inspec 0.20.1 → 0.21.0

data/lib/resources/port.rb

@@ -3,7 +3,6 @@
 # author: Dominik Richter
 
 require 'utils/parser'
-
 # Usage:
 # describe port(80) do
 #   it { should be_listening }
@@ -47,6 +46,8 @@ module Inspec::Resources
         @port_manager = FreeBsdPorts.new(inspec)
       elsif os.solaris?
         @port_manager = SolarisPorts.new(inspec)
+      elsif os.hpux?
+        @port_manager = HpuxPorts.new(inspec)
       else
         return skip_resource 'The `port` resource is not supported on your OS yet.'
       end
@@ -292,7 +293,6 @@ module Inspec::Resources
       # parse each line
       # 1 - Proto, 2 - Recv-Q, 3 - Send-Q, 4 - Local Address, 5 - Foreign Address, 6 - State, 7 - Inode, 8 - PID/Program name
       parsed = /^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)?\s+(\S+)\s+(\S+)\s+(\S+)/.match(line)
-
       return {} if parsed.nil? || line.match(/^proto/i)
 
       # parse ip4 and ip6 addresses
@@ -408,7 +408,7 @@ module Inspec::Resources
       # parse the content
       netstat_ports = parse_netstat(cmd.stdout)
 
-      # filter all ports, where we listen
+      # filter all ports, where we `listen`
       listen = netstat_ports.select { |val|
         !val['state'].nil? && 'listen'.casecmp(val['state']) == 0
       }
@@ -433,4 +433,48 @@ module Inspec::Resources
       ports
     end
   end
+
+  # extracts information from netstat for hpux
+  class HpuxPorts < FreeBsdPorts
+    def info
+      ## Can't use 'netstat -an -f inet -f inet6' as the latter -f option overrides the former one and return only inet ports
+      cmd1 = inspec.command('netstat -an -f inet')
+      return nil if cmd1.exit_status.to_i != 0
+      cmd2 = inspec.command('netstat -an -f inet6')
+      return nil if cmd2.exit_status.to_i != 0
+      cmd = cmd1.stdout + cmd2.stdout
+      ports = []
+      # parse all lines
+      cmd.each_line do |line|
+        port_info = parse_netstat_line(line)
+        next unless %w{tcp tcp6 udp udp6}.include?(port_info[:protocol])
+        ports.push(port_info)
+      end
+      # select all ports, where we `listen`
+      ports.select { |val| val if 'listen'.casecmp(val[:state]) == 0 }
+    end
+
+    def parse_netstat_line(line)
+      # parse each line
+      # 1 - Proto, 2 - Recv-Q, 3 - Send-Q, 4 - Local Address, 5 - Foreign Address, 6 - (state)
+      parsed = /^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)?/.match(line)
+
+      return {} if parsed.nil? || line.match(/^proto/i) || line.match(/^active/i)
+      protocol = parsed[1].downcase
+      state = parsed[6].nil?? ' ' : parsed[6].downcase
+      local_addr = parsed[4]
+      local_addr[local_addr.rindex('.')] = ':'
+      # extract host and port information
+      host, port = parse_net_address(local_addr, protocol)
+      # map data
+      {
+        port: port,
+        address: host,
+        protocol: protocol,
+        state: state,
+        process: nil,
+        pid: nil,
+      }
+    end
+  end
 end

data/lib/resources/processes.rb

@@ -58,11 +58,11 @@ module Inspec::Resources
       lines.map do |m|
         {
           user: m[1],
-          pid: m[2],
+          pid: m[2].to_i,
           cpu: m[3],
           mem: m[4],
-          vsz: m[5],
-          rss: m[6],
+          vsz: m[5].to_i,
+          rss: m[6].to_i,
           tty: m[7],
           stat: m[8],
           start: m[9],

data/lib/resources/service.rb

@@ -3,6 +3,7 @@
 # author: Dominik Richter
 # author: Stephan Renatus
 # license: All rights reserved
+require 'hashie'
 
 module Inspec::Resources
   class Runlevels < Hash
@@ -67,7 +68,7 @@ module Inspec::Resources
   # Ubuntu < 15.04 : upstart
   #
   # TODO: extend the logic to detect the running init system, independently of OS
-  class Service < Inspec.resource(1)
+  class Service < Inspec.resource(1) # rubocop:disable ClassLength
     name 'service'
     desc 'Use the service InSpec audit resource to test if the named service is installed, running and/or enabled.'
     example "
@@ -75,11 +76,16 @@ module Inspec::Resources
         it { should be_installed }
         it { should be_enabled }
         it { should be_running }
+        its('type') { should be 'systemd' }
       end
 
       describe service('service_name').runlevels(3, 5) do
         it { should be_enabled }
       end
+
+      describe service('service_name').params do
+        its('UnitFileState') { should eq 'enabled' }
+      end
     "
 
     attr_reader :service_ctl
@@ -163,6 +169,11 @@ module Inspec::Resources
       info[:enabled]
     end
 
