inspec-core 6.8.24 → 7.0.38.beta

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: '06894dd5c2b09dac3432041d74b257a5b25dd00c9c0a2d623e7343e6a651e1b6'
-  data.tar.gz: 20592025afc13ecdcae95fcde514b8bc4b5855358e93dcef24365d15aa773eb1
+  metadata.gz: 9f295e7d99ec735932c005e949cf99cbb1184780d52eae109cec87faf27501c8
+  data.tar.gz: b9fe70883d7593b0d6c7ce51067c7fb2b26154a88981d4ff6458f1f3306518b1
 SHA512:
-  metadata.gz: 2d0a1749cfa6f3d1f517f31e5bc722f85ad5ecf8dd4d155df88afcc41c76c93ba21bba3749b534fd1515a724af17bedc706755606a4a3c109a655ef891bc0e0d
-  data.tar.gz: 2f0b14a4f79fad859d931a8d0427d88306beb44b7b4f8698910a053d383ebc05a28b9b440c7164cfd5f712d56ba08aeb35afa51b21ef1c5f157b4fb525dd2d3c
+  metadata.gz: 0f35167f971fcdd9d71a43bf7d6e4baf97ae9f0ac9b16b8ebe33103b15e4fee3892d34f8f2a9c0ef1a499e1860d3a8c2e4080acc20cf5415929c013bc97b0972
+  data.tar.gz: cf3bfdfa97c737abcd3f054a6eb4899de5831e2ebebc8a4e9907865835560ff979acb2a86ccce37059dfb0075fc2d628fbdeb3045357a02ad01a9ea22842e462

data/Gemfile

@@ -29,12 +29,12 @@ gem "ffi", ">= 1.15.5", "< 1.17.0"
 # but our runtime dep is still 3.9+
 gem "rspec", ">= 3.10"
 
-group :omnibus do
-  gem "rb-readline"
-  gem "appbundler"
-  gem "ed25519" # ed25519 ssh key support done here as its a native gem we can't put in the gemspec
-  gem "bcrypt_pbkdf" # ed25519 ssh key support done here as its a native gem we can't put in the gemspec
-end
+# group :omnibus do
+#   gem "rb-readline"
+#   gem "appbundler"
+#   gem "ed25519" # ed25519 ssh key support done here as its a native gem we can't put in the gemspec
+#   gem "bcrypt_pbkdf" # ed25519 ssh key support done here as its a native gem we can't put in the gemspec
+# end
 
 group :test do
   gem "chefstyle"

data/etc/deprecations.json

@@ -1,5 +1,5 @@
 {
-  "file_version": "1.0.0",
+  "file_version": "2.0.0",
   "unknown_group_action": "ignore",
   "groups": {
     "attrs_value_replaces_default": {
@@ -73,11 +73,6 @@
       "action": "exit",
       "suffix": "This resource was removed in InSpec 4.0."
     },
-    "core_resource_moved_to_rp": {
-      "action": "warn",
-      "suffix": "This resource will be moved to a separate resource pack. Additional details will be provided with the InSpec 7 release.",
-      "comment": "Deprecation notice for core resource which are getting moved to resource packs."
-    },
     "resource_iis_website": {
       "action": "exit",
       "suffix": "This resource was removed in InSpec 4.0.",
@@ -131,5 +126,19 @@
       "action": "ignore",
       "prefix": "The `inspec json` command is deprecated in InSpec 5 and replaced with `inspec export` command."
     }
+  },
+  "fallback_resource_packs":{
+    "internal_fallback_test.+":{
+      "gem":"inspec-test-resources",
+      "message":"The internal_fallback_test resource is a test resource used to exercise InSpec's ability to fallback on gem resource packs."
+    },
+    "elasticsearch.*": {
+      "gem":"inspec-elasticsearch-resources",
+      "message":"The `inspec-elasticsearch-resources` allows testing of elasticsearch using Inspec."
+    },
+    "docker.+":{
+      "gem": "inspec-docker-resources",
+      "message": "The Inspec docker resources are moved out of InSpec core and will be installed as gem"
+    }
   }
 }

