inspec-core 2.3.10 → 2.3.23

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8c5e7615776b52330a209b35ca344d1bdb85a04f78903152edd67fa94d81700e
-  data.tar.gz: e6042ee4e8ede90034c06762b2dd2ab6135d0eeeef505ffccc138b0df566f5f9
+  metadata.gz: 17c51957624df054318ca580aa5c5b8819779b6a8e908a8733d3ebaa8de324d4
+  data.tar.gz: 35923b58619c9ea189a3f41a10726c701bf149e3bbc85fe149c610625832725d
 SHA512:
-  metadata.gz: 22bf4eed15b0f3b8ab6eb0ff13b7901bbe468c956d0a9c7615fcbce1e20e4974b4af823744106ed77db6d6fd40d31ae143a707edb8a94ae1d6aaf40bd1acc707
-  data.tar.gz: 5ff797572d8637e1e1d7a6939e4c95d2b33bdc5e4577f0db0677c85a850d536d7d1677ba28e9112473ebe60ca01f7aa4d0a3d05821a090630667f42b2d687f89
+  metadata.gz: 39ba1aafa5dbf29b15577093145d5fc3a1385aefa588369d8e08c28af1750c8a5182cf86e093e705b177b28ee8d97dcc9905563f8c1ee5f3ecc128be8a26b6ce
+  data.tar.gz: 1b0f13cf9321e3ab9fcd692b41268422f2a9fd954510a853e2b27468453c67cae78ac4885e37f8d0819aac970b1d10560c2ca17d4d3950cd47d2c30e3aa7a71f

data/CHANGELOG.md

@@ -1,33 +1,54 @@
 # Change Log
 <!-- usage documentation: http://expeditor-docs.es.chef.io/configuration/changelog/ -->
-<!-- latest_release 2.3.10 -->
-## [v2.3.10](https://github.com/inspec/inspec/tree/v2.3.10) (2018-10-04)
+<!-- latest_release 2.3.23 -->
+## [v2.3.23](https://github.com/inspec/inspec/tree/v2.3.23) (2018-10-12)
 
-#### Enhancements
-- Move compliance to v2 plugin  [#3423](https://github.com/inspec/inspec/pull/3423) ([jquick](https://github.com/jquick))
+#### Merged Pull Requests
+- Fix plugin issues on omni builds [#3499](https://github.com/inspec/inspec/pull/3499) ([jquick](https://github.com/jquick))
 <!-- latest_release -->
 
-<!-- release_rollup since=2.3.5 -->
-### Changes since 2.3.5 release
+<!-- release_rollup since=2.3.10 -->
+### Changes since 2.3.10 release
+
+#### Enhancements
+- Plugins: Filter Plugins During Search and Install [#3458](https://github.com/inspec/inspec/pull/3458) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 2.3.20 -->
 
 #### Bug Fixes
-- Fix distinct_exit cli desc to reflect reality [#3463](https://github.com/inspec/inspec/pull/3463) ([teknofire](https://github.com/teknofire)) <!-- 2.3.8 -->
+- Backport compliance namespace and add testing for A2 audit report. [#3493](https://github.com/inspec/inspec/pull/3493) ([jquick](https://github.com/jquick)) <!-- 2.3.21 -->
+- Fix error on empty attributes yaml [#3485](https://github.com/inspec/inspec/pull/3485) ([jquick](https://github.com/jquick)) <!-- 2.3.19 -->
+- small fix - update to AlpinePkg Class  [#3483](https://github.com/inspec/inspec/pull/3483) ([aaronlippold](https://github.com/aaronlippold)) <!-- 2.3.16 -->
 
