inspec 0.10.1 → 0.11.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 9faacfe31cee7ccb07175da65b07f589165c8960
-  data.tar.gz: a2d9f9b214a2af6ff48dd738b325786b0d5bb593
+  metadata.gz: 70a0c204211c2bd4a689aff2790fe23999a5013a
+  data.tar.gz: ee648ad90d3d80a6f2cd4f2c18207d39916a6b49
 SHA512:
-  metadata.gz: 5f90de24ba19b21d3653c73f4501c546883d42aa098e47368205d9711a7ae8fbf71bf5117ca2b884350abdf1530f84f1378d690cdc2335dede6ff1882dfbef12
-  data.tar.gz: 8c408ae57fed30a71e85873bbeaf83a6b9eeee02c6f05702f5c3d699d6bfbb7c99f68ad6c20a4b997ceb2ba50055bc30654e3a708e7ff9976bb59b5ee4d90540
+  metadata.gz: c71d588c6547180d6f54e769c1580dc88d98634cc7100583e6723ea172014fb1f3feb7471791cbd9429b112bda7dbba840564e6ea65ec61faf36427847ca92e2
+  data.tar.gz: 0d5750125ca6c6cce5ab69a001726dc7663ae95b2269cf8a162ff9e08037ae64ca3607a220af7ae11f47b2c623b3f17b99da92ebabd8650481ae6916b5286a18

data/CHANGELOG.md

@@ -1,12 +1,43 @@
 # Change Log
 
-## [0.10.1](https://github.com/chef/inspec/tree/0.10.1) (2016-02-05)
-[Full Changelog](https://github.com/chef/inspec/compare/v0.10.0...0.10.1)
+## [0.11.0](https://github.com/chef/inspec/tree/0.11.0) (2016-02-09)
+[Full Changelog](https://github.com/chef/inspec/compare/v0.10.1...0.11.0)
+
+**Implemented enhancements:**
+
+- Improve apache resource [\#407](https://github.com/chef/inspec/pull/407) ([chris-rock](https://github.com/chris-rock))
+- auditd\_rules rework [\#400](https://github.com/chef/inspec/pull/400) ([srenatus](https://github.com/srenatus))
+
+**Fixed bugs:**
+
+- File stats are not always working properly [\#430](https://github.com/chef/inspec/issues/430)
+- Integration test for apache config [\#406](https://github.com/chef/inspec/issues/406)
+- rework auditd\_rules resource [\#312](https://github.com/chef/inspec/issues/312)
+- resource/auditd\_rules: update rule list format [\#309](https://github.com/chef/inspec/issues/309)
 
 **Merged pull requests:**
 
+- Fix supermarket cli registration [\#441](https://github.com/chef/inspec/pull/441) ([chris-rock](https://github.com/chris-rock))
+- update to winrm 1.6.1 command scheme [\#439](https://github.com/chef/inspec/pull/439) ([arlimus](https://github.com/arlimus))
+- semantics: rename CLI plugins registry -\> commands [\#435](https://github.com/chef/inspec/pull/435) ([arlimus](https://github.com/arlimus))
+- avoid automatic plugin loading via library [\#434](https://github.com/chef/inspec/pull/434) ([arlimus](https://github.com/arlimus))
+- clarify the role of the plugin API at the moment [\#433](https://github.com/chef/inspec/pull/433) ([arlimus](https://github.com/arlimus))
+- Implement Supermarket Extension [\#432](https://github.com/chef/inspec/pull/432) ([chris-rock](https://github.com/chris-rock))
+- dedup Gemfiles [\#429](https://github.com/chef/inspec/pull/429) ([srenatus](https://github.com/srenatus))
+- fix loading order of plugins [\#428](https://github.com/chef/inspec/pull/428) ([arlimus](https://github.com/arlimus))
+- Update dsl\_inspec.rst [\#427](https://github.com/chef/inspec/pull/427) ([GeoFruck](https://github.com/GeoFruck))
+
+## [v0.10.1](https://github.com/chef/inspec/tree/v0.10.1) (2016-02-05)
+[Full Changelog](https://github.com/chef/inspec/compare/v0.10.0...v0.10.1)
+
+**Fixed bugs:**
+
 - wrap basecli in inspec module [\#425](https://github.com/chef/inspec/pull/425) ([arlimus](https://github.com/arlimus))
 
