inspec-core 6.8.11 → 7.0.38.beta

data/lib/inspec/plugin/v2/loader.rb

@@ -2,6 +2,7 @@ require "inspec/log"
 require "inspec/version"
 require "inspec/plugin/v2/config_file"
 require "inspec/plugin/v2/filter"
+require "inspec/plugin/v2/concerns/gem_spec_helper"
 
 module Inspec::Plugin::V2
   class Loader
@@ -10,6 +11,7 @@ module Inspec::Plugin::V2
     # For {inspec|train}_plugin_name?
     include Inspec::Plugin::V2::FilterPredicates
     extend Inspec::Plugin::V2::FilterPredicates
+    include Inspec::Plugin::V2::GemSpecHelper
 
     def initialize(options = {})
       @options = options
@@ -157,6 +159,33 @@ module Inspec::Plugin::V2
       self.class.list_managed_gems
     end
 
+    def self.find_gem_directory(gem_name, version = nil)
+      selected_gemspec = find_gemspec_of(gem_name, version)
+      selected_gemspec&.full_gem_path
+    end
+
+    def self.find_gemspec_directory(gem_name, version = nil)
+      selected_gemspec = find_gemspec_of(gem_name, version)
+      selected_gemspec&.loaded_from
+    end
+
+    def self.find_gemspec_of(gem_name, version = nil)
+      version = Gem::Version.new(version) if version && !version.is_a?(Gem::Version)
+
+      list_managed_gems
+        .select { |g| g.name == gem_name }
+        .sort_by(&:version)
+        .yield_self { |gems| version ? gems.find { |g| g.version == version } : gems.last }
+    end
+
+    def find_gemspec_directory(gem_name, version = nil)
+      self.class.find_gemspec_directory(gem_name, version)
+    end
+
+    def find_gem_directory(gem_name, version = nil)
+      self.class.find_gem_directory(gem_name, version)
+    end
+
     # Lists all plugin gems found in the plugin_gem_path.
     # This is simply all gems that begin with train- or inspec-
     # and are not on the exclusion list.
@@ -169,8 +198,6 @@ module Inspec::Plugin::V2
       self.class.list_managed_gems
     end
 
-    private
-
     # 'Activating' a gem adds it to the load path, so 'require "gemname"' will work.
     # Given a gem name, this activates the gem and all of its dependencies, respecting
     # version pinning needs.
@@ -208,13 +235,15 @@ module Inspec::Plugin::V2
         raise ex
       end
       solution.each do |activation_request|
-        next if activation_request.full_spec.activated?
+        requested_gemspec = activation_request.full_spec
+        next if requested_gemspec.activated?
 
-        activation_request.full_spec.activate
-        # TODO: If we are under Bundler, inform it that we loaded a gem
+        requested_gemspec.activate unless loaded_recent_most_version_of?(requested_gemspec)
       end
     end
 
+    private
+
     def annotate_status_after_loading(plugin_name)
       status = registry[plugin_name]
       return if status.api_generation == 2 # Gen2 have self-annotating superclasses

data/lib/inspec/plugin/v2/plugin_types/resource_pack.rb

@@ -0,0 +1,8 @@
+module Inspec::Plugin::V2::PluginType
+  class ResourcePack < Inspec::Plugin::V2::PluginBase
+    register_plugin_type(:resource_pack)
+
+    # TODO: Any DSL definitions would go here
+
+  end
+end

data/lib/inspec/plugin/v2.rb

@@ -13,6 +13,7 @@ module Inspec
       end
 
       class InstallError < Inspec::Plugin::V2::GemActionError; end
+      class InstallRequiredError < Inspec::Plugin::V2::InstallError; end
 
       class PluginExcludedError < Inspec::Plugin::V2::InstallError
         attr_accessor :details

data/lib/inspec/profile.rb

@@ -391,6 +391,16 @@ module Inspec
       included_tags
     end
 
+    # InSpec 7 introduced gem-based resource packs, so some "profiles" are now gem-based
+    # In this case, they are backed by a gem that contains an inspec.yml and a lib/PATH/plugin.rb
+    # which contains activator code which needs to be fired.
+    def activate_plugin_if_gem_based
+      return unless source_reader.is_a?(SourceReaders::GemReader)
+
+      reg = Inspec::Plugin::V2::Registry.instance
+      reg.find_activator(plugin_name: name.to_sym).activate!
+    end
+
     def load_libraries
       return @runner_context if @libraries_loaded
 

data/lib/inspec/profile_context.rb

@@ -121,6 +121,7 @@ module Inspec
       @control_subcontexts << context
     end
 
