inspec-core 7.0.38.beta → 7.0.95

data/lib/inspec/resources/postgres_session.rb

@@ -1,7 +1,7 @@
 # copyright: 2015, Vulcano Security GmbH
 
 require "shellwords" unless defined?(Shellwords)
-
+require "cgi" unless defined?(CGI)
 module Inspec::Resources
   class Lines
     attr_reader :output, :exit_status
@@ -55,7 +55,7 @@ module Inspec::Resources
       psql_cmd = create_psql_cmd(query, db)
       cmd = inspec.command(psql_cmd, redact_regex: %r{(:\/\/[a-z]*:).*(@)})
       out = cmd.stdout + "\n" + cmd.stderr
-      if cmd.exit_status != 0 && ( out =~ /could not connect to/ || out =~ /password authentication failed/ ) && out.downcase =~ /error:/
+      if cmd.exit_status != 0 && ( out =~ /could not connect to/ || out =~ /password authentication failed/ ) && (out.downcase =~ /error:/ || out.downcase =~ /fatal:/)
         raise Inspec::Exceptions::ResourceFailed, "PostgreSQL connection error: #{out}"
       elsif cmd.exit_status != 0 && out.downcase =~ /error:/
         Lines.new(out, "PostgreSQL query with error: #{query}", cmd.exit_status)
@@ -74,6 +74,10 @@ module Inspec::Resources
       Shellwords.escape(query)
     end
 
+    def encoded_password(password)
+      CGI.escape(password)
+    end
+
     def create_psql_cmd(query, db = [])
       dbs = db.map { |x| "#{x}" }.join(" ")
 
@@ -82,14 +86,14 @@ module Inspec::Resources
         # Socket connection only enabled for non-windows platforms
         # Windows does not support unix domain sockets
         option_port = @port.nil? ? "" : "-p #{@port}" # add explicit port if specified
-        "psql -d postgresql://#{@user}:#{@pass}@/#{dbs}?host=#{@socket_path} #{option_port} -A -t -w -c #{escaped_query(query)}"
+        "psql -d postgresql://#{@user}:#{encoded_password(@pass)}@/#{dbs}?host=#{@socket_path} #{option_port} -A -t -w -c #{escaped_query(query)}"
       else
         # Host in connection string establishes tcp/ip connection
         if inspec.os.windows?
           warn "Socket based connection not supported in windows, connecting using host" if @socket_path
-          "psql -d postgresql://#{@user}:#{@pass}@#{@host}:#{@port}/#{dbs} -A -t -w -c \"#{query}\""
+          "psql -d postgresql://#{@user}:#{encoded_password(@pass)}@#{@host}:#{@port}/#{dbs} -A -t -w -c \"#{query}\""
         else
-          "psql -d postgresql://#{@user}:#{@pass}@#{@host}:#{@port}/#{dbs} -A -t -w -c #{escaped_query(query)}"
+          "psql -d postgresql://#{@user}:#{encoded_password(@pass)}@#{@host}:#{@port}/#{dbs} -A -t -w -c #{escaped_query(query)}"
         end
       end
     end

