inspec-core 5.24.7 → 6.6.0

data/lib/plugins/inspec-parallel/lib/inspec-parallel/super_reporter/status.rb

@@ -0,0 +1,124 @@
+require "highline"
+
+module InspecPlugins::Parallelism
+  class SuperReporter
+    class Status < InspecPlugins::Parallelism::SuperReporter::Base
+
+      attr_reader :status_by_pid, :slots
+
+      def initialize(job_count, invocations)
+        @status_by_pid = {}
+        @slots = Array.new(job_count)
+        paint_header(job_count, invocations)
+        paint
+      end
+
+      # --------
+      # SuperReporter API
+      # --------
+      def child_spawned(pid, invocation)
+        new_child("spawned", pid, invocation)
+      end
+
+      def child_forked(pid, invocation)
+        new_child("forked", pid, invocation)
+      end
+
+      def child_exited(pid)
+        slots[status_by_pid[pid][:slot]] = "exited"
+
+        status_by_pid[pid][:pct] = 100.0
+        status_by_pid[pid][:slot] = nil
+        status_by_pid[pid][:exit] = $?
+
+        # TODO: consider holding slot in 100 status for UI grace
+
+        paint
+      end
+
+      def child_status_update_line(pid, update_line)
+        control_serial, status, control_count, title = update_line.split("/")
+        percent = 100.0 * control_serial.to_i / control_count.to_i.to_f
+
+        status_by_pid[pid][:pct] = percent
+        status_by_pid[pid][:last_control] = title
+        status_by_pid[pid][:last_status] = status
+
+        paint
+      end
+
+      # --------
+      # Utilities
+      # --------
+      private
+
+      def new_child(how, pid, invocation)
+        # Update status by PID with new info
+        status_by_pid[pid] = {
+          pct: 0.0,
+          inv: invocation,
+          how: how,
+        }
+
+        # Assign first empty slot
+        slots.each_index do |idx|
+          next unless slots[idx].nil? || slots[idx] == "exited"
+
+          slots[idx] = pid
+          status_by_pid[pid][:slot] = idx
+          break
+        end
+
+        # TODO: consider printing log message
+        paint
+      end
+
+      def terminal_width
+        return @terminal_width if @terminal_width
+
+        @highline ||= HighLine.new
+        width = @highline.output_cols.to_i
+        width = 80 if width < 1
+        @terminal_width = width
+      end
+
+      def paint
+        # Determine the width of a slot
+        slot_width = terminal_width / slots.length
+        line = ""
+        # Loop over slots
+        slots.each_index do |idx|
+          if slots[idx].nil?
+            # line += "idle".center(slot_width)
+            # Need to improve UI
+          elsif slots[idx] == "exited"
+            line += "Done".center(slot_width)
+          else
+            pid = slots[idx]
+            with_pid = format("%s: %0.1f%%", pid, status_by_pid[pid][:pct])
+            if with_pid.length <= slot_width - 2
+              line += with_pid.center(slot_width)
+            else
+              line += format("%0.1f%%", status_by_pid[pid][:pct]).center(slot_width)
+            end
+          end
+        end
+
+        print "\r" + (" " * terminal_width) + "\r"
+        print line
+      end
+
+      def paint_header(jobs, invocations)
+        puts "InSpec Parallel".center(terminal_width)
+        puts "Running #{invocations.length} invocations in #{jobs} slots".center(terminal_width)
+        puts "-" * terminal_width
+        slot_width = terminal_width / slots.length
+        slots.each_index do |idx|
+          print "Slot #{idx + 1}".center(slot_width)
+        end
+        puts
+        puts "-" * terminal_width
+      end
+    end
+  end
+end

data/lib/plugins/inspec-parallel/lib/inspec-parallel/super_reporter/text.rb

@@ -0,0 +1,23 @@
+module InspecPlugins::Parallelism
+  class SuperReporter
+    class Text < InspecPlugins::Parallelism::SuperReporter::Base
+      def child_spawned(pid, _inv)
+        puts "[#{Time.now.iso8601}] Spawned child PID #{pid}"
+      end
+
+      def child_forked(pid, _inv)
+        puts "[#{Time.now.iso8601}] Forked child PID #{pid}"
+      end
+
+      def child_exited(pid)
+        puts "[#{Time.now.iso8601}] Exited child PID #{pid} status #{$?}"
+      end
+
+      def child_status_update_line(pid, update_line)
+        control_serial, _status, control_count, _title = update_line.split("/")
+        percent = 100.0 * control_serial.to_i / control_count.to_i.to_f
+        puts "[#{Time.now.iso8601}] #{pid} " + format("%.1f%%", percent)
+      end
+    end
+  end
+end

