inspec-core 5.22.65 → 6.6.0

data/lib/inspec/waiver_file_reader.rb

@@ -15,49 +15,90 @@ module Inspec
       output = {}
 
       files.each do |file_path|
-        file_extension = File.extname(file_path)
-        data = nil
-        if [".yaml", ".yml"].include? file_extension
-          data = Secrets::YAML.resolve(file_path)
-          unless data.nil?
-            data = data.inputs
-            validate_json_yaml(data)
-          end
-        elsif file_extension == ".csv"
-          data = Waivers::CSVFileReader.resolve(file_path)
-          headers = Waivers::CSVFileReader.headers
-          validate_headers(headers)
-        elsif file_extension == ".json"
-          data = Waivers::JSONFileReader.resolve(file_path)
-          validate_json_yaml(data) unless data.nil?
-        end
+        data = read_from_file(file_path)
         output.merge!(data) if !data.nil? && data.is_a?(Hash)
 
         if data.nil?
           raise Inspec::Exceptions::WaiversFileNotReadable,
-              "Cannot find parser for waivers file '#{file_path}'. " \
+              "Cannot find parser for waivers file." \
               "Check to make sure file has the appropriate extension."
         end
+      rescue Inspec::Exceptions::WaiversFileNotReadable, Inspec::Exceptions::WaiversFileInvalidFormatting => e
+        Inspec::Log.error "Error reading waivers file #{file_path}. #{e.message}"
+        Inspec::UI.new.exit(:usage_error)
       end
 
       @waivers_data[profile_id] = output
     end
 
-    def self.validate_headers(headers, json_yaml = false)
-      required_fields = json_yaml ? %w{justification} : %w{control_id justification}
-      all_fields = %w{control_id justification expiration_date run}
+    def self.read_from_file(file_path)
+      data = nil
+      file_extension = File.extname(file_path)
+      if [".yaml", ".yml"].include? file_extension
+        data = Secrets::YAML.resolve(file_path)
+        data = data.inputs unless data.nil?
+        validate_json_yaml(data)
+      elsif file_extension == ".csv"
+        data = Waivers::CSVFileReader.resolve(file_path)
+        headers = Waivers::CSVFileReader.headers
+        validate_csv_headers(headers)
+      elsif file_extension == ".json"
+        data = Waivers::JSONFileReader.resolve(file_path)
+        validate_json_yaml(data) unless data.nil?
+      end
+      data
+    end
+
+    def self.all_fields
+      %w{control_id justification expiration_date run}
+    end
+
+    def self.validate_csv_headers(headers)
+      invalid_headers_info = fetch_invalid_headers_info(headers)
+      # Warn if blank column found in csv file
+      Inspec::Log.warn "Invalid column headers: Column can't be nil" if invalid_headers_info[:blank_column]
+      # Warn if extra header found in csv file
+      Inspec::Log.warn "Extra header/s #{invalid_headers_info[:extra_headers]}" unless invalid_headers_info[:extra_headers].empty?
+      unless invalid_headers_info[:missing_required_fields].empty?
+        raise Inspec::Exceptions::WaiversFileInvalidFormatting,
+        "Missing required header/s #{invalid_headers_info[:missing_required_fields]}. Fix headers in file to proceed."
+      end
+    end
 
-      Inspec::Log.warn "Missing column headers: #{(required_fields - headers)}" unless (required_fields - headers).empty?
-      Inspec::Log.warn "Invalid column header: Column can't be nil" if headers.include? nil
-      Inspec::Log.warn "Extra column headers: #{(headers - all_fields)}" unless (headers - all_fields).empty?
+    def self.fetch_invalid_headers_info(headers, json_yaml = false)
+      required_fields = json_yaml ? %w{justification} : %w{control_id justification}
+      data = {}
+      data[:missing_required_fields] = []
+      # Finds missing required fields
+      unless (required_fields - headers).empty?
+        data[:missing_required_fields] = required_fields - headers
+      end
+      # If column with no header found set the blank_column flag. Only applicable for csv
+      data[:blank_column] = headers.include?(nil) ? true : false
+      # Find extra headers/parameters
+      data[:extra_headers] = (headers - all_fields)
+      data
     end
 
