inspec 0.11.0 → 0.12.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 70a0c204211c2bd4a689aff2790fe23999a5013a
-  data.tar.gz: ee648ad90d3d80a6f2cd4f2c18207d39916a6b49
+  metadata.gz: 5e3b076ffed41d9148eb98065a025a6acb6a9f70
+  data.tar.gz: eb36dc73cf37bc30a46949943ba7db582ed82417
 SHA512:
-  metadata.gz: c71d588c6547180d6f54e769c1580dc88d98634cc7100583e6723ea172014fb1f3feb7471791cbd9429b112bda7dbba840564e6ea65ec61faf36427847ca92e2
-  data.tar.gz: 0d5750125ca6c6cce5ab69a001726dc7663ae95b2269cf8a162ff9e08037ae64ca3607a220af7ae11f47b2c623b3f17b99da92ebabd8650481ae6916b5286a18
+  metadata.gz: 09d87d6da242d31586af6d3e39e913223a141d6dbc39474c921636d3169a57bcf1b5029defc1d2f6a8f01c246fe3494846edfe9d00a27381f3aa13f8f335435a
+  data.tar.gz: d2806a4c8e637a1ec46cf3ed9ea5a40fc8dd32a6e3bb0de63f405d33f4de9a09d3f25faf36932d949b73c7d9ff1d11949e59963f6ab6116402890632facb0227

data/.rubocop.yml

@@ -6,6 +6,7 @@ AllCops:
   - 'test/**/*'
   - 'examples/**/*'
   - 'vendor/**/*'
+  - 'lib/bundles/inspec-init/templates/**/*'
 Documentation:
   Enabled: false
 AlignParameters:

data/CHANGELOG.md

@@ -1,7 +1,27 @@
 # Change Log
 
-## [0.11.0](https://github.com/chef/inspec/tree/0.11.0) (2016-02-09)
-[Full Changelog](https://github.com/chef/inspec/compare/v0.10.1...0.11.0)
+## [0.12.0](https://github.com/chef/inspec/tree/0.12.0) (2016-02-15)
+[Full Changelog](https://github.com/chef/inspec/compare/v0.11.0...0.12.0)
+
+**Implemented enhancements:**
+
+- add runlevel support for System V services [\#455](https://github.com/chef/inspec/pull/455) ([arlimus](https://github.com/arlimus))
+- Add a init subcommand [\#454](https://github.com/chef/inspec/pull/454) ([chris-rock](https://github.com/chris-rock))
+
+**Fixed bugs:**
+
+- Windows 2008 isn't being detected. [\#346](https://github.com/chef/inspec/issues/346)
+- Fix two minor logging and config bugs in CLI [\#452](https://github.com/chef/inspec/pull/452) ([srenatus](https://github.com/srenatus))
+- bugfix: verify the target resolver before using it [\#449](https://github.com/chef/inspec/pull/449) ([arlimus](https://github.com/arlimus))
+- Fix iptables on CentOS6 + more tests for iptables \(plus small code improvements\) [\#442](https://github.com/chef/inspec/pull/442) ([srenatus](https://github.com/srenatus))
+
+**Merged pull requests:**
+
+- rework target to resolver connection [\#447](https://github.com/chef/inspec/pull/447) ([arlimus](https://github.com/arlimus))
+- separate directory resolver from target resolver [\#446](https://github.com/chef/inspec/pull/446) ([arlimus](https://github.com/arlimus))
+
+## [v0.11.0](https://github.com/chef/inspec/tree/v0.11.0) (2016-02-10)
+[Full Changelog](https://github.com/chef/inspec/compare/v0.10.1...v0.11.0)
 
 **Implemented enhancements:**
 
@@ -11,12 +31,14 @@
 **Fixed bugs:**
 
 - File stats are not always working properly [\#430](https://github.com/chef/inspec/issues/430)
+- Inspec iptables should have\_rule tests not working [\#420](https://github.com/chef/inspec/issues/420)
 - Integration test for apache config [\#406](https://github.com/chef/inspec/issues/406)
 - rework auditd\_rules resource [\#312](https://github.com/chef/inspec/issues/312)
 - resource/auditd\_rules: update rule list format [\#309](https://github.com/chef/inspec/issues/309)
 
 **Merged pull requests:**
 
+- 0.11.0 [\#443](https://github.com/chef/inspec/pull/443) ([arlimus](https://github.com/arlimus))
 - Fix supermarket cli registration [\#441](https://github.com/chef/inspec/pull/441) ([chris-rock](https://github.com/chris-rock))
 - update to winrm 1.6.1 command scheme [\#439](https://github.com/chef/inspec/pull/439) ([arlimus](https://github.com/arlimus))
 - semantics: rename CLI plugins registry -\> commands [\#435](https://github.com/chef/inspec/pull/435) ([arlimus](https://github.com/arlimus))

data/bin/inspec

@@ -84,7 +84,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI # rubocop:disable Metrics/ClassLength
   def archive(path)
     diagnose
 
-    o = options.dup
+    o = opts.dup
     o[:logger] = Logger.new(STDOUT)
     o[:logger].level = get_log_level(o.log_level)
 
@@ -129,8 +129,11 @@ class Inspec::InspecCLI < Inspec::BaseCLI # rubocop:disable Metrics/ClassLength
   option :format, type: :string, default: Inspec::NoSummaryFormatter, hide: true
   def shell_func
     diagnose
+    o = opts.dup
+    o[:logger] = Logger.new(STDOUT)
+    o[:logger].level = get_log_level(o.log_level)
 