data/lib/plugins/inspec-parallel/lib/inspec-parallel/validator.rb

@@ -0,0 +1,170 @@
+require "inspec/cli"
+module InspecPlugins
+  module Parallelism
+    class Validator
+
+      # TODO: make this list dynamic so plugins can self-declare
+      PARALLEL_SAFE_REPORTERS = [
+        "automate",      # Performs HTTP transactions, silent on STDOUT
+        "child-status",  # Writes dedicated protocol to STDOUT, expected by parent
+      ].freeze
+
+      attr_accessor :invocations, :sub_cmd, :thor_options_for_sub_cmd, :aliases_mapping, :cli_options, :config_content, :stdin_config
+
+      def initialize(invocations, cli_options, sub_cmd = "exec")
+        @invocations = invocations
+        @sub_cmd = sub_cmd
+        @thor_options_for_sub_cmd = Inspec::InspecCLI.commands[sub_cmd].options
+        @aliases_mapping = create_aliases_mapping
+        @cli_options = cli_options
+        @config_content = nil
+        @stdin_config = nil
+      end
+
+      def validate
+        invocations.each do |invocation_data|
+          invocation_data[:validation_errors] = []
+
+          convert_cli_to_thor_options(invocation_data)
+          check_for_spurious_options(invocation_data)
+          check_for_required_fields(invocation_data)
+          check_for_reporter_options(invocation_data)
+
+        end
+      end
+
+      def validate_log_path
+        return [] unless cli_options["log_path"]
+
+        if File.directory?(cli_options["log_path"])
+          []
+        else
+          [true, "Log path #{cli_options["log_path"]} is not accessible"]
+        end
+      end
+
+      private
+
+      def create_aliases_mapping
+        alias_mapping = {}
+        thor_options_for_sub_cmd.each do |_, sub_cmd_option|
+          aliases = sub_cmd_option.aliases
+          unless aliases.empty?
+            alias_mapping[aliases[0]] = sub_cmd_option.name
+          end
+        end
+        alias_mapping
+      end
+
+      def check_for_spurious_options(invocation_data)
+        # LIMITATION: Assume the first arg is the profile name, and there is exactly one of them.
+        invalid_options = invocation_data[:thor_args][1..-1]
+        invocation_data[:validation_errors].push "No such option: #{invalid_options}" unless invalid_options.empty?
+      end
+
+      def check_for_required_fields(invocation_data)
+        required_fields = thor_options_for_sub_cmd.collect { |_, thor_option| thor_option.name if thor_option.required }.compact
+        option_keys = invocation_data[:thor_opts].keys
+        invocation_data[:thor_opts].keys.map { |key| option_keys.push(aliases_mapping[key.to_sym]) if aliases_mapping[key.to_sym] }
+        if !required_fields.empty? && (option_keys & required_fields).empty?
+          invocation_data[:validation_errors].push "No value provided for required options: #{required_fields}"
+        end
+      end
+
+      def check_for_reporter_options(invocation_data)
+        # if no reporter option, that's an error
+        unless invocation_data[:thor_opts].include?("reporter")
+          # Check for config reporter validation only if --reporter option is missing from options file
+          return if check_reporter_options_in_config(invocation_data)
+
+          invocation_data[:validation_errors] << "A --reporter option must be specified for each invocation in the options file"
+          return
+        end
+
+        have_child_status_reporter = false
+
+        # Reporter option is formatted as an array
+        invocation_data[:thor_opts]["reporter"].each do |reporter_spec|
+          reporter_name, file_output = reporter_spec.split(":")
+
+          have_child_status_reporter = true if reporter_name == "child-status"
+
+          # if there is a reporter option, each entry must either write to a file or
+          # else be the special child-status reporter or the automate reporter
+          next if PARALLEL_SAFE_REPORTERS.include?(reporter_name)
+
+          unless file_output
+            invocation_data[:validation_errors] << "The #{reporter_name} reporter requires being directed to a file, like #{reporter_name}:filename.out"
+          end
+        end
+
+        # if there is no child-status reporter, add one to the raw value and the parsed array
+        unless have_child_status_reporter
+          # Eww
+          invocation_data[:thor_opts]["reporter"] << "child-status"
+          invocation_data[:value].gsub!("--reporter ", "--reporter child-status ")
+        end
+      end
+
+      def check_reporter_options_in_config(invocation_data)
+        config_opts = invocation_data[:thor_opts]["config"] || invocation_data[:thor_opts]["json_config"]
+        cfg_io = check_for_piped_config_from_stdin(config_opts)
+
+        if cfg_io == STDIN
+          # Scenario of using config from STDIN
+          @config_content ||= cfg_io.read
+        else
+          if config_opts.nil?
+            # Scenario of using default config.json file when path not provided
+            default_path = File.join(Inspec.config_dir, "config.json")
+            config_opts = default_path
+            return unless File.exist?(config_opts)
+          elsif !File.exist?(config_opts)
+            invocation_data[:validation_errors] << "Could not read configuration file at #{config_opts}"
+            return
+          end
+          @config_content = File.open(config_opts).read
+        end
+
+        reporter_config = JSON.parse(config_content)["reporter"] unless config_content.nil? || config_content.empty?
+        unless reporter_config
+          invocation_data[:validation_errors] << "Config should have reporter option specified for each invocation which is not using --reporter option in options file"
+        end
+        @config_content
+      end
+
+      def check_for_piped_config_from_stdin(config_opts)
+        return nil unless config_opts
+        return nil unless config_opts == "-"
+
+        @stdin_config ||= STDIN
+      end
+
+      ## Utility functions
+
+      # Parse the invocation string using Thor into Thor options
+      # This approach was reverse engineered from studying
+      # https://github.com/rails/thor/blob/ab3b5be455791f4efb79f0efb4f88cc6b59c8ccf/lib/thor/base.rb#L53
+
+      def convert_cli_to_thor_options(invocation_data)
+        invocation_words = invocation_data[:value].split(" ")
+
+        # LIMITATION: this approach is limited to having exactly one profile in the invocation
+        args = [invocation_words.shift] # That is, the profile path
+
+        # Here we're piggybacking on on a hook used by the start() method, and provides the
+        # specifics for the subcommand
+        config = { command_options: thor_options_for_sub_cmd }
+
+        # This performs the parse
+        thor = Inspec::InspecCLI.new(args, invocation_words, config)
+
+        # A hash (with indifferent access) of option names to option config data
+        invocation_data[:thor_opts] = thor.options
+
+        # A list of everything else it could not parse, including the profile
+        invocation_data[:thor_args] = thor.args
+      end
+    end
+  end
+end

