inspec-core 2.2.78 → 2.2.101

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fd2c06a328a1d1852683797eaafa3b7391e39b82a22b8bb830bb965fabb6b1ab
-  data.tar.gz: bc65f001fafc0b7b7fefe90309388cea38ad6968e081dc4a136f4cc1bb6ee531
+  metadata.gz: bad3e7476f7a3931284706247846b67ecabfb59be55430187e86dc6635436a4f
+  data.tar.gz: ec9f1586d0bde6037aa60a25ee9d758feb21e9715a45019baaa7189b9de599df
 SHA512:
-  metadata.gz: '0822f141bda2c4640c154f61f3b819f05c154a213aaef9fca6e24b011d10c8344f85637bb356c4ec1ae6772db1fb27c88637beb0051607a0b71d1afb07977e00'
-  data.tar.gz: aa6727726d7418819f3c905c058a49911fbb272bc0a7627307112015eb0fa455a5fbdd6592ebf6cbfe6a7d7416bd091b9a51139a8f5d8eb80ec72cedd307f3a6
+  metadata.gz: ca03041c8f5168ac760996394b57649208debb42e761dcca2fda628adc9850d72c4c962ceb34df836313169d1137a9217dc69b6f3fa3fa64c64f70298b514a18
+  data.tar.gz: 6a6aeb327d3664bb505b35d80a68d157eef7427f2bfe43062c2559ca6dc320bc4350be61fe85b26768a9d8348923099b726880609628162ee3478b6956146485

data/CHANGELOG.md

@@ -1,31 +1,62 @@
 # Change Log
 <!-- usage documentation: http://expeditor-docs.es.chef.io/configuration/changelog/ -->
-<!-- latest_release 2.2.78 -->
-## [v2.2.78](https://github.com/inspec/inspec/tree/v2.2.78) (2018-08-30)
+<!-- latest_release 2.2.101 -->
+## [v2.2.101](https://github.com/inspec/inspec/tree/v2.2.101) (2018-09-14)
 
 #### Merged Pull Requests
-- Update demo site nom packages [#3343](https://github.com/inspec/inspec/pull/3343) ([miah](https://github.com/miah))
+- Fix profile vendoring on Windows [#3378](https://github.com/inspec/inspec/pull/3378) ([jerryaldrichiii](https://github.com/jerryaldrichiii))
 <!-- latest_release -->
 
-<!-- release_rollup since=2.2.70 -->
-### Changes since 2.2.70 release
+<!-- release_rollup since=2.2.78 -->
+### Changes since 2.2.78 release
 
 #### New Features
-- Add HTTP basic auth for URL based inspec deps [#3341](https://github.com/inspec/inspec/pull/3341) ([frezbo](https://github.com/frezbo)) <!-- 2.2.77 -->
-- Support erb rendering [#3338](https://github.com/inspec/inspec/pull/3338) ([frezbo](https://github.com/frezbo)) <!-- 2.2.76 -->
+- Add string impact options for controls [#3359](https://github.com/inspec/inspec/pull/3359) ([jquick](https://github.com/jquick)) <!-- 2.2.96 -->
 
 #### Bug Fixes
-- fix skip message not being passed for merge [#3329](https://github.com/inspec/inspec/pull/3329) ([frezbo](https://github.com/frezbo)) <!-- 2.2.73 -->
+- Fix the compliance target error checks [#3392](https://github.com/inspec/inspec/pull/3392) ([jquick](https://github.com/jquick)) <!-- 2.2.94 -->
+- Prevent logs from showing up when running inspec json [#3391](https://github.com/inspec/inspec/pull/3391) ([jquick](https://github.com/jquick)) <!-- 2.2.93 -->
+- Fixing AWS integration tests. [#3374](https://github.com/inspec/inspec/pull/3374) ([MartinLogan](https://github.com/MartinLogan)) <!-- 2.2.87 -->
+- enforce utf encoding for cli output [#3376](https://github.com/inspec/inspec/pull/3376) ([chris-rock](https://github.com/chris-rock)) <!-- 2.2.86 -->
+- Fix vendoring functional test cleanup [#3377](https://github.com/inspec/inspec/pull/3377) ([jquick](https://github.com/jquick)) <!-- 2.2.85 -->
+- use multipart gem for upload to support upload on windows [#3369](https://github.com/inspec/inspec/pull/3369) ([chris-rock](https://github.com/chris-rock)) <!-- 2.2.84 -->
+- ensure we use the mock backend when we upload profiles [#3370](https://github.com/inspec/inspec/pull/3370) ([chris-rock](https://github.com/chris-rock)) <!-- 2.2.83 -->
+
+#### Enhancements
+- do not show success message since its confusing [#3366](https://github.com/inspec/inspec/pull/3366) ([chris-rock](https://github.com/chris-rock)) <!-- 2.2.82 -->
+- Harmonize vendoring (ensure archives are extracted and local paths do not vendor on exec) [#3286](https://github.com/inspec/inspec/pull/3286) ([jerryaldrichiii](https://github.com/jerryaldrichiii)) <!-- 2.2.81 -->
+- handle errors from automate report and display them to the user [#3360](https://github.com/inspec/inspec/pull/3360) ([chris-rock](https://github.com/chris-rock)) <!-- 2.2.80 -->
 