-    runner = Inspec::Runner.new(opts)
+    runner = Inspec::Runner.new(o)
     Inspec::Shell.new(runner).start
   rescue RuntimeError => e
     puts e.message

data/lib/bundles/inspec-init.rb

@@ -0,0 +1,8 @@
+# encoding: utf-8
+# author: Christoph Hartmann
+# author: Dominik Richter
+
+libdir = File.dirname(__FILE__)
+$LOAD_PATH.unshift(libdir) unless $LOAD_PATH.include?(libdir)
+
+require 'inspec-init/cli'

data/lib/bundles/inspec-init/cli.rb

@@ -0,0 +1,86 @@
+# encoding: utf-8
+# author: Christoph Hartmann
+
+module Init
+  class CLI < Inspec::BaseCLI
+    namespace 'init'
+
+    # read template directoy
+    template_dir = File.join(File.dirname(__FILE__), 'templates')
+    Dir.glob(File.join(template_dir, '*')) do |template|
+      relative = Pathname.new(template).relative_path_from(Pathname.new(template_dir))
+
+      # register command for the template
+      desc "#{relative} NAME", "Create a new #{relative}"
+      option :overwrite, type: :boolean, default: false,
+         desc: 'Overwrites existing directory'
+      define_method relative.to_s.to_sym do |name|
+        generator(relative.to_s, { name: name }, options)
+      end
+    end
+
+    private
+
+    # 1. iterate over all files
+    # 2. read content in erb
+    # 3. write to target
+    def generator(type, attributes = {}, options = {}) # rubocop:disable Metrics/AbcSize
+      # path of this script
+      dir = File.dirname(__FILE__)
+      # look for template directory
+      base_dir = File.join(dir, 'templates', type)
+      # prepare glob for all subdirectories and files
+      template = File.join(base_dir, '**', '{*,.*}')
+      # generate target path
+      target = Pathname.new(Dir.pwd).join(attributes[:name])
+      puts "Create new #{type} at #{mark_text(target)}"
+
+      # check that the directory does not exist
+      if File.exist?(target) && !options['overwrite']
+        error "#{mark_text(target)} exists already, use --overwrite"
+        exit 1
+      end
+
+      # ensure that target directory is available
+      FileUtils.mkdir_p(target)
+
+      # iterate over files and write to target path
+      Dir.glob(template) do |file|
+        relative = Pathname.new(file).relative_path_from(Pathname.new(base_dir))
+        destination = Pathname.new(target).join(relative)
+        if File.directory?(file)
+          li "Create directory #{mark_text(relative)}"
+          FileUtils.mkdir_p(destination)
+        elsif File.file?(file)
+          li "Create file #{mark_text(relative)}"
+          # read & render content
+          content = render(File.read(file), attributes)
+          # write file content
+          File.write(destination, content)
+        else
+          puts "Ignore #{file}, because its not an file or directoy"
+        end
+      end
+    end
+
+    # This is a render helper to bind hash values to a ERB template
+    def render(content, hash)
+      # create a new binding class
+      cls = Class.new do
+        hash.each do |key, value|
+          define_method key.to_sym do
+            value
+          end
+        end
+        # expose binding
+        define_method :bind do
+          binding
+        end
+      end
+      ERB.new(content).result(cls.new.bind)
+    end
+  end
+
+  # register the subcommand to Inspec CLI registry
+  Inspec::Plugins::CLI.add_subcommand(Init::CLI, 'init', 'init TEMPLATE ...', 'Scaffolds a new project', {})
+end

data/lib/bundles/inspec-init/templates/profile/README.md

@@ -0,0 +1,3 @@
+# Example InSpec Profile
+
+This example shows the implementation of an InSpec [profile](../../docs/profiles.rst).

data/lib/bundles/inspec-init/templates/profile/controls/example.rb

@@ -0,0 +1,20 @@
+# encoding: utf-8
+# copyright: 2015, The Authors
+# license: All rights reserved
+
+title 'sample section'
+
+# you can also use plain tests
+describe file('/tmp') do
+  it { should be_directory }
+end
+
+# you add controls here
+control 'tmp-1.0' do                        # A unique ID for this control
+  impact 0.7                                # The criticality, if this control fails.
+  title 'Create /tmp directory'             # A human-readable title
+  desc 'An optional description...'
+  describe file('/tmp') do                  # The actual test
+    it { should be_directory }
+  end
+end

data/lib/bundles/inspec-init/templates/profile/inspec.yml

@@ -0,0 +1,8 @@
+name: <%= name %>
+title: InSpec Profile
+maintainer: The Authors
+copyright: The Authors
+copyright_email: you@example.com
+license: All Rights Reserved
+summary: An InSpec Compliance Profile
+version: 0.1.0

data/lib/inspec/targets/archive.rb

@@ -4,40 +4,30 @@
 
 require 'rubygems/package'
 require 'zlib'
+require 'inspec/targets/dir'
 
 module Inspec::Targets
-  class ArchiveHelper
-    def resolve(target, _opts = {})
-      files, rootdir = structure(target)
+  class ArchiveHelper < DirsResolver
+    attr_reader :files
+
+    def initialize(target, _opts = {})
+      @target = target
+      files, @rootdir = structure(target)
 
