inspec 0.30.0 → 0.31.0

data/lib/bundles/inspec-compliance/test/integration/default/cli.rb

@@ -1,13 +1,17 @@
 # encoding: utf-8
 
 # options
-inspec_bin = '/opt/chef-compliance/embedded/bin/inspec'
+inspec_bin = 'BUNDLE_GEMFILE=/inspec/Gemfile bundle exec inspec'
 api_url = 'https://0.0.0.0'
 profile = '/inspec/examples/profile'
 
+user = command('whoami').stdout.strip
+pwd = command('pwd').stdout.strip
+puts "Run test as #{user} in path #{pwd}"
+
 # TODO: determine tokens automatically, define in kitchen yml
-access_token = ENV['COMPLIANCE_ACCESS_TOKEN']
-refresh_token = ENV['COMPLIANCE_REFRESH_TOKEN']
+access_token = ENV['COMPLIANCE_ACCESSTOKEN']
+refresh_token = ENV['COMPLIANCE_REFRESHTOKEN']
 
 %w{refresh_token access_token}.each do |type|
   case type
@@ -24,9 +28,35 @@ refresh_token = ENV['COMPLIANCE_REFRESH_TOKEN']
     its('exit_status') { should eq 0 }
   end
 
+  # version command fails gracefully when server not configured
+  describe command("#{inspec_bin} compliance version") do
+    its('stdout') { should include 'Server configuration information is missing' }
+    its('stderr') { should eq '' }
+    its('exit_status') { should eq 1 }
+  end
+
+  # submitting a wrong token should have an exit of 0
+  describe command("#{inspec_bin} compliance login #{api_url} --insecure --user 'admin' --token 'wrong-token'") do
+    its('stdout') { should include 'token stored' }
+  end
+
+  # compliance login --help should give an accurate message for login
+  describe command("#{inspec_bin} compliance login --help") do
+    its('stdout') { should include "inspec compliance login SERVER --insecure --user='USER' --token='TOKEN'" }
+    its('exit_status') { should eq 0 }
+  end
+
+  # profiles command fails gracefully when token/server info is incorrect
+  describe command("#{inspec_bin} compliance profiles") do
+    its('stdout') { should include '401 Unauthorized. Please check your token' }
+    its('stderr') { should eq '' }
+    its('exit_status') { should eq 1 }
+  end
+
   # login via access token token
-  describe command("#{inspec_bin} compliance login #{api_url} --insecure --user admin #{token_options}") do
-    its('stdout') { should include 'Successfully authenticated' }
+  describe command("#{inspec_bin} compliance login #{api_url} --insecure --user 'admin' #{token_options}") do
+    its('stdout') { should include 'token', 'stored' }
+    its('stdout') { should_not include 'Your server supports --user and --password only' }
     its('stderr') { should eq '' }
     its('exit_status') { should eq 0 }
   end
@@ -47,6 +77,13 @@ refresh_token = ENV['COMPLIANCE_REFRESH_TOKEN']
     its('exit_status') { should eq 0 }
   end
 
+  # returns the version of the server
+  describe command("#{inspec_bin} compliance version") do
+    its('stdout') { should include 'Chef Compliance version:' }
+    its('stderr') { should eq '' }
+    its('exit_status') { should eq 0 }
+  end
+
   # logout
   describe command("#{inspec_bin} compliance logout") do
     its('stdout') { should include 'Successfully logged out' }

data/lib/bundles/inspec-init/cli.rb

@@ -7,6 +7,15 @@ module Init
   class CLI < Inspec::BaseCLI
     namespace 'init'
 
+    # TODO: find another solution, once https://github.com/erikhuda/thor/issues/261 is fixed
+    def self.banner(command, _namespace = nil, _subcommand = false)
+      "#{basename} #{subcommand_prefix} #{command.usage}"
+    end
+
+    def self.subcommand_prefix
+      namespace
+    end
+
     # read template directoy
     template_dir = File.join(File.dirname(__FILE__), 'templates')
     Dir.glob(File.join(template_dir, '*')) do |template|

data/lib/bundles/inspec-supermarket/cli.rb

@@ -6,6 +6,15 @@ module Supermarket
   class SupermarketCLI < Inspec::BaseCLI
     namespace 'supermarket'
 
