inspec-core 2.2.102 → 2.2.112

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 536fc0f8a749210da73f4908b57c9c3f032541ff2b8c27b293fdea23e138f518
-  data.tar.gz: 27c338de9ab67b4c28e8dfa70e503e9d89b0a730008fb96a1a55d1d441b79bee
+  metadata.gz: '08e8c25f0f329b43923160911ebafc36bebe17e7f7a09d5f4254a3534849429e'
+  data.tar.gz: 9238855161cf160af08a51119847757864374c75f6dfcbef2a2abec6e8033358
 SHA512:
-  metadata.gz: 12215a7ecd6b95a6a06d111079ef6343fa08840a3a357ac36be0b56c401ce9671137db9575cb62a334b32205cd2b17db20ef7193ff64ce98e71ceb2b80cf622d
-  data.tar.gz: 1887e20247d05651d7793338d8c39b705ce1cd76d1fb6fbf98fa0b293df6153c2655bf3d361af73893c1cfc1880bcc9bc9d06c3b5bc399e96c2225eb2aa0c313
+  metadata.gz: 648d001c2eea839d426543d34f80da62928abe93a9ffbf6de4838a1e100b4aaa16475dc16bf93fb647f8f0e41f2db02eab834678a0f88c628d358dfdfbd6bbf8
+  data.tar.gz: c170162f6a199addb3fb8595e6e265a2e14efb715ec8eb890cc827cbe248d07bd516b83f81b0f431b28e18f1a645a1586cabf7d4177043fa7e55339bdd8c543d

data/CHANGELOG.md

@@ -1,20 +1,39 @@
 # Change Log
 <!-- usage documentation: http://expeditor-docs.es.chef.io/configuration/changelog/ -->
-<!-- latest_release 2.2.102 -->
-## [v2.2.102](https://github.com/inspec/inspec/tree/v2.2.102) (2018-09-17)
+<!-- latest_release 2.2.112 -->
+## [v2.2.112](https://github.com/inspec/inspec/tree/v2.2.112) (2018-09-19)
 
 #### Merged Pull Requests
-- Add json-automate to the report method [#3401](https://github.com/inspec/inspec/pull/3401) ([jquick](https://github.com/jquick))
+- Move artifact to v2 plugin  [#3406](https://github.com/inspec/inspec/pull/3406) ([jquick](https://github.com/jquick))
 <!-- latest_release -->
 
-<!-- release_rollup since=2.2.101 -->
-### Changes since 2.2.101 release
+<!-- release_rollup since=2.2.102 -->
+### Changes since 2.2.102 release
+
+#### Enhancements
+- adding `versions` to the `gem` resource [#3398](https://github.com/inspec/inspec/pull/3398) ([majormoses](https://github.com/majormoses)) <!-- 2.2.107 -->
+- Plugins: Add support for &#39;bundles&#39; migration [#3384](https://github.com/inspec/inspec/pull/3384) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 2.2.105 -->
+
+#### New Features
+- Update AWS Security Group to work with IPV6 rules. [#3394](https://github.com/inspec/inspec/pull/3394) ([MartinLogan](https://github.com/MartinLogan)) <!-- 2.2.111 -->
+- Added db_name flag [#3383](https://github.com/inspec/inspec/pull/3383) ([kdoores](https://github.com/kdoores)) <!-- 2.2.104 -->
 