+    # Expects arrays of arrays of [[content, path, line]]
     def load_libraries(libs)
       lib_prefix = "libraries" + File::SEPARATOR
       autoloads = []
@@ -130,11 +131,20 @@ module Inspec
         next unless source.end_with?(".rb")
 
         path = source
+        # Create a list of files (presumably resources) to autoload by stripping the prefixes
+        # InSpec < 6: libraries/*.rb
+        # In InSpec 7, libraries can be installed under (for example)
+        # lib/inspec-test-resources/resources/demo_resource.rb
+
         if source.start_with?(lib_prefix)
           path = source.sub(lib_prefix, "")
           no_subdir = File.dirname(path) == "."
 
           autoloads.push(path) if no_subdir
+        elsif source.match(%r{^lib/.+/resources/.*\.rb})
+          # Gem Resource Pack
+          path = source.sub(%r{^lib/}, "")
+          autoloads.push(path)
         end
 
         @require_loader.add(path, content, source, line)

data/lib/inspec/resources/groups.rb

@@ -200,8 +200,60 @@ module Inspec::Resources
   # implements generic unix groups via /etc/group
   class UnixGroup < GroupInfo
     def groups
+      get_group_info
+    end
+
+    private
+
+    def get_group_info
+      # First, try to fetch group info using getent
+      group_info = fetch_group_info_using_getent
+
+      return group_info unless group_info.empty?
+
+      # If getent fails, fallback to reading group info from /etc/group using inspec.etc_group.entries
+      Inspec::Log.debug("Falling back to reading group info from /etc/group as getent is unavailable or failed.")
       inspec.etc_group.entries
     end
+
+    # Fetches group information using the getent utility
+    def fetch_group_info_using_getent
+      # Find getent utility on the system
+      bin = find_getent_utility
+
+      # If getent is available, fetch group info
+      return [] unless bin
+
+      cmd = inspec.command("#{bin} group")
+      return parse_group_info(cmd) if cmd.exit_status.to_i == 0
+
+      # If getent fails, log the error and return an empty array
+      Inspec::Log.debug("Failed to execute #{bin} group: #{cmd.stderr}.")
+      []
+    end
+
+    # Parses group info from the command output
+    def parse_group_info(cmd)
+      cmd.stdout.strip.split("\n").map do |line|
+        name, password, gid, members = line.split(":")
+        {
+          "name" => name,
+          "password" => password,
+          "gid" => gid.to_i,
+          "members" => members,
+        }
+      end
+    end
+
+    # Checks if getent exists on the system
+    def find_getent_utility
+      %w{/usr/bin/getent /bin/getent getent}.each do |cmd|
+        return cmd if inspec.command(cmd).exist?
+      end
+      # Log debug information if getent is not found
+      Inspec::Log.debug("Could not find `getent` on your system.")
+      nil # Return nil if getent is not found
+    end
   end
 
   # OSX uses opendirectory for groups, so `/etc/group` may not be fully accurate

data/lib/inspec/resources/postgres_session.rb

@@ -55,7 +55,7 @@ module Inspec::Resources
       psql_cmd = create_psql_cmd(query, db)
       cmd = inspec.command(psql_cmd, redact_regex: %r{(:\/\/[a-z]*:).*(@)})
       out = cmd.stdout + "\n" + cmd.stderr
-      if cmd.exit_status != 0 && ( out =~ /could not connect to/ || out =~ /password authentication failed/ ) && (out.downcase =~ /error:/ || out.downcase =~ /fatal:/)
+      if cmd.exit_status != 0 && ( out =~ /could not connect to/ || out =~ /password authentication failed/ ) && out.downcase =~ /error:/
         raise Inspec::Exceptions::ResourceFailed, "PostgreSQL connection error: #{out}"
       elsif cmd.exit_status != 0 && out.downcase =~ /error:/
         Lines.new(out, "PostgreSQL query with error: #{query}", cmd.exit_status)