 #### Merged Pull Requests
-- Update demo site nom packages [#3343](https://github.com/inspec/inspec/pull/3343) ([miah](https://github.com/miah)) <!-- 2.2.78 -->
-- Fix the brew command to install inspec [#3335](https://github.com/inspec/inspec/pull/3335) ([tas50](https://github.com/tas50)) <!-- 2.2.75 -->
-- Convert legacy supports to their platform counterparts [#3333](https://github.com/inspec/inspec/pull/3333) ([jquick](https://github.com/jquick)) <!-- 2.2.74 -->
-- bump inspec/train version [#3331](https://github.com/inspec/inspec/pull/3331) ([tomqwu](https://github.com/tomqwu)) <!-- 2.2.72 -->
-- Cached profiles with Compliance Fetcher [#3221](https://github.com/inspec/inspec/pull/3221) ([itmustbejj](https://github.com/itmustbejj)) <!-- 2.2.71 -->
+- Fix profile vendoring on Windows [#3378](https://github.com/inspec/inspec/pull/3378) ([jerryaldrichiii](https://github.com/jerryaldrichiii)) <!-- 2.2.101 -->
+- Add platforms schema command [#3346](https://github.com/inspec/inspec/pull/3346) ([jquick](https://github.com/jquick)) <!-- 2.2.97 -->
+- Bump omnibus ruby to 2.5.1 [#3390](https://github.com/inspec/inspec/pull/3390) ([jquick](https://github.com/jquick)) <!-- 2.2.95 -->
+- Add windows functional tests [#3385](https://github.com/inspec/inspec/pull/3385) ([jquick](https://github.com/jquick)) <!-- 2.2.92 -->
+- Populate code for inspec json inheritance [#3386](https://github.com/inspec/inspec/pull/3386) ([jquick](https://github.com/jquick)) <!-- 2.2.91 -->
+- Revert uuid change from A2 report [#3387](https://github.com/inspec/inspec/pull/3387) ([jquick](https://github.com/jquick)) <!-- 2.2.90 -->
+- Implement InSpec global attributes [#3318](https://github.com/inspec/inspec/pull/3318) ([jquick](https://github.com/jquick)) <!-- 2.2.89 -->
+- Update rubyzip to resolve a directory traversal security vulnerability. [#3388](https://github.com/inspec/inspec/pull/3388) ([miah](https://github.com/miah)) <!-- 2.2.88 -->
+- Allow target-id passthrough [#3320](https://github.com/inspec/inspec/pull/3320) ([jquick](https://github.com/jquick)) <!-- 2.2.79 -->
 <!-- release_rollup -->
 