     def self.validate_json_yaml(data)
-      headers = []
-      data.each_value do |value|
-        headers.push value.keys
+      missing_required_field = false
+      data.each do |key, value|
+        # In case of yaml or json we need to validate headers/parametes for each value
+        invalid_headers_info = fetch_invalid_headers_info(value.keys, true)
+        # WARN in case of extra parameters found in each waived control
+        Inspec::Log.warn "Control ID #{key}: extra parameter/s #{invalid_headers_info[:extra_headers]}" unless invalid_headers_info[:extra_headers].empty?
+        unless invalid_headers_info[:missing_required_fields].empty?
+          missing_required_field = true
+          # Log error for each waived control
+          Inspec::Log.error "Control ID #{key}: missing required parameter/s #{invalid_headers_info[:missing_required_fields]}"
+        end
+      end
+
+      # Raise error if any of the waived control has missing required filed
+      if missing_required_field
+        raise Inspec::Exceptions::WaiversFileInvalidFormatting,
+             "Missing required parameter [justification]. Fix parameters in file to proceed."
       end
-      validate_headers(headers.flatten.uniq, true)
     end
   end
 end

data/lib/inspec.rb

@@ -4,6 +4,7 @@ libdir = File.dirname(__FILE__)
 $LOAD_PATH.unshift(libdir) unless $LOAD_PATH.include?(libdir)
 
 require "inspec/version"
+require "inspec/utils/licensing_config"
 require "inspec/exceptions"
 require "inspec/utils/deprecation"
 require "inspec/profile"
@@ -30,4 +31,4 @@ require "inspec/source_reader"
 require "inspec/resource"
 
 require "inspec/dependency_loader"
-require "inspec/dependency_installer"
+require "inspec/dependency_installer"

data/lib/matchers/matchers.rb

@@ -299,9 +299,9 @@ RSpec::Matchers.define :cmp do |first_expected| # rubocop:disable Metrics/BlockL
     end
   end
 
-  def format_actual(actual, negate = false)
+  def format_actual(actual)
     actual = "0%o" % actual if octal?(@expected) && !actual.nil?
-    "\n%s\n     got: %s\n\n(compared using `cmp` matcher)\n" % [format_expectation(negate), actual]
+    "\n%s\n     got: %s\n\n(compared using `cmp` matcher)\n" % [format_expectation(false), actual]
   end
 
   def format_expectation(negate)
@@ -316,7 +316,7 @@ RSpec::Matchers.define :cmp do |first_expected| # rubocop:disable Metrics/BlockL
   end
 
   failure_message_when_negated do |actual|
-    format_actual actual, true
+    format_actual actual
   end
 
   description do

data/lib/plugins/inspec-compliance/README.md

@@ -14,18 +14,8 @@ To use the CLI, this InSpec add-on adds the following commands:
  * `$ inspec automate profiles` - list all available Compliance profiles
  * `$ inspec exec compliance://profile` - runs a Compliance profile
  * `$ inspec automate upload path/to/local/profile` - uploads a local profile to Chef Automate/Chef Compliance
- * `$ inspec automate upload path/to/local/profile --legacy` - uploads a local profile to Chef Automate/Chef Compliance using legacy functionalities of inspec check and inspec export
-
-    *Options*:
-    ```
-      [--overwrite], [--no-overwrite]  # Overwrite existing profile on Server.
-      [--owner=OWNER]                  # Owner that should own the profile
-      [--legacy], [--no-legacy]        # Enable legacy functionality, activating both legacy export and legacy check.
-
-    uploads a local profile to Chef Automate
-    ```
  * `$ inspec automate logout` - logout of Chef Automate/Chef Compliance
-
+ 
  Similar to these CLI commands are:
 
  * `$ inspec compliance login` - authentication of the API token against Chef Automate/Chef Compliance

data/lib/plugins/inspec-compliance/lib/inspec-compliance/cli.rb

@@ -1,6 +1,7 @@
 require "inspec/dist"
 
 require_relative "api"
+require "inspec/feature"
 
 module InspecPlugins
   module Compliance
@@ -32,90 +33,102 @@ module InspecPlugins
       option :ent, type: :string, required: false,
         desc: "Enterprise for #{AUTOMATE_PRODUCT_NAME} reporting (#{AUTOMATE_PRODUCT_NAME} Only)"
       def login(server)
-        options["server"] = server
-        login_response = InspecPlugins::Compliance::API.login(options)
-        puts login_response
+        Inspec.with_feature("inspec-cli-compliance-login") {
+          options["server"] = server
+          login_response = InspecPlugins::Compliance::API.login(options)
+          puts login_response
+        }
       end
 