data/lib/inspec/resources.rb

@@ -30,12 +30,6 @@ require "inspec/resources/cron"
 require "inspec/resources/timezone"
 require "inspec/resources/dh_params"
 require "inspec/resources/directory"
-require "inspec/resources/docker"
-require "inspec/resources/docker_container"
-require "inspec/resources/docker_image"
-require "inspec/resources/docker_plugin"
-require "inspec/resources/docker_service"
-require "inspec/resources/elasticsearch"
 require "inspec/resources/etc_fstab"
 require "inspec/resources/etc_group"
 require "inspec/resources/etc_hosts_allow_deny"
@@ -48,8 +42,6 @@ require "inspec/resources/groups"
 require "inspec/resources/grub_conf"
 require "inspec/resources/host"
 require "inspec/resources/http"
-require "inspec/resources/ibmdb2_conf"
-require "inspec/resources/ibmdb2_session"
 require "inspec/resources/iis_app"
 require "inspec/resources/iis_app_pool"
 require "inspec/resources/iis_site"
@@ -64,9 +56,6 @@ require "inspec/resources/key_rsa"
 require "inspec/resources/ksh"
 require "inspec/resources/limits_conf"
 require "inspec/resources/login_defs"
-require "inspec/resources/mongodb"
-require "inspec/resources/mongodb_conf"
-require "inspec/resources/mongodb_session"
 require "inspec/resources/mount"
 require "inspec/resources/mssql_session"
 require "inspec/resources/mssql_sys_conf"
@@ -102,15 +91,12 @@ require "inspec/resources/postgres_ident_conf"
 require "inspec/resources/postgres_session"
 require "inspec/resources/powershell"
 require "inspec/resources/processes"
-require "inspec/resources/rabbitmq_config"
 require "inspec/resources/registry_key"
 require "inspec/resources/security_identifier"
 require "inspec/resources/security_policy"
 require "inspec/resources/selinux"
 require "inspec/resources/service"
 require "inspec/resources/shadow"
-require "inspec/resources/ssh_config"
-require "inspec/resources/ssh_key"
 require "inspec/resources/ssl"
 require "inspec/resources/sys_info"
 require "inspec/resources/toml"

data/lib/inspec/runner.rb

@@ -115,7 +115,8 @@ module Inspec
         next unless profile.supports_platform?
 
         write_lockfile(profile) if @create_lockfile
-        profile.locked_dependencies
+        # TODO: InSpec 8: Replace with Profile OnLoad event handling
+        profile.locked_dependencies # Only need to do this once, this recurses down
         profile.load_gem_dependencies
         profile_context = profile.load_libraries
 
@@ -125,6 +126,9 @@ module Inspec
              " on unsupported platform: '#{@backend.platform.name}/#{@backend.platform.release}'."
             next
           end
+          # TODO: InSpec 8: Replace with Profile OnLoad event handling
+          requirement.profile.load_gem_dependencies
+          requirement.profile.load_libraries
           @test_collector.add_profile(requirement.profile)
         end
 
@@ -168,16 +172,7 @@ module Inspec
     end
 
     def run(with = nil)
-      product_dist_name = Inspec::Dist::PRODUCT_NAME
-      if Inspec::Dist::EXEC_NAME == "inspec"
-        if Inspec::Telemetry::RunContextProbe.guess_run_context == "test-kitchen"
-          product_dist_name = "Chef Workstation"
-          configure_licensing_config_for_kitchen(@conf)
-          # Persist the license key in file when passed via test-kitchen
-          ChefLicensing.fetch_and_persist if @conf[:chef_license_key]
-        end
-        ChefLicensing.check_software_entitlement!
-      end
+      ChefLicensing.check_software_entitlement! if Inspec::Dist::EXEC_NAME == "inspec"
 