       # remove trailing slashes
       files = files.collect { |f| f.chomp('/') }
 
       # remove leading directory
-      files = files.collect { |f|
-        Pathname(f).relative_path_from(Pathname(rootdir)).to_s
+      root = Pathname(@rootdir)
+      @files = files.collect { |f|
+        Pathname(f).relative_path_from(root).to_s
       }
-
-      helper = DirsHelper.get_handler(files)
-      if helper.nil?
-        fail "Don't know how to handle folder #{target}"
-      end
-
-      res = {
-        test:     collect(helper, files, :get_filenames),
-        library:  collect(helper, files, :get_libraries),
-        metadata: collect(helper, files, :get_metadata),
-      }.map { |as, list|
-        content(target, list, rootdir, base_folder: target, as: as)
-      }
-
-      res.flatten
     end
 
-    # FIXME(sr) dedup inspec/targets/folder
-    def collect(helper, files, getter)
-      return [] unless helper.respond_to? getter
-      helper.method(getter).call(files)
+    def resolve(path, opts = {})
+      o = (opts || {})
+      o[:base_folder] = @target
+      content(@target, path, @rootdir, o)
     end
   end
 end

data/lib/inspec/targets/core.rb

@@ -8,18 +8,47 @@ module Inspec
   module Targets
     extend Modulator
 
-    def self.__resolve(items)
-      items.map do |_|
-        # @TODO
-      end.flatten
+    # Retrieve the resolver for a given target. Resolvers are any type of
+    # instance, that can take a target in the #resolve method, and turn
+    # it into raw InSpec code. It will actually retrieve all file's
+    # contents, including libraries and metadata.
+    #
+    # @param [any] target any target you are pointing to; typically a string
+    # @return [Inspec::Targets::*] the resolver handling this target
+    def self.find_resolver(target)
+      modules.values.find { |m| m.handles?(target) }
+    end
+
+    # Retrieve the target handler, i.e. the component that is going to handle
+    # all aspects of a given target. Unlike the resolver, this provides
+    # access to an object, that understands the target and is able to read
+    # all contents, while providing additional methods which InSpec itself
+    # does not care about (think: plugins).
+    #
+    # There is a special case, where you might be pointing to a URL containing
+    # a ZIP file which has a full InSpec Profile embedded. This will be
+    # resolved to a directory helper (Inspec::Targets::DirsResolver). This
+    # method will retrieve the right handler for this directory and provide it
+    # with full access all contents (i.e. the DirsResolver will be embedded).
+    #
+    # @param [any] target any target you are pointing to; typically a string
+    # @return [Inspec::Targets::*] the handler for this target
+    def self.find_handler(target)
+      resolver = find_resolver(target)
+      return resolver unless resolver.is_a?(Module) &&
+                             resolver.ancestors.include?(DirsResolver)
+      resolver.from_target(target).handler
     end
 
+    # Turn targets into actionable InSpec code, library-data and metadata.
+    #
+    # @param [any] targets any targets you are pointing to; typically strings
+    # @param [Hash] additional options for loading
+    # @return [Array] an array of resolved data, with :content, :ref, :type
     def self.resolve(targets, opts = {})
       Array(targets).map do |target|
-        handler = modules.values.find { |m| m.handles?(target) }
-        if handler.nil?
-          fail "Don't know how to handle target: #{target}"
-        end
+        handler = find_resolver(target) ||
+                  fail("Don't know how to handle target: #{target}")
         handler.resolve(target, opts)
       end.flatten
     end

data/lib/inspec/targets/dir.rb

@@ -3,79 +3,142 @@
 # author: Christoph Hartmann
 
 module Inspec::Targets
+  # DirsHelper manages resolvers for directories. Wherever directories are,
+  # either a local folder, archive, or remote, this module provides all helpers
+  # than can resolve these.
+  #
+  # Resolvers provide these methods
+  # * handles?(paths)  =>  true if the resolver is responsible for this target
+  # * get_filenames    =>  Array[String] of files where tests/controls are found
+  # * get_metadata     =>  String path with metadata information [optional]
+  # * get_libraries    =>  Array[String] of library files [optional]
+  #
+  # Resolvers must register with this DirsHelper via #add_module .
   module DirsHelper
-    # InSpec profile Loader
-    # Previous versions used the `test` directory instead of the new `controls`
-    # directory. Usage of the test directory is deprecated and not recommended
-    # anymore. Support for `test` will be removed in InSpec 1.0
-    # TODO: remove `test` support for InSpec 1.0
-    class ProfileDir
-      def handles?(paths)
-        return true if paths.include?('inspec.yml')
-        (
-          !paths.grep(/^controls/).empty? ||
-          !paths.grep(/^test/).empty?
-        ) && paths.include?('metadata.rb')
-      end
+    extend Modulator
 
-      def get_libraries(paths)
-        paths.find_all do |path|
-          path.start_with?('libraries') && path.end_with?('.rb')
-        end
-      end
+    def self.get_handler(paths)
+      modules.values.reverse.find { |x| x.handles?(paths) }
+    end
+  end
 
-      def get_filenames(paths)
-        paths.find_all do |path|
-          path.start_with?('controls', 'test') && path.end_with?('.rb')
-        end
-      end
+  # Base class for all directory resolvers. I.e. any target helper that
+  # takes a directory/archive/... and ultimately calls DirsHelper to resolve it.
+  #
+  # These resolvers must implement the required methods of this class.
+  class DirsResolver
+    def files
+      fail NotImplementedError, "Directory resolver #{self.class} must implement #files"
+    end
 