data/lib/inspec/base_cli.rb

@@ -389,6 +389,9 @@ module Inspec
       when Inspec::InvalidProfileSignature
         $stderr.puts exception.message
         Inspec::UI.new.exit(:bad_signature)
+      when Inspec::Exceptions::GemDependencyNotFound
+        $stderr.puts exception.message
+        Inspec::UI.new.exit(:gem_dependency_not_found)
       when Inspec::Error
         $stderr.puts exception.message
         exit(1)

data/lib/inspec/cached_fetcher.rb

@@ -52,7 +52,19 @@ module Inspec
         fetch
       elsif cache.exists?(cache_key) && !cache.locked?(cache_key)
         Inspec::Log.debug "Using cached dependency for #{target}"
-        [cache.prefered_entry_for(cache_key), false]
+        cache_value = cache.prefered_entry_for(cache_key)
+        if cache_value
+          [cache_value, false]
+        else
+          Inspec::Log.debug "Dependency does not exist in the cache for target #{target}"
+          cache_key_name = cache_key
+          if cache_key_name.start_with?("gem:")
+            # When cache for gem - meaning gemspec exists but gem does not exists then clearing up gemspec is required
+            # This logic enables the gem fetcher logic to work step by step again
+            Inspec::Log.debug "Clearing cached gemspec to fix dependency issue and enable fresh download."
+            FileUtils.rm_rf(cache.gemspec_path_for(cache_key))
+          end
+        end
       else
         begin
           Inspec::Log.debug "Dependency does not exist in the cache #{target}"
@@ -61,6 +73,7 @@ module Inspec
         rescue SystemExit => e
           exit_code = e.status || 1
           Inspec::Log.error "Error while creating cache for dependency ... #{e.message}"
+          # TODO: in the case of gem profile/resource pack dependency installs gone awry, this is the wrong thing to do!
           FileUtils.rm_rf(cache.base_path_for(fetcher.cache_key))
           exit(exit_code)
         ensure
@@ -72,6 +85,8 @@ module Inspec
     end
 
     def assert_cache_sanity!
+      # TODO: update this to handle gem resource pack dependencies
+      # which are known by a special prefix on their cache key or by having the :gem key
       return unless target.respond_to?(:key?) && target.key?(:sha256)
 
       exception_message = <<~EOF

data/lib/inspec/dependencies/cache.rb

@@ -45,6 +45,12 @@ module Inspec
     # For a given name and source_url, return true if the
     # profile exists in the Cache.
     #
+    # InSpec 7+ Special Magic for Gem-Based Resource Pack Profiles:
+    #   These "profiles" are installed as gems, and so are "cached"
+    #   by being installed as gems.
+    #     The magic is triggered by a special prefix of
+    #   the cache_key: gem: or gem_path:
+    #
     # @param [String] name
     # @param [String] source_url
     # @return [Boolean]
@@ -52,8 +58,21 @@ module Inspec
     def exists?(key)
       return false if key.nil? || key.empty?
 
-      path = base_path_for(key)
-      File.directory?(path) || File.exist?("#{path}.tar.gz") || File.exist?("#{path}.zip")
+      if key.start_with?("gem:")
+        # A gem installation
+        (_, gem_name, version) = key.split(":")
+        loader = Inspec::Plugin::V2::Loader.new
+        !loader.find_gem_directory(gem_name, version).nil?
+
+      elsif key.start_with?("gem_path:")
+        # Gem installed as explicit path reference, as in testing / development
+        entry_point_path = key.sub(/^gem_path:/, "")
+        File.exist?(entry_point_path)
+      else
+        # Standard cache entry
+        path = base_path_for(key)
+        File.directory?(path) || File.exist?("#{path}.tar.gz") || File.exist?("#{path}.zip")
+      end
     end
 
