inspec 0.15.0 → 0.16.0

data/lib/inspec/runner.rb

@@ -55,25 +55,26 @@ module Inspec
     def add_profile(profile, options = {})
       return unless options[:ignore_supports] ||
                     profile.metadata.supports_transport?(@backend)
+      @test_collector.add_profile(profile)
 
       libs = profile.libraries.map do |k, v|
         { ref: k, content: v }
       end
 
-      profile.tests.each do |ref, content|
+      tests = profile.tests.map do |ref, content|
         r = profile.source_reader.target.abs_path(ref)
-        test = { ref: r, content: content }
-        add_content(test, libs, options)
+        { ref: r, content: content }
       end
+
+      add_content(tests, libs, options)
     end
 
     def create_context(options = {})
       Inspec::ProfileContext.new(@profile_id, @backend, @conf.merge(options))
     end
 
-    def add_content(test, libs, options = {})
-      content = test[:content]
-      return if content.nil? || content.empty?
+    def add_content(tests, libs, options = {})
+      return if tests.nil? || tests.empty?
 
       # load all libraries
       ctx = create_context(options)
@@ -83,7 +84,8 @@ module Inspec
       end
 
       # evaluate the test content
-      ctx.load(content, test[:ref], test[:line] || 1)
+      tests = [tests] unless tests.is_a? Array
+      tests.each { |t| add_test_to_context(t, ctx) }
 
       # process the resulting rules
       filter_controls(ctx.rules, options[:controls]).each do |rule_id, rule|
@@ -96,6 +98,12 @@ module Inspec
 
     private
 
+    def add_test_to_context(test, ctx)
+      content = test[:content]
+      return if content.nil? || content.empty?
+      ctx.load(content, test[:ref], test[:line] || 1)
+    end
+
     def filter_controls(controls_map, include_list)
       return controls_map if include_list.nil? || include_list.empty?
       controls_map.select { |k, _| include_list.include?(k) }

data/lib/inspec/runner_mock.rb

@@ -4,9 +4,14 @@
 
 module Inspec
   class RunnerMock
-    attr_reader :tests
+    attr_reader :tests, :profiles
     def initialize
       @tests = []
+      @profiles = []
+    end
+
+    def add_profile(profile)
+      @profiles.push(profile)
     end
 
     def add_test(example, _rule_id, _rule)

data/lib/inspec/runner_rspec.rb

@@ -29,6 +29,18 @@ module Inspec
       RSpec::Core::ExampleGroup.describe(*args, &block)
     end
 
+    # Add a full profile to the runner. Only pulls in metadata
+    #
+    # @param [Inspec::Profile] profile
+    # @return [nil]
+    def add_profile(profile)
+      RSpec.configuration.formatters
+           .find_all { |c| c.is_a? InspecRspecFormatter }
+           .each do |fmt|
+        fmt.add_profile(profile)
+      end
+    end
+
     # Add an example group to the list of registered tests.
     #
     # @param [RSpecExampleGroup] example test
@@ -75,7 +87,15 @@ module Inspec
     #
     # @return [nil]
     def configure_output
-      RSpec.configuration.add_formatter(@conf['format'] || 'progress')
+      if !@conf['output'] || @conf['output'] == '-'
+        RSpec.configuration.output_stream = $stdout
+      else
+        RSpec.configuration.output_stream = @conf['output']
+      end
+
+      format = @conf['format'] || 'progress'
+      format = 'InspecRspecFormatter' if format == 'fulljson'
+      RSpec.configuration.add_formatter(format)
       RSpec.configuration.color = @conf['color']
 
       setup_reporting if @conf['report']
@@ -96,9 +116,17 @@ module Inspec
     def set_rspec_ids(example, id, rule)
       example.metadata[:id] = id
       example.metadata[:impact] = rule.impact
+      example.metadata[:title] = rule.title
+      example.metadata[:desc] = rule.desc
+      example.metadata[:code] = rule.instance_variable_get(:@__code)
+      example.metadata[:source_location] = rule.instance_variable_get(:@__source_location)
       example.filtered_examples.each do |e|
         e.metadata[:id] = id
         e.metadata[:impact] = rule.impact
+        e.metadata[:title] = rule.title
+        e.metadata[:desc] = rule.desc
+        e.metadata[:code] = rule.instance_variable_get(:@__code)
+        e.metadata[:source_location] = rule.instance_variable_get(:@__source_location)
       end
       example.children.each do |child|
         set_rspec_ids(child, id, rule)

