inspec 0.19.3 → 0.20.0

checksums.yaml

@@ -1,15 +1,7 @@
 ---
-!binary "U0hBMQ==":
-  metadata.gz: !binary |-
-    Y2RmMzdlYzM1NmRkODlmNDNiZDRjMTg4MTkxZDczOGM4ZWEyMjdmNw==
-  data.tar.gz: !binary |-
-    NjFmODBkODVkMTI5MzljNjk1NzI4MGNjNDZkMzc0YTczODExYjYwMA==
+SHA1:
+  metadata.gz: ffbce1bccc070d857ed236bce62eedcb3bb42a4c
+  data.tar.gz: 14004e3dc76705d06589615590dd8bc5f2d4fd12
 SHA512:
-  metadata.gz: !binary |-
-    YzM5Njc4YTc2NTZjNTk0ZTNlYWVlYWU0ZTU3ZGVlNDU2OTA2NWIxZjA5ZDRi
-    MjVlYWZhNDViZjU4NmIzNDZkNjcwOThkMWZkZGY2NjU4YjI4MzFlMWU1ZjE0
-    MDY0NDZhOGRiODU4YTFmNWExMGYwYzYwZGYxMTI2Nzg0N2U3Y2M=
-  data.tar.gz: !binary |-
-    NGUwMDk1YWFiMmM3ZTNjOGMxY2ZmMjBmYzFmNGIyZWMwYmM4MDNiZWZkYjRm
-    YTIzMDkyNjg0ODk1YzllNjJmNDMxMzdhMTUyZmQxZTYwMWIwNDVlYTJmNTQ0
-    ZWUyNzljYjM1NzMzOWFlOWVmOTU4NWE0N2ZhN2FhNTlkODU0N2E=
+  metadata.gz: fcd0f4c1ec713bda329e8a2cbfeb9d6897fe511c2f6cfaa9bd6bfb222c68d0a1eefdcf1997bafbce0462172dc7b0153337c58b9c42af0aa6ccaf8c1c16c76495
+  data.tar.gz: 4a15062bb74303d4845ff8b0d7128909c3b3bb45aeeae1dd18d5a23fae9fd7841c392adbf757f6a1d3825cfc86a960b3042df8e00505d314f74dde136a7c06cd

data/.rubocop.yml

@@ -26,7 +26,7 @@ NumericLiterals:
 Metrics/CyclomaticComplexity:
   Max: 10
 Metrics/PerceivedComplexity:
-  Max: 10
+  Max: 11
 Metrics/AbcSize:
   Max: 33
 Style/PercentLiteralDelimiters:

data/CHANGELOG.md

@@ -1,7 +1,34 @@
 # Change Log
 
-## [0.19.3](https://github.com/chef/inspec/tree/0.19.3) (2016-04-22)
-[Full Changelog](https://github.com/chef/inspec/compare/v0.19.2...0.19.3)
+## [0.20.0](https://github.com/chef/inspec/tree/0.20.0) (2016-04-29)
+[Full Changelog](https://github.com/chef/inspec/compare/v0.19.3...0.20.0)
+
+**Implemented enhancements:**
+
+- `where { field op value }` for filter table [\#684](https://github.com/chef/inspec/pull/684) ([arlimus](https://github.com/arlimus))
+- add `shell -c` for executing calls against the inspec api [\#683](https://github.com/chef/inspec/pull/683) ([arlimus](https://github.com/arlimus))
+- Add table-style filter utility [\#681](https://github.com/chef/inspec/pull/681) ([arlimus](https://github.com/arlimus))
+- added hpux user and package resource support [\#678](https://github.com/chef/inspec/pull/678) ([Anirudh-Gupta](https://github.com/Anirudh-Gupta))
+
+**Fixed bugs:**
+
+- Specifying an invalid target protocol should give a failure message [\#686](https://github.com/chef/inspec/issues/686)
+- update compliance plugin [\#695](https://github.com/chef/inspec/pull/695) ([chris-rock](https://github.com/chris-rock))
+- bugfix: restore pax\_global\_header fetcher filter [\#669](https://github.com/chef/inspec/pull/669) ([arlimus](https://github.com/arlimus))
+
+**Closed issues:**
+
+- How do I run an inspec profile in chef audit mode? [\#692](https://github.com/chef/inspec/issues/692)
+
+**Merged pull requests:**
+
+- update appveyor ruby to 2.2 + fix caching [\#697](https://github.com/chef/inspec/pull/697) ([arlimus](https://github.com/arlimus))
+- update to train's new file interface: symlink + uid + gid [\#694](https://github.com/chef/inspec/pull/694) ([arlimus](https://github.com/arlimus))
+- validate target backend [\#688](https://github.com/chef/inspec/pull/688) ([arlimus](https://github.com/arlimus))
+- Hpux [\#682](https://github.com/chef/inspec/pull/682) ([Anirudh-Gupta](https://github.com/Anirudh-Gupta))
+
+## [v0.19.3](https://github.com/chef/inspec/tree/v0.19.3) (2016-04-22)
+[Full Changelog](https://github.com/chef/inspec/compare/v0.19.2...v0.19.3)
 
