)
+      @name = feature_name
+      feature_yaml_opts ||= {}
+      @description = feature_yaml_opts["description"]
+      @env_preview = feature_yaml_opts["env_preview"]
+    end
+
+    def previewable?
+      # If the feature is previewable in config (features.yaml) & has an environment value set to use previewed feature
+      !!env_preview && !env_preview_value.nil?
+    end
+
+    def no_preview?
+      env_preview.nil?
+    end
+
+    def env_preview_value
+      # Examples: If feature name is "inspec-test-feature"
+      # ENV used for this feature preview would be CHEF_PREVIEW_TEST_FEATURE
+      env_preview_feature_name = name.to_s.split("inspec-")[-1]
+      ENV["CHEF_PREVIEW_#{env_preview_feature_name.gsub("-", "_").upcase}"]
+    end
+  end
+end

data/lib/inspec/fetcher/git.rb

@@ -127,6 +127,11 @@ module Inspec::Fetcher
       %i{branch tag ref}.map { |opt_name| update_ivar_from_opt(opt_name, opts) }.any?
     end
 
+    # Git fetcher is sensitive to cache contention so it needs cache locking mechanism.
+    def requires_locking?
+      true
+    end
+
     private
 
     def resolved_ref

data/lib/inspec/fetcher/url.rb

@@ -93,7 +93,7 @@ module Inspec::Fetcher
                            end
 
       if transformed_target
-        Inspec::Log.debug("URL target #{target} transformed to #{transformed_target}. Consider using the git fetcher")
+        Inspec::Log.warn("URL target #{target} transformed to #{transformed_target}. Consider using the git fetcher")
         transformed_target
       else
         target
@@ -133,14 +133,12 @@ module Inspec::Fetcher
     class << self
       def default_ref(match_data, repo_url)
         remote_url = "#{repo_url}/#{match_data[:user]}/#{match_data[:repo]}.git"
-        command_string = "git ls-remote #{remote_url} HEAD"
+        command_string = "git remote show #{remote_url}"
         cmd = shellout(command_string)
         unless cmd.exitstatus == 0
           raise(Inspec::FetcherFailure, "Profile git dependency failed with default reference - #{remote_url} - error running '#{command_string}': #{cmd.stderr}")
         else
-          # cmd.stdout of "git ls-remote #{remote_url} HEAD" looks like this:
-          # "457d14843ab7c1c3740169eb47cf129a6f417964\tHEAD\n"
-          ref = cmd.stdout.split("\t").first
+          ref = cmd.stdout.lines.detect { |l| l.include? "HEAD branch:" }&.split(":")&.last&.strip
           unless ref
             raise(Inspec::FetcherFailure, "Profile git dependency failed with default reference - #{remote_url} - error running '#{command_string}': NULL reference")
           end
@@ -248,30 +246,10 @@ module Inspec::Fetcher
       @temp_archive_path = archive.path
     end
 
-    # Opens a URI or local file specified by `target` with options `opts`.
-    # If `target` is a valid URI (http://, https://, ftp://), opens it using URI.open.
-    # If `target` is a local file path, opens it using File.open.
-    # Raises ArgumentError for invalid `target` that is neither a valid URI nor a local file path.
-    # Logs or handles exceptions gracefully using `pretty_handle_exception`.
-    def open(target, opts)
-      if valid_uri?(target)
-        URI(target).open(opts) # Open URI if it's a valid HTTP, HTTPS, or FTP URI
-      elsif File.file?(target)
-        File.open(target, opts) # Open local file if it exists
-      else
-        raise ArgumentError, "Invalid target: #{target}. Must be a valid URI or a local file path."
-      end
-    rescue StandardError => e
-      raise Inspec::FetcherFailure, "Profile URL dependency #{target} could not be fetched: #{e.message}"
-    end
-
-    # Checks if the given `target` string is a valid URI by attempting to parse it.
-    # Returns true if `target` is a valid HTTP, HTTPS, or FTP URI; false otherwise.
-    def valid_uri?(target)
-      uri = URI.parse(target)
-      uri.is_a?(URI::HTTP) || uri.is_a?(URI::HTTPS) || uri.is_a?(URI::FTP)
-    rescue URI::InvalidURIError
-      false
+    def open(target, opts) # overridden so we can control who we're talking to
+      URI.open(target, opts)
+    rescue NoMethodError   # TODO: remove when we drop ruby 2.4
+      super(target, opts)  # Kernel#open
     end
 
