inspec 0.12.0 → 0.14.0

data/lib/inspec/source_reader.rb

@@ -0,0 +1,32 @@
+# encoding: utf-8
+# author: Dominik Richter
+# author: Christoph Hartmann
+
+require 'inspec/plugins'
+require 'utils/plugin_registry'
+
+module Inspec
+  # Pre-checking of target resolution. Make sure that SourceReader plugins
+  # always receive a fetcher.
+  class SourceReaderRegistry < PluginRegistry
+    def resolve(target)
+      return nil if target.nil?
+      unless target.is_a? Inspec::Plugins::Fetcher
+        fail "SourceReader cannot resolve targets that aren't Fetchers: #{target.class}"
+      end
+      super(target)
+    end
+  end
+
+  SourceReader = SourceReaderRegistry.new
+
+  def self.source_reader(version)
+    if version != 1
+      fail 'Only source readers version 1 is supported!'
+    end
+    Inspec::Plugins::SourceReader
+  end
+end
+
+require 'source_readers/inspec'
+require 'source_readers/flat'

data/lib/inspec/version.rb

@@ -3,5 +3,5 @@
 # author: Christoph Hartmann
 
 module Inspec
-  VERSION = '0.12.0'.freeze
+  VERSION = '0.14.0'.freeze
 end

data/lib/matchers/matchers.rb

@@ -229,23 +229,22 @@ end
 RSpec::Matchers.define :cmp do |expected|
 
   def integer?(value)
-    return true if value =~ /\A\d+\Z/
-    false
+    !(value =~ /\A\d+\Z/).nil?
   end
 
   def float?(value)
-    return true if Float(value)
-    false
+    Float(value)
+    true
   rescue ArgumentError => _ex
     false
   end
 
   def octal?(value)
-    return true if value =~ /\A0+\d+\Z/
-    false
+    !(value =~ /\A0+\d+\Z/).nil?
   end
 
   match do |actual|
+    actual = actual[0] if actual.is_a?(Array) && !expected.is_a?(Array) && actual.length == 1
     # if actual and expected are strings
     if expected.is_a?(String) && actual.is_a?(String)
       actual.casecmp(expected) == 0

data/lib/resources/file.rb

@@ -5,7 +5,7 @@
 # license: All rights reserved
 
 module Inspec::Resources
-  class File < Inspec.resource(1)
+  class File < Inspec.resource(1) # rubocop:disable Metrics/ClassLength
     name 'file'
     desc 'Use the file InSpec audit resource to test all system file types, including files, directories, symbolic links, named pipes, sockets, character devices, block devices, and doors.'
     example "
@@ -29,7 +29,7 @@ module Inspec::Resources
     %w{
       type exist? file? block_device? character_device? socket? directory?
       symlink? pipe? mode mode? owner owned_by? group grouped_into? link_target
-      link_path linked_to? content mtime size selinux_label immutable?
+      link_path linked_to? mtime size selinux_label immutable?
       product_version file_version version? md5sum sha256sum
     }.each do |m|
       define_method m.to_sym do |*args|
@@ -37,6 +37,12 @@ module Inspec::Resources
       end
     end
 
+    def content
+      res = file.content
+      return nil if res.nil?
+      res.force_encoding('utf-8')
+    end
+
     def contain(*_)
       fail 'Contain is not supported. Please use standard RSpec matchers.'
     end

data/lib/resources/passwd.rb

@@ -13,88 +13,114 @@
 # - home directory
 # - command
 
-# usage:
-#
-# describe passwd do
-#   its(:usernames) { should eq ['root'] }
-#   its(:uids) { should eq [0] }
-# end
-#
-# describe passwd.uid(0) do
-#   its(:username) { should eq 'root' }
-#   its(:count) { should eq 1 }
-# end
-
 require 'utils/parser'
 
 class Passwd < Inspec.resource(1)
   name 'passwd'
   desc 'Use the passwd InSpec audit resource to test the contents of /etc/passwd, which contains the following information for users that may log into the system and/or as users that own running processes.'
   example "
-    describe passwd.uid(0) do
-      its('username') { should eq 'root' }
+    describe passwd do
+      its('users') { should_not include 'forbidden_user' }
+    end
+
+    describe passwd.uids(0) do
+      its('users') { should cmp 'root' }
       its('count') { should eq 1 }
     end
+
+    describe passwd.shells(/nologin/) do
+      # find all users with a nologin shell
+      its('users') { should_not include 'my_login_user' }
+    end
   "
 
   include PasswdParser
 
   attr_reader :uid
-  attr_reader :parsed
+  attr_reader :params
+  attr_reader :content
+  attr_reader :lines
 
-  def initialize(path = nil)
+  def initialize(path = nil, opts = nil)
+    opts ||= {}
     @path = path || '/etc/passwd'
-    @content = inspec.file(@path).content
-    @parsed = parse_passwd(@content)
+    @content = opts[:content] || inspec.file(@path).content
+    @lines = @content.to_s.split("\n")
+    @filters = opts[:filters] || ''
+    @params = parse_passwd(@content)
   end
 
