inspec 0.14.8 → 0.15.0

data/lib/resources/shadow.rb

@@ -15,121 +15,123 @@ require 'forwardable'
 # - inactive_days before deactivating the account
 # - expiry_date when this account will expire
 
-class Shadow < Inspec.resource(1)
-  name 'shadow'
-  desc 'Use the shadow InSpec resource to test the contents of /etc/shadow, '\
-       'which contains the following information for users that may log into '\
-       'the system and/or as users that own running processes.'
-  example "
-    describe shadow do
-      its('users') { should_not include 'forbidden_user' }
-    end
+module Inspec::Resources
+  class Shadow < Inspec.resource(1)
+    name 'shadow'
+    desc 'Use the shadow InSpec resource to test the contents of /etc/shadow, '\
+         'which contains the following information for users that may log into '\
+         'the system and/or as users that own running processes.'
+    example "
+      describe shadow do
+        its('users') { should_not include 'forbidden_user' }
+      end
 
-    describe shadow.users('bin') do
-      its('password') { should cmp 'x' }
-      its('count') { should eq 1 }
+      describe shadow.users('bin') do
+        its('password') { should cmp 'x' }
+        its('count') { should eq 1 }
+      end
+    "
+
+    extend Forwardable
+    attr_reader :params
+    attr_reader :content
+    attr_reader :lines
+
+    def initialize(path = '/etc/shadow', opts = nil)
+      opts ||= {}
+      @path = path || '/etc/shadow'
+      @content = opts[:content] || inspec.file(@path).content
+      @lines = @content.to_s.split("\n")
+      @filters = opts[:filters] || ''
+      @params = @lines.map { |l| parse_shadow_line(l) }
     end
-  "
-
-  extend Forwardable
-  attr_reader :params
-  attr_reader :content
-  attr_reader :lines
-
-  def initialize(path = '/etc/shadow', opts = nil)
-    opts ||= {}
-    @path = path || '/etc/shadow'
-    @content = opts[:content] || inspec.file(@path).content
-    @lines = @content.to_s.split("\n")
-    @filters = opts[:filters] || ''
-    @params = @lines.map { |l| parse_shadow_line(l) }
-  end
 
-  def filter(hm = {})
-    return self if hm.nil? || hm.empty?
-    res = @params
-    filters = ''
-    hm.each do |attr, condition|
-      condition = condition.to_s if condition.is_a? Integer
-      filters += " #{attr} = #{condition.inspect}"
-      res = res.find_all do |line|
-        case line[attr.to_s]
-        when condition
-          true
-        else
-          false
+    def filter(hm = {})
+      return self if hm.nil? || hm.empty?
+      res = @params
+      filters = ''
+      hm.each do |attr, condition|
+        condition = condition.to_s if condition.is_a? Integer
+        filters += " #{attr} = #{condition.inspect}"
+        res = res.find_all do |line|
+          case line[attr.to_s]
+          when condition
+            true
+          else
+            false
+          end
         end
       end
+      content = res.map { |x| x.values.join(':') }.join("\n")
+      Shadow.new(@path, content: content, filters: @filters + filters)
     end
-    content = res.map { |x| x.values.join(':') }.join("\n")
-    Shadow.new(@path, content: content, filters: @filters + filters)
-  end
 
-  def entries
-    @lines.map { |line| Shadow.new(@path, content: line, filters: @filters) }
-  end
+    def entries
+      @lines.map { |line| Shadow.new(@path, content: line, filters: @filters) }
+    end
 
-  def users(name = nil)
-    name.nil? ? map_data('user') : filter(user: name)
-  end
+    def users(name = nil)
+      name.nil? ? map_data('user') : filter(user: name)
+    end
 
-  def passwords(password = nil)
-    password.nil? ? map_data('password') : filter(password: password)
-  end
+    def passwords(password = nil)
+      password.nil? ? map_data('password') : filter(password: password)
+    end
 
-  def last_changes(filter_by = nil)
-    filter_by.nil? ? map_data('last_change') : filter(last_change: filter_by)
-  end
+    def last_changes(filter_by = nil)
+      filter_by.nil? ? map_data('last_change') : filter(last_change: filter_by)
+    end
 
-  def min_days(filter_by = nil)
-    filter_by.nil? ? map_data('min_days') : filter(min_days: filter_by)
-  end
+    def min_days(filter_by = nil)
+      filter_by.nil? ? map_data('min_days') : filter(min_days: filter_by)
+    end
 
-  def max_days(filter_by = nil)
-    filter_by.nil? ? map_data('max_days') : filter(max_days: filter_by)
-  end
+    def max_days(filter_by = nil)
+      filter_by.nil? ? map_data('max_days') : filter(max_days: filter_by)
+    end
 
-  def warn_days(filter_by = nil)
-    filter_by.nil? ? map_data('warn_days') : filter(warn_days: filter_by)
-  end
+    def warn_days(filter_by = nil)
+      filter_by.nil? ? map_data('warn_days') : filter(warn_days: filter_by)
+    end
 
