inspec 0.16.4 → 0.17.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: dd9121f0f0fbdd3881f80534bb3fc91cb8256d9a
-  data.tar.gz: d83f04403f4157f117dd9b9ed413217c8554bfc2
+  metadata.gz: 2454963fda63c4f4fbac8878277b21c1fc41d43a
+  data.tar.gz: acdaf6cd9432ff53d73a3140344c831d8fe7fa2f
 SHA512:
-  metadata.gz: faa3803af3c3f9d516ccafe00e8abb988ab594e8f2294926333cc8e3d3c4ceaa12dda942fb6edcf4ac7343948bc4ed9f94bfba19909c7c0f53205a0b204e8fef
-  data.tar.gz: a514b070ef2f9d72b631f5289b8d733000faf05fa9ae6538f31183599a72e582fb41c4a14fc819b69f6683db496a8f8995eaf9322e015de7ed621bb475f451ee
+  metadata.gz: b08a2835b8f86afca3167418009b38dbdd3196db983d26c4f72cf049cf66deb8efc7e35c58710417e1ffb72ef055755dcb76746e812018a6c6e15a7ee8c45f96
+  data.tar.gz: a815b5c316027b14c308642943e57aa8a88e176e7e5abcbb9d658c1e3b3a5626ba66f23fd292df0c5c5f258b7c3a4c339f203e38428c786ac202ba763d63a240

data/CHANGELOG.md

@@ -1,7 +1,29 @@
 # Change Log
 
-## [0.16.4](https://github.com/chef/inspec/tree/0.16.4) (2016-03-25)
-[Full Changelog](https://github.com/chef/inspec/compare/v0.16.3...0.16.4)
+## [0.17.0](https://github.com/chef/inspec/tree/0.17.0) (2016-03-31)
+[Full Changelog](https://github.com/chef/inspec/compare/v0.16.4...0.17.0)
+
+**Implemented enhancements:**
+
+- add advanced passwd filters \(experimental\) [\#602](https://github.com/chef/inspec/pull/602) ([arlimus](https://github.com/arlimus))
+
+**Closed issues:**
+
+- readable.by not working on RHEL7 [\#597](https://github.com/chef/inspec/issues/597)
+- sshd\_config resource no method error [\#595](https://github.com/chef/inspec/issues/595)
+- Update the readme.md file to include new cli output [\#590](https://github.com/chef/inspec/issues/590)
+
+**Merged pull requests:**
+
+- add file uid and gid accessors [\#603](https://github.com/chef/inspec/pull/603) ([arlimus](https://github.com/arlimus))
+- fix errors introduced in \#593 [\#594](https://github.com/chef/inspec/pull/594) ([chris-rock](https://github.com/chris-rock))
+- Updated documentation and examples to include tags and references [\#593](https://github.com/chef/inspec/pull/593) ([aaronlippold](https://github.com/aaronlippold))
+- Ease removal of whitespace for Powershell Write-Output and VBScript Echo [\#592](https://github.com/chef/inspec/pull/592) ([chris-rock](https://github.com/chris-rock))
+- Amazon linux support for service resource [\#580](https://github.com/chef/inspec/pull/580) ([jbussdieker](https://github.com/jbussdieker))
+- Fixed API calls for inspec compliance [\#537](https://github.com/chef/inspec/pull/537) ([JTabel](https://github.com/JTabel))
+
+## [v0.16.4](https://github.com/chef/inspec/tree/v0.16.4) (2016-03-25)
+[Full Changelog](https://github.com/chef/inspec/compare/v0.16.3...v0.16.4)
 