       # Validate if profiles are signed and verified
       # Additional check is required to provide error message in case of inspec exec command (exec command can use multiple profiles as well)
@@ -192,11 +187,8 @@ module Inspec
       Inspec::Telemetry.run_starting(runner: self, conf: @conf)
       load
       run_tests(with)
-    rescue ChefLicensing::LicenseKeyFetcher::LicenseKeyNotFetchedError
-      Inspec::Log.error "#{product_dist_name} cannot execute without valid licenses."
-      Inspec::UI.new.exit(:license_not_set)
     rescue ChefLicensing::SoftwareNotEntitled
-      Inspec::Log.error "License is not entitled to use #{product_dist_name}."
+      Inspec::Log.error "License is not entitled to use InSpec."
       Inspec::UI.new.exit(:license_not_entitled)
     rescue ChefLicensing::Error => e
       Inspec::Log.error e.message

data/lib/inspec/source_reader.rb

@@ -24,3 +24,5 @@ end
 
 require "source_readers/inspec"
 require "source_readers/flat"
+require "source_readers/gem"
+

data/lib/inspec/ui.rb

@@ -39,6 +39,7 @@ module Inspec
     EXIT_FAILED_TESTS = 100
     EXIT_SKIPPED_TESTS = 101
     EXIT_TERMINATED_BY_CTL_C = 130
+    EXIT_GEM_DEPENDENCY_NOT_FOUND = 201
 
     attr_reader :io
 

data/lib/inspec/utils/deprecation/config_file.rb

@@ -7,6 +7,7 @@ module Inspec
   module Deprecation
     class ConfigFile
       GroupEntry = Struct.new(:name, :action, :prefix, :suffix, :exit_status)
+      FallbackEntry = Struct.new(:resource_name_regex, :gem_name, :message)
 
       # What actions may you specify to be taken when a deprecation is encountered?
       VALID_ACTIONS = [
@@ -20,7 +21,7 @@ module Inspec
       # and pass validation.
       VALID_GROUP_FIELDS = %w{action suffix prefix exit_status comment}.freeze
 
-      attr_reader :groups, :unknown_group_action
+      attr_reader :fallback_resource_packs, :groups, :unknown_group_action
 
       def initialize(io = nil)
         io ||= open_default_config_io
@@ -31,6 +32,7 @@ module Inspec
         end
 
         @groups = {}
+        @fallback_resource_packs = []
         @unknown_group_action = :warn
         validate!
         silence_deprecations_from_cli
@@ -83,14 +85,25 @@ module Inspec
         @raw_data["groups"].each do |group_name, group_info|
           validate_group_entry(group_name, group_info)
         end
+
+        unless @raw_data.key?("fallback_resource_packs")
+          raise Inspec::Deprecation::InvalidConfigFileError, "Missing fallback_resource_packs field"
+        end
+        unless @raw_data["fallback_resource_packs"].is_a?(Hash)
+          raise Inspec::Deprecation::InvalidConfigFileError, "fallback_resource_packs field must be a Hash"
+        end
+
+        @raw_data["fallback_resource_packs"].each do |fallback_pat, fallback_info|
+          validate_fallback(fallback_pat, fallback_info)
+        end
       end
 
       def validate_file_version
         unless @raw_data.key?("file_version")
           raise Inspec::Deprecation::InvalidConfigFileError, "Missing file_version field"
         end
-        unless @raw_data["file_version"] == "1.0.0"
-          raise Inspec::Deprecation::InvalidConfigFileError, "Unrecognized file_version '#{@raw_data["file_version"]}' - supported versions: 1.0.0"
+        unless @raw_data["file_version"] == "2.0.0"
+          raise Inspec::Deprecation::InvalidConfigFileError, "Unrecognized file_version '#{@raw_data["file_version"]}' - supported versions: 2.0.0"
         end
       end
 
@@ -125,6 +138,29 @@ module Inspec
 
         groups[name.to_sym] = entry
       end
+
+      def validate_fallback(pattern, raw_info)
+        fallback = FallbackEntry.new
+        begin
+          fallback.resource_name_regex = Regexp.new(pattern)
+        rescue RegexpError
+          raise Inspec::Deprecation::InvalidConfigFileError, "Invalid regular expression in resource pack fallback definition '#{pattern}'"
+        end
+
+        unless raw_info["gem"]
+          raise Inspec::Deprecation::InvalidConfigFileError, "fallback_resource_packs missing gem name for pattern '#{pattern}'"
+        end
+
+        fallback.gem_name = raw_info["gem"]
+
+        unless raw_info["message"]
+          raise Inspec::Deprecation::InvalidConfigFileError, "fallback_resource_packs missing message for pattern '#{pattern}'"
+        end
+
+        fallback.message = raw_info["message"]
+
+        fallback_resource_packs.push fallback
+      end
     end
   end
 end

