inspec 0.15.0 → 0.16.0

data/examples/profile/controls/example.rb

@@ -8,7 +8,9 @@ title '/tmp profile'
 control "tmp-1.0" do                        # A unique ID for this control
   impact 0.7                                # The criticality, if this control fails.
   title "Create /tmp directory"             # A human-readable title
-  desc "An optional description..."
+  desc "An optional description..."         # Describe why this is needed
+  ref "Document A-12", url: 'http://...'    # Additional references
+
   describe file('/tmp') do                  # The actual test
     it { should be_directory }
   end

data/lib/fetchers/mock.rb

@@ -0,0 +1,27 @@
+# encoding: utf-8
+# author: Dominik Richter
+# author: Christoph Hartmann
+
+module Fetchers
+  class Mock < Inspec.fetcher(1)
+    name 'mock'
+    priority 0
+
+    def self.resolve(target)
+      return nil unless target.is_a? Hash
+      new(target)
+    end
+
+    def initialize(data)
+      @data = data
+    end
+
+    def files
+      @data.keys
+    end
+
+    def read(file)
+      @data[file]
+    end
+  end
+end

data/lib/fetchers/tar.rb

@@ -13,8 +13,9 @@ module Fetchers
     attr_reader :files
 
     def self.resolve(target)
-      return nil unless File.file?(target)
-      return nil unless target.end_with?('.tar.gz', '.tgz')
+      unless target.is_a?(String) && File.file?(target) && target.end_with?('.tar.gz', '.tgz')
+        return nil
+      end
       new(target)
     end
 

data/lib/fetchers/zip.rb

@@ -12,7 +12,9 @@ module Fetchers
     attr_reader :files
 
     def self.resolve(target)
-      return nil unless File.file?(target) and target.end_with?('.zip')
+      unless target.is_a?(String) && File.file?(target) && target.end_with?('.zip')
+        return nil
+      end
       new(target)
     end
 

data/lib/inspec/cli.rb

@@ -0,0 +1,164 @@
+#!/usr/bin/env ruby
+# encoding: utf-8
+# Copyright 2015 Dominik Richter. All rights reserved.
+# author: Dominik Richter
+# author: Christoph Hartmann
+
+require 'thor'
+require 'json'
+require 'pp'
+require 'utils/base_cli'
+require 'utils/json_log'
+
+class Inspec::InspecCLI < Inspec::BaseCLI # rubocop:disable Metrics/ClassLength
+  class_option :diagnose, type: :boolean,
+    desc: 'Show diagnostics (versions, configurations)'
+
+  desc 'json PATH', 'read all tests in PATH and generate a JSON summary'
+  option :id, type: :string,
+    desc: 'Attach a profile ID to all test results'
+  option :output, aliases: :o, type: :string,
+    desc: 'Save the created profile to a path'
+  profile_options
+  def json(target)
+    diagnose
+    o = opts.dup
+    o[:ignore_supports] = true
+
+    profile = Inspec::Profile.for_target(target, o)
+    dst = o[:output].to_s
+    if dst.empty?
+      puts JSON.dump(profile.info)
+    else
+      if File.exist? dst
+        puts "----> updating #{dst}"
+      else
+        puts "----> creating #{dst}"
+      end
+      fdst = File.expand_path(dst)
+      File.write(fdst, JSON.dump(profile.info))
+    end
+  end
+
+  desc 'check PATH', 'verify all tests at the specified PATH'
+  option :format, type: :string
+  profile_options
+  def check(path) # rubocop:disable Metrics/AbcSize
+    diagnose
+    o = opts.dup
+    # configure_logger(o) # we do not need a logger for check yet
+    o[:ignore_supports] = true # we check for integrity only
+
+    # run check
+    profile = Inspec::Profile.for_target(path, o)
+    result = profile.check
+
+    if opts['format'] == 'json'
+      puts JSON.generate(result)
+    else
+      headline('Summary')
+      %w{location profile controls timestamp valid}.each { |item|
+        puts "#{mark_text(item.to_s.capitalize + ':')} #{result[:summary][item.to_sym]}"
+      }
+      puts
+
+      %w{errors warnings}.each { |list|
+        headline(list.to_s.capitalize)
+        result[list.to_sym].each { |item|
+          puts "#{item[:file]}:#{item[:line]}:#{item[:column]}: #{item[:msg]} "
+        }
+        puts
+      }
+    end
+    exit 1 unless result[:summary][:valid]
+  end
+
+  desc 'archive PATH', 'archive a profile to tar.gz (default) or zip'
+  profile_options
+  option :output, aliases: :o, type: :string,
+    desc: 'Save the archive to a path'
+  option :zip, type: :boolean, default: false,
+    desc: 'Generates a zip archive.'
+  option :tar, type: :boolean, default: false,
+    desc: 'Generates a tar.gz archive.'
+  option :overwrite, type: :boolean, default: false,
+    desc: 'Overwrite existing archive.'
+  option :ignore_errors, type: :boolean, default: false,
+    desc: 'Ignore profile warnings.'
+  def archive(path)
+    diagnose
+
+    o = opts.dup
+    o[:logger] = Logger.new(STDOUT)
+    o[:logger].level = get_log_level(o.log_level)
+
+    profile = Inspec::Profile.for_target(path, o)
+    result = profile.check
+
+    if result && !opts[:ignore_errors] == false
+      @logger.info 'Profile check failed. Please fix the profile before generating an archive.'
+      return exit 1
+    end
+
+    # generate archive
+    exit 1 unless profile.archive(opts)
+  end
+
+  desc 'exec PATHS', 'run all test files at the specified PATH.'
+  exec_options
+  def exec(*targets)
+    diagnose
+    run_tests(targets, opts)
+  end
+
+  desc 'detect', 'detect the target OS'
+  target_options
+  def detect
+    diagnose
+
+    rel = File.join(File.dirname(__FILE__), *%w{.. utils detect.rb})
+    detect_util = File.expand_path(rel)
+    # exits on execution:
+    runner = Inspec::Runner.new(opts)
+    profile = Inspec::Profile.for_target(detect_util, opts)
+    runner.add_profile(profile)
+    exit runner.run
+  rescue RuntimeError => e
+    puts e.message
+  end
+
+  desc 'shell', 'open an interactive debugging shell'
+  target_options
+  option :format, type: :string, default: Inspec::NoSummaryFormatter, hide: true
+  def shell_func
+    diagnose
+    o = opts.dup
+    o[:logger] = Logger.new(STDOUT)
+    o[:logger].level = get_log_level(o.log_level)
+
+    runner = Inspec::Runner.new(o)
+    Inspec::Shell.new(runner).start
+  rescue RuntimeError => e
+    puts e.message
+  end
+
+  desc 'version', 'prints the version of this tool'
+  def version
+    puts Inspec::VERSION
+  end
+end
+
+# Load all plugins on startup
+ctl = Inspec::PluginCtl.new
+ctl.list.each { |x| ctl.load(x) }
+
+# load CLI plugins before the Inspec CLI has been started
+Inspec::Plugins::CLI.subcommands.each { |_subcommand, params|
+  Inspec::InspecCLI.register(
+    params[:klass],
+    params[:subcommand_name],
+    params[:usage],
+    params[:description],
+    params[:options],
+  )
+}

