inspec-core 6.6.0 → 6.8.1

data/lib/inspec/resources/ssh_key.rb

@@ -0,0 +1,124 @@
+require "inspec/utils/file_reader"
+require "net/ssh" unless defined?(Net::SSH)
+
+# Change module if required
+module Inspec::Resources
+  class SshKey < FileResource
+    # Every resource requires an internal name.
+    name "ssh_key"
+
+    # Restrict to only run on the below platforms (if none were given,
+    # all OS's and cloud API's supported)
+    supports platform: "unix"
+    supports platform: "windows"
+
+    desc "public/private SSH key pair test"
+
+    example <<~EXAMPLE
+      describe ssh_key('path: ~/.ssh/id_rsa') do
+        its('key_length') { should eq 4096 }
+        its('type') { should cmp /rsa/ }
+        it { should be_private }
+      end
+    EXAMPLE
+
+    include FileReader
+
+    def initialize(keypath, passphrase = nil)
+      skip_resource "The `ssh_key` resource is not yet available on your OS." unless inspec.os.unix? || inspec.os.windows?
+      @key_path = set_ssh_key_path(keypath)
+      @passphrase = passphrase
+      @key = read_ssh_key
+      super(@key_path)
+    end
+
+    def public?
+      return if @key.nil?
+
+      @key[:public]
+    end
+
+    def private?
+      return if @key.nil?
+
+      @key[:private]
+    end
+
+    def key_length
+      return if @key.nil?
+
+      @key[:key_length]
+    end
+
+    def type
+      return if @key.nil?
+
+      @key[:type]
+    end
+
+    # Define a resource ID. This is used in reporting engines to uniquely identify the individual resource.
+    # This might be a file path, or a process ID, or a cloud instance ID. Only meaningful to the implementation.
+    # Must be a string. Defaults to the empty string if not implemented.
+    def resource_id
+      @key_path || "SSH key"
+    end
+
+    def to_s
+      "ssh_key #{@key_path}"
+    end
+
+    private
+
+    def set_ssh_key_path(keypath)
+      if File.exist?(keypath)
+        @key_path = keypath
+      elsif File.exist?(File.join("#{Dir.home}/.ssh/", keypath))
+        @key_path = File.join("#{Dir.home}/.ssh/", keypath)
+      else
+        raise Inspec::Exceptions::ResourceSkipped, "Can't find file: #{keypath}"
+      end
+    end
+
+    def read_ssh_key
+      key_data = {}
+      key = nil
+      filecontent = read_file_content((@key_path), @passphrase)
+      raise Inspec::Exceptions::ResourceSkipped, "File is empty: #{@key_path}" if filecontent.split("\n").empty?
+
+      if filecontent.split("\n")[0].include?("PRIVATE")
+        # Net::SSH::KeyFactory does not have support to load private key for DSA
+        key = Net::SSH::KeyFactory.load_private_key(@key_path, @passphrase, false)
+        unless key.nil?
+          key_data[:private] = true
+          key_data[:public] = false
+          # The data send for ssh type is not in same format so it's good to match on the string
+          key_data[:type] = key.ssh_type
+          key_data[:key_length] = key_lengh(key)
+        end
+      else
+        key = Net::SSH::KeyFactory.load_public_key(@key_path)
+        unless key.nil?
+          key_data[:private] = false
+          key_data[:public] = true
+          # The data send for ssh type is not in same format so it's good to match on the string
+          key_data[:type] = key.ssh_type
+          key_data[:key_length] = key_lengh(key)
+        end
+      end
+
+      key_data
+    rescue OpenSSL::PKey::PKeyError => e
+      raise Inspec::Exceptions::ResourceFailed, "#{e.message}"
+    end
+
+    def key_lengh(key)
+      if key.class.to_s == "OpenSSL::PKey::RSA"
+        key.public_key.n.num_bits
+      else
+        # Unable to get the key lenght data for other types of keys
+        # TODO: Need to check if there is any method that will get this info.
+        nil
+      end
+    end
+  end
+end

data/lib/inspec/resources/sshd_active_config.rb

@@ -0,0 +1,2 @@
+# This is just here to make the dynamic loader happy.
+require "inspec/resources/ssh_config"

data/lib/inspec/resources/sybase_session.rb

@@ -44,10 +44,19 @@ module Inspec::Resources
       # try to get a temp path
       sql_file_path = upload_sql_file(sql)
 