data/lib/inspec/utils/deprecation/deprecator.rb

@@ -4,11 +4,12 @@ require "inspec/log"
 module Inspec
   module Deprecation
     class Deprecator
-      attr_reader :config, :groups
+      attr_reader :config, :fallback_resource_packs, :groups
 
       def initialize(opts = {})
         @config = Inspec::Deprecation::ConfigFile.new(opts[:config_io])
         @groups = @config.groups
+        @fallback_resource_packs = @config.fallback_resource_packs
       end
 
       def handle_deprecation(group_name, message, opts = {})
@@ -21,6 +22,13 @@ module Inspec
         send(action_method, group_name.to_sym, assembled_message, group)
       end
 
+      # Given a resource name, suggest a gem nam to load and or install
+      def match_gem_for_fallback_resource_name(resource_name)
+        fallback = fallback_resource_packs.find { |fb| fb.resource_name_regex.match(resource_name) }
+        # We have a message here but can't pass it back?
+        fallback&.gem_name
+      end
+
       private
 
       def create_group_entry_for_unknown_group(group_name)

data/lib/inspec/utils/licensing_config.rb

@@ -7,17 +7,3 @@ ChefLicensing.configure do |config|
   config.license_server_url = "https://services.chef.io/licensing"
   config.logger = Inspec::Log
 end
-
-def configure_licensing_config_for_kitchen(opts = {})
-  ChefLicensing.configure do |config|
-    # Reset entitlement ID to the ID of Chef Workstation
-    config.chef_entitlement_id = "x6f3bc76-a94f-4b6c-bc97-4b7ed2b045c0"
-    # Reset Chef License server via kitchen when passed in kitchen.yml
-    opts["chef_license_server"] = opts["chef_license_server"].join(",") if opts["chef_license_server"].is_a? Array
-    unless opts["chef_license_server"].nil? || opts["chef_license_server"].empty?
-      ENV["CHEF_LICENSE_SERVER"] = opts["chef_license_server"]
-    end
-  end
-  # Reset Chef License key via kitchen when passed in kitchen.yml
-  ENV["CHEF_LICENSE_KEY"] = opts["chef_license_key"] if opts["chef_license_key"]
-end

data/lib/inspec/utils/telemetry.rb

@@ -18,12 +18,10 @@ module Inspec
       # Don't perform telemetry action for other InSpec distros
       # Don't perform telemetry action if running under Automate - Automate does LDC tracking for us
       # Don't perform telemetry action if license is a commercial license
-      # Don't perform telemetry action if running under Test Kitchen
 
       if Inspec::Dist::EXEC_NAME != "inspec" ||
           Inspec::Telemetry::RunContextProbe.under_automate? ||
-          license&.license_type&.downcase == "commercial" ||
-          Inspec::Telemetry::RunContextProbe.guess_run_context == "test-kitchen"
+          license&.license_type&.downcase == "commercial"
 
         Inspec::Log.debug "Determined telemetry operation is not applicable and hence aborting it."
         return Inspec::Telemetry::Null

data/lib/inspec/version.rb

@@ -1,3 +1,3 @@
 module Inspec
-  VERSION = "6.8.11".freeze
+  VERSION = "7.0.38.beta".freeze
 end

data/lib/plugins/inspec-compliance/README.md

@@ -14,8 +14,18 @@ To use the CLI, this InSpec add-on adds the following commands:
  * `$ inspec automate profiles` - list all available Compliance profiles
  * `$ inspec exec compliance://profile` - runs a Compliance profile
  * `$ inspec automate upload path/to/local/profile` - uploads a local profile to Chef Automate/Chef Compliance
+ * `$ inspec automate upload path/to/local/profile --legacy` - uploads a local profile to Chef Automate/Chef Compliance using legacy functionalities of inspec check and inspec export
+
+    *Options*:
+    ```
+      [--overwrite], [--no-overwrite]  # Overwrite existing profile on Server.
+      [--owner=OWNER]                  # Owner that should own the profile
+      [--legacy], [--no-legacy]        # Enable legacy functionality, activating both legacy export and legacy check.
+
+    uploads a local profile to Chef Automate
+    ```
  * `$ inspec automate logout` - logout of Chef Automate/Chef Compliance
- 
+
  Similar to these CLI commands are:
 