 #### Merged Pull Requests
-- Fix `attribute` with empty hash regression [#3454](https://github.com/inspec/inspec/pull/3454) ([jerryaldrichiii](https://github.com/jerryaldrichiii)) <!-- 2.3.7 -->
+- Fix plugin issues on omni builds [#3499](https://github.com/inspec/inspec/pull/3499) ([jquick](https://github.com/jquick)) <!-- 2.3.23 -->
+- Set a static node GUID for travis runs [#3497](https://github.com/inspec/inspec/pull/3497) ([jquick](https://github.com/jquick)) <!-- 2.3.22 -->
+- docs: Add version to multiple descriptions doc [#3477](https://github.com/inspec/inspec/pull/3477) ([jerryaldrichiii](https://github.com/jerryaldrichiii)) <!-- 2.3.18 -->
+- Skip running appveyor on docs and examples [#3474](https://github.com/inspec/inspec/pull/3474) ([btm](https://github.com/btm)) <!-- 2.3.17 -->
+- Remove &#39;demo&#39; from website. [#3475](https://github.com/inspec/inspec/pull/3475) ([miah](https://github.com/miah)) <!-- 2.3.15 -->
+- Enable compression for deb/rpm packages [#3472](https://github.com/inspec/inspec/pull/3472) ([tas50](https://github.com/tas50)) <!-- 2.3.14 -->
+- Fix Packages Resource Docs [#3469](https://github.com/inspec/inspec/pull/3469) ([pwelch](https://github.com/pwelch)) <!-- 2.3.13 -->
+- Exclude docs and examples from the gem [#3471](https://github.com/inspec/inspec/pull/3471) ([tas50](https://github.com/tas50)) <!-- 2.3.12 -->
+- Fix archive with required attributes [#3468](https://github.com/inspec/inspec/pull/3468) ([jquick](https://github.com/jquick)) <!-- 2.3.11 -->
+<!-- release_rollup -->
+
+<!-- latest_stable_release -->
+## [v2.3.10](https://github.com/inspec/inspec/tree/v2.3.10) (2018-10-04)
 
 #### Enhancements
-- Move compliance to v2 plugin  [#3423](https://github.com/inspec/inspec/pull/3423) ([jquick](https://github.com/jquick)) <!-- 2.3.10 -->
-- Support finding larger processes on Busybox [#3446](https://github.com/inspec/inspec/pull/3446) ([RoboticCheese](https://github.com/RoboticCheese)) <!-- 2.3.9 -->
-- Modify `cmp` matcher output to use `.inspect` [#3450](https://github.com/inspec/inspec/pull/3450) ([jerryaldrichiii](https://github.com/jerryaldrichiii)) <!-- 2.3.6 -->
-<!-- release_rollup -->
+- Modify `cmp` matcher output to use `.inspect` [#3450](https://github.com/inspec/inspec/pull/3450) ([jerryaldrichiii](https://github.com/jerryaldrichiii))
+- Support finding larger processes on Busybox [#3446](https://github.com/inspec/inspec/pull/3446) ([RoboticCheese](https://github.com/RoboticCheese))
+- Move compliance to v2 plugin  [#3423](https://github.com/inspec/inspec/pull/3423) ([jquick](https://github.com/jquick))
+
+#### Bug Fixes
+- Fix distinct_exit cli desc to reflect reality [#3463](https://github.com/inspec/inspec/pull/3463) ([teknofire](https://github.com/teknofire))
 
+#### Merged Pull Requests
+- Fix `attribute` with empty hash regression [#3454](https://github.com/inspec/inspec/pull/3454) ([jerryaldrichiii](https://github.com/jerryaldrichiii))
 <!-- latest_stable_release -->
+
 ## [v2.3.5](https://github.com/inspec/inspec/tree/v2.3.5) (2018-10-01)
 
 #### Bug Fixes
 - Update plugin gem install code [#3453](https://github.com/inspec/inspec/pull/3453) ([jquick](https://github.com/jquick))
-<!-- latest_stable_release -->
 
 ## [v2.3.4](https://github.com/inspec/inspec/tree/v2.3.4) (2018-09-28)
 

data/etc/plugin_filters.json

@@ -0,0 +1,25 @@
+{
+  "file_version": "1.0.0",
+  "exclude": [
+    {
+      "plugin_name": "inspec-core",
+      "rationale": "This gem is a stripped-down alternate packaging of InSpec. It is not a plugin."
+    },
+    {
+      "plugin_name": "inspec-multi-server",
+      "rationale": "This gem is a script that attempts to drive a parallel execution of InSpec by wrapping and forking. It is not a plugin."
+    },
+    {
+      "plugin_name": "train-tax-calculator",
+      "rationale": "This gem is a tax calculation tool for the Philippines. It has nothing to do the Chef Train remote execution framework, or the InSpec project."
+    },
+    {
+      "plugin_name": "inspec-plugin-example",
+      "rationale": "This gem is an early self-taught example of a v1 plugin. Please use inspec-resource-lister as an example for PluginV2 development."
+    },
+    {
+      "plugin_name": "train-core",
+      "rationale": "This gem is a stripped-down alternate packaging of Train. It is not a plugin."
+    }
+  ]
+}