 **Implemented enhancements:**
 
@@ -19,6 +41,7 @@
 
 **Merged pull requests:**
 
+- 0.16.4 [\#591](https://github.com/chef/inspec/pull/591) ([arlimus](https://github.com/arlimus))
 - Improvements to gordon example and docs [\#583](https://github.com/chef/inspec/pull/583) ([alexpop](https://github.com/alexpop))
 - bugfix: fix rare inspec shell missing all resources [\#582](https://github.com/chef/inspec/pull/582) ([alexpop](https://github.com/alexpop))
 - document tags and refs [\#561](https://github.com/chef/inspec/pull/561) ([chris-rock](https://github.com/chris-rock))

data/README.md

@@ -74,13 +74,20 @@ You should now be able to run:
 ```bash
 $ inspec --help
 Commands:
-  inspec check PATH      # verify test structure in PATH
-  inspec detect          # detect the target OS
-  inspec exec PATHS      # run all test files
-  inspec help [COMMAND]  # Describe available commands or one specific command
-  inspec json PATH       # read all tests in PATH and generate a JSON profile
-  inspec shell           # open an interactive debugging shell
-  inspec version         # prints the version of this tool
+  inspec archive PATH                # archive a profile to tar.gz (default) ...
+  inspec check PATH                  # verify all tests at the specified PATH
+  inspec compliance SUBCOMMAND ...   # Chef Compliance commands
+  inspec detect                      # detect the target OS
+  inspec exec PATH(S)                # run all test files at the specified PATH.
+  inspec help [COMMAND]              # Describe available commands or one spe...
+  inspec init TEMPLATE ...           # Scaffolds a new project
+  inspec json PATH                   # read all tests in PATH and generate a ...
+  inspec shell                       # open an interactive debugging shell
+  inspec supermarket SUBCOMMAND ...  # Supermarket commands
+  inspec version                     # prints the version of this tool
+
+Options:
+  [--diagnose], [--no-diagnose]  # Show diagnostics (versions, configurations)
 ```
 
 # Examples

data/docs/ctl_inspec.rst

@@ -106,19 +106,26 @@ This subcommand has the following syntax:
 
 .. code-block:: bash
 
-   $ inspec exec PATHS (options)
+   $ inspec exec PATH(S) (options)
 
 where:
 
-* ``PATHS`` is one (or more) locations against which tests are run
+* ``PATH(S)`` is one (or more) locations against which tests are run
 
 Options
 -----------------------------------------------------
 This subcommand has additional options:
 
-``--id``
+``--id=``
    Use to attach a profile identifier to all test results.
 
+``--controls="a b c"``
+   A list of controls to run. Ignore all other tests.
+
+``--format=FORMAT``
+   Which formatter to use: progress, documentation, json
+
+
 Examples
 -----------------------------------------------------
 The following examples show how to use this subcommand.
@@ -129,6 +136,12 @@ The following examples show how to use this subcommand.
 
    $ inspec exec test.rb
 
+**Run test 'tmp-01' locally and ignore other tests**
+
+.. code-block:: bash
+
+  $ inspec exec test.rb --controls="tmp-01"
+
 **Run a test on a remote host using SSH**
 
 .. code-block:: bash
@@ -175,6 +188,9 @@ Options
 -----------------------------------------------------
 This subcommand has additional options:
 
+``--controls="a b c"``
+   Use to read only specific subset of controls in the PATH profile.
+
 ``--id``
    Use to attach a profile identifier to all test results.
 

data/docs/inspec_and_friends.rst

@@ -16,10 +16,12 @@ A complete InSpec rule looks like:
   control "sshd-11" do
     impact 1.0
     title "Server: Set protocol version to SSHv2"
-    desc "
-      Set the SSH protocol version to 2. Don't use legacy
-      insecure SSHv1 connections anymore.
-    "
+    desc "Set the SSH protocol version to 2. Don't use legacy
+          insecure SSHv1 connections anymore."
+    tag security: "level-1"
+    tag "openssh-server"
+    ref "Server Security Guide v.1.0", url: "http://..."
+
     describe sshd_config do
       its('Protocol') { should eq('2') }
     end
@@ -59,10 +61,12 @@ One of the key differences is that InSpec targets more user groups. It is optimi
   control "sshd-11" do
     impact 1.0
     title "Server: Set protocol version to SSHv2"
-    desc "
-      Set the SSH protocol version to 2. Don't use legacy
-      insecure SSHv1 connections anymore.
-    "
+    desc "Set the SSH protocol version to 2. Don't use legacy
+          insecure SSHv1 connections anymore."
+    tag security: "level-1"
+    tag "openssh-server"
+    ref "Server Security Guide v.1.0" url: "http://..."
+
     describe sshd_config do
       its('Protocol') { should cmp 2 }
     end