+    def params
+      return {} if info.nil?
+      Hashie::Mash.new(info[:params] || {})
+    end
+
     # verifies the service is registered
     def installed?(_name = nil, _version = nil)
       return false if info.nil?
@@ -181,9 +192,29 @@ module Inspec::Resources
       Runlevels.from_hash(self, info[:runlevels], args)
     end
 
+    # returns the service type from info
+    def type
+      return nil if info.nil?
+      info[:type]
+    end
+
+    # returns the service name from info
+    def name
+      return @service_name if info.nil?
+      info[:name]
+    end
+
+    # returns the service description from info
+    def description
+      return nil if info.nil?
+      info[:description]
+    end
+
     def to_s
       "Service #{@service_name}"
     end
+
+    private :info
   end
 
   class ServiceManager
@@ -229,6 +260,7 @@ module Inspec::Resources
         running: running,
         enabled: enabled,
         type: 'systemd',
+        params: params,
       }
     end
   end

data/lib/resources/user.rb

@@ -6,15 +6,15 @@
 #
 # describe user('root') do
 #   it { should exist }
-#   its(:uid) { should eq 0 }
-#   its(:gid) { should eq 0 }
-#   its(:group) { should eq 'root' }
-#   its(:groups) { should eq ['root', 'wheel']}
-#   its(:home) { should eq '/root' }
-#   its(:shell) { should eq '/bin/bash' }
-#   its(:mindays) { should eq 0 }
-#   its(:maxdays) { should eq 99 }
-#   its(:warndays) { should eq 5 }
+#   its('uid') { should eq 0 }
+#   its('gid') { should eq 0 }
+#   its('group') { should eq 'root' }
+#   its('groups') { should eq ['root', 'wheel']}
+#   its('home') { should eq '/root' }
+#   its('shell') { should eq '/bin/bash' }
+#   its('mindays') { should eq 0 }
+#   its('maxdays') { should eq 99 }
+#   its('warndays') { should eq 5 }
 # end
 #
 # The following  Serverspec  matchers are deprecated in favor for direct value access
@@ -24,8 +24,8 @@
 #   it { should have_uid 0 }
 #   it { should have_home_directory '/root' }
 #   it { should have_login_shell '/bin/bash' }
-#   its(:minimum_days_between_password_change) { should eq 0 }
-#   its(:maximum_days_between_password_change) { should eq 99 }
+#   its('minimum_days_between_password_change') { should eq 0 }
+#   its('maximum_days_between_password_change') { should eq 99 }
 # end
 
 # ServerSpec tests that are not supported:
@@ -119,13 +119,13 @@ module Inspec::Resources
 
     # implement 'mindays' method to be compatible with serverspec
     def minimum_days_between_password_change
-      deprecated('minimum_days_between_password_change', "Please use 'its(:mindays)'")
+      deprecated('minimum_days_between_password_change', "Please use: its('mindays')")
       mindays
     end
 
     # implement 'maxdays' method to be compatible with serverspec
     def maximum_days_between_password_change
-      deprecated('maximum_days_between_password_change', "Please use 'its(:maxdays)'")
+      deprecated('maximum_days_between_password_change', "Please use: its('maxdays')")
       maxdays
     end
 
@@ -137,12 +137,12 @@ module Inspec::Resources
     end
 
     def has_home_directory?(compare_home)
-      deprecated('has_home_directory?', "Please use 'its(:home)'")
+      deprecated('has_home_directory?', "Please use: its('home')")
       home == compare_home
     end
 
     def has_login_shell?(compare_shell)
-      deprecated('has_login_shell?', "Please use 'its(:shell)'")
+      deprecated('has_login_shell?', "Please use: its('shell')")
       shell == compare_shell
     end
 

