inspec-core 4.1.4.preview → 4.2.0.preview

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 4153e41e5d8fddfb696a73688b7d92b299aed682
-  data.tar.gz: 9a9c379e82e175edacc705e63b299e091be4df1b
+  metadata.gz: 3cbd02d922c9f1c6cbe5d81b74598ac88ca10676
+  data.tar.gz: 31b971b6c1c65154a2952d4eb27ab6b1edb765ae
 SHA512:
-  metadata.gz: abbbc79378e7f76da10089bea0030fe19c0ad470eba604caaa5ad909ceb8977919f9849346e558f3dceb213d290d2317ec12a282936100cb2152f412f034aac2
-  data.tar.gz: 806520071a450b2a8c4fe097dbc580d3de4b6beed0b09f95f3ae3e4af2948ec653456ff59bdc815396149391b0a82d496f3abdaf608af1653ccd1ed82544009d
+  metadata.gz: 91dc0c86668e00121588268d2828521a73e315efa0480919b09d3ee7e82e2dd4a9d93e88204a47e960c96e31ed425ff32e3131a60f94590053c417c3da0a2344
+  data.tar.gz: 45628e2783b3ba28495fa7efe504956c21a9462355a77ef87aa164e9738858b186f187c6c27f18629083b66a5c02cf77835e9fde5cb7c200d8dc6aa8e997152f

data/etc/deprecations.json

@@ -3,12 +3,12 @@
   "unknown_group_action": "ignore",
   "groups": {
     "attrs_value_replaces_default": {
-      "action": "ignore",
+      "action": "warn",
       "prefix": "The 'default' option for attributes is being replaced by 'value' - please use it instead."
     },
     "aws_resources_in_resource_pack": {
       "comment": "See #3822",
-      "action": "ignore",
+      "action": "warn",
       "prefix": "AWS resources shipped with core InSpec are being to moved to a resource pack for faster iteration. Please update your profiles to depend on git@github.com:inspec/inspec-aws.git ."
     },
     "cli_option_json_config": {
@@ -17,11 +17,11 @@
       "comment": "See #3661"
     },
     "file_resource_be_mounted_matchers": {
-      "action": "warn",
+      "action": "fail_control",
       "suffix": "This will not be supported in InSpec 4.0."
     },
     "host_resource_proto_usage": {
-      "action": "warn",
+      "action": "fail_control",
       "suffix": "This will not be supported in InSpec 4.0."
     },
     "inspec_ui_methods": {
@@ -30,67 +30,67 @@
       "comment": "See #3715"
     },
     "mssql_session_pass_option": {
-      "action": "warn",
+      "action": "exit",
       "suffix": "This will not be supported in InSpec 4.0."
     },
     "oracledb_session_pass_option": {
-      "action": "warn",
-      "suffix": "This will not be supported in InSpec 4.0."
+      "action": "exit",
+      "suffix": "This is not supported in InSpec 4.0."
     },
     "property_filesystem_size": {
-      "action": "ignore",
+      "action": "warn",
       "comment": "See #3778"
     },
     "property_processes_list": {
-      "action": "warn",
-      "suffix": "This property will be removed in InSpec 4.0."
+      "action": "fail_control",
+      "suffix": "This property was removed in InSpec 4.0."
     },
     "properties_aws_iam_user": {
-      "action": "warn",
-      "suffix": "This property will be removed in InSpec 4.0."
+      "action": "fail_control",
+      "suffix": "This property was removed in InSpec 4.0."
     },
     "properties_shadow": {
-      "action": "warn",
-      "suffix": "This property will be removed in InSpec 4.0."
+      "action": "fail_control",
+      "suffix": "This property was removed in InSpec 4.0."
     },
     "rename_attributes_to_inputs": {
-      "action": "ignore",
+      "action": "warn",
       "prefix": "InSpec Attributes are being renamed to InSpec Inputs to avoid confusion with Chef Attributes.",
       "comment": "See #3802"
     },
     "resource_apache": {
-      "action": "warn",
-      "suffix": "This resource will be removed in InSpec 4.0."
+      "action": "exit",
+      "suffix": "This resource was removed in InSpec 4.0."
     },
     "resource_azure_generic_resource": {
       "action": "warn",
       "prefix": "The azure_generic_resource is deprecated. Please use a specific resource. See: 'https://github.com/inspec/inspec/issues/3131'"
     },
     "resource_iis_website": {
-      "action": "warn",
-      "suffix": "This resource will be removed in InSpec 4.0.",
+      "action": "exit",
+      "suffix": "This resource was removed in InSpec 4.0.",
       "comment": "Needed for ServerSpec compatibility"
     },
     "resource_linux_kernel_parameter": {
-      "action": "warn",
-      "suffix": "This resource will be removed in InSpec 4.0.",
+      "action": "exit",
+      "suffix": "This resource was removed in InSpec 4.0.",
       "comment": "Needed for ServerSpec compatibility"
     },
     "resource_ppa": {
-      "action": "warn",
-      "suffix": "This resource will be removed in InSpec 4.0.",
+      "action": "exit",
+      "suffix": "This resource was removed in InSpec 4.0.",
       "comment": "Needed for ServerSpec compatibility"
     },
     "resource_script": {
-      "action": "warn",
+      "action": "exit",
       "suffix": "This resource will be removed in InSpec 4.0"
     },
     "resource_user_serverspec_compat": {
-      "action": "warn"
+      "action": "fail_control"
     },
     "resource_windows_registry_key": {
-      "action": "warn",
-      "suffix": "This resource will be removed in InSpec 4.0.",
+      "action": "exit",
+      "suffix": "This resource was removed in InSpec 4.0.",
       "comment": "Needed for ServerSpec compatibility"
     },
     "serverspec_compatibility": {
@@ -101,11 +101,11 @@
       "action": "warn"
     },
     "mount_parser_serverspec_compat": {
-      "action": "warn"
+      "action": "fail_control"
     },
     "wmi_non_hash_usage": {
-      "action": "warn",
-      "suffix": "This property will be removed in InSpec 4.0."
+      "action": "fail_control",
+      "suffix": "This property was removed in InSpec 4.0."
     }
   }
 }