 #### Merged Pull Requests
-- Add json-automate to the report method [#3401](https://github.com/inspec/inspec/pull/3401) ([jquick](https://github.com/jquick)) <!-- 2.2.102 -->
+- Move artifact to v2 plugin  [#3406](https://github.com/inspec/inspec/pull/3406) ([jquick](https://github.com/jquick)) <!-- 2.2.112 -->
+- Move inspec init to v2 plugins [#3407](https://github.com/inspec/inspec/pull/3407) ([jquick](https://github.com/jquick)) <!-- 2.2.110 -->
+- Fix gem tests from recent merge [#3409](https://github.com/inspec/inspec/pull/3409) ([jquick](https://github.com/jquick)) <!-- 2.2.109 -->
+- Fix json automate tests and render call [#3408](https://github.com/inspec/inspec/pull/3408) ([jquick](https://github.com/jquick)) <!-- 2.2.108 -->
+- Move habitat to v2 plugin [#3404](https://github.com/inspec/inspec/pull/3404) ([jquick](https://github.com/jquick)) <!-- 2.2.106 -->
+- Fix rendering of profiles docs [#3393](https://github.com/inspec/inspec/pull/3393) ([jquick](https://github.com/jquick)) <!-- 2.2.103 -->
 <!-- release_rollup -->
 
 <!-- latest_stable_release -->
+## [v2.2.102](https://github.com/inspec/inspec/tree/v2.2.102) (2018-09-17)
+
+#### Merged Pull Requests
+- Add json-automate to the report method [#3401](https://github.com/inspec/inspec/pull/3401) ([jquick](https://github.com/jquick))
+<!-- latest_stable_release -->
+
 ## [v2.2.101](https://github.com/inspec/inspec/tree/v2.2.101) (2018-09-14)
 
 #### New Features
@@ -44,7 +63,6 @@
 - Bump omnibus ruby to 2.5.1 [#3390](https://github.com/inspec/inspec/pull/3390) ([jquick](https://github.com/jquick))
 - Add platforms schema command [#3346](https://github.com/inspec/inspec/pull/3346) ([jquick](https://github.com/jquick))
 - Fix profile vendoring on Windows [#3378](https://github.com/inspec/inspec/pull/3378) ([jerryaldrichiii](https://github.com/jerryaldrichiii))
-<!-- latest_stable_release -->
 
 ## [v2.2.78](https://github.com/inspec/inspec/tree/v2.2.78) (2018-08-30)
 

data/docs/profiles.md

@@ -348,6 +348,7 @@ Attributes may contain the following options:
 
 
 You can specify attributes in your `inspec.yml` using the `attributes` setting. For example, to add a `user` attribute for your profile:
+
 ```YAML
 attributes:
   - name: user
@@ -356,6 +357,7 @@ attributes:
 ```
 
 Example of adding a array object of servers:
+
 ```YAML
 attributes:
   - name: servers
@@ -369,6 +371,7 @@ attributes:
 To access an attribute you will use the `attribute` keyword. You can use this anywhere in your control code.
 
 For example:
+
 ```Ruby
 current_user = attribute('user')
 
@@ -386,6 +389,7 @@ end
 For sensitive data it is recomended to use a secrets YAML file located on the local machine to populate the values of attributes. A secrets file will always overwrite a attributes default value. To use the secrets file run `inspec exec` and specify the path to that Yaml file using the `--attrs` attribute.
 
 For example, a inspec.yml:
+
 ```YAML
 attributes:
   - name: username
@@ -432,6 +436,7 @@ $ inspec exec examples/profile-attribute --attrs examples/profile-attribute.yml
 To change your attributes for platform specific cases you can setup multiple `--attrs` files.
 
 For example, a inspec.yml:
+
 ```YAML
 attributes:
   - name: users
@@ -440,6 +445,7 @@ attributes:
 ```
 
 A YAML file named `windows.yml`
+
 ```YAML
 users:
   - Administrator
@@ -448,6 +454,7 @@ users:
 ```
 
 A YAML file named `linux.yml`
+
 ```YAML
 users:
   - root
@@ -456,6 +463,7 @@ users:
 ```
 
 The control file:
+
 ```RUBY
 control 'system-users' do
   impact 0.8
@@ -468,6 +476,7 @@ end
 ```
 
 The following command runs the tests and applies the attributes specified:
+
 ```bash
 $ inspec exec examples/profile-attribute --attrs examples/windows.yml
 $ inspec exec examples/profile-attribute --attrs examples/linux.yml

data/docs/resources/gem.md.erb

@@ -46,6 +46,15 @@ The following examples show how to use this InSpec audit resource.
       its('version') { should eq '0.33.0' }
     end
 