data/inspec-core.gemspec

@@ -14,7 +14,7 @@ Gem::Specification.new do |spec|
 
   spec.files = %w{README.md MAINTAINERS.toml MAINTAINERS.md LICENSE
                   inspec-core.gemspec Gemfile CHANGELOG.md} +
-               Dir.glob('{bin,docs,examples,lib}/**/*', File::FNM_DOTMATCH)
+               Dir.glob('{bin,lib,etc}/**/*', File::FNM_DOTMATCH)
                   .reject { |f| File.directory?(f) || f =~ /aws|azure|gcp/ }
 
   spec.executables   = %w{inspec}

data/lib/bundles/inspec-compliance/api.rb

@@ -2,3 +2,6 @@
 # TODO: Remove in inspec 4.0
 
 require 'plugins/inspec-compliance/lib/inspec-compliance/api'
+
+# Backport old namespace
+Compliance = InspecPlugins::Compliance unless defined?(Compliance)

data/lib/bundles/inspec-compliance/configuration.rb

@@ -2,3 +2,6 @@
 # TODO: Remove in inspec 4.0
 
 require 'plugins/inspec-compliance/lib/inspec-compliance/configuration'
+
+# Backport old namespace
+Compliance = InspecPlugins::Compliance unless defined?(Compliance)

data/lib/bundles/inspec-compliance/http.rb

@@ -2,3 +2,6 @@
 # TODO: Remove in inspec 4.0
 
 require 'plugins/inspec-compliance/lib/inspec-compliance/http'
+
+# Backport old namespace
+Compliance = InspecPlugins::Compliance unless defined?(Compliance)

data/lib/bundles/inspec-compliance/support.rb

@@ -2,3 +2,6 @@
 # TODO: Remove in inspec 4.0
 
 require 'plugins/inspec-compliance/lib/inspec-compliance/support'
+
+# Backport old namespace
+Compliance = InspecPlugins::Compliance unless defined?(Compliance)

data/lib/bundles/inspec-compliance/target.rb

@@ -2,3 +2,6 @@
 # TODO: Remove in inspec 4.0
 
 require 'plugins/inspec-compliance/lib/inspec-compliance/target'
+
+# Backport old namespace
+Compliance = InspecPlugins::Compliance unless defined?(Compliance)

data/lib/inspec/objects/attribute.rb

@@ -89,6 +89,9 @@ module Inspec
     private
 
     def validate_required(value)
+      # skip if we are not doing an exec call (archive/vendor/check)
+      return unless Inspec::BaseCLI.inspec_cli_command == :exec
+
       # value will be set already if a secrets file was passed in
       if (!@opts.key?(:default) && value.nil?) || (@opts[:default].nil? && value.nil?)
         error = Inspec::Attribute::RequiredError.new

data/lib/inspec/plugin/v2.rb

@@ -11,6 +11,9 @@ module Inspec
         attr_accessor :version
       end
       class InstallError < Inspec::Plugin::V2::GemActionError; end
+      class PluginExcludedError < Inspec::Plugin::V2::InstallError
+        attr_accessor :details
+      end
       class UpdateError < Inspec::Plugin::V2::GemActionError
         attr_accessor :from_version, :to_version
       end

