inspec 0.20.1 → 0.21.0

data/lib/inspec/rule.rb

@@ -12,8 +12,7 @@ module Inspec
   class Rule # rubocop:disable Metrics/ClassLength
     include ::RSpec::Matchers
 
-    def initialize(id, _opts, &block)
-      @id = id
+    def initialize(id, profile_id, _opts, &block)
       @impact = nil
       @title = nil
       @desc = nil
@@ -24,7 +23,8 @@ module Inspec
       @__block = block
       @__code = __get_block_source(&block)
       @__source_location = __get_block_source_location(&block)
-      @__rule_id = nil
+      @__rule_id = id
+      @__profile_id = profile_id
       @__checks = []
       @__skip_rule = nil
 
@@ -119,6 +119,10 @@ module Inspec
       rule.instance_variable_set(:@__rule_id, value)
     end
 
+    def self.profile_id(rule)
+      rule.instance_variable_get(:@__profile_id)
+    end
+
     def self.checks(rule)
       rule.instance_variable_get(:@__checks)
     end
@@ -167,32 +171,6 @@ module Inspec
       set_skip_rule(dst, sr) unless sr.nil?
     end
 
-    # Get the full id consisting of profile id + rule id
-    # for the rule. If the rule's profile id is empty,
-    # the given profile_id will be used instead and also
-    # set for the rule.
-    def self.full_id(profile_id, rule)
-      if rule.is_a?(String) or rule.nil?
-        rid = rule
-      else
-        # As the profile context is exclusively pulled with a
-        # profile ID, attach it to the rule if necessary.
-        rid = rule.instance_variable_get(:@id)
-        if rid.nil?
-          # TODO: Message about skipping this rule
-          # due to missing ID
-          return nil
-        end
-      end
-      pid = rule_id(rule)
-      pid = set_rule_id(rule, profile_id) if pid.nil?
-
-      # if we don't have a profile id, just return the rule's ID
-      return rid if pid.nil? or pid.empty?
-      # otherwise combine them
-      "#{pid}/#{rid}"
-    end
-
     private
 
     def __add_check(describe_or_expect, values, block)

data/lib/inspec/runner.rb

@@ -18,7 +18,6 @@ module Inspec
     attr_reader :backend, :rules
     def initialize(conf = {})
       @rules = {}
-      @profile_id = conf[:id]
       @conf = conf.dup
       @conf[:logger] ||= Logger.new(nil)
 
@@ -74,6 +73,7 @@ module Inspec
 
       @test_collector.add_profile(profile)
       options[:metadata] = profile.metadata
+      options[:profile] = profile
 
       libs = profile.libraries.map do |k, v|
         { ref: k, content: v }
@@ -88,7 +88,10 @@ module Inspec
     end
 
     def create_context(options = {})
-      Inspec::ProfileContext.new(@profile_id, @backend, @conf.merge(options))
+      meta = options['metadata']
+      profile_id = nil
+      profile_id = meta.params[:name] unless meta.nil?
+      Inspec::ProfileContext.new(profile_id, @backend, @conf.merge(options))
     end
 
     def add_content(tests, libs, options = {})
@@ -101,6 +104,11 @@ module Inspec
         ctx.reload_dsl
       end
 
+      # hand the context to the profile for further evaluation
+      unless (profile = options['profile']).nil?
+        profile.runner_context = ctx
+      end
+
       # evaluate the test content
       tests = [tests] unless tests.is_a? Array
       tests.each { |t| add_test_to_context(t, ctx) }
@@ -124,7 +132,10 @@ module Inspec
 
     def filter_controls(controls_map, include_list)
       return controls_map if include_list.nil? || include_list.empty?
-      controls_map.select { |k, _| include_list.include?(k) }
+      controls_map.select do |_, c|
+        id = ::Inspec::Rule.rule_id(c)
+        include_list.include?(id)
+      end
     end
 
     def block_source_info(block)
@@ -186,7 +197,7 @@ module Inspec
         # scope.
         dsl = Inspec::Resource.create_dsl(backend)
         example.send(:include, dsl)
-        @test_collector.add_test(example, rule_id, rule)
+        @test_collector.add_test(example, rule)
       end
     end
   end

data/lib/inspec/runner_mock.rb

@@ -14,7 +14,7 @@ module Inspec
       @profiles.push(profile)
     end
 
-    def add_test(example, _rule_id, _rule)
+    def add_test(example, _rule)
       @tests.push(example)
     end
 

data/lib/inspec/runner_rspec.rb

@@ -7,10 +7,8 @@ require 'rspec/its'
 require 'inspec/rspec_json_formatter'
 