+### Verify that a particular version is installed when there are multiple versions installed
+
+    describe gem('rubocop') do
+      it { should be_installed }
+      its('versions') { should include /0.51.0/ }
+      its('versions.count') { should_not be > 3 }
+    end
+
+
 ### Verify that a gem package is not installed
 
     describe gem('rubocop') do
@@ -72,6 +81,21 @@ The following examples show how to use this InSpec audit resource.
 
 <br>
 
+## Properties
+
+### version (String)
+
+The `version` property returns a string of the default version on the system:
+
+    its('version') { should eq '0.33.0' }
+
+### versions
+
+The `versions` property returns an array of strings of all the versions of the gem installed on the system:
+
+    its('versions') { should include /0.33/ }
+
+
 ## Matchers
 
 For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
@@ -82,8 +106,3 @@ The `be_installed` matcher tests if the named Gem package is installed:
 
     it { should be_installed }
 
-### version
-
-The `version` matcher tests if the named package version is on the system:
-
-    its('version') { should eq '0.33.0' }

data/docs/resources/mssql_session.md.erb

@@ -62,6 +62,14 @@ The following examples show how to use this InSpec audit resource.
     describe sql.query("SELECT SERVERPROPERTY('ProductVersion') as result").row(0).column('result') do
       its("value") { should cmp > '12.00.4457' }
     end
+  
+### Test a specific database
+
+    sql = mssql_session(user: 'my_user', password: 'password', db_name: 'test')
+
+    describe sql.query("SELECT Name AS result FROM Product WHERE ProductID == 1").row(0).column('result') do
+      its("value") { should eq 'foo' }
+    end
 
 <br>
 

data/lib/inspec/plugin/v2/loader.rb

@@ -17,7 +17,14 @@ module Inspec::Plugin::V2
       determine_plugin_conf_file
       read_conf_file
       unpack_conf_file
+
+      # Old-style (v0, v1) co-distributed plugins were called 'bundles'
+      # and were located in lib/bundles
       detect_bundled_plugins unless options[:omit_bundles]
+
+      # New-style (v2) co-distributed plugins are in lib/plugins,
+      # and may be safely loaded
+      detect_core_plugins unless options[:omit_core_plugins]
     end
 
     def load_all
@@ -26,17 +33,20 @@ module Inspec::Plugin::V2
         # rubocop: disable Lint/RescueException
         begin
           # We could use require, but under testing, we need to repeatedly reload the same
-          # plugin.
-          if plugin_details.entry_point.include?('test/unit/mock/plugins')
-            load plugin_details.entry_point + '.rb'
-          else
+          # plugin.  However, gems only work with require (rubygems dooes not overload `load`)
+          if plugin_details.installation_type == :gem
+            activate_managed_gems_for_plugin(plugin_name)
             require plugin_details.entry_point
+          else
+            load_path = plugin_details.entry_point
+            load_path += '.rb' unless plugin_details.entry_point.end_with?('.rb')
+            load load_path
           end
           plugin_details.loaded = true
           annotate_status_after_loading(plugin_name)
         rescue ::Exception => ex
           plugin_details.load_exception = ex
-          Inspec::Log.error "Could not load plugin #{plugin_name}"
+          Inspec::Log.error "Could not load plugin #{plugin_name}: #{ex.message}"
         end
         # rubocop: enable Lint/RescueException
       end
@@ -60,7 +70,7 @@ module Inspec::Plugin::V2
     end
 