-  def inactive_days(filter_by = nil)
-    filter_by.nil? ? map_data('inactive_days') : filter(inactive_days: filter_by)
-  end
+    def inactive_days(filter_by = nil)
+      filter_by.nil? ? map_data('inactive_days') : filter(inactive_days: filter_by)
+    end
 
-  def expiry_dates(filter_by = nil)
-    filter_by.nil? ? map_data('expiry_date') : filter(expiry_date: filter_by)
-  end
+    def expiry_dates(filter_by = nil)
+      filter_by.nil? ? map_data('expiry_date') : filter(expiry_date: filter_by)
+    end
 
-  def to_s
-    f = @filters.empty? ? '' : ' with'+@filters
-    "/etc/shadow#{f}"
-  end
+    def to_s
+      f = @filters.empty? ? '' : ' with'+@filters
+      "/etc/shadow#{f}"
+    end
 
-  def_delegator :@params, :length, :count
+    def_delegator :@params, :length, :count
 
-  private
+    private
 
-  def map_data(id)
-    @params.map { |x| x[id] }
-  end
+    def map_data(id)
+      @params.map { |x| x[id] }
+    end
 
-  # Parse a line of /etc/shadow
-  #
-  # @param [String] line a line of /etc/shadow
-  # @return [Hash] Map of entries in this line
-  def parse_shadow_line(line)
-    x = line.split(':')
-    {
-      'user'          => x.at(0),
-      'password'      => x.at(1),
-      'last_change'   => x.at(2),
-      'min_days'      => x.at(3),
-      'max_days'      => x.at(4),
-      'warn_days'     => x.at(5),
-      'inactive_days' => x.at(6),
-      'expiry_date'   => x.at(7),
-      'reserved'      => x.at(8),
-    }
+    # Parse a line of /etc/shadow
+    #
+    # @param [String] line a line of /etc/shadow
+    # @return [Hash] Map of entries in this line
+    def parse_shadow_line(line)
+      x = line.split(':')
+      {
+        'user'          => x.at(0),
+        'password'      => x.at(1),
+        'last_change'   => x.at(2),
+        'min_days'      => x.at(3),
+        'max_days'      => x.at(4),
+        'warn_days'     => x.at(5),
+        'inactive_days' => x.at(6),
+        'expiry_date'   => x.at(7),
+        'reserved'      => x.at(8),
+      }
+    end
   end
 end

data/lib/resources/ssh_conf.rb

@@ -6,76 +6,78 @@
 
 require 'utils/simpleconfig'
 
-class SshConf < Inspec.resource(1)
-  name 'ssh_config'
-  desc 'Use the sshd_config InSpec audit resource to test configuration data for the Open SSH daemon located at /etc/ssh/sshd_config on Linux and UNIX platforms. sshd---the Open SSH daemon---listens on dedicated ports, starts a daemon for each incoming connection, and then handles encryption, authentication, key exchanges, command executation, and data exchanges.'
-  example "
-    describe sshd_config do
-      its('Protocol') { should eq '2' }
+module Inspec::Resources
+  class SshConf < Inspec.resource(1)
+    name 'ssh_config'
+    desc 'Use the sshd_config InSpec audit resource to test configuration data for the Open SSH daemon located at /etc/ssh/sshd_config on Linux and UNIX platforms. sshd---the Open SSH daemon---listens on dedicated ports, starts a daemon for each incoming connection, and then handles encryption, authentication, key exchanges, command executation, and data exchanges.'
+    example "
+      describe sshd_config do
+        its('Protocol') { should eq '2' }
+      end
+    "
+
+    def initialize(conf_path = nil, type = nil)
+      @conf_path = conf_path || '/etc/ssh/ssh_config'
+      typename = (@conf_path.include?('sshd') ? 'Server' : 'Client')
+      @type = type || "SSH #{typename} configuration #{conf_path}"
     end
-  "
 
-  def initialize(conf_path = nil, type = nil)
-    @conf_path = conf_path || '/etc/ssh/ssh_config'
-    typename = (@conf_path.include?('sshd') ? 'Server' : 'Client')
-    @type = type || "SSH #{typename} configuration #{conf_path}"
-  end
+    def content
+      read_content
+    end
 
-  def content
-    read_content
-  end
+    def params(*opts)
+      opts.inject(read_params) do |res, nxt|
+        res.respond_to?(:key) ? res[nxt] : nil
+      end
+    end
 
-  def params(*opts)
-    opts.inject(read_params) do |res, nxt|
-      res.respond_to?(:key) ? res[nxt] : nil
+    def method_missing(name)
+      param = read_params[name.to_s]
+      return nil if param.nil?
+      # extract first value if we have only one value in array
+      return param[0] if param.length == 1
+      param
     end
-  end
 