     def open_via_uri(target)

data/lib/inspec/globals.rb

@@ -23,4 +23,10 @@ module Inspec
     require "rbconfig" unless defined?(RbConfig)
     RbConfig::CONFIG["host_os"] =~ /mswin|mingw|cygwin/
   end
+
+  def self.log_dir
+    log_dir_path = "#{config_dir}/logs"
+    FileUtils.mkdir_p(log_dir_path) unless File.directory?(log_dir_path)
+    log_dir_path
+  end
 end

data/lib/inspec/input_registry.rb

@@ -189,11 +189,7 @@ module Inspec
     def parse_cli_input_value(input_name, given_value)
       value = given_value.chomp(",") # Trim trailing comma if any
       case value
-      # Changed regex to use \A and \z instead of ^ and $ for stricter start and end of string matching.
-      # This prevents potential bypass issues with multi-line input and ensures the entire string
-      # is exactly "true" or "false", enhancing security when dealing with untrusted input.
-      # Issue detected here: https://github.com/inspec/inspec/security/code-scanning/41
-      when /\A(true|false)\z/i
+      when /^true|false$/i
         value = !!(value =~ /true/i)
       when /^-?\d+$/
         value = value.to_i

data/lib/inspec/plugin/v1/plugin_types/fetcher.rb

@@ -105,6 +105,13 @@ module Inspec
         file_provider = Inspec::FileProvider.for_path(archive_path)
         file_provider.relative_provider
       end
+
+      # Returns false by default
+      # This is used to regulate cache contention.
+      # Fetchers that are sensitive to cache contention should return true.
+      def requires_locking?
+        false
+      end
     end
   end
 end

data/lib/inspec/plugin/v2/plugin_types/streaming_reporter.rb

@@ -12,6 +12,7 @@ module Inspec::Plugin::V2::PluginType
       @control_checks_count_map = {}
       @controls_count = nil
       @notifications = {}
+      @enhanced_outcome_control_wise = {}
     end
 
     private
@@ -29,16 +30,43 @@ module Inspec::Plugin::V2::PluginType
 
     # method to identify when the control ended running
     # this will be useful in executing operations on control's level end
-    def control_ended?(control_id)
+    def control_ended?(notification, control_id)
       set_control_checks_count_map_value
       unless @control_checks_count_map[control_id].nil?
         @control_checks_count_map[control_id] -= 1
-        @control_checks_count_map[control_id] == 0
+        control_ended = @control_checks_count_map[control_id] == 0
+        # after a control has ended it checks for certain operations, like enhanced outcomes
+        run_control_operations(notification, control_id) if control_ended
+        control_ended
       else
         false
       end
     end
 
+    def run_control_operations(notification, control_id)
+      check_for_enhanced_outcomes(notification, control_id)
+    end
+
+    def check_for_enhanced_outcomes(notification, control_id)
+      if enhanced_outcomes
+        control_outcome = add_enhanced_outcomes(control_id)
+        @enhanced_outcome_control_wise[control_id] = control_outcome
+      end
+    end
+
+    def format_message(indicator, control_id, title, full_description)
+      message_to_format = ""
+      message_to_format += "#{indicator}  "
+      message_to_format += "#{control_id.to_s.strip.dup.force_encoding(Encoding::UTF_8)}  "
+      message_to_format += "#{title.gsub(/\n*\s+/, " ").to_s.force_encoding(Encoding::UTF_8)}  " if title
+      message_to_format += "#{full_description.gsub(/\n*\s+/, " ").to_s.force_encoding(Encoding::UTF_8)}  " unless title
+      message_to_format
+    end
+
+    def control_outcome(control_id)
+      @enhanced_outcome_control_wise[control_id]
+    end
+
     # method to identify total no. of controls
     def controls_count
       @controls_count ||= RSpec.configuration.formatters.grep(Inspec::Formatters::Base).first.get_controls_count

