inspec 0.18.0 → 0.19.0

data/lib/bundles/inspec-compliance/http.rb

@@ -0,0 +1,80 @@
+# encoding: utf-8
+# author: Christoph Hartmann
+# author: Dominik Richter
+
+require 'net/http'
+require 'uri'
+
+module Compliance
+  # implements a simple http abstraction on top of Net::HTTP
+  class HTTP
+    # generic get requires
+    def self.get(url, token, insecure, basic_auth = false)
+      uri = URI.parse(url)
+      req = Net::HTTP::Get.new(uri.path)
+
+      return send_request(uri, req, insecure) if token.nil?
+
+      if basic_auth
+        req.basic_auth(token, '')
+      else
+        req['Authorization'] = "Bearer #{token}"
+      end
+      send_request(uri, req, insecure)
+    end
+
+    # generic post request
+    def self.post(url, token, insecure, basic_auth = false)
+      # form request
+      uri = URI.parse(url)
+      req = Net::HTTP::Post.new(uri.path)
+      if basic_auth
+        req.basic_auth token, ''
+      else
+        req['Authorization'] = "Bearer #{token}"
+      end
+      req.form_data={}
+
+      send_request(uri, req, insecure)
+    end
+
+    # post a file
+    def self.post_file(url, token, file_path, insecure, basic_auth = false)
+      uri = URI.parse(url)
+      http = Net::HTTP.new(uri.host, uri.port)
+
+      # set connection flags
+      http.use_ssl = (uri.scheme == 'https')
+      http.verify_mode = OpenSSL::SSL::VERIFY_NONE if insecure
+
+      req = Net::HTTP::Post.new(uri.path)
+      if basic_auth
+        req.basic_auth token, ''
+      else
+        req['Authorization'] = "Bearer #{token}"
+      end
+
+      req.body_stream=File.open(file_path, 'rb')
+      req.add_field('Content-Length', File.size(file_path))
+      req.add_field('Content-Type', 'application/x-gtar')
+
+      boundary = 'INSPEC-PROFILE-UPLOAD'
+      req.add_field('session', boundary)
+      res=http.request(req)
+      res
+    end
+
+    # sends a http requests
+    def self.send_request(uri, req, insecure)
+      opts = {
+        use_ssl: uri.scheme == 'https',
+      }
+      opts[:verify_mode] = OpenSSL::SSL::VERIFY_NONE if insecure
+
+      res = Net::HTTP.start(uri.host, uri.port, opts) {|http|
+        http.request(req)
+      }
+      res
+    end
+  end
+end

data/lib/bundles/inspec-compliance.rb

@@ -7,6 +7,7 @@ $LOAD_PATH.unshift(libdir) unless $LOAD_PATH.include?(libdir)
 
 module Compliance
   autoload :Configuration, 'inspec-compliance/configuration'
+  autoload :HTTP, 'inspec-compliance/http'
   autoload :API, 'inspec-compliance/api'
 end
 

data/lib/inspec/metadata.rb

@@ -4,6 +4,8 @@
 # author: Christoph Hartmann
 
 require 'logger'
+require 'rubygems/version'
+require 'rubygems/requirement'
 
 module Inspec
   # Extract metadata.rb information
@@ -40,8 +42,10 @@ module Inspec
       # already.
     end
 
-    def is_supported(os, entry)
-      name, family, release = support_fields(entry)
+    def is_supported?(os, entry)
+      name = entry[:'os-name'] || entry[:os]
+      family = entry[:'os-family']
+      release = entry[:release]
 
       # return true if the backend matches the supported OS's
       # fields act as masks, i.e. any value configured for os-name, os-family,
@@ -66,34 +70,24 @@ module Inspec
       name_ok && family_ok && release_ok
     end
 
-    def support_fields(entry)
-      if entry.is_a?(Hash)
-        try_support = self.class.symbolize_keys(entry)
-        name = try_support[:'os-name'] || try_support[:os]
-        family = try_support[:'os-family']
-        release = try_support[:release]
-      elsif entry.is_a?(String)
-        @logger.warn(
-          "Do not use deprecated `supports: #{entry}` syntax. Instead use "\
-          "`supports: {os-family: #{entry}}`.")
-        family = entry
-      end
+    def inspec_requirement
+      inspec = params[:supports].find { |x| !x[:inspec].nil? } || {}
+      Gem::Requirement.create(inspec[:inspec])
+    end
 
-      [name, family, release]
+    def supports_runtime?
+      running = Gem::Version.new(Inspec::VERSION)
+      inspec_requirement.satisfied_by?(running)
     end
 
     def supports_transport?(backend)
-      # make sure the supports field is always an array
-      supp = params[:supports]
-      supp = supp.is_a?(Hash) ? [supp] : Array(supp)
-
       # with no supports specified, always return true, as there are no
       # constraints on the supported backend; it is equivalent to putting
       # all fields into accept-all mode
-      return true if supp.empty?
+      return true if params[:supports].empty?
 