-  def method_missing(name)
-    param = read_params[name.to_s]
-    return nil if param.nil?
-    # extract first value if we have only one value in array
-    return param[0] if param.length == 1
-    param
-  end
+    def to_s
+      'SSH Configuration'
+    end
 
-  def to_s
-    'SSH Configuration'
-  end
+    private
 
-  private
+    def read_content
+      return @content if defined?(@content)
+      file = inspec.file(@conf_path)
+      if !file.file?
+        return skip_resource "Can't find file \"#{@conf_path}\""
+      end
 
-  def read_content
-    return @content if defined?(@content)
-    file = inspec.file(@conf_path)
-    if !file.file?
-      return skip_resource "Can't find file \"#{@conf_path}\""
-    end
+      @content = file.content
+      if @content.empty? && file.size > 0
+        return skip_resource "Can't read file \"#{@conf_path}\""
+      end
 
-    @content = file.content
-    if @content.empty? && file.size > 0
-      return skip_resource "Can't read file \"#{@conf_path}\""
+      @content
     end
 
-    @content
-  end
-
-  def read_params
-    return @params if defined?(@params)
-    return @params = {} if read_content.nil?
-    conf = SimpleConfig.new(
-      read_content,
-      assignment_re: /^\s*(\S+?)\s+(.*?)\s*$/,
-      multiple_values: true,
-    )
-    @params = conf.params
+    def read_params
+      return @params if defined?(@params)
+      return @params = {} if read_content.nil?
+      conf = SimpleConfig.new(
+        read_content,
+        assignment_re: /^\s*(\S+?)\s+(.*?)\s*$/,
+        multiple_values: true,
+      )
+      @params = conf.params
+    end
   end
-end
 
-class SshdConf < SshConf
-  name 'sshd_config'
+  class SshdConf < SshConf
+    name 'sshd_config'
 
-  def initialize(path = nil)
-    super(path || '/etc/ssh/sshd_config')
+    def initialize(path = nil)
+      super(path || '/etc/ssh/sshd_config')
+    end
   end
 end

data/lib/resources/user.rb

@@ -38,421 +38,423 @@
 require 'utils/parser'
 require 'utils/convert'
 
-class User < Inspec.resource(1) # rubocop:disable Metrics/ClassLength
-  name 'user'
-  desc 'Use the user InSpec audit resource to test user profiles, including the groups to which they belong, the frequency of required password changes, the directory paths to home and shell.'
-  example "
-    describe user('root') do
-      it { should exist }
-      its('uid') { should eq 1234 }
-      its('gid') { should eq 1234 }
-    end
-  "
-  def initialize(user)
-    @user = user
-
-    # select package manager
-    @user_provider = nil
-    os = inspec.os
-    if os.linux?
-      @user_provider = LinuxUser.new(inspec)
-    elsif os.windows?
-      @user_provider = WindowsUser.new(inspec)
-    elsif ['darwin'].include?(os[:family])
-      @user_provider = DarwinUser.new(inspec)
-    elsif ['freebsd'].include?(os[:family])
-      @user_provider = FreeBSDUser.new(inspec)
-    elsif ['aix'].include?(os[:family])
-      @user_provider = AixUser.new(inspec)
-    elsif os.solaris?
-      @user_provider = SolarisUser.new(inspec)
-    else
-      return skip_resource 'The `user` resource is not supported on your OS yet.'
+module Inspec::Resources
+  class User < Inspec.resource(1) # rubocop:disable Metrics/ClassLength
+    name 'user'
+    desc 'Use the user InSpec audit resource to test user profiles, including the groups to which they belong, the frequency of required password changes, the directory paths to home and shell.'
+    example "
+      describe user('root') do
+        it { should exist }
+        its('uid') { should eq 1234 }
+        its('gid') { should eq 1234 }
+      end
+    "
+    def initialize(user)
+      @user = user
+
+      # select package manager
+      @user_provider = nil
+      os = inspec.os
+      if os.linux?
+        @user_provider = LinuxUser.new(inspec)
+      elsif os.windows?
+        @user_provider = WindowsUser.new(inspec)
+      elsif ['darwin'].include?(os[:family])
+        @user_provider = DarwinUser.new(inspec)
+      elsif ['freebsd'].include?(os[:family])
+        @user_provider = FreeBSDUser.new(inspec)
+      elsif ['aix'].include?(os[:family])
+        @user_provider = AixUser.new(inspec)
+      elsif os.solaris?
+        @user_provider = SolarisUser.new(inspec)
+      else
+        return skip_resource 'The `user` resource is not supported on your OS yet.'
+      end
     end
-  end
 
-  def exists?
-    !identity.nil? && !identity[:user].nil?
-  end
+    def exists?
+      !identity.nil? && !identity[:user].nil?
+    end
 
-  def uid
-    identity[:uid] unless identity.nil?
-  end
+    def uid
+      identity[:uid] unless identity.nil?
+    end
 