data/lib/inspec/cli.rb

@@ -392,7 +392,11 @@ require 'license_acceptance/acceptor'
 begin
   if (commands_exempt_from_license_check & ARGV.map(&:downcase)).empty? &&  # Did they use a non-exempt command?
      !ARGV.empty?                                                           # Did they supply at least one command?
-    LicenseAcceptance::Acceptor.check_and_persist('inspec', Inspec::VERSION)
+    LicenseAcceptance::Acceptor.check_and_persist(
+      'inspec',
+      Inspec::VERSION,
+      logger: Inspec::Log,
+    )
   end
 rescue LicenseAcceptance::LicenseNotAcceptedError
   Inspec::Log.error 'InSpec cannot execute without accepting the license'

data/lib/inspec/control_eval_context.rb

@@ -26,8 +26,23 @@ module Inspec
         with_resource_dsl resources_dsl
 
         # allow attributes to be accessed within control blocks
-        define_method :attribute do |name|
-          Inspec::InputRegistry.find_input(name, profile_id).value
+        # TODO: deprecate name, use input()
+        define_method :attribute do |input_name, options = {}|
+          if options.empty?
+            # Simply an access, no event here
+            Inspec::InputRegistry.find_or_register_input(input_name, profile_id).value
+          else
+            options[:priority] = 20
+            options[:provider] = :inline_control_code
+            evt = Inspec::Input.infer_event(options)
+            Inspec::InputRegistry.find_or_register_input(input_name, profile_name, event: evt).value
+          end
+        end
+
+        # Find the Input object, but don't collapse to a value.
+        # Will return nil on a miss.
+        define_method :input_object do |input_name|
+          Inspec::InputRegistry.find_or_register_input(input_name, profile_id)
         end
 
         # Support for Control DSL plugins.
@@ -168,14 +183,25 @@ module Inspec
         end
 
         # method for inputs; import input handling
-        define_method :attribute do |name, options = nil|
-          if options.nil?
-            Inspec::InputRegistry.find_input(name, profile_id).value
+        # TODO: deprecate name, use input()
+        define_method :attribute do |input_name, options = {}|
+          if options.empty?
+            # Simply an access, no event here
+            Inspec::InputRegistry.find_or_register_input(input_name, profile_id).value
           else
-            profile_context_owner.register_input(name, options)
+            options[:priority] = 20
+            options[:provider] = :inline_control_code
+            evt = Inspec::Input.infer_event(options)
+            Inspec::InputRegistry.find_or_register_input(input_name, profile_name, event: evt).value
           end
         end
 
+        # Find the Input object, but don't collapse to a value.
+        # Will return nil on a miss.
+        define_method :input_object do |input_name|
+          Inspec::InputRegistry.find_or_register_input(input_name, profile_id)
+        end
+
         define_method :skip_control do |id|
           profile_context_owner.unregister_rule(id)
         end

data/lib/inspec/dependencies/requirement.rb

@@ -118,6 +118,7 @@ module Inspec
       return @profile unless @profile.nil?
       opts = @opts.dup
       opts[:backend] = @backend
+      opts[:runner_conf] = Inspec::Config.cached
       if !@dependencies.nil? && !@dependencies.empty?
         opts[:dependencies] = Inspec::DependencySet.from_array(@dependencies, @cwd, @cache, @backend)
       end

data/lib/inspec/dependencies/resolver.rb

@@ -23,6 +23,7 @@ module Inspec
   # implementation of the fetcher being used.
   #
   class Resolver
+    # Here deps is an Array of Hashes
     def self.resolve(dependencies, cache, working_dir, backend)
       reqs = dependencies.map do |dep|
         req = Inspec::Requirement.from_metadata(dep, cache, cwd: working_dir, backend: backend)
@@ -47,6 +48,7 @@ module Inspec
       end
     end
 
+    # Here deps is an Array of Inspec::Requirement
     def resolve(deps, top_level = true, seen_items = {}, path_string = '') # rubocop:disable Metrics/AbcSize
       graph = {}
       if top_level

data/lib/inspec/dsl.rb

@@ -79,7 +79,7 @@ module Inspec::DSL
 
   def self.filter_included_controls(context, profile, &block)
     mock = Inspec::Backend.create(Inspec::Config.mock)
-    include_ctx = Inspec::ProfileContext.for_profile(profile, mock, {})
+    include_ctx = Inspec::ProfileContext.for_profile(profile, mock)
     include_ctx.load(block) if block_given?
     # remove all rules that were not registered
     context.all_rules.each do |r|

data/lib/inspec/impact.rb

@@ -4,7 +4,7 @@
 module Inspec::Impact
   IMPACT_SCORES = {
     'none'     => 0.0,
-    'low'      => 0.01,
+    'low'      => 0.1,
     'medium'   => 0.4,
     'high'     => 0.7,
     'critical' => 0.9,

data/lib/inspec/input_registry.rb

@@ -1,83 +1,224 @@
 require 'forwardable'
 require 'singleton'
 require 'inspec/objects/input'
+require 'inspec/secrets'
+require 'inspec/exceptions'
 
 module Inspec
+  # The InputRegistry's responsibilities include:
+  #   - maintaining a list of Input objects that are bound to profiles
+  #   - assisting in the lookup and creation of Inputs
   class InputRegistry
     include Singleton
     extend Forwardable
 
-    attr_reader :list
-    def_delegator :list, :each
-    def_delegator :list, :[]
-    def_delegator :list, :key?, :profile_exist?
-    def_delegator :list, :select
+    attr_reader :inputs_by_profile, :profile_aliases
+    def_delegator :inputs_by_profile, :each
+    def_delegator :inputs_by_profile, :[]
+    def_delegator :inputs_by_profile, :key?, :profile_known?
+    def_delegator :inputs_by_profile, :select
+    def_delegator :profile_aliases, :key?, :profile_alias?
 