-      found = supp.find do |entry|
-        is_supported(backend.os, entry)
+      found = params[:supports].find do |entry|
+        is_supported?(backend.os, entry)
       end
 
       # finally, if we found a supported entry, we are good to go
@@ -132,32 +126,51 @@ module Inspec
       @missing_methods
     end
 
-    def self.symbolize_keys(hash)
-      hash.each_with_object({}) {|(k, v), h|
+    def self.symbolize_keys(obj)
+      return obj.map { |i| symbolize_keys(i) } if obj.is_a?(Array)
+      return obj unless obj.is_a?(Hash)
+
+      obj.each_with_object({}) {|(k, v), h|
         v = symbolize_keys(v) if v.is_a?(Hash)
+        v = symbolize_keys(v) if v.is_a?(Array)
         h[k.to_sym] = v
       }
     end
 
-    def self.finalize(metadata, profile_id)
+    def self.finalize(metadata, profile_id, logger = nil)
       return nil if metadata.nil?
       param = metadata.params || {}
       param['name'] = profile_id.to_s unless profile_id.to_s.empty?
       param['version'] = param['version'].to_s unless param['version'].nil?
       metadata.params = symbolize_keys(param)
+
+      # consolidate supports field with legacy mode
+      metadata.params[:supports] =
+        case x = metadata.params[:supports]
+        when Hash   then [x]
+        when Array  then x
+        when nil    then []
+        else
+          logger ||= Logger.new(nil)
+          logger.warn(
+            "Do not use deprecated `supports: #{x}` syntax. Instead use "\
+            "`supports: {os-family: #{x}}`.")
+          [{ :'os-family' => x }]
+        end
+
       metadata
     end
 
     def self.from_yaml(ref, contents, profile_id, logger = nil)
       res = Metadata.new(ref, logger)
       res.params = YAML.load(contents)
-      finalize(res, profile_id)
+      finalize(res, profile_id, logger)
     end
 
     def self.from_ruby(ref, contents, profile_id, logger = nil)
       res = Metadata.new(ref, logger)
       res.instance_eval(contents, ref, 1)
-      finalize(res, profile_id)
+      finalize(res, profile_id, logger)
     end
 
     def self.from_ref(ref, contents, profile_id, logger = nil)

data/lib/inspec/objects/test.rb

@@ -48,7 +48,8 @@ module Inspec
 
       if @qualifier.length > 1
         last = @qualifier[-1]
-        if last.length == 1
+        # preventing its(:to_i) as the value returned is always 0
+        if last.length == 1 && last[0] != 'to_i'
           xres = last[0]
         else
           res += '.' + ruby_qualifier(last)

data/lib/inspec/resource.rb

@@ -62,6 +62,7 @@ require 'resources/etc_group'
 require 'resources/file'
 require 'resources/gem'
 require 'resources/group'
+require 'resources/grub_conf'
 require 'resources/host'
 require 'resources/inetd_conf'
 require 'resources/interface'

data/lib/inspec/rspec_json_formatter.rb

@@ -38,7 +38,7 @@ class InspecRspecFormatter < RSpec::Core::Formatters::JsonFormatter
 
   def dump_summary(summary)
     super(summary)
-    @output_hash[:profiles] = @profiles.map do |profile|
+    @output_hash[:profiles] = Array(@profiles).map do |profile|
       r = profile.params.dup
       r.delete(:rules)
       r

data/lib/inspec/runner.rb

@@ -52,7 +52,26 @@ module Inspec
       add_profile(profile, options)
     end
 
+    def supports_profile?(profile)
+      return true if profile.metadata.nil?
+
+      if !profile.metadata.supports_runtime?
+        fail 'This profile requires InSpec version '\
+             "#{profile.metadata.inspec_requirement}. You are running "\
+             "InSpec v#{Inspec::VERSION}.\n"
+      end
+
+      if !profile.metadata.supports_transport?(@backend)
+        os_info = @backend.os[:family].to_s
+        fail "This OS/platform (#{os_info}) is not supported by this profile."
+      end
+
+      true
+    end
+
     def add_profile(profile, options = {})
+      return if !options[:ignore_supports] && !supports_profile?(profile)
+
       @test_collector.add_profile(profile)
       options[:metadata] = profile.metadata
 