-  # call passwd().uid(0)
-  # returns a seperate object with reference to this object
-  def uid(uid)
-    PasswdUid.new(self, uid)
+  def filter(hm = {})
+    return self if hm.nil? || hm.empty?
+    res = @params
+    filters = ''
+    hm.each do |attr, condition|
+      condition = condition.to_s if condition.is_a? Integer
+      filters += " #{attr} = #{condition.inspect}"
+      res = res.find_all do |line|
+        case line[attr.to_s]
+        when condition
+          true
+        else
+          false
+        end
+      end
+    end
+    content = res.map { |x| x.values.join(':') }.join("\n")
+    Passwd.new(@path, content: content, filters: @filters + filters)
   end
 
   def usernames
-    map_data('name')
+    warn '[DEPRECATION] `passwd.usernames` is deprecated. Please use `passwd.users` instead. It will be removed in version 1.0.0.'
+    users
   end
 
-  def passwords
-    map_data('password')
+  def username
+    warn '[DEPRECATION] `passwd.user` is deprecated. Please use `passwd.users` instead. It will be removed in version 1.0.0.'
+    users[0]
   end
 
-  def uids
-    map_data('uid')
+  def uid(x)
+    warn '[DEPRECATION] `passwd.uid(arg)` is deprecated. Please use `passwd.uids(arg)` instead. It will be removed in version 1.0.0.'
+    uids(x)
   end
 
-  def gids
-    map_data('gid')
+  def users(name = nil)
+    name.nil? ? map_data('user') : filter(user: name)
   end
 
-  def to_s
-    '/etc/passwd'
+  def passwords(password = nil)
+    password.nil? ? map_data('password') : filter(password: password)
   end
 
-  private
+  def uids(uid = nil)
+    uid.nil? ? map_data('uid') : filter(uid: uid)
+  end
 
-  def map_data(id)
-    @parsed.map {|x|
-      x[id]
-    }
+  def gids(gid = nil)
+    gid.nil? ? map_data('gid') : filter(gid: gid)
   end
-end
 
-# object that hold a specifc uid view on passwd
-class PasswdUid
-  def initialize(passwd, uid)
-    @passwd = passwd
-    @users = @passwd.parsed.select { |x| x['uid'] == uid.to_s }
+  def homes(home = nil)
+    home.nil? ? map_data('home') : filter(home: home)
   end
 
-  def username
-    @users.at(0)['name']
+  def shells(shell = nil)
+    shell.nil? ? map_data('shell') : filter(shell: shell)
+  end
+
+  def to_s
+    f = @filters.empty? ? '' : ' with'+@filters
+    "/etc/passwd#{f}"
   end
 
   def count
-    @users.size
+    @params.length
+  end
+
+  private
+
+  def map_data(id)
+    @params.map { |x| x[id] }
   end
 end

data/lib/resources/service.rb

@@ -189,7 +189,7 @@ end
 # @see: http://www.freedesktop.org/software/systemd/man/systemd-system.conf.html
 class Systemd < ServiceManager
   def initialize(inspec, service_ctl = nil)
-    @service_ctl ||= 'systemctl'
+    @service_ctl = service_ctl || 'systemctl'
     super
   end
 
@@ -270,7 +270,7 @@ end
 # @see: http://upstart.ubuntu.com
 class Upstart < ServiceManager
   def initialize(service_name, service_ctl = nil)
-    @service_ctl ||= 'initctl'
+    @service_ctl = service_ctl || 'initctl'
     super
   end
 
@@ -311,6 +311,8 @@ class Upstart < ServiceManager
       config = inspec.file("/etc/init/#{service_name}.conf").content
     end
 
+    # disregard if the config does not exist
+    return nil if config.nil?
     enabled = !config[/^\s*start on/].nil?
 
     # implement fallback for Ubuntu 10.04
@@ -325,8 +327,10 @@ class Upstart < ServiceManager
   end
 
   def version
-    @version ||= Gem::Version.new(inspec.command("#{service_ctl} --version")
-                                        .stdout.match(/\(upstart ([^\)]+)\)/)[1])
+    @version ||= (
+      out = inspec.command("#{service_ctl} --version").stdout
+      Gem::Version.new(out[/\(upstart ([^\)]+)\)/, 1])
+    )
   end
 end
 
@@ -334,7 +338,7 @@ class SysV < ServiceManager
   RUNLEVELS = { 0=>false, 1=>false, 2=>false, 3=>false, 4=>false, 5=>false, 6=>false }.freeze
 
   def initialize(service_name, service_ctl = nil)
-    @service_ctl ||= 'service'
+    @service_ctl = service_ctl || 'service'
     super
   end
 
@@ -386,7 +390,7 @@ end
 # @see: https://www.freebsd.org/cgi/man.cgi?query=rc.conf&sektion=5
 class BSDInit < ServiceManager
   def initialize(service_name, service_ctl = nil)
-    @service_ctl ||= 'service'
+    @service_ctl = service_ctl || 'service'
     super
   end
 