data/lib/plugins/inspec-parallel/lib/inspec-parallel.rb

@@ -0,0 +1,18 @@
+module InspecPlugins
+  module Parallelism
+    class Plugin < ::Inspec.plugin(2)
+      plugin_name :"inspec-parallel"
+
+      cli_command :parallel do
+        require_relative "inspec-parallel/cli"
+        InspecPlugins::Parallelism::CLI
+      end
+
+      streaming_reporter :"child-status" do
+        require_relative "inspec-parallel/child_status_reporter"
+        InspecPlugins::Parallelism::StreamingReporter
+      end
+
+    end
+  end
+end

data/lib/plugins/inspec-sign/lib/inspec-sign/base.rb

@@ -36,15 +36,11 @@ module InspecPlugins
         FileUtils.mkdir_p(path)
 
         puts "Generating signing key in #{path}/#{options["keyname"]}.pem.key"
-        # https://github.com/inspec/inspec/security/code-scanning/1
-        # https://github.com/inspec/inspec/security/code-scanning/2
-        # The following line was flagged by GitHub code scanning as a security vulnerability.
-        # Update the code to eliminate the vulnerability.
-        File.open("#{path}/#{options["keyname"]}.pem.key", "w") do |io|
+        open "#{path}/#{options["keyname"]}.pem.key", "w" do |io|
           io.write key.to_pem
         end
         puts "Generating validation key in #{path}/#{options["keyname"]}.pem.pub"
-        File.open("#{path}/#{options["keyname"]}.pem.pub", "w") do |io|
+        open "#{path}/#{options["keyname"]}.pem.pub", "w" do |io|
           io.write key.public_key.to_pem
         end
       end
@@ -71,8 +67,7 @@ module InspecPlugins
         # Generating tar.gz file using archive method of Inspec Cli
         Inspec::InspecCLI.new.archive(profile_path, "error")
         tarfile = "#{filename}.tar.gz"
-        # Update IO.binread with File.binread because of https://github.com/inspec/inspec/security/code-scanning/3
-        tar_content = File.binread(tarfile)
+        tar_content = IO.binread(tarfile)
         FileUtils.rm(tarfile)
 
         # Generate the signature
@@ -97,12 +92,16 @@ module InspecPlugins
         Inspec::UI.new.exit(:usage_error)
       end
 
-      def self.profile_verify(signed_profile_path)
+      def self.profile_verify(signed_profile_path, silent = false)
         file_to_verify = signed_profile_path
-        puts "Verifying #{file_to_verify}"
+        puts "Verifying #{file_to_verify}" unless silent
 
         iaf_file = Inspec::IafFile.new(file_to_verify)
         if iaf_file.valid?
+          # Signed profile verification is called from runner and not from CLI
+          # Do not exit and do not print logs
+          return if silent
+
           puts "Detected format version '#{iaf_file.version}'"
           puts "Attempting to verify using key '#{iaf_file.key_name}'"
           puts "Profile is valid."
@@ -157,7 +156,7 @@ module InspecPlugins
           ui.exit(:usage_error)
         end
 