+**Merged pull requests:**
+
+- 0.10.1 [\#426](https://github.com/chef/inspec/pull/426) ([chris-rock](https://github.com/chris-rock))
+
 ## [v0.10.0](https://github.com/chef/inspec/tree/v0.10.0) (2016-02-05)
 [Full Changelog](https://github.com/chef/inspec/compare/v0.9.11...v0.10.0)
 

data/Gemfile

@@ -2,6 +2,12 @@
 source 'https://rubygems.org'
 gemspec
 
+# pin dependency for Ruby 1.9.3 since bundler is not
+# detecting that net-ssh 3 does not work with 1.9.3
+if Gem::Version.new(RUBY_VERSION) <= Gem::Version.new('1.9.3')
+  gem 'net-ssh', '~> 2.9'
+end
+
 group :test do
   gem 'bundler', '~> 1.5'
   gem 'minitest', '~> 5.5'

data/bin/inspec

@@ -142,8 +142,12 @@ class Inspec::InspecCLI < Inspec::BaseCLI # rubocop:disable Metrics/ClassLength
   end
 end
 
+# Load all plugins on startup
+ctl = Inspec::PluginCtl.new
+ctl.list.each { |x| ctl.load(x) }
+
 # load CLI plugins before the Inspec CLI has been started
-Inspec::Plugins::CLI.registry.each { |_subcommand, params|
+Inspec::Plugins::CLI.subcommands.each { |_subcommand, params|
   Inspec::InspecCLI.register(
     params[:klass],
     params[:subcommand_name],

data/docs/dsl_inspec.rst

@@ -11,7 +11,7 @@ The following sections describe the syntax and show some simple examples of usin
 Syntax
 =====================================================
 
-The following resource tests |ssh| server configuration. For example, a simple control may desrcibed as:
+The following resource tests |ssh| server configuration. For example, a simple control may described as:
 
 .. code-block:: ruby
 

data/docs/resources.rst

@@ -306,12 +306,14 @@ The following examples show how to use this InSpec audit resource.
 
 auditd_rules
 =====================================================
-Use the ``auditd_rules`` |inspec resource| to test the rules for logging that exist on the system. The ``audit.rules`` file is typically located under ``/etc/audit/`` and contains the list of rules that define what is captured in log files.
+Use the ``auditd_rules`` |inspec resource| to test the rules for logging that exist on the system. The ``audit.rules`` file is typically located under ``/etc/audit/`` and contains the list of rules that define what is captured in log files. This resource uses `auditctl` to query the _run-time_ auditd rules setup (which may divert from `audit.rules`).
 
 **Stability: Experimental**
 
 Syntax
 -----------------------------------------------------
+A change in the output format (with an `audit` package version 2.3 or newer) is reflected in two interfaces included in `auditd_rules`:
+
 A ``auditd_rules`` |inspec resource| block declares one (or more) rules to be tested, and then what that rule should do:
 
 .. code-block:: ruby
@@ -342,7 +344,7 @@ or test that individual rules are defined:
 
 where each test
 
-* Must declare one (or more) rules to be tested
+* must declare one (or more) rules to be tested
 
 Examples
 -----------------------------------------------------
@@ -352,12 +354,47 @@ The following examples show how to use this InSpec audit resource.
 