data/lib/utils/base_cli.rb

@@ -45,8 +45,6 @@ module Inspec
     end
 
     def self.exec_options
-      option :id, type: :string,
-        desc: 'Attach a profile ID to all test results'
       target_options
       profile_options
       option :controls, type: :array,
@@ -68,7 +66,7 @@ module Inspec
       runner = Inspec::Runner.new(o)
       targets.each { |target| runner.add_target(target, opts) }
       exit runner.run
-    rescue RuntimeError => e
+    rescue RuntimeError, Train::UserError => e
       $stderr.puts e.message
       exit 1
     end

data/lib/utils/filter.rb

@@ -95,15 +95,38 @@ module FilterTable
 
     private
 
+    def matches_float(x, y)
+      return false if x.nil?
+      return false if !x.is_a?(Float) && (x =~ /\A[-+]?(\d+\.?\d*|\.\d+)\z/).nil?
+      x.to_f == y
+    end
+
+    def matches_int(x, y)
+      return false if x.nil?
+      return false if !x.is_a?(Integer) && (x =~ /\A[-+]?\d+\z/).nil?
+      x.to_i == y
+    end
+
+    def matches_regex(x, y)
+      return x == y if x.is_a?(Regexp)
+      !x.to_s.match(y).nil?
+    end
+
+    def matches(x, y)
+      x === y # rubocop:disable Style/CaseEquality
+    end
+
     def filter_lines(table, field, condition)
+      m = case condition
+          when Float   then method(:matches_float)
+          when Integer then method(:matches_int)
+          when Regexp  then method(:matches_regex)
+          else              method(:matches)
+          end
+
       table.find_all do |line|
         next unless line.key?(field)
-        case line[field]
-        when condition
-          true
-        else
-          false
-        end
+        m.call(line[field], condition)
       end
     end
   end
@@ -134,7 +157,7 @@ module FilterTable
         fields.each do |method, field_name|
           block = blocks[method]
           define_method method.to_sym do |condition = Show, &cond_block|
-            return block.call(self) unless block.nil?
+            return block.call(self, condition) unless block.nil?
             return where(nil).get_fields(field_name) if condition == Show && !block_given?
             where({ field_name => condition }, &cond_block)
           end

data/test/cookbooks/os_prepare/recipes/_upstart_service_centos.rb

@@ -1,6 +1,10 @@
 # encoding: utf-8
 # author: Stephan Renatus
 
+directory '/etc/init' do
+  action :create
+end
+
 file "/etc/init/upstart-running.conf" do
   content "exec tail -f /dev/null"
 end

data/test/functional/helper.rb

@@ -20,6 +20,7 @@ module FunctionalHelper
   let(:examples_path) { File.join(repo_path, 'examples') }
 
   let(:example_profile) { File.join(examples_path, 'profile') }
+  let(:example_control) { File.join(example_profile, 'controls', 'example.rb') }
   let(:inheritance_profile) { File.join(examples_path, 'profile') }
 
   let(:dst) {

data/test/functional/inheritance_test.rb

@@ -44,6 +44,6 @@ describe 'example inheritance profile' do
     s = out.stdout
     hm = JSON.load(s)
     hm['name'].must_equal 'inheritance'
-    hm['rules'].length.must_equal 1 # TODO: flatten out or search deeper!
+    hm['controls'].length.must_equal 3
   end
 end

data/test/functional/inspec_compliance_test.rb

@@ -37,7 +37,8 @@ describe 'inspec compliance' do
 
   it 'inspec compliance profiles without authentication' do
     out = inspec('compliance profile')
-    out.exit_status.must_equal 1
+    out.stdout.must_include 'You need to login first with `inspec compliance login`'
+    out.exit_status.must_equal 0
   end
 
   it 'try to upload a profile without directory' do
@@ -48,8 +49,8 @@ describe 'inspec compliance' do
 
   it 'try to upload a profile a non-existing path' do
     out = inspec('compliance upload /path/to/dir')
-    out.stdout.must_include 'Directory /path/to/dir does not exist.'
-    out.exit_status.must_equal 1
+    out.stdout.must_include 'You need to login first with `inspec compliance login`'
+    out.exit_status.must_equal 0
   end
 