-    # These self methods are convenience methods so you dont always
-    # have to specify instance when calling the registry
-    def self.find_input(name, profile)
-      instance.find_input(name, profile)
-    end
+    def initialize
+      # Keyed on String profile_name => Hash of String input_name => Input object
+      @inputs_by_profile = {}
 
-    def self.register_input(name, profile, options = {})
-      instance.register_input(name, profile, options)
+      # this is a list of optional profile name overrides set in the inspec.yml
+      @profile_aliases = {}
     end
 
-    def self.register_profile_alias(name, alias_name)
-      instance.register_profile_alias(name, alias_name)
+    #-------------------------------------------------------------#
+    #                 Support for Profiles
+    #-------------------------------------------------------------#
+
+    def register_profile_alias(name, alias_name)
+      @profile_aliases[name] = alias_name
     end
 
-    def self.list_inputs_for_profile(profile)
-      instance.list_inputs_for_profile(profile)
+    def list_inputs_for_profile(profile)
+      inputs_by_profile[profile] = {} unless profile_known?(profile)
+      inputs_by_profile[profile]
     end
 
-    def initialize
-      # this is a collection of profiles which have a value of input objects
-      @list = {}
+    #-------------------------------------------------------------#
+    #              Support for Individual Inputs
+    #-------------------------------------------------------------#
 
-      # this is a list of optional profile name overrides set in the inspec.yml
-      @profile_aliases = {}
+    def find_or_register_input(input_name, profile_name, options = {})
+      if profile_alias?(profile_name)
+        alias_name = profile_name
+        profile_name = profile_aliases[profile_name]
+        handle_late_arriving_alias(alias_name, profile_name) if profile_known?(alias_name)
+      end
+
+      inputs_by_profile[profile_name] ||= {}
+      if inputs_by_profile[profile_name].key?(input_name)
+        inputs_by_profile[profile_name][input_name].update(options)
+      else
+        inputs_by_profile[profile_name][input_name] = Inspec::Input.new(input_name, options)
+      end
+
+      inputs_by_profile[profile_name][input_name]
     end
 
-    def find_input(name, profile)
-      profile = @profile_aliases[profile] if !profile_exist?(profile) && @profile_aliases[profile]
-      unless profile_exist?(profile)
-        error = Inspec::InputRegistry::ProfileLookupError.new
-        error.profile_name = profile
-        raise error, "Profile '#{error.profile_name}' does not have any inputs"
+    # It is possible for a wrapper profile to create an input in metadata,
+    # referring to the child profile by an alias that has not yet been registered.
+    # The registry will then store the inputs under the alias, as if the alias
+    # were a true profile.
+    # If that happens and the child profile also mentions the input, we will
+    # need to move some things - all inputs should be stored under the true
+    # profile name, and no inputs should be stored under the alias.
+    def handle_late_arriving_alias(alias_name, profile_name)
+      inputs_by_profile[profile_name] ||= {}
+      inputs_by_profile[alias_name].each do |input_name, input_from_alias|
+        # Move the inpuut, or if it exists, merge events
+        existing = inputs_by_profile[profile_name][input_name]
+        if existing
+          existing.events.concat(input_from_alias.events)
+        else
+          inputs_by_profile[profile_name][input_name] = input_from_alias
+        end
       end
+      # Finally, delete the (now copied-out) entry for the alias
+      inputs_by_profile.delete(alias_name)
+    end
+    #-------------------------------------------------------------#
+    #               Support for Binding Inputs
+    #-------------------------------------------------------------#
+
+    # This method is called by the Profile as soon as it has
+    # enough context to allow binding inputs to it.
+    def bind_profile_inputs(profile_name, sources = {})
+      inputs_by_profile[profile_name] ||= {}
+
+      # In a more perfect world, we could let the core plugins choose
+      # self-determine what to do; but as-is, the APIs that call this
+      # are a bit over-constrained.
+      bind_inputs_from_metadata(profile_name, sources[:profile_metadata])
+      bind_inputs_from_input_files(profile_name, sources[:cli_input_files])
+      bind_inputs_from_runner_api(profile_name, sources[:runner_api])
+    end
+
+    private
 
-      unless list[profile].key?(name)
-        error = Inspec::InputRegistry::InputLookupError.new
-        error.input_name = name
-        error.profile_name = profile
-        raise error, "Profile '#{error.profile_name}' does not have an input with name '#{error.input_name}'"
+    def bind_inputs_from_runner_api(profile_name, input_hash)
+      # TODO: move this into a core plugin
+
+      return if input_hash.nil?
+      return if input_hash.empty?
+
+      # These arrive as a bare hash - values are raw values, not options
+      input_hash.each do |input_name, input_value|
+        loc = Inspec::Input::Event.probe_stack # TODO: likely modify this to look for a kitchen.yml, if that is realistic
+        evt = Inspec::Input::Event.new(
+          value: input_value,
+          provider: :runner_api, # TODO: suss out if audit cookbook or kitchen-inspec or something unknown
+          priority: 40,
+          file: loc.path,
+          line: loc.lineno,
+        )
+        find_or_register_input(input_name, profile_name, event: evt)
       end
-      list[profile][name]
     end
 