-  def gid
-    identity[:gid] unless identity.nil?
-  end
+    def gid
+      identity[:gid] unless identity.nil?
+    end
 
-  def group
-    identity[:group] unless identity.nil?
-  end
+    def group
+      identity[:group] unless identity.nil?
+    end
 
-  def groups
-    identity[:groups] unless identity.nil?
-  end
+    def groups
+      identity[:groups] unless identity.nil?
+    end
 
-  def home
-    meta_info[:home] unless meta_info.nil?
-  end
+    def home
+      meta_info[:home] unless meta_info.nil?
+    end
 
-  def shell
-    meta_info[:shell] unless meta_info.nil?
-  end
+    def shell
+      meta_info[:shell] unless meta_info.nil?
+    end
 
-  # returns the minimum days between password changes
-  def mindays
-    credentials[:mindays] unless credentials.nil?
-  end
+    # returns the minimum days between password changes
+    def mindays
+      credentials[:mindays] unless credentials.nil?
+    end
 
-  # returns the maximum days between password changes
-  def maxdays
-    credentials[:maxdays] unless credentials.nil?
-  end
+    # returns the maximum days between password changes
+    def maxdays
+      credentials[:maxdays] unless credentials.nil?
+    end
 
-  # returns the days for password change warning
-  def warndays
-    credentials[:warndays] unless credentials.nil?
-  end
+    # returns the days for password change warning
+    def warndays
+      credentials[:warndays] unless credentials.nil?
+    end
 
-  # implement 'mindays' method to be compatible with serverspec
-  def minimum_days_between_password_change
-    deprecated('minimum_days_between_password_change', "Please use 'its(:mindays)'")
-    mindays
-  end
+    # implement 'mindays' method to be compatible with serverspec
+    def minimum_days_between_password_change
+      deprecated('minimum_days_between_password_change', "Please use 'its(:mindays)'")
+      mindays
+    end
 
-  # implement 'maxdays' method to be compatible with serverspec
-  def maximum_days_between_password_change
-    deprecated('maximum_days_between_password_change', "Please use 'its(:maxdays)'")
-    maxdays
-  end
+    # implement 'maxdays' method to be compatible with serverspec
+    def maximum_days_between_password_change
+      deprecated('maximum_days_between_password_change', "Please use 'its(:maxdays)'")
+      maxdays
+    end
 
-  # implements rspec has matcher, to be compatible with serverspec
-  # @see: https://github.com/rspec/rspec-expectations/blob/master/lib/rspec/matchers/built_in/has.rb
-  def has_uid?(compare_uid)
-    deprecated('has_uid?')
-    uid == compare_uid
-  end
+    # implements rspec has matcher, to be compatible with serverspec
+    # @see: https://github.com/rspec/rspec-expectations/blob/master/lib/rspec/matchers/built_in/has.rb
+    def has_uid?(compare_uid)
+      deprecated('has_uid?')
+      uid == compare_uid
+    end
 
-  def has_home_directory?(compare_home)
-    deprecated('has_home_directory?', "Please use 'its(:home)'")
-    home == compare_home
-  end
+    def has_home_directory?(compare_home)
+      deprecated('has_home_directory?', "Please use 'its(:home)'")
+      home == compare_home
+    end
 
-  def has_login_shell?(compare_shell)
-    deprecated('has_login_shell?', "Please use 'its(:shell)'")
-    shell == compare_shell
-  end
+    def has_login_shell?(compare_shell)
+      deprecated('has_login_shell?', "Please use 'its(:shell)'")
+      shell == compare_shell
+    end
 
-  def has_authorized_key?(_compare_key)
-    deprecated('has_authorized_key?')
-    fail NotImplementedError
-  end
+    def has_authorized_key?(_compare_key)
+      deprecated('has_authorized_key?')
+      fail NotImplementedError
+    end
 
-  def deprecated(name, alternative = nil)
-    warn "[DEPRECATION] #{name} is deprecated. #{alternative}"
-  end
+    def deprecated(name, alternative = nil)
+      warn "[DEPRECATION] #{name} is deprecated. #{alternative}"
+    end
 
-  def to_s
-    "User #{@user}"
-  end
+    def to_s
+      "User #{@user}"
+    end
 
-  def identity
-    return @id_cache if defined?(@id_cache)
-    @id_cache = @user_provider.identity(@user) if !@user_provider.nil?
-  end
+    def identity
+      return @id_cache if defined?(@id_cache)
+      @id_cache = @user_provider.identity(@user) if !@user_provider.nil?
+    end
 
-  private
+    private
 
-  def meta_info
-    return @meta_cache if defined?(@meta_cache)
-    @meta_cache = @user_provider.meta_info(@user) if !@user_provider.nil?
-  end
+    def meta_info
+      return @meta_cache if defined?(@meta_cache)
+      @meta_cache = @user_provider.meta_info(@user) if !@user_provider.nil?
+    end
 
