inspec-core 4.41.2 → 4.41.20

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ccadabfe4c0ecceecb305842e1874255ce4797a8df92e9d1d940bfe52f4b2dbb
-  data.tar.gz: 8bed2e86c15c05fcd6ee5974e1167aab1f2ab6c2d321a6f802af738594fafe5b
+  metadata.gz: 26a893a79810f4d3e7aeb90032bd625636c045c8edc11274dddef456d504d278
+  data.tar.gz: 05c34cf8764889bc585a0175cfd7d7c63ef54a4c45c30d182f599de1b3ef8a56
 SHA512:
-  metadata.gz: ac9a9e7a80179eaa6f1a77ff4fd4aa4505a39ce389a655bdf853caeece477c58ea7ef46db749cf54a11c2e5dff5e62b09fdd950caac396ffbab4640183549924
-  data.tar.gz: 613c20973b4b10202fe0d0aac0e53b65cb0cb201150b93665304f0a5f7d4341981768cc799865bb3d7b9ad6b9afa93f782a9651d88001001b899d85b4521e1b6
+  metadata.gz: 6d04b25d7423b4fec6be048b8f131bfc28e90266a631829270930b8aa96a520b220c19a0d8fe463689441f67cb8d567d6163df7f56fcc27786ef72f25508dbfc
+  data.tar.gz: f798eee0dafda728d169d34ac8a73fef9803f3a70b1b1342d395d3954420644cef3fedcc202c1dc30204bdf1b2098741831af0200b1b3758c03511f38874e9ca

data/Gemfile

@@ -30,7 +30,11 @@ end
 group :test do
   gem "chefstyle", "~> 2.0.3"
   gem "concurrent-ruby", "~> 1.0"
-  gem "html-proofer", platforms: :ruby # do not attempt to run proofer on windows
+  if Gem.ruby_version.to_s.start_with?("2.5")
+    gem "html-proofer", "= 3.19.1" , platforms: :ruby # do not attempt to run proofer on windows
+  else
+    gem "html-proofer", platforms: :ruby # do not attempt to run proofer on windows
+  end
   gem "json_schemer", ">= 0.2.1", "< 0.2.19"
   gem "m"
   gem "minitest-sprint", "~> 1.0"

data/lib/inspec/base_cli.rb

@@ -43,11 +43,15 @@ module Inspec
       begin
         if (allowed_commands & ARGV.map(&:downcase)).empty? && # Did they use a non-exempt command?
             !ARGV.empty? # Did they supply at least one command?
-          LicenseAcceptance::Acceptor.check_and_persist(
+          license_acceptor_output = LicenseAcceptance::Acceptor.check_and_persist(
             Inspec::Dist::EXEC_NAME,
             Inspec::VERSION,
             logger: Inspec::Log
           )
+          if license_acceptor_output && ARGV.count == 1 && (ARGV.first.include? "--chef-license")
+            Inspec::UI.new.exit
+          end
+          license_acceptor_output
         end
       rescue LicenseAcceptance::LicenseNotAcceptedError
         Inspec::Log.error "#{Inspec::Dist::PRODUCT_NAME} cannot execute without accepting the license"

data/lib/inspec/cached_fetcher.rb

@@ -6,9 +6,9 @@ module Inspec
     extend Forwardable
 
     attr_reader :cache, :target, :fetcher
-    def initialize(target, cache)
+    def initialize(target, cache, opts = {})
       @target = target
-      @fetcher = Inspec::Fetcher::Registry.resolve(target)
+      @fetcher = Inspec::Fetcher::Registry.resolve(target, opts)
 
       if @fetcher.nil?
         raise("Could not fetch inspec profile in #{target.inspect}.")