     def activate(plugin_type, hook_name)
-      activator = registry.find_activators(plugin_type: plugin_type, activation_name: hook_name).first
+      activator = registry.find_activators(plugin_type: plugin_type, activator_name: hook_name).first
       # We want to capture literally any possible exception here, since we are storing them.
       # rubocop: disable Lint/RescueException
       begin
@@ -80,7 +90,7 @@ module Inspec::Plugin::V2
         next if act.activated
         # If there is anything in the CLI args with the same name, activate it
         # If the word 'help' appears in the first position, load all CLI plugins
-        if cli_args.include?(act.activator_name.to_s) || cli_args[0] == 'help'
+        if cli_args.include?(act.activator_name.to_s) || cli_args[0] == 'help' || cli_args.size.zero?
           activate(:cli_command, act.activator_name)
           act.implementation_class.register_with_thor
         end
@@ -138,6 +148,22 @@ module Inspec::Plugin::V2
       @plugin_conf_file_path = File.join(@plugin_conf_file_path, 'plugins.json')
     end
 
+    def detect_core_plugins
+      core_plugins_dir = File.expand_path(File.join(File.dirname(__FILE__), '..', '..', '..', 'plugins'))
+      # These are expected to be organized as proper separate projects,
+      # with lib/ dirs, etc.
+      Dir.glob(File.join(core_plugins_dir, 'inspec-*')).each do |plugin_dir|
+        status = Inspec::Plugin::V2::Status.new
+        status.name = File.basename(plugin_dir)
+        status.entry_point = File.join(plugin_dir, 'lib', status.name + '.rb')
+        status.installation_type = :path
+        status.loaded = false
+        registry[status.name.to_sym] = status
+      end
+    end
+
+    # TODO: DRY up re: Installer read_or_init_config_file
+    # TODO: refactor the plugin.json file to have its own class, which Loader consumes
     def read_conf_file
       if File.exist?(@plugin_conf_file_path)
         @plugin_file_contents = JSON.parse(File.read(@plugin_conf_file_path))

data/lib/inspec/reporters/json_automate.rb

@@ -10,7 +10,7 @@ module Inspec::Reporters
     end
 
     def render
-      output(report_merged.to_json, false)
+      output(report.to_json, false)
     end
 
     def report

data/lib/inspec/version.rb

@@ -4,5 +4,5 @@
 # author: Christoph Hartmann
 
 module Inspec
-  VERSION = '2.2.102'
+  VERSION = '2.2.112'
 end

data/lib/plugins/README.md

@@ -0,0 +1,16 @@
+# Core Plugins of InSpec
+
+This area contains the plugins that ship with InSpec.  They are automatically detected by the plugin loader.
+
+## inspec-* directories
+
+Each subdirectory here that begins with `inspec-` is intended to be a self-contained plugin project,
+with code, docs, and tests.
+
+## shared directory
+
+This directory contains material that is reusable for core plugins, such as a test helper tuned to assisting
+core plugin testing.
+
+
+