data/lib/inspec/resources/ssh_config.rb

@@ -0,0 +1,215 @@
+# copyright: 2015, Vulcano Security GmbH
+
+require "inspec/utils/simpleconfig"
+require "inspec/utils/file_reader"
+
+module Inspec::Resources
+  class SshConfig < Inspec.resource(1)
+    name "ssh_config"
+    supports platform: "unix"
+    supports platform: "windows"
+    desc "Use the `ssh_config` InSpec audit resource to test OpenSSH client configuration data located at `/etc/ssh/ssh_config` on Linux and Unix platforms."
+    example <<~EXAMPLE
+      describe ssh_config do
+        its('cipher') { should contain '3des' }
+        its('port') { should eq '22' }
+        its('hostname') { should include('example.com') }
+      end
+    EXAMPLE
+
+    include FileReader
+
+    def initialize(conf_path = nil, type = nil)
+      @conf_path = conf_path || ssh_config_file("ssh_config")
+      typename = (@conf_path.include?("sshd") ? "Server" : "Client")
+      @type = type || "SSH #{typename} configuration #{conf_path}"
+      read_content
+    end
+
+    def content
+      read_content
+    end
+
+    def params(*opts)
+      opts.inject(read_params) do |res, nxt|
+        res.respond_to?(:key) ? res[nxt] : nil
+      end
+    end
+
+    def convert_hash(hash)
+      new_hash = {}
+      hash.each { |k, v| new_hash[k.downcase] ||= v }
+      new_hash
+    end
+
+    def method_missing(name)
+      param = read_params[name.to_s.downcase]
+      return nil if param.nil?
+      return param[0] if param.length == 1
+
+      param
+    end
+
+    def to_s
+      "SSH Configuration"
+    end
+
+    def resource_id
+      @conf_path || "SSH Configuration"
+    end
+
+    private
+
+    def read_content
+      return @content if defined?(@content)
+
+      @content = read_file_content(@conf_path)
+    end
+
+    def read_params
+      return @params if defined?(@params)
+      return @params = {} if read_content.nil?
+
+      conf =
+        SimpleConfig.new(
+          read_content,
+          assignment_regex: /^\s*(\S+?)\s+(.*?)\s*$/,
+          multiple_values: true
+        )
+      @params = convert_hash(conf.params)
+    end
+
+    def ssh_config_file(type)
+      if inspec.os.windows?
+        programdata = inspec.os_env("programdata").content
+        return "#{programdata}\\ssh\\#{type}"
+      end
+
+      "/etc/ssh/#{type}"
+    end
+  end
+
+  class SshdConfig < SshConfig
+    name "sshd_config"
+    supports platform: "unix"
+    supports platform: "windows"
+    desc "Use the sshd_config InSpec audit resource to test configuration data for the Open SSH daemon located at /etc/ssh/sshd_config on Linux and UNIX platforms. sshd---the Open SSH daemon---listens on dedicated ports, starts a daemon for each incoming connection, and then handles encryption, authentication, key exchanges, command execution, and data exchanges."
+    example <<~EXAMPLE
+      describe sshd_config do
+        its('Protocol') { should eq '2' }
+      end
+    EXAMPLE
+
+    def initialize(path = nil)
+      super(path || ssh_config_file("sshd_config"))
+    end
+
+    def to_s
+      "SSHD Configuration"
+    end
+
+    private
+
+    def ssh_config_file(type)
+      if inspec.os.windows?
+        programdata = inspec.os_env("programdata").content
+        return "#{programdata}\\ssh\\#{type}"
+      end
+
+      "/etc/ssh/#{type}"
+    end
+  end
+
+  class SshdActiveConfig < SshdConfig
+    name "sshd_active_config"
+    supports platform: "unix"
+    supports platform: "windows"
+    desc "Use the sshd_active_config InSpec audit resource to test configuration data for the Open SSH daemon located at /etc/ssh/sshd_config on Linux and UNIX platforms. sshd---the Open SSH daemon---listens on dedicated ports, starts a daemon for each incoming connection, and then handles encryption, authentication, key exchanges, command execution, and data exchanges."
+    example <<~EXAMPLE
+      describe sshd_active_config do
+        its('Protocol') { should eq '2' }
+      end
+    EXAMPLE
+
+    attr_reader :active_path
+
+    def initialize
+      @active_path = dynamic_sshd_config_path
+      super(@active_path)
+    end
+
+    def to_s
+      "SSHD Active Configuration (active path: #{@conf_path})"
+    end
+
+    private
+
+    def ssh_config_file(type)
+      if inspec.os.windows?
+        programdata = inspec.os_env("programdata").content
+        return "#{programdata}\\ssh\\#{type}"
+      end
+
+      "/etc/ssh/#{type}"
+    end
+
+    def dynamic_sshd_config_path
+      if inspec.os.windows?
+        script = <<-EOH
+          $sshdPath = (Get-Command sshd.exe).Source
+          if ($sshdPath -ne $null) {
+            Write-Output $sshdPath
+          } else {
+            Write-Error "sshd.exe not found"
+          }
+        EOH
+        sshd_path_result = inspec.powershell(script).stdout.strip
+        sshd_path = "\"#{sshd_path_result}\""
+        if !sshd_path_result.empty? && sshd_path_result != "sshd.exe not found"
+          command_output = inspec.command("sudo #{sshd_path} -dd 2>&1").stdout
+          dynamic_path =
+            command_output
+              .lines
+              .find { |line| line.include?("filename") }
+              &.split("filename")
+              &.last
+              &.strip
+          env_var_name = dynamic_path.match(/__(.*?)__/)[1]
+          if env_var_name?
+            dynamic_path =
+              dynamic_path.gsub(
+                /__#{env_var_name}__/,
+                inspec.os_env(env_var_name).content
+              )
+          end
+        else
+          Inspec::Log.error("sshd.exe not found using PowerShell script block.")
+          return nil
+        end
+      elsif inspec.os.unix?
+        sshd_path = "/usr/sbin/sshd"
+        command_output = inspec.command("sudo #{sshd_path} -dd 2>&1").stdout
+        dynamic_path =
+          command_output
+            .lines
+            .find { |line| line.include?("filename") }
+            &.split("filename")
+            &.last
+            &.strip
+      else
+        Inspec::Log.error(
+          "Unable to determine sshd configuration path on Windows using -T flag."
+        )
+        return nil
+      end
+
+      if dynamic_path.nil? || dynamic_path.empty?
+        Inspec::Log.warn(
+          "No active SSHD configuration found. Using default configuration."
+        )
+        return ssh_config_file("sshd_config")
+      end
+      dynamic_path
+    end
+  end
+end