data/lib/inspec/control_eval_context.rb

@@ -53,19 +53,26 @@ module Inspec
 
     def control(id, opts = {}, &block)
       opts[:skip_only_if_eval] = @skip_only_if_eval
-      tag_ids = control_tags(&block)
-      if (controls_list_empty? && tags_list_empty?) || control_exist_in_controls_list?(id) || tag_exist_in_control_tags?(tag_ids)
+      if (controls_list_empty? && tags_list_empty?) || control_exist_in_controls_list?(id)
         register_control(Inspec::Rule.new(id, profile_id, resources_dsl, opts, &block))
+      elsif !tags_list_empty?
+        # Inside elsif rule is initialised before registering it because it enables fetching of control tags
+        # This condition is only true when --tags option is used
+        inspec_rule = Inspec::Rule.new(id, profile_id, resources_dsl, opts, &block)
+        tag_ids = control_tags(inspec_rule)
+        register_control(inspec_rule) if tag_exist_in_control_tags?(tag_ids)
       end
     end
 
     alias rule control
 
-    def control_tags(&block)
-      tag_source = block.source.split("\n").select { |src| src.split.first.eql?("tag") }
-      tag_source = tag_source.map { |src| src.sub("tag", "").strip }.map { |src| src.split(",").map { |final_src| final_src.sub(/([^:]*):/, "") } }.flatten
-      output = tag_source.map { |src| src.sub(/\[|\]/, "") }.map { |src| instance_eval(src) }
-      output.compact.uniq
+    def control_tags(inspec_rule)
+      all_tags = []
+      inspec_rule.tag.each do |key, value|
+        all_tags.push(key)
+        all_tags.push(value) unless value.nil?
+      end
+      all_tags.flatten.compact.uniq.map(&:to_s)
     rescue
       []
     end

data/lib/inspec/fetcher/url.rb

@@ -44,11 +44,17 @@ module Inspec::Fetcher
     #  - Branch URL
     #  - Commit URL
     #
-    # master url:
+    # master url(default branch master):
     # https://github.com/nathenharvey/tmp_compliance_profile/ is transformed to
     # https://github.com/nathenharvey/tmp_compliance_profile/archive/master.tar.gz
     # https://bitbucket.org/username/repo is transformed to
     # https://bitbucket.org/username/repo/get/master.tar.gz
+
+    # main url(default branch main):
+    # https://github.com/nathenharvey/tmp_compliance_profile/ is transformed to
+    # https://github.com/nathenharvey/tmp_compliance_profile/archive/main.tar.gz
+    # https://bitbucket.org/username/repo is transformed to
+    # https://bitbucket.org/username/repo/get/main.tar.gz
     #
     # branch:
     # https://github.com/hardening-io/tests-os-hardening/tree/2.0 is transformed to
@@ -68,14 +74,18 @@ module Inspec::Fetcher
     BITBUCKET_URL_REGEX = %r{^https?://(www\.)?bitbucket\.org/(?<user>[\w-]+)/(?<repo>[\w-]+)(\.git)?(/)?$}.freeze
     BITBUCKET_URL_BRANCH_REGEX = %r{^https?://(www\.)?bitbucket\.org/(?<user>[\w-]+)/(?<repo>[\w-]+)/branch/(?<branch>[\w\.]+)(/)?$}.freeze
     BITBUCKET_URL_COMMIT_REGEX = %r{^https?://(www\.)?bitbucket\.org/(?<user>[\w-]+)/(?<repo>[\w-]+)/commits/(?<commit>[\w\.]+)(/)?$}.freeze
+    GITHUB_URL = "https://github.com".freeze
+    BITBUCKET_URL = "https://bitbucket.org".freeze
 
     def self.transform(target)
       transformed_target = if m = GITHUB_URL_REGEX.match(target) # rubocop:disable Lint/AssignmentInCondition
-                             "https://github.com/#{m[:user]}/#{m[:repo]}/archive/master.tar.gz"
+                             default_branch = default_ref(m, GITHUB_URL)
+                             "https://github.com/#{m[:user]}/#{m[:repo]}/archive/#{default_branch}.tar.gz"
                            elsif m = GITHUB_URL_WITH_TREE_REGEX.match(target) # rubocop:disable Lint/AssignmentInCondition
                              "https://github.com/#{m[:user]}/#{m[:repo]}/archive/#{m[:commit]}.tar.gz"
                            elsif m = BITBUCKET_URL_REGEX.match(target) # rubocop:disable Lint/AssignmentInCondition
-                             "https://bitbucket.org/#{m[:user]}/#{m[:repo]}/get/master.tar.gz"
+                             default_branch = default_ref(m, BITBUCKET_URL)
+                             "https://bitbucket.org/#{m[:user]}/#{m[:repo]}/get/#{default_branch}.tar.gz"
                            elsif m = BITBUCKET_URL_BRANCH_REGEX.match(target) # rubocop:disable Lint/AssignmentInCondition
                              "https://bitbucket.org/#{m[:user]}/#{m[:repo]}/get/#{m[:branch]}.tar.gz"
                            elsif m = BITBUCKET_URL_COMMIT_REGEX.match(target) # rubocop:disable Lint/AssignmentInCondition
@@ -120,6 +130,38 @@ module Inspec::Fetcher
 