-    def register_input(name, profile, options = {})
-      # check for a profile override name
-      if profile_exist?(profile) && list[profile][name] && options.empty?
-        list[profile][name]
-      else
-        list[profile] = {} unless profile_exist?(profile)
-        list[profile][name] = Inspec::Input.new(name, options)
+    def bind_inputs_from_input_files(profile_name, file_list)
+      # TODO: move this into a core plugin
+
+      return if file_list.nil?
+      return if file_list.empty?
+
+      file_list.each do |path|
+        validate_inputs_file_readability!(path)
+
+        # TODO: drop this SecretsBackend stuff, will be handled by plugin system
+        data = Inspec::SecretsBackend.resolve(path)
+        if data.nil?
+          raise Inspec::Exceptions::SecretsBackendNotFound,
+                "Cannot find parser for inputs file '#{path}'. " \
+                'Check to make sure file has the appropriate extension.'
+        end
+
+        next if data.inputs.nil?
+        data.inputs.each do |input_name, input_value|
+          evt = Inspec::Input::Event.new(
+            value: input_value,
+            provider: :cli_files,
+            priority: 40,
+            file: path,
+            # TODO: any way we could get a line number?
+          )
+          find_or_register_input(input_name, profile_name, event: evt)
+        end
       end
     end
 
-    def register_profile_alias(name, alias_name)
-      @profile_aliases[name] = alias_name
+    def validate_inputs_file_readability!(path)
+      unless File.exist?(path)
+        raise Inspec::Exceptions::InputsFileDoesNotExist,
+              "Cannot find input file '#{path}'. " \
+              'Check to make sure file exists.'
+      end
+
+      unless File.readable?(path)
+        raise Inspec::Exceptions::InputsFileNotReadable,
+              "Cannot read input file '#{path}'. " \
+              'Check to make sure file is readable.'
+      end
+
+      true
     end
 
-    def list_inputs_for_profile(profile)
-      list[profile] = {} unless profile_exist?(profile)
-      list[profile]
+    def bind_inputs_from_metadata(profile_name, profile_metadata_obj)
+      # TODO: move this into a core plugin
+      # TODO: add deprecation stuff
+      return if profile_metadata_obj.nil? # Metadata files are technically optional
+
+      if profile_metadata_obj.params.key?(:attributes) && profile_metadata_obj.params[:attributes].is_a?(Array)
+        profile_metadata_obj.params[:attributes].each do |input_orig|
+          input_options = input_orig.dup
+          input_name = input_options.delete(:name)
+          input_options.merge!({ priority: 30, provider: :profile_metadata, file: File.join(profile_name, 'inspec.yml') })
+          evt = Inspec::Input.infer_event(input_options)
+
+          # Profile metadata may set inputs in other profiles by naming them.
+          if input_options[:profile]
+            profile_name = input_options[:profile] || profile_name
+            # Override priority to force this to win.  Allow user to set their own priority.
+            evt.priority = input_orig[:priority] || 35
+          end
+          find_or_register_input(input_name,
+                                 profile_name,
+                                 type: input_options[:type],
+                                 required: input_options[:required],
+                                 event: evt)
+        end
+      elsif profile_metadata_obj.params.key?(:attributes)
+        Inspec::Log.warn 'Inputs must be defined as an Array. Skipping current definition.'
+      end
     end
 
+    #-------------------------------------------------------------#
+    #               Other Support
+    #-------------------------------------------------------------#
+    public
+
+    # Used in testing
     def __reset
-      @list = {}
+      @inputs_by_profile = {}
       @profile_aliases = {}
     end
+
+    # These class methods are convenience methods so you don't always
+    # have to call #instance when calling the registry
+    [
+      :find_or_register_input,
+      :register_profile_alias,
+      :list_inputs_for_profile,
+      :bind_profile_inputs,
+    ].each do |meth|
+      define_singleton_method(meth) do |*args|
+        instance.send(meth, *args)
+      end
+    end
   end
 end

data/lib/inspec/objects/input.rb

@@ -14,6 +14,73 @@ end
 
 module Inspec
   class Input
+    #===========================================================================#
+    #                        Class Input::Event
+    #===========================================================================#
+
+    # Information about how the input obtained its value.
+    # Each time it changes, an Input::Event is added to the #events array.
+    class Event
+      EVENT_PROPERTIES = [
+        :action,   # :create, :set, :fetch
+        :provider, # Name of the plugin
+        :priority, # Priority of this plugin for resolving conflicts.  1-100, higher numbers win.
+        :value,    # New value, if provided.
+        :file,     # File containing the input-changing action, if known
+        :line,     # Line in file containing the input-changing action, if known
+        :hit,      # if action is :fetch, true if the remote source had the input
+      ].freeze
+
+      # Value has a special handler
+      EVENT_PROPERTIES.reject { |p| p == :value }.each do |prop|
+        attr_accessor prop
+      end
+
+      attr_reader :value
+
+      def initialize(properties = {})
+        @value_has_been_set = false
+
+        properties.each do |prop_name, prop_value|
+          if EVENT_PROPERTIES.include? prop_name
+            # OK, save the property
+            send((prop_name.to_s + '=').to_sym, prop_value)
+          else
+            raise "Unrecognized property to Input::Event: #{prop_name}"
+          end
+        end
+      end
+
+      def value=(the_val)
+        # Even if set to nil or false, it has indeed been set; note that fact.
+        @value_has_been_set = true
+        @value = the_val
+      end
+
+      def value_has_been_set?
+        @value_has_been_set
+      end
+
+      def diagnostic_string
+        to_h.reject { |_, val| val.nil? }.to_a.map { |pair| "#{pair[0]}: '#{pair[1]}'" }.join(', ')
+      end
+
+      def to_h
+        EVENT_PROPERTIES.each_with_object({}) do |prop, hash|
+          hash[prop] = send(prop)
+        end
+      end
+
+      def self.probe_stack
+        frames = caller_locations(2, 40)
+        frames.reject! { |f| f.path && f.path.include?('/lib/inspec/') }
+        frames.first
+      end
+    end
+
+    #===========================================================================#
+    #                    Class NO_VALUE_SET
+    #===========================================================================#
     # This special class is used to represent the value when an input has
     # not been assigned a value. This allows a user to explicitly assign nil
     # to an input.
@@ -62,8 +129,11 @@ module Inspec
   end
 
   class Input
-    attr_accessor :name
+    #===========================================================================#
+    #                       Class Inspec::Input
+    #===========================================================================#
 