-  def credentials
-    return @cred_cache if defined?(@cred_cache)
-    @cred_cache = @user_provider.credentials(@user) if !@user_provider.nil?
+    def credentials
+      return @cred_cache if defined?(@cred_cache)
+      @cred_cache = @user_provider.credentials(@user) if !@user_provider.nil?
+    end
   end
-end
 
-class UserInfo
-  include Converter
-
-  attr_reader :inspec
-  def initialize(inspec)
-    @inspec = inspec
-  end
+  class UserInfo
+    include Converter
 
-  def credentials(_username)
-  end
-end
+    attr_reader :inspec
+    def initialize(inspec)
+      @inspec = inspec
+    end
 
-# implements generic unix id handling
-class UnixUser < UserInfo
-  attr_reader :inspec, :id_cmd
-  def initialize(inspec)
-    @inspec = inspec
-    @id_cmd ||= 'id'
-    super
+    def credentials(_username)
+    end
   end
 
-  # parse one id entry like '0(wheel)''
-  def parse_value(line)
-    SimpleConfig.new(
-      line,
-      line_separator: ',',
-      assignment_re: /^\s*([^\(]*?)\s*\(\s*(.*?)\)*$/,
-      group_re: nil,
-      multiple_values: false,
-    ).params
-  end
+  # implements generic unix id handling
+  class UnixUser < UserInfo
+    attr_reader :inspec, :id_cmd
+    def initialize(inspec)
+      @inspec = inspec
+      @id_cmd ||= 'id'
+      super
+    end
 
-  # extracts the identity
-  def identity(username)
-    cmd = inspec.command("#{id_cmd} #{username}")
-    return nil if cmd.exit_status != 0
-
-    # parse words
-    params = SimpleConfig.new(
-      parse_id_entries(cmd.stdout.chomp),
-      assignment_re: /^\s*([^=]*?)\s*=\s*(.*?)\s*$/,
-      group_re: nil,
-      multiple_values: false,
-    ).params
-
-    {
-      uid: convert_to_i(parse_value(params['uid']).keys[0]),
-      user: parse_value(params['uid']).values[0],
-      gid: convert_to_i(parse_value(params['gid']).keys[0]),
-      group: parse_value(params['gid']).values[0],
-      groups: parse_value(params['groups']).values,
-    }
-  end
+    # parse one id entry like '0(wheel)''
+    def parse_value(line)
+      SimpleConfig.new(
+        line,
+        line_separator: ',',
+        assignment_re: /^\s*([^\(]*?)\s*\(\s*(.*?)\)*$/,
+        group_re: nil,
+        multiple_values: false,
+      ).params
+    end
 
-  # splits the results of id into seperate lines
-  def parse_id_entries(raw)
-    data = []
-    until (index = raw.index(/\)\s{1}/)).nil?
-      data.push(raw[0, index+1]) # inclue closing )
-      raw = raw[index+2, raw.length-index-2]
+    # extracts the identity
+    def identity(username)
+      cmd = inspec.command("#{id_cmd} #{username}")
+      return nil if cmd.exit_status != 0
+
+      # parse words
+      params = SimpleConfig.new(
+        parse_id_entries(cmd.stdout.chomp),
+        assignment_re: /^\s*([^=]*?)\s*=\s*(.*?)\s*$/,
+        group_re: nil,
+        multiple_values: false,
+      ).params
+
+      {
+        uid: convert_to_i(parse_value(params['uid']).keys[0]),
+        user: parse_value(params['uid']).values[0],
+        gid: convert_to_i(parse_value(params['gid']).keys[0]),
+        group: parse_value(params['gid']).values[0],
+        groups: parse_value(params['groups']).values,
+      }
     end
-    data.push(raw) if !raw.nil?
-    data.join("\n")
-  end
-end
 
-class LinuxUser < UnixUser
-  include PasswdParser
-  include CommentParser
-
-  def meta_info(username)
-    cmd = inspec.command("getent passwd #{username}")
-    return nil if cmd.exit_status != 0
-    # returns: root:x:0:0:root:/root:/bin/bash
-    passwd = parse_passwd_line(cmd.stdout.chomp)
-    {
-      home: passwd['home'],
-      shell: passwd['shell'],
-    }
+    # splits the results of id into seperate lines
+    def parse_id_entries(raw)
+      data = []
+      until (index = raw.index(/\)\s{1}/)).nil?
+        data.push(raw[0, index+1]) # inclue closing )
+        raw = raw[index+2, raw.length-index-2]
+      end
+      data.push(raw) if !raw.nil?
+      data.join("\n")
+    end
   end
 