     private
 
+    class << self
+      def default_ref(match_data, repo_url)
+        remote_url = "#{repo_url}/#{match_data[:user]}/#{match_data[:repo]}.git"
+        command_string = "git remote show #{remote_url}"
+        cmd = shellout(command_string)
+        unless cmd.exitstatus == 0
+          raise(Inspec::FetcherFailure, "Profile git dependency failed with default reference - #{remote_url} - error running '#{command_string}': #{cmd.stderr}")
+        else
+          ref = cmd.stdout.lines.detect { |l| l.include? "HEAD branch:" }&.split(":")&.last&.strip
+          unless ref
+            raise(Inspec::FetcherFailure, "Profile git dependency failed with default reference - #{remote_url} - error running '#{command_string}': NULL reference")
+          end
+
+          ref
+        end
+      end
+
+      def shellout(cmd, opts = {})
+        Inspec::Log.debug("Running external command: #{cmd} (#{opts})")
+        cmd = Mixlib::ShellOut.new(cmd, opts)
+        cmd.run_command
+        Inspec::Log.debug("External command: completed with exit status: #{cmd.exitstatus}")
+        Inspec::Log.debug("External command: STDOUT BEGIN")
+        Inspec::Log.debug(cmd.stdout)
+        Inspec::Log.debug("External command: STDOUT END")
+        Inspec::Log.debug("External command: STDERR BEGIN")
+        Inspec::Log.debug(cmd.stderr)
+        Inspec::Log.debug("External command: STDERR END")
+        cmd
+      end
+    end
+
     def parse_uri(target)
       return URI.parse(target) if target.is_a?(String)
 

data/lib/inspec/fetcher.rb

@@ -2,12 +2,12 @@ require "inspec/plugin/v1"
 
 module Inspec
   class FetcherRegistry < PluginRegistry
-    def resolve(target)
+    def resolve(target, opts = {})
       if fetcher_specified?(target)
-        super(target)
+        super(target, opts)
       else
         Inspec::Log.debug("Assuming default supermarket source for #{target}")
-        super(with_default_fetcher(target))
+        super(with_default_fetcher(target), opts)
       end
     end
 

data/lib/inspec/plugin/v1/registry.rb

@@ -9,9 +9,13 @@ class PluginRegistry
   #
   # @param [String] target to resolve
   # @return [Plugin] plugin instance if it can be resolved, nil otherwise
-  def resolve(target)
+  def resolve(target, opts = {})
     modules.each do |m|
-      res = m.resolve(target)
+      res = if Inspec::Fetcher::Url == m
+              m.resolve(target, opts)
+            else
+              m.resolve(target)
+            end
       return res unless res.nil?
     end
     nil

data/lib/inspec/profile.rb

@@ -18,9 +18,9 @@ module Inspec
   class Profile
     extend Forwardable
 
-    def self.resolve_target(target, cache)
+    def self.resolve_target(target, cache, opts = {})
       Inspec::Log.debug "Resolve #{target} into cache #{cache.path}"
-      Inspec::CachedFetcher.new(target, cache)
+      Inspec::CachedFetcher.new(target, cache, opts)
     end
 