 <!-- latest_stable_release -->
+## [v2.2.78](https://github.com/inspec/inspec/tree/v2.2.78) (2018-08-30)
+
+#### New Features
+- Support erb rendering [#3338](https://github.com/inspec/inspec/pull/3338) ([frezbo](https://github.com/frezbo))
+- Add HTTP basic auth for URL based inspec deps [#3341](https://github.com/inspec/inspec/pull/3341) ([frezbo](https://github.com/frezbo))
+
+#### Bug Fixes
+- fix skip message not being passed for merge [#3329](https://github.com/inspec/inspec/pull/3329) ([frezbo](https://github.com/frezbo))
+
+#### Merged Pull Requests
+- Cached profiles with Compliance Fetcher [#3221](https://github.com/inspec/inspec/pull/3221) ([itmustbejj](https://github.com/itmustbejj))
+- bump inspec/train version [#3331](https://github.com/inspec/inspec/pull/3331) ([tomqwu](https://github.com/tomqwu))
+- Convert legacy supports to their platform counterparts [#3333](https://github.com/inspec/inspec/pull/3333) ([jquick](https://github.com/jquick))
+- Fix the brew command to install inspec [#3335](https://github.com/inspec/inspec/pull/3335) ([tas50](https://github.com/tas50))
+- Update demo site nom packages [#3343](https://github.com/inspec/inspec/pull/3343) ([miah](https://github.com/miah))
+<!-- latest_stable_release -->
+
 ## [v2.2.70](https://github.com/inspec/inspec/tree/v2.2.70) (2018-08-24)
 
 #### Enhancements
@@ -38,7 +69,6 @@
 - Add cloudlinux under redhat family [#2935](https://github.com/inspec/inspec/pull/2935) ([tarcinil](https://github.com/tarcinil))
 - Suppress logs for json-automate reporter [#3324](https://github.com/inspec/inspec/pull/3324) ([jquick](https://github.com/jquick))
 - Rebuild InSpec omni bundles [#3327](https://github.com/inspec/inspec/pull/3327) ([jquick](https://github.com/jquick))
-<!-- latest_stable_release -->
 
 ## [v2.2.64](https://github.com/inspec/inspec/tree/v2.2.64) (2018-08-17)
 

data/docs/profiles.md

@@ -51,6 +51,7 @@ Each profile must have an `inspec.yml` file that defines the following informati
 * Use `inspec_version` to place SemVer constraints on the version of InSpec that the profile can run under.
 * Use `supports` to specify a list of supported platform targets.
 * Use `depends` to define a list of profiles on which this profile depends.
+* Use `attributes` to define a list of attributes you can use in your controls.
 
 `name` is required; all other profile settings are optional. For example:
 
@@ -336,15 +337,68 @@ profile `my_dep` using the name `my_res2`.
 
 # Profile Attributes
 
-Attributes may be used in profiles to define secrets, such as user names and passwords, that should not otherwise be stored in plain-text in a cookbook. First specify a variable in the control for each secret, then add the secret to a YAML file located on the local machine, and then run `inspec exec` and specify the path to that Yaml file using the `--attrs` attribute.
+Attributes are frequently used to parameterize a profile for use in different environments or targets. It can also be used define secrets, such as user names and passwords, that should not otherwise be stored in plain-text in a cookbook. Attributes may be set for the whole profile in the `inspec.yml`.
 
-For example, a control:
+Attributes may contain the following options:
 
+* Use `default` to set a default value for the attribute.
+* Use `type` to restrict an attribute to a specific type (any, string, numeric, array, hash, boolean, regex).
+* Use `required` to mandate the attribute has a default value or a value from a attribute YAML file.
+* Use `description` to set a brief description for the attribute.
+
+
+You can specify attributes in your `inspec.yml` using the `attributes` setting. For example, to add a `user` attribute for your profile:
+```YAML
+attributes:
+  - name: user
+    type: string
+    default: bob
+```
+
+Example of adding a array object of servers:
+```YAML
+attributes:
+  - name: servers
+    type: array
+    default:
+      - server1
+      - server2
+      - server3
+```
+
+To access an attribute you will use the `attribute` keyword. You can use this anywhere in your control code.
+
+For example:
 ```Ruby
-# define these attributes on the top-level of your file and re-use them across all tests!
-val_user = attribute('user', default: 'alice', description: 'An identification for the user')
-val_password = attribute('password', description: 'A value for the password')
+current_user = attribute('user')
+
+control 'system-users' do
+  describe attribute('user') do
+    it { should eq 'bob' }
+  end
+
+  describe current_user do
+    it { should eq attribute('user') }
+  end
+end
+```
+
+For sensitive data it is recomended to use a secrets YAML file located on the local machine to populate the values of attributes. A secrets file will always overwrite a attributes default value. To use the secrets file run `inspec exec` and specify the path to that Yaml file using the `--attrs` attribute.
+
+For example, a inspec.yml:
+```YAML
+attributes:
+  - name: username
+    type: string
+    required: true
+  - name: password
+    type: string
+    required: true
+```
 
+The control:
+
+```Ruby
 control 'system-users' do
   impact 0.8
   desc '
@@ -352,11 +406,11 @@ control 'system-users' do
     specified password.
   '
 
-   val_user do
+  describe attribute('username') do
     it { should eq 'bob' }
   end
 
-  describe val_password do
+  describe attribute('password') do
     it { should eq 'secret' }
   end
 end
@@ -365,7 +419,7 @@ end
 And a YAML file named `profile-attribute.yml`:
 