-  def credentials(username)
-    cmd = inspec.command("chage -l #{username}")
-    return nil if cmd.exit_status != 0
-
-    params = SimpleConfig.new(
-      cmd.stdout.chomp,
-      assignment_re: /^\s*([^:]*?)\s*:\s*(.*?)\s*$/,
-      group_re: nil,
-      multiple_values: false,
-    ).params
-
-    {
-      mindays: convert_to_i(params['Minimum number of days between password change']),
-      maxdays: convert_to_i(params['Maximum number of days between password change']),
-      warndays: convert_to_i(params['Number of days of warning before password expires']),
-    }
-  end
-end
+  class LinuxUser < UnixUser
+    include PasswdParser
+    include CommentParser
 
-class SolarisUser < LinuxUser
-  def initialize(inspec)
-    @inspec = inspec
-    @id_cmd ||= 'id -a'
-    super
-  end
+    def meta_info(username)
+      cmd = inspec.command("getent passwd #{username}")
+      return nil if cmd.exit_status != 0
+      # returns: root:x:0:0:root:/root:/bin/bash
+      passwd = parse_passwd_line(cmd.stdout.chomp)
+      {
+        home: passwd['home'],
+        shell: passwd['shell'],
+      }
+    end
 
-  def credentials(_username)
-    nil
+    def credentials(username)
+      cmd = inspec.command("chage -l #{username}")
+      return nil if cmd.exit_status != 0
+
+      params = SimpleConfig.new(
+        cmd.stdout.chomp,
+        assignment_re: /^\s*([^:]*?)\s*:\s*(.*?)\s*$/,
+        group_re: nil,
+        multiple_values: false,
+      ).params
+
+      {
+        mindays: convert_to_i(params['Minimum number of days between password change']),
+        maxdays: convert_to_i(params['Maximum number of days between password change']),
+        warndays: convert_to_i(params['Number of days of warning before password expires']),
+      }
+    end
   end
-end
 
-class AixUser < UnixUser
-  def identity(username)
-    id = super(username)
-    return nil if id.nil?
-    # AIX 'id' command doesn't include the primary group in the supplementary
-    # yet it can be somewhere in the supplementary list if someone added root
-    # to a groups list in /etc/group
-    # we rearrange to expected list if that is the case
-    if id[:groups].first != id[:group]
-      id[:groups].reject! { |i| i == id[:group] } if id[:groups].include?(id[:group])
-      id[:groups].unshift(id[:group])
+  class SolarisUser < LinuxUser
+    def initialize(inspec)
+      @inspec = inspec
+      @id_cmd ||= 'id -a'
+      super
     end
 
-    id
+    def credentials(_username)
+      nil
+    end
   end
 
-  def meta_info(username)
-    lsuser = inspec.command("lsuser -C -a home shell #{username}")
-    return nil if lsuser.exit_status != 0
+  class AixUser < UnixUser
+    def identity(username)
+      id = super(username)
+      return nil if id.nil?
+      # AIX 'id' command doesn't include the primary group in the supplementary
+      # yet it can be somewhere in the supplementary list if someone added root
+      # to a groups list in /etc/group
+      # we rearrange to expected list if that is the case
+      if id[:groups].first != id[:group]
+        id[:groups].reject! { |i| i == id[:group] } if id[:groups].include?(id[:group])
+        id[:groups].unshift(id[:group])
+      end
+
+      id
+    end
 
-    user = lsuser.stdout.chomp.split("\n").last.split(':')
-    {
-      home:  user[1],
-      shell: user[2],
-    }
-  end
+    def meta_info(username)
+      lsuser = inspec.command("lsuser -C -a home shell #{username}")
+      return nil if lsuser.exit_status != 0
 
-  def credentials(username)
-    cmd = inspec.command(
-      "lssec -c -f /etc/security/user -s #{username} -a minage -a maxage -a pwdwarntime",
-    )
-    return nil if cmd.exit_status != 0
+      user = lsuser.stdout.chomp.split("\n").last.split(':')
+      {
+        home:  user[1],
+        shell: user[2],
+      }
+    end
 
-    user_sec = cmd.stdout.chomp.split("\n").last.split(':')
+    def credentials(username)
+      cmd = inspec.command(
+        "lssec -c -f /etc/security/user -s #{username} -a minage -a maxage -a pwdwarntime",
+      )
+      return nil if cmd.exit_status != 0
 
-    {
-      mindays:  user_sec[1].to_i * 7,
-      maxdays:  user_sec[2].to_i * 7,
-      warndays: user_sec[3].to_i,
-    }
-  end
-end
+      user_sec = cmd.stdout.chomp.split("\n").last.split(':')
 
