inspec 0.30.0 → 0.31.0

data/lib/inspec/runner.rb

@@ -66,6 +66,7 @@ module Inspec
       options['attributes'] = attributes
     end
 
+    # Returns the profile context used the profile at this target.
     def add_target(target, options = {})
       profile = Inspec::Profile.for_target(target, options)
       fail "Could not resolve #{target} to valid input." if profile.nil?
@@ -89,6 +90,7 @@ module Inspec
       true
     end
 
+    # Returns the profile context used to initialize this profile.
     def add_profile(profile, options = {})
       return if !options[:ignore_supports] && !supports_profile?(profile)
 
@@ -115,6 +117,8 @@ module Inspec
       Inspec::ProfileContext.new(profile_id, @backend, @conf.merge(options))
     end
 
+    # Returns the profile context used to evaluate the given content.
+    # Calling this method again will use a different context each time.
     def add_content(tests, libs, options = {})
       return if tests.nil? || tests.empty?
 
@@ -127,21 +131,29 @@ module Inspec
         profile.runner_context = ctx
       end
 
+      append_content(ctx, tests, libs, options)
+    end
+
+    # Returns the profile context used to evaluate the given content.
+    def append_content(ctx, tests, _libs, options = {})
       # evaluate the test content
       tests = [tests] unless tests.is_a? Array
       tests.each { |t| add_test_to_context(t, ctx) }
 
-      # merge all collect all attributes
+      # merge and collect all attributes
       @attributes |= ctx.attributes
 
       # process the resulting rules
       filter_controls(ctx.rules, options[:controls]).each do |rule_id, rule|
         register_rule(rule_id, rule)
       end
+
+      ctx
     end
 
     def_delegator :@test_collector, :run
     def_delegator :@test_collector, :report
+    def_delegator :@test_collector, :reset
 
     private
 

data/lib/inspec/runner_mock.rb

@@ -7,6 +7,10 @@ module Inspec
     attr_reader :tests, :profiles
     attr_writer :backend
     def initialize
+      reset
+    end
+
+    def reset
       @tests = []
       @profiles = []
     end

data/lib/inspec/runner_rspec.rb

@@ -15,6 +15,10 @@ module Inspec
     def initialize(conf)
       @conf = conf
       @formatter = nil
+      reset
+    end
+
+    def reset
       reset_tests
       configure_output
     end
@@ -87,8 +91,6 @@ module Inspec
       reporter.output_hash
     end
 
-    private
-
     # Empty the list of registered tests.
     #
     # @return [nil]
@@ -98,6 +100,8 @@ module Inspec
       RSpec.configuration.reset
     end
 
+    private
+
     FORMATTERS = {
       'json-min' => 'InspecRspecMiniJson',
       'json' => 'InspecRspecJson',

data/lib/inspec/shell.rb

@@ -5,6 +5,9 @@
 require 'rspec/core/formatters/base_text_formatter'
 
 module Inspec
+  # A pry based shell for inspec. Given a runner (with a configured backend and
+  # all that jazz), this shell will produce a pry shell from which you can run
+  # inspec/ruby commands that will be run within the context of the runner.
   class Shell
     def initialize(runner)
       @runner = runner
@@ -17,7 +20,6 @@ module Inspec
       # store context to run commands in this context
       c = { content: 'binding.pry', ref: nil, line: nil }
       @runner.add_content(c, [])
-      @runner.run
     end
 
     def configure_pry
@@ -38,6 +40,25 @@ module Inspec
       Pry.hooks.add_hook(:before_session, :intro) do
         intro
       end
+
+      # execute describe blocks
+      Pry.hooks.add_hook(:after_eval, 'run_controls') do |output, _binding, _pry_|
+        next unless output.is_a?(Inspec::Rule)
+        # reset tests, register the control and execute the runner
+        @runner.reset
+        @runner.method(:register_rule).call(output.id, output)
+        @runner.run
+      end
+
+      # Don't print out control class inspection when the user uses DSL methods.
+      # Instead produce a result of evaluating their control.
+      Pry.config.print = proc do |_output, value, pry_|
+        next if value.is_a?(Inspec::Rule)
+        pry_.pager.open do |pager|
+          pager.print pry_.config.output_prefix
+          Pry::ColorPrinter.pp(value, pager, Pry::Terminal.width! - 1)
+        end
+      end
     end
 