@@ -86,19 +105,6 @@ module Inspec
       tests = [tests] unless tests.is_a? Array
       tests.each { |t| add_test_to_context(t, ctx) }
 
-      # skip based on support checks in metadata
-      meta = options[:metadata]
-      if !options[:ignore_supports] && !meta.nil? &&
-         !meta.supports_transport?(@backend)
-        os_info = @backend.os[:family].to_s
-        ctx.rules.values.each do |ctrl|
-          ::Inspec::Rule.set_skip_rule(
-            ctrl,
-            "This OS/platform (#{os_info}) is not supported by this profile.",
-          )
-        end
-      end
-
       # process the resulting rules
       filter_controls(ctx.rules, options[:controls]).each do |rule_id, rule|
         register_rule(rule_id, rule)

data/lib/inspec/runner_rspec.rb

@@ -48,7 +48,7 @@ module Inspec
     # @return [nil]
     def add_test(example, rule_id, rule)
       set_rspec_ids(example, rule_id, rule)
-      @tests.register(example)
+      @tests.example_groups.push(example)
     end
 
     # Retrieve the list of tests that have been added.

data/lib/inspec/version.rb

@@ -3,5 +3,5 @@
 # author: Christoph Hartmann
 
 module Inspec
-  VERSION = '0.18.0'.freeze
+  VERSION = '0.19.0'.freeze
 end

data/lib/matchers/matchers.rb

@@ -226,7 +226,7 @@ end
 # - compare strings case-insensitive
 # - you expect a number (strings will be converted if possible)
 #
-RSpec::Matchers.define :cmp do |expected|
+RSpec::Matchers.define :cmp do |first_expected|
 
   def integer?(value)
     !(value =~ /\A\d+\Z/).nil?
@@ -243,33 +243,52 @@ RSpec::Matchers.define :cmp do |expected|
     !(value =~ /\A0+\d+\Z/).nil?
   end
 
-  match do |actual|
-    actual = actual[0] if actual.is_a?(Array) && !expected.is_a?(Array) && actual.length == 1
+  def try_match(actual, op, expected) # rubocop:disable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
     # if actual and expected are strings
     if expected.is_a?(String) && actual.is_a?(String)
-      actual.casecmp(expected) == 0
+      return actual.casecmp(expected) == 0 if op == :==
     elsif expected.is_a?(String) && integer?(expected) && actual.is_a?(Integer)
-      expected.to_i == actual
+      return actual.method(op).call(expected.to_i)
     elsif expected.is_a?(Integer) && integer?(actual)
-      expected == actual.to_i
+      return actual.to_i.method(op).call(expected)
     elsif expected.is_a?(Float) && float?(actual)
-      expected == actual.to_f
+      return actual.to_f.method(op).call(expected)
     elsif octal?(expected) && actual.is_a?(Integer)
-      expected.to_i(8) == actual
-    # fallback to equal
-    else
-      actual == expected
+      return actual.method(op).call(expected.to_i(8))
+    end
+
+    # fallback to simple operation
+    actual.method(op).call(expected)
+
+  rescue NameError => _
+    false
+  rescue ArgumentError
+    false
+  end
+
+  match do |actual|
+    @operation ||= :==
+    @expected ||= first_expected
+    return actual === @expected if @operation == :=== # rubocop:disable Style/CaseEquality
+    actual = actual[0] if actual.is_a?(Array) && !@expected.is_a?(Array) && actual.length == 1
+    try_match(actual, @operation, @expected)
+  end
+
+  [:==, :<, :<=, :>=, :>, :===, :=~].each do |op|
+    chain(op) do |x|
+      @operation = op
+      @expected = x
     end
   end
 
   failure_message do |actual|
     actual = '0' + actual.to_s(8) if octal?(expected)
-    "\nexpected: #{expected}\n     got: #{actual}\n\n(compared using `cmp` matcher)\n"
+    "\nexpected: value #{@operation} #{expected}\n     got: #{actual}\n\n(compared using `cmp` matcher)\n"
   end
 
   failure_message_when_negated do |actual|
     actual = '0' + actual.to_s(8) if octal?(expected)
-    "\nexpected: value != #{expected}\n     got: #{actual}\n\n(compared using `cmp` matcher)\n"
+    "\nexpected: value ! #{@operation} #{expected}\n     got: #{actual}\n\n(compared using `cmp` matcher)\n"
   end
 end
 