data/lib/inspec/resources/ssh_key.rb

@@ -0,0 +1,124 @@
+require "inspec/utils/file_reader"
+require "net/ssh" unless defined?(Net::SSH)
+
+# Change module if required
+module Inspec::Resources
+  class SshKey < FileResource
+    # Every resource requires an internal name.
+    name "ssh_key"
+
+    # Restrict to only run on the below platforms (if none were given,
+    # all OS's and cloud API's supported)
+    supports platform: "unix"
+    supports platform: "windows"
+
+    desc "public/private SSH key pair test"
+
+    example <<~EXAMPLE
+      describe ssh_key('path: ~/.ssh/id_rsa') do
+        its('key_length') { should eq 4096 }
+        its('type') { should cmp /rsa/ }
+        it { should be_private }
+      end
+    EXAMPLE
+
+    include FileReader
+
+    def initialize(keypath, passphrase = nil)
+      skip_resource "The `ssh_key` resource is not yet available on your OS." unless inspec.os.unix? || inspec.os.windows?
+      @key_path = set_ssh_key_path(keypath)
+      @passphrase = passphrase
+      @key = read_ssh_key
+      super(@key_path)
+    end
+
+    def public?
+      return if @key.nil?
+
+      @key[:public]
+    end
+
+    def private?
+      return if @key.nil?
+
+      @key[:private]
+    end
+
+    def key_length
+      return if @key.nil?
+
+      @key[:key_length]
+    end
+
+    def type
+      return if @key.nil?
+
+      @key[:type]
+    end
+
+    # Define a resource ID. This is used in reporting engines to uniquely identify the individual resource.
+    # This might be a file path, or a process ID, or a cloud instance ID. Only meaningful to the implementation.
+    # Must be a string. Defaults to the empty string if not implemented.
+    def resource_id
+      @key_path || "SSH key"
+    end
+
+    def to_s
+      "ssh_key #{@key_path}"
+    end
+
+    private
+
+    def set_ssh_key_path(keypath)
+      if File.exist?(keypath)
+        @key_path = keypath
+      elsif File.exist?(File.join("#{Dir.home}/.ssh/", keypath))
+        @key_path = File.join("#{Dir.home}/.ssh/", keypath)
+      else
+        raise Inspec::Exceptions::ResourceSkipped, "Can't find file: #{keypath}"
+      end
+    end
+
+    def read_ssh_key
+      key_data = {}
+      key = nil
+      filecontent = read_file_content((@key_path), @passphrase)
+      raise Inspec::Exceptions::ResourceSkipped, "File is empty: #{@key_path}" if filecontent.split("\n").empty?
+
+      if filecontent.split("\n")[0].include?("PRIVATE")
+        # Net::SSH::KeyFactory does not have support to load private key for DSA
+        key = Net::SSH::KeyFactory.load_private_key(@key_path, @passphrase, false)
+        unless key.nil?
+          key_data[:private] = true
+          key_data[:public] = false
+          # The data send for ssh type is not in same format so it's good to match on the string
+          key_data[:type] = key.ssh_type
+          key_data[:key_length] = key_lengh(key)
+        end
+      else
+        key = Net::SSH::KeyFactory.load_public_key(@key_path)
+        unless key.nil?
+          key_data[:private] = false
+          key_data[:public] = true
+          # The data send for ssh type is not in same format so it's good to match on the string
+          key_data[:type] = key.ssh_type
+          key_data[:key_length] = key_lengh(key)
+        end
+      end
+
+      key_data
+    rescue OpenSSL::PKey::PKeyError => e
+      raise Inspec::Exceptions::ResourceFailed, "#{e.message}"
+    end
+
+    def key_lengh(key)
+      if key.class.to_s == "OpenSSL::PKey::RSA"
+        key.public_key.n.num_bits
+      else
+        # Unable to get the key lenght data for other types of keys
+        # TODO: Need to check if there is any method that will get this info.
+        nil
+      end
+    end
+  end
+end