 **Fixed bugs:**
 
@@ -9,6 +36,7 @@
 
 **Merged pull requests:**
 
+- Releasing inspec 0.19.3 [\#680](https://github.com/chef/inspec/pull/680) ([alexpop](https://github.com/alexpop))
 - v0.19.2 [\#675](https://github.com/chef/inspec/pull/675) ([arlimus](https://github.com/arlimus))
 
 ## [v0.19.2](https://github.com/chef/inspec/tree/v0.19.2) (2016-04-21)

data/inspec.gemspec

@@ -24,7 +24,7 @@ Gem::Specification.new do |spec|
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
   spec.require_paths = ['lib']
 
-  spec.add_dependency 'r-train', '~> 0.10.5'
+  spec.add_dependency 'r-train', '~> 0.11'
   spec.add_dependency 'thor', '~> 0.19'
   spec.add_dependency 'json', '~> 1.8'
   spec.add_dependency 'rainbow', '~> 2'

data/lib/bundles/inspec-compliance.rb

@@ -8,6 +8,7 @@ $LOAD_PATH.unshift(libdir) unless $LOAD_PATH.include?(libdir)
 module Compliance
   autoload :Configuration, 'inspec-compliance/configuration'
   autoload :HTTP, 'inspec-compliance/http'
+  autoload :Support, 'inspec-compliance/support'
   autoload :API, 'inspec-compliance/api'
 end
 

data/lib/bundles/inspec-compliance/.kitchen.yml

@@ -0,0 +1,21 @@
+---
+driver:
+  name: vagrant
+  synced_folders:
+    - ['../../../', '/inspec']
+  network:
+    - ['private_network', {ip: '192.168.251.2'}]
+
+provisioner:
+  name: shell
+
+verifier:
+  name: inspec
+  sudo: true
+
+platforms:
+  - name: ubuntu-14.04
+suites:
+  - name: default
+    run_list:
+    attributes:

data/lib/bundles/inspec-compliance/README.md

@@ -19,3 +19,27 @@ Compliance profiles can be executed in two mays:
 
 - via compliance exec: `inspec compliance exec profile`
 - via compliance scheme: `inspec exec compliance://profile`
+
+## Integration Tests
+
+At this point of time, InSpec is not able to pick up the token directly, therefore the integration test is semi-automatic at this point of time:
+
+ * run `kitchen converge`
+ * open https://192.168.251.2 and log in with user `admin` and password `admin`
+ * click on user->about and obtain the refresh token
+ * run `kitchen verify` with the required env variables:
+
+```
+COMPLIANCE_REFRESH_TOKEN=myrefreshtoken COMPLIANCE_ACCESS_TOKEN=mycompliancetoken b kitchen verify
+-----> Starting Kitchen (v1.7.3)
+-----> Verifying <default-ubuntu-1404>...
+       Search `/Users/chartmann/Development/compliance/inspec/lib/bundles/inspec-compliance/test/integration/default` for tests
+..................................
+
+Finished in 6.35 seconds (files took 0.40949 seconds to load)
+34 examples, 0 failures
+
+       Finished verifying <default-ubuntu-1404> (0m6.62s).
+-----> Kitchen is finished. (0m7.02s)
+zlib(finalizer): the stream was freed prematurely.
+```