+      # TODO: Find if there is better way to get the current shell
+      current_shell = inspec.command("echo $SHELL")
+
+      res = current_shell.exit_status
+
       # isql reuires that we have a matching locale set, but does not support C.UTF-8. en_US.UTF-8 is the least evil.
-      command = "LANG=en_US.UTF-8 SYBASE=#{sybase_home} #{bin} -s\"#{col_sep}\" -w80000 -S #{server} -U #{username} -D #{database} -P \"#{password}\" < #{sql_file_path}"
-      isql_cmd = inspec.command(command)
+      if res == 0 && ( current_shell.stdout&.include?("/csh") || current_shell.stdout&.include?("/tcsh") )
+        command = "source #{sybase_home}/SYBASE.csh; setenv LANG en_US.UTF-8; #{bin} -s\"#{col_sep}\" -w80000 -S #{server} -U #{username} -D #{database} -P \"#{password}\" < #{sql_file_path}"
+      else
+        command = "LANG=en_US.UTF-8 SYBASE=#{sybase_home} #{bin} -s\"#{col_sep}\" -w80000 -S #{server} -U #{username} -D #{database} -P \"#{password}\" < #{sql_file_path}"
+      end
 
+      isql_cmd = inspec.command(command)
       # Check for isql errors
       res = isql_cmd.exit_status
       raise Inspec::Exceptions::ResourceFailed.new("isql exited with code #{res} and stderr '#{isql_cmd.stderr}', stdout '#{isql_cmd.stdout}'") unless res == 0

data/lib/inspec/resources/virtualization.rb

@@ -223,7 +223,7 @@ module Inspec::Resources
       elsif cgroup_content =~ %r{^\d+:[^:]+:/(kubepods)/.+$}
         @virtualization_data[:system] = $1
         @virtualization_data[:role] = "guest"
-      elsif /container=podman/.match?(file_read("/proc/1/environ"))
+      elsif /container=podman/.match?(inspec.file("/proc/1/environ").content)
         @virtualization_data[:system] = "podman"
         @virtualization_data[:role] = "guest"
       elsif lxc_version_exists? && cgroup_content =~ %r{\d:[^:]+:/$}

data/lib/inspec/resources.rb

@@ -110,6 +110,7 @@ require "inspec/resources/selinux"
 require "inspec/resources/service"
 require "inspec/resources/shadow"
 require "inspec/resources/ssh_config"
+require "inspec/resources/ssh_key"
 require "inspec/resources/ssl"
 require "inspec/resources/sys_info"
 require "inspec/resources/toml"

data/lib/inspec/rule.rb

@@ -375,19 +375,24 @@ module Inspec
     # only_if mechanism)
     # Double underscore: not intended to be called as part of the DSL
     def __apply_waivers
+      @__waiver_data = nil
       control_id = @__rule_id # TODO: control ID slugging
-      waiver_files = Inspec::Config.cached.final_options["waiver_file"] if Inspec::Config.cached.respond_to?(:final_options)
-
-      waiver_data_by_profile = Inspec::WaiverFileReader.fetch_waivers_by_profile(__profile_id, waiver_files) unless waiver_files.nil?
 
-      return unless waiver_data_by_profile && waiver_data_by_profile[control_id] && waiver_data_by_profile[control_id].is_a?(Hash)
+      waiver_files = Inspec::Config.cached.final_options["waiver_file"] if Inspec::Config.cached.respond_to?(:final_options)
+      if waiver_files.nil? || waiver_files.empty?
+        # Support for input registry is provided for backward compatibilty with compliance phase of chef-client
+        # Chef-client sends waiver information in inputs hash
+        input_registry = Inspec::InputRegistry.instance
+        waiver_data_via_input = input_registry.inputs_by_profile.dig(__profile_id, control_id)
+        return unless waiver_data_via_input && waiver_data_via_input.has_value? && waiver_data_via_input.value.is_a?(Hash)
+
+        @__waiver_data = waiver_data_via_input.value
+      else
+        waiver_data_by_profile = Inspec::WaiverFileReader.fetch_waivers_by_profile(__profile_id, waiver_files)
+        return unless waiver_data_by_profile && waiver_data_by_profile[control_id] && waiver_data_by_profile[control_id].is_a?(Hash)
 