data/docs/readme.rst

@@ -24,6 +24,9 @@ We add a control to this file, to check the ``/tmp`` path in our system:
     impact 0.7                                # The criticality, if this control fails.
     title "Create separate /tmp partition"    # A human-readable title
     desc "An optional description..."
+    tag mygroup: "tag"                        # A tag can be a simple value or
+    tag "tag"                                 # can have a more complex key/value pair.
+    ref "name", url: "http://..."              # A reference to a document, uri: is optional
     describe file('/tmp') do                  # The actual test
       it { should be_mounted }
     end
@@ -50,10 +53,11 @@ It will contain:
   control "sshd-11" do
     impact 1.0
     title "Server: Set protocol version to SSHv2"
-    desc "
-      Set the SSH protocol version to 2. Don't use legacy
-      insecure SSHv1 connections anymore.
-    "
+    desc "Set the SSH protocol version to 2. Don't use legacy
+          insecure SSHv1 connections anymore."
+    tag security: "openssh-server"
+    ref "Document A-12"
+
     describe sshd_config do
       its('Protocol') { should eq('2') }
     end
@@ -62,11 +66,12 @@ It will contain:
   control "sshd-7" do
     impact 1.0
     title "Server: Do not permit root-based login with password."
-    desc "
-      To reduce the potential to gain full privileges
-      of a system in the course of an attack (by either misconfiguration
-      or vulnerabilities), do not allow login as root with password
-    "
+    desc "To reduce the potential to gain full privileges
+          of a system in the course of an attack (by either misconfiguration
+          or vulnerabilities), do not allow login as root with password"
+    tag security: "openssh-server"
+    ref "Document A-12"
+
     describe sshd_config do
       its('PermitRootLogin') { should match(/no|without-password/) }
     end

data/examples/profile/controls/example.rb

@@ -9,6 +9,8 @@ control "tmp-1.0" do                        # A unique ID for this control
   impact 0.7                                # The criticality, if this control fails.
   title "Create /tmp directory"             # A human-readable title
   desc "An optional description..."         # Describe why this is needed
+  tag data: "temp data"                     # A tag allows you to associate key information
+  tag "security"                            # to the test
   ref "Document A-12", url: 'http://...'    # Additional references
 
   describe file('/tmp') do                  # The actual test

data/examples/profile/controls/gordon.rb

@@ -15,6 +15,9 @@ control 'gordon-1.0' do
   impact 0.7
   title 'Verify the version number of Gordon'
   desc 'An optional description...'
+  tag 'gordon'
+  ref 'Gordon Requirements 1.0', uri: 'http://...'
+
   describe gordon_config do
     its('version') { should eq('1.0') }
     its('size') { should <= 20 }

data/inspec.gemspec

@@ -24,7 +24,7 @@ Gem::Specification.new do |spec|
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
   spec.require_paths = ['lib']
 
-  spec.add_dependency 'r-train', '~> 0.10.1'
+  spec.add_dependency 'r-train', '~> 0.10.4'
   spec.add_dependency 'thor', '~> 0.19'
   spec.add_dependency 'json', '~> 1.8'
   spec.add_dependency 'rainbow', '~> 2'

data/lib/bundles/inspec-compliance/api.rb

@@ -10,10 +10,10 @@ module Compliance
   # everything will be stored in local Configuration store
   class API # rubocop:disable Metrics/ClassLength
     # logs into the server, retrieves a token and stores it locally
-    def self.login(server, username, password, insecure)
+    def self.login(server, username, password, insecure, apipath)
       config = Compliance::Configuration.new
-      config['server'] = server
-      url = "#{server}/oauth/token"
+      config['server'] = "#{server}#{apipath}"
+      url = "#{config['server']}/oauth/token"
 
       success, data = Compliance::API.post(url, username, password, insecure)
       if !data.nil?