+    # Validation types for input values
     VALID_TYPES = %w{
       String
       Numeric
@@ -74,6 +144,21 @@ module Inspec
       Any
     }.freeze
 
+    # If you call `input` in a control file, the input will receive this priority.
+    # You can override that with a :priority option.
+    DEFAULT_PRIORITY_FOR_DSL_ATTRIBUTES = 20
+
+    # If you somehow manage to initialize an Input outside of the DSL,
+    # AND you don't provide an Input::Event, this is the priority you get.
+    DEFAULT_PRIORITY_FOR_UNKNOWN_CALLER = 10
+
+    # If you directly call value=, this is the priority assigned.
+    # This is the highest priority within InSpec core; though plugins
+    # are free to go higher.
+    DEFAULT_PRIORITY_FOR_VALUE_SET = 60
+
+    attr_reader :description, :events, :identifier, :name, :required, :title, :type
+
     def initialize(name, options = {})
       @name = name
       @opts = options
@@ -82,49 +167,164 @@ module Inspec
         if @opts.key?(:value)
           Inspec::Log.warn "Input #{@name} created using both :default and :value options - ignoring :default"
           @opts.delete(:default)
+        end
+      end
+
+      # Array of Input::Event objects.  These compete with one another to determine
+      # the value of the input when value() is called, as well as providing a
+      # debugging record of when and how the value changed.
+      @events = []
+      events.push make_creation_event(options)
+
+      update(options)
+    end
+
+    def set_events
+      events.select { |e| e.action == :set }
+    end
+
+    def diagnostic_string
+      "Input #{name}, with history:\n" +
+        events.map(&:diagnostic_string).map { |line| "  #{line}" }.join("\n")
+    end
+
+    #--------------------------------------------------------------------------#
+    #                           Managing Value
+    #--------------------------------------------------------------------------#
+
+    def update(options)
+      _update_set_metadata(options)
+      normalize_type_restriction!
+
+      # Values are set by passing events in; but we can also infer an event.
+      if options.key?(:value) || options.key?(:default)
+        if options.key?(:event)
+          if options.key?(:value) || options.key?(:default)
+            Inspec::Log.warn "Do not provide both an Event and a value as an option to attribute('#{name}') - using value from event"
+          end
         else
-          @opts[:value] = @opts.delete(:default)
+          self.class.infer_event(options) # Sets options[:event]
         end
       end
-      @value = @opts[:value]
-      validate_value_type(@value) if @opts.key?(:type) && @opts.key?(:value)
+      events << options[:event] if options.key? :event
+
+      enforce_type_restriction!
     end
 
-    def value=(new_value)
-      validate_value_type(new_value) if @opts.key?(:type)
-      @value = new_value
+    # We can determine a value:
+    # 1. By event.value (preferred)
+    # 2. By options[:value]
+    # 3. By options[:default] (deprecated)
+    def self.infer_event(options)
+      # Don't rely on this working; you really should be passing a proper Input::Event
+      # with the context information you have.
+      location = Input::Event.probe_stack
+      event = Input::Event.new(
+        action: :set,
+        provider: options[:provider] || :unknown,
+        priority: options[:priority] || Inspec::Input::DEFAULT_PRIORITY_FOR_UNKNOWN_CALLER,
+        file: location.path,
+        line: location.lineno,
+      )
+
+      if options.key?(:default)
+        Inspec.deprecate(:attrs_value_replaces_default, "attribute name: '#{name}'")
+        if options.key?(:value)
+          Inspec::Log.warn "Input #{@name} created using both :default and :value options - ignoring :default"
+          options.delete(:default)
+        else
+          options[:value] = options.delete(:default)
+        end
+      end
+      event.value = options[:value] if options.key?(:value)
+      options[:event] = event
     end
 
-    def value
-      if @value.nil?
-        validate_required(@value) if @opts[:required] == true
-        @value = value_or_dummy
+    private
+
+    def _update_set_metadata(options)
+      # Basic metadata
+      @title = options[:title] if options.key?(:title)
+      @description = options[:description] if options.key?(:description)
+      @required = options[:required] if options.key?(:required)
+      @identifier = options[:identifier] if options.key?(:identifier) # TODO: determine if this is ever used
+      @type = options[:type] if options.key?(:type)
+    end
+
+    def make_creation_event(options)
+      loc = options[:location] || Event.probe_stack
+      Input::Event.new(
+        action: :create,
+        provider: options[:provider],
+        file: loc.path,
+        line: loc.lineno,
+      )
+    end
+
+    # Determine the current winning value, but don't validate it
+    def current_value
+      # Examine the events to determine highest-priority value. Tie-break
+      # by using the last one set.
+      events_that_set_a_value = events.select(&:value_has_been_set?)
+      winning_priority = events_that_set_a_value.map(&:priority).max
+      winning_events = events_that_set_a_value.select { |e| e.priority == winning_priority }
+      winning_event = winning_events.last # Last for tie-break
+
+      if winning_event.nil?
+        # No value has been set - return special no value object
+        NO_VALUE_SET.new(name)
       else
-        @value
+        winning_event.value # May still be nil
       end
     end
 
