inspec-core 5.22.40 → 6.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a95805ac2a4faab83d1826792a5d838caa5f1808fcc884e061cf3f7070ab6ef2
-  data.tar.gz: 984dfca55efec04f1e9b98ddfebf5be636b96a91c7fe7dc97f9ffb9789c60af3
+  metadata.gz: 2e2d81ddee4b440d4bcb0d00b586707400b189e833942dd65e677bd7f75df0a4
+  data.tar.gz: 69905f313a3303d2e385fe603c6d808970aca2efc7d37498d74ca12727583608
 SHA512:
-  metadata.gz: fb6e20f346e0e5ab27878931b1396c10a633b99767472774299d92fce3ae2ccf01399cb100e5ae4566456039a3d814ac4148670da65b41563e72139d29551ed7
-  data.tar.gz: 0c9c665c3afb6d90121bf40ac00736a900955e0ea5955af58f7e56378d18eecfd7560f40e2cce049afd7156ecb495c77b1c58765c0e69f82bfd03e976c2f367f
+  metadata.gz: 754812b73f047d377cdcdfd1c409a15a916ae69d529bded4ace7993b638f1ab6783c7a4394107d538a2df5523887d782a251cfbbf7923a2084961372de1ab12d
+  data.tar.gz: 2ccb38f332159f8af419ef0c343710271d32328198354327489d492ca66c7bad921a5271310f984e844f12eddfa0a70664024be9dac2bdabbf96a0974fc97c74

data/Chef-EULA

@@ -0,0 +1,9 @@
+Packaged distributions of Progress® Chef® products obtained from RubyGems 
+are made available pursuant to the Progress Chef EULA at 
+https://www.chef.io/end-user-license-agreement, unless there is an executed 
+agreement in effect between you and Progress that covers the Progress Chef 
+products ("Master Agreement"), in which case the Master Agreement shall govern.
+
+Source code obtained from the Chef GitHub repository is made available 
+under Apache-2.0, a copy of which can be found in 
+http://www.apache.org/licenses/LICENSE-2.0 

data/Gemfile

@@ -1,3 +1,12 @@
+# For Chef internal builds, allows preview versions of gems if available.
+if ENV["ARTIFACTORY_BASE_URL"]
+  source ENV["ARTIFACTORY_BASE_URL"] + "/artifactory/api/gems/omnibus-gems-local/" do
+    # TODO: either fully populate this list, or revert back to non-block format
+    #       to sweep all Chef gems from Artifactory.
+    gem "chef-licensing"
+  end
+end
+
 source "https://rubygems.org"
 
 gem "inspec", path: "."
@@ -11,10 +20,6 @@ gem "inspec-bin", path: "./inspec-bin"
 
 gem "ffi", ">= 1.9.14", "!= 1.13.0", "!= 1.14.2"
 
-# We have a build issue 2023-11-13 with unf_ext 0.0.9 so we are pinning to 0.0.8.2
-# See https://github.com/knu/ruby-unf_ext/issues/74 https://buildkite.com/chef/inspec-inspec-inspec-5-omnibus-release/builds/22
-gem "unf_ext", "= 0.0.8.2"
-
 # inspec tests depend text output that changed in the 3.10 release
 # but our runtime dep is still 3.9+
 gem "rspec", ">= 3.10"
@@ -33,7 +38,7 @@ group :test do
   gem "m"
   gem "minitest-sprint", "~> 1.0"
   gem "minitest", "5.15.0"
-  gem "mocha", "~> 2.1"
+  gem "mocha", "~> 1.1"
   gem "nokogiri", "~> 1.9"
   gem "pry-byebug"
   gem "pry", "~> 0.10"