       desc "profiles", "list all available profiles in #{AUTOMATE_PRODUCT_NAME}"
       option :owner, type: :string, required: false,
         desc: "owner whose profiles to list"
       def profiles
-        config = InspecPlugins::Compliance::Configuration.new
-        return unless loggedin(config)
-
-        # set owner to config
-        config["owner"] = options["owner"] || config["user"]
-
-        msg, profiles = InspecPlugins::Compliance::API.profiles(config)
-        profiles.sort_by! { |hsh| hsh["title"] }
-        if !profiles.empty?
-          # iterate over profiles
-          headline("Available profiles:")
-          profiles.each do |profile|
-            owner = profile["owner_id"] || profile["owner"]
-            li("#{profile["title"]} v#{profile["version"]} (#{mark_text(owner + "/" + profile["name"])})")
+        Inspec.with_feature("inspec-cli-compliance-profiles") {
+          begin
+            config = InspecPlugins::Compliance::Configuration.new
+            return unless loggedin(config)
+
+            # set owner to config
+            config["owner"] = options["owner"] || config["user"]
+
+            msg, profiles = InspecPlugins::Compliance::API.profiles(config)
+            profiles.sort_by! { |hsh| hsh["title"] }
+            if !profiles.empty?
+              # iterate over profiles
+              headline("Available profiles:")
+              profiles.each do |profile|
+                owner = profile["owner_id"] || profile["owner"]
+                li("#{profile["title"]} v#{profile["version"]} (#{mark_text(owner + "/" + profile["name"])})")
+              end
+            else
+              puts msg if msg != "success"
+              puts "Could not find any profiles"
+              exit 1
+            end
+          rescue InspecPlugins::Compliance::ServerConfigurationMissing
+            $stderr.puts "\nServer configuration information is missing. Please login using `#{EXEC_NAME} #{subcommand_name} login`"
+            exit 1
           end
-        else
-          puts msg if msg != "success"
-          puts "Could not find any profiles"
-          exit 1
-        end
-      rescue InspecPlugins::Compliance::ServerConfigurationMissing
-        $stderr.puts "\nServer configuration information is missing. Please login using `#{EXEC_NAME} #{subcommand_name} login`"
-        exit 1
+        }
       end
 
       desc "exec PROFILE", "executes a #{AUTOMATE_PRODUCT_NAME} profile"
       exec_options
       def exec(*tests)
-        compliance_config = InspecPlugins::Compliance::Configuration.new
-        return unless loggedin(compliance_config)
+        Inspec.with_feature("inspec-cli-compliance-exec") {
+          begin
+            compliance_config = InspecPlugins::Compliance::Configuration.new
+            return unless loggedin(compliance_config)
 
-        o = config # o is an Inspec::Config object, provided by a helper method from Inspec::BaseCLI
-        diagnose(o)
-        configure_logger(o)
+            o = config # o is an Inspec::Config object, provided by a helper method from Inspec::BaseCLI
+            diagnose(o)
+            configure_logger(o)
 
-        # iterate over tests and add compliance scheme
-        tests = tests.map { |t| "compliance://" + InspecPlugins::Compliance::API.sanitize_profile_name(t) }
+            # iterate over tests and add compliance scheme
+            tests = tests.map { |t| "compliance://" + InspecPlugins::Compliance::API.sanitize_profile_name(t) }
 
-        runner = Inspec::Runner.new(o)
-        tests.each { |target| runner.add_target(target) }
+            runner = Inspec::Runner.new(o)
+            tests.each { |target| runner.add_target(target) }
 