-# we do not use 'finger' for MacOS, because it is harder to parse data with it
-# @see https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/fingerd.8.html
-# instead we use 'dscl' to request user data
-# @see https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/dscl.1.html
-# @see http://superuser.com/questions/592921/mac-osx-users-vs-dscl-command-to-list-user
-class DarwinUser < UnixUser
-  def meta_info(username)
-    cmd = inspec.command("dscl -q . -read /Users/#{username} NFSHomeDirectory PrimaryGroupID RecordName UniqueID UserShell")
-    return nil if cmd.exit_status != 0
-
-    params = SimpleConfig.new(
-      cmd.stdout.chomp,
-      assignment_re: /^\s*([^:]*?)\s*:\s*(.*?)\s*$/,
-      group_re: nil,
-      multiple_values: false,
-    ).params
-
-    {
-      home: params['NFSHomeDirectory'],
-      shell: params['UserShell'],
-    }
+      {
+        mindays:  user_sec[1].to_i * 7,
+        maxdays:  user_sec[2].to_i * 7,
+        warndays: user_sec[3].to_i,
+      }
+    end
   end
-end
 
-# FreeBSD recommends to use the 'pw' command for user management
-# @see: https://www.freebsd.org/doc/handbook/users-synopsis.html
-# @see: https://www.freebsd.org/cgi/man.cgi?pw(8)
-# It offers the following commands:
-# - adduser(8)	The recommended command-line application for adding new users.
-# - rmuser(8)	The recommended command-line application for removing users.
-# - chpass(1)	A flexible tool for changing user database information.
-# - passwd(1)	The command-line tool to change user passwords.
-class FreeBSDUser < UnixUser
-  include PasswdParser
-
-  def meta_info(username)
-    cmd = inspec.command("pw usershow #{username} -7")
-    return nil if cmd.exit_status != 0
-    # returns: root:*:0:0:Charlie &:/root:/bin/csh
-    passwd = parse_passwd_line(cmd.stdout.chomp)
-    {
-      home: passwd['home'],
-      shell: passwd['shell'],
-    }
+  # we do not use 'finger' for MacOS, because it is harder to parse data with it
+  # @see https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/fingerd.8.html
+  # instead we use 'dscl' to request user data
+  # @see https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/dscl.1.html
+  # @see http://superuser.com/questions/592921/mac-osx-users-vs-dscl-command-to-list-user
+  class DarwinUser < UnixUser
+    def meta_info(username)
+      cmd = inspec.command("dscl -q . -read /Users/#{username} NFSHomeDirectory PrimaryGroupID RecordName UniqueID UserShell")
+      return nil if cmd.exit_status != 0
+
+      params = SimpleConfig.new(
+        cmd.stdout.chomp,
+        assignment_re: /^\s*([^:]*?)\s*:\s*(.*?)\s*$/,
+        group_re: nil,
+        multiple_values: false,
+      ).params
+
+      {
+        home: params['NFSHomeDirectory'],
+        shell: params['UserShell'],
+      }
+    end
   end
-end
 
-# For now, we stick with WMI Win32_UserAccount
-# @see https://msdn.microsoft.com/en-us/library/aa394507(v=vs.85).aspx
-# @see https://msdn.microsoft.com/en-us/library/aa394153(v=vs.85).aspx
-#
-# using Get-AdUser would be the best command for domain machines, but it will not be installed
-# on client machines by default
-# @see https://technet.microsoft.com/en-us/library/ee617241.aspx
-# @see https://technet.microsoft.com/en-us/library/hh509016(v=WS.10).aspx
-# @see http://woshub.com/get-aduser-getting-active-directory-users-data-via-powershell/
-# @see http://stackoverflow.com/questions/17548523/the-term-get-aduser-is-not-recognized-as-the-name-of-a-cmdlet
-#
-# Just for reference, we could also use ADSI (Active Directory Service Interfaces)
-# @see https://mcpmag.com/articles/2015/04/15/reporting-on-local-accounts.aspx
-class WindowsUser < UserInfo
-  # parse windows account name
-  def parse_windows_account(username)
-    account = username.split('\\')
-    name = account.pop
-    domain = account.pop if account.size > 0
-    [name, domain]
+  # FreeBSD recommends to use the 'pw' command for user management
+  # @see: https://www.freebsd.org/doc/handbook/users-synopsis.html
+  # @see: https://www.freebsd.org/cgi/man.cgi?pw(8)
+  # It offers the following commands:
+  # - adduser(8)	The recommended command-line application for adding new users.
+  # - rmuser(8)	The recommended command-line application for removing users.
+  # - chpass(1)	A flexible tool for changing user database information.
+  # - passwd(1)	The command-line tool to change user passwords.
+  class FreeBSDUser < UnixUser
+    include PasswdParser
+
+    def meta_info(username)
+      cmd = inspec.command("pw usershow #{username} -7")
+      return nil if cmd.exit_status != 0
+      # returns: root:*:0:0:Charlie &:/root:/bin/csh
+      passwd = parse_passwd_line(cmd.stdout.chomp)
+      {
+        home: passwd['home'],
+        shell: passwd['shell'],
+      }
+    end
   end
 