 ```YAML
-user: bob
+username: bob
 password: secret
 ```
 
@@ -375,6 +429,50 @@ The following command runs the tests and applies the secrets specified in `profi
 $ inspec exec examples/profile-attribute --attrs examples/profile-attribute.yml
 ```
 
+To change your attributes for platform specific cases you can setup multiple `--attrs` files.
+
+For example, a inspec.yml:
+```YAML
+attributes:
+  - name: users
+    type: array
+    required: true
+```
+
+A YAML file named `windows.yml`
+```YAML
+users:
+  - Administrator
+  - Guest
+  - Randy
+```
+
+A YAML file named `linux.yml`
+```YAML
+users:
+  - root
+  - shadow
+  - rmadison
+```
+
+The control file:
+```RUBY
+control 'system-users' do
+  impact 0.8
+  desc 'Confirm the proper users are created on the system'
+
+  describe users do
+    its('usernames') { should eq attribute('users') }
+  end
+end
+```
+
+The following command runs the tests and applies the attributes specified:
+```bash
+$ inspec exec examples/profile-attribute --attrs examples/windows.yml
+$ inspec exec examples/profile-attribute --attrs examples/linux.yml
+```
+
 See the full example in the InSpec open source repository: [Example InSpec Profile with Attributes](https://github.com/chef/inspec/tree/master/examples/profile-attribute)
 
 # Profile files

data/examples/inheritance/inspec.yml

@@ -7,7 +7,8 @@ license: Apache-2.0
 summary: Demonstrates the use of InSpec profile inheritance
 version: 1.0.0
 supports:
-  - os-family: unix
+  - platform-family: unix
+  - platform-family: windows
 depends:
   - name: profile
     path: ../profile

data/examples/profile/controls/gordon.rb

@@ -11,7 +11,7 @@ title 'Gordon Config Checks'
 # EOF
 # ```
 control 'gordon-1.0' do
-  impact 0.7
+  impact 'critical'
   title 'Verify the version number of Gordon'
   desc 'An optional description...'
   tag 'gordon'

data/examples/profile/controls/meta.rb

@@ -28,6 +28,8 @@ control 'ssh-1' do
   ref 'DISA-RHEL6-SG - Section 9.2.1', url: 'http://iasecontent.disa.mil/stigs/zip/Jan2016/U_RedHat_6_V1R10_STIG.zip'
   ref 'http://people.redhat.com/swells/scap-security-guide/RHEL/6/output/ssg-centos6-guide-C2S.html'
 
+  only_if { platform.in_family?('unix') }
+
   describe file('/bin/sh') do
     it { should be_owned_by 'root' }
   end

data/examples/profile/inspec.yml

@@ -7,4 +7,5 @@ license: Apache-2.0
 summary: Demonstrates the use of InSpec Compliance Profile
 version: 1.0.0
 supports:
-  - os-family: unix
+  - platform-family: unix
+  - platform-family: windows

data/inspec-core.gemspec

@@ -22,7 +22,7 @@ Gem::Specification.new do |spec|
 
   spec.required_ruby_version = '>= 2.3'
 