     def readline_ignore(code)

data/lib/inspec/version.rb

@@ -3,5 +3,5 @@
 # author: Christoph Hartmann
 
 module Inspec
-  VERSION = '0.30.0'.freeze
+  VERSION = '0.31.0'.freeze
 end

data/lib/resources/iis_site.rb

@@ -0,0 +1,107 @@
+# encoding: utf-8
+# check for site in IIS
+# Usage:
+# describe iis_site('Default Web Site') do
+#   it{ should exist }
+#   it{ should be_running }
+#   it{ should be_in_app_pool('Default App Pool') }
+#   it{ should have_path('C:\\inetpub\wwwroot\\DefaultWebSite') }
+#   it{ should have_binding('https :443:www.contoso.com sslFlags=0') }
+#   it{ should have_binding('net.pipe *') }
+# end
+#
+# Note: this is only supported in windows 2012 and later
+
+module Inspec::Resources
+  class IisSite < Inspec.resource(1)
+    name 'iis_site'
+    desc 'Tests IIS site configuration on windows. Supported in server 2012+ only'
+    example "
+      describe iis_site('Default Web Site') do
+        it { should exist }
+        it { should be_running }
+        it { should have_app_pool('DefaultAppPool') }
+        it { should have_binding('https :443:www.contoso.com sslFlags=0') }
+        it { should have_binding('net.pipe *') }
+        it { should have_path('C:\\inetpub\\wwwroot') }
+      end
+    "
+
+    def initialize(site_name)
+      @site_name = site_name
+      @cache = nil
+
+      @site_provider = SiteProvider.new(inspec)
+
+      # verify that this resource is only supported on Windows
+      return skip_resource 'The `iis_site` resource is not supported on your OS.' if inspec.os[:family] != 'windows'
+    end
+
+    def exists?
+      !iis_site.nil? && !iis_site[:name].nil?
+    end
+
+    def running?
+      iis_site.nil? ? false : (iis_site[:state] == 'Started')
+    end
+
+    def has_app_pool?(app_pool)
+      iis_site.nil? ? false : iis_site[:app_pool] == app_pool
+    end
+
+    def has_path?(path)
+      iis_site.nil? ? false : iis_site[:path] == path
+    end
+
+    def has_binding?(binding)
+      iis_site.nil? ? false : (iis_site[:bindings].include? binding)
+    end
+
+    def to_s
+      "iis_site '#{@site_name}'"
+    end
+
+    def iis_site
+      return @cache if !@cache.nil?
+      @cache = @site_provider.iis_site(@site_name) if !@site_provider.nil?
+    end
+  end
+
+  class SiteProvider
+    attr_reader :inspec
+
+    def initialize(inspec)
+      @inspec = inspec
+    end
+
+    # want to populate everything using one powershell command here and spit it out as json
+    def iis_site(name)
+      command = "Get-Website '#{name}' | select-object -Property Name,State,PhysicalPath,bindings,ApplicationPool | ConvertTo-Json"
+      cmd = @inspec.command(command)
+
+      begin
+        site = JSON.parse(cmd.stdout)
+      rescue JSON::ParserError => _e
+        return nil
+      end
+
+      bindings_array = site['bindings']['Collection'].map { |k, _str|
+        k['protocol'] <<
+          ' ' <<
+          k['bindingInformation'] <<
+          (k['protocol'] == 'https' ? ' sslFlags=' << flags : '')
+      }
+
+      # map our values to a hash table
+      info = {
+        name: site['name'],
+        state: site['state'],
+        path: site['physicalPath'],
+        bindings: bindings_array,
+        app_pool: site['applicationPool'],
+      }
+
+      info
+    end
+  end
+end

data/lib/resources/port.rb

@@ -122,13 +122,13 @@ module Inspec::Resources
   # @see https://connect.microsoft.com/PowerShell/feedback/details/1349420/get-nettcpconnection-does-not-show-processid
   class WindowsPorts < PortsInfo
     def info
-      powershell_info || netstat_info
+      netstat_info || powershell_info
     end
 