-      # An InSpec Input is a datastructure that tracks a profile parameter
-      # over time. Its value can be set by many sources, and it keeps a
-      # log of each "set" event so that when it is collapsed to a value,
-      # it can determine the correct (highest priority) value.
-      # Store in an instance variable for.. later reading???
-      @__waiver_data = waiver_data_by_profile[control_id]
+        @__waiver_data = waiver_data_by_profile[control_id]
+      end
 
       __waiver_data["skipped_due_to_waiver"] = false
       __waiver_data["message"] = ""

data/lib/inspec/runner.rb

@@ -12,6 +12,7 @@ require "inspec/dist"
 require "inspec/reporters"
 require "inspec/runner_rspec"
 require "chef-licensing"
+require "inspec/utils/telemetry"
 # spec requirements
 
 module Inspec
@@ -89,7 +90,12 @@ module Inspec
     end
 
     def configure_transport
-      @backend = Inspec::Backend.create(@conf)
+      backend = Inspec::Backend.create(@conf)
+      set_backend(backend)
+    end
+
+    def set_backend(new_backend)
+      @backend = new_backend
       @test_collector.backend = @backend
     end
 
@@ -145,7 +151,7 @@ module Inspec
             get_check_example(m, a, b)
           end.compact
 
-          examples.map { |example| total_checks += example.examples.count }
+          examples.map { |example| total_checks += example.descendant_filtered_examples.count }
 
           unless control_describe_checks.empty?
             # controls with empty tests are avoided
@@ -174,6 +180,7 @@ module Inspec
       }
 
       Inspec::Log.debug "Starting run with targets: #{@target_profiles.map(&:to_s)}"
+      Inspec::Telemetry.run_starting(runner: self, conf: @conf)
       load
       run_tests(with)
     rescue ChefLicensing::SoftwareNotEntitled
@@ -222,6 +229,7 @@ module Inspec
       @run_data = @test_collector.run(with)
       # dont output anything if we want a report
       render_output(@run_data) unless @conf["report"]
+      Inspec::Telemetry.run_ending(runner: self, run_data: @run_data, conf: @conf)
       @test_collector.exit_code
     end
 

data/lib/inspec/utils/profile_ast_helpers.rb

@@ -3,8 +3,7 @@ require "rubocop-ast"
 module Inspec
   class Profile
     class AstHelper
-      class CollectorBase
-        include Parser::AST::Processor::Mixin
+      class CollectorBase < Parser::AST::Processor
         include RuboCop::AST::Traversal
 