data/lib/bundles/inspec-compliance/cli.rb

@@ -16,8 +16,10 @@ module Compliance
       desc: 'Chef Compliance Password'
     option :insecure, aliases: :k, type: :boolean,
       desc: 'Explicitly allows InSpec to perform "insecure" SSL connections and transfers'
+    option :apipath, type: :string, default: '/api',
+      desc: 'Set the path to the API, defaults to /api'
     def login(server)
-      success, msg = Compliance::API.login(server, options['user'], options['password'], options['insecure'])
+      success, msg = Compliance::API.login(server, options['user'], options['password'], options['insecure'], options['apipath'])
       if success
         puts 'Successfully authenticated'
       else

data/lib/inspec/version.rb

@@ -3,5 +3,5 @@
 # author: Christoph Hartmann
 
 module Inspec
-  VERSION = '0.16.4'.freeze
+  VERSION = '0.17.0'.freeze
 end

data/lib/resources/file.rb

@@ -4,6 +4,8 @@
 # author: Christoph Hartmann
 # license: All rights reserved
 
+require 'shellwords'
+
 module Inspec::Resources
   class FileResource < Inspec.resource(1) # rubocop:disable Metrics/ClassLength
     name 'file'
@@ -89,6 +91,20 @@ module Inspec::Resources
       end
     end
 
+    # TODO: This is temporary and must be moved to train
+    def uid
+      res = inspec.command('stat '+Shellwords.escape(@path)+' -c %u')
+      return nil if res.exit_status != 0 || res.stdout.empty?
+      res.stdout.to_i
+    end
+
+    # TODO: This is temporary and must be moved to train
+    def gid
+      res = inspec.command('stat '+Shellwords.escape(@path)+' -c %u')
+      return nil if res.exit_status != 0 || res.stdout.empty?
+      res.stdout.to_i
+    end
+
     def to_s
       "File #{path}"
     end

data/lib/resources/passwd.rb

@@ -16,7 +16,7 @@
 require 'utils/parser'
 
 module Inspec::Resources
-  class Passwd < Inspec.resource(1)
+  class Passwd < Inspec.resource(1) # rubocop:disable Metrics/ClassLength
     name 'passwd'
     desc 'Use the passwd InSpec audit resource to test the contents of /etc/passwd, which contains the following information for users that may log into the system and/or as users that own running processes.'
     example "
@@ -56,16 +56,7 @@ module Inspec::Resources
       res = @params
       filters = ''
       hm.each do |attr, condition|
-        condition = condition.to_s if condition.is_a? Integer
-        filters += " #{attr} = #{condition.inspect}"
-        res = res.find_all do |line|
-          case line[attr.to_s]
-          when condition
-            true
-          else
-            false
-          end
-        end
+        res, filters = filter_attribute(attr, condition, res, filters)
       end
       content = res.map { |x| x.values.join(':') }.join("\n")
       Passwd.new(@path, content: content, filters: @filters + filters)
@@ -124,5 +115,43 @@ module Inspec::Resources
     def map_data(id)
       @params.map { |x| x[id] }
     end
+
+    def filter_res_line(item, matcher, condition, positive)
+      # TODO: REWORK ALL OF THESE, please don't depend on them except for simple equality!
+      case matcher
+      when '<'
+        item.to_i < condition
+      when '<='
+        item.to_i <= condition
+      when '>'
+        item.to_i > condition
+      when '>='
+        item.to_i >= condition
+      else
+        condition = condition.to_s if condition.is_a? Integer
+        case item
+        when condition
+          positive
+        else
+          !positive
+        end
+      end
+    end
+
+    def filter_attribute(attr, condition, res, filters)
+      matcher = '=='
+      positive = true
+      if condition.is_a?(Hash) && condition.length == 1
+        matcher = condition.keys[0].to_s
+        condition = condition.values[0]
+      end
+      positive = false if matcher == '!='
+
+      a = res.find_all do |line|
+        filter_res_line(line[attr.to_s], matcher, condition, positive)
+      end
+      b = filters + " #{attr} #{matcher} #{condition.inspect}"
+      [a, b]
+    end
   end
 end

data/lib/resources/powershell.rb

@@ -36,6 +36,11 @@ module Inspec::Resources
       nil
     end
 
+    # Removes leading and trailing whitespace from stdout
+    def strip
+      result.stdout.strip unless result.stdout.nil?
+    end
+
     def to_s
       'Powershell'
     end