-      def get_metadata(paths)
-        return 'inspec.yml' if paths.include?('inspec.yml')
-        return 'metadata.rb' if paths.include?('metadata.rb')
-      end
+    def resolve(_path)
+      fail NotImplementedError, "Directory resolver #{self.class} must implement #content"
     end
 
-    class ChefAuditDir
-      def handles?(paths)
-        paths.include?('recipes') and paths.include?('metadata.rb')
-      end
+    def handler
+      DirsHelper.get_handler(files) ||
+        fail("Don't know how to handle #{self}")
+    end
+
+    def self.from_target(target)
+      new(target)
+    end
 
-      def get_filenames(paths)
-        paths.find_all do |x|
-          x.start_with? 'recipes/' and x.end_with? '.rb'
-        end
+    def self.resolve(target, opts)
+      r = new(target, opts)
+      handler = r.handler
+      files = r.files
+
+      res = []
+      {
+        test:     __collect(handler, :get_filenames, files),
+        library:  __collect(handler, :get_libraries, files),
+        metadata: __collect(handler, :get_metadata, files),
+      }.each do |as, list|
+        Array(list).each { |path|
+          res.push(r.resolve(path, as: as))
+        }
       end
+
+      return handler.resolve_contents(res) if handler.respond_to?(:resolve_contents)
+      res
+    end
+
+    def self.__collect(handler, getter, files)
+      return [] unless handler.respond_to? getter
+      handler.method(getter).call(files)
+    end
+  end
+
+  # InSpec profile Loader
+  # Previous versions used the `test` directory instead of the new `controls`
+  # directory. Usage of the test directory is deprecated and not recommended
+  # anymore. Support for `test` will be removed in InSpec 1.0
+  # TODO: remove `test` support for InSpec 1.0
+  class ProfileDir
+    def handles?(paths)
+      return true if paths.include?('inspec.yml')
+      (
+        !paths.grep(/^controls/).empty? ||
+        !paths.grep(/^test/).empty?
+      ) && paths.include?('metadata.rb')
     end
 
-    class ServerspecDir
-      def handles?(paths)
-        paths.include?('spec')
+    def get_libraries(paths)
+      paths.find_all do |path|
+        path.start_with?('libraries') && path.end_with?('.rb')
       end
+    end
 
-      def get_filenames(paths)
-        paths.find_all do |path|
-          path.start_with? 'spec' and path.end_with? '_spec.rb'
-        end
+    def get_filenames(paths)
+      paths.find_all do |path|
+        path.start_with?('controls', 'test') && path.end_with?('.rb')
       end
     end
 
-    class FlatDir
-      def handles?(paths)
-        get_filenames(paths).empty? == false
+    def get_metadata(paths)
+      return 'inspec.yml' if paths.include?('inspec.yml')
+      return 'metadata.rb' if paths.include?('metadata.rb')
+    end
+  end
+  DirsHelper.add_module('inspec-profile', ProfileDir.new)
+
+  class ChefAuditDir
+    def handles?(paths)
+      paths.include?('recipes') and paths.include?('metadata.rb')
+    end
+
+    def get_filenames(paths)
+      paths.find_all do |x|
+        x.start_with? 'recipes/' and x.end_with? '.rb'
       end
+    end
+  end
+  DirsHelper.add_module('chef-cookbook', ChefAuditDir.new)
+
+  class ServerspecDir
+    def handles?(paths)
+      paths.include?('spec')
+    end
 
-      def get_filenames(paths)
-        paths.find_all { |x| x.end_with?('.rb') and !x.include?('/') }
+    def get_filenames(paths)
+      paths.find_all do |path|
+        path.start_with? 'spec' and path.end_with? '_spec.rb'
       end
     end
+  end
+  DirsHelper.add_module('serverspec-folder', ServerspecDir.new)
 
-    HANDLERS = [
-      ProfileDir, ChefAuditDir, ServerspecDir, FlatDir
-    ].map(&:new)
+  class FlatDir
+    def handles?(paths)
+      get_filenames(paths).empty? == false
+    end
 
-    def self.get_handler(paths)
-      HANDLERS.find { |x| x.handles? paths }
+    def get_filenames(paths)
+      # TODO: eventually remove the metadata.rb exception here
+      # when we have fully phased out metadata.rb in 1.0
+      paths.find_all { |x| x.end_with?('.rb') && !x.include?('/') && x != 'metadata.rb' }
     end
   end
+  DirsHelper.add_module('flat-ruby-folder', FlatDir.new)
 end

data/lib/inspec/targets/folder.rb

@@ -6,48 +6,33 @@ require 'inspec/targets/dir'
 require 'inspec/targets/file'
 
 module Inspec::Targets
-  class FolderHelper
-    def handles?(target)
+  class FolderHelper < DirsResolver
+    def self.handles?(target)
       File.directory?(target)
     end
 