-  spec.add_dependency 'train-core', '~> 1.4', '>= 1.4.35'
+  spec.add_dependency 'train-core', '~> 1.4', '>= 1.4.37'
   spec.add_dependency 'thor', '~> 0.20'
   spec.add_dependency 'json', '>= 1.8', '< 3.0'
   spec.add_dependency 'method_source', '~> 0.8'
@@ -40,4 +40,5 @@ Gem::Specification.new do |spec|
   spec.add_dependency 'parslet', '~> 1.5'
   spec.add_dependency 'semverse'
   spec.add_dependency 'htmlentities'
+  spec.add_dependency 'multipart-post'
 end

data/lib/bundles/inspec-compliance/cli.rb

@@ -69,7 +69,8 @@ module Compliance
           li("#{profile['title']} v#{profile['version']} (#{mark_text(owner + '/' + profile['name'])})")
         }
       else
-        puts msg, 'Could not find any profiles'
+        puts msg if msg != 'success'
+        puts 'Could not find any profiles'
         exit 1
       end
     rescue Compliance::ServerConfigurationMissing
@@ -149,6 +150,12 @@ module Compliance
 
       o = options.dup
       configure_logger(o)
+
+      # only run against the mock backend, otherwise we run against the local system
+      o[:backend] = Inspec::Backend.create(target: 'mock://')
+      o[:check_mode] = true
+      o[:vendor_cache] = Inspec::Cache.new(o[:vendor_cache])
+
       # check the profile, we only allow to upload valid profiles
       profile = Inspec::Profile.for_target(path, o)
 
@@ -190,7 +197,9 @@ module Compliance
       end
 
       # if it is a directory, tar it to tmp directory
+      generated = false
       if File.directory?(path)
+        generated = true
         archive_path = Dir::Tmpname.create([profile_name, '.tar.gz']) {}
         puts "Generate temporary profile archive at #{archive_path}"
         profile.archive({ output: archive_path, ignore_errors: false, overwrite: true })
@@ -208,6 +217,9 @@ module Compliance
       end
       success, msg = Compliance::API.upload(config, config['owner'], pname, archive_path)
 
+      # delete temp file if it was temporary generated
+      File.delete(archive_path) if generated && File.exist?(archive_path)
+
       if success
         puts 'Successfully uploaded profile'
       else

data/lib/bundles/inspec-compliance/http.rb

@@ -3,6 +3,7 @@
 # author: Dominik Richter
 
 require 'net/http'
+require 'net/http/post/multipart'
 require 'uri'
 
 module Compliance
@@ -60,7 +61,7 @@ module Compliance
 
       req.body_stream=File.open(file_path, 'rb')
       req.add_field('Content-Length', File.size(file_path))
-      req.add_field('Content-Type', 'application/x-gtar')
+      req.add_field('Content-Type', 'application/x-gzip')
 
       boundary = 'INSPEC-PROFILE-UPLOAD'
       req.add_field('session', boundary)
@@ -77,24 +78,14 @@ module Compliance
       http.use_ssl = (uri.scheme == 'https')
       http.verify_mode = OpenSSL::SSL::VERIFY_NONE if insecure
 
-      req = Net::HTTP::Post.new(uri)
-      headers.each do |key, value|
-        req.add_field(key, value)
+      File.open(file_path) do |tar|
+        req = Net::HTTP::Post::Multipart.new(uri, 'file' => UploadIO.new(tar, 'application/x-gzip', File.basename(file_path)))
+        headers.each do |key, value|
+          req.add_field(key, value)
+        end
+        res = http.request(req)
+        return res
       end
-
-      boundry = 'AaB03x'
-      req.add_field('Content-Type', "multipart/form-data; boundary=#{boundry}")
-
-      post_body = []
-      post_body << "--#{boundry}\r\n"
-      post_body << "Content-Disposition: form-data; name=\"file\"; filename=\"#{File.basename(file_path)}\"\r\n"
-      post_body << "Content-Type: application/x-gtar\r\n\r\n"
-      post_body << File.read(file_path)
-      post_body << "\r\n\r\n--#{boundry}--\r\n"
-      req.body = post_body.join
-
-      res=http.request(req)
-      res
     end
 
     # sends a http requests

data/lib/bundles/inspec-compliance/target.rb

@@ -17,12 +17,12 @@ module Compliance
 
     def initialize(target, opts)
       super(target, opts)
+      @upstream_sha256 = ''
       if target.is_a?(Hash) && target.key?(:url)
         @target = target[:url]
         @upstream_sha256 = target[:sha256]
       elsif target.is_a?(String)
         @target = target
-        @upstream_sha256 = ''
       end
     end
 