 .. code-block:: ruby
 
+   # syntax for audit < 2.3
    describe audit_daemon_rules do
      its("LIST_RULES") {
        should contain_match(/^exit,always arch=.* key=time-change syscall=adjtimex,settimeofday/)
      }
    end
 
+   # syntax for auditd >= 2.3
+   describe auditd_rules do
+     its(:lines) { should contain_match(%r{-w /etc/ssh/sshd_config/}) }
+   end
+
+The syntax for recent auditd versions allows more precise tests, such as the following:
+
+**Query the audit daemon status.**
+
+.. code-block:: ruby
+
+   describe auditd_rules.status('backlog') do
+     it { should cmp 0 }
+   end
+
+**Query properties of rules targeting specific syscalls or files.**
+
+.. code-block:: ruby
+
+   describe auditd_rules.syscall('open').action do
+     it { should eq(['always']) }
+   end
+
+   describe auditd_rules.key('sshd_config') do
+     its(:permissions) { should contain_match(/x/) }
+   end
+
+Note that filters can be chained, for example:
+
+.. code-block:: ruby
+
+   describe auditd_rules.syscall('open').action('always').list do
+     it { should eq(['exit']) }
+   end
 
 
 bond

data/examples/resource/controls/tiny.rb

@@ -0,0 +1,3 @@
+describe tiny do
+require 'pry'; binding.pry
+end

data/examples/resource/inspec.yml

@@ -0,0 +1,10 @@
+name: resource
+title: InSpec Example Resources
+maintainer: Chef Software, Inc.
+copyright: Chef Software, Inc.
+copyright_email: support@chef.io
+license: Apache 2 license
+summary: Demonstrates the use of InSpec custom resources
+version: 1.0.0
+supports:
+  - linux

data/examples/resource/libraries/tiny.rb

@@ -0,0 +1,3 @@
+class Tiny < Inspec.resource(1)
+  name 'tiny'
+end

data/lib/bundles/inspec-compliance/cli.rb

@@ -142,5 +142,5 @@ module Compliance
   end
 
   # register the subcommand to Inspec CLI registry
-  Inspec::Plugins::CLI.register(ComplianceCLI, 'compliance', 'compliance SUBCOMMAND ...', 'Chef Compliance commands', {})
+  Inspec::Plugins::CLI.add_subcommand(ComplianceCLI, 'compliance', 'compliance SUBCOMMAND ...', 'Chef Compliance commands', {})
 end

data/lib/bundles/inspec-supermarket/README.md

@@ -10,22 +10,3 @@ To use the CLI, this InSpec add-on adds the following commands:
 
  - via supermarket exec: `inspec supermarket exec nathenharvey/tmp-compliance-profile`
  - via supermarket scheme: `inspec exec supermarket://nathenharvey/tmp-compliance-profile`
-
-
- # fetch all available profiles in local cache
- # https://supermarket.chef.io/api/v1/tools-search\?q\=compliance_profile
-
- # get the tool slug url
- # https://supermarket.chef.io/api/v1/tools/tmp-compliance-profile
- # https://supermarket.chef.io/api/v1/tools/tmp_compliance_profile
- # response
- # {
- #     "description": "An InSpec compliance profile for use with Chef Compliance Server.\r\n",
- #     "instructions": "## Installation\r\n\r\nDownload the [latest release](https://github.com/nathenharvey/tmp_compliance_profile/releases) from GitHub and upload the tar.gz to your Chef Compliance Server.\r\n\r\n## Controls Included\r\n\r\n* tmp-1.0 - A /tmp directory must exist\r\n* tmp-1.1 - The /tmp directory must be owned by the root user\r\n\r\n## License & Authors\r\n\r\n*Author:*  Nathen Harvey\r\n\r\n*Copyright:* 2015-2016, Chef Software, Inc.\r\n\r\n    Licensed under the Apache License, Version 2.0 (the \"License\");\r\n    you may not use this file except in compliance with the License.\r\n    You may obtain a copy of the License at\r\n\r\n        http://www.apache.org/licenses/LICENSE-2.0\r\n\r\n    Unless required by applicable law or agreed to in writing, software\r\n    distributed under the License is distributed on an \"AS IS\" BASIS,\r\n    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r\n    See the License for the specific language governing permissions and\r\n    limitations under the License.\r\n",
- #     "name": "/tmp Compliance Profile",
- #     "owner": "nathenharvey",
- #     "slug": "tmp-compliance-profile",
- #     "source_url": "https://github.com/nathenharvey/tmp_compliance_profile/",
- #     "type": "compliance_profile",
- #     "up_for_adoption": false
- # }