+    # TODO: find another solution, once https://github.com/erikhuda/thor/issues/261 is fixed
+    def self.banner(command, _namespace = nil, _subcommand = false)
+      "#{basename} #{subcommand_prefix} #{command.usage}"
+    end
+
+    def self.subcommand_prefix
+      namespace
+    end
+
     desc 'profiles', 'list all available profiles in Chef Supermarket'
     def profiles
       # display profiles in format user/profile

data/lib/bundles/inspec-supermarket/target.rb

@@ -13,11 +13,12 @@ module Supermarket
     priority 500
 
     def self.resolve(target, opts = {})
+      return nil unless target.is_a?(String)
       return nil unless URI(target).scheme == 'supermarket'
       return nil unless Supermarket::API.exist?(target)
       tool_info = Supermarket::API.find(target)
       super(tool_info['tool_source_url'], opts)
-    rescue URI::Error => _e
+    rescue URI::Error
       nil
     end
 

data/lib/fetchers/local.rb

@@ -10,8 +10,11 @@ module Fetchers
     attr_reader :files
 
     def self.resolve(target)
-      return nil unless File.exist?(target)
-      new(target)
+      unless target.is_a?(String) && File.exist?(target)
+        nil
+      else
+        new(target)
+      end
     end
 
     def initialize(target)

data/lib/fetchers/url.rb

@@ -14,6 +14,7 @@ module Fetchers
     attr_reader :files
 
     def self.resolve(target, opts = {})
+      return nil unless target.is_a?(String)
       uri = URI.parse(target)
       return nil if uri.nil? or uri.scheme.nil?
       return nil unless %{ http https }.include? uri.scheme

data/lib/inspec/base_cli.rb

@@ -64,7 +64,8 @@ module Inspec
     # helper method to run tests
     def run_tests(targets, opts)
       o = opts.dup
-      o[:logger] = Logger.new(opts['format'] == 'json' ? nil : STDOUT)
+      log_device = opts['format'] == 'json' ? nil : STDOUT
+      o[:logger] = Logger.new(log_device)
       o[:logger].level = get_log_level(o.log_level)
 
       runner = Inspec::Runner.new(o)

data/lib/inspec/cli.rb

@@ -154,20 +154,29 @@ class Inspec::InspecCLI < Inspec::BaseCLI # rubocop:disable Metrics/ClassLength
 
   desc 'shell', 'open an interactive debugging shell'
   target_options
-  option :command, aliases: :c
-  option :format, type: :string, default: nil, hide: true
+  option :command, aliases: :c,
+    desc: 'A single command string to run instead of launching the shell'
+  option :format, type: :string, default: nil, hide: true,
+    desc: 'Which formatter to use: cli, progress, documentation, json, json-min'
   def shell_func
     diagnose
     o = opts.dup
-    o[:logger] = Logger.new(STDOUT)
+
+    log_device = opts['format'] == 'json' ? nil : STDOUT
+    o[:logger] = Logger.new(log_device)
     o[:logger].level = get_log_level(o.log_level)
+
     if o[:command].nil?
       runner = Inspec::Runner.new(o)
       return Inspec::Shell.new(runner).start
     else
       res = run_command(o)
-      jres = res.respond_to?(:to_json) ? res.to_json : JSON.dump(res)
-      puts jres
+      if opts['format'] == 'json'
+        jres = res.respond_to?(:to_json) ? res.to_json : JSON.dump(res)
+        puts jres
+      else
+        puts res
+      end
     end
   rescue RuntimeError, Train::UserError => e
     $stderr.puts e.message

data/lib/inspec/dependencies/dependency_set.rb

@@ -0,0 +1,38 @@
+# encoding: utf-8
+require 'inspec/dependencies/vendor_index'
+require 'inspec/dependencies/resolver'
+
+module Inspec
+  #
+  # A DependencySet manages a list of dependencies for a profile.
+  #
+  # Currently this class is a thin wrapper interface to coordinate the
+  # VendorIndex and the Resolver.
+  #
+  class DependencySet
+    attr_reader :list, :vendor_path
+
+    # initialize
+    #
+    # @param cwd [String] current working directory for relative path includes
+    # @param vendor_path [String] path which contains vendored dependencies
+    # @return [dependencies] this
+    def initialize(cwd, vendor_path)
+      @cwd = cwd
+      @vendor_path = vendor_path || File.join(Dir.home, '.inspec', 'cache')
+      @list = nil
+    end
+
+    #
+    # 1. Get dependencies, pull things to a local cache if necessary
+    # 2. Resolve dependencies
+    #
+    # @param dependencies [Gem::Dependency] list of dependencies
+    # @return [nil]
+    def vendor(dependencies)
+      return nil if dependencies.nil? || dependencies.empty?
+      @vendor_index ||= VendorIndex.new(@vendor_path)
+      @list = Resolver.resolve(dependencies, @vendor_index, @cwd)
+    end
+  end
+end