data/lib/inspec/plugin/v2/filter.rb

@@ -0,0 +1,62 @@
+require 'singleton'
+require 'json'
+require 'inspec/globals'
+
+module Inspec::Plugin::V2
+  Exclusion = Struct.new(:plugin_name, :rationale)
+
+  class PluginFilter
+    include Singleton
+    def initialize
+      read_filter_data
+    end
+
+    def self.exclude?(plugin_name)
+      instance.exclude?(plugin_name)
+    end
+
+    def exclude?(plugin_name)
+      # Currently, logic is very simple: is there an exact match?
+      # In the future, we might add regexes on names, or exclude version ranges
+      return false unless @filter_data[:exclude].detect { |e| e.plugin_name == plugin_name }
+
+      # OK, return entire data structure.
+      @filter_data[:exclude].detect { |e| e.plugin_name == plugin_name }
+    end
+
+    private
+
+    def read_filter_data
+      path = File.join(Inspec.src_root, 'etc', 'plugin_filters.json')
+      @filter_data = JSON.parse(File.read(path))
+
+      unless @filter_data['file_version'] == '1.0.0'
+        raise Inspec::Plugin::V2::ConfigError, "Unknown plugin fillter file format at #{path}"
+      end
+
+      validate_plugin_filter_file('1.0.0')
+
+      @filter_data[:exclude] = @filter_data['exclude'].map do |entry|
+        Exclusion.new(entry['plugin_name'], entry['rationale'])
+      end
+      @filter_data.delete('exclude')
+    end
+
+    def validate_plugin_filter_file(_file_version)
+      unless @filter_data.key?('exclude') && @filter_data['exclude'].is_a?(Array)
+        raise Inspec::Plugin::V2::ConfigError, 'Unknown plugin fillter file format: expected "exclude" to be an array'
+      end
+      @filter_data['exclude'].each_with_index do |entry, idx|
+        unless entry.is_a? Hash
+          raise Inspec::Plugin::V2::ConfigError, "Unknown plugin fillter file format: expected entry #{idx} to be a Hash / JS Object"
+        end
+        unless entry.key?('plugin_name')
+          raise Inspec::Plugin::V2::ConfigError, "Unknown plugin fillter file format: expected entry #{idx} to have a \"plugin_name\" field"
+        end
+        unless entry.key?('rationale')
+          raise Inspec::Plugin::V2::ConfigError, "Unknown plugin fillter file format: expected entry #{idx} to have a \"rationale\" field"
+        end
+      end
+    end
+  end
+end

data/lib/inspec/plugin/v2/installer.rb

@@ -9,6 +9,8 @@ require 'rubygems/package'
 require 'rubygems/name_tuple'
 require 'rubygems/uninstaller'
 
+require 'inspec/plugin/v2/filter'
+
 module Inspec::Plugin::V2
   # Handles all actions modifying the user's plugin set:
   # * Modifying the plugins.json file
@@ -127,7 +129,7 @@ module Inspec::Plugin::V2
       else
         regex = Regexp.new('^' + plugin_query + '.*')
         matched_tuples = fetcher.detect(opts[:scope]) do |tuple|
-          tuple.name != 'inspec-core' && tuple.name =~ regex
+          tuple.name =~ regex && !Inspec::Plugin::V2::PluginFilter.exclude?(tuple.name)
         end
       end
 
@@ -193,6 +195,13 @@ module Inspec::Plugin::V2
           raise InstallError, "#{plugin_name} is already installed. Use 'inspec plugin update' to change version."
         end
       end
+
+      reason = Inspec::Plugin::V2::PluginFilter.exclude?(plugin_name)
+      if reason
+        ex = PluginExcludedError.new("Refusing to install #{plugin_name}.  It is on the Plugin Exclusion List.  Rationale: #{reason.rationale}")
+        ex.details = reason
+        raise ex
+      end
     end
     # rubocop: enable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity, Metrics/AbcSize
 
@@ -386,10 +395,21 @@ module Inspec::Plugin::V2
     class InstalledVendorSet < Gem::Resolver::VendorSet
       def initialize
         super
+
         Gem::Specification.find_all do |spec|
           @specs[spec.name] = spec
           @directories[spec] = spec.gem_dir
         end
+
+        if !defined?(::Bundler)
+          directories = Gem::Specification.dirs.find_all do |path|
+            !path.start_with?(Gem.user_dir)
+          end
+          Gem::Specification.each_spec(directories) do |spec|
+            @specs[spec.name] = spec
+            @directories[spec] = spec.gem_dir
+          end
+        end
       end
     end
 

data/lib/inspec/plugin/v2/loader.rb

@@ -31,6 +31,10 @@ module Inspec::Plugin::V2
     end
 
     def load_all
+      # This fixes the gem paths on some bundles
+      Gem.path << plugin_gem_path
+      Gem.refresh
+
       # Be careful not to actually iterate directly over the registry here;
       # we want to allow "sidecar loading", in which case a plugin may add an entry to the registry.
       registry.plugin_names.dup.each do |plugin_name|