data/lib/bundles/inspec-supermarket/api.rb

@@ -4,36 +4,65 @@
 
 module Supermarket
   class API
+    SUPERMARKET_URL = 'https://supermarket.chef.io'.freeze
+
+    def self.supermarket_url
+      SUPERMARKET_URL
+    end
+
+    # displays a list of profiles
     def self.profiles
-      url = 'https://supermarket.chef.io/api/v1/tools-search'
-      data = get(url, { :q => 'compliance_profile' })
+      url = "#{SUPERMARKET_URL}/api/v1/tools-search"
+      _success, data = get(url, { q: 'compliance_profile' })
       if !data.nil?
         profiles = JSON.parse(data)
         profiles['items']
-        # val = []
-        # # iterate over profiles
-        # profiles.each_key { |org|
-        #   profiles[org].each_key { |name|
-        #     val.push({ org: org, name: name})
-        #   }
-        # }
-        # val
       else
         []
       end
     end
 
-    def self.info(slug)
-      url = "https://supermarket.chef.io/api/v1/tools/#{slug}"
-      data = get(url, {})
+    def self.profile_name(profile)
+      uri = URI(profile)
+      [uri.host, uri.path[1..-1]]
+    rescue URI::Error => _e
+      nil
+    end
+
+    # displays profile infos
+    def self.info(profile)
+      _tool_owner, tool_name = profile_name("supermarket://#{profile}")
+      url = "#{SUPERMARKET_URL}/api/v1/tools/#{tool_name}"
+      _success, data = get(url, {})
       if !data.nil?
-        info = JSON.parse(data)
+        JSON.parse(data)
       else
         {}
       end
+    rescue JSON::ParserError
+      {}
     end
 
-    private
+    # compares a profile with the supermarket tool info
+    def self.same?(profile, supermarket_tool)
+      tool_owner, tool_name = profile_name(profile)
+      tool = "#{SUPERMARKET_URL}/api/v1/tools/#{tool_name}"
+      supermarket_tool['tool_owner'] == tool_owner && supermarket_tool['tool'] == tool
+    end
+
+    def self.find(profile)
+      profiles = Supermarket::API.profiles
+      if !profiles.empty?
+        index = profiles.index { |t| same?(profile, t) }
+        # return profile or nil
+        profiles[index] if !index.nil? && index >= 0
+      end
+    end
+
+    # verifies that a profile exists
+    def self.exist?(profile)
+      !find(profile).nil?
+    end
 
     def self.get(url, params)
       uri = URI.parse(url)
@@ -44,15 +73,10 @@ module Supermarket
 
     def self.send_request(uri, req)
       # send request
-      res = Net::HTTP.start(uri.host, uri.port, :use_ssl => uri.scheme == 'https') {|http|
+      res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') {|http|
         http.request(req)
       }
-      if res.is_a?(Net::HTTPSuccess)
-        res.body
-      else
-        puts res.body
-        nil
-      end
+      [res.is_a?(Net::HTTPSuccess), res.body]
     end
   end
 end

data/lib/bundles/inspec-supermarket/cli.rb

@@ -6,17 +6,15 @@ module Supermarket
   class SupermarketCLI < Inspec::BaseCLI
     namespace 'supermarket'
 
-    desc 'configure SERVER', 'Changes the default supermarket https://supermarket.chef.io/api/v1/'
-    def configure(server)
-    end
-
     desc 'profiles', 'list all available profiles in Chef Supermarket'
     def profiles
-      # display profiles in format nathenharvey/tmp_compliance_profile
+      # display profiles in format user/profile
       supermarket_profiles = Supermarket::API.profiles
+
+      headline('Available profiles:')
       supermarket_profiles.each { |p|
-        m = %r{^https://supermarket.chef.io/api/v1/tools/(?<slug>[\w-]+)(/)?$}.match(p['tool'])
-        puts "#{p['tool_owner']}/#{m[:slug]}"
+        m = %r{^#{Supermarket::API.supermarket_url}/api/v1/tools/(?<slug>[\w-]+)(/)?$}.match(p['tool'])
+        li("#{p['tool_owner']}/#{m[:slug]}")
       }
     end
 