-        lines = File.readlines(p)
+        lines = IO.readlines(p)
         lines << "\nprofile_content_id: #{profile_content_id}\n"
 
         File.open("#{p}", "w" ) do |f|

data/lib/plugins/inspec-sign/lib/inspec-sign/cli.rb

@@ -1,5 +1,6 @@
 require_relative "base"
 require "inspec/dist"
+require "inspec/feature"
 
 #
 # Notes:
@@ -85,8 +86,10 @@ module InspecPlugins
       option :keydir, type: :string, default: "./",
         desc: "Directory to search for keys"
       def generate_keys
-        puts "Generating keys"
-        InspecPlugins::Sign::Base.keygen(options)
+        Inspec.with_feature("inspec-cli-sign-generate-keys") {
+          puts "Generating keys"
+          InspecPlugins::Sign::Base.keygen(options)
+        }
       end
 
       desc "profile PATH", "sign the profile in PATH and generate .iaf artifact."
@@ -95,12 +98,16 @@ module InspecPlugins
       option :profile_content_id, type: :string,
         desc: "UUID of the profile. This will write the profile_content_id in the metadata file if it does not already exist in the metadata file."
       def profile(profile_path)
-        InspecPlugins::Sign::Base.profile_sign(profile_path, options)
+        Inspec.with_feature("inspec-cli-sign-profile") {
+          InspecPlugins::Sign::Base.profile_sign(profile_path, options)
+        }
       end
 
       desc "verify PATH", "Verify a signed profile .iaf artifact at given path."
       def verify(signed_profile_path)
-        InspecPlugins::Sign::Base.profile_verify(signed_profile_path)
+        Inspec.with_feature("inspec-cli-sign-verify") {
+          InspecPlugins::Sign::Base.profile_verify(signed_profile_path)
+        }
       end
     end
   end

data/lib/plugins/inspec-streaming-reporter-progress-bar/lib/inspec-streaming-reporter-progress-bar/streaming_reporter.rb

@@ -91,23 +91,20 @@ module InspecPlugins::StreamingReporterProgressBar
 
       set_status_mapping(control_id, status)
       collect_notifications(notification, control_id, status)
-      control_ended = control_ended?(control_id)
-      if control_ended
-        control_outcome = add_enhanced_outcomes(control_id) if enhanced_outcomes
-        show_progress(control_id, title, full_description, control_outcome)
-      end
+      show_progress(control_id, title, full_description) if control_ended?(notification, control_id)
     end
 
-    def show_progress(control_id, title, full_description, control_outcome)
+    def show_progress(control_id, title, full_description)
       @bar ||= ProgressBar.new(controls_count, :bar, :counter, :percentage)
       sleep 0.1
       @bar.increment!
-      @bar.puts format_it(control_id, title, full_description, control_outcome)
+      @bar.puts format_it(control_id, title, full_description)
     rescue StandardError => e
       raise "Exception in Progress Bar streaming reporter: #{e}"
     end
 
-    def format_it(control_id, title, full_description, control_outcome)
+    def format_it(control_id, title, full_description)
+      control_outcome = control_outcome(control_id)
       if control_outcome
         control_status = control_outcome
       else
@@ -121,11 +118,7 @@ module InspecPlugins::StreamingReporterProgressBar
                          end
       end
       indicator = INDICATORS[control_status]
-      message_to_format = ""
-      message_to_format += "#{indicator}  "
-      message_to_format += "#{control_id.to_s.strip.dup.force_encoding(Encoding::UTF_8)}  "
-      message_to_format += "#{title.gsub(/\n*\s+/, " ").to_s.force_encoding(Encoding::UTF_8)}  " if title
-      message_to_format += "#{full_description.gsub(/\n*\s+/, " ").to_s.force_encoding(Encoding::UTF_8)}  " unless title
+      message_to_format = format_message(indicator, control_id, title, full_description)
       format_with_color(control_status, message_to_format)
     rescue Exception => e
       raise "Exception in show_progress: #{e}"

data/lib/source_readers/inspec.rb

@@ -66,7 +66,7 @@ module SourceReaders
     end
 
     def load_readme
-      load_all(/README(\.md)?$/)
+      load_all(/README.md/)
     end
   end
 end