-        exit runner.run
-      rescue ArgumentError, RuntimeError, Train::UserError => e
-        $stderr.puts e.message
-        exit 1
+            exit runner.run
+          rescue ArgumentError, RuntimeError, Train::UserError => e
+            $stderr.puts e.message
+            exit 1
+          end
+        }
       end
 
       desc "download PROFILE", "downloads a profile from #{AUTOMATE_PRODUCT_NAME}"
       option :name, type: :string,
         desc: "Name of the archive filename (file type will be added)"
       def download(profile_name)
-        o = options.dup
-        configure_logger(o)
-
-        config = InspecPlugins::Compliance::Configuration.new
-        return unless loggedin(config)
-
-        profile_name = InspecPlugins::Compliance::API.sanitize_profile_name(profile_name)
-        if InspecPlugins::Compliance::API.exist?(config, profile_name)
-          puts "Downloading `#{profile_name}`"
-
-          fetcher = InspecPlugins::Compliance::Fetcher.resolve(
-            {
-              compliance: profile_name,
-            }
-          )
-
-          # we provide a name, the fetcher adds the extension
-          _owner, id = profile_name.split("/")
-          file_name = fetcher.fetch(o.name || id)
-          puts "Profile stored to #{file_name}"
-        else
-          puts "Profile #{profile_name} is not available in #{AUTOMATE_PRODUCT_NAME}."
-          exit 1
-        end
+        Inspec.with_feature("inspec-cli-compliance-download") {
+          o = options.dup
+          configure_logger(o)
+
+          config = InspecPlugins::Compliance::Configuration.new
+          return unless loggedin(config)
+
+          profile_name = InspecPlugins::Compliance::API.sanitize_profile_name(profile_name)
+          if InspecPlugins::Compliance::API.exist?(config, profile_name)
+            puts "Downloading `#{profile_name}`"
+
+            fetcher = InspecPlugins::Compliance::Fetcher.resolve(
+              {
+                compliance: profile_name,
+              }
+            )
+
+            # we provide a name, the fetcher adds the extension
+            _owner, id = profile_name.split("/")
+            file_name = fetcher.fetch(o.name || id)
+            puts "Profile stored to #{file_name}"
+          else
+            puts "Profile #{profile_name} is not available in #{AUTOMATE_PRODUCT_NAME}."
+            exit 1
+          end
+        }
       end
 
       desc "upload PATH", "uploads a local profile to #{AUTOMATE_PRODUCT_NAME}"
@@ -123,132 +136,138 @@ module InspecPlugins
         desc: "Overwrite existing profile on Server."
       option :owner, type: :string, required: false,
         desc: "Owner that should own the profile"
-      option :legacy, type: :boolean, default: false,
-        desc: "Enable legacy functionality, activating both legacy export and legacy check."
       def upload(path) # rubocop:disable Metrics/MethodLength, Metrics/AbcSize, Metrics/PerceivedComplexity, Metrics/CyclomaticComplexity
-        config = InspecPlugins::Compliance::Configuration.new
-        return unless loggedin(config)
+        Inspec.with_feature("inspec-cli-compliance-upload") {
+          config = InspecPlugins::Compliance::Configuration.new
+          return unless loggedin(config)
 
-        # set owner to config
-        config["owner"] = options["owner"] || config["user"]
+          # set owner to config
+          config["owner"] = options["owner"] || config["user"]
 
-        unless File.exist?(path)
-          puts "Directory #{path} does not exist."
-          exit 1
-        end
+          unless File.exist?(path)
+            puts "Directory #{path} does not exist."
+            exit 1
+          end
 
-        vendor_deps(path, options) if File.directory?(path)
+          vendor_deps(path, options) if File.directory?(path)
 
-        o = options.dup
-        configure_logger(o)
+          o = options.dup
+          configure_logger(o)
 
-        # only run against the mock backend, otherwise we run against the local system
-        o[:backend] = Inspec::Backend.create(Inspec::Config.mock)
-        o[:check_mode] = true
-        o[:vendor_cache] = Inspec::Cache.new(o[:vendor_cache])
+          # only run against the mock backend, otherwise we run against the local system
+          o[:backend] = Inspec::Backend.create(Inspec::Config.mock)
+          o[:check_mode] = true
+          o[:vendor_cache] = Inspec::Cache.new(o[:vendor_cache])
 
-        # check the profile, we only allow to upload valid profiles
-        profile = Inspec::Profile.for_target(path, o)
+          # check the profile, we only allow to upload valid profiles
+          profile = Inspec::Profile.for_target(path, o)
 
-        # start verification process
-        error_count = 0
-        error = lambda { |msg|
-          error_count += 1
-          puts msg
-        }
+          # start verification process
+          error_count = 0
+          error = lambda { |msg|
+            error_count += 1
+            puts msg
+          }
 