data/lib/resources/grub_conf.rb

@@ -0,0 +1,186 @@
+# encoding: utf-8
+# author: Thomas Cate
+# license: All rights reserved
+
+require 'utils/simpleconfig'
+
+class GrubConfig < Inspec.resource(1) # rubocop:disable Metrics/ClassLength
+  name 'grub_conf'
+  desc 'Use the grub_conf InSpec audit resource to test the boot config of Linux systems that use Grub.'
+  example "
+    describe grub_conf('/etc/grub.conf',  'default') do
+      its('kernel') { should include '/vmlinuz-2.6.32-573.7.1.el6.x86_64' }
+      its('initrd') { should include '/initramfs-2.6.32-573.el6.x86_64.img=1' }
+      its('default') { should_not eq '1' }
+      its('timeout') { should eq '5' }
+    end
+
+    also check specific kernels
+    describe grub_conf('/etc/grub.conf',  'CentOS (2.6.32-573.12.1.el6.x86_64)') do
+      its('kernel') { should include 'audit=1' }
+    end
+  "
+
+  def initialize(path = nil, kernel = nil)
+    family = inspec.os[:family]
+    case family
+    when 'redhat', 'fedora', 'centos'
+      release = inspec.os[:release].to_f
+      supported = true
+      if release < 7
+        @conf_path = path || '/etc/grub.conf'
+        @version = 'legacy'
+      else
+        @conf_path = path || '/boot/grub/grub.cfg'
+        @defaults_path = '/etc/default/grub'
+        @version = 'grub2'
+      end
+    when 'ubuntu'
+      @conf_path = path || '/boot/grub/grub.cfg'
+      @defaults_path = '/etc/default/grub'
+      @version = 'grub2'
+      supported = true
+    end
+    @kernel = kernel || 'default'
+    return skip_resource 'The `grub_config` resource is not supported on your OS yet.' if supported.nil?
+  end
+
+  def method_missing(name)
+    read_params[name.to_s]
+  end
+
+  def to_s
+    'Grub Config'
+  end
+
+  private
+
+  ######################################################################
+  # Grub2 This is used by all supported versions of Ubuntu and Rhel 7+ #
+  ######################################################################
+
+  def grub2_parse_kernel_lines(content, conf)
+    # Find all "menuentry" lines and then parse them into arrays
+    menu_entry = 0
+    lines = content.split("\n")
+    kernel_opts = {}
+    kernel_opts['insmod'] = []
+    lines.each_with_index do |file_line, index|
+      next unless file_line =~ /(^|\s)menuentry\s.*/
+      lines.drop(index+1).each do |kernel_line|
+        next if kernel_line =~ /(^|\s)(menu|}).*/
+        if menu_entry == conf['GRUB_DEFAULT'].to_i && @kernel == 'default'
+          if kernel_line =~ /(^|\s)initrd.*/
+            kernel_opts['initrd'] = kernel_line.split(' ')[1]
+          end
+          if kernel_line =~ /(^|\s)linux.*/
+            kernel_opts['kernel'] = kernel_line.split
+          end
+          if kernel_line =~ /(^|\s)set root=.*/
+            kernel_opts['root'] = kernel_line.split('=')[1].tr('\'', '')
+          end
+          if kernel_line =~ /(^|\s)insmod.*/
+            kernel_opts['insmod'].push(kernel_line.split(' ')[1])
+          end
+        else
+          menu_entry += 1
+          break
+        end
+      end
+    end
+    kernel_opts
+  end
+
+  ###################################################################
+  # Grub1 aka legacy-grub config. Primarily used by Centos/Rhel 6.x #
+  ###################################################################
+
+  def parse_kernel_lines(content, conf)
+    # Find all "title" lines and then parse them into arrays
+    menu_entry = 0
+    lines = content.split("\n")
+    kernel_opts = {}
+    lines.each_with_index do |file_line, index|
+      next unless file_line =~ /^title.*/
+      current_kernel = file_line.split(' ', 2)[1]
+      lines.drop(index+1).each do |kernel_line|
+        if kernel_line =~ /^\s.*/
+          option_type = kernel_line.split(' ')[0]
+          line_options = kernel_line.split(' ').drop(1)
+          if (menu_entry == conf['default'].to_i && @kernel == 'default') || current_kernel == @kernel
+            if option_type == 'kernel'
+              kernel_opts['kernel'] = line_options
+            else
+              kernel_opts[option_type] = line_options[0]
+            end
+          end
+        else
+          menu_entry += 1
+          break
+        end
+      end
+    end
+    kernel_opts
+  end
+
+  def read_file(config_file)
+    file = inspec.file(config_file)
+
+    if !file.file? && !file.symlink?
+      skip_resource "Can't find file '#{@conf_path}'"
+      return @params = {}
+    end
+
+    content = file.content
+
+    if content.empty? && file.size > 0
+      skip_resource "Can't read file '#{@conf_path}'"
+      return @params = {}
+    end
+
+    content
+  end
+
+  def read_params
+    return @params if defined?(@params)
+
+    content = read_file(@conf_path)
+
+    if @version == 'legacy'
+      # parse the file
+      conf = SimpleConfig.new(
+        content,
+        multiple_values: true,
+      ).params
+      # convert single entry arrays into strings
+      conf.each do |key, value|
+        if value.size == 1
+          conf[key] = conf[key][0].to_s
+        end
+      end
+      kernel_opts = parse_kernel_lines(content, conf)
+      @params = conf.merge(kernel_opts)
+    end
+
+    if @version == 'grub2'
+      # read defaults
+      defaults = read_file(@defaults_path)
+
+      conf = SimpleConfig.new(
+        defaults,
+        multiple_values: true,
+      ).params
+
+      # convert single entry arrays into strings
+      conf.each do |key, value|
+        if value.size == 1
+          conf[key] = conf[key][0].to_s
+        end
+      end
+
+      kernel_opts = grub2_parse_kernel_lines(content, conf)
+      @params = conf.merge(kernel_opts)
+    end
+    @params
+  end
+end