data/lib/inspec/resources/sshd_active_config.rb

@@ -0,0 +1,2 @@
+# This is just here to make the dynamic loader happy.
+require "inspec/resources/ssh_config"

data/lib/inspec/resources/sshd_config.rb

@@ -0,0 +1,2 @@
+# This is just here to make the dynamic loader happy.
+require "inspec/resources/ssh_config"

data/lib/inspec/resources/yum.rb

@@ -121,7 +121,7 @@ module Inspec::Resources
     # extracts the shortname from a repo id
     # e.g. extras/7/x86_64 -> extras
     def shortname(id)
-      val = %r{^\s*([^/]*?)/(.*?)\s*$}.match(id)
+      val = %r{^([^/]+)/.*$}.match(id)
       val.nil? ? nil : val[1]
     end
 

data/lib/inspec/resources.rb

@@ -71,8 +71,6 @@ require "inspec/resources/oneget"
 require "inspec/resources/oracle"
 require "inspec/resources/oracledb_conf"
 require "inspec/resources/oracledb_listener_conf"
-require "inspec/resources/opa_cli"
-require "inspec/resources/opa_api"
 require "inspec/resources/oracledb_session"
 require "inspec/resources/os"
 require "inspec/resources/os_env"
@@ -97,6 +95,8 @@ require "inspec/resources/security_policy"
 require "inspec/resources/selinux"
 require "inspec/resources/service"
 require "inspec/resources/shadow"
+require "inspec/resources/ssh_config"
+require "inspec/resources/ssh_key"
 require "inspec/resources/ssl"
 require "inspec/resources/sys_info"
 require "inspec/resources/toml"

data/lib/inspec/rule.rb

@@ -1,4 +1,6 @@
 # copyright: 2015, Dominik Richter
+# Copyright © 2015-2025 Progress Software Corporation and/or its subsidiaries or affiliates.
+# All Rights Reserved.
 
 require "method_source"
 require "date"

data/lib/inspec/runner.rb

@@ -1,4 +1,6 @@
 # copyright: 2015, Dominik Richter
+# Copyright © 2015-2025 Progress Software Corporation and/or its subsidiaries or affiliates.
+# All Rights Reserved.
 