-        result = options["legacy"] ? profile.legacy_check : profile.check
-        unless result[:summary][:valid]
-          error.call("Profile check failed. Please fix the profile before upload.")
-        else
-          puts("Profile is valid")
-        end
-
-        # determine user information
-        if (config["token"].nil? && config["refresh_token"].nil?) || config["user"].nil?
-          error.call("Please login via `#{EXEC_NAME} #{subcommand_name} login`")
-        end
-
-        # read profile name from inspec.yml
-        profile_name = profile.name
-
-        # read profile version from inspec.yml
-        profile_version = profile.version
-
-        # check that the profile is not uploaded already,
-        # confirm upload to the user (overwrite with --force)
-        if InspecPlugins::Compliance::API.exist?(config, "#{config["owner"]}/#{profile_name}##{profile_version}") && !options["overwrite"]
-          error.call("Profile exists on the server, use --overwrite")
-        end
-
-        # abort if we found an error
-        if error_count > 0
-          puts "Found #{error_count} error(s)"
-          exit 1
-        end
-
-        # if it is a directory, tar it to tmp directory
-        generated = false
-        if File.directory?(path)
-          generated = true
-          archive_path = Dir::Tmpname.create([profile_name, ".tar.gz"]) {}
-          puts "Generate temporary profile archive at #{archive_path}"
-          profile.archive({ output: archive_path, ignore_errors: false, overwrite: true, legacy_export: options["legacy"] })
-        else
-          archive_path = path
-        end
-
-        puts "Start upload to #{config["owner"]}/#{profile_name}"
-        pname = ERB::Util.url_encode(profile_name)
-
-        puts "Uploading to #{AUTOMATE_PRODUCT_NAME}"
-
-        success, msg = InspecPlugins::Compliance::API.upload(config, config["owner"], pname, archive_path)
-
-        # delete temp file if it was temporary generated
-        File.delete(archive_path) if generated && File.exist?(archive_path)
-
-        if success
-          puts "Successfully uploaded profile"
-        else
-          puts "Error during profile upload:"
-          puts msg
-          exit 1
-        end
+          result = profile.check
+          unless result[:summary][:valid]
+            error.call("Profile check failed. Please fix the profile before upload.")
+          else
+            puts("Profile is valid")
+          end
+
+          # determine user information
+          if (config["token"].nil? && config["refresh_token"].nil?) || config["user"].nil?
+            error.call("Please login via `#{EXEC_NAME} #{subcommand_name} login`")
+          end
+
+          # read profile name from inspec.yml
+          profile_name = profile.name
+
+          # read profile version from inspec.yml
+          profile_version = profile.version
+
+          # check that the profile is not uploaded already,
+          # confirm upload to the user (overwrite with --force)
+          if InspecPlugins::Compliance::API.exist?(config, "#{config["owner"]}/#{profile_name}##{profile_version}") && !options["overwrite"]
+            error.call("Profile exists on the server, use --overwrite")
+          end
+
+          # abort if we found an error
+          if error_count > 0
+            puts "Found #{error_count} error(s)"
+            exit 1
+          end
+
+          # if it is a directory, tar it to tmp directory
+          generated = false
+          if File.directory?(path)
+            generated = true
+            archive_path = Dir::Tmpname.create([profile_name, ".tar.gz"]) {}
+            puts "Generate temporary profile archive at #{archive_path}"
+            profile.archive({ output: archive_path, ignore_errors: false, overwrite: true })
+          else
+            archive_path = path
+          end
+
+          puts "Start upload to #{config["owner"]}/#{profile_name}"
+          pname = ERB::Util.url_encode(profile_name)
+
+          puts "Uploading to #{AUTOMATE_PRODUCT_NAME}"
+
+          success, msg = InspecPlugins::Compliance::API.upload(config, config["owner"], pname, archive_path)
+
+          # delete temp file if it was temporary generated
+          File.delete(archive_path) if generated && File.exist?(archive_path)
+
+          if success
+            puts "Successfully uploaded profile"
+          else
+            puts "Error during profile upload:"
+            puts msg
+            exit 1
+          end
+        }
       end
 