data/lib/inspec/dependencies/requirement.rb

@@ -0,0 +1,103 @@
+# encoding: utf-8
+require 'inspec/fetcher'
+
+module Inspec
+  #
+  # Inspec::Requirement represents a given profile dependency, where
+  # appropriate we delegate to Inspec::Profile directly.
+  #
+  class Requirement
+    attr_reader :name, :dep, :cwd, :opts
+
+    def initialize(name, version_constraints, vendor_index, cwd, opts)
+      @name = name
+      @dep = Gem::Dependency.new(name,
+                                 Gem::Requirement.new(Array(version_constraints)),
+                                 :runtime)
+      @vendor_index = vendor_index
+      @opts = opts
+      @cwd = cwd
+    end
+
+    def matches_spec?(spec)
+      params = spec.profile.metadata.params
+      @dep.match?(params[:name], params[:version])
+    end
+
+    def source_url
+      case source_type
+      when :local_path
+        "file://#{File.expand_path(opts[:path])}"
+      when :url
+        @opts[:url]
+      end
+    end
+
+    def local_path
+      @local_path ||= case source_type
+                      when :local_path
+                        File.expand_path(opts[:path], @cwd)
+                      else
+                        @vendor_index.prefered_entry_for(@name, source_url)
+                      end
+    end
+
+    def source_type
+      @source_type ||= if @opts[:path]
+                         :local_path
+                       elsif opts[:url]
+                         :url
+                       else
+                         fail "Cannot determine source type from #{opts}"
+                       end
+    end
+
+    def fetcher_class
+      @fetcher_class ||= case source_type
+                         when :local_path
+                           Fetchers::Local
+                         when :url
+                           Fetchers::Url
+                         else
+                           fail "No known fetcher for dependency #{name} with source_type #{source_type}"
+                         end
+
+      fail "No fetcher for #{name} (options: #{opts})" if @fetcher_class.nil?
+      @fetcher_class
+    end
+
+    def pull
+      case source_type
+      when :local_path
+        local_path
+      else
+        if @vendor_index.exists?(@name, source_url)
+          local_path
+        else
+          archive = fetcher_class.download_archive(source_url)
+          @vendor_index.add(@name, source_url, archive.path)
+        end
+      end
+    end
+
+    def to_s
+      dep.to_s
+    end
+
+    def path
+      @path ||= pull
+    end
+
+    def profile
+      return nil if path.nil?
+      @profile ||= Inspec::Profile.for_target(path, {})
+    end
+
+    def self.from_metadata(dep, vendor_index, opts)
+      fail 'Cannot load empty dependency.' if dep.nil? || dep.empty?
+      name = dep[:name] || fail('You must provide a name for all dependencies')
+      version = dep[:version]
+      new(name, version, vendor_index, opts[:cwd], opts.merge(dep))
+    end
+  end
+end

data/lib/inspec/{dependencies.rb → dependencies/resolver.rb}

@@ -1,28 +1,32 @@
 # encoding: utf-8
 # author: Dominik Richter
 # author: Christoph Hartmann
-
 require 'logger'
-require 'fileutils'
 require 'molinillo'
 require 'inspec/errors'
+require 'inspec/dependencies/requirement'
 
 module Inspec
+  #
+  # Inspec::Resolver is responsible for recursively resolving all the
+  # depenendencies for a given top-level dependency set.
+  #
   class Resolver
     def self.resolve(requirements, vendor_index, cwd, opts = {})
       reqs = requirements.map do |req|
-        Requirement.from_metadata(req, cwd: cwd) ||
-          fail("Cannot initialize dependency: #{req}")
+        req = Inspec::Requirement.from_metadata(req, vendor_index, cwd: cwd)
+        req || fail("Cannot initialize dependency: #{req}")
       end
 
-      new(vendor_index, opts).resolve(reqs)
+      new(vendor_index, opts.merge(cwd: cwd)).resolve(reqs)
     end
 
     def initialize(vendor_index, opts = {})
       @logger = opts[:logger] || Logger.new(nil)
-      @debug_mode = false # TODO: hardcoded for now, grab from options
+      @debug_mode = false
 