-    def title
-      @opts[:title]
+    public
+
+    def value=(new_value, priority = DEFAULT_PRIORITY_FOR_VALUE_SET)
+      # Inject a new Event with the new value.
+      location = Event.probe_stack
+      events << Event.new(
+        action: :set,
+        provider: :value_setter,
+        priority: priority,
+        value: new_value,
+        file: location.path,
+        line: location.lineno,
+      )
+      enforce_type_restriction!
+
+      new_value
     end
 
-    def description
-      @opts[:description]
+    def value
+      enforce_required_validation!
+      current_value
     end
 
-    def ruby_var_identifier
-      @opts[:identifier] || 'attr_' + @name.downcase.strip.gsub(/\s+/, '-').gsub(/[^\w-]/, '')
+    def has_value?
+      !current_value.is_a? NO_VALUE_SET
     end
 
+    #--------------------------------------------------------------------------#
+    #                               Marshalling
+    #--------------------------------------------------------------------------#
+
     def to_hash
-      {
-        name: @name,
-        options: @opts,
-      }
+      as_hash = { name: name, options: {} }
+      [:description, :title, :identifier, :type, :required, :value].each do |field|
+        val = send(field)
+        next if val.nil?
+        as_hash[:options][field] = val
+      end
+      as_hash
+    end
+
+    def ruby_var_identifier
+      identifier || 'attr_' + name.downcase.strip.gsub(/\s+/, '-').gsub(/[^\w-]/, '')
     end
 
     def to_ruby
-      res = ["#{ruby_var_identifier} = attribute('#{@name}',{"]
+      res = ["#{ruby_var_identifier} = attribute('#{name}',{"]
       res.push "  title: '#{title}'," unless title.to_s.empty?
       res.push "  value: #{value.inspect}," unless value.to_s.empty?
       # to_ruby may generate code that is to be used by older versions of inspec.
@@ -136,37 +336,78 @@ module Inspec
       res.join("\n")
     end
 
+    #--------------------------------------------------------------------------#
+    #                           Value Type Coercion
+    #--------------------------------------------------------------------------#
+
     def to_s
-      "Input #{@name} with #{@value}"
+      "Input #{name} with #{current_value}"
     end
 
+    #--------------------------------------------------------------------------#
+    #                               Validation
+    #--------------------------------------------------------------------------#
+
     private
 
-    def validate_required(value)
+    def enforce_required_validation!
+      return unless required
       # skip if we are not doing an exec call (archive/vendor/check)
       return unless Inspec::BaseCLI.inspec_cli_command == :exec
 
-      # value will be set already if a secrets file was passed in
-      if (!@opts.key?(:default) && value.nil?) || (@opts[:default].nil? && value.nil?)
+      proposed_value = current_value
+      if proposed_value.nil? || proposed_value.is_a?(NO_VALUE_SET)
         error = Inspec::Input::RequiredError.new
-        error.input_name = @name
+        error.input_name = name
         raise error, "Input '#{error.input_name}' is required and does not have a value."
       end
     end
 
-    def validate_type(type)
-      type = type.capitalize
+    def enforce_type_restriction! # rubocop:disable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
+      return unless type
+      return unless has_value?
+
+      type_req = type
+      return if type_req == 'Any'
+
+      proposed_value = current_value
+
+      invalid_type = false
+      if type_req == 'Regexp'
+        invalid_type = true if !valid_regexp?(proposed_value)
+      elsif type_req == 'Numeric'
+        invalid_type = true if !valid_numeric?(proposed_value)
+      elsif type_req == 'Boolean'
+        invalid_type = true if ![true, false].include?(proposed_value)
+      elsif proposed_value.is_a?(Module.const_get(type_req)) == false
+        # TODO: why is this case here?
+        invalid_type = true
+      end
+
+      if invalid_type == true
+        error = Inspec::Input::ValidationError.new
+        error.input_name = @name
+        error.input_value = proposed_value
+        error.input_type = type_req
+        raise error, "Input '#{error.input_name}' with value '#{error.input_value}' does not validate to type '#{error.input_type}'."
+      end
+    end
+
+    def normalize_type_restriction!
+      return unless type
+
+      type_req = type.capitalize
       abbreviations = {
         'Num' => 'Numeric',
         'Regex' => 'Regexp',
       }
-      type = abbreviations[type] if abbreviations.key?(type)
-      if !VALID_TYPES.include?(type)
+      type_req = abbreviations[type_req] if abbreviations.key?(type_req)
+      if !VALID_TYPES.include?(type_req)
         error = Inspec::Input::TypeError.new
-        error.input_type = type
+        error.input_type = type_req
         raise error, "Type '#{error.input_type}' is not a valid input type."
       end
-      type
+      @type = type_req
     end
 
     def valid_numeric?(value)
@@ -177,41 +418,11 @@ module Inspec
     end
 
     def valid_regexp?(value)
-      # check for invalid regex syntex
+      # check for invalid regex syntax
       Regexp.new(value)
       true
     rescue
       false
     end
-
-    # rubocop:disable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
-    def validate_value_type(value)
-      type = validate_type(@opts[:type])
-      return if type == 'Any'
-
-      invalid_type = false
-      if type == 'Regexp'
-        invalid_type = true if !value.is_a?(String) || !valid_regexp?(value)
-      elsif type == 'Numeric'
-        invalid_type = true if !valid_numeric?(value)
-      elsif type == 'Boolean'
-        invalid_type = true if ![true, false].include?(value)
-      elsif value.is_a?(Module.const_get(type)) == false
-        invalid_type = true
-      end
-
-      if invalid_type == true
-        error = Inspec::Input::ValidationError.new
-        error.input_name = @name
-        error.input_value = value
-        error.input_type = type
-        raise error, "Input '#{error.input_name}' with value '#{error.input_value}' does not validate to type '#{error.input_type}'."
-      end
-    end
-    # rubocop:enable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
-
-    def value_or_dummy
-      @opts.key?(:value) ? @opts[:value] : Inspec::Input::NO_VALUE_SET.new(@name)
-    end
   end
 end