       desc "version", "displays the version of the #{AUTOMATE_PRODUCT_NAME} server"
       def version
-        config = InspecPlugins::Compliance::Configuration.new
-        info = InspecPlugins::Compliance::API.version(config)
-        if !info.nil? && info["build_timestamp"]
-          # key info["api"] is not longer available in latest version api response
-          puts "Name: automate"
-          puts "Version: #{info["build_timestamp"]}"
-        else
-          puts "Could not determine server version."
-          exit 1
-        end
-      rescue InspecPlugins::Compliance::ServerConfigurationMissing
-        puts "\nServer configuration information is missing. Please login using `#{EXEC_NAME} #{subcommand_name} login`"
-        exit 1
+        Inspec.with_feature("inspec-cli-compliance-version") {
+          begin
+            config = InspecPlugins::Compliance::Configuration.new
+            info = InspecPlugins::Compliance::API.version(config)
+            if !info.nil? && info["build_timestamp"]
+              # key info["api"] is not longer available in latest version api response
+              puts "Name: automate"
+              puts "Version: #{info["build_timestamp"]}"
+            else
+              puts "Could not determine server version."
+              exit 1
+            end
+          rescue InspecPlugins::Compliance::ServerConfigurationMissing
+            puts "\nServer configuration information is missing. Please login using `#{EXEC_NAME} #{subcommand_name} login`"
+            exit 1
+          end
+        }
       end
 
       desc "logout", "user logout from #{AUTOMATE_PRODUCT_NAME}"
       def logout
-        config = InspecPlugins::Compliance::Configuration.new
-        unless config.supported?(:oidc) || config["token"].nil? || config["server_type"] == "automate"
+        Inspec.with_feature("inspec-cli-compliance-logout") {
           config = InspecPlugins::Compliance::Configuration.new
-          url = "#{config["server"]}/logout"
-          InspecPlugins::Compliance::HTTP.post(url, config["token"], config["insecure"], !config.supported?(:oidc))
-        end
-        success = config.destroy
-
-        if success
-          puts "Successfully logged out"
-        else
-          puts "Could not log out"
-        end
+          unless config.supported?(:oidc) || config["token"].nil? || config["server_type"] == "automate"
+            config = InspecPlugins::Compliance::Configuration.new
+            url = "#{config["server"]}/logout"
+            InspecPlugins::Compliance::HTTP.post(url, config["token"], config["insecure"], !config.supported?(:oidc))
+          end
+          success = config.destroy
+
+          if success
+            puts "Successfully logged out"
+          else
+            puts "Could not log out"
+          end
+        }
       end
 
       private

data/lib/plugins/inspec-habitat/lib/inspec-habitat/cli.rb

@@ -1,5 +1,6 @@
 require_relative "profile"
 require "inspec/dist"
+require "inspec/feature"
 
 module InspecPlugins
   module Habitat
@@ -14,17 +15,23 @@ module InspecPlugins
       option :output_dir, type: :string, required: false,
         desc: "Output directory for the Habitat artifact. Default: current directory"
       def create(path = ".")
-        InspecPlugins::Habitat::Profile.new(path, options).create
+        Inspec.with_feature("inspec-cli-habitat-profile-create") {
+          InspecPlugins::Habitat::Profile.new(path, options).create
+        }
       end
 
       desc "setup PATH", "Configure the profile at PATH for Habitat, including a plan and hooks"
       def setup(path = ".")
-        InspecPlugins::Habitat::Profile.new(path, options).setup
+        Inspec.with_feature("inspec-cli-habitat-profile-setup") {
+          InspecPlugins::Habitat::Profile.new(path, options).setup
+        }
       end
 
       desc "upload PATH", "Create then upload a Habitat artifact for the profile found at PATH to the Habitat Builder Depot"
       def upload(path = ".")
-        InspecPlugins::Habitat::Profile.new(path, options).upload
+        Inspec.with_feature("inspec-cli-habitat-profile-upload") {
+          InspecPlugins::Habitat::Profile.new(path, options).upload
+        }
       end
     end
 

data/lib/plugins/inspec-init/lib/inspec-init/cli.rb

@@ -1,5 +1,6 @@
 require "pathname" unless defined?(Pathname)
 require_relative "renderer"
+require "inspec/feature"
 
 module InspecPlugins
   module Init