       @vendor_index = vendor_index
+      @cwd = opts[:cwd] || './'
       @resolver = Molinillo::Resolver.new(self, self)
       @search_cache = {}
     end
@@ -87,7 +91,9 @@ module Inspec
     # @return [Array<Object>] the dependencies that are required by the given
     #   `specification`.
     def dependencies_for(specification)
-      specification.profile.metadata.dependencies
+      specification.profile.metadata.dependencies.map do |r|
+        Inspec::Requirement.from_metadata(r, @vendor_index, cwd: @cwd)
+      end
     end
 
     # Determines whether the given `requirement` is satisfied by the given
@@ -179,129 +185,4 @@ module Inspec
     end
     alias puts print
   end
-
-  class Package
-    def initialize(path, version)
-      @path = path
-      @version = version
-    end
-  end
-
-  class VendorIndex
-    attr_reader :list, :path
-    def initialize(path)
-      @path = path
-      FileUtils.mkdir_p(path) unless File.directory?(path)
-      @list = Dir[File.join(path, '*')].map { |x| load_path(x) }
-    end
-
-    def find(_dependency)
-      # TODO
-      fail NotImplementedError, '#find(dependency) on VendorIndex seeks implementation.'
-    end
-
-    private
-
-    def load_path(_path)
-      # TODO
-      fail NotImplementedError, '#load_path(path) on VendorIndex wants to be implemented.'
-    end
-  end
-
-  class Requirement
-    attr_reader :name, :dep, :cwd, :opts
-    def initialize(name, dep, cwd, opts)
-      @name = name
-      @dep = Gem::Dependency.new(name, Gem::Requirement.new(Array(dep)), :runtime)
-      @opts = opts
-      @cwd = cwd
-    end
-
-    def matches_spec?(spec)
-      params = spec.profile.metadata.params
-      @dep.match?(params[:name], params[:version])
-    end
-
-    def pull
-      case
-      when @opts[:path] then pull_path(@opts[:path])
-      else
-        # TODO: should default to supermarket
-        fail 'You must specify the source of the dependency (for now...)'
-      end
-    end
-
-    def path
-      @path || pull
-    end
-
-    def profile
-      return nil if path.nil?
-      @profile ||= Inspec::Profile.for_target(path, {})
-    end
-
-    def self.from_metadata(dep, opts)
-      fail 'Cannot load empty dependency.' if dep.nil? || dep.empty?
-      name = dep[:name] || fail('You must provide a name for all dependencies')
-      version = dep[:version]
-      new(name, version, opts[:cwd], dep)
-    end
-
-    def to_s
-      @dep.to_s
-    end
-
-    private
-
-    def pull_path(path)
-      abspath = File.absolute_path(path, @cwd)
-      fail "Dependency path doesn't exist: #{path}" unless File.exist?(abspath)
-      fail "Dependency path isn't a folder: #{path}" unless File.directory?(abspath)
-      @path = abspath
-      true
-    end
-  end
-
-  class SupermarketDependency
-    def initialize(url, requirement)
-      @url = url
-      @requirement = requirement
-    end
-
-    def self.load(dep)
-      return nil if dep.nil?
-      sname = dep[:supermarket]
-      return nil if sname.nil?
-      surl = dep[:supermarket_url] || 'default_url...'
-      requirement = dep[:version]
-      url = surl + '/' + sname
-      new(url, requirement)
-    end
-  end
-
-  class Dependencies
-    attr_reader :list, :vendor_path
-
-    # initialize
-    #
-    # @param cwd [String] current working directory for relative path includes
-    # @param vendor_path [String] path which contains vendored dependencies
-    # @return [dependencies] this
-    def initialize(cwd, vendor_path)
-      @cwd = cwd
-      @vendor_path = vendor_path || File.join(Dir.home, '.inspec', 'cache')
-      @list = nil
-    end
-
-    # 1. Get dependencies, pull things to a local cache if necessary
-    # 2. Resolve dependencies
-    #
-    # @param dependencies [Gem::Dependency] list of dependencies
-    # @return [nil]
-    def vendor(dependencies)
-      return if dependencies.nil? || dependencies.empty?
-      @vendor_index ||= VendorIndex.new(@vendor_path)
-      @list = Resolver.resolve(dependencies, @vendor_index, @cwd)
-    end
-  end
 end