     #
@@ -67,8 +86,33 @@ module Inspec
     # @param [String] source_url
     # @return [String]
     #
-    def base_path_for(cache_key)
-      File.join(@path, cache_key)
+    def base_path_for(key)
+      if key.start_with?("gem:")
+        # A gem installation
+        (_, gem_name, version) = key.split(":")
+        loader = Inspec::Plugin::V2::Loader.new
+        loader.find_gem_directory(gem_name, version)
+
+      elsif key.start_with?("gem_path:")
+        # Gem installed as explicit path reference, as in testing / development
+        entry_point_path = key.sub(/^gem_path:/, "")
+        # We were given an explicit path like
+        # inspec-test-resources/lib/inspec-test-resources.rb
+        # go two directories up
+        parts = Pathname(entry_point_path).each_filename.to_a
+        File.join(parts.slice(0, parts.length - 2))
+      else
+        # Standard cache entry
+        File.join(@path, key)
+      end
+    end
+
+    def gemspec_path_for(key)
+      if key.start_with?("gem:")
+        (_, gem_name, version) = key.split(":")
+        loader = Inspec::Plugin::V2::Loader.new
+        loader.find_gemspec_directory(gem_name, version)
+      end
     end
 
     #

data/lib/inspec/dsl.rb

@@ -2,7 +2,6 @@
 require "inspec/log"
 require "inspec/plugin/v2"
 require "inspec/utils/deprecated_cloud_resources_list"
-require "inspec/utils/deprecated_core_resources_list"
 
 module Inspec::DSL
   attr_accessor :backend
@@ -39,20 +38,50 @@ module Inspec::DSL
     return unless backend
 
     begin
-      include DeprecatedCoreResourcesList
-      if CORE_RESOURCES_DEPRECATED.include? id
-        Inspec.deprecate(:core_resource_moved_to_rp, "The resource '#{id}' will not be part of the InSpec 7 core.")
-      end
       require "inspec/resources/#{id}"
     rescue LoadError => e
-      include DeprecatedCloudResourcesList
-      cloud_resource = id.start_with?("aws_") ? "aws" : "azure"
 
-      # Deprecated AWS and Azure resources in InSpec 5.
-      if CLOUD_RESOURCES_DEPRECATED.include? id
-        Inspec.deprecate(:"#{cloud_resource}_resources_in_resource_pack", "Resource '#{id}'")
+      # InSpec 7+ Fallback Support for Resource Packs
+      # Use Deprecator to lookup the matching gem
+      # if a gem matches, try to load the resource from the gem
+      gem_name = Inspec::Deprecation::Deprecator.new.match_gem_for_fallback_resource_name(id.to_s)
+      if gem_name
+        # Install if needed
+        cfg = Inspec::Config.cached
+        unless cfg.final_options[:auto_install_gems]
+          raise Inspec::Plugin::V2::InstallRequiredError, "resource pack gem '#{gem_name}' is required for resource '#{id}' support (consider --auto-install-gems)"
+        end
+
+        Inspec::Plugin::V2::Installer.instance.ensure_installed gem_name
+
+        # Load the gem, add  gemspecs to the path, load any deps, load resource libraries into registry
+        # This is plugin API orthodoxy but is impossible to program
+        # Inspec::Plugin::V2::Registry.instance.find_activator(gem_name).activate
+        loader = Inspec::Plugin::V2::Loader.new
+
+        # 1. Activate gem and deps.
+        loader.activate_managed_gems_for_plugin(gem_name)
+
+        # 2. Load all libraries from the gem path
+        gem_path = loader.find_gem_directory(gem_name)
+        resources_path = File.join(gem_path, "lib", gem_name, "resources", "*.rb")
+        legacy_library_path = File.join(gem_path, "libraries", "*.rb")
+        Dir.glob([resources_path, legacy_library_path]).each do |resource_lib|
+          require resource_lib
+        end
+        # Resources now available in Inspec::Resource.registry
       else
-        raise LoadError, "#{e.message}"
+        # TODO: InSpec 7: Replace with Fallbacks for inspec-aws-resources and inspec-azure-resources
+        include DeprecatedCloudResourcesList
+        cloud_resource = id.start_with?("aws_") ? "aws" : "azure"
+
+        # Deprecated AWS and Azure resources in InSpec 5.
+        if CLOUD_RESOURCES_DEPRECATED.include? id
+          Inspec.deprecate(:"#{cloud_resource}_resources_in_resource_pack", "Resource '#{id}'")
+        else
+          # OK, give up entirely
+          raise LoadError, "#{e.message}"
+        end
       end
     end
 