data/lib/inspec/version.rb

@@ -3,5 +3,5 @@
 # author: Christoph Hartmann
 
 module Inspec
-  VERSION = '0.15.0'.freeze
+  VERSION = '0.16.0'.freeze
 end

data/lib/resources/{script.rb → powershell.rb}

@@ -5,15 +5,15 @@
 # license: All rights reserved
 
 module Inspec::Resources
-  class Script < Cmd
-    name 'script'
-    desc 'Use the script InSpec audit resource to test a Windows PowerShell script on the Microsoft Windows platform.'
+  class PowershellScript < Cmd
+    name 'powershell'
+    desc 'Use the powershell InSpec audit resource to test a Windows PowerShell script on the Microsoft Windows platform.'
     example "
       script = <<-EOH
         # you powershell script
       EOH
 
-      describe script(script) do
+      describe powershell(script) do
         its('matcher') { should eq 'output' }
       end
     "
@@ -37,7 +37,21 @@ module Inspec::Resources
     end
 
     def to_s
-      'Script'
+      'Powershell'
+    end
+  end
+
+  # this is deprecated syntax and will be removed in future versions
+  class LegacyPowershellScript < PowershellScript
+    name 'script'
+
+    def initialize(script)
+      deprecated
+      super(script)
+    end
+
+    def deprecated
+      warn '[DEPRECATION] `script(script)` is deprecated.  Please use `powershell(script)` instead.'
     end
   end
 end

data/lib/resources/registry_key.rb

@@ -111,7 +111,7 @@ module Inspec::Resources
       $object | ConvertTo-Json
       EOH
 
-      cmd = inspec.script(script)
+      cmd = inspec.powershell(script)
 
       # cannot rely on exit code for now, successful command returns exit code 1
       # return nil if cmd.exit_status != 0, try to parse json

data/test/{integration/cookbooks → cookbooks}/os_prepare/recipes/mount.rb

@@ -9,7 +9,7 @@ when 'ubuntu', 'rhel', 'centos', 'fedora'
 
   # copy iso file for mount tests
   # NB created using `mkdir empty; mkisofs -o empty.iso empty/`
-  cookbook_file '/root/empty.iso' do
+  cookbook_file '/tmp/empty.iso' do
     owner 'root'
     group 'root'
     mode '0755'
@@ -26,7 +26,7 @@ when 'ubuntu', 'rhel', 'centos', 'fedora'
 
   # mount -o loop /root/empty.iso /mnt/iso-disk
   mount '/mnt/iso-disk' do
-    device '/root/empty.iso'
+    device '/tmp/empty.iso'
     options 'loop'
     action [:mount, :enable]
   end

data/test/{integration/cookbooks → cookbooks}/os_prepare/recipes/postgres.rb

@@ -6,6 +6,12 @@
 # hw-cookbooks/postgresql is tested on these platforms
 case node['platform']
 when 'ubuntu', 'centos'
+
+  # also skip it on ubuntu 15.10, because the cookbook is not supported
+  # with `enable_pgdg_apt` yet
+  return if node['platform_version'] == "15.10"
+
+  node.default['postgresql']['enable_pgdg_apt'] = true
   node.default['postgresql']['config']['listen_addresses'] = 'localhost'
   node.default['postgresql']['password']['postgres'] = 'md506be11be01439cb4abd537e454df34ea' # "inspec"
   include_recipe 'postgresql::server'