 # There be dragons!! Or borgs, or something...
-# This file and all its contents cannot yet be tested. Once it is included
-# in our unit test suite, it deactivates all other checks completely.
-# To circumvent this, we need functional tests which tackle the RSpec runner
-# or a separate suite of unit tests to which get along with this.
+# This file and all its contents cannot be unit-tested. both test-suits
+# collide and disable all unit tests that have been added.
 
 module Inspec
   class RunnerRspec
@@ -35,7 +33,7 @@ module Inspec
     # @return [nil]
     def add_profile(profile)
       RSpec.configuration.formatters
-           .find_all { |c| c.is_a? InspecRspecFormatter }
+           .find_all { |c| c.is_a? InspecRspecJson }
            .each do |fmt|
         fmt.add_profile(profile)
       end
@@ -46,8 +44,8 @@ module Inspec
     # @param [RSpecExampleGroup] example test
     # @param [String] rule_id the ID associated with this check
     # @return [nil]
-    def add_test(example, rule_id, rule)
-      set_rspec_ids(example, rule_id, rule)
+    def add_test(example, rule)
+      set_rspec_ids(example, rule)
       @tests.example_groups.push(example)
     end
 
@@ -83,6 +81,12 @@ module Inspec
       RSpec.configuration.reset
     end
 
+    FORMATTERS = {
+      'json-min' => 'InspecRspecMiniJson',
+      'json' => 'InspecRspecJson',
+      'json-rspec' => 'InspecRspecVanilla',
+    }.freeze
+
     # Configure the output formatter and stream to be used with RSpec.
     #
     # @return [nil]
@@ -93,8 +97,7 @@ module Inspec
         RSpec.configuration.output_stream = @conf['output']
       end
 
-      format = @conf['format'] || 'progress'
-      format = 'InspecRspecFormatter' if format == 'fulljson'
+      format = FORMATTERS[@conf['format']] || @conf['format'] || 'progress'
       RSpec.configuration.add_formatter(format)
       RSpec.configuration.color = @conf['color']
 
@@ -111,27 +114,26 @@ module Inspec
     # by the InSpec adjusted json formatter (rspec_json_formatter).
     #
     # @param [RSpecExampleGroup] example object which contains a check
-    # @param [Type] id describe id
     # @return [Type] description of returned object
-    def set_rspec_ids(example, id, rule)
-      example.metadata[:id] = id
-      example.metadata[:impact] = rule.impact
-      example.metadata[:title] = rule.title
-      example.metadata[:desc] = rule.desc
-      example.metadata[:code] = rule.instance_variable_get(:@__code)
-      example.metadata[:source_location] = rule.instance_variable_get(:@__source_location)
+    def set_rspec_ids(example, rule)
+      assign_rspec_ids(example.metadata, rule)
       example.filtered_examples.each do |e|
-        e.metadata[:id] = id
-        e.metadata[:impact] = rule.impact
-        e.metadata[:title] = rule.title
-        e.metadata[:desc] = rule.desc
-        e.metadata[:code] = rule.instance_variable_get(:@__code)
-        e.metadata[:source_location] = rule.instance_variable_get(:@__source_location)
+        assign_rspec_ids(e.metadata, rule)
       end
       example.children.each do |child|
-        set_rspec_ids(child, id, rule)
+        set_rspec_ids(child, rule)
       end
     end
+
+    def assign_rspec_ids(metadata, rule)
+      metadata[:id] = ::Inspec::Rule.rule_id(rule)
+      metadata[:profile_id] = ::Inspec::Rule.profile_id(rule)
+      metadata[:impact] = rule.impact
+      metadata[:title] = rule.title
+      metadata[:desc] = rule.desc
+      metadata[:code] = rule.instance_variable_get(:@__code)
+      metadata[:source_location] = rule.instance_variable_get(:@__source_location)
+    end
   end
 
   class RSpecReporter < RSpec::Core::Formatters::JsonFormatter

data/lib/inspec/version.rb

@@ -3,5 +3,5 @@
 # author: Christoph Hartmann
 
 module Inspec
-  VERSION = '0.20.1'.freeze
+  VERSION = '0.21.0'.freeze
 end

data/lib/matchers/matchers.rb

@@ -106,7 +106,7 @@ RSpec::Matchers.define :be_installed do
   end
 
   chain :with_version do |version|
-    warn "[DEPRECATION] `with_version` is deprecated.  Please use `its(:version) { should eq '1.4.1' }` instead."
+    warn "[DEPRECATION] `with_version` is deprecated.  Please use `its('version') { should eq '1.4.1' }` instead."
     @version = version
   end
 end
@@ -146,7 +146,7 @@ end
 # Deprecated: You should not use this matcher anymore
 RSpec::Matchers.define :belong_to_group do |compare_group|
   match do |user|
-    warn "[DEPRECATION] `belong_to_group` is deprecated.  Please use `its(:groups) { should include('root') }` instead."
+    warn "[DEPRECATION] `belong_to_group` is deprecated.  Please use `its('groups') { should include('root') }` instead."
     user.groups.include?(compare_group)
   end
 