@@ -36,19 +34,16 @@ module Supermarket
 
     desc 'info profile', 'display profile details'
     def info(profile)
-      # display profiles in format nathenharvey/tmp-compliance-profile
-      # name:  tmp_compliance_profile
-      # owner: nathenharvey
-      # description: ...
-      info = Supermarket::API.info('tmp-compliance-profile')
-      puts "name:   #{info['slug']}"
-      puts "owner:  #{info['owner']} "
-      puts "url:    #{info['source_url']}"
-      puts "\n"
-      puts "description:\n#{info['description']}"
+      info = Supermarket::API.info(profile)
+
+      puts "#{mark_text('name: ')}  #{info['slug']}"
+      puts "#{mark_text('owner:')}  #{info['owner']}"
+      puts "#{mark_text('url:  ')}  #{info['source_url']}"
+      puts
+      puts "#{mark_text('description:  ')} #{info['description']}"
     end
   end
 
   # register the subcommand to Inspec CLI registry
-  Inspec::Plugins::CLI.register(Supermarket::SupermarketCLI, "supermarket", "supermarket SUBCOMMAND ...", "Supermarket commands", {})
+  Inspec::Plugins::CLI.add_subcommand(Supermarket::SupermarketCLI, 'supermarket', 'supermarket SUBCOMMAND ...', 'Supermarket commands', {})
 end

data/lib/bundles/inspec-supermarket/target.rb

@@ -10,34 +10,17 @@ module Supermarket
     def handles?(profile)
       # check for local scheme supermarket://
       return unless URI(profile).scheme == 'supermarket'
-      # emulate supermarket namespace
-      profile == 'supermarket://nathenharvey/tmp-compliance-profile'
-    rescue URI::Error => e
+
+      # verifies that the target e.g base/ssh exists
+      Supermarket::API.exist?(profile)
+    rescue URI::Error => _e
       false
     end
 
     # generates proper url
     def resolve(profile, opts = {})
-      profile = get_profile_name(URI(target))
-      target = build_target_url(profile)
-      super(target, opts)
-    end
-
-    # extracts profile name from url
-    def get_profile_name(uri)
-      uri.host + uri.path
-    end
-
-    def build_target_url(target)
-
-      # read details from json
-      # extracts github url
-
-      supermarket, slug = target.split('/')
-      # search profile with slug
-      # get github url
-      # return github url
-      "https://github.com/nathenharvey/tmp_compliance_profile/"
+      tool_info = Supermarket::API.find(profile)
+      super(tool_info['tool_source_url'], opts)
     end
 
     def to_s

data/lib/inspec/plugins.rb

@@ -11,6 +11,10 @@ module Inspec
     autoload :CLI, 'inspec/plugins/cli'
   end
 
+  # PLEASE NOTE: The Plugin system is an internal mechanism for connecting
+  # inspec components. Its API is currently considered in an alpha state
+  # and may change between minor version revisions. A stable plugin API will be
+  # released in the future.
   class PluginCtl
     extend Forwardable
 
@@ -44,7 +48,3 @@ module Inspec
     end
   end
 end
-
-# Load all plugins on startup
-ctl = Inspec::PluginCtl.new
-ctl.list.each { |x| ctl.load(x) }

data/lib/inspec/plugins/cli.rb

@@ -6,12 +6,12 @@ module Inspec
   module Plugins
     # stores all CLI plugin, we expect those to the `Thor` subclasses
     class CLI
-      def self.registry
-        @registry ||= {}
+      def self.subcommands
+        @subcommands ||= {}
       end
 
-      def self.register(klass, subcommand_name, usage, description, options = {})
-        registry[subcommand_name] = {
+      def self.add_subcommand(klass, subcommand_name, usage, description, options = {})
+        subcommands[subcommand_name] = {
           klass: klass,
           subcommand_name: subcommand_name,
           usage: usage,