data/lib/inspec/exceptions.rb

@@ -7,6 +7,7 @@ module Inspec
     class ProfileLoadFailed < StandardError; end
     class ResourceFailed < StandardError; end
     class ResourceSkipped < StandardError; end
+    class GemDependencyNotFound < StandardError; end
     class SecretsBackendNotFound < ArgumentError; end
     class ProfileValidationKeyNotFound < ArgumentError; end
     class ProfileSigningKeyNotFound < ArgumentError; end

data/lib/inspec/fetcher/gem.rb

@@ -0,0 +1,99 @@
+require "inspec/plugin/v2/installer"
+
+module Inspec::Fetcher
+  class Gem < Inspec.fetcher(1)
+    name "gem"
+    priority 0.5 # TODO: verify value
+    # Priority is used for setting precedence of fetchers. And registry plugin(v1) decides which fetcher to use for loading profiles by using this priority
+    # Gem fetcher's priority should be lowest because gem profiles are only executables via inspec metadata
+
+    def self.resolve(target)
+      if target.is_a?(Hash) && target.key?(:gem)
+        resolve_from_hash(target)
+      end
+    end
+
+    def self.resolve_from_hash(target)
+      return unless target.key?(:gem)
+
+      new(target)
+    end
+
+    def initialize(target, opts = {})
+      @target = target
+      @gem_name = target[:gem]
+      @version = target[:version] # optional
+      @source = target[:source] # optional
+      @gem_path = target[:path] # optional, sets local path installation mode
+      @backend = opts[:backend]
+      @archive_shasum = nil
+    end
+
+    def fetch(path)
+      plugin_installer = Inspec::Plugin::V2::Installer.instance
+
+      # Determine if gem is installed
+      have_plugin = false
+      Inspec::Log.debug("GemFetcher fetching #{@gem_name} v" + (@version || "ANY"))
+
+      if @version
+        have_plugin = plugin_installer.plugin_version_installed?(@gem_name, @version)
+      else
+        have_plugin = plugin_installer.plugin_installed?(@gem_name)
+      end
+
+      unless have_plugin
+        # Install
+        # TODO - error handling?
+        Inspec::Log.debug("GemFetcher - install request for #{@gem_name}")
+        if @gem_path
+          # No version permitted
+          plugin_installer.install(@gem_name, path: @gem_path)
+        else
+          # Passing an extra gem argument to enable detecting gem based plugins
+          plugin_installer.install(@gem_name, version: @version, source: @source, gem: @gem_name )
+        end
+      end
+
+      # Should the plugin activate? No, it should only be "fetched" (installed)
+      # Activation would load resource libararies and would effectively execute the profile
+
+      @target
+    end
+
+    def archive_path
+      @target
+    end
+
+    def writable?
+      # Gem based profile is not writable because it is not cached in lockfile
+      false
+    end
+
+    def cache_key
+      # This special value is interpreted by Inspec::Cache.exists?
+      # gem:gemname:version
+      # gem_path:/filesystem/path/entrypoint.rb
+
+      if @gem_path
+        "gem_path:#{@gem_path}"
+      else
+        "gem:#{@gem_name}:#{@version}"
+      end
+    end
+
+    # The intent here is to provide a signature that would change with the content of the profile.
+    # In the case of gems, for released gems,  "name-version" should suffice.
+    # For development gems specified by path, the're ever-changing anyway, so just give the path.
+    # In eith case, that string is in fact just the cache key.
+    def sha256
+      cache_key
+    end
+
+    def resolved_source
+      h = { gem: @gem_name, version: @version, gem_path: @gem_path }
+      h[:sha256] = sha256
+      h
+    end
+  end
+end