data/lib/plugins/inspec-artifact/lib/inspec-artifact/base.rb

@@ -0,0 +1,162 @@
+require 'base64'
+require 'openssl'
+require 'pathname'
+require 'set'
+require 'tempfile'
+require 'yaml'
+
+module InspecPlugins
+  module Artifact
+    class Base
+      KEY_BITS=2048
+      KEY_ALG=OpenSSL::PKey::RSA
+
+      INSPEC_PROFILE_VERSION_1='INSPEC-PROFILE-1'.freeze
+      INSPEC_REPORT_VERSION_1='INSPEC-REPORT-1'.freeze
+
+      ARTIFACT_DIGEST=OpenSSL::Digest::SHA512
+      ARTIFACT_DIGEST_NAME='SHA512'.freeze
+
+      VALID_PROFILE_VERSIONS=Set.new [INSPEC_PROFILE_VERSION_1]
+      VALID_PROFILE_DIGESTS=Set.new [ARTIFACT_DIGEST_NAME]
+
+      SIGNED_PROFILE_SUFFIX='iaf'.freeze
+      SIGNED_REPORT_SUFFIX='iar'.freeze
+
+      def self.keygen(options)
+        key = KEY_ALG.new KEY_BITS
+        puts 'Generating private key'
+        open "#{options['keyname']}.pem.key", 'w' do |io| io.write key.to_pem end
+        puts 'Generating public key'
+        open "#{options['keyname']}.pem.pub", 'w' do |io| io.write key.public_key.to_pem end
+      end
+
+      def self.profile_sign(options)
+        artifact = new
+        Dir.mktmpdir do |workdir|
+          puts "Signing #{options['profile']} with key #{options['keyname']}"
+          path_to_profile = options['profile']
+          profile_md = artifact.read_profile_metadata(path_to_profile)
+          artifact_filename = "#{profile_md['name']}-#{profile_md['version']}.#{SIGNED_PROFILE_SUFFIX}"
+          tarfile = artifact.profile_compress(path_to_profile, profile_md, workdir)
+          content = IO.binread(tarfile)
+          signing_key = KEY_ALG.new File.read "#{options['keyname']}.pem.key"
+          sha = ARTIFACT_DIGEST.new
+          signature = signing_key.sign sha, content
+          # convert the signature to Base64
+          signature_base64 = Base64.encode64(signature)
+          tar_content = IO.binread(tarfile)
+          File.open(artifact_filename, 'wb') do |f|
+            f.puts(INSPEC_PROFILE_VERSION_1)
+            f.puts(options['keyname'])
+            f.puts(ARTIFACT_DIGEST_NAME)
+            f.puts(signature_base64)
+            f.puts('') # newline separates artifact header with body
+            f.write(tar_content)
+          end
+          puts "Successfully generated #{artifact_filename}"
+        end
+      end
+
+      def self.profile_verify(options)
+        artifact = new
+        file_to_verifiy = options['infile']
+        puts "Verifying #{file_to_verifiy}"
+        artifact.verify(file_to_verifiy) do ||
+          puts 'Artifact is valid'
+        end
+      end
+
+      def self.profile_install(options)
+        artifact = new
+        puts 'Installing profile'
+        file_to_verifiy = options['infile']
+        dest_dir = options['destdir']
+        artifact.verify(file_to_verifiy) do |content|
+          Dir.mktmpdir do |workdir|
+            tmpfile = Pathname.new(workdir).join('artifact_to_install.tar.gz')
+            File.write(tmpfile, content)
+            puts "Installing to #{dest_dir}"
+            `tar xzf #{tmpfile} -C #{dest_dir}`
+          end
+        end
+      end
+
+      def read_profile_metadata(path_to_profile)
+        begin
+          p = Pathname.new(path_to_profile)
+          p = p.join('inspec.yml')
+          if not p.exist?
+            raise "#{path_to_profile} doesn't appear to be a valid Inspec profile"
+          end
+          yaml = YAML.load_file(p.to_s)
+          yaml = yaml.to_hash
+
+          if not yaml.key? 'name'
+            raise 'Profile is invalid, name is not defined'
+          end
+
+          if not yaml.key? 'version'
+            raise 'Profile is invalid, version is not defined'
+          end
+        rescue => e
+          # rewrap it and pass it up to the CLI
+          raise "Error reading Inspec profile metadata: #{e}"
+        end
+
+        yaml
+      end
+
+      def profile_compress(path_to_profile, profile_md, workdir)
+        profile_name = profile_md['name']
+        profile_version = profile_md['version']
+        outfile_name = "#{workdir}/#{profile_name}-#{profile_version}.tar.gz"
+        `tar czf #{outfile_name} -C #{path_to_profile} .`
+        outfile_name
+      end
+
+      def valid_header?(file_alg, file_version, file_keyname)
+        public_keyfile = "#{file_keyname}.pem.pub"
+        puts "Looking for #{public_keyfile} to verify artifact"
+        if !File.exist? public_keyfile
+          raise "Can't find #{public_keyfile}"
+        end
+
+        raise 'Invalid artifact digest algorithm detected' if !VALID_PROFILE_DIGESTS.member?(file_alg)
+        raise 'Invalid artifact version detected' if !VALID_PROFILE_VERSIONS.member?(file_version)
+      end
+
+      def verify(file_to_verifiy, &content_block)
+        f = File.open(file_to_verifiy, 'r')
+        file_version = f.readline.strip!
+        file_keyname = f.readline.strip!
+        file_alg = f.readline.strip!
+
+        file_sig = ''
+        # the signature is multi-line
+        while (line = f.readline) != "\n"
+          file_sig += line
+        end
+        file_sig.strip!
+        f.close
+
+        valid_header?(file_alg, file_version, file_keyname)
+
+        public_keyfile = "#{file_keyname}.pem.pub"
+        verification_key = KEY_ALG.new File.read public_keyfile
+
+        f = File.open(file_to_verifiy, 'r')
+        while f.readline != "\n" do end
+        content = f.read
+
+        signature = Base64.decode64(file_sig)
+        digest = ARTIFACT_DIGEST.new
+        if verification_key.verify digest, signature, content
+          content_block.yield(content)
+        else
+          puts 'Artifact is invalid'
+        end
+      end
+    end
+  end
+end