-  def identity(username)
-    # extract domain/user information
-    account, domain = parse_windows_account(username)
-
-    # TODO: escape content
-    if !domain.nil?
-      filter = "Name = '#{account}' and Domain = '#{domain}'"
-    else
-      filter = "Name = '#{account}' and LocalAccount = true"
-    end
-
-    script = <<-EOH
-      # find user
-      $user = Get-WmiObject Win32_UserAccount -filter "#{filter}"
-      # get related groups
-      $groups = $user.GetRelated('Win32_Group') | Select-Object -Property Caption, Domain, Name, LocalAccount, SID, SIDType, Status
-      # filter user information
-      $user = $user | Select-Object -Property Caption, Description, Domain, Name, LocalAccount, Lockout, PasswordChangeable, PasswordExpires, PasswordRequired, SID, SIDType, Status
-      # build response object
-      New-Object -Type PSObject | `
-      Add-Member -MemberType NoteProperty -Name User -Value ($user) -PassThru | `
-      Add-Member -MemberType NoteProperty -Name Groups -Value ($groups) -PassThru | `
-      ConvertTo-Json
-    EOH
-
-    cmd = inspec.script(script)
-
-    # cannot rely on exit code for now, successful command returns exit code 1
-    # return nil if cmd.exit_status != 0, try to parse json
-    begin
-      params = JSON.parse(cmd.stdout)
-    rescue JSON::ParserError => _e
-      return nil
-    end
-
-    user = params['User']['Caption'] unless params['User'].nil?
-    groups = params['Groups']
-    # if groups is no array, generate one
-    groups = [groups] if !groups.is_a?(Array)
-    groups = groups.map { |grp| grp['Caption'] } unless params['Groups'].nil?
-
-    {
-      uid: nil,
-      user: user,
-      gid: nil,
-      group: nil,
-      groups: groups,
-    }
-  end
+  # For now, we stick with WMI Win32_UserAccount
+  # @see https://msdn.microsoft.com/en-us/library/aa394507(v=vs.85).aspx
+  # @see https://msdn.microsoft.com/en-us/library/aa394153(v=vs.85).aspx
+  #
+  # using Get-AdUser would be the best command for domain machines, but it will not be installed
+  # on client machines by default
+  # @see https://technet.microsoft.com/en-us/library/ee617241.aspx
+  # @see https://technet.microsoft.com/en-us/library/hh509016(v=WS.10).aspx
+  # @see http://woshub.com/get-aduser-getting-active-directory-users-data-via-powershell/
+  # @see http://stackoverflow.com/questions/17548523/the-term-get-aduser-is-not-recognized-as-the-name-of-a-cmdlet
+  #
+  # Just for reference, we could also use ADSI (Active Directory Service Interfaces)
+  # @see https://mcpmag.com/articles/2015/04/15/reporting-on-local-accounts.aspx
+  class WindowsUser < UserInfo
+    # parse windows account name
+    def parse_windows_account(username)
+      account = username.split('\\')
+      name = account.pop
+      domain = account.pop if account.size > 0
+      [name, domain]
+    end
 
-  # not implemented yet
-  def meta_info(_username)
-    {
-      home: nil,
-      shell: nil,
-    }
+    def identity(username)
+      # extract domain/user information
+      account, domain = parse_windows_account(username)
+
+      # TODO: escape content
+      if !domain.nil?
+        filter = "Name = '#{account}' and Domain = '#{domain}'"
+      else
+        filter = "Name = '#{account}' and LocalAccount = true"
+      end
+
+      script = <<-EOH
+        # find user
+        $user = Get-WmiObject Win32_UserAccount -filter "#{filter}"
+        # get related groups
+        $groups = $user.GetRelated('Win32_Group') | Select-Object -Property Caption, Domain, Name, LocalAccount, SID, SIDType, Status
+        # filter user information
+        $user = $user | Select-Object -Property Caption, Description, Domain, Name, LocalAccount, Lockout, PasswordChangeable, PasswordExpires, PasswordRequired, SID, SIDType, Status
+        # build response object
+        New-Object -Type PSObject | `
+        Add-Member -MemberType NoteProperty -Name User -Value ($user) -PassThru | `
+        Add-Member -MemberType NoteProperty -Name Groups -Value ($groups) -PassThru | `
+        ConvertTo-Json
+      EOH
+
+      cmd = inspec.script(script)
+
+      # cannot rely on exit code for now, successful command returns exit code 1
+      # return nil if cmd.exit_status != 0, try to parse json
+      begin
+        params = JSON.parse(cmd.stdout)
+      rescue JSON::ParserError => _e
+        return nil
+      end
+
+      user = params['User']['Caption'] unless params['User'].nil?
+      groups = params['Groups']
+      # if groups is no array, generate one
+      groups = [groups] if !groups.is_a?(Array)
+      groups = groups.map { |grp| grp['Caption'] } unless params['Groups'].nil?
+
+      {
+        uid: nil,
+        user: user,
+        gid: nil,
+        group: nil,
+        groups: groups,
+      }
+    end
+
+    # not implemented yet
+    def meta_info(_username)
+      {
+        home: nil,
+        shell: nil,
+      }
+    end
   end
 end