  * `$ inspec compliance login` - authentication of the API token against Chef Automate/Chef Compliance

data/lib/plugins/inspec-compliance/lib/inspec-compliance/cli.rb

@@ -136,6 +136,8 @@ module InspecPlugins
         desc: "Overwrite existing profile on Server."
       option :owner, type: :string, required: false,
         desc: "Owner that should own the profile"
+      option :legacy, type: :boolean, default: false,
+        desc: "Enable legacy functionality, activating both legacy export and legacy check."
       def upload(path) # rubocop:disable Metrics/MethodLength, Metrics/AbcSize, Metrics/PerceivedComplexity, Metrics/CyclomaticComplexity
         Inspec.with_feature("inspec-cli-compliance-upload") {
           config = InspecPlugins::Compliance::Configuration.new
@@ -169,7 +171,7 @@ module InspecPlugins
             puts msg
           }
 
-          result = profile.check
+          result = options["legacy"] ? profile.legacy_check : profile.check
           unless result[:summary][:valid]
             error.call("Profile check failed. Please fix the profile before upload.")
           else
@@ -205,7 +207,7 @@ module InspecPlugins
             generated = true
             archive_path = Dir::Tmpname.create([profile_name, ".tar.gz"]) {}
             puts "Generate temporary profile archive at #{archive_path}"
-            profile.archive({ output: archive_path, ignore_errors: false, overwrite: true })
+            profile.archive({ output: archive_path, ignore_errors: false, overwrite: true, legacy_export: options["legacy"] })
           else
             archive_path = path
           end

data/lib/source_readers/gem.rb

@@ -0,0 +1,67 @@
+require "inspec/fetcher"
+require "inspec/metadata"
+
+module SourceReaders
+  class GemReader < Inspec.source_reader(1)
+    name "gem"
+    priority 20
+
+    def self.resolve(target)
+      return new(target) unless target.files.grep(/gemspec/).empty?
+
+      nil
+    end
+
+    attr_reader :metadata, :metadata_src, :tests, :libraries, :data_files, :target, :readme
+
+    # This creates a new instance of an InSpec Gem-packaged profile source reader
+    # As of July 2024 only resource packs, not controls, may be packaged as gems
+    #
+    # @param [FileProvider] target An instance of a FileProvider object that can list files and read them
+    def initialize(target)
+      @target     = target
+      @metadata   = load_metadata(target.files.grep("inspec.yml").first)
+      @tests      = {} # TODO - one day support controls?
+      @libraries  = load_libs
+      @data_files = {}
+      @readme     = load_readme
+    end
+
+    private
+
+    def load_metadata(metadata_source)
+      @metadata_src = @target.read(metadata_source)
+      Inspec::Metadata.from_ref(
+        metadata_source,
+        @metadata_src,
+        nil
+      )
+    rescue Psych::SyntaxError => e
+      raise "Unable to parse inspec.yml: line #{e.line}, #{e.problem} #{e.context}"
+    rescue => e
+      raise "Unable to parse #{metadata_source}: #{e.class} -- #{e.message}"
+    end
+
+    def find_all(regexp)
+      @target.files.grep(regexp)
+    end
+
+    def load_all(regexp)
+      find_all(regexp)
+        .map { |path| file = @target.read(path); [path, file] if file }
+        .compact
+        .to_h
+    end
+
+    def load_libs
+      # Legacy resource packs (inspec-gcp, inspec-aws, etc) have resources in old locations
+      load_all(%r{^libraries/.*\.rb$})
+      # New resource packs have them here
+      load_all(%r{^lib/.*/resources/.*\.rb$})
+    end
+
+    def load_readme
+      load_all(/README.md/)
+    end
+  end
+end

data/lib/source_readers/inspec.rb

@@ -66,7 +66,7 @@ module SourceReaders
     end
 
     def load_readme
-      load_all(/README(\.md)?$/)
+      load_all(/README.md/)
     end
   end
 end