data/lib/resources/service.rb

@@ -139,6 +139,8 @@ module Inspec::Resources
         Systemd.new(inspec, service_ctl)
       elsif %w{aix}.include?(family)
         SrcMstr.new(inspec)
+      elsif %w{amazon}.include?(family)
+        Upstart.new(inspec, service_ctl)
       elsif os.solaris?
         Svcs.new(inspec)
       end

data/test/functional/inspec_exec_test.rb

@@ -121,7 +121,7 @@ describe 'inspec exec' do
     end
 
     it 'ref_line in json' do
-      ex1['ref_line'].must_equal 14
+      ex1['ref_line'].must_equal 16
     end
 
     it 'run_time in json' do

data/test/integration/default/powershell_spec.rb

@@ -9,6 +9,11 @@ describe powershell(script) do
   its('stderr') { should eq '' }
 end
 
+# remove whitespace \r\n from stdout
+describe powershell(script) do
+  its('strip') { should eq "hello" }
+end
+
 # legacy test with `script` resource
 describe script(script) do
   its('stdout') { should eq "hello\r\n" }

data/test/integration/default/vbscript_spec.rb

@@ -9,6 +9,11 @@ describe vbscript(vbscript) do
   its('stdout') { should eq "hello\r\n" }
 end
 
+# remove whitespace \r\n from stdout
+describe vbscript(vbscript) do
+  its('strip') { should eq "hello" }
+end
+
 # ensure that we do not require a newline
 describe vbscript("Wscript.Stdout.Write \"hello\"") do
   its('stdout') { should eq 'hello' }

data/test/unit/resources/passwd_test.rb

@@ -42,7 +42,7 @@ describe 'Inspec::Resources::Passwd' do
     end
 
     it 'prints a nice to_s string' do
-      _(child.to_s).must_equal '/etc/passwd with uid = "0"'
+      _(child.to_s).must_equal '/etc/passwd with uid == 0'
     end
 
     it 'retrieves singular elements instead of arrays when filter has only one entry' do
@@ -59,7 +59,7 @@ describe 'Inspec::Resources::Passwd' do
     end
 
     it 'prints a nice to_s string' do
-      _(child.to_s).must_equal '/etc/passwd with user = /^www/'
+      _(child.to_s).must_equal '/etc/passwd with user == /^www/'
     end
   end
 
@@ -76,4 +76,37 @@ describe 'Inspec::Resources::Passwd' do
       _(passwd.usernames).must_equal ['root', 'www-data']
     end
   end
+
+  # TODO REWORK ALL OF THESE, please don't depend on them yet!
+  describe 'experimental features' do
+    it 'retrieves username via uids < x' do
+      _(passwd.uids({ :< => 33 }).count).must_equal 1
+      _(passwd.uids({ :< => 34 }).count).must_equal 2
+    end
+
+    it 'retrieves username via uids <= x' do
+      _(passwd.uids({ :<= => 32 }).count).must_equal 1
+      _(passwd.uids({ :<= => 33 }).count).must_equal 2
+    end
+
+    it 'retrieves username via uids > x' do
+      _(passwd.uids({ :> => 0 }).count).must_equal 1
+      _(passwd.uids({ :> => -1 }).count).must_equal 2
+    end
+
+    it 'retrieves username via uids >= x' do
+      _(passwd.uids({ :>= => 1 }).count).must_equal 1
+      _(passwd.uids({ :>= => 0 }).count).must_equal 2
+    end
+
+    it 'retrieves username via uids == x' do
+      _(passwd.uids({ :== => 0 }).count).must_equal 1
+      _(passwd.uids({ :== => 1 }).count).must_equal 0
+    end
+
+    it 'retrieves username via uids != x' do
+      _(passwd.uids({ :!= => 0 }).count).must_equal 1
+      _(passwd.uids({ :!= => 1 }).count).must_equal 2
+    end
+  end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec
 version: !ruby/object:Gem::Version
-  version: 0.16.4
+  version: 0.17.0
 platform: ruby
 authors:
 - Dominik Richter
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-03-25 00:00:00.000000000 Z
+date: 2016-03-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: r-train
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.10.1
+        version: 0.10.4
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.10.1
+        version: 0.10.4
 - !ruby/object:Gem::Dependency
   name: thor
   requirement: !ruby/object:Gem::Requirement