-    def resolve(target, _opts = {})
+    attr_reader :files
+
+    def initialize(target, _opts = {})
+      @base_folder = target
       # find all files in the folder
       files = Dir[File.join(target, '**', '*')]
       # remove the prefix
       prefix = File.join(target, '')
-      files = files.map { |x| x.sub(prefix, '') }
-      # get the dirs helper
-      helper = DirsHelper.get_handler(files)
-      if helper.nil?
-        fail "Don't know how to handle folder #{target}"
-      end
-
-      # get all test file contents
-      file_handler = Inspec::Targets.modules['file']
-      res = {
-        test:     collect(helper, files, :get_filenames),
-        library:  collect(helper, files, :get_libraries),
-        metadata: collect(helper, files, :get_metadata),
-      }.map { |as, list|
-        file_handler.resolve_all(list, base_folder: target, as: as)
-      }
+      @files = files.map { |x| x.sub(prefix, '') }
+      @file_handler = Inspec::Targets.modules['file']
+    end
 
-      # flatten the outer list layer
-      res.inject(&:+)
+    def resolve(path, opts = {})
+      o = (opts || {})
+      o[:base_folder] = @base_folder
+      @file_handler.resolve(path, o)
     end
 
     def to_s
       'Folder Loader'
     end
-
-    private
-
-    def collect(helper, files, getter)
-      return [] unless helper.respond_to? getter
-      helper.method(getter).call(files)
-    end
   end
 
-  Inspec::Targets.add_module('folder', FolderHelper.new)
+  Inspec::Targets.add_module('folder', FolderHelper)
 end

data/lib/inspec/targets/tar.rb

@@ -8,7 +8,7 @@ require 'inspec/targets/archive'
 
 module Inspec::Targets
   class TarHelper < ArchiveHelper
-    def handles?(target)
+    def self.handles?(target)
       File.file?(target) && target.end_with?('.tar.gz', '.tgz')
     end
 
@@ -30,22 +30,20 @@ module Inspec::Targets
       [files, rootdir]
     end
 
-    def content(input, files, rootdir = nil, opts = {})
-      content = []
+    def content(input, path, rootdir = nil, opts = {})
+      content = nil
       Gem::Package::TarReader.new(Zlib::GzipReader.open(input)) do |tar|
         tar.each do |entry|
           if entry.directory?
             # nothing to do
           elsif entry.file?
-            if files.include?(entry.full_name.gsub(rootdir, ''))
-              h = {
-                # NB if some file is empty, return empty-string, not nil
-                content: entry.read || '',
-                type: opts[:as] || :test,
-                ref: entry.full_name,
-              }
-              content.push(h)
-            end
+            next unless path == entry.full_name.gsub(rootdir, '')
+            content = {
+              # NB if some file is empty, return empty-string, not nil
+              content: entry.read || '',
+              type: opts[:as] || :test,
+              ref: entry.full_name,
+            }
           elsif entry.header.typeflag == '2'
             # ignore symlinks for now
           end
@@ -59,5 +57,5 @@ module Inspec::Targets
     end
   end
 
-  Inspec::Targets.add_module('tar', TarHelper.new)
+  Inspec::Targets.add_module('tar', TarHelper)
 end

data/lib/inspec/targets/zip.rb

@@ -8,22 +8,22 @@ require 'inspec/targets/archive'
 
 module Inspec::Targets
   class ZipHelper < ArchiveHelper
-    def handles?(target)
+    def self.handles?(target)
       File.file?(target) and target.end_with?('.zip')
     end
 
-    def content(input, files, rootdir = nil, opts = {})
-      content = []
+    def content(input, path, rootdir = nil, opts = {})
+      content = nil
       ::Zip::InputStream.open(input) do |io|
         while (entry = io.get_next_entry)
-          next if !files.include?(entry.name.gsub(rootdir, ''))
-          h = {
+          next unless path == entry.name.gsub(rootdir, '')
+          content = {
             # NB if some file is empty, return empty-string, not nil
             content: io.read || '',
             type: opts[:as] || :test,
             ref: entry.name,
           }
-          content.push(h)
+          abort
         end
       end
       content
@@ -51,5 +51,5 @@ module Inspec::Targets
     end
   end
 
-  Inspec::Targets.add_module('zip', ZipHelper.new)
+  Inspec::Targets.add_module('zip', ZipHelper)
 end

data/lib/inspec/version.rb

@@ -3,5 +3,5 @@
 # author: Christoph Hartmann
 
 module Inspec
-  VERSION = '0.11.0'.freeze
+  VERSION = '0.12.0'.freeze
 end

data/lib/resources/iptables.rb

@@ -31,8 +31,8 @@ class IpTables < Inspec.resource(1)
   "
 
   def initialize(params = {})
-    @table = params[:table] || nil
-    @chain = params[:chain] || nil
+    @table = params[:table]
+    @chain = params[:chain]
 
     # we're done if we are on linux
     return if inspec.os.linux?
@@ -43,29 +43,26 @@ class IpTables < Inspec.resource(1)
   end
 
   def has_rule?(rule = nil, _table = nil, _chain = nil)
-    found = false
-    retrieve_rules.each { |line|
-      # checks if the rule is part of the ruleset
-      # for now, we expect an excact match
-      found = true if line.casecmp(rule) == 0
-    }
-    found
+    # checks if the rule is part of the ruleset
+    # for now, we expect an exact match
+    retrieve_rules.any? { |line| line.casecmp(rule) == 0 }
   end
 
   def retrieve_rules
     return @iptables_cache if defined?(@iptables_cache)
 