data/etc/features.sig

@@ -0,0 +1,6 @@
+LoJePRrMIqFz6d1uu5n3QBqQAPD8wLuLM8PfvdDerFjuX/TFJDFdwdcNZ8b8
+KBxFjR5qUTMZizjIUp5Jd6FFI4gSm0RIMKa4UeJCQQAWKJGo/tIbSKLPLWlV
+m1X1Z869AkvQSJxyaXvS2oKPck/znCbRKEDhuk2kqSyDJlC2BILTVa0sx3nd
+4W2J2CwFBlqmYWI1FARkZCMGlfzkjcUqrVrCb3RcZ7bcEYOT5ebIm9zZlbuV
+n2Di29KFZhl8paEoGq3EYJvxEC7rVtLccei8UteNQcSOWihG61dtPGhHnpS+
+/7RNGjrS8s4i/dQHjZlZgV6guki6EqB+DIirVek9PQ==

data/etc/features.yaml

@@ -0,0 +1,94 @@
+---
+  features:
+    inspec-cli-exec:
+      description: Run InSpec profile code at the command line.
+    inspec-cli-shell:
+      description: Experiment with InSpec Language interactively.
+    inspec-cli-check:
+      description: Examine a profile for problems.
+    inspec-cli-json:
+      description: Generate JSON summary for inspec profile/s.
+    inspec-cli-export:
+      description: Generate summary in specified formats for profile/s.
+    inspec-cli-vendor:
+      description: Download all profile dependencies and generate a lockfile in vendor directory.
+    inspec-cli-archive:
+      description: Archive a profile to tar.gz (default) or zip.
+    inspec-cli-detect:
+      description: Detect the target OS.
+    inspec-cli-env:
+      description: Output shell-appropriate completion configuration.
+    inspec-cli-schema:
+      description: Print the JSON schema.
+    inspec-cli-run-context:
+      description: Test run-context detection.
+    inspec-cli-version:
+      description: Print the version of InSpec.
+    inspec-cli-clear-cache:
+      description: Clear InSpec cache stored in ~/.inspec/cache or specific vendor cache path.
+    inspec-cli-compliance-login:
+      description: Login to Automate Server using InSpec.
+    inspec-cli-compliance-profiles:
+      description: Lists all uploaded profiles from automate server.
+    inspec-cli-compliance-exec:
+      description: Run InSpec profile from a list of profiles in automate server.
+    inspec-cli-compliance-download:
+      description: Download the InSpec profile from automate server.
+    inspec-cli-compliance-upload:
+      description: Upload InSpec profile to automate server.
+    inspec-cli-compliance-version:
+      description: Print the version of Automate Server.
+    inspec-cli-compliance-logout:
+      description: Logout from Automate Server.
+    inspec-cli-habitat-profile-create:
+      description: Create Habitat Artifact for the InSpec profile.
+    inspec-cli-habitat-profile-setup:
+      description: Configure Habitat Artifact.
+    inspec-cli-habitat-profile-upload:
+      description: Upload Habitat Artifact for the InSpec profile to Habitat Builder Depot.
+    inspec-cli-init-profile:
+      description: Generate a new InSpec profile.
+    inspec-cli-init-plugin:
+      description: Generate a new InSpec plugin.
+    inspec-cli-init-resource:
+      description: Generate a new InSpec resource.
+    inspec-cli-parallel-exec:
+      description: Run list of InSpec exec operations parallely.
+    inspec-cli-sign-generate-keys:
+      description: Generate a RSA key pair for signing and verification.
+    inspec-cli-sign-profile:
+      description: Sign InSpec profile and generate .iaf artifact.
+    inspec-cli-sign-verify:
+      description: Verify a signed profile .iaf artifact.
+    inspec-enhanced-outcomes:
+      description: Use enhanced outcomes in reporters
+    inspec-waivers:
+      description: Use waivers mechanism with one or more waiver files.
+    inspec-reporter-cli:
+      description: Use CLI reporter.
+    inspec-reporter-json:
+      description: Use JSON reporter.
+    inspec-reporter-json-automate:
+      description: Use JSON automate reporter.
+    inspec-reporter-automate:
+      description: Use automate reporter.
+    inspec-reporter-yaml:
+      description: Use YAML reporter.
+    inspec-reporter-json-min:
+      description: Use JSON min reporter for minimal JSON output.
+    inspec-reporter-junit:
+      description: Use JUnit reporter.
+    inspec-reporter-junit2:
+      description: Use JUnit2 reporter.
+    inspec-reporter-html2:
+      description: Use HTML reporter.
+    inspec-reporter-progress-bar:
+      description: Use progress bar streaming reporter
+    inspec-reporter-child-status:
+      description: Child status reporter used in inspec parallel reporting.
+    inspec-mandatory-profile-signing:
+      description: Required to use a signed Inspec profile by default with inspec commands
+      env_preview: true
+    inspec-audit-logging:
+      description: Use audit logging.
+      env_preview: true