         attr_reader :memo

data/lib/inspec/utils/telemetry/base.rb

@@ -0,0 +1,149 @@
+# frozen_string_literal: true
+require "chef-licensing"
+require "securerandom" unless defined?(SecureRandom)
+require "digest" unless defined?(Digest)
+require_relative "../../dist"
+module Inspec
+  class Telemetry
+    class Base
+      VERSION = 2.0
+      TYPE = "job"
+      JOB_TYPE = "InSpec"
+
+      attr_accessor :scratch
+
+      def fetch_license_ids
+        Inspec::Log.debug "Fetching license IDs for telemetry"
+        @license_keys ||= ChefLicensing.license_keys
+      end
+
+      def create_wrapper
+        Inspec::Log.debug "Initialising wrapper for telemetry"
+        {
+          version: VERSION,
+          createdTimeUTC: Time.now.getutc.iso8601,
+          environment: Inspec::Telemetry::RunContextProbe.guess_run_context,
+          licenseIds: fetch_license_ids,
+          source: "#{Inspec::Dist::EXEC_NAME}:#{Inspec::VERSION}",
+          type: TYPE,
+        }
+      end
+
+      def note_feature_usage(feature_name)
+        @scratch ||= {}
+        @scratch[:features] ||= []
+        @scratch[:features] << feature_name
+      end
+
+      def run_starting(_opts = {})
+        Inspec::Log.debug "Initiating telemetry for InSpec"
+        @scratch ||= {}
+        @scratch[:features] ||= []
+        @scratch[:run_start_time] = Time.now.getutc.iso8601
+      end
+
+      def run_ending(opts)
+        note_per_run_features(opts)
+
+        payload = create_wrapper
+
+        train_platform = opts[:runner].backend.backend.platform
+        payload[:platform] = train_platform.name
+
+        payload[:jobs] = [{
+                            type: JOB_TYPE,
+
+                            # Target platform info
+                            environment: {
+                              host: obscure(URI(opts[:runner].backend.backend.uri).host) || "unknown",
+                              os: train_platform.name,
+                              version: train_platform.release,
+                              architecture: train_platform.arch || "",
+                              id: train_platform.uuid,
+                            },
+
+                            runtime: Inspec::VERSION,
+                            content: [],  # one content == one profile
+                            steps: [],    # one step == one control
+                          }]
+
+        opts[:run_data][:profiles].each do |profile|
+          payload[:jobs][0][:content] << {
+            name: obscure(profile[:name]),
+            version: profile[:version],
+            sha256: profile[:sha256],
+            maintainer: profile[:maintainer] || "",
+            type: "profile",
+          }
+
+          profile[:controls].each do |control|
+            payload[:jobs][0][:steps] << {
+              id: obscure(control[:id]),
+              name: "inspec-control",
+              description: control[:desc] || "",
+              target: {
+                mode: opts[:runner].backend.backend.backend_type,
+                id: opts[:runner].backend.backend.platform.uuid,
+              },
+              resources: [],
+              features: [],
+              tags: format_control_tags(control[:tags]),
+            }
+
+            control[:results]&.each do |resource_block|
+              payload[:jobs][0][:steps].last[:resources] << {
+                type: "inspec-resource",
+                name: resource_block[:resource_class],
+                id: obscure(resource_block[:resource_title].respond_to?(:resource_id) ? resource_block[:resource_title].resource_id : nil) || "unknown",
+              }
+            end
+
+            # Per-control features.
+            payload[:jobs][0][:steps].last[:features] = scratch[:features].dup
+          end
+        end
+
+        Inspec::Log.debug "Final data for telemetry upload -> #{payload}"
+        Inspec::Log.debug "Finishing telemetry for InSpec"
+        # Return payload object for testing
+        payload
+      end
+
+      def format_control_tags(tags)
+        tags_list = []
+        tags.each do |key, value|
+          tags_list << { name: key.to_s, value: (value || "").to_s }
+        end
+        tags_list
+      end
+
+      # Hash text if non-nil
+      def obscure(cleartext)
+        return nil if cleartext.nil?
+        return nil if cleartext.empty?
+
+        Digest::SHA2.new(256).hexdigest(cleartext)
+      end
+
+      def note_per_run_features(opts)
+        note_all_invoked_features
+        note_gem_dependency_usage(opts)
+      end
+
+      def note_all_invoked_features
+        Inspec::Feature.list_all_invoked_features.each do |feature|
+          Inspec::Telemetry.note_feature_usage(feature.to_s)
+        end
+      end
+
+      def note_gem_dependency_usage(opts)
+        unless opts[:runner].target_profiles.map do |tp|
+          tp.metadata.gem_dependencies + \
+              tp.locked_dependencies.list.map { |_k, v| v.profile.metadata.gem_dependencies }.flatten
+        end.flatten.empty?
+          Inspec::Telemetry.note_feature_usage("inspec-gem-deps-in-profiles")
+        end
+      end
+    end
+  end
+end