data/lib/bundles/inspec-compliance/bootstrap.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+
+echo "Installing Chef Compliance $deb"
+# select latest package from cache directory
+# deb=$(find /inspec/.cache -name '*.deb' | tail -1)
+# sudo dpkg -i $deb
+
+# use chef compliance package repository
+sudo apt-get install -y apt-transport-https
+sudo apt-get install wget
+wget -qO - https://downloads.chef.io/packages-chef-io-public.key | sudo apt-key add -
+CHANNEL=${CHANNEL:-stable}
+DISTRIBUTION=$(lsb_release --codename | cut -f2)
+echo "found $DISTRIBUTION"
+echo "use $CHANNEL channel"
+echo "deb https://packages.chef.io/$CHANNEL-apt $DISTRIBUTION main" > /etc/apt/sources.list.d/chef-$CHANNEL.list
+sudo apt-get update
+sudo apt-get install chef-compliance
+
+sudo chef-compliance-ctl reconfigure --accept-license
+sudo chef-compliance-ctl restart
+
+# build master version of inspec
+sudo /opt/chef-compliance/embedded/bin/gem list inspec
+
+cd /inspec
+sudo /opt/chef-compliance/embedded/bin/gem build *.gemspec
+sudo /opt/chef-compliance/embedded/bin/gem install inspec*.gem
+sudo /opt/chef-compliance/embedded/bin/inspec version
+sudo /opt/chef-compliance/embedded/bin/gem list inspec
+
+# finalize setup
+cd /
+/opt/chef-compliance/embedded/service/core/bin/core setup --endpoint "http://127.0.0.1:10500/setup" --login "admin" --password "admin" --name "John Doe" --accept-eula
+
+# wget --no-check-certificate http://127.0.0.1/api/version
+# cat version

data/lib/bundles/inspec-compliance/cli.rb

@@ -23,9 +23,9 @@ module Compliance
       desc: 'Chef Compliance access token'
     option :refresh_token, type: :string, required: false,
       desc: 'Chef Compliance refresh token'
-    def login(server) # rubocop:disable Metrics/CyclomaticComplexity, Metrics/AbcSize, PerceivedComplexity
+    def login(server) # rubocop:disable Metrics/AbcSize, PerceivedComplexity
       # show warning if the Compliance Server does not support
-      if !Compliance::Configuration.new.supported?(:oidc) && (!options['token'].nil? || !options['refresh_token'].nil?)
+      if !Compliance::Configuration.new.supported?(:oidc)
         puts 'Your server supports --user and --password only'
       end
 

data/lib/bundles/inspec-compliance/support.rb

@@ -0,0 +1,36 @@
+# encoding: utf-8
+# author: Christoph Hartmann
+# author: Dominik Richter
+
+module Compliance
+  # is a helper that provides information which version of compliance supports
+  # which feature
+  class Support
+    # for a feature, returns either:
+    #  - a version v0:                      v supports v0       iff v0 <= v
+    #  - an array [v0, v1] of two versions: v supports [v0, v1] iff v0 <= v < v1
+    def self.version_with_support(feature)
+      case feature.to_sym
+      when :oidc # open id connect authentication
+        Gem::Version.new('0.16.19')
+      else
+        Gem::Version.new('0.0.0')
+      end
+    end
+
+    # determines if the given version support a certain feature
+    def self.supported?(feature, version)
+      sup = version_with_support(feature)
+
+      if sup.is_a?(Array)
+        Gem::Version.new(version) >= sup[0] &&
+          Gem::Version.new(version) < sup[1]
+      else
+        Gem::Version.new(version) >= sup
+      end
+    end
+
+    # we do not know the version, therefore we do not know if its possible to use the feature
+    # return if self['version'].nil? || self['version']['version'].nil?
+  end
+end

data/lib/bundles/inspec-compliance/target.rb

@@ -14,7 +14,7 @@ module Compliance
     name 'compliance'
     priority 500
 
-    def self.resolve(target, opts = {})
+    def self.resolve(target, _opts = {})
       # check for local scheme compliance://
       uri = URI(target)
       return nil unless URI(uri).scheme == 'compliance'
@@ -25,10 +25,8 @@ module Compliance
 