   it 'logout' do

data/test/functional/inspec_exec_json_test.rb

@@ -0,0 +1,122 @@
+# encoding: utf-8
+# author: Dominik Richter
+# author: Christoph Hartmann
+
+require 'functional/helper'
+
+describe 'inspec exec with json formatter' do
+  include FunctionalHelper
+
+  it 'can execute a simple file with the json formatter' do
+    out = inspec('exec ' + example_control + ' --format json')
+    out.stderr.must_equal ''
+    out.exit_status.must_equal 0
+    JSON.load(out.stdout).must_be_kind_of Hash
+  end
+
+  it 'can execute the profile with the json formatter' do
+    out = inspec('exec ' + example_profile + ' --format json')
+    out.stderr.must_equal ''
+    out.exit_status.must_equal 0
+    JSON.load(out.stdout).must_be_kind_of Hash
+  end
+
+  describe 'execute a profile with json formatting' do
+    let(:json) { JSON.load(inspec('exec ' + example_profile + ' --format json').stdout) }
+    let(:profile) { json['profiles']['profile'] }
+    let(:controls) { profile['controls'] }
+    let(:ex1) { controls['tmp-1.0'] }
+    let(:ex2) {
+      k = controls.keys.find { |x| x =~ /generated/ }
+      controls[k]
+    }
+    let(:ex3) { profile['controls']['gordon-1.0'] }
+    let(:check_result) {
+      ex3['results'].find { |x| x['resource'] == 'gordon_config' }
+    }
+
+    it 'has all the metadata' do
+      actual = profile.dup
+      key = actual.delete('controls').keys
+                  .find { |x| x =~ /generated from example.rb/ }
+
+      actual.must_equal({
+        "name" => "profile",
+        "title" => "InSpec Example Profile",
+        "maintainer" => "Chef Software, Inc.",
+        "copyright" => "Chef Software, Inc.",
+        "copyright_email" => "support@chef.io",
+        "license" => "Apache 2 license",
+        "summary" => "Demonstrates the use of InSpec Compliance Profile",
+        "version" => "1.0.0",
+        "supports" => [{"os-family" => "unix"}],
+        "groups" => {
+          "controls/meta.rb" => {"title"=>"SSH Server Configuration", "controls"=>["ssh-1"]},
+          "controls/example.rb" => {"title"=>"/tmp profile", "controls"=>["tmp-1.0", key]},
+          "controls/gordon.rb" => {"title"=>"Gordon Config Checks", "controls"=>["gordon-1.0"]},
+        },
+      })
+    end
+
+    it 'must have 4 controls' do
+      controls.length.must_equal 4
+    end
+
+    it 'has an id for every control' do
+      controls.keys.find(&:nil?).must_be :nil?
+    end
+
+    it 'has no missing checks' do
+      json['other_checks'].must_equal([])
+    end
+
+    it 'has results for every control' do
+      ex1['results'].length.must_equal 1
+      ex2['results'].length.must_equal 1
+      ex3['results'].length.must_equal 2
+    end
+
+    it 'has the right result for tmp-1.0' do
+      actual = ex1.dup
+
+      src = actual.delete('source_location')
+      src[0].must_match %r{examples/profile/controls/example.rb$}
+      src[1].must_equal 8
+
+      result = actual.delete('results')[0]
+      result.wont_be :nil?
+      result['status'].must_equal 'passed'
+      result['code_desc'].must_equal 'File /tmp should be directory'
+      result['run_time'].wont_be :nil?
+      result['start_time'].wont_be :nil?
+
+      actual.must_equal({
+        "title" => "Create /tmp directory",
+        "desc" => "An optional description...",
+        "impact" => 0.7,
+        "refs" => [
+          {
+            "url" => "http://...",
+            "ref" => "Document A-12"
+          }
+        ],
+        "tags" => {
+          "data" => "temp data",
+          "security" => nil
+        },
+        "code" => "control \"tmp-1.0\" do                        # A unique ID for this control\n  impact 0.7                                # The criticality, if this control fails.\n  title \"Create /tmp directory\"             # A human-readable title\n  desc \"An optional description...\"         # Describe why this is needed\n  tag data: \"temp data\"                     # A tag allows you to associate key information\n  tag \"security\"                            # to the test\n  ref \"Document A-12\", url: 'http://...'    # Additional references\n\n  describe file('/tmp') do                  # The actual test\n    it { should be_directory }\n  end\nend\n",
+      })
+    end
+  end
+
+  describe 'with a profile that is not supported on this OS/platform' do
+    let(:out) { inspec('exec ' + File.join(profile_path, 'skippy-profile-os') + ' --format json') }
+    let(:json) { JSON.load(out.stdout) }
+
+    # TODO: failure handling in json formatters...
+
+    it 'never runs the actual resource' do
+      File.exist?('/tmp/inspec_test_DONT_CREATE').must_equal false
+    end
+  end
+end