data/test/functional/command_test.rb

@@ -0,0 +1,390 @@
+# encoding: utf-8
+# author: Dominik Richter
+# author: Christoph Hartmann
+
+require 'helper'
+require 'minitest/hell'
+class Minitest::Test
+  parallelize_me!
+end
+
+describe 'Inspec::InspecCLI' do
+  let(:repo_path) { File.expand_path(File.join( __FILE__, '..', '..', '..')) }
+  let(:exec_inspec) { File.join(repo_path, 'bin', 'inspec') }
+  let(:profile_path) { File.join(repo_path, 'test', 'unit', 'mock', 'profiles') }
+  let(:examples_path) { File.join(repo_path, 'examples') }
+  let(:dst) {
+    # create a temporary path, but we only want an auto-clean helper
+    # so remove the file and give back the path
+    res = Tempfile.new('inspec-shred')
+    FileUtils.rm(res.path)
+    TMP_CACHE[res.path] = res
+  }
+
+  def inspec(commandline)
+    CMD.run_command("#{exec_inspec} #{commandline}")
+  end
+
+  describe 'detect' do
+    it 'runs well on all nodes' do
+      out = inspec('detect')
+      out.stderr.must_equal ''
+      out.exit_status.must_equal 0
+      j = JSON.load(out.stdout)
+      j.keys.must_include 'name'
+      j.keys.must_include 'family'
+      j.keys.must_include 'arch'
+      j.keys.must_include 'release'
+    end
+  end
+
+  describe 'version' do
+    it 'provides the version number on stdout' do
+      out = inspec('version')
+      out.stderr.must_equal ''
+      out.exit_status.must_equal 0
+      out.stdout.must_equal Inspec::VERSION+"\n"
+    end
+  end
+
+  describe 'shell' do
+    it 'provides a help command' do
+      out = CMD.run_command("echo \"help\nexit\" | #{exec_inspec} shell")
+      out.exit_status.must_equal 0
+      out.stdout.must_include 'Available commands:'
+      out.stdout.must_include 'You are currently running on:'
+    end
+
+    it 'exposes all resources' do
+      out = CMD.run_command("echo \"os\nexit\" | #{exec_inspec} shell")
+      out.exit_status.must_equal 0
+      out.stdout.must_match /^=> .*Operating.* .*System.* .*Detection.*$/
+    end
+  end
+
+  describe 'example profile' do
+    let(:path) { File.join(examples_path, 'profile') }
+
+    it 'check is successful' do
+      out = inspec('check ' + path)
+      out.stdout.must_match /Valid.*true/
+      out.exit_status.must_equal 0
+    end
+
+    it 'archive is successful' do
+      out = inspec('archive ' + path + ' --overwrite')
+      out.exit_status.must_equal 0
+      out.stdout.must_match /Generate archive [^ ]*profile.tar.gz/
+      out.stdout.must_include 'Finished archive generation.'
+    end
+
+    it 'archives to output file' do
+      out = inspec('archive ' + path + ' --output ' + dst.path)
+      out.stderr.must_equal ''
+      out.stdout.must_include 'Generate archive '+dst.path
+      out.stdout.must_include 'Finished archive generation.'
+      out.exit_status.must_equal 0
+      File.exist?(dst.path).must_equal true
+    end
+
+    it 'auto-archives when no --output is given' do
+      auto_dst = File.join(repo_path, 'profile.tar.gz')
+      out = inspec('archive ' + path + ' --overwrite')
+      out.stderr.must_equal ''
+      out.stdout.must_include 'Generate archive '+auto_dst
+      out.stdout.must_include 'Finished archive generation.'
+      out.exit_status.must_equal 0
+      File.exist?(auto_dst).must_equal true
+    end
+
+    it 'archive on invalid archive' do
+      out = inspec('archive /proc --output ' + dst.path)
+      # out.stdout.must_equal '' => we have partial stdout output right now
+      out.stderr.must_include "Don't understand inspec profile in \"/proc\""
+      out.exit_status.must_equal 1
+      File.exist?(dst.path).must_equal false
+    end
+
+    it 'archive wont overwrite existing files' do
+      x = rand.to_s
+      File.write(dst.path, x)
+      out = inspec('archive ' + path + ' --output ' + dst.path)
+      out.stderr.must_equal '' # uh...
+      out.stdout.must_include "Archive #{dst.path} exists already. Use --overwrite."
+      out.exit_status.must_equal 1
+      File.read(dst.path).must_equal x
+    end
+
+    it 'archive will overwrite files if necessary' do
+      x = rand.to_s
+      File.write(dst.path, x)
+      out = inspec('archive ' + path + ' --output ' + dst.path + ' --overwrite')
+      out.stderr.must_equal ''