data/lib/inspec/profile.rb

@@ -126,12 +126,14 @@ module Inspec
     end
 
     def register_metadata_attributes
-      if metadata.params.key?(:attributes)
+      if metadata.params.key?(:attributes) && metadata.params[:attributes].is_a?(Array)
         metadata.params[:attributes].each do |attribute|
           attr_dup = attribute.dup
           name = attr_dup.delete(:name)
           @runner_context.register_attribute(name, attr_dup)
         end
+      elsif metadata.params.key?(:attributes)
+        Inspec::Log.warn 'Attributes must be defined as an Array. Skipping current definition.'
       end
     end
 

data/lib/inspec/version.rb

@@ -4,5 +4,5 @@
 # author: Christoph Hartmann
 
 module Inspec
-  VERSION = '2.3.10'
+  VERSION = '2.3.23'
 end

data/lib/plugins/inspec-plugin-manager-cli/lib/inspec-plugin-manager-cli/cli_command.rb

@@ -1,5 +1,6 @@
 require 'term/ansicolor'
 require 'pathname'
+require 'inspec/plugin/v2'
 require 'inspec/plugin/v2/installer'
 
 module InspecPlugins
@@ -35,16 +36,30 @@ module InspecPlugins
       #                        inspec plugin search
       #==================================================================#
 
-      desc 'search [options] PATTERN', 'Searches rubygems.org for InSpec plugins. Exits 0 on a search hit, exits 2 on a search miss.'
+      desc 'search [options] PATTERN', 'Searches rubygems.org for plugins.'
+      long_desc <<~EOLD
+        Searches rubygems.org for InSpec plugins. Exits 0 on a search hit, 1 on user error,
+        2 on a search miss. PATTERN is a simple string; a wildcard will be added as
+        a suffix, unless -e is used.
+      EOLD
       option :all, desc: 'List all available versions, not just the latest one.', type: :boolean, aliases: [:a]
       option :exact, desc: 'Assume PATTERN is exact; do not add a wildcard to the end', type: :boolean, aliases: [:e]
+      option :'include-test-fixture', type: :boolean, desc: 'Internal use', hide: true
       # Justification for disabling ABC: currently at 33.51/33
       def search(search_term) # rubocop: disable Metrics/AbcSize
         search_results = installer.search(search_term, exact: options[:exact])
+        # The search results have already been filtered by the reject list.  But the
+        # RejectList doesn't filter {inspec, train}-test-fixture because we need those
+        # for testing.  We want to hide those from users, so unless we know we're in
+        # test mode, remove them.
+        unless options[:'include-test-fixture']
+          search_results.delete('inspec-test-fixture')
+          search_results.delete('train-test-fixture')
+        end
 
         # TODO: ui object support
         puts
-        puts(bold { format(' %-30s%-50s%', 'Plugin Name', 'Versions Available') })
+        puts(bold { format(' %-30s%-50s', 'Plugin Name', 'Versions Available') })
         puts '-' * 55
         search_results.keys.sort.each do |plugin_name|
           versions = options[:all] ? search_results[plugin_name] : [search_results[plugin_name].first]
@@ -342,8 +357,15 @@ module InspecPlugins
         exit 2
       end
 
-      def install_attempt_install(plugin_name)
+      # Rationale for RuboCop variance: This is a one-line method with heavy UX-focused error handling.
+      def install_attempt_install(plugin_name) # rubocop: disable Metrics/AbcSize
         installer.install(plugin_name, version: options[:version])
+      rescue Inspec::Plugin::V2::PluginExcludedError => ex
+        puts(red { 'Plugin on Exclusion List' } + " - #{plugin_name} is listed as an incompatible gem - refusing to install.")
+        puts "Rationale: #{ex.details.rationale}"
+        puts 'Exclusion list location: ' + File.join(Inspec.src_root, 'etc', 'plugin_filters.json')
+        puts 'If you disagree with this determination, please accept our apologies for the misunderstanding, and open an issue at https://github.com/inspec/inspec/issues/new'
+        exit 2
       rescue Inspec::Plugin::V2::InstallError
         results = installer.search(plugin_name, exact: true)
         if results.empty?