data/lib/inspec/fetcher/local.rb

@@ -10,7 +10,7 @@ module Inspec::Fetcher
       if target.is_a?(String)
         local_path = resolve_from_string(target)
         new(local_path) if local_path
-      elsif target.is_a?(Hash)
+      elsif target.is_a?(Hash) && !target.key?(:gem)
         local_path = resolve_from_hash(target)
         new(local_path, target) if local_path
       end

data/lib/inspec/fetcher.rb

@@ -43,4 +43,5 @@ end
 require "inspec/fetcher/local"
 require "inspec/fetcher/url"
 require "inspec/fetcher/git"
+require "inspec/fetcher/gem"
 require "plugins/inspec-compliance/lib/inspec-compliance/api"

data/lib/inspec/file_provider.rb

@@ -7,8 +7,12 @@ require "inspec/iaf_file"
 module Inspec
   class FileProvider
     def self.for_path(path)
-      if path.is_a?(Hash)
+      raise "Profile or dependency path not resolved." if path.nil?
+
+      if path.is_a?(Hash) && !path.key?(:gem)
         MockProvider.new(path)
+      elsif path.is_a?(Hash) && path.key?(:gem)
+        GemProvider.new(path)
       elsif File.directory?(path)
         DirProvider.new(path)
       elsif File.exist?(path) && path.end_with?(".tar.gz", "tgz")
@@ -99,6 +103,47 @@ module Inspec
     end
   end # class DirProvider
 
+  class GemProvider < FileProvider
+    attr_reader :files
+    def initialize(gem_info)
+      # Determine a path to the gem installation directory
+      gem_name = gem_info[:gem]
+      bootstrap_file = gem_info[:path]
+      gem_version = gem_info[:version]
+      if bootstrap_file
+        # We were given an explicit path - go two directories up
+        parts = Pathname(gem_info[:path]).each_filename.to_a
+        @gem_lib_root = File.join(parts.slice(0, parts.length - 2))
+        @files = Dir[File.join(Shellwords.shellescape(@gem_lib_root), "**", "*")]
+      else
+        # Look up where the gem is installed, respecting version
+        loader = Inspec::Plugin::V2::Loader.new
+        gem_path = loader.find_gem_directory(gem_name, gem_version)
+        if gem_path && File.exist?(gem_path)
+          gem = DirProvider.new(gem_path)
+          @files = gem.files
+          gem
+        else
+          raise Inspec::Exceptions::GemDependencyNotFound, "Dependency does not exist #{gem_name}"
+        end
+      end
+    end
+
+    def read(file)
+      return nil unless files.include?(file)
+      return nil unless File.file?(file)
+
+      File.read(file)
+    end
+
+    def binread(file)
+      return nil unless files.include?(file)
+      return nil unless File.file?(file)
+
+      File.binread(file)
+    end
+  end # class GemProvider
+
   class ZipProvider < FileProvider
     attr_reader :files
 

data/lib/inspec/input_registry.rb

@@ -173,7 +173,7 @@ module Inspec
             raise ArgumentError, "ERROR: An '=' is required when using --input. Usage: --input input_name1=input_value1 input2=value2"
           end
         end
-        pair = pair.match(/^([^=]+)=(.*)$/)
+        pair = pair.match(/(.*?)=(.*)/)
         input_name, input_value = pair[1], pair[2]
         input_value = parse_cli_input_value(input_name, input_value)
         evt = Inspec::Input::Event.new(