     # Check if the profile contains a vendored cache, move content into global cache
@@ -70,7 +70,11 @@ module Inspec
 
     def self.for_target(target, opts = {})
       opts[:vendor_cache] ||= Cache.new
-      fetcher = resolve_target(target, opts[:vendor_cache])
+      config = {}
+      unless opts[:runner_conf].nil?
+        config = opts[:runner_conf].respond_to?(:final_options) ? opts[:runner_conf].final_options : opts[:runner_conf]
+      end
+      fetcher = resolve_target(target, opts[:vendor_cache], config)
       for_fetcher(fetcher, opts)
     end
 

data/lib/inspec/resources/apache_conf.rb

@@ -82,7 +82,7 @@ module Inspec::Resources
           end
         end
 
-        @params.merge!(params)
+        @params.merge!(params) { |key, current_val, new_val| [*current_val].to_a + [*new_val].to_a }
 
         to_read = to_read.drop(1)
         to_read += include_files(params).find_all do |fp|
@@ -101,12 +101,14 @@ module Inspec::Resources
       include_files_optional = params["IncludeOptional"] || []
 
       includes = []
-      (include_files + include_files_optional).each do |f|
-        id    = Pathname.new(f).absolute? ? f : File.join(conf_dir, f)
-        files = find_files(id, depth: 1, type: "file")
-        files += find_files(id, depth: 1, type: "link")
+      unless conf_dir.nil?
+        (include_files + include_files_optional).each do |f|
+          id    = Pathname.new(f).absolute? ? f : File.join(conf_dir, f)
+          files = find_files(id, depth: 1, type: "file")
+          files += find_files(id, depth: 1, type: "link")
 
-        includes.push(files) if files
+          includes.push(files) if files
+        end
       end
 
       # [].flatten! == nil

data/lib/inspec/resources/postgres_session.rb

@@ -46,8 +46,6 @@ module Inspec::Resources
       @host = host || "localhost"
       @port = port || 5432
       raise Inspec::Exceptions::ResourceFailed, "Can't run PostgreSQL SQL checks without authentication." if @user.nil? || @pass.nil?
-
-      test_connection
     end
 
     def query(query, db = [])
@@ -65,10 +63,6 @@ module Inspec::Resources
 
     private
 
-    def test_connection
-      query("select now()\;")
-    end
-
     def escaped_query(query)
       Shellwords.escape(query)
     end

data/lib/inspec/resources/registry_key.rb

@@ -105,7 +105,7 @@ module Inspec::Resources
       children_keys(@options[:path], filter)
     end
 
-    # returns nil, if not existant or value
+    # returns nil, if not existent or value
     def method_missing(*keys)
       # allow the use of array syntax in an `its` block so that users
       # can use it to query for keys with . characters in them

data/lib/inspec/resources/security_identifier.rb

@@ -57,14 +57,14 @@ module Inspec::Resources
       @sids = {}
       case @type
       when :group
-        sid_data = wmi_results(:group)
+        sid_data = cim_results(:group)
       when :user
-        sid_data = wmi_results(:user)
+        sid_data = cim_results(:user)
       when :unspecified
         # try group first, then user
-        sid_data = wmi_results(:group)
+        sid_data = cim_results(:group)
         if sid_data.empty?
-          sid_data = wmi_results(:user)
+          sid_data = cim_results(:user)
         end
       else
         raise "Unhandled entity type '#{@type}'"
@@ -72,20 +72,14 @@ module Inspec::Resources
       sid_data.each { |sid| @sids[sid[1]] = sid[2] }
     end
 
-    def wmi_results(type)
-      query = "wmic "
+    def cim_results(type)
       case type
       when :group
-        query += "group"
+        cmd = "Get-CimInstance -ClassName Win32_Account | Select-Object -Property Domain, Name, SID | Where-Object { $_.Name -eq '#{@name}' -and { $_.SIDType -eq 4 -or $_.SIDType -eq 5 } } | ConvertTo-Csv -NoTypeInformation"
       when :user
-        query += "useraccount"
+        cmd = "Get-CimInstance -ClassName Win32_Account | Select-Object -Property Domain, Name, SID, SIDType | Where-Object { $_.Name -eq '#{@name}' -and $_.SIDType -eq 1 } | ConvertTo-Csv -NoTypeInformation"
       end
-      query += " where 'Name=\"#{@name}\"' get Name\",\"SID /format:csv"
-      # Example output:
-      #     inspec> command("wmic useraccount where 'Name=\"Administrator\"' get Name\",\"SID /format:csv").stdout
-      #     => "\r\n\r\nNode,Name,SID\r\n\r\nComputer1,Administrator,S-1-5-21-650485088-1194226989-968533923-500\r\n\r\n"
-      # Remove the \r characters, split on \n\n, ignore the CSV header row
-      inspec.command(query).stdout.strip.tr("\r", "").split("\n\n")[1..-1].map { |entry| entry.split(",") }
+      inspec.command(cmd).stdout.strip.gsub("\"", "").tr("\r", "").split("\n")[1..-1].map { |entry| entry.split(",") }
     end
   end
 end

