inspec 0.12.0 → 0.14.0

data/lib/source_readers/flat.rb

@@ -0,0 +1,38 @@
+# encoding: utf-8
+# author: Dominik Richter
+# author: Christoph Hartmann
+
+require 'inspec/fetcher'
+require 'inspec/metadata'
+
+module SourceReaders
+  class Flat < Inspec.source_reader(1)
+    name 'flat'
+    priority 5
+
+    def self.resolve(target)
+      # TODO: eventually remove the metadata.rb exception here
+      # when we have fully phased out metadata.rb in 1.0
+      files = target.files.find_all { |x|
+        x.end_with?('.rb') && !x.include?('/') && x != 'metadata.rb'
+      }
+      return nil if files.empty?
+      new(target, files)
+    end
+
+    attr_reader :metadata, :tests, :libraries
+
+    def initialize(target, files)
+      @target = target
+      @metadata = ::Inspec::Metadata.new(nil)
+      @tests = load_tests(files)
+      @libraries = {}
+    end
+
+    private
+
+    def load_tests(files)
+      Hash[files.map { |x| [x, @target.read(x)] }]
+    end
+  end
+end

data/lib/source_readers/inspec.rb

@@ -0,0 +1,78 @@
+# encoding: utf-8
+# author: Dominik Richter
+# author: Christoph Hartmann
+
+require 'inspec/fetcher'
+require 'inspec/metadata'
+
+module SourceReaders
+  class InspecReader < Inspec.source_reader(1)
+    name 'inspec'
+    priority 10
+
+    def self.resolve(target)
+      return new(target, 'inspec.yml') if target.files.include?('inspec.yml')
+      # TODO: deprecated for 1.0.0 release
+      if target.files.include?('metadata.rb') &&
+         (
+           target.files.include?('controls') ||
+           target.files.include?('test')
+         )
+        return new(target, 'metadata.rb')
+      end
+      nil
+    end
+
+    attr_reader :metadata, :tests, :libraries
+
+    def initialize(target, metadata_source)
+      @target = target
+      @metadata = Inspec::Metadata.from_ref(
+        metadata_source,
+        @target.read(metadata_source),
+        nil)
+
+      @tests = load_tests
+      @libraries = load_libs
+      prepare_load_paths
+    end
+
+    private
+
+    def load_tests
+      tests = @target.files.find_all do |path|
+        path.start_with?('controls', 'test') && path.end_with?('.rb')
+      end
+      Hash[tests.map { |x| [x, @target.read(x)] }]
+    end
+
+    def load_libs
+      tests = @target.files.find_all do |path|
+        path.start_with?('libraries') && path.end_with?('.rb')
+      end
+      Hash[tests.map { |x| [x, @target.read(x)] }]
+    end
+
+    # Ensure each test directory exists on the $LOAD_PATH. This
+    # will ensure traditional RSpec-isms like `require 'spec_helper'`
+    # continue to work. The method outlined here is only meant to be temporary!
+    def prepare_load_paths
+      t = @target
+      t = @target.parent unless @target.parent.nil?
+      unless t.is_a?(Fetchers::Local)
+        return # no need to mess with load-paths if this is not on disk
+      end
+
+      rel_dirs = (@libraries.keys + @tests.keys)
+                 .map { |x| File.dirname(x) }.uniq
+
+      abs_dirs = rel_dirs.map { |x| @target.abs_path(x) }
+                         .find_all { |x| File.directory?(x) }
+                         .map { |x| File.expand_path(x) }
+
+      abs_dirs.each do |dir|
+        $LOAD_PATH.unshift dir unless $LOAD_PATH.include?(dir)
+      end
+    end
+  end
+end

data/lib/utils/base_cli.rb

@@ -42,13 +42,13 @@ module Inspec
     private
 
     # helper method to run tests
-    def run_tests(opts, tests)
+    def run_tests(targets, opts)
       o = opts.dup
       o[:logger] = Logger.new(opts['format'] == 'json' ? nil : STDOUT)
       o[:logger].level = get_log_level(o.log_level)
 