       # verifies that the target e.g base/ssh exists
       profile = uri.host + uri.path
-      Compliance::API.exist?(profile)
-
-      opts['user'] = config['token']
-      super(target_url(config, profile), opts)
+      Compliance::API.exist?(config, profile)
+      super(target_url(config, profile), config)
     rescue URI::Error => _e
       nil
     end

data/lib/bundles/inspec-compliance/test/integration/default/cli.rb

@@ -0,0 +1,56 @@
+# encoding: utf-8
+
+# options
+inspec_bin = '/opt/chef-compliance/embedded/bin/inspec'
+api_url = 'https://0.0.0.0'
+profile = '/inspec/examples/profile'
+
+# TODO: determine tokens automatically, define in kitchen yml
+access_token = ENV['COMPLIANCE_ACCESS_TOKEN']
+refresh_token = ENV['COMPLIANCE_REFRESH_TOKEN']
+
+%w{refresh_token access_token}.each do |type|
+  case type
+  when 'access_token'
+    token_options = "--token '#{access_token}'"
+  when 'refresh_token'
+    token_options = "--refresh_token '#{refresh_token}'"
+  end
+
+  # verifies that the help command works
+  describe command("#{inspec_bin} compliance help") do
+    its('stdout') { should include 'inspec compliance help [COMMAND]' }
+    its('stderr') { should eq '' }
+    its('exit_status') { should eq 0 }
+  end
+
+  # login via access token token
+  describe command("#{inspec_bin} compliance login #{api_url} --insecure --user admin #{token_options}") do
+    its('stdout') { should include 'Successfully authenticated' }
+    its('stderr') { should eq '' }
+    its('exit_status') { should eq 0 }
+  end
+
+  # see available resources
+  describe command("#{inspec_bin} compliance profiles") do
+    its('stdout') { should include 'base/ssh' }
+    its('stderr') { should eq '' }
+    its('exit_status') { should eq 0 }
+  end
+
+  # upload a compliance profile
+  describe command("#{inspec_bin} compliance upload #{profile} --overwrite") do
+    its('stdout') { should include 'Profile is valid' }
+    its('stdout') { should include 'Successfully uploaded profile' }
+    its('stdout') { should_not include 'error(s)' }
+    its('stderr') { should eq '' }
+    its('exit_status') { should eq 0 }
+  end
+
+  # logout
+  describe command("#{inspec_bin} compliance logout") do
+    its('stdout') { should include 'Successfully logged out' }
+    its('stderr') { should eq '' }
+    its('exit_status') { should eq 0 }
+  end
+end

data/lib/fetchers/url.rb

@@ -65,10 +65,15 @@ module Fetchers
 
     # download url into archive using opts,
     # returns File object and content-type from HTTP headers
-    def self.download_archive(url, opts)
+    def self.download_archive(url, opts = {})
+      http_opts = {}
+      # http_opts['http_basic_authentication'] = [opts['user'] || '', opts['password'] || ''] if opts['user']
+      http_opts['ssl_verify_mode'.to_sym] = OpenSSL::SSL::VERIFY_NONE if opts['insecure']
+      http_opts['Authorization'] = "Bearer #{opts['token']}" if opts['token']
+
       remote = open(
         url,
-        http_basic_authentication: [opts['user'] || '', opts['password'] || ''],
+        http_opts,
       )
 
       content_type = remote.meta['content-type']

data/lib/inspec/backend.rb

@@ -14,7 +14,7 @@ module Inspec
     # @return [TransportBackend] enriched transport instance
     def self.create(config)
       conf = Train.target_config(config)
-      name = conf[:backend] || :local
+      name = Train.validate_backend(conf)
       transport = Train.create(name, conf)
       if transport.nil?
         fail "Can't find transport backend '#{name}'."

data/lib/inspec/cli.rb

@@ -116,21 +116,13 @@ class Inspec::InspecCLI < Inspec::BaseCLI # rubocop:disable Metrics/ClassLength
   desc 'detect', 'detect the target OS'
   target_options
   def detect
-    diagnose
-
-    rel = File.join(File.dirname(__FILE__), *%w{.. utils detect.rb})
-    detect_util = File.expand_path(rel)
-    # exits on execution:
-    runner = Inspec::Runner.new(opts)
-    profile = Inspec::Profile.for_target(detect_util, opts)
-    runner.add_profile(profile)
-    exit runner.run
-  rescue RuntimeError => e
-    puts e.message
+    options_json[:command] = 'os.params'
+    shell_func
   end
 
   desc 'shell', 'open an interactive debugging shell'
   target_options
+  option :command, aliases: :c
   option :format, type: :string, default: Inspec::NoSummaryFormatter, hide: true
   def shell_func
     diagnose
@@ -138,8 +130,16 @@ class Inspec::InspecCLI < Inspec::BaseCLI # rubocop:disable Metrics/ClassLength
     o[:logger] = Logger.new(STDOUT)
     o[:logger].level = get_log_level(o.log_level)
 