 require "forwardable" unless defined?(Forwardable)
 require "uri" unless defined?(URI)
@@ -172,7 +174,16 @@ module Inspec
     end
 
     def run(with = nil)
-      ChefLicensing.check_software_entitlement! if Inspec::Dist::EXEC_NAME == "inspec"
+      product_dist_name = Inspec::Dist::PRODUCT_NAME
+      if Inspec::Dist::EXEC_NAME == "inspec"
+        if Inspec::Telemetry::RunContextProbe.guess_run_context == "test-kitchen"
+          product_dist_name = "Chef Workstation"
+          configure_licensing_config_for_kitchen(@conf)
+          # Persist the license key in file when passed via test-kitchen
+          ChefLicensing.fetch_and_persist if @conf[:chef_license_key]
+        end
+        ChefLicensing.check_software_entitlement!
+      end
 
       # Validate if profiles are signed and verified
       # Additional check is required to provide error message in case of inspec exec command (exec command can use multiple profiles as well)
@@ -187,8 +198,11 @@ module Inspec
       Inspec::Telemetry.run_starting(runner: self, conf: @conf)
       load
       run_tests(with)
+    rescue ChefLicensing::LicenseKeyFetcher::LicenseKeyNotFetchedError
+      Inspec::Log.error "#{product_dist_name} cannot execute without valid licenses."
+      Inspec::UI.new.exit(:license_not_set)
     rescue ChefLicensing::SoftwareNotEntitled
-      Inspec::Log.error "License is not entitled to use InSpec."
+      Inspec::Log.error "License is not entitled to use #{product_dist_name}."
       Inspec::UI.new.exit(:license_not_entitled)
     rescue ChefLicensing::Error => e
       Inspec::Log.error e.message

data/lib/inspec/utils/deprecated_core_resources_list.rb

@@ -0,0 +1,25 @@
+module DeprecatedCoreResourcesList
+  CORE_RESOURCES_DEPRECATED = %i{
+    docker_container
+    docker_image
+    docker_plugin
+    docker_service
+    elasticsearch
+    ibmdb2_conf
+    ibmdb2_session
+    mongodb
+    mongodb_conf
+    mongodb_session
+    opa_api
+    opa_cli
+    podman
+    podman_container
+    podman_image
+    podman_network
+    podman_pod
+    podman_volume
+    rabbitmq_config
+    sybase_conf
+    sybase_session
+  }.freeze
+end

data/lib/inspec/utils/licensing_config.rb

@@ -4,6 +4,20 @@ ChefLicensing.configure do |config|
   config.chef_product_name = "InSpec"
   config.chef_entitlement_id = "3ff52c37-e41f-4f6c-ad4d-365192205968"
   config.chef_executable_name = "inspec"
-  config.license_server_url = "https://services.chef.io/licensing"
+  config.license_server_url = ENV["CHEF_LICENSE_SERVER"] || "https://services.chef.io/licensing"
   config.logger = Inspec::Log
 end
+
+def configure_licensing_config_for_kitchen(opts = {})
+  ChefLicensing.configure do |config|
+    # Reset entitlement ID to the ID of Chef Workstation
+    config.chef_entitlement_id = "x6f3bc76-a94f-4b6c-bc97-4b7ed2b045c0"
+    # Reset Chef License server via kitchen when passed in kitchen.yml
+    opts["chef_license_server"] = opts["chef_license_server"].join(",") if opts["chef_license_server"].is_a? Array
+    unless opts["chef_license_server"].nil? || opts["chef_license_server"].empty?
+      ENV["CHEF_LICENSE_SERVER"] = opts["chef_license_server"]
+    end
+  end
+  # Reset Chef License key via kitchen when passed in kitchen.yml
+  ENV["CHEF_LICENSE_KEY"] = opts["chef_license_key"] if opts["chef_license_key"]
+end