data/lib/inspec/profile.rb

@@ -81,7 +81,7 @@ module Inspec
     end
 
     attr_reader :source_reader, :backend, :runner_context, :check_mode
-    attr_accessor :parent_profile, :profile_name
+    attr_accessor :parent_profile, :profile_id, :profile_name
     def_delegator :@source_reader, :tests
     def_delegator :@source_reader, :libraries
     def_delegator :@source_reader, :metadata
@@ -118,25 +118,32 @@ module Inspec
       @runtime_profile = RuntimeProfile.new(self)
       @backend.profile = @runtime_profile
 
+      # The AttributeRegistry is in charge of keeping track of inputs;
+      # it is the single source of truth. Now that we have a profile object,
+      # we can create any inputs that were provided by various mechanisms.
+      options[:runner_conf] ||= Inspec::Config.cached
+
+      if options[:runner_conf].key?(:attrs)
+        Inspec.deprecate(:rename_attributes_to_inputs, 'Use --input-file on the command line instead of --attrs.')
+        options[:runner_conf][:input_file] = options[:runner_conf].delete(:attrs)
+      end
+
+      Inspec::InputRegistry.bind_profile_inputs(
+        # Every input only exists in the context of a profile
+        metadata.params[:name], # TODO: test this with profile aliasing
+        # Remaining args are possible sources of inputs
+        cli_input_files: options[:runner_conf][:input_file], # From CLI --input-file
+        profile_metadata: metadata,
+        # TODO: deprecation checks here
+        runner_api: options[:runner_conf][:attributes], # This is the route the audit_cookbook and kitchen-inspec take
+      )
+
       @runner_context =
         options[:profile_context] ||
-        Inspec::ProfileContext.for_profile(self, @backend, @input_values)
+        Inspec::ProfileContext.for_profile(self, @backend)
 
       @supports_platform = metadata.supports_platform?(@backend)
       @supports_runtime = metadata.supports_runtime?
-      register_metadata_inputs
-    end
-
-    def register_metadata_inputs # TODO: deprecate
-      if metadata.params.key?(:attributes) && metadata.params[:attributes].is_a?(Array)
-        metadata.params[:attributes].each do |attribute|
-          attr_dup = attribute.dup
-          name = attr_dup.delete(:name)
-          @runner_context.register_input(name, attr_dup)
-        end
-      elsif metadata.params.key?(:attributes)
-        Inspec::Log.warn 'Inputs must be defined as an Array. Skipping current definition.'
-      end
     end
 
     def name
@@ -595,7 +602,7 @@ module Inspec
         f = load_rule_filepath(prefix, rule)
         load_rule(rule, f, controls, groups)
       end
-      params[:inputs] = @runner_context.inputs
+      params[:inputs] = Inspec::InputRegistry.list_inputs_for_profile(@profile_id)
       params
     end
 

data/lib/inspec/profile_context.rb

@@ -12,13 +12,11 @@ require 'inspec/objects/input'
 
 module Inspec
   class ProfileContext
-    def self.for_profile(profile, backend, inputs)
-      new(profile.name, backend, { 'profile' => profile,
-                                   'inputs' => inputs,
-                                   'check_mode' => profile.check_mode })
+    def self.for_profile(profile, backend)
+      new(profile.name, backend, { 'profile' => profile, 'check_mode' => profile.check_mode })
     end
 
-    attr_reader :inputs, :backend, :profile_name, :profile_id, :resource_registry
+    attr_reader :backend, :profile_name, :profile_id, :resource_registry
     attr_accessor :rules
     def initialize(profile_id, backend, conf)
       if backend.nil?
@@ -35,7 +33,8 @@ module Inspec
       @lib_subcontexts = []
       @require_loader = ::Inspec::RequireLoader.new
       Inspec::InputRegistry.register_profile_alias(@profile_id, @profile_name) if @profile_id != @profile_name
-      @inputs = Inspec::InputRegistry.list_inputs_for_profile(@profile_id)
+      # TODO: consider polling input source plugins; this is a bulk fetch opportunity
+
       # A local resource registry that only contains resources defined
       # in the transitive dependency tree of the loaded profile.
       @resource_registry = Inspec::Resource.new_registry
@@ -43,6 +42,10 @@ module Inspec
       @current_load = nil
     end
 
+    def attributes
+      Inspec::AttributeRegistry.list_attributes_for_profile(@profile_id)
+    end
+
     def dependencies
       if @conf['profile'].nil?
         {}
@@ -187,13 +190,6 @@ module Inspec
       end
     end
 
-    def register_input(name, options = {})
-      # we need to return an input object, to allow dermination of values
-      input = Inspec::InputRegistry.register_input(name, @profile_id, options)
-      input.value = @conf['inputs'][name] unless @conf['inputs'].nil? || @conf['inputs'][name].nil?
-      input.value
-    end
-
     def set_header(field, val)
       @current_load[field] = val
     end

data/lib/inspec/rspec_extensions.rb

@@ -66,9 +66,13 @@ end
 class RSpec::Core::ExampleGroup
   # This DSL method allows us to access the values of inputs within InSpec tests
   def attribute(name)
-    Inspec::InputRegistry.find_input(name, self.class.metadata[:profile_id]).value
+    Inspec::InputRegistry.find_or_register_input(name, self.class.metadata[:profile_id]).value
   end
   define_example_method :attribute
+  def input_obj(name)
+    Inspec::InputRegistry.find_or_register_input(name, self.class.metadata[:profile_id])
+  end
+  define_example_method :input_obj
 