data/lib/inspec/profile.rb

@@ -16,6 +16,7 @@ require "inspec/utils/json_profile_summary"
 require "inspec/dependency_loader"
 require "inspec/dependency_installer"
 require "inspec/utils/profile_ast_helpers"
+require "plugins/inspec-sign/lib/inspec-sign/base"
 
 module Inspec
   class Profile
@@ -82,7 +83,7 @@ module Inspec
     end
 
     attr_reader :source_reader, :backend, :runner_context, :check_mode
-    attr_accessor :parent_profile, :profile_id, :profile_name
+    attr_accessor :parent_profile, :profile_id, :profile_name, :target
     def_delegator :@source_reader, :tests
     def_delegator :@source_reader, :libraries
     def_delegator :@source_reader, :metadata
@@ -181,6 +182,26 @@ module Inspec
       @state == :failed
     end
 
+    def verify_if_signed
+      if signed?
+        verify_signed_profile
+        true
+      else
+        false
+      end
+    end
+
+    def signed?
+      # Signed profiles have .iaf extension
+      (@source_reader&.target&.parent&.class == Inspec::IafProvider)
+    end
+
+    def verify_signed_profile
+      # Kitchen inspec send target profile in Hash format in some scenarios. For example: While using local profile with kitchen, {:path => "path/to/kitchen/lcoal-profile"}
+      target_profile = target.is_a?(Hash) ? target.values[0] : target
+      InspecPlugins::Sign::Base.profile_verify(target_profile, true) if target_profile
+    end
+
     #
     # Is this profile is supported on the current platform of the
     # backend machine and the current inspec version.
@@ -215,8 +236,30 @@ module Inspec
       @params ||= load_params
     end
 
+    def virtual_profile?
+      # A virtual profile is for virtual profile evaluation
+      # Used by shell & inspec detect command.
+      (name == "inspec-shell") && (files&.length == 1) && (files[0] == "inspec.yml")
+    end
+
     def collect_tests
       unless @tests_collected || failed?
+
+        # This is that one common place in InSpec engine which is used to collect tests of InSpec profile
+        # One common place used by most of the CLI commands using profile, like exec, export etc
+        # Checking for profile signature in parent profile only
+        # Child profiles of a signed profile are extracted to cache dir
+        # Hence they are not in .iaf format
+        # Only runs this block when preview flag CHEF_PREVIEW_MANDATORY_PROFILE_SIGNING is set
+        Inspec.with_feature("inspec-mandatory-profile-signing") {
+          if !parent_profile && !virtual_profile?
+            cfg = Inspec::Config.cached
+            if cfg.is_a?(Inspec::Config) && !cfg.allow_unsigned_profiles?
+              raise Inspec::ProfileSignatureRequired, "Signature required for profile: #{name}. Please provide a signed profile. Or set CHEF_ALLOW_UNSIGNED_PROFILES in the environment. Or use `--allow-unsigned-profiles` flag with InSpec CLI." unless verify_if_signed
+            end
+          end
+        }
+
         return unless supports_platform?
 
         locked_dependencies.each(&:collect_tests)
@@ -248,7 +291,7 @@ module Inspec
       ## Find the waivers file
       # - TODO: cli_opts and instance_variable_get could be exposed
       waiver_paths = cfg.instance_variable_get(:@cli_opts)["waiver_file"]
-      if waiver_paths.nil? || waiver_paths.empty?
+      if waiver_paths.blank?
         Inspec::Log.error "Must use --waiver-file with --filter-waived-controls"
         Inspec::UI.new.exit(:usage_error)
       end
@@ -276,7 +319,7 @@ module Inspec
         # be processed and rendered
         tests.each do |control_filename, source_code|
           cleared_tests = source_code.scan(/control\s+['"].+?['"].+?(?=(?:control\s+['"].+?['"])|\z)/m).collect do |element|
-            next if element.nil? || element.empty?
+            next if element.blank?
 
             if element&.match?(waived_control_id_regex)
               splitlines = element.split("\n")

data/lib/inspec/reporters/cli.rb

@@ -317,7 +317,7 @@ module Inspec::Reporters
       not_applicable = 0
 
       all_unique_controls.each do |control|
-        next if control[:status].nil? || control[:status].empty?
+        next if control[:status].blank?
 
         if control[:status] == "failed"
           failed += 1