data/lib/inspec/resources/security_policy.rb

@@ -147,7 +147,7 @@ module Inspec::Resources
 
     # extracts the values, this methods detects:
     # numbers and SIDs and optimizes them for further usage
-    def extract_value(val)
+    def extract_value(key, val)
       if val =~ /^\d+$/
         val.to_i
       # special handling for SID array
@@ -166,14 +166,15 @@ module Inspec::Resources
       elsif !(m = /^\"(.*)\"$/.match(val)).nil?
         m[1]
       else
-        val
+        # When there is Registry Values we are not spliting the value for backward compatibility
+        key.include?("\\") ? val : val.split(",")
       end
     end
 
     def convert_hash(hash)
       new_hash = {}
       hash.each do |k, v|
-        v.is_a?(Hash) ? value = convert_hash(v) : value = extract_value(v)
+        v.is_a?(Hash) ? value = convert_hash(v) : value = extract_value(k, v)
         new_hash[k.strip] = value
       end
       new_hash

data/lib/inspec/resources/service.rb

@@ -152,6 +152,12 @@ module Inspec::Resources
         else
           SysV.new(inspec, service_ctl || "/sbin/service")
         end
+      when "alibaba"
+        if os[:release].to_i >= 3
+          Systemd.new(inspec, service_ctl)
+        else
+          SysV.new(inspec, service_ctl || "/sbin/service")
+        end
       when "wrlinux"
         SysV.new(inspec, service_ctl)
       when "mac_os_x", "darwin"

data/lib/inspec/resources/wmi.rb

@@ -36,7 +36,7 @@ module Inspec::Resources
       end
     end
 
-    # returns nil, if not existant or value
+    # returns nil, if not existent or value
     def method_missing(*keys)
       # catch behavior of rspec its implementation
       # @see https://github.com/rspec/rspec-its/blob/v1.2.0/lib/rspec/its.rb#L110

data/lib/inspec/utils/filter.rb

@@ -256,7 +256,7 @@ module FilterTable
     end
 
     def matches(x, y)
-      x === y # rubocop:disable Style/CaseEquality
+      y === x # rubocop:disable Style/CaseEquality
     end
 
     def filter_raw_data(current_raw_data, field, desired_value)

data/lib/inspec/version.rb

@@ -1,3 +1,3 @@
 module Inspec
-  VERSION = "4.41.2".freeze
+  VERSION = "4.41.20".freeze
 end

data/lib/plugins/inspec-init/templates/profiles/aws/inspec.yml

@@ -16,6 +16,6 @@ inputs:
   description: 'Optional Custom AWS VPC Id'
 depends:
   - name: inspec-aws
-    url: https://github.com/inspec/inspec-aws/archive/master.tar.gz
+    url: https://github.com/inspec/inspec-aws/archive/main.tar.gz
 supports:
   - platform: aws

data/lib/plugins/inspec-init/templates/profiles/azure/inspec.yml

@@ -9,6 +9,6 @@ version: 0.1.0
 inspec_version: '>= 2.2.7'
 depends:
 - name: inspec-azure
-  url: https://github.com/inspec/inspec-azure/archive/master.tar.gz
+  url: https://github.com/inspec/inspec-azure/archive/main.tar.gz
 supports:
 - platform: azure

data/lib/plugins/inspec-init/templates/profiles/gcp/inspec.yml

@@ -13,6 +13,6 @@ inputs:
   description: 'The GCP project identifier.'
 depends:
 - name: inspec-gcp
-  url: https://github.com/inspec/inspec-gcp/archive/master.tar.gz
+  url: https://github.com/inspec/inspec-gcp/archive/main.tar.gz
 supports:
 - platform: gcp

data/lib/plugins/inspec-plugin-manager-cli/lib/inspec-plugin-manager-cli/cli_command.rb