data/lib/resources/json.rb

@@ -10,7 +10,7 @@ module Inspec::Resources
     desc 'Use the json InSpec audit resource to test data in a JSON file.'
     example "
       describe json('policyfile.lock.json') do
-        its('cookbook_locks.omnibus.version') { should eq('2.2.0') }
+        its(['cookbook_locks','omnibus','version']) { should eq('2.2.0') }
       end
     "
 

data/lib/resources/service.rb

@@ -94,7 +94,7 @@ module Inspec::Resources
       return skip_resource 'The `service` resource is not supported on your OS yet.' if @service_mgmt.nil?
     end
 
-    def select_service_mgmt # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
+    def select_service_mgmt # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity, Metrics/MethodLength
       os = inspec.os
       family = os[:family]
 
@@ -135,8 +135,14 @@ module Inspec::Resources
         WindowsSrv.new(inspec)
       elsif %w{freebsd}.include?(family)
         BSDInit.new(inspec, service_ctl)
-      elsif %w{arch opensuse}.include?(family)
+      elsif %w{arch}.include?(family)
         Systemd.new(inspec, service_ctl)
+      elsif %w{suse opensuse}.include?(family)
+        if inspec.os[:release].to_i >= 12
+          Systemd.new(inspec, service_ctl)
+        else
+          SysV.new(inspec, service_ctl || '/sbin/service')
+        end
       elsif %w{aix}.include?(family)
         SrcMstr.new(inspec)
       elsif %w{amazon}.include?(family)
@@ -214,7 +220,7 @@ module Inspec::Resources
       running = params['SubState'] == 'running'
       # test via systemctl --quiet is-enabled
       # ActiveState values eg.g inactive, active
-      enabled = params['UnitFileState'] == 'enabled'
+      enabled = %w{enabled static}.include? params['UnitFileState']
 
       {
         name: params['Id'],

data/lib/utils/base_cli.rb

@@ -69,7 +69,8 @@ module Inspec
       targets.each { |target| runner.add_target(target, opts) }
       exit runner.run
     rescue RuntimeError => e
-      puts e.message
+      $stderr.puts e.message
+      exit 1
     end
 
     def diagnose

data/lib/utils/hash_map.rb

@@ -0,0 +1,37 @@
+# encoding: utf-8
+# author: Dominik Richter
+# author: Christoph Hartmann
+
+class HashMap
+  class << self
+    def [](hash, *keys)
+      return hash if keys.empty? || hash.nil?
+      key = keys.shift
+      if hash.is_a?(Array)
+        map = hash.map { |i| [i, key] }
+      else
+        map = hash[key]
+      end
+      [map, *keys]
+    rescue NoMethodError => _
+      nil
+    end
+  end
+end
+
+class StringMap
+  class << self
+    def [](hash, *keys)
+      return hash if keys.empty? || hash.nil?
+      key = keys.shift
+      if hash.is_a?(Array)
+        map = hash.map { |i| [i, key] }
+      else
+        map = hash[key]
+      end
+      [map, *keys]
+    rescue NoMethodError => _
+      nil
+    end
+  end
+end