data/inspec-core.gemspec

@@ -8,16 +8,24 @@ Gem::Specification.new do |spec|
   spec.authors       = ["Chef InSpec Team"]
   spec.email         = ["inspec@chef.io"]
   spec.summary       = "Infrastructure and compliance testing. Core library."
-  spec.description   = "InSpec provides a framework for creating end-to-end infrastructure tests. You can use it for integration or even compliance testing. Create fully portable test profiles and use them in your workflow to ensure stability and security. Integrate InSpec in your change lifecycle for local testing, CI/CD, and deployment verification. This has local support only. See the `inspec` gem for full support."
+  spec.description   = <<-EOT
+InSpec provides a framework for creating end-to-end infrastructure tests. You can use it for integration or even compliance testing. Create fully portable test profiles and use them in your workflow to ensure stability and security. Integrate InSpec in your change lifecycle for local testing, CI/CD, and deployment verification.
+This has local support only. See the `inspec` gem for full support.
+
+Packaged distributions of Progress® Chef® products obtained from RubyGems are made available pursuant to the Progress Chef EULA at https://www.chef.io/end-user-license-agreement, unless there is an executed agreement in effect between you and Progress that covers the Progress Chef products ("Master Agreement"), in which case the Master Agreement shall govern.
+
+Source code obtained from the Chef GitHub repository is made available under Apache-2.0, a copy of which is included.
+
+  EOT
   spec.homepage      = "https://github.com/inspec/inspec"
-  spec.license       = "Apache-2.0"
+  spec.license       = "LicenseRef-Chef-EULA"
   spec.require_paths = ["lib"]
 
   spec.required_ruby_version = ">= 2.7"
 
   # the gemfile and gemspec are necessary for appbundler so don't remove it
   spec.files =
-    Dir.glob("{{lib,etc}/**/*,LICENSE,Gemfile,inspec-core.gemspec}")
+    Dir.glob("{{lib,etc}/**/*,LICENSE,Chef-EULA,Gemfile,inspec-core.gemspec}")
       .grep_v(%r{(?<!inspec-init/templates/profiles/)(aws|azure|gcp|alicloud)})
       .grep_v(%r{lib/plugins/.*/test/})
       .reject { |f| File.directory?(f) }
@@ -43,9 +51,10 @@ Gem::Specification.new do |spec|
   spec.add_dependency "tty-prompt",               "~> 0.17"
   spec.add_dependency "tomlrb",                   ">= 1.2", "< 2.1"
   spec.add_dependency "addressable",              "~> 2.4"
-  spec.add_dependency "parslet",                  ">= 1.5", "< 3.0" # Pinned < 2.0, see #5389
+  spec.add_dependency "parslet",                  ">= 1.5", "< 2.0" # Pinned < 2.0, see #5389
   spec.add_dependency "semverse",                 "~> 3.0"
   spec.add_dependency "multipart-post",           "~> 2.0"
 