@@ -232,10 +232,10 @@ module InspecPlugins
 
         # Already installed?
         if registry.known_plugin?(plugin_name.to_sym)
-          ui.red("Plugin already installed - #{plugin_name} - Use '#{EXEC_NAME} " \
-                 "plugin list' to see previously installed plugin - " \
-                 "installation failed.\n")
-          ui.exit Inspec::UI::EXIT_PLUGIN_ERROR
+          ui.bold("Plugin already installed - #{plugin_name} - Use '#{EXEC_NAME} " \
+                  "plugin list' to see previously installed plugin - " \
+                  "installation failed.\n")
+          ui.exit Inspec::UI::EXIT_NORMAL
         end
 
         # Can we figure out how to load it?
@@ -391,19 +391,20 @@ module InspecPlugins
         they_explicitly_asked_for_a_version = !options[:version].nil?
         what_we_would_install_is_already_installed = pre_installed_versions.include?(requested_version)
         if what_we_would_install_is_already_installed && they_explicitly_asked_for_a_version
-          ui.red("Plugin already installed at requested version - plugin " \
+          ui.bold("Plugin already installed at requested version - plugin " \
                  "#{plugin_name} #{requested_version} - refusing to install.\n")
+          ui.exit Inspec::UI::EXIT_NORMAL
         elsif what_we_would_install_is_already_installed && !they_explicitly_asked_for_a_version
           ui.red("Plugin already installed at latest version - plugin " \
                  "#{plugin_name} #{requested_version} - refusing to install.\n")
-        else
-          # There are existing versions installed, but none of them are what was requested
-          ui.red("Update required - plugin #{plugin_name}, requested " \
-                 "#{requested_version}, have " \
-                 "#{pre_installed_versions.join(", ")}; use `inspec " \
-                 "plugin update` - refusing to install.\n")
+          ui.exit Inspec::UI::EXIT_NORMAL
         end
 
+        # There are existing versions installed, but none of them are what was requested
+        ui.red("Update required - plugin #{plugin_name}, requested " \
+               "#{requested_version}, have " \
+               "#{pre_installed_versions.join(", ")}; use `inspec " \
+               "plugin update` - refusing to install.\n")
         ui.exit Inspec::UI::EXIT_PLUGIN_ERROR
       end
 
@@ -433,7 +434,7 @@ module InspecPlugins
                  "version #{options[:version]} found on #{source_host} - " \
                  "installation failed.\n")
         else
-          ui.red("Unknown error occured - installation failed.\n")
+          ui.red("Unknown error occurred - installation failed.\n")
         end
         ui.exit Inspec::UI::EXIT_USAGE_ERROR
       end
@@ -457,15 +458,15 @@ module InspecPlugins
           end
         end
 
-        # Check for latest version (and implicitly, existance)
+        # Check for latest version (and implicitly, existence)
         latest_version = installer.search(plugin_name, exact: true, scope: :latest)
         latest_version = latest_version[plugin_name]&.last
 
         if pre_update_versions.include?(latest_version)
-          ui.plain_line("#{ui.red("Already installed at latest version:", print: false)} " \
+          ui.plain_line("#{ui.bold("Already installed at latest version:", print: false)} " \
                    "#{plugin_name} is at #{latest_version}, which the " \
                    "latest - refusing to update")
-          ui.exit Inspec::UI::EXIT_PLUGIN_ERROR
+          ui.exit Inspec::UI::EXIT_NORMAL
         end
       end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec-core
 version: !ruby/object:Gem::Version
-  version: 4.41.2
+  version: 4.41.20
 platform: ruby
 authors:
 - Chef InSpec Team
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-08-13 00:00:00.000000000 Z
+date: 2021-09-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: chef-telemetry