data/lib/inspec/dependencies/vendor_index.rb

@@ -0,0 +1,98 @@
+# encoding: utf-8
+require 'digest'
+require 'fileutils'
+
+module Inspec
+  #
+  # VendorIndex manages an on-disk cache of inspec profiles.  The
+  # cache can contain:
+  #
+  #  - .tar.gz profile archives
+  #  - .zip profile archives
+  #  - unpacked profiles
+  #
+  # Cache entries names include a hash of their source to prevent
+  # conflicts between depenedencies with the same name from different
+  # sources.
+  #
+  #
+  class VendorIndex
+    attr_reader :path
+    def initialize(path)
+      @path = path
+      FileUtils.mkdir_p(path) unless File.directory?(path)
+    end
+
+    def add(name, source, path_from)
+      path_to = base_path_for(name, source)
+      path_to = if File.directory?(path_to)
+                  path_to
+                elsif path_from.end_with?('.zip')
+                  "#{path_to}.tar.gz"
+                elsif path_from.end_with?('.tar.gz')
+                  "#{path_to}.tar.gz"
+                else
+                  fail "Cannot add unknown archive #{path} to vendor index"
+                end
+      FileUtils.cp_r(path_from, path_to)
+      path_to
+    end
+
+    def prefered_entry_for(name, source_url)
+      path = base_path_for(name, source_url)
+      if File.directory?(path)
+        path
+      elsif File.exist?("#{path}.tar.gz")
+        "#{path}.tar.gz"
+      elsif File.exist?("#{path}.zip")
+        "#{path}.zip"
+      end
+    end
+
+    #
+    # For a given name and source_url, return true if the
+    # profile exists in the VendorIndex.
+    #
+    # @param [String] name
+    # @param [String] source_url
+    # @return [Boolean]
+    #
+    def exists?(name, source_url)
+      path = base_path_for(name, source_url)
+      File.directory?(path) || File.exist?("#{path}.tar.gz") || File.exist?("#{path}.zip")
+    end
+
+    #
+    # Return the path to given profile in the vendor index.
+    #
+    # The `source_url` parameter should be a URI-like string that
+    # fully specifies the source of the exact version we want to pull
+    # down.
+    #
+    # @param [String] name
+    # @param [String] source_url
+    # @return [String]
+    #
+    def base_path_for(name, source_url)
+      File.join(@path, key_for(name, source_url))
+    end
+
+    private
+
+    #
+    # Return the key for a given profile in the vendor index.
+    #
+    # The `source_url` parameter should be a URI-like string that
+    # fully specifies the source of the exact version we want to pull
+    # down.
+    #
+    # @param [String] name
+    # @param [String] source_url
+    # @return [String]
+    #
+    def key_for(name, source_url)
+      source_hash = Digest::SHA256.hexdigest source_url
+      "#{name}-#{source_hash}"
+    end
+  end
+end

data/lib/inspec/plugins/source_reader.rb

@@ -20,6 +20,10 @@ module Inspec
 
       # Retrieve this profile's tests
       #
+      # "tests" here refers to a test file. Individual controls and anonymous
+      # tests are later extracted from the raw contents of a test file. The map
+      # her simply maps from a test file name to the file contents.
+      #
       # @return [Hash] Collection with references pointing to test contents
       def tests
         fail "SourceReader #{self} does not implement `tests()`. This method is required"

data/lib/inspec/profile.rb

@@ -8,7 +8,7 @@ require 'inspec/polyfill'
 require 'inspec/fetcher'
 require 'inspec/source_reader'
 require 'inspec/metadata'
-require 'inspec/dependencies'
+require 'inspec/dependencies/dependency_set'
 
 module Inspec
   class Profile # rubocop:disable Metrics/ClassLength
@@ -298,7 +298,7 @@ module Inspec
 
     def load_dependencies
       cwd = File.directory?(@target) ? @target : nil
-      res = Inspec::Dependencies.new(cwd, nil)
+      res = Inspec::DependencySet.new(cwd, nil)
       res.vendor(metadata.dependencies)
       res
     end

data/lib/inspec/resource.rb

@@ -65,6 +65,7 @@ require 'resources/gem'
 require 'resources/group'
 require 'resources/grub_conf'
 require 'resources/host'
+require 'resources/iis_site'
 require 'resources/inetd_conf'
 require 'resources/interface'
 require 'resources/iptables'
@@ -97,6 +98,7 @@ require 'resources/registry_key'
 require 'resources/security_policy'
 require 'resources/service'
 require 'resources/shadow'
+require 'resources/ssl'
 require 'resources/ssh_conf'
 require 'resources/user'
 require 'resources/vbscript'