@@ -159,7 +159,7 @@ end
 # Deprecated: You should not use this matcher anymore
 RSpec::Matchers.define :belong_to_primary_group do |compare_group|
   match do |user|
-    warn "[DEPRECATION] `belong_to_primary_group` is deprecated.  Please use `its(:group) { should eq 'root' }` instead."
+    warn "[DEPRECATION] `belong_to_primary_group` is deprecated.  Please use `its('group') { should eq 'root' }` instead."
     user.group == compare_group
   end
 

data/lib/resources/auditd_rules.rb

@@ -67,11 +67,11 @@ module Inspec::Resources
       end
 
       describe auditd_rules.key('sshd_config') do
-        its(:permissions) { should contain_match(/x/) }
+        its('permissions') { should contain_match(/x/) }
       end
 
       describe auditd_rules do
-        its(:lines) { should contain_match(%r{-w /etc/ssh/sshd_config/}) }
+        its('lines') { should contain_match(%r{-w /etc/ssh/sshd_config/}) }
       end
     "
 

data/lib/resources/host.rb

@@ -6,7 +6,7 @@
 # describe host('example.com') do
 #   it { should be_resolvable }
 #   it { should be_reachable }
-#   its(:ipaddress) { should include '93.184.216.34' }
+#   its('ipaddress') { should include '93.184.216.34' }
 # end
 #
 # To verify a hostname with protocol and port

data/lib/resources/interface.rb

@@ -12,7 +12,7 @@ module Inspec::Resources
       describe interface('eth0') do
         it { should exist }
         it { should be_up }
-        its(:speed) { should eq 1000 }
+        its('speed') { should eq 1000 }
       end
     "
     def initialize(iface)

data/lib/resources/kernel_parameter.rb

@@ -8,7 +8,7 @@ module Inspec::Resources
     desc 'Use the kernel_parameter InSpec audit resource to test kernel parameters on Linux platforms.'
     example "
       describe kernel_parameter('net.ipv4.conf.all.forwarding') do
-        its(:value) { should eq 0 }
+        its('value') { should eq 0 }
       end
     "
 

data/lib/resources/mount.rb

@@ -11,10 +11,11 @@ module Inspec::Resources
     example "
       describe mount('/') do
         it { should be_mounted }
-        its(:count) { should eq 1 }
+        its('count') { should eq 1 }
         its('device') { should eq  '/dev/mapper/VolGroup-lv_root' }
         its('type') { should eq  'ext4' }
         its('options') { should eq ['rw', 'mode=620'] }
+        its('options') { should include 'nodev' }
       end
     "
     include MountParser

data/lib/resources/mysql_session.rb

@@ -11,7 +11,7 @@ module Inspec::Resources
     example "
       sql = mysql_session('my_user','password')
       describe sql.query('show databases like \'test\';') do
-        its(:stdout) { should_not match(/test/) }
+        its('stdout') { should_not match(/test/) }
       end
     "
 

data/lib/resources/os_env.rb

@@ -7,8 +7,8 @@
 # Usage:
 #
 # describe os_env('PATH') do
-#   its(:split) { should_not include('') }
-#   its(:split) { should_not include('.') }
+#   its('split') { should_not include('') }
+#   its('split') { should_not include('.') }
 # end
 
 require 'utils/simpleconfig'

data/lib/resources/passwd.rb

@@ -14,9 +14,10 @@
 # - command
 
 require 'utils/parser'
+require 'utils/filter'
 
 module Inspec::Resources
-  class Passwd < Inspec.resource(1) # rubocop:disable Metrics/ClassLength
+  class Passwd < Inspec.resource(1)
     name 'passwd'
     desc 'Use the passwd InSpec audit resource to test the contents of /etc/passwd, which contains the following information for users that may log into the system and/or as users that own running processes.'
     example "
@@ -37,7 +38,6 @@ module Inspec::Resources
 
     include PasswdParser
 
-    attr_reader :uid
     attr_reader :params
     attr_reader :content
     attr_reader :lines
@@ -47,111 +47,51 @@ module Inspec::Resources
       @path = path || '/etc/passwd'
       @content = opts[:content] || inspec.file(@path).content
       @lines = @content.to_s.split("\n")
-      @filters = opts[:filters] || ''
       @params = parse_passwd(@content)
     end
 