+      out.stdout.must_include 'Generate archive '+dst.path
+      out.exit_status.must_equal 0
+      File.read(dst.path).wont_equal x
+    end
+
+    it 'creates valid tar.gz archives' do
+      out = inspec('archive ' + path + ' --output ' + dst.path + ' --tar')
+      out.stderr.must_equal ''
+      out.stdout.must_include 'Generate archive '+dst.path
+      out.exit_status.must_equal 0
+      t = Zlib::GzipReader.open(dst.path)
+      Gem::Package::TarReader.new(t).entries.map(&:header).map(&:name).must_include 'inspec.yml'
+    end
+
+    it 'creates valid zip archives' do
+      out = inspec('archive ' + path + ' --output ' + dst.path + ' --zip')
+      out.stderr.must_equal ''
+      out.stdout.must_include 'Generate archive '+dst.path
+      out.exit_status.must_equal 0
+      Zip::File.new(dst.path).entries.map(&:name).must_include 'inspec.yml'
+    end
+
+    it 'read the profile json' do
+      out = inspec('json ' + path)
+      out.stderr.must_equal ''
+      out.exit_status.must_equal 0
+      s = out.stdout
+      JSON.load(s).must_be_kind_of Hash
+    end
+
+    describe 'json profile data' do
+      let(:json) { JSON.load(inspec('json '+path).stdout) }
+
+      it 'has a name' do
+        json['name'].must_equal 'profile'
+      end
+
+      it 'has a title' do
+        json['title'].must_equal 'InSpec Example Profile'
+      end
+
+      it 'has a summary' do
+        json['summary'].must_equal 'Demonstrates the use of InSpec Compliance Profile'
+      end
+
+      it 'has a version' do
+        json['version'].must_equal '1.0.0'
+      end
+
+      it 'has a maintainer' do
+        json['maintainer'].must_equal 'Chef Software, Inc.'
+      end
+
+      it 'has a copyright' do
+        json['copyright'].must_equal 'Chef Software, Inc.'
+      end
+
+      it 'has rules' do
+        json['rules'].length.must_equal 2 # TODO: flatten out or search deeper!
+      end
+
+      describe 'a rule' do
+        let(:rule) { json['rules']['controls/example.rb']['rules']['tmp-1.0'] }
+
+        it 'has a title' do
+          rule['title'].must_equal 'Create /tmp directory'
+        end
+
+        it 'has a description' do
+          rule['desc'].must_equal 'An optional description...'
+        end
+
+        it 'has an impact' do
+          rule['impact'].must_equal 0.7
+        end
+
+        it 'has a ref' do
+          rule['refs'].must_equal([{'ref' => 'Document A-12', 'url' => 'http://...'}])
+        end
+
+        it 'has a source location' do
+          loc = File.join(path, '/controls/example.rb')
+          rule['source_location'].must_equal [loc, 8]
+        end
+
+        it 'has a the source code' do
+          rule['code'].must_match /\Acontrol \"tmp-1.0\" do.*end\n\Z/m
+        end
+      end
+    end
+
+    it 'writes json to file' do
+      out = inspec('json ' + path + ' --output ' + dst.path)
+      out.stderr.must_equal ''
+      out.exit_status.must_equal 0
+      hm = JSON.load(File.read(dst.path))
+      hm['name'].must_equal 'profile'
+      hm['rules'].length.must_equal 2 # TODO: flatten out or search deeper!
+    end
+
+    it 'can execute the profile' do
+      out = inspec('exec ' + path)
+      out.stderr.must_equal ''
+      out.exit_status.must_equal 0
+      out.stdout.must_match /^Pending: /
+      out.stdout.must_include '3 examples, 0 failures, 1 pending'
+    end
+
+    it 'can execute the profile with the json formatter' do
+      out = inspec('exec ' + path + ' --format json')
+      out.stderr.must_equal ''
+      out.exit_status.must_equal 0
+      JSON.load(out.stdout).must_be_kind_of Hash
+    end
+
+    describe 'execute a profile with json formatting' do
+      let(:json) { JSON.load(inspec('exec ' + path + ' --format json').stdout) }
+      let(:examples) { json['examples'] }
+      let(:ex1) { examples.find{|x| x['id'] == 'tmp-1.0'} }
+      let(:ex2) { examples.find{|x| x['id'] =~ /generated/} }
+      let(:ex3) { examples.find{|x| x['id'] == 'gordon-1.0'} }
+
+      it 'must have 3 examples' do
+        json['examples'].length.must_equal 3
+      end
+
+      it 'id in json' do
+        examples.find { |ex| !ex.key? 'id' }.must_be :nil?
+      end
+
+      it 'impact in json' do
+        ex1['impact'].must_equal 0.7