     private
 
     def powershell_info
-      cmd = inspec.command('Get-NetTCPConnection | Select-Object -Property State, Caption, Description, LocalAddress, LocalPort, RemoteAddress, RemotePort, DisplayName, Status | ConvertTo-Json')
+      cmd = inspec.command('Get-NetTCPConnection -state Listen | Select-Object -Property State, Caption, Description, LocalAddress, LocalPort, RemoteAddress, RemotePort, DisplayName, Status | ConvertTo-Json')
       return nil if cmd.exit_status != 0
 
       entries = JSON.parse(cmd.stdout)
@@ -146,14 +146,21 @@ module Inspec::Resources
     end
 
     def netstat_info
-      cmd = inspec.command('netstat -an')
+      # retrieve processes grepping by LISTENING state with 0 lines before and 1 after to catch the process name
+      # also UDP ports have nothing in the State column
+      cmd = inspec.command('netstat -anbo | Select-String  -CaseSensitive -pattern "^\s+UDP|\s+LISTENING\s+\d+$" -context 0,1')
       return nil if cmd.exit_status != 0
-      lines = cmd.stdout.scan(/^\s*(tcp\S*|udp\S*)\s+(\S+):(\d+)\s+/i)
+      lines = cmd.stdout.scan(/^>\s*(tcp\S*|udp\S*)\s+(\S+):(\d+)\s+(\S+)\s+(\S*)\s+(\d+)\s+(.+)/i)
       lines.map do |line|
+        pid = line[5].to_i
+        process = line[6].delete('[').delete(']').strip
+        process = 'System' if process == 'Can not obtain ownership information' && pid == 4
         {
           'port'     => line[2].to_i,
           'address'  => line[1].delete('[').delete(']'),
           'protocol' => line[0].downcase,
+          'pid'      => pid,
+          'process'  => process,
         }
       end
     end

data/lib/resources/ssh_conf.rb

@@ -32,8 +32,16 @@ module Inspec::Resources
       end
     end
 
+    def convert_hash(hash)
+      new_hash = {}
+      hash.each do |k, v|
+        new_hash[k.downcase] = v
+      end
+      new_hash
+    end
+
     def method_missing(name)
-      param = read_params[name.to_s]
+      param = read_params[name.to_s.downcase]
       return nil if param.nil?
       # extract first value if we have only one value in array
       return param[0] if param.length == 1
@@ -69,7 +77,7 @@ module Inspec::Resources
         assignment_re: /^\s*(\S+?)\s+(.*?)\s*$/,
         multiple_values: true,
       )
-      @params = conf.params
+      @params = convert_hash(conf.params)
     end
   end
 