   # Here, we have to ensure our method_missing gets called prior
   # to RSpec::Core::ExampleGroup.method_missing (the class method).

data/lib/inspec/runner.rb

@@ -9,7 +9,6 @@ require 'inspec/backend'
 require 'inspec/profile_context'
 require 'inspec/profile'
 require 'inspec/metadata'
-require 'inspec/secrets'
 require 'inspec/config'
 require 'inspec/dependencies/cache'
 # spec requirements
@@ -32,7 +31,7 @@ module Inspec
   class Runner
     extend Forwardable
 
-    attr_reader :backend, :rules, :inputs
+    attr_reader :backend, :rules
 
     def attributes
       Inspec.deprecate(:rename_attributes_to_inputs, "Don't call runner.attributes, call runner.inputs")
@@ -57,10 +56,17 @@ module Inspec
         RunnerRspec.new(@conf)
       end
 
-      # list of profile inputs
-      @inputs = {}
+      # About reading inputs:
+      #   @conf gets passed around a lot, eventually to
+      # Inspec::InputRegistry.register_external_inputs.
+      #
+      #   @conf may contain the key :attributes or :inputs, which is to be a Hash
+      # of values passed in from the Runner API.
+      # This is how kitchen-inspec and the audit_cookbook pass in inputs.
+      #
+      #   @conf may contain the key :attrs or :input_file, which is to be an Array
+      # of file paths, each a YAML file. This how --input-file works.
 
-      load_inputs(@conf)
       configure_transport
     end
 
@@ -101,7 +107,6 @@ module Inspec
           @test_collector.add_profile(requirement.profile)
         end
 
-        @inputs = profile.runner_context.inputs if @inputs.empty?
         tests = profile.collect_tests
         all_controls += tests unless tests.nil?
       end
@@ -149,35 +154,6 @@ module Inspec
       @test_collector.exit_code
     end
 
-    # determine all inputs before the execution, fetch data from secrets backend
-    def load_inputs(options)
-      # TODO: - rename :attributes - it is user-visible
-      options[:attributes] ||= {}
-
-      if options.key?(:attrs)
-        Inspec.deprecate(:rename_attributes_to_inputs, 'Use --input-file on the command line instead of --attrs.')
-        options[:input_file] = options.delete(:attrs)
-      end
-      secrets_targets = options[:input_file]
-      return options[:attributes] if secrets_targets.nil?
-
-      secrets_targets.each do |target|
-        validate_inputs_file_readability!(target)
-
-        secrets = Inspec::SecretsBackend.resolve(target)
-        if secrets.nil?
-          raise Inspec::Exceptions::SecretsBackendNotFound,
-                "Cannot find parser for inputs file '#{target}'. " \
-                'Check to make sure file has the appropriate extension.'
-        end
-
-        next if secrets.inputs.nil?
-        options[:attributes].merge!(secrets.inputs)
-      end
-
-      options[:attributes]
-    end
-
     #
     # add_target allows the user to add a target whose tests will be
     # run when the user calls the run method.
@@ -209,7 +185,7 @@ module Inspec
                                            vendor_cache: @cache,
                                            backend: @backend,
                                            controls: @controls,
-                                           inputs: @conf[:attributes]) # TODO: read form :inputs here (user visible)
+                                           runner_conf: @conf)
       raise "Could not resolve #{target} to valid input." if profile.nil?
       @target_profiles << profile if supports_profile?(profile)
     end
@@ -300,22 +276,6 @@ module Inspec
       examples.each { |e| @test_collector.add_test(e, rule) }
     end
 
-    def validate_inputs_file_readability!(target)
-      unless File.exist?(target)
-        raise Inspec::Exceptions::InputsFileDoesNotExist,
-              "Cannot find input file '#{target}'. " \
-              'Check to make sure file exists.'
-      end
-
-      unless File.readable?(target)
-        raise Inspec::Exceptions::InputsFileNotReadable,
-              "Cannot read input file '#{target}'. " \
-              'Check to make sure file is readable.'
-      end
-
-      true
-    end
-
     def rspec_skipped_block(arg, opts, message)
       @test_collector.example_group(*arg, opts) do
         # Send custom `it` block to RSpec

data/lib/inspec/version.rb

@@ -1,3 +1,3 @@
 module Inspec
-  VERSION = '4.1.4.preview'.freeze
+  VERSION = '4.2.0.preview'.freeze
 end

data/lib/resources/mssql_session.rb

@@ -108,7 +108,7 @@ module Inspec::Resources
       results = table.map { |row|
         res = {}
         headers.each { |header|
-          res[header.downcase] = row[header]
+          res[header.downcase] = row[header] if header
         }
         Hashie::Mash.new(res)
       }

data/lib/resources/port.rb

@@ -569,6 +569,10 @@ module Inspec::Resources
       # example: ::ffff:10.0.2.15:9200
       host.delete!('::ffff:') if host.start_with?('::ffff:')
 
+      # To remove brackets that might surround the IPv6 address
+      # example: [::] and [fe80::dc11:b9b6:514b:134]%eth0:123
+      host = host.tr('[]', '')
+
       # if there's an interface name in the local address, which is common for
       # IPv6 listeners, strip that out too.
       # example: fe80::a00:27ff:fe32:ed09%enp0s3

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec-core
 version: !ruby/object:Gem::Version
-  version: 4.1.4.preview
+  version: 4.2.0.preview
 platform: ruby
 authors:
 - Dominik Richter
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-04-22 00:00:00.000000000 Z
+date: 2019-04-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: train-core