@@ -423,7 +427,7 @@ end
 
 class Runit < ServiceManager
   def initialize(service_name, service_ctl = nil)
-    @service_ctl ||= 'sv'
+    @service_ctl = service_ctl || 'sv'
     super
   end
 
@@ -452,7 +456,7 @@ end
 # new launctl on macos 10.10
 class LaunchCtl < ServiceManager
   def initialize(service_name, service_ctl = nil)
-    @service_ctl ||= 'launchctl'
+    @service_ctl = service_ctl || 'launchctl'
     super
   end
 
@@ -562,7 +566,7 @@ end
 # Solaris services
 class Svcs < ServiceManager
   def initialize(service_name, service_ctl = nil)
-    @service_ctl ||= 'svcs'
+    @service_ctl = service_ctl || 'svcs'
     super
   end
 

data/lib/resources/shadow.rb

@@ -0,0 +1,135 @@
+# encoding: utf-8
+# copyright: 2016, Chef Software Inc.
+# author: Dominik Richter
+# author: Christoph Hartmann
+
+require 'forwardable'
+
+# The file format consists of
+# - user
+# - password
+# - last_change
+# - min_days before password change
+# - max_days until password change
+# - warn_days before warning about expiry
+# - inactive_days before deactivating the account
+# - expiry_date when this account will expire
+
+class Shadow < Inspec.resource(1)
+  name 'shadow'
+  desc 'Use the shadow InSpec resource to test the contents of /etc/shadow, '\
+       'which contains the following information for users that may log into '\
+       'the system and/or as users that own running processes.'
+  example "
+    describe shadow do
+      its('users') { should_not include 'forbidden_user' }
+    end
+
+    describe shadow.users('bin') do
+      its('password') { should cmp 'x' }
+      its('count') { should eq 1 }
+    end
+  "
+
+  extend Forwardable
+  attr_reader :params
+  attr_reader :content
+  attr_reader :lines
+
+  def initialize(path = '/etc/shadow', opts = nil)
+    opts ||= {}
+    @path = path || '/etc/shadow'
+    @content = opts[:content] || inspec.file(@path).content
+    @lines = @content.to_s.split("\n")
+    @filters = opts[:filters] || ''
+    @params = @lines.map { |l| parse_shadow_line(l) }
+  end
+
+  def filter(hm = {})
+    return self if hm.nil? || hm.empty?
+    res = @params
+    filters = ''
+    hm.each do |attr, condition|
+      condition = condition.to_s if condition.is_a? Integer
+      filters += " #{attr} = #{condition.inspect}"
+      res = res.find_all do |line|
+        case line[attr.to_s]
+        when condition
+          true
+        else
+          false
+        end
+      end
+    end
+    content = res.map { |x| x.values.join(':') }.join("\n")
+    Shadow.new(@path, content: content, filters: @filters + filters)
+  end
+
+  def entries
+    @lines.map { |line| Shadow.new(@path, content: line, filters: @filters) }
+  end
+
+  def users(name = nil)
+    name.nil? ? map_data('user') : filter(user: name)
+  end
+
+  def passwords(password = nil)
+    password.nil? ? map_data('password') : filter(password: password)
+  end
+
+  def last_changes(filter_by = nil)
+    filter_by.nil? ? map_data('last_change') : filter(last_change: filter_by)
+  end
+
+  def min_days(filter_by = nil)
+    filter_by.nil? ? map_data('min_days') : filter(min_days: filter_by)
+  end
+
+  def max_days(filter_by = nil)
+    filter_by.nil? ? map_data('max_days') : filter(max_days: filter_by)
+  end
+
+  def warn_days(filter_by = nil)
+    filter_by.nil? ? map_data('warn_days') : filter(warn_days: filter_by)
+  end
+
+  def inactive_days(filter_by = nil)
+    filter_by.nil? ? map_data('inactive_days') : filter(inactive_days: filter_by)
+  end
+
+  def expiry_dates(filter_by = nil)
+    filter_by.nil? ? map_data('expiry_date') : filter(expiry_date: filter_by)
+  end
+
+  def to_s
+    f = @filters.empty? ? '' : ' with'+@filters
+    "/etc/shadow#{f}"
+  end
+
+  def_delegator :@params, :length, :count
+
+  private
+
+  def map_data(id)
+    @params.map { |x| x[id] }
+  end
+
+  # Parse a line of /etc/shadow
+  #
+  # @param [String] line a line of /etc/shadow
+  # @return [Hash] Map of entries in this line
+  def parse_shadow_line(line)
+    x = line.split(':')
+    {
+      'user'          => x.at(0),
+      'password'      => x.at(1),
+      'last_change'   => x.at(2),
+      'min_days'      => x.at(3),
+      'max_days'      => x.at(4),
+      'warn_days'     => x.at(5),
+      'inactive_days' => x.at(6),
+      'expiry_date'   => x.at(7),
+      'reserved'      => x.at(8),
+    }
+  end
+end