data/lib/plugins/inspec-artifact/lib/inspec-artifact/cli.rb

@@ -0,0 +1,114 @@
+# encoding: utf-8
+require_relative 'base'
+
+#
+# Notes:
+#
+# Generate keys
+#   The initial implementation uses 2048 bit RSA key pairs (public + private).
+#   Public keys must be available for a customer to install and verify an artifact.
+#   Private keys should be stored in a secure location and NOT be distributed.
+#     (They're only for creating artifacts).
+#
+#
+# .IAF file format
+#   .iaf = "Inspec Artifact File", easy to rename if you'd like something more appropriate.
+#   The iaf file wraps a binary artifact with some metadata. The first implementation
+#   looks like this:
+#
+# INSPEC-PROFILE-1
+# name_of_signing_key
+# algorithm
+# signature
+# <empty line>
+# binary-blob
+# <eof>
+#
+# Let's look at each line:
+# INSPEC-PROFILE-1:
+#   This is the artifact version descriptor. It should't change unless the
+#   format of the archive changes.
+#
+# name_of_signing_key
+#   The name of the public key that can be used to verify an artifact
+#
+# algorithm
+#   The digest used to sign, I picked SHA512 to start with.
+#   If we support multiple digests, we'll need to have the verify() method
+#   support each digest.
+#
+# signature
+#   The result of passing the binary artifact through the digest algorithm above.
+#   Result is base64 encoded.
+#
+# <empty line>
+#   We use an empty line to separate artifact header from artifact body (binary blob).
+#   The artifact body can be anything you like.
+#
+# binary-blob
+#   A binary blob, most likely a .tar.gz or tar.xz file. We'll need to pick one and
+#   stick with it as part of the "INSPEC-PROFILE-1" artifact version. If we change block
+#   format, the artifact version descriptor must be incremented, and the sign()
+#   and verify() methods must be updated to support a newer version.
+#
+#
+# Key revocation
+#   This implementation doesn't support key revocation. However, a customer
+#   can remove the public cert file before installation, and artifacts will then
+#   fail verification.
+#
+# Key locations
+#   This implementation uses the current working directory to find public and
+#   private keys. We should establish a common key directory (similar to /hab/cache/keys
+#   or ~/.hab/cache/keys in Habitat).
+#
+# Extracting artifacts outside of Inspec
+#   As in Habitat, the artifact format for Inspec allows the use of common
+#   Unix tools to read the header and body of an artifact.
+# To extract the header from a .iaf:
+#        sed '/^$/q' foo.iaf
+# To extract the raw content from a .iaf:
+#        sed '1,/^$/d' foo.iaf
+
+module InspecPlugins
+  module Artifact
+    class CLI < Inspec.plugin(2, :cli_command)
+      subcommand_desc 'artifact SUBCOMMAND', 'Manage InSpec Artifacts'
+
+      desc 'generate', 'Generate a RSA key pair for signing and verification'
+      option :keyname, type: :string, required: true,
+        desc: 'Desriptive name of key'
+      option :keydir, type: :string, default: './',
+        desc: 'Directory to search for keys'
+      def generate_keys
+        puts 'Generating keys'
+        InspecPlugins::Artifact::Base.keygen(options)
+      end
+
+      desc 'sign-profile', 'Create a signed .iaf artifact'
+      option :profile, type: :string, required: true,
+        desc: 'Path to profile directory'
+      option :keyname, type: :string, required: true,
+        desc: 'Desriptive name of key'
+      def sign_profile
+        InspecPlugins::Artifact::Base.profile_sign(options)
+      end
+
+      desc 'verify-profile', 'Verify a signed .iaf artifact'
+      option :infile, type: :string, required: true,
+          desc: '.iaf file to verify'
+      def verify_profile
+        InspecPlugins::Artifact::Base.profile_verify(options)
+      end
+
+      desc 'install-profile', 'Verify and install a signed .iaf artifact'
+      option :infile, type: :string, required: true,
+          desc: '.iaf file to install'
+      option :destdir, type: :string, required: true,
+        desc: 'Installation directory'
+      def install_profile
+        InspecPlugins::Artifact::Base.profile_install(options)
+      end
+    end
+  end
+end