       runner = Inspec::Runner.new(o)
-      runner.add_tests(tests)
+      targets.each { |target| runner.add_target(target, opts) }
       exit runner.run
     rescue RuntimeError => e
       puts e.message

data/lib/utils/parser.rb

@@ -20,7 +20,7 @@ module PasswdParser
   def parse_passwd_line(line)
     x = line.split(':')
     {
-      'name' => x.at(0),
+      'user' => x.at(0),
       'password' => x.at(1),
       'uid' => x.at(2),
       'gid' => x.at(3),

data/lib/utils/plugin_registry.rb

@@ -0,0 +1,93 @@
+# encoding: utf-8
+# author: Dominik Richter
+# author: Christoph Hartmann
+
+class PluginRegistry
+  attr_reader :registry
+
+  def initialize
+    @registry = {}
+  end
+
+  # Resolve a target via available plugins.
+  #
+  # @param [String] target to resolve
+  # @return [Plugin] plugin instance if it can be resolved, nil otherwise
+  def resolve(target)
+    modules.each do |m|
+      res = m.resolve(target)
+      return res unless res.nil?
+    end
+    nil
+  end
+
+  private
+
+  # Get all registered plugins sorted by priority, with highest first
+  #
+  # @return [Array[Plugin]] sorted list of plugins
+  def modules
+    @registry.values
+             .sort_by { |x| x.respond_to?(:priority) ? x.priority : 0 }
+             .reverse
+  end
+end
+
+class PluginRegistry
+  class Plugin
+    # Retrieve the plugin registry associated with this plugin
+    #
+    # @return [PluginRegistry] plugin registry for this plugin
+    def self.plugin_registry
+      fail "Plugin #{self} does not implement `self.plugin_registry()`. This method is required"
+    end
+
+    # Register a new plugin by name
+    #
+    # @param [String] the unique name of this plugin
+    # @return [nil] disregard
+    def self.name(name)
+      fail "Trying to register #{self} with name == nil" if name.nil?
+      @name = name
+      plugin_registry.registry[name] = self
+    end
+
+    # This plugin's priority. Set it by providing the priority as an
+    # argument. Higher numbers ensure that the plugin is
+    # called early to check if a target belongs to it. When called without
+    # an argument, it retrieves this plugin's priority. Defaults to 0.
+    #
+    # @param [Numeric] Priority as a number. Will only be set if != nil
+    # @return [Numeric] This plugin's priority
+    def self.priority(x = nil)
+      @priority = x unless x.nil?
+      @priority || 0
+    end
+
+    # Try to resolve the target. If this plugin cannot handle it, the result
+    # will be nil. If, however, the plugin can resolve it, the resulting
+    # object will be an instance of this plugin. This means, that the interface
+    # that this base class provides, is the basis for the returned type.
+    #
+    # @param [String] target to try to resolve
+    # @return [Plugin] instance if it can be resolved, nil otherwise
+    def self.resolve(_target)
+      fail "Plugin #{self} does not implement `self.resolve(target)`. This method is required"
+    end
+
+    # When a plugin's resolve doesn't lead to the final state, it can
+    # use this method to hand it back for another resolver to handle.
+    #
+    # @param [Any] the current target that needs resolving
+    # @param [Plugin] an instance of the calling resolver
+    # @return [Plugin] instance if it can be resolved, nil otherwise
+    def self.resolve_next(target, parent)
+      res = plugin_registry.resolve(target)
+      res.parent = parent
+      res
+    end
+
+    attr_reader :target
+    attr_accessor :parent
+  end
+end

data/test/docker_test.rb

@@ -42,7 +42,7 @@ class DockerTester
     puts "--> run test on docker #{container.id}"
     opts = { 'target' => "docker://#{container.id}" }
     runner = Inspec::Runner.new(opts)
-    runner.add_tests(@tests)
+    @tests.each { |test| runner.add_target(test, opts) }
     runner.tests.map { |g| g.run(report) }
   end
 end

data/test/helper.rb

@@ -14,12 +14,19 @@ SimpleCov.start do
   add_group 'Backends', 'lib/inspec/backend'
 end
 