data/lib/plugins/inspec-plugin-manager-cli/test/functional/inspec-plugin_test.rb

@@ -143,8 +143,14 @@ class PluginManagerCliSearch < MiniTest::Test
   include CorePluginFunctionalHelper
   include PluginManagerHelpers
 
+  # TODO: Thor can't hide options, but we wish it could.
+  # def test_search_include_fixture_hidden_option
+  #   result = run_inspec_process_with_this_plugin('plugin help search')
+  #   refute_includes result.stdout, '--include-test-fixture'
+  # end
+
   def test_search_for_a_real_gem_with_full_name_no_options
-    result = run_inspec_process('plugin search inspec-test-fixture')
+    result = run_inspec_process('plugin search --include-test-fixture inspec-test-fixture')
     assert_equal 0, result.exit_status, 'Search should exit 0 on a hit'
     assert_includes result.stdout, 'inspec-test-fixture', 'Search result should contain the gem name'
     assert_includes result.stdout, '1 plugin(s) found', 'Search result should find 1 plugin'
@@ -153,7 +159,7 @@ class PluginManagerCliSearch < MiniTest::Test
   end
 
   def test_search_for_a_real_gem_with_stub_name_no_options
-    result = run_inspec_process('plugin search inspec-test-')
+    result = run_inspec_process('plugin search --include-test-fixture inspec-test-')
     assert_equal 0, result.exit_status, 'Search should exit 0 on a hit'
     assert_includes result.stdout, 'inspec-test-fixture', 'Search result should contain the gem name'
     assert_includes result.stdout, '1 plugin(s) found', 'Search result should find 1 plugin'
@@ -163,26 +169,26 @@ class PluginManagerCliSearch < MiniTest::Test
   end
 
   def test_search_for_a_real_gem_with_full_name_and_exact_option
-    result = run_inspec_process('plugin search --exact inspec-test-fixture')
+    result = run_inspec_process('plugin search --exact --include-test-fixture inspec-test-fixture')
     assert_equal 0, result.exit_status, 'Search should exit 0 on a hit'
     assert_includes result.stdout, 'inspec-test-fixture', 'Search result should contain the gem name'
     assert_includes result.stdout, '1 plugin(s) found', 'Search result should find 1 plugin'
 
-    result = run_inspec_process('plugin search -e inspec-test-fixture')
+    result = run_inspec_process('plugin search -e --include-test-fixture inspec-test-fixture')
     assert_equal 0, result.exit_status, 'Search should exit 0 on a hit'
   end
 
   def test_search_for_a_real_gem_with_stub_name_and_exact_option
-    result = run_inspec_process('plugin search --exact inspec-test-')
+    result = run_inspec_process('plugin search --exact --include-test-fixture inspec-test-')
     assert_equal 2, result.exit_status, 'Search should exit 2 on a miss'
     assert_includes result.stdout, '0 plugin(s) found', 'Search result should find 0 plugins'
 
-    result = run_inspec_process('plugin search -e inspec-test-')
+    result = run_inspec_process('plugin search -e --include-test-fixture inspec-test-')
     assert_equal 2, result.exit_status, 'Search should exit 2 on a miss'
   end
 
   def test_search_for_a_real_gem_with_full_name_and_all_option
-    result = run_inspec_process('plugin search --all inspec-test-fixture')
+    result = run_inspec_process('plugin search --all --include-test-fixture inspec-test-fixture')
     assert_equal 0, result.exit_status, 'Search should exit 0 on a hit'
     assert_includes result.stdout, 'inspec-test-fixture', 'Search result should contain the gem name'
     assert_includes result.stdout, '1 plugin(s) found', 'Search result should find 1 plugin'
@@ -190,24 +196,24 @@ class PluginManagerCliSearch < MiniTest::Test
     line = result.stdout.split("\n").grep(/inspec-test-fixture/).first
     assert_match(/\s*inspec-test-fixture\s+\((\d+\.\d+\.\d+(,\s)?){2,}\)/,line,'Plugin line should include name and at least two versions')
 