data/lib/plugins/inspec-artifact/lib/inspec-artifact.rb

@@ -0,0 +1,12 @@
+module InspecPlugins
+  module Artifact
+    class Plugin < Inspec.plugin(2)
+      plugin_name :'inspec-artifact'
+
+      cli_command :artifact do
+        require_relative 'inspec-artifact/cli'
+        InspecPlugins::Artifact::CLI
+      end
+    end
+  end
+end

data/lib/plugins/inspec-artifact/test/functional/inspec_artifact_test.rb

@@ -0,0 +1,46 @@
+# encoding: utf-8
+
+require_relative '../../../shared/core_plugin_test_helper.rb'
+require 'fileutils'
+require 'securerandom'
+
+class ArtifactCli < MiniTest::Test
+  include CorePluginFunctionalHelper
+
+  def test_generating_archive_keys
+    Dir.mktmpdir do |dir|
+      unique_key_name = SecureRandom.uuid()
+      out = run_inspec_process("artifact generate --keyname #{unique_key_name}", prefix: "cd #{dir} &&")
+      assert_equal 0, out.exit_status
+
+      stdout = out.stdout.force_encoding(Encoding::UTF_8)
+      assert_includes stdout, 'Generating private key'
+      assert_includes stdout, 'Generating public key'
+    end
+  end
+
+  def test_verify_and_install_signed_profile
+    Dir.mktmpdir do |dir|
+      unique_key_name = SecureRandom.uuid()
+      install_dir = File.join(dir, SecureRandom.uuid())
+      profile = File.join(dir, 'profile')
+      FileUtils.mkdir(install_dir)
+
+      # create profile
+      profile = File.join(dir, 'artifact-profile')
+      run_inspec_process("init profile artifact-profile", prefix: "cd #{dir} &&")
+
+      out = run_inspec_process("artifact generate --keyname #{unique_key_name}", prefix: "cd #{dir} &&")
+      assert_equal 0, out.exit_status
+
+      out = run_inspec_process("artifact sign-profile --profile #{profile} --keyname #{unique_key_name}", prefix: "cd #{dir} &&")
+      assert_equal 0, out.exit_status
+
+      out = run_inspec_process("artifact install-profile --infile artifact-profile-0.1.0.iaf --destdir #{install_dir}", prefix: "cd #{dir} &&")
+      assert_equal 0, out.exit_status
+
+      assert_includes out.stdout.force_encoding(Encoding::UTF_8), "Installing to #{install_dir}"
+      assert_includes Dir.entries(install_dir).join, 'inspec.yml'
+    end
+  end
+end