data/lib/inspec/utils/telemetry/http.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+require_relative "base"
+require "faraday" unless defined?(Faraday)
+require "inspec/utils/licensing_config"
+module Inspec
+  class Telemetry
+    class HTTP < Base
+      TELEMETRY_JOBS_PATH = "v1/job"
+      TELEMETRY_URL = if ChefLicensing::Config.license_server_url&.match?("acceptance")
+                        ENV["CHEF_TELEMETRY_URL"]
+                      else
+                        "https://services.chef.io/telemetry/"
+                      end
+      def run_ending(opts)
+        payload = super
+        response = connection.post(TELEMETRY_JOBS_PATH) do |req|
+          req.body = payload.to_json
+        end
+        if response.success?
+          Inspec::Log.debug "HTTP connection with Telemetry Client successful."
+          Inspec::Log.debug "HTTP response from Telemetry Client -> #{response.to_hash}"
+          true
+        else
+          Inspec::Log.debug "HTTP connection with Telemetry Client faced an error."
+          Inspec::Log.debug "HTTP error -> #{response.to_hash[:body]["error"]}" if response.to_hash[:body] && response.to_hash[:body]["error"]
+          false
+        end
+      rescue Faraday::ConnectionFailed
+        Inspec::Log.debug "HTTP connection failure with telemetry url -> #{TELEMETRY_URL}"
+      end
+
+      def connection
+        Faraday.new(url: TELEMETRY_URL) do |config|
+          config.request :json
+          config.response :json
+        end
+      end
+    end
+  end
+end

data/lib/inspec/utils/telemetry/null.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+require_relative "base"
+module Inspec
+  class Telemetry
+    class Null < Base
+      def run_starting(_opts); end
+      def run_ending(_opts); end
+    end
+  end
+end
+

data/lib/inspec/utils/telemetry/run_context_probe.rb

@@ -1,9 +1,21 @@
 module Inspec
-  module Telemetry
+  class Telemetry
     # Guesses the run context of InSpec - how were we invoked?
     # All stack values here are determined experimentally
 
     class RunContextProbe
+      # Guess if we are running under Automate
+      def self.under_automate?
+        # Currently assume we are under automate if we have an automate-based reporter
+        Inspec::Config.cached[:reporter]
+          .keys
+          .map(&:to_s)
+          .any? { |n| n =~ /automate/ }
+      end
+
+      # Guess, using stack introspection, if we were called under
+      # test-kitchen, cli, audit-cookbook, or otherwise.
+      # TODO add compliance-phase of chef-infra
       def self.guess_run_context(stack = nil)
         stack ||= caller_locations
         return "test-kitchen" if kitchen?(stack)

data/lib/inspec/utils/telemetry.rb

@@ -1,3 +1,74 @@
-require "inspec/utils/telemetry/collector"
-require "inspec/utils/telemetry/data_series"
-require "inspec/utils/telemetry/global_methods"
+require "time" unless defined?(Time.zone_offset)
+require "chef-licensing"
+require_relative "telemetry/null"
+require_relative "telemetry/http"
+require_relative "telemetry/run_context_probe"
+
+module Inspec
+  class Telemetry
+
+    @@instance = nil
+    @@config = nil
+
+    def self.instance
+      @@instance ||= determine_backend_class.new
+    end
+
+    def self.determine_backend_class
+      # Don't perform telemetry action for other InSpec distros
+      # Don't perform telemetry action if running under Automate - Automate does LDC tracking for us
+      # Don't perform telemetry action if license is a commercial license
+
+      if Inspec::Dist::EXEC_NAME != "inspec" ||
+          Inspec::Telemetry::RunContextProbe.under_automate? ||
+          license&.license_type&.downcase == "commercial"
+
+        Inspec::Log.debug "Determined telemetry operation is not applicable and hence aborting it."
+        return Inspec::Telemetry::Null
+      end
+
+      if Inspec::Dist::EXEC_NAME == "inspec" && telemetry_disabled?
+        # Issue a warning if an InSpec user is explicitly trying to opt out of telemetry using cli option
+        Inspec::Log.warn "Telemetry opt-out is not permissible."
+      end
+
+      Inspec::Log.debug "Determined HTTP instance for telemetry"
+
+      Inspec::Telemetry::HTTP
+    end
+
+    def self.license
+      Inspec::Log.debug "Fetching license context for telemetry check"
+      @license = ChefLicensing.license_context
+    end
+
+    ######
+    # These class methods make it convenient to call from anywhere within the InSpec codebase.
+    ######
+    def self.run_starting(opts)
+      @@config ||= opts[:conf]
+      instance.run_starting(opts)
+    rescue StandardError => e
+      Inspec::Log.debug "Encountered error in Telemetry start run call -> #{e.message}"
+    end
+
+    def self.run_ending(opts)
+      @@config ||= opts[:conf]
+      instance.run_ending(opts)
+    rescue StandardError => e
+      Inspec::Log.debug "Encountered error in Telemetry end run call -> #{e.message}"
+    end
+
+    def self.note_feature_usage(feature_name)
+      instance.note_feature_usage(feature_name)
+    end
+
+    def self.config
+      @@config
+    end
+
+    def self.telemetry_disabled?
+      config.telemetry_options["enable_telemetry"].nil? ? false : !config.telemetry_options["enable_telemetry"]
+    end
+  end
+end