+        ex2['impact'].must_be :nil?
+      end
+
+      it 'status in json' do
+        ex1['status'].must_equal 'passed'
+        ex3['status'].must_equal 'pending'
+      end
+
+      it 'pending message in json' do
+        ex1['pending_message'].must_be :nil?
+        ex3['pending_message'].must_equal 'Not yet implemented'
+      end
+    end
+
+    describe 'execute a profile with fulljson formatting' do
+      let(:json) { JSON.load(inspec('exec ' + path + ' --format fulljson').stdout) }
+      let(:examples) { json['examples'] }
+      let(:metadata) { json['profiles'][0] }
+      let(:ex1) { examples.find{|x| x['id'] == 'tmp-1.0'} }
+      let(:ex2) { examples.find{|x| x['id'] =~ /generated/} }
+      let(:ex3) { examples.find{|x| x['id'] == 'gordon-1.0'} }
+
+      it 'has all the metadata' do
+        metadata.must_equal({
+          "name" => "profile",
+          "title" => "InSpec Example Profile",
+          "maintainer" => "Chef Software, Inc.",
+          "copyright" => "Chef Software, Inc.",
+          "copyright_email" => "support@chef.io",
+          "license" => "Apache 2 license",
+          "summary" => "Demonstrates the use of InSpec Compliance Profile",
+          "version" => "1.0.0",
+          "supports" => [{"os-family" => "linux"}]
+        })
+      end
+
+      it 'must have 3 examples' do
+        json['examples'].length.must_equal 3
+      end
+
+      it 'id in json' do
+        examples.find { |ex| !ex.key? 'id' }.must_be :nil?
+      end
+
+      it 'title in json' do
+        ex3['title'].must_equal 'Verify the version number of Gordon'
+      end
+
+      it 'desc in json' do
+        ex3['desc'].must_equal 'An optional description...'
+      end
+
+      it 'code in json' do
+        ex3['code'].wont_be :nil?
+      end
+
+      it 'code_desc in json' do
+        ex3['code_desc'].wont_be :nil?
+      end
+
+      it 'impact in json' do
+        ex1['impact'].must_equal 0.7
+        ex2['impact'].must_be :nil?
+      end
+
+      it 'status in json' do
+        ex1['status'].must_equal 'passed'
+        ex3['status'].must_equal 'pending'
+      end
+
+      it 'ref in json' do
+        ex1['ref'].must_match %r{examples/profile/controls/example.rb$}
+      end
+
+      it 'ref_line in json' do
+        ex1['ref_line'].must_equal 14
+      end
+
+      it 'run_time in json' do
+        ex1['run_time'].wont_be :nil?
+      end
+
+      it 'start_time in json' do
+        ex1['start_time'].wont_be :nil?
+      end
+
+      it 'pending message in json' do
+        ex1['pending'].must_be :nil?
+        ex3['pending'].must_equal "Can't find file \"/etc/gordon/config.yaml\""
+      end
+    end
+  end
+
+  describe 'example inheritance profile' do
+    let(:path) { File.join(examples_path, 'inheritance') }
+
+    [
+      'archive %s --overwrite',
+      'check %s',
+      'json %s',
+    ].each do |cmd|
+      it cmd[/^\w/] + ' fails without --profiles-path' do
+        out = inspec(format(cmd, path))
+        out.stderr.must_include 'You must supply a --profiles-path to inherit'
+        # out.stdout.must_equal '' => we still get partial output
+        out.exit_status.must_equal 1
+      end
+    end
+
+    it 'check succeeds with --profiles-path' do
+      out = inspec('check ' + path + ' --profiles-path ' + examples_path)
+      out.stderr.must_equal ''
+      out.stdout.must_match /Valid.*true/
+      out.exit_status.must_equal 0
+    end
+
+    it 'archive is successful with --profiles-path' do
+      out = inspec('archive ' + path + ' --output ' + dst.path + ' --profiles-path ' + examples_path)
+      out.stderr.must_equal ''
+      out.stdout.must_include 'Generate archive '+dst.path
+      out.stdout.must_include 'Finished archive generation.'
+      out.exit_status.must_equal 0
+      File.exist?(dst.path).must_equal true
+    end
+
+    it 'read the profile json with --profiles-path' do
+      out = inspec('json ' + path + ' --profiles-path '+examples_path)
+      out.stderr.must_equal ''
+      out.exit_status.must_equal 0
+      s = out.stdout
+      hm = JSON.load(s)
+      hm['name'].must_equal 'inheritance'
+      hm['rules'].length.must_equal 1 # TODO: flatten out or search deeper!
+    end
+  end
+end