+require 'fileutils'
+require 'pathname'
+require 'tempfile'
+require 'zip'
+
 require 'utils/base_cli'
-require 'inspec/targets'
+require 'inspec/fetcher'
+require 'inspec/source_reader'
 require 'inspec/resource'
 require 'inspec/backend'
 require 'inspec/profile'
-
+require 'inspec/runner'
+require 'inspec/runner_mock'
 
 class MockLoader
   # collects emulation operating systems
@@ -44,6 +51,8 @@ class MockLoader
     undefined:  { family: nil, release: nil, arch: nil },
   }
 
+  @archives = {}
+
   # pass the os identifier to emulate a specific operating system
   def initialize(os = nil)
     # selects operating system
@@ -86,6 +95,7 @@ class MockLoader
       '/etc/ssh/ssh_config' => mockfile.call('ssh_config'),
       '/etc/ssh/sshd_config' => mockfile.call('sshd_config'),
       '/etc/passwd' => mockfile.call('passwd'),
+      '/etc/shadow' => mockfile.call('shadow'),
       '/etc/ntp.conf' => mockfile.call('ntp.conf'),
       '/etc/login.defs' => mockfile.call('login.defs'),
       '/etc/security/limits.conf' => mockfile.call('limits.conf'),
@@ -238,6 +248,56 @@ class MockLoader
     resource.inspec.backend
             .mock_command(cmd, res[:stdout], res[:stderr], res[:exit_status])
   end
+
+  def self.home
+    File.join(File.dirname(__FILE__), 'unit')
+  end
+
+  def self.profile_path(name)
+    dst = name
+    dst = "#{home}/mock/profiles/#{name}" unless name.start_with?(home)
+    dst
+  end
+
+  def self.load_profile(name, opts = {})
+    opts[:test_collector] = Inspec::RunnerMock.new
+    Inspec::Profile.for_target(profile_path(name), opts)
+  end
+
+  def self.profile_tgz(name)
+    path = File.join(home, 'mock', 'profiles', name)
+    archive = Tempfile.new([name, '.tar.gz'])
+    dst = archive.path
+    archive.close
+
+    # generate relative paths
+    files = Dir.glob("#{path}/**/*")
+    relatives = files.map { |e| Pathname.new(e).relative_path_from(Pathname.new(path)).to_s }
+
+    require 'inspec/archive/tar'
+    tag = Inspec::Archive::TarArchiveGenerator.new
+    tag.archive(path, relatives, dst)
+    @archives[dst] = archive
+
+    dst
+  end
+
+  def self.profile_zip(name, opts = {})
+    path = File.join(home, 'mock', 'profiles', name)
+    archive = Tempfile.new([name, '.zip'])
+    dst = archive.path
+    archive.close
+
+    # rubyzip only works relative paths
+    files = Dir.glob("#{path}/**/*")
+    relatives = files.map { |e| Pathname.new(e).relative_path_from(Pathname.new(path)).to_s }
+
+    require 'inspec/archive/zip'
+    zag = Inspec::Archive::ZipArchiveGenerator.new
+    zag.archive(path, relatives, dst)
+    @archives[dst] = archive
+    dst
+  end
 end
 
 def load_resource(*args)

data/test/integration/cookbooks/os_prepare/recipes/service.rb

@@ -12,6 +12,8 @@ when 'ubuntu'
 
 when 'centos'
   # install runit for alternative service mgmt
-  include_recipe 'os_prepare::_runit_service_centos'
-  include_recipe 'os_prepare::_upstart_service_centos'
+  if node['platform_version'].to_i >= 6
+    include_recipe 'os_prepare::_runit_service_centos'
+    include_recipe 'os_prepare::_upstart_service_centos'
+  end
 end