data/lib/inspec/plugin/v2/concerns/gem_spec_helper.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module Inspec
+  module Plugin
+    module V2
+      # holds all GemSpec related helper functions
+      module GemSpecHelper
+
+        def loaded_recent_most_version_of?(gemspec)
+          # Check if the gem is already loaded via bundler
+          # In most cases this is true since all Plugins/Resource Packs inherit from inspec-core
+          gem_name = gemspec.name
+          loaded_gem = Gem.loaded_specs[gem_name]
+          return false unless loaded_gem
+
+          # follow bundler's original philosophy i.e load gems that are recent most
+          # This logic works unless there is a pinned version which we don't expect to have since these are managed by us
+          if gemspec.version > loaded_gem.version
+            # deactivate the lower version specs that are loaded via bundler
+            Gem.loaded_specs.delete(gem_name)
+            false # so it can re-activate the requested spec
+          else
+            # don't activate requested gemspec when the already loaded gem is the most recent version
+            true
+          end
+        end
+      end
+    end
+  end
+end

data/lib/inspec/plugin/v2/gem_source_manager.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+require "singleton" unless defined?(Singleton)
+require "forwardable" unless defined?(Forwardable)
+require "chef-licensing"
+
+module Inspec::Plugin::V2
+  class GemSourceManager
+    include Singleton
+    extend Forwardable
+
+    DEFAULT_CHEF_RUBY_GEMS_SERVER = "rubygems.chef.io"
+    DEFAULT_USERNAME = "v1"
+
+    def initialize
+      @sources = Gem.sources
+    end
+
+    def_delegator :@sources, :sources
+
+    def add_chef_rubygems_server
+      register_source(chef_rubygems_server)
+    end
+
+    def add(sources)
+      Array(sources).each { |source| register_source(source) }
+    end
+
+    private
+
+    def chef_rubygems_server
+      "https://#{DEFAULT_USERNAME}:#{licenses_string}@#{DEFAULT_CHEF_RUBY_GEMS_SERVER}"
+    end
+
+    def register_source(source)
+      gem_source = Gem::Source.new(source)
+      sources << gem_source unless sources.include?(gem_source)
+    end
+
+    def licenses_string
+      ChefLicensing.license_keys.join(",")
+    end
+  end
+end

data/lib/inspec/plugin/v2/installer.rb

@@ -12,6 +12,9 @@ require "rubygems/uninstaller"
 require "rubygems/remote_fetcher"
 
 require "inspec/plugin/v2/filter"
+require "inspec/plugin/v2/concerns/gem_spec_helper"
+
+require "inspec/plugin/v2/gem_source_manager"
 
 module Inspec::Plugin::V2
   # Handles all actions modifying the user's plugin set:
@@ -23,6 +26,7 @@ module Inspec::Plugin::V2
   class Installer
     include Singleton
     extend Forwardable
+    include Inspec::Plugin::V2::GemSpecHelper
 
     Gem.configuration["verbose"] = false
 
@@ -45,6 +49,10 @@ module Inspec::Plugin::V2
       list_installed_plugin_gems.detect { |spec| spec.name == name && spec.version == Gem::Version.new(version) }
     end
 
+    def ensure_installed(name)
+      plugin_installed?(name) || install(name)
+    end
+
     # Installs a plugin. Defaults to assuming the plugin provided is a gem, and will try to install
     # from whatever gemsources `rubygems` thinks it should use.
     # If it's a gem, installs it and its dependencies to the `gem_path`. The gem is not activated.
@@ -213,7 +221,10 @@ module Inspec::Plugin::V2
         if opts.key?(:version) && plugin_version_installed?(plugin_name, opts[:version])
           raise InstallError, "#{plugin_name} version #{opts[:version]} is already installed."
         else
-          raise InstallError, "#{plugin_name} is already installed. Use 'inspec plugin update' to change version."
+          # Do not redirect to plugin update when using gem based plugin
+          unless gem_based_plugin?(opts)
+            raise InstallError, "#{plugin_name} is already installed. Use 'inspec plugin update' to change version."
+          end
         end
       end
 
@@ -296,18 +307,21 @@ module Inspec::Plugin::V2
       install_gem_to_plugins_dir(plugin_dependency, [requested_local_gem_set])
     end
 