     # construct iptables command to read all rules
-    @table.nil? ? table_cmd = '' : table_cmd = " -t #{@table} "
-    @chain.nil? ? chain_cmd = '' : chain_cmd = " #{@chain}"
-    cmd = inspec.command(format('iptables %s -S %s', table_cmd, chain_cmd).strip)
+    table_cmd = "-t #{@table}" if @table
+    iptables_cmd = format('iptables %s -S %s', table_cmd, @chain).strip
+
+    cmd = inspec.command(iptables_cmd)
     return [] if cmd.exit_status.to_i != 0
 
     # split rules, returns array or rules
-    @iptables_cache = cmd.stdout.chomp.split("\n")
+    @iptables_cache = cmd.stdout.split("\n").map(&:strip)
   end
 
   def to_s
-    format('Iptables %s %s', @table.nil? ? '' : "table: #{@table}", @chain.nil? ? '' : "chain: #{@chain}").strip
+    format('Iptables %s %s', @table && "table: #{@table}", @chain && "chain: #{@chain}").strip
   end
 end

data/lib/resources/service.rb

@@ -4,13 +4,59 @@
 # author: Stephan Renatus
 # license: All rights reserved
 
-# Usage:
-# describe service('dhcp') do
-#   it { should be_enabled }
-#   it { should be_installed }
-#   it { should be_running }
-# end
-#
+class Runlevels < Hash
+  attr_accessor :owner
+
+  def self.from_hash(owner, hash = {}, filter = nil)
+    res = Runlevels.new(owner)
+    filter = filter.first if filter.is_a?(Array) && filter.length <= 1
+
+    ks = case filter
+         when nil
+           hash.keys
+         when Regexp
+           hash.keys.find_all { |x| x.to_s =~ filter }
+         when Array
+           f = filter.map(&:to_s)
+           hash.keys.find_all { |x| f.include?(x.to_s) }
+         when Numeric
+           hash.keys.include?(filter) ? [filter] : []
+         else
+           hash.keys.find_all { |x| x == filter }
+         end
+
+    ks.each { |k| res[k] = hash[k] }
+    res
+  end
+
+  def initialize(owner, default = false)
+    @owner = owner
+    super(default)
+  end
+
+  def filter(f)
+    Runlevels.from_hash(owner, self, f)
+  end
+
+  # Check if all runlevels are enabled
+  #
+  # @return [boolean] true if all runlevels are enabled
+  def enabled?
+    values.all?
+  end
+
+  # Check if all runlevels are disabled
+  #
+  # @return [boolean] true if all runlevels are disabled
+  def disabled?
+    !values.any?
+  end
+
+  def to_s
+    "#{owner} runlevels #{keys.join(', ')}"
+  end
+end
+
 # We detect the init system for each operating system, based on the operating
 # system.
 #
@@ -29,6 +75,10 @@ class Service < Inspec.resource(1)
       it { should be_enabled }
       it { should be_running }
     end
+
+    describe service('service_name').runlevels(3, 5) do
+      it { should be_enabled }
+    end
   "
 
   attr_reader :service_ctl
@@ -98,7 +148,7 @@ class Service < Inspec.resource(1)
     @cache ||= @service_mgmt.info(@service_name)
   end
 
-  # verifies the service is enabled
+  # verifies if the service is enabled
   def enabled?(_level = nil)
     return false if info.nil?
     info[:enabled]
@@ -116,6 +166,12 @@ class Service < Inspec.resource(1)
     info[:running]
   end
 
+  # get all runlevels that are available and their configuration
+  def runlevels(*args)
+    return Runlevels.new(self) if info.nil? or info[:runlevels].nil?
+    Runlevels.from_hash(self, info[:runlevels], args)
+  end
+
   def to_s
     "Service #{@service_name}"
   end
@@ -275,6 +331,8 @@ class Upstart < ServiceManager
 end
 
 class SysV < ServiceManager
+  RUNLEVELS = { 0=>false, 1=>false, 2=>false, 3=>false, 4=>false, 5=>false, 6=>false }.freeze
+
   def initialize(service_name, service_ctl = nil)
     @service_ctl ||= 'service'
     super
@@ -296,10 +354,15 @@ class SysV < ServiceManager
     # on rhel via: 'chkconfig --list', is not installed by default
     # bash: for i in `find /etc/rc*.d -name S*`; do basename $i | sed -r 's/^S[0-9]+//'; done | sort | uniq
     enabled_services_cmd = inspec.command('find /etc/rc*.d -name S*')
-    enabled_services = enabled_services_cmd.stdout.split("\n").select { |line|
-      /(^.*#{service_name}.*)/.match(line)
-    }
-    enabled = !enabled_services.empty?
+    service_line = %r{rc(?<runlevel>[0-6])\.d/S[^/]*?#{Regexp.escape service_name}$}
+    all_services = enabled_services_cmd.stdout.split("\n").map { |line|
+      service_line.match(line)
+    }.compact
+    enabled = !all_services.empty?
+
+    # Determine a list of runlevels which this service is activated for
+    runlevels = RUNLEVELS.dup
+    all_services.each { |x| runlevels[x[:runlevel].to_i] = true }
 
     # check if service is really running
     # service throws an exit code if the service is not installed or
@@ -313,6 +376,7 @@ class SysV < ServiceManager
       installed: true,
       running: running,
       enabled: enabled,
+      runlevels: runlevels,
       type: 'sysv',
     }
   end

data/test/integration/cookbooks/os_prepare/recipes/default.rb

@@ -11,6 +11,7 @@ include_recipe('os_prepare::mount')
 include_recipe('os_prepare::service')
 include_recipe('os_prepare::package')
 include_recipe('os_prepare::registry_key')
+include_recipe('os_prepare::iptables')
 