-    def filter(hm = {})
-      return self if hm.nil? || hm.empty?
-      res = @params
-      filters = ''
-      hm.each do |attr, condition|
-        res, filters = filter_attribute(attr, condition, res, filters)
-      end
-      content = res.map { |x| x.values.join(':') }.join("\n")
-      Passwd.new(@path, content: content, filters: @filters + filters)
-    end
+    filter = FilterTable.create
+    filter.add_accessor(:where)
+          .add_accessor(:entries)
+          .add(:users,     field: 'user')
+          .add(:passwords, field: 'password')
+          .add(:uids,      field: 'uid')
+          .add(:gids,      field: 'gid')
+          .add(:descs,     field: 'desc')
+          .add(:homes,     field: 'home')
+          .add(:shells,    field: 'shell')
 
-    def usernames
+    filter.add(:count) { |t, _|
+      warn '[DEPRECATION] `passwd.count` is deprecated. Please use `passwd.entries.length` instead. It will be removed in version 1.0.0.'
+      t.entries.length
+    }
+
+    filter.add(:usernames) { |t, x|
       warn '[DEPRECATION] `passwd.usernames` is deprecated. Please use `passwd.users` instead. It will be removed in version 1.0.0.'
-      users
-    end
+      t.users(x)
+    }
 
-    def username
-      warn '[DEPRECATION] `passwd.user` is deprecated. Please use `passwd.users` instead. It will be removed in version 1.0.0.'
-      users[0]
-    end
+    filter.add(:username) { |t, x|
+      warn '[DEPRECATION] `passwd.username` is deprecated. Please use `passwd.users` instead. It will be removed in version 1.0.0.'
+      t.users(x)[0]
+    }
+
+    # rebuild the passwd line from raw content
+    filter.add(:content) { |t, _|
+      t.entries.map do |e|
+        [e.user, e.password, e.uid, e.gid, e.desc, e.home, e.shell].join(':')
+      end.join("\n")
+    }
 
     def uid(x)
       warn '[DEPRECATION] `passwd.uid(arg)` is deprecated. Please use `passwd.uids(arg)` instead. It will be removed in version 1.0.0.'
       uids(x)
     end
 
-    def users(name = nil)
-      name.nil? ? map_data('user') : filter(user: name)
-    end
-
-    def passwords(password = nil)
-      password.nil? ? map_data('password') : filter(password: password)
-    end
-
-    def uids(uid = nil)
-      uid.nil? ? map_data('uid') : filter(uid: uid)
-    end
-
-    def gids(gid = nil)
-      gid.nil? ? map_data('gid') : filter(gid: gid)
-    end
-
-    def homes(home = nil)
-      home.nil? ? map_data('home') : filter(home: home)
-    end
-
-    def shells(shell = nil)
-      shell.nil? ? map_data('shell') : filter(shell: shell)
-    end
+    filter.connect(self, :params)
 
     def to_s
-      f = @filters.empty? ? '' : ' with'+@filters
-      "/etc/passwd#{f}"
-    end
-
-    def count
-      @params.length
-    end
-
-    private
-
-    def map_data(id)
-      @params.map { |x| x[id] }
-    end
-
-    def filter_res_line(item, matcher, condition, positive)
-      # TODO: REWORK ALL OF THESE, please don't depend on them except for simple equality!
-      case matcher
-      when '<'
-        item.to_i < condition
-      when '<='
-        item.to_i <= condition
-      when '>'
-        item.to_i > condition
-      when '>='
-        item.to_i >= condition
-      else
-        condition = condition.to_s if condition.is_a? Integer
-        case item
-        when condition
-          positive
-        else
-          !positive
-        end
-      end
-    end
-
-    def filter_attribute(attr, condition, res, filters)
-      matcher = '=='
-      positive = true
-      if condition.is_a?(Hash) && condition.length == 1
-        matcher = condition.keys[0].to_s
-        condition = condition.values[0]
-      end
-      positive = false if matcher == '!='
-
-      a = res.find_all do |line|
-        filter_res_line(line[attr.to_s], matcher, condition, positive)
-      end
-      b = filters + " #{attr} #{matcher} #{condition.inspect}"
-      [a, b]
+      '/etc/passwd'
     end
   end
 end