-    def install_from_remote_gems(requested_plugin_name, opts)
+    def install_from_remote_gems(requested_plugin_name, opts, source_manager: GemSourceManager.instance)
       plugin_dependency = Gem::Dependency.new(requested_plugin_name, opts[:version] || "> 0")
+      source_manager.add_chef_rubygems_server # ensure CHEF RUBYGEMS server is added to the source
+
+      # This adds custom gem sources to the memoized `Gem.Sources` for this specific run
+      # Note: This will not make any change to the environment Gem source list and
+      # in fact will consider all of the environment Gem sources and custom gem sources to resolve deps
+      source_manager.add(opts[:source])
 
-      # BestSet is rubygems.org API + indexing, APISet is for custom sources
-      sources = if opts[:source]
-                  Gem::Resolver::APISet.new(URI.join(opts[:source] + "/api/v1/dependencies"))
-                else
-                  Gem::Resolver::BestSet.new
-                end
+      # BestSet is rubygems.org API + indexing by default
+      # `Gem.sources` is injected as a dependency implicitly while BestSet is initialized
+      sources = Gem::Resolver::BestSet.new
 
       begin
-        install_gem_to_plugins_dir(plugin_dependency, [sources], opts[:update_mode])
+        install_gem_to_plugins_dir(plugin_dependency, [sources], opts[:update_mode], opts: opts)
       rescue Gem::RemoteFetcher::FetchError => gem_ex
         # TODO: Give a hint if the host was not resolvable or a 404 occured
         ex = Inspec::Plugin::V2::InstallError.new(gem_ex.message)
@@ -318,7 +332,7 @@ module Inspec::Plugin::V2
 
     def install_gem_to_plugins_dir(new_plugin_dependency, # rubocop: disable Metrics/AbcSize
       extra_request_sets = [],
-      update_mode = false)
+      update_mode = false, opts: {})
 
       # Get a list of all the gems available to us.
       gem_to_force_update = update_mode ? new_plugin_dependency.name : nil
@@ -338,21 +352,28 @@ module Inspec::Plugin::V2
 
       # Activate all current plugins before trying to activate the new one
       loader.list_managed_gems.each do |spec|
-        next if spec.name == new_plugin_dependency.name && update_mode
+        # Skip in case of update mode
+        # Skip in case using a gem based plugin
+        next if spec.name == new_plugin_dependency.name && (update_mode || gem_based_plugin?(opts))
 
-        spec.activate
+        # activate the requested gemspec from the Gem::RequestSet
+        spec.activate unless loaded_recent_most_version_of?(spec)
       end
 
       # Make sure we remove any previously loaded gem on update
-      Gem.loaded_specs.delete(new_plugin_dependency.name) if update_mode
+      # Make sure we remove any previously loaded gem when trying to use resource pack gem
+      # Gem based plugin when updated need to deactivate older version of gem
+      Gem.loaded_specs.delete(new_plugin_dependency.name) if update_mode || gem_based_plugin?(opts)
 
       # Test activating the solution. This makes sure we do not try to load two different versions
       # of the same gem on the stack or a malformed dependency.
       begin
         solution.each do |activation_request|
-          unless activation_request.full_spec.activated?
-            activation_request.full_spec.activate
-          end
+          requested_gemspec = activation_request.full_spec
+          next if requested_gemspec.activated?
+
+          # activate the requested gemspec from the Gem::RequestSet
+          requested_gemspec.activate unless loaded_recent_most_version_of?(requested_gemspec)
         end
       rescue Gem::LoadError => gem_ex
         ex = Inspec::Plugin::V2::InstallError.new(gem_ex.message)
@@ -536,5 +557,10 @@ module Inspec::Plugin::V2
 
       conf_file
     end
+
+    def gem_based_plugin?(opts)
+      # Param passed by gem fetcher while installing a new gem plugin dependency.
+      !!opts[:gem]
+    end
   end
 end