inspