inspec-core 4.38.9 → 4.41.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 17449ad4c9680511a8fc11c6fdb11d9ece550a7942c9e734c95eac0d41913d9f
-  data.tar.gz: ae5055ccc9bebd1aed4f22da4ad4dcd1be31e1bd2b5707e7b5fb088c916eda08
+  metadata.gz: ccadabfe4c0ecceecb305842e1874255ce4797a8df92e9d1d940bfe52f4b2dbb
+  data.tar.gz: 8bed2e86c15c05fcd6ee5974e1167aab1f2ab6c2d321a6f802af738594fafe5b
 SHA512:
-  metadata.gz: 6cec299ca48d7ca4c3fb9b3eecc79c8687541fbd83fc79e837ed13d2abb4bcb861f747782a68bf90f7e1083443a671079a1368a97e9f552e249e456616a92059
-  data.tar.gz: 287e2d79dbc494c83d6f8b8046e0f9c54632c5a13ec75ac69b603bdf9fe9b6a89ff86c9c8f025f7e04372490adb1ffa5a5a7fc10f3ecab1e7fabd70f71f6767d
+  metadata.gz: ac9a9e7a80179eaa6f1a77ff4fd4aa4505a39ce389a655bdf853caeece477c58ea7ef46db749cf54a11c2e5dff5e62b09fdd950caac396ffbab4640183549924
+  data.tar.gz: 613c20973b4b10202fe0d0aac0e53b65cb0cb201150b93665304f0a5f7d4341981768cc799865bb3d7b9ad6b9afa93f782a9651d88001001b899d85b4521e1b6

data/lib/inspec/base_cli.rb

@@ -136,6 +136,8 @@ module Inspec
       profile_options
       option :controls, type: :array,
         desc: "A list of control names to run, or a list of /regexes/ to match against control names. Ignore all other tests."
+      option :tags, type: :array,
+        desc: "A list of tags names that are part of controls to filter and run controls, or a list of /regexes/ to match against tags names of controls. Ignore all other tests."
       option :reporter, type: :array,
         banner: "one two:/output/file/path",
         desc: "Enable one or more output reporters: cli, documentation, html, progress, json, json-min, json-rspec, junit, yaml"

data/lib/inspec/cli.rb

@@ -65,6 +65,8 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     desc: "Save the created profile to a path"
   option :controls, type: :array,
     desc: "A list of controls to include. Ignore all other tests."
+  option :tags, type: :array,
+    desc: "A list of tags to filter controls and include only those. Ignore all other tests."
   profile_options
   def json(target)
     require "json" unless defined?(JSON)

data/lib/inspec/control_eval_context.rb

@@ -53,12 +53,23 @@ module Inspec
 
     def control(id, opts = {}, &block)
       opts[:skip_only_if_eval] = @skip_only_if_eval
-      if control_exist_in_controls_list?(id) || controls_list_empty?
+      tag_ids = control_tags(&block)
+      if (controls_list_empty? && tags_list_empty?) || control_exist_in_controls_list?(id) || tag_exist_in_control_tags?(tag_ids)
         register_control(Inspec::Rule.new(id, profile_id, resources_dsl, opts, &block))
       end
     end
+
     alias rule control
 
+    def control_tags(&block)
+      tag_source = block.source.split("\n").select { |src| src.split.first.eql?("tag") }
+      tag_source = tag_source.map { |src| src.sub("tag", "").strip }.map { |src| src.split(",").map { |final_src| final_src.sub(/([^:]*):/, "") } }.flatten
+      output = tag_source.map { |src| src.sub(/\[|\]/, "") }.map { |src| instance_eval(src) }
+      output.compact.uniq
+    rescue
+      []
+    end
+
     # Describe allows users to write rspec-like bare describe
     # blocks without declaring an inclosing control. Here, we
     # generate a control for them automatically and then execute
@@ -74,7 +85,7 @@ module Inspec
         res = describe(*args, &block)
       end
 
-      if control_exist_in_controls_list?(id) || controls_list_empty?
+      if controls_list_empty? || control_exist_in_controls_list?(id)
         register_control(rule, &block)
       end
 
@@ -187,11 +198,19 @@ module Inspec
       !@conf.empty? && @conf.key?("profile") && !@conf["profile"].include_controls_list.empty?
     end
 
+    def profile_tag_config_exist?
+      !@conf.empty? && @conf.key?("profile") && !@conf["profile"].include_tags_list.empty?
+    end
+
     # Returns true if configuration hash is empty or configuration hash does not have the list of controls that needs to be included
     def controls_list_empty?
       !@conf.empty? && @conf.key?("profile") && @conf["profile"].include_controls_list.empty? || @conf.empty?
     end
 
+    def tags_list_empty?
+      !@conf.empty? && @conf.key?("profile") && @conf["profile"].include_tags_list.empty? || @conf.empty?
+    end
+
     # Check if the given control exist in the --controls option
     def control_exist_in_controls_list?(id)
       id_exist_in_list = false
@@ -203,5 +222,25 @@ module Inspec
       end
       id_exist_in_list
     end
+
+    # Check if the given control exist in the --tags option
+    def tag_exist_in_control_tags?(tag_ids)
+      tag_option_matches_with_list = false
+      if !tag_ids.empty? && !tag_ids.nil? && profile_tag_config_exist?
+        tag_option_matches_with_list = !(tag_ids & @conf["profile"].include_tags_list).empty?
+        unless tag_option_matches_with_list
+          @conf["profile"].include_tags_list.any? do |inclusion|
+            # Try to see if the inclusion is a regex, and if it matches
+            if inclusion.is_a?(Regexp)
+              tag_ids.each do |id|
+                tag_option_matches_with_list = (inclusion =~ id)
+                break if tag_option_matches_with_list
+              end
+            end
+          end
+        end
+      end
+      tag_option_matches_with_list
+    end
   end
 end

data/lib/inspec/profile.rb

@@ -87,6 +87,7 @@ module Inspec
       @logger = options[:logger] || Logger.new(nil)
       @locked_dependencies = options[:dependencies]
       @controls = options[:controls] || []
+      @tags = options[:tags] || []
       @writable = options[:writable] || false
       @profile_id = options[:id]
       @profile_name = options[:profile_name]
@@ -206,7 +207,7 @@ module Inspec
       @params ||= load_params
     end
 
-    def collect_tests(include_list = @controls)
+    def collect_tests
       unless @tests_collected || failed?
         return unless supports_platform?
 
@@ -253,6 +254,30 @@ module Inspec
       included_controls
     end
 
+    # This creates the list of controls to be filtered by tag values provided in the --tags options
+    def include_tags_list
+      return [] if @tags.nil? || @tags.empty?
+
+      included_tags = @tags
+      # Check for anything that might be a regex in the list, and make it official
+      included_tags.each_with_index do |inclusion, index|
+        next if inclusion.is_a?(Regexp)
+        # Insist the user wrap the regex in slashes to demarcate it as a regex
+        next unless inclusion.start_with?("/") && inclusion.end_with?("/")
+
+        inclusion = inclusion[1..-2] # Trim slashes
+        begin
+          re = Regexp.new(inclusion)
+          included_tags[index] = re
+        rescue RegexpError => e
+          warn "Ignoring unparseable regex '/#{inclusion}/' in --control CLI option: #{e.message}"
+          included_tags[index] = nil
+        end
+      end
+      included_tags.compact!
+      included_tags
+    end
+
     def load_libraries
       return @runner_context if @libraries_loaded
 

data/lib/inspec/resources.rb

@@ -73,6 +73,7 @@ require "inspec/resources/limits_conf"
 require "inspec/resources/login_defs"
 require "inspec/resources/mongodb"
 require "inspec/resources/mongodb_conf"
+require "inspec/resources/mongodb_session"
 require "inspec/resources/mount"
 require "inspec/resources/mssql_session"
 require "inspec/resources/mysql"
@@ -83,6 +84,8 @@ require "inspec/resources/nginx_conf"
 require "inspec/resources/npm"
 require "inspec/resources/ntp_conf"
 require "inspec/resources/oneget"
+require "inspec/resources/opa_cli"
+require "inspec/resources/opa_api"
 require "inspec/resources/oracledb_session"
 require "inspec/resources/os"
 require "inspec/resources/os_env"

data/lib/inspec/resources/mongodb_session.rb

@@ -0,0 +1,88 @@
+require "mongo"
+
+module Inspec::Resources
+  class Lines
+    attr_reader :params
+
+    def initialize(raw, desc)
+      @params = raw
+      @desc = desc
+    end
+
+    def to_s
+      @desc
+    end
+  end
+
+  class MongodbSession < Inspec.resource(1)
+    name "mongodb_session"
+    supports platform: "unix"
+    supports platform: "windows"
+
+    desc "Use the mongodb_session InSpec audit resource to run MongoDB command against a MongoDB Database."
+    example <<~EXAMPLE
+      # default values:
+      # host: "127.0.0.1"
+      # port: "27017"
+      # auth_source - default to database name
+      # auth_mech - :scram
+
+      describe mongodb_session(user: "foo", password: "bar", database: "test").query(usersInfo: "ian").params["users"].first["roles"].first do
+        its(["role"]) { should eq "readWrite" }
+      end
+    EXAMPLE
+    attr_reader :user, :host, :port, :database, :params
+
+    def initialize(opts = {})
+      @user = opts[:user] || nil
+      @password = opts[:password] || nil
+      @host = opts[:host] || "127.0.0.1"
+      @port = opts[:port] || "27017"
+      @database = opts[:database] || nil
+      @auth_mech = opts[:auth_mech] || :scram
+      @auth_source = opts[:auth_source] || @database
+      @ssl = opts[:ssl] || false
+      @ssl_cert = opts[:ssl_cert] || nil
+      @ssl_key = opts[:ssl_key] || nil
+      @ssl_ca_cert = opts[:ssl_ca_cert] || nil
+      @auth_mech_properties = opts[:auth_mech_properties] || {}
+      @client = nil
+
+      fail_resource "Can't run MongoDB checks without authentication." unless user && @password
+      fail_resource "You must provide a database name for the session." unless database
+
+      create_session
+    end
+
+    def query(command)
+      raise Inspec::Exceptions::ResourceFailed, "#{resource_exception_message}" if resource_failed?
+
+      Lines.new(@client.command(command).documents.first, "MongoDB query: #{command}")
+    rescue => e
+      raise Inspec::Exceptions::ResourceFailed, "Can't run MongoDB command Error: #{e.message}"
+    end
+
+    private
+
+    def create_session
+      raise Inspec::Exceptions::ResourceFailed, "#{resource_exception_message}" if resource_failed?
+
+      options = { user: "#{user}",
+        password: "#{@password}",
+        database: "#{database}",
+        auth_source: "#{@auth_source}",
+        auth_mech: @auth_mech,
+        }
+      options[:auth_mech_properties] = @auth_mech_properties unless @auth_mech_properties.empty?
+      options[:ssl] = @ssl
+      opitons[:ssl_key] = @ssl_key unless @ssl_key.nil?
+      options[:ssl_cert] = @ssl_cert unless @ssl_cert.nil?
+      options[:ssl_ca_cert] = @ssl_ca_cert unless @ssl_ca_cert.nil?
+
+      @client = Mongo::Client.new([ "#{host}:#{port}" ], options)
+
+    rescue => e
+      raise Inspec::Exceptions::ResourceFailed, "Can't run MongoDB command. Error: #{e.message}"
+    end
+  end
+end

data/lib/inspec/resources/opa.rb

@@ -0,0 +1,23 @@
+require "inspec/resources/json"
+
+module Inspec::Resources
+  class Opa < JsonConfig
+    name "opa"
+    supports platform: "unix"
+    supports platform: "windows"
+
+    attr_reader :result
+    def initialize(content)
+      @content = content
+      super({ content: @content })
+    end
+
+    private
+
+    def parse(content)
+      @content = YAML.load(content)
+    rescue => e
+      raise Inspec::Exceptions::ResourceFailed, "Unable to parse OPA query output: #{e.message}"
+    end
+  end
+end

data/lib/inspec/resources/opa_api.rb

@@ -0,0 +1,39 @@
+require "inspec/resources/opa"
+
+module Inspec::Resources
+  class OpaApi < Opa
+    name "opa_api"
+    supports platform: "unix"
+    supports platform: "windows"
+
+    def initialize(opts = {})
+      @url = opts[:url] || nil
+      @data = opts[:data] || nil
+      fail_resource "OPA url and data are mandatory." if @url.nil? || @url.empty? || @data.nil? || @data.empty?
+      @content = load_result
+      super(@content)
+    end
+
+    def allow
+      @content["result"]
+    end
+
+    def to_s
+      "OPA api"
+    end
+
+    private
+
+    def load_result
+      raise Inspec::Exceptions::ResourceFailed, "#{resource_exception_message}" if resource_failed?
+
+      result = inspec.command("curl -X POST #{@url} -d @#{@data} -H 'Content-Type: application/json'")
+      if result.exit_status == 0
+        result.stdout.gsub("\n", "")
+      else
+        error = result.stdout + "\n" + result.stderr
+        raise Inspec::Exceptions::ResourceFailed, "Error while executing OPA query: #{error}"
+      end
+    end
+  end
+end

data/lib/inspec/resources/opa_cli.rb

@@ -0,0 +1,43 @@
+require "inspec/resources/opa"
+
+module Inspec::Resources
+  class OpaCli < Opa
+    name "opa_cli"
+    supports platform: "unix"
+    supports platform: "windows"
+
+    def initialize(opts = {})
+      @opa_executable_path = opts[:opa_executable_path] || "opa" # if this path is not provided then we will assume that it's been set in the ENV PATH
+      @policy = opts[:policy] || nil
+      @data = opts[:data] || nil
+      @query = opts[:query] || nil
+      if (@policy.nil? || @policy.empty?) || (@data.nil? || @data.empty?) || (@query.nil? || @query.empty?)
+        fail_resource "OPA policy, data and query are mandatory."
+      end
+      @content = load_result
+      super(@content)
+    end
+
+    def allow
+      @content["result"][0]["expressions"][0]["value"] if @content["result"][0]["expressions"][0]["text"].include?("allow")
+    end
+
+    def to_s
+      "OPA cli"
+    end
+
+    private
+
+    def load_result
+      raise Inspec::Exceptions::ResourceFailed, "#{resource_exception_message}" if resource_failed?
+
+      result = inspec.command("#{@opa_executable_path} eval -i '#{@data}' -d '#{@policy}' '#{@query}'")
+      if result.exit_status == 0
+        result.stdout.gsub("\n", "")
+      else
+        error = result.stdout + "\n" + result.stderr
+        raise Inspec::Exceptions::ResourceFailed, "Error while executing OPA query: #{error}"
+      end
+    end
+  end
+end

data/lib/inspec/runner.rb

@@ -50,6 +50,7 @@ module Inspec
       @conf[:logger] ||= Logger.new(nil)
       @target_profiles = []
       @controls = @conf[:controls] || []
+      @tags = @conf[:tags] || []
       @depends = @conf[:depends] || []
       @create_lockfile = @conf[:create_lockfile]
       @cache = Inspec::Cache.new(@conf[:vendor_cache])
@@ -199,6 +200,7 @@ module Inspec
                                            vendor_cache: @cache,
                                            backend: @backend,
                                            controls: @controls,
+                                           tags: @tags,
                                            runner_conf: @conf)
       raise "Could not resolve #{target} to valid input." if profile.nil?
 

data/lib/inspec/version.rb

@@ -1,3 +1,3 @@
 module Inspec
-  VERSION = "4.38.9".freeze
+  VERSION = "4.41.2".freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec-core
 version: !ruby/object:Gem::Version
-  version: 4.38.9
+  version: 4.41.2
 platform: ruby
 authors:
 - Chef InSpec Team
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-07-22 00:00:00.000000000 Z
+date: 2021-08-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: chef-telemetry
@@ -556,6 +556,7 @@ files:
 - lib/inspec/resources/login_defs.rb
 - lib/inspec/resources/mongodb.rb
 - lib/inspec/resources/mongodb_conf.rb
+- lib/inspec/resources/mongodb_session.rb
 - lib/inspec/resources/mount.rb
 - lib/inspec/resources/mssql_session.rb
 - lib/inspec/resources/mysql.rb
@@ -567,6 +568,9 @@ files:
 - lib/inspec/resources/npm.rb
 - lib/inspec/resources/ntp_conf.rb
 - lib/inspec/resources/oneget.rb
+- lib/inspec/resources/opa.rb
+- lib/inspec/resources/opa_api.rb
+- lib/inspec/resources/opa_cli.rb
 - lib/inspec/resources/oracledb_session.rb
 - lib/inspec/resources/os.rb
 - lib/inspec/resources/os_env.rb