@@ -30,7 +30,7 @@ module Compliance
       upstream_sha256.empty? ? super : upstream_sha256
     end
 
-    def self.check_compliance_token(config)
+    def self.check_compliance_token(uri, config)
       if config['token'].nil? && config['refresh_token'].nil?
         if config['server_type'] == 'automate'
           server = 'automate'
@@ -73,7 +73,7 @@ module Compliance
       if target.respond_to?(:key?) && target.key?(:sha256)
         profile_checksum = target[:sha256]
       else
-        check_compliance_token(config)
+        check_compliance_token(uri, config)
         # verifies that the target e.g base/ssh exists
         # Call profiles directly instead of exist? to capture the results
         # so we can access the upstream sha256 from the results.

data/lib/fetchers/local.rb

@@ -10,21 +10,23 @@ module Fetchers
     priority 0
 
     def self.resolve(target)
-      local_path = if target.is_a?(String)
-                     resolve_from_string(target)
-                   elsif target.is_a?(Hash)
-                     resolve_from_hash(target)
-                   end
-
-      new(local_path) if local_path
+      if target.is_a?(String)
+        local_path = resolve_from_string(target)
+        new(local_path) if local_path
+      elsif target.is_a?(Hash)
+        local_path = resolve_from_hash(target)
+        new(local_path, target) if local_path
+      end
     end
 
     def self.resolve_from_hash(target)
       return unless target.key?(:path)
 
-      local_path = target[:path]
-      local_path = File.expand_path(local_path, target[:cwd]) if target.key?(:cwd)
-      local_path
+      if target.key?(:cwd)
+        File.expand_path(target[:path], target[:cwd])
+      else
+        target[:path]
+      end
     end
 
     def self.resolve_from_string(target)
@@ -36,15 +38,48 @@ module Fetchers
         target = target.tr('\\', '/')
       end
 
-      target if File.exist?(target)
+      target if File.exist?(File.expand_path(target))
     end
 
-    def initialize(target)
+    def initialize(target, opts = {})
       @target = target
+      @backend = opts[:backend]
+      @archive_shasum = nil
     end
 
-    def fetch(_path)
-      archive_path
+    def fetch(path)
+      # If `inspec exec` is used then we should not vendor/fetch. This makes
+      # local development easier and more predictable.
+      return @target if Inspec::BaseCLI.inspec_cli_command == :exec
+
+      # Skip vendoring if @backend is not set (example: ad hoc runners)
+      return @target unless @backend
+
+      if File.directory?(@target)
+        # Create an archive, checksum, and move to the vendor directory
+        Dir.mktmpdir do |tmpdir|
+          temp_archive = File.join(tmpdir, "#{File.basename(@target)}.tar.gz")
+          opts = {
+            backend: @backend,
+            output: temp_archive,
+          }
+
+          # Create a temporary archive at `opts[:output]`
+          Inspec::Profile.for_target(@target, opts).archive(opts)
+
+          checksum = perform_shasum(temp_archive)
+          final_path = File.join(path, checksum)
+          FileUtils.mkdir_p(final_path)
+          Inspec::FileProvider.for_path(temp_archive).extract(final_path)
+        end
+      else
+        # Verify profile (archive) is valid and extract to vendor directory
+        opts = { backend: @backend }
+        Inspec::Profile.for_target(@target, opts).check
+        Inspec::FileProvider.for_path(@target).extract(path)
+      end
+
+      @target
     end
 
     def archive_path
@@ -60,9 +95,17 @@ module Fetchers
     end
 
     def sha256
-      return nil if File.directory?(@target)
-      @archive_shasum ||=
-        OpenSSL::Digest::SHA256.digest(File.read(@target)).unpack('H*')[0]
+      if !@archive_shasum.nil?
+        @archive_shasum
+      elsif File.directory?(@target)
+        nil
+      else
+        perform_shasum(@target)
+      end
+    end
+
+    def perform_shasum(target)
+      @archive_shasum ||= OpenSSL::Digest::SHA256.digest(File.read(target)).unpack('H*')[0]
     end
 
     def resolved_source