data/lib/inspec/plugins/resource.rb

@@ -2,6 +2,8 @@
 # author: Dominik Richter
 # author: Christoph Hartmann
 
+require 'inspec/resource'
+
 module Inspec
   module Plugins
     class Resource
@@ -50,8 +52,10 @@ module Inspec
         end
         # rubocop:enable Lint/NestedMethodDefinition
 
-        # add the resource to the registry by name
-        Inspec::Resource.registry[name] = cl
+        # add the resource to the registry by name with a newly-named registry class
+        klass_name = name.split('_').map(&:capitalize).join
+        Inspec::Resource::Registry.const_set(klass_name, cl)
+        Inspec::Resource.registry[name] = Inspec::Resource::Registry.const_get(klass_name)
       end
 
       # Define methods which are available to all resources

data/lib/inspec/profile.rb

@@ -173,26 +173,17 @@ module Inspec
 
     # generates a archive of a folder profile
     # assumes that the profile was checked before
-    def archive(opts) # rubocop:disable Metrics/AbcSize
-      profile_name = params[:name]
-      ext = opts[:zip] ? 'zip' : 'tar.gz'
-
-      if opts[:archive]
-        archive = Pathname.new(opts[:archive])
-      else
-        slug = profile_name.downcase.strip.tr(' ', '-').gsub(/[^\w-]/, '_')
-        archive = Pathname.new(Dir.pwd).join("#{slug}.#{ext}")
-      end
-
+    def archive(opts)
       # check if file exists otherwise overwrite the archive
-      if archive.exist? && !opts[:overwrite]
-        @logger.info "Archive #{archive} exists already. Use --overwrite."
+      dst = archive_name(opts)
+      if dst.exist? && !opts[:overwrite]
+        @logger.info "Archive #{dst} exists already. Use --overwrite."
         return false
       end
 
       # remove existing archive
-      File.delete(archive) if archive.exist?
-      @logger.info "Generate archive #{archive}."
+      File.delete(dst) if dst.exist?
+      @logger.info "Generate archive #{dst}."
 