-    result = run_inspec_process('plugin search -a inspec-test-fixture')
+    result = run_inspec_process('plugin search -a --include-test-fixture inspec-test-fixture')
     assert_equal 0, result.exit_status, 'Search should exit 0 on a hit'
   end
 
   def test_search_for_a_gem_with_missing_prefix
-    result = run_inspec_process('plugin search test-fixture')
+    result = run_inspec_process('plugin search --include-test-fixture test-fixture')
     assert_equal 1, result.exit_status, 'Search should exit 1 on user error'
     assert_includes result.stdout, "All inspec plugins must begin with either 'inspec-' or 'train-'"
   end
 
   def test_search_for_a_gem_that_does_not_exist
-    result = run_inspec_process('plugin search inspec-test-fixture-nonesuch')
+    result = run_inspec_process('plugin search --include-test-fixture inspec-test-fixture-nonesuch')
     assert_equal 2, result.exit_status, 'Search should exit 2 on a miss'
     assert_includes result.stdout, '0 plugin(s) found', 'Search result should find 0 plugins'
   end
 
   def test_search_for_a_real_gem_with_full_name_no_options_and_train_name
-    result = run_inspec_process('plugin search train-test-fixture')
+    result = run_inspec_process('plugin search --include-test-fixture train-test-fixture')
     assert_equal 0, result.exit_status, 'Search should exit 0 on a hit'
     assert_includes result.stdout, 'train-test-fixture', 'Search result should contain the gem name'
     assert_includes result.stdout, '1 plugin(s) found', 'Search result should find 1 plugin'
@@ -215,6 +221,28 @@ class PluginManagerCliSearch < MiniTest::Test
     assert_match(/\s*train-test-fixture\s+\((\d+\.\d+\.\d+){1}\)/,line,'Plugin line should include name and exactly one version')
   end
 
+  def test_search_omit_excluded_inspec_plugins
+    result = run_inspec_process('plugin search --include-test-fixture inspec-')
+    assert_equal 0, result.exit_status, 'Search should exit 0'
+    assert_includes result.stdout, 'inspec-test-fixture', 'Search result should contain the test gem'
+    [
+      'inspec-core',
+      'inspec-multi-server',
+    ].each do |plugin_name|
+      refute_includes result.stdout, plugin_name, 'Search result should not contain excluded gems'
+    end
+  end
+  def test_search_for_a_real_gem_with_full_name_no_options_filter_fixtures
+    result = run_inspec_process('plugin search inspec-test-fixture')
+    refute_includes result.stdout, 'inspec-test-fixture', 'Search result should not contain the fixture gem name'
+  end
+
+  def test_search_for_a_real_gem_with_full_name_no_options_filter_fixtures_train
+    result = run_inspec_process('plugin search train-test-fixture')
+    refute_includes result.stdout, 'train-test-fixture', 'Search result should not contain the fixture gem name'
+  end
+
+
 end
 
 #-----------------------------------------------------------------------------------------#
@@ -513,6 +541,32 @@ class PluginManagerCliInstall < MiniTest::Test
     refute_nil itf_line, 'train-test-fixture should now appear in the output of inspec list'
     assert_match(/\s*train-test-fixture\s+0.1.0\s+gem\s+/, itf_line, 'list output should show that it is a gem installation with version')
   end
+
+  def test_refuse_install_when_plugin_on_exclusion_list
+
+    # Here, 'inspec-core', 'inspec-multi-server', and 'train-tax-collector'
+    # are the names of real rubygems.  They are not InSpec/Train plugins, though,
+    # and installing them would be a jam-up.
+    # This is configured in 'etc/plugin-filter.json'.
+    [
+      'inspec-core',
+      'inspec-multi-server',
+      'train-tax-calculator',
+    ].each do |plugin_name|
+      install_result = run_inspec_process_with_this_plugin("plugin install #{plugin_name}")
+      assert_empty install_result.stderr
+      assert_equal 2, install_result.exit_status, 'Exit status should be 2'
+
+      refusal_message = install_result.stdout
+      refute_nil refusal_message, 'Should find a failure message at the end'
+      assert_includes refusal_message, plugin_name
+      assert_includes refusal_message, 'Plugin on Exclusion List'
+      assert_includes refusal_message, 'refusing to install'
+      assert_includes refusal_message, 'Rationale:'
+      assert_includes refusal_message, 'etc/plugin_filters.json'
+      assert_includes refusal_message, 'github.com/inspec/inspec/issues/new'
+    end
+  end
 end