data/lib/inspec/utils/waivers/csv_file_reader.rb

@@ -19,7 +19,7 @@ module Waivers
         row_hash.delete("control_id")
         row_hash.delete_if { |k, v| k.nil? || v.nil? }
 
-        waiver_data_hash[control_id] = row_hash if control_id && !row_hash.blank?
+        waiver_data_hash[control_id] = row_hash if control_id && !(row_hash.nil? || row_hash.empty?)
       end
 
       waiver_data_hash

data/lib/inspec/utils/waivers/excel_file_reader.rb

@@ -25,7 +25,7 @@ module Waivers
           row_hash.delete_if { |k, v| k.nil? || v.nil? }
         end
 
-        waiver_data_hash[control_id] = row_hash if control_id && !row_hash.blank?
+        waiver_data_hash[control_id] = row_hash if control_id && !(row_hash.nil? || row_hash.empty?)
       end
       waiver_data_hash
     rescue Exception => e

data/lib/inspec/version.rb

@@ -1,3 +1,3 @@
 module Inspec
-  VERSION = "6.6.0".freeze
+  VERSION = "6.8.1".freeze
 end

data/lib/inspec.rb

@@ -19,7 +19,6 @@ require "inspec/rspec_extensions"
 require "inspec/globals"
 require "inspec/impact"
 require "inspec/utils/telemetry"
-require "inspec/utils/telemetry/global_methods"
 
 require "inspec/plugin/v2"
 require "inspec/plugin/v1"

data/lib/matchers/matchers.rb

@@ -299,9 +299,9 @@ RSpec::Matchers.define :cmp do |first_expected| # rubocop:disable Metrics/BlockL
     end
   end
 
-  def format_actual(actual)
+  def format_actual(actual, negate = false)
     actual = "0%o" % actual if octal?(@expected) && !actual.nil?
-    "\n%s\n     got: %s\n\n(compared using `cmp` matcher)\n" % [format_expectation(false), actual]
+    "\n%s\n     got: %s\n\n(compared using `cmp` matcher)\n" % [format_expectation(negate), actual]
   end
 
   def format_expectation(negate)
@@ -316,7 +316,7 @@ RSpec::Matchers.define :cmp do |first_expected| # rubocop:disable Metrics/BlockL
   end
 
   failure_message_when_negated do |actual|
-    format_actual actual
+    format_actual actual, true
   end
 
   description do

data/lib/plugins/inspec-parallel/lib/inspec-parallel/runner.rb

@@ -22,7 +22,10 @@ module InspecPlugins
 
       def run
         initiate_background_run if run_in_background # running a process as daemon changes parent process pid
+        original_stdout_stream = ChefLicensing::Config.output
         until invocations.empty? && @child_tracker.empty?
+          # Changing output to STDERR to avoid the output interruption between runs
+          ChefLicensing::Config.output = STDERR
           while should_start_more_jobs?
             if Inspec.locally_windows?
               spawn_another_process
@@ -35,6 +38,8 @@ module InspecPlugins
           cleanup_child_processes
           sleep 0.1
         end
+        # Reset output to the original STDOUT stream as a safe measure.
+        ChefLicensing::Config.output = original_stdout_stream
 
         # Requires renaming operations on windows only
         # Do Rename and delete operations after all child processes have exited successfully

data/lib/plugins/inspec-parallel/lib/inspec-parallel/super_reporter/status.rb

@@ -44,6 +44,7 @@ module InspecPlugins::Parallelism
         status_by_pid[pid][:last_control] = title
         status_by_pid[pid][:last_status] = status
 
+        sleep 0.5
         paint
       end