 # configure repos, eg. nginx
 include_recipe('os_prepare::apt')

data/test/integration/cookbooks/os_prepare/recipes/iptables.rb

@@ -0,0 +1,13 @@
+# encoding: utf-8
+# author: Stephan Renatus
+
+case node['platform']
+when 'ubuntu', 'rhel', 'centos', 'fedora'
+  execute 'iptables -A INPUT -i eth0 -p tcp -m tcp '\
+          '--dport 80 -m state --state NEW -m comment '\
+          '--comment "http on 80" -j ACCEPT'
+  execute 'iptables -N derby-cognos-web'
+  execute 'iptables -A INPUT -j derby-cognos-web'
+  execute 'iptables -A derby-cognos-web -p tcp -m tcp --dport 80 '\
+          '-m comment --comment "derby-cognos-web" -j ACCEPT'
+end

data/test/integration/test/integration/default/iptables_spec.rb

@@ -0,0 +1,25 @@
+# encoding: utf-8
+
+case os[:family]
+when 'ubuntu', 'fedora'
+  describe iptables do
+    it { should have_rule('-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -m comment --comment "http on 80" -j ACCEPT') }
+    it { should_not have_rule('-A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT') }
+
+    # single-word comments have their quotes dropped
+    it { should have_rule('-A derby-cognos-web -p tcp -m tcp --dport 80 -m comment --comment derby-cognos-web -j ACCEPT') }
+  end
+when  'rhel', 'centos'
+  describe iptables do
+    it { should have_rule('-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -m comment --comment "http on 80" -j ACCEPT') }
+    it { should_not have_rule('-A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT') }
+  end
+
+  describe iptables do
+    it { should have_rule('-A derby-cognos-web -p tcp -m tcp --dport 80 -m comment --comment "derby-cognos-web" -j ACCEPT') }
+  end if os[:release] == 6
+
+  describe iptables do
+    it { should have_rule('-A derby-cognos-web -p tcp -m tcp --dport 80 -m comment --comment derby-cognos-web -j ACCEPT') }
+  end if os[:release] == 7
+end

data/test/unit/mock/cmd/iptables-s

@@ -3,4 +3,4 @@
 -P OUTPUT ACCEPT
 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
--A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
+-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -m comment --comment "http like its 1990" -j ACCEPT

data/test/unit/resources/iptables_test.rb

@@ -14,6 +14,11 @@ describe 'Inspec::Resources::Iptables' do
     _(resource.has_rule?('-P OUTPUT DROP')).must_equal false
   end
 
+  it 'verify iptables with comments on ubuntu' do
+    resource = MockLoader.new(:ubuntu1404).load_resource('iptables')
+    _(resource.has_rule?('-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -m comment --comment "http like its 1990" -j ACCEPT')).must_equal true
+  end
+
   it 'verify iptables on windows' do
     resource = MockLoader.new(:windows).load_resource('iptables')
     _(resource.has_rule?('-P OUTPUT ACCEPT')).must_equal false

data/test/unit/resources/service_test.rb

@@ -6,6 +6,7 @@ require 'helper'
 require 'inspec/resource'
 
 describe 'Inspec::Resources::Service' do
+  let(:runlevels) { {0=>false, 1=>false, 2=>true, 3=>true, 4=>true, 5=>true, 6=>false} }
 
   # windows
   it 'verify service parsing' do
@@ -58,7 +59,7 @@ describe 'Inspec::Resources::Service' do
   # centos 6 with sysv
   it 'verify centos 6 package parsing' do
     resource = MockLoader.new(:centos6).load_resource('service', 'sshd')
-    srv = { name: 'sshd', description: nil, installed: true, running: true, enabled: true, type: 'sysv' }
+    srv = { name: 'sshd', description: nil, installed: true, running: true, enabled: true, runlevels: runlevels, type: 'sysv' }
     _(resource.info).must_equal srv
     _(resource.installed?).must_equal true
     _(resource.enabled?).must_equal true
@@ -67,7 +68,7 @@ describe 'Inspec::Resources::Service' do
 