       # filter files that should not be part of the profile
       # TODO ignore all .files, but add the files to debug output
@@ -207,12 +198,12 @@ module Inspec
         # generate zip archive
         require 'inspec/archive/zip'
         zag = Inspec::Archive::ZipArchiveGenerator.new
-        zag.archive(root_path, files, archive)
+        zag.archive(root_path, files, dst)
       else
         # generate tar archive
         require 'inspec/archive/tar'
         tag = Inspec::Archive::TarArchiveGenerator.new
-        tag.archive(root_path, files, archive)
+        tag.archive(root_path, files, dst)
       end
 
       @logger.info 'Finished archive generation.'
@@ -221,6 +212,24 @@ module Inspec
 
     private
 
+    # Create an archive name for this profile and an additional options
+    # configuration. Either use :output or generate the name from metadata.
+    #
+    # @param [Hash] configuration options
+    # @return [Pathname] path for the archive
+    def archive_name(opts)
+      if (name = opts[:output])
+        return Pathname.new(name)
+      end
+
+      name = params[:name] ||
+             fail('Cannot create an archive without a profile name! Please '\
+             'specify the name in metadata or use --output to create the archive.')
+      ext = opts[:zip] ? 'zip' : 'tar.gz'
+      slug = name.downcase.strip.tr(' ', '-').gsub(/[^\w-]/, '_')
+      Pathname.new(Dir.pwd).join("#{slug}.#{ext}")
+    end
+
     def load_params
       params = @source_reader.metadata.params
       params[:name] = @profile_id unless @profile_id.nil?
@@ -245,6 +254,8 @@ module Inspec
           title: rule.title,
           desc: rule.desc,
           impact: rule.impact,
+          refs: rule.ref,
+          tags: rule.tag,
           checks: rule.instance_variable_get(:@checks),
           code: rule.instance_variable_get(:@__code),
           source_location: rule.instance_variable_get(:@__source_location),

data/lib/inspec/resource.rb

@@ -8,6 +8,10 @@ require 'inspec/plugins'
 
 module Inspec
   class Resource
+    class Registry
+      # empty class for namespacing resource classes in the registry
+    end
+
     def self.registry
       @registry ||= {}
     end
@@ -84,9 +88,9 @@ require 'resources/port'
 require 'resources/postgres'
 require 'resources/postgres_conf'
 require 'resources/postgres_session'
+require 'resources/powershell'
 require 'resources/processes'
 require 'resources/registry_key'
-require 'resources/script'
 require 'resources/security_policy'
 require 'resources/service'
 require 'resources/shadow'

data/lib/inspec/rspec_json_formatter.rb

@@ -3,6 +3,7 @@
 # author: Christoph Hartmann
 
 require 'rspec/core'
+require 'rspec/core/formatters/json_formatter'
 
 # Extend the basic RSpec JSON Formatter
 # to give us an ID in its output
@@ -26,3 +27,44 @@ module RSpec::Core::Formatters
     end
   end
 end
+
+class InspecRspecFormatter < RSpec::Core::Formatters::JsonFormatter
+  RSpec::Core::Formatters.register self, :message, :dump_summary, :dump_profile, :stop, :close
+
+  def add_profile(profile)
+    @profiles ||= []
+    @profiles.push(profile)
+  end
+
+  def dump_summary(summary)
+    super(summary)
+    @output_hash[:profiles] = @profiles.map do |profile|
+      r = profile.params.dup
+      r.delete(:rules)
+      r
+    end
+  end
+
+  private
+
+  def format_example(example)
+    res = {
+      id: example.metadata[:id],
+      title: example.metadata[:title],
+      desc: example.metadata[:desc],
+      code: example.metadata[:code],
+      impact: example.metadata[:impact],
+      status: example.execution_result.status.to_s,
+      code_desc: example.full_description,
+      ref: example.metadata['file_path'],
+      ref_line: example.metadata['line_number'],
+      run_time: example.execution_result.run_time,
+      start_time: example.execution_result.started_at.to_s,
+    }
+
+    # pending messages are embedded in the resources description
+    res[:pending] = example.metadata[:description] if res[:status] == 'pending'
+
+    res
+  end
+end

data/lib/inspec/rule.rb

@@ -9,7 +9,7 @@ require 'inspec/describe'
 require 'inspec/expect'
 
 module Inspec
-  class Rule
+  class Rule # rubocop:disable Metrics/ClassLength
     include ::RSpec::Matchers
 
     def initialize(id, _opts, &block)
@@ -20,6 +20,8 @@ module Inspec
       @__source_location = __get_block_source_location(&block)
       @title = nil
       @desc = nil
+      @refs = []
+      @tags = {}
       # not changeable by the user:
       @profile_id = nil
       @checks = []
@@ -47,6 +49,27 @@ module Inspec
       @desc
     end
 
+    def ref(ref = nil, opts = {})
+      return @refs if ref.nil? && opts.empty?
+      if opts.empty? && ref.is_a?(Hash)
+        opts = ref
+      else
+        opts[:ref] = ref
+      end
+      @refs.push(opts)
+    end
+
+    def tag(*args)
+      args.each do |arg|
+        if arg.is_a?(Hash)
+          @tags.merge!(arg)
+        else
+          @tags[arg] ||= nil
+        end
+      end
+      @tags
+    end
+
     # Describe will add one or more tests to this control. There is 2 ways
     # of calling it:
     #