-    runner = Inspec::Runner.new(o)
-    Inspec::Shell.new(runner).start
+    if o[:command].nil?
+      runner = Inspec::Runner.new(o)
+      return Inspec::Shell.new(runner).start
+    else
+      opts[:test_collector] = 'mock'
+      runner = Inspec::Runner.new(opts)
+      res = runner.create_context.load(o[:command])
+      jres = res.respond_to?(:to_json) ? res.to_json : JSON.dump(res)
+      puts jres
+    end
   rescue RuntimeError => e
     puts e.message
   end

data/lib/inspec/plugins/fetcher.rb

@@ -34,6 +34,7 @@ module Inspec
     end
 
     BLACKLIST_FILES = [
+      '/pax_global_header',
       'pax_global_header',
     ].freeze
 

data/lib/inspec/version.rb

@@ -3,5 +3,5 @@
 # author: Christoph Hartmann
 
 module Inspec
-  VERSION = '0.19.3'.freeze
+  VERSION = '0.20.0'.freeze
 end

data/lib/resources/file.rb

@@ -22,17 +22,17 @@ module Inspec::Resources
     "
     include MountParser
 
-    attr_reader :file, :path, :mount_options
+    attr_reader :file, :mount_options
     def initialize(path)
-      @path = path
-      @file = inspec.backend.file(@path)
+      @file = inspec.backend.file(path)
     end
 
     %w{
       type exist? file? block_device? character_device? socket? directory?
-      symlink? pipe? mode mode? owner owned_by? group grouped_into? link_target
+      symlink? pipe? mode mode? owner owned_by? group grouped_into?
       link_path linked_to? mtime size selinux_label immutable?
       product_version file_version version? md5sum sha256sum
+      path source source_path uid gid
     }.each do |m|
       define_method m.to_sym do |*args|
         file.method(m.to_sym).call(*args)
@@ -74,7 +74,7 @@ module Inspec::Resources
       return file.mounted? if expected_options.nil?
 
       # deprecation warning, this functionality will be removed in future version
-      warn "[DEPRECATION] `be_mounted.with and be_mounted.only_with` are deprecated.  Please use `mount('#{path}')` instead."
+      warn "[DEPRECATION] `be_mounted.with and be_mounted.only_with` are deprecated.  Please use `mount('#{source_path}')` instead."
 
       # we cannot read mount data on non-Linux systems
       return nil if !inspec.os.linux?
@@ -91,22 +91,8 @@ module Inspec::Resources
       end
     end
 
-    # TODO: This is temporary and must be moved to train
-    def uid
-      res = inspec.command('stat '+Shellwords.escape(@path)+' -c %u')
-      return nil if res.exit_status != 0 || res.stdout.empty?
-      res.stdout.to_i
-    end
-
-    # TODO: This is temporary and must be moved to train
-    def gid
-      res = inspec.command('stat '+Shellwords.escape(@path)+' -c %u')
-      return nil if res.exit_status != 0 || res.stdout.empty?
-      res.stdout.to_i
-    end
-
     def to_s
-      "File #{path}"
+      "File #{source_path}"
     end
 
     private
@@ -133,11 +119,13 @@ module Inspec::Resources
 
     def check_file_permission_by_user(user, flag)
       if inspec.os.linux?
-        perm_cmd = "su -s /bin/sh -c \"test -#{flag} #{path}\" #{user}"
+        perm_cmd = "su -s /bin/sh -c \"test -#{flag} #{source_path}\" #{user}"
       elsif inspec.os.bsd? || inspec.os.solaris?
-        perm_cmd = "sudo -u #{user} test -#{flag} #{path}"
+        perm_cmd = "sudo -u #{user} test -#{flag} #{source_path}"
       elsif inspec.os.aix?
-        perm_cmd = "su #{user} -c test -#{flag} #{path}"
+        perm_cmd = "su #{user} -c test -#{flag} #{source_path}"
+      elsif inspec.os.hpux?
+        perm_cmd = "su #{user} -c \"test -#{flag} #{source_path}\""
       else
         return skip_resource 'The `file` resource does not support `by_user` on your OS.'
       end