   it 'verify centos 6 package parsing with default sysv_service' do
     resource = MockLoader.new(:centos6).load_resource('sysv_service', 'sshd')
-    srv = { name: 'sshd', description: nil, installed: true, running: true, enabled: true, type: 'sysv' }
+    srv = { name: 'sshd', description: nil, installed: true, running: true, enabled: true, runlevels: runlevels, type: 'sysv' }
     _(resource.info).must_equal srv
     _(resource.installed?).must_equal true
     _(resource.enabled?).must_equal true
@@ -125,7 +126,7 @@ describe 'Inspec::Resources::Service' do
   # debian 7 with systemv
   it 'verify debian 7 package parsing' do
     resource = MockLoader.new(:debian7).load_resource('service', 'sshd')
-    srv = { name: 'sshd', description: nil, installed: true, running: true, enabled: true, type: 'sysv' }
+    srv = { name: 'sshd', description: nil, installed: true, running: true, enabled: true, runlevels: runlevels, type: 'sysv' }
     _(resource.info).must_equal srv
     _(resource.installed?).must_equal true
     _(resource.enabled?).must_equal true
@@ -173,7 +174,7 @@ describe 'Inspec::Resources::Service' do
   # wrlinux
   it 'verify wrlinux package parsing' do
     resource = MockLoader.new(:wrlinux).load_resource('service', 'sshd')
-    srv = { name: 'sshd', description: nil, installed: true, running: true, enabled: true, type: 'sysv' }
+    srv = { name: 'sshd', description: nil, installed: true, running: true, enabled: true, runlevels: runlevels, type: 'sysv' }
     _(resource.info).must_equal srv
     _(resource.installed?).must_equal true
     _(resource.enabled?).must_equal true
@@ -187,4 +188,45 @@ describe 'Inspec::Resources::Service' do
     _(resource.installed?).must_equal false
     _(resource.info).must_equal nil
   end
+
+  # runlevel detection
+  describe 'runlevels on centos 6 (system V)' do
+    let(:service) { MockLoader.new(:centos6).load_resource('service', 'sshd') }
+
+    it 'grabs all runlevels' do
+      service.runlevels.keys.must_equal [0, 1, 2, 3, 4, 5, 6]
+    end
+
+    it 'grabs runlevels via filter nil' do
+      service.runlevels(nil).keys.must_equal [0, 1, 2, 3, 4, 5, 6]
+    end
+
+    it 'grabs runlevels by number' do
+      service.runlevels(3).keys.must_equal [3]
+    end
+
+    it 'grabs runlevels by multiple numbers' do
+      service.runlevels(3, 4, 8).keys.must_equal [3, 4]
+    end
+
+    it 'grabs runlevels via regex' do
+      service.runlevels(/[5-9]/).keys.must_equal [5, 6]
+    end
+
+    it 'checks enabled true if all services are enabled' do
+      service.runlevels(2, 4).enabled?.must_equal true
+    end
+
+    it 'checks enabled false if some services are not enabled' do
+      service.runlevels(1, 4).enabled?.must_equal false
+    end
+
+    it 'checks disabled true if all services are disabled' do
+      service.runlevels(0, 1).disabled?.must_equal true
+    end
+
+    it 'checks disabled false if some services are not disabled' do
+      service.runlevels(0, 4).enabled?.must_equal false
+    end
+  end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec
 version: !ruby/object:Gem::Version
-  version: 0.11.0
+  version: 0.12.0
 platform: ruby
 authors:
 - Dominik Richter
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-02-10 00:00:00.000000000 Z
+date: 2016-02-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: r-train
@@ -223,6 +223,12 @@ files:
 - lib/bundles/inspec-compliance/cli.rb
 - lib/bundles/inspec-compliance/configuration.rb
 - lib/bundles/inspec-compliance/target.rb
+- lib/bundles/inspec-init.rb
+- lib/bundles/inspec-init/cli.rb
+- lib/bundles/inspec-init/templates/profile/README.md
+- lib/bundles/inspec-init/templates/profile/controls/example.rb
+- lib/bundles/inspec-init/templates/profile/inspec.yml
+- lib/bundles/inspec-init/templates/profile/libraries/.gitkeep
 - lib/bundles/inspec-supermarket/README.md
 - lib/bundles/inspec-supermarket/api.rb
 - lib/bundles/inspec-supermarket/cli.rb
@@ -339,6 +345,7 @@ files:
 - test/integration/cookbooks/os_prepare/recipes/auditctl.rb
 - test/integration/cookbooks/os_prepare/recipes/default.rb
 - test/integration/cookbooks/os_prepare/recipes/file.rb
+- test/integration/cookbooks/os_prepare/recipes/iptables.rb
 - test/integration/cookbooks/os_prepare/recipes/json_yaml_csv_ini.rb
 - test/integration/cookbooks/os_prepare/recipes/mount.rb
 - test/integration/cookbooks/os_prepare/recipes/package.rb
@@ -356,6 +363,7 @@ files:
 - test/integration/test/integration/default/file_spec.rb
 - test/integration/test/integration/default/group_spec.rb
 - test/integration/test/integration/default/ini_spec.rb
+- test/integration/test/integration/default/iptables_spec.rb
 - test/integration/test/integration/default/json_spec.rb
 - test/integration/test/integration/default/kernel_module_spec.rb
 - test/integration/test/integration/default/kernel_parameter_spec.rb
@@ -570,6 +578,7 @@ test_files:
 - test/integration/cookbooks/os_prepare/recipes/auditctl.rb
 - test/integration/cookbooks/os_prepare/recipes/default.rb
 - test/integration/cookbooks/os_prepare/recipes/file.rb
+- test/integration/cookbooks/os_prepare/recipes/iptables.rb
 - test/integration/cookbooks/os_prepare/recipes/json_yaml_csv_ini.rb
 - test/integration/cookbooks/os_prepare/recipes/mount.rb
 - test/integration/cookbooks/os_prepare/recipes/package.rb
@@ -587,6 +596,7 @@ test_files:
 - test/integration/test/integration/default/file_spec.rb
 - test/integration/test/integration/default/group_spec.rb
 - test/integration/test/integration/default/ini_spec.rb
+- test/integration/test/integration/default/iptables_spec.rb
 - test/integration/test/integration/default/json_spec.rb
 - test/integration/test/integration/default/kernel_module_spec.rb
 - test/integration/test/integration/default/kernel_parameter_spec.rb