data/lib/resources/ssl.rb

@@ -0,0 +1,94 @@
+# encoding: utf-8
+# copyright: 2015, Chef Software Inc.
+# license: All rights reserved
+# author: Dominik Richter
+# author: Christoph Hartmann
+
+require 'sslshake'
+require 'utils/filter'
+
+# Custom resource based on the InSpec resource DSL
+class SSL < Inspec.resource(1)
+  name 'ssl'
+
+  desc "
+    SSL test resource
+  "
+
+  example "
+    describe ssl(port: 443) do
+      it { should be_enabled }
+    end
+
+    # protocols: ssl2, ssl3, tls1.0, tls1.1, tls1.2
+    describe ssl(port: 443).protocols('ssl2') do
+      it { should_not be_enabled }
+    end
+
+    # any ciphers, filter by name or regex
+    describe ssl(port: 443).ciphers(/rc4/i) do
+      it { should_not be_enabled }
+    end
+  "
+
+  VERSIONS = [
+    'ssl2',
+    'ssl3',
+    'tls1.0',
+    'tls1.1',
+    'tls1.2',
+  ].freeze
+
+  attr_reader :host, :port
+
+  def initialize(opts = {})
+    @host = opts[:host] ||
+            inspec.backend.instance_variable_get(:@hostname)
+    if @host.nil? && inspec.backend.class.to_s == 'Train::Transports::Local::Connection'
+      @host = 'localhost'
+    end
+    if @host.nil?
+      fail 'Cannot determine host for SSL test. Please specify it or use a different target.'
+    end
+    @port = opts[:port] || 443
+    @timeout = opts[:timeout]
+    @retries = opts[:retries]
+  end
+
+  filter = FilterTable.create
+  filter.add_accessor(:where)
+        .add_accessor(:entries)
+        .add(:ciphers, field: 'cipher')
+        .add(:protocols, field: 'protocol')
+        .add(:enabled?) { |x| x.handshake.values.any? { |i| i['success'] } }
+        .add(:handshake) { |x|
+          groups = x.entries.group_by(&:protocol)
+          res = groups.map do |proto, e|
+            [proto, SSLShake.hello(x.resource.host, port: x.resource.port,
+              protocol: proto, ciphers: e.map(&:cipher),
+              timeout: @timeout, retries: @retries)]
+          end
+          Hash[res]
+        }
+        .connect(self, :scan_config)
+
+  def to_s
+    "SSL/TLS on #{@host}:#{@port}"
+  end
+
+  private
+
+  def scan_config
+    [
+      { 'protocol' => 'ssl2', 'ciphers' => SSLShake::SSLv2::CIPHERS.keys },
+      { 'protocol' => 'ssl3', 'ciphers' => SSLShake::TLS::SSL3_CIPHERS.keys },
+      { 'protocol' => 'tls1.0', 'ciphers' => SSLShake::TLS::TLS10_CIPHERS.keys },
+      { 'protocol' => 'tls1.1', 'ciphers' => SSLShake::TLS::TLS10_CIPHERS.keys },
+      { 'protocol' => 'tls1.2', 'ciphers' => SSLShake::TLS::TLS_CIPHERS.keys },
+    ].map do |line|
+      line['ciphers'].map do |cipher|
+        { 'protocol' => line['protocol'], 'cipher' => cipher }
+      end
+    end.flatten
+  end
+end

data/lib/resources/xinetd.rb

@@ -66,17 +66,26 @@ module Inspec::Resources
     def read_params
       return {} if read_content.nil?
       flat_params = parse_xinetd(read_content)
+      # we need to map service data in order to use it with filtertable
       params = { 'services' => {} }
 
-      # parse services that were defined:
+      # map services that were defined and map it to the service hash
       flat_params.each do |k, v|
         name = k[/^service (.+)$/, 1]
+        # its not a service, no change required
         if name.nil?
           params[k] = v
+        # handle service entries
         else
+          # store service
           params['services'][name] = v
+
           # add the service identifier to its parameters
-          v.each { |service| service.params['service'] = name }
+          if v.is_a?(Array)
+            v.each { |service| service.params['service'] = name }
+          else
+            v.params['service'] = name
+          end
         end
       end
       params

data/lib/utils/parser.rb

@@ -9,8 +9,9 @@ module PasswdParser
   # @return [Array] Collection of passwd entries
   def parse_passwd(content)
     content.to_s.split("\n").map do |line|
+      next if line[0] == '#'
       parse_passwd_line(line)
-    end
+    end.compact
   end
 
   # Parse a line of /etc/passwd
@@ -178,6 +179,7 @@ module SolarisNetstatParser
   end
 end
 
+# This parser for xinetd (extended Internet daemon) configuration files
 module XinetdParser
   def xinetd_include_dir(dir)
     return [] if dir.nil?
@@ -197,10 +199,12 @@ module XinetdParser
     simple_conf = []
     rest = raw
     until rest.empty?
+      # extract content line
       nl = rest.index("\n") || (rest.length-1)
       comment = rest.index('#') || (rest.length-1)
       dst_idx = (comment < nl) ? comment : nl
       inner_line = (dst_idx == 0) ? '' : rest[0..dst_idx-1].strip
+      # update unparsed content
       rest = rest[nl+1..-1]
       next if inner_line.empty?
 
@@ -212,6 +216,7 @@ module XinetdParser
         simple_conf = []
         rest = rest[rest.index("\n")+1..-1]
       elsif cur_group.nil?
+        # parse all included files
         others = xinetd_include_dir(inner_line[/includedir (.+)/, 1])
 
         # complex merging of included configurations, as multiple services