data/test/integration/test/integration/default/compare_matcher_spec.rb

@@ -18,4 +18,15 @@ if os.linux?
     its('LogLevel') { should cmp 'info' }
     its('LogLevel') { should cmp 'InfO' }
   end
+
+  describe passwd.passwords.uniq do
+    it { should eq ['x'] }
+    it { should cmp ['x'] }
+    it { should cmp 'x' }
+  end
+
+  describe passwd.usernames do
+    it { should include 'root' }
+    it { should_not cmp 'root' }
+  end
 end

data/test/integration/test/integration/default/service_spec.rb

@@ -47,7 +47,7 @@ if os[:family] == 'ubuntu'
 end
 
 # extra tests for alt. runit on centos with runit_service
-if os[:family] == 'centos'
+if os[:family] == 'centos' && os[:release].to_i >= 6
   describe runit_service('running-runit-service') do
     it { should be_enabled }
     it { should be_installed }
@@ -103,3 +103,18 @@ if os[:family] == 'centos'
     it { should_not be_running }
   end
 end
+
+# extra tests for sys-v runlevels
+if os[:family] == 'centos' && os[:release].to_i <= 6
+  describe service('sshd').runlevels do
+    its('keys') { should include(2) }
+  end
+
+  describe service('sshd').runlevels(2, 4) do
+    it { should be_enabled }
+  end
+
+  describe service('sshd').runlevels(0, 1) do
+    it { should_not be_enabled }
+  end
+end

data/test/unit/fetchers.rb

@@ -0,0 +1,61 @@
+# encoding: utf-8
+# author: Dominik Richter
+# author: Christoph Hartmann
+
+require 'helper'
+
+describe Inspec::Fetcher do
+  it 'loads the local fetcher for this file' do
+    res = Inspec::Fetcher.resolve(__FILE__)
+    res.must_be_kind_of Fetchers::Local
+  end
+end
+
+describe Inspec::Plugins::RelFetcher do
+  def fetcher
+    src_fetcher.expects(:files).returns(in_files).at_least_once
+    Inspec::Plugins::RelFetcher.new(src_fetcher)
+  end
+
+  let(:src_fetcher) { mock() }
+
+  IN_AND_OUT = {
+    []                        => [],
+    %w{file}                  => %w{file},
+    # don't prefix just by filename
+    %w{file file_a}           => %w{file file_a},
+    %w{path/file path/file_a} => %w{file file_a},
+    %w{path/to/file}          => %w{file},
+    %w{/path/to/file}         => %w{file},
+    %w{alice bob}             => %w{alice bob},
+    # mixed paths
+    %w{x/a y/b}               => %w{x/a y/b},
+    %w{/x/a /y/b}             => %w{x/a y/b},
+    %w{z/x/a z/y/b}           => %w{x/a y/b},
+    %w{/z/x/a /z/y/b}         => %w{x/a y/b},
+    # mixed with relative path
+    %w{a path/to/b}           => %w{a path/to/b},
+    %w{path/to/b a}           => %w{path/to/b a},
+    %w{path/to/b path/a}      => %w{to/b a},
+    %w{path/to/b path/a c}    => %w{path/to/b path/a c},
+    # mixed with absolute paths
+    %w{/path/to/b /a}         => %w{path/to/b a},
+    %w{/path/to/b /path/a}    => %w{to/b a},
+    %w{/path/to/b /path/a /c} => %w{path/to/b path/a c},
+    # mixing absolute and relative paths
+    %w{path/a /path/b}        => %w{path/a /path/b},
+    %w{/path/a path/b}        => %w{/path/a path/b},
+    # extract folder structure buildup
+    %w{/a /a/b /a/b/c}        => %w{c},
+    %w{/a /a/b /a/b/c/d/e}    => %w{e},
+  }.each do |ins, outs|
+    describe 'empty profile' do
+      let(:in_files) { ins }
+
+      it 'also has no files' do
+        fetcher.files.must_equal outs
+      end
+    end
+  end
+
+end