-  spec.add_dependency "train-core", "~> 3.10"
+  spec.add_dependency "train-core", ">= 3.11.0"
+  spec.add_dependency "chef-licensing", ">= 0.7.5"
 end

data/lib/inspec/backend.rb

@@ -61,6 +61,8 @@ module Inspec
       raise "Client error, can't connect to '#{transport_name}' backend: #{e.message}"
     rescue Train::TransportError => e
       raise "Transport error, can't connect to '#{transport_name}' backend: #{e.message}"
+    rescue Errno::ENOENT => e
+      raise "#{e.message}"
     end
 
     def initialize(backend)

data/lib/inspec/base_cli.rb

@@ -1,9 +1,11 @@
 require "thor" # rubocop:disable Chef/Ruby/UnlessDefinedRequire
+require "chef-licensing"
 require "inspec/log"
 require "inspec/ui"
 require "inspec/config"
 require "inspec/dist"
 require "inspec/utils/deprecation/global_method"
+require "inspec/utils/licensing_config"
 
 # Allow end of options during array type parsing
 # https://github.com/erikhuda/thor/issues/631
@@ -30,11 +32,34 @@ module Inspec
     end
 
     def self.start(given_args = ARGV, config = {})
-      check_license! if config[:enforce_license] || config[:enforce_license].nil?
+      if Inspec::Dist::EXEC_NAME == "inspec"
+        check_license! if config[:enforce_license] || config[:enforce_license].nil?
+        fetch_and_persist_license
+      end
 
       super(given_args, config)
     end
 
+    def self.fetch_and_persist_license
+      allowed_commands = ["-h", "--help", "help", "-v", "--version", "version", "license"]
+      begin
+        if (allowed_commands & ARGV.map(&:downcase)).empty? && !ARGV.empty?
+          license_keys = ChefLicensing.fetch_and_persist
+
+          # Only if EULA acceptance or license key args are present. And licenses are successfully persisted, do clean exit.
+          if ARGV.select { |arg| !(arg.include? "--chef-license") }.empty? && !license_keys.blank?
+            Inspec::UI.new.exit
+          end
+        end
+      rescue ChefLicensing::LicenseKeyFetcher::LicenseKeyNotFetchedError
+        Inspec::Log.error "#{Inspec::Dist::PRODUCT_NAME} cannot execute without valid licenses."
+        Inspec::UI.new.exit(:license_not_set)
+      rescue ChefLicensing::Error => e
+        Inspec::Log.error e.message
+        Inspec::UI.new.exit(:usage_error)
+      end
+    end
+
     # EULA acceptance
     def self.check_license!
       allowed_commands = ["-h", "--help", "help", "-v", "--version", "version"]
@@ -48,9 +73,6 @@ module Inspec
             Inspec::VERSION,
             logger: Inspec::Log
           )
-          if license_acceptor_output && ARGV.count == 1 && (ARGV.first.include? "--chef-license")
-            Inspec::UI.new.exit
-          end
           license_acceptor_output
         end
       rescue LicenseAcceptance::LicenseNotAcceptedError
@@ -149,6 +171,8 @@ module Inspec
         desc: "Use the given path for caching dependencies, (default: ~/.inspec/cache)."
       option :auto_install_gems, type: :boolean, default: false,
         desc: "Auto installs gem dependencies of the profile or resource pack."
+      option :allow_unsigned_profiles, type: :boolean, default: false,
+        desc: "Allow unsigned profiles to be used in InSpec command."
     end
 
     def self.supermarket_options
@@ -209,8 +233,37 @@ module Inspec
         desc: "Show enhanced outcomes in output"
     end
 
+    def self.audit_log_options
+      option :audit_log_location, type: :string,
+      desc: "Audit log location to send diagnostic log messages to. (default: '~/.inspec/logs/inspec-audit.log')"
+    end
+
     def self.help(*args)
       super(*args)
+      if Inspec::Dist::EXEC_NAME == "inspec"
+        puts <<~CHEF_LICENSE_HELP
+          Chef Compliance has three tiers of licensing:
+
+          * Free-Tier
+            Users are limited to audit maximum of 10 targets
+            Entitled for personal or non-commercial use
+
+          * Trial
+            Entitled for unlimited number of targets
+            Entitled for 30 days only
+            Entitled for commercial use
+
+          * Commercial
+            Entitled for purchased number of targets
+            Entitled for period of subscription purchased
+            Entitled for commercial use
+
+          inspec license add: This command helps users to generate or add an additional license (not applicable to local licensing service)
+
+          For more information please visit:
+          www.chef.io/licensing/faqs
+        CHEF_LICENSE_HELP
+      end
       puts "\nAbout #{Inspec::Dist::PRODUCT_NAME}:"
       puts "  Patents: chef.io/patents\n\n"
     end
@@ -327,6 +380,9 @@ module Inspec
 