data/lib/inspec/utils/parser.rb

@@ -72,15 +72,23 @@ module Inspec
         if includes_whitespaces?(mount_line)
           # Device-/Sharenames and Mountpoints including whitespaces require special treatment:
           # We use the keyword ' type ' to split up and rebuild the desired array of fields
-          type_split = mount_line.split(" type ")
-          fs_path = type_split[0]
-          other_opts = type_split[1]
-          fs, path = fs_path.match(%r{^(.+?)\son\s(/.+?)$}).captures
+          # Split the mount line by the keyword ' type '
+          fs_path, other_opts = mount_line.split(" type ", 2)
+
+          # Manually split fs_path into the filesystem and path parts
+          fs, path = fs_path.split(" on ", 2)
+
+          # Start building the mount array
           mount = [fs, "on", path, "type"]
-          mount.concat(other_opts.scan(/\S+/))
+
+          # Split the remaining options by spaces
+          other_opts = other_opts.split(/\s+/)
+
+          # Concatenate the options to the mount array
+          mount.concat(other_opts)
         else
-          # ... otherwise we just split the fields by whitespaces
-          mount = mount_line.scan(/\S+/)
+          # If no whitespace, simply split by spaces
+          mount = mount_line.split(/\s+/)
         end
 
         # parse device and type
@@ -109,8 +117,10 @@ module Inspec
 
       # Device-/Sharename or Mountpoint includes whitespaces?
       def includes_whitespaces?(mount_line)
-        ws = mount_line.match(/^(.+)\son\s(.+)\stype\s.*$/)
-        ws.captures[0].include?(" ") || ws.captures[1].include?(" ")
+        # Split the mount_line by " on "
+        parts = mount_line.split(" on ")
+        # Check if either part contains spaces
+        parts.any? { |part| part.include?(" ") }
       end
     end
 

data/lib/inspec/utils/simpleconfig.rb

@@ -1,4 +1,6 @@
 # copyright: 2015, Dominik Richter
+# Copyright © 2015-2025 Progress Software Corporation and/or its subsidiaries or affiliates.
+# All Rights Reserved.
 
 require "inspec/utils/parser"
 require "hashie"

data/lib/inspec/utils/telemetry/run_context_probe.rb

@@ -26,8 +26,11 @@ module Inspec
       end
 
       def self.run_by_thor?(stack)
-        stack_match(stack: stack, path: "thor/command", label: "run") &&
-          stack_match(stack: stack, path: "thor/invocation", label: "invoke_command")
+        # Handled in both ways to fix label differences for Ruby 3.4 and other versions of Ruby
+        (stack_match(stack: stack, path: "thor/command", label: "Thor::Command#run") &&
+          stack_match(stack: stack, path: "thor/invocation", label: "Thor::Invocation#invoke_command")) ||
+          (stack_match(stack: stack, path: "thor/command", label: "run") &&
+            stack_match(stack: stack, path: "thor/invocation", label: "invoke_command"))
       end
 
       def self.kitchen?(stack)

data/lib/inspec/utils/telemetry.rb

@@ -18,10 +18,12 @@ module Inspec
       # Don't perform telemetry action for other InSpec distros
       # Don't perform telemetry action if running under Automate - Automate does LDC tracking for us
       # Don't perform telemetry action if license is a commercial license
+      # Don't perform telemetry action if running under Test Kitchen
 
       if Inspec::Dist::EXEC_NAME != "inspec" ||
           Inspec::Telemetry::RunContextProbe.under_automate? ||
-          license&.license_type&.downcase == "commercial"
+          license&.license_type&.downcase == "commercial" ||
+          Inspec::Telemetry::RunContextProbe.guess_run_context == "test-kitchen"
 
         Inspec::Log.debug "Determined telemetry operation is not applicable and hence aborting it."
         return Inspec::Telemetry::Null

data/lib/inspec/version.rb

@@ -1,3 +1,3 @@
 module Inspec
-  VERSION = "7.0.38.beta".freeze
+  VERSION = "7.0.95".freeze
 end