     def pretty_handle_exception(exception)
       case exception
+      when Inspec::ProfileSignatureRequired
+        $stderr.puts exception.message
+        Inspec::UI.new.exit(:signature_required)
       when Inspec::InvalidProfileSignature
         $stderr.puts exception.message
         Inspec::UI.new.exit(:bad_signature)
@@ -379,5 +435,25 @@ module Inspec
       end
       o[:logger].level = get_log_level(o["log_level"])
     end
+
+    # This method is currenlty under feature preview flag and audit log will only be enabeld when CHEF_PREVIEW_AUDIT_LOGGING is set in the env variable
+    def set_and_validate_audit_log_options(opts)
+      err = []
+      opts[:enable_audit_log] ||= true
+      if opts[:audit_log_location].nil?
+        opts[:audit_log_location] = "#{Inspec.log_dir}/inspec-audit-#{Time.now.strftime("%Y%m%dT%H%M%S")}-#{Process.pid}.log"
+      elsif File.directory?(File.dirname(opts[:audit_log_location]))
+        file_path = opts[:audit_log_location]
+        # suffix the timestamp and pid to the audit log file name if log location is set through cli option
+        filename  = "#{File.basename(file_path, ".*")}-#{Time.now.strftime("%Y%m%dT%H%M%S")}-#{Process.pid}"
+        opts[:audit_log_location] = File.join( File.dirname(file_path), "#{filename}#{File.extname(file_path)}" )
+      else
+        err << "Audit log location directory #{opts[:audit_log_location]} does not exist."
+      end
+      opts[:audit_log_app_name] = Inspec::Dist::EXEC_NAME
+      unless err.empty?
+        raise Inspec::Exceptions::InvalidAuditLogOption, err.join("\n")
+      end
+    end
   end
 end

data/lib/inspec/cached_fetcher.rb

@@ -39,12 +39,33 @@ module Inspec
     end
 
     def fetch
-      if cache.exists?(cache_key)
+      if cache.exists?(cache_key) && cache.locked?(cache_key)
+        Inspec::Log.debug "Waiting for lock to be released on the cache dir ...."
+        counter = 0
+        until cache.locked?(cache_key) == false
+          if (counter += 1) > 300
+            Inspec::Log.warn "Giving up waiting on cache lock at #{cache_key}"
+            exit 1
+          end
+          sleep 0.1
+        end
+        fetch
+      elsif cache.exists?(cache_key) && !cache.locked?(cache_key)
         Inspec::Log.debug "Using cached dependency for #{target}"
         [cache.prefered_entry_for(cache_key), false]
       else
-        Inspec::Log.debug "Dependency does not exist in the cache #{target}"
-        fetcher.fetch(cache.base_path_for(fetcher.cache_key))
+        begin
+          Inspec::Log.debug "Dependency does not exist in the cache #{target}"
+          cache.lock(cache.base_path_for(fetcher.cache_key)) if fetcher.requires_locking?
+          fetcher.fetch(cache.base_path_for(fetcher.cache_key))
+        rescue SystemExit => e
+          exit_code = e.status || 1
+          Inspec::Log.error "Error while creating cache for dependency ... #{e.message}"
+          FileUtils.rm_rf(cache.base_path_for(fetcher.cache_key))
+          exit(exit_code)
+        ensure
+          cache.unlock(cache.base_path_for(fetcher.cache_key)) if fetcher.requires_locking?
+        end
         assert_cache_sanity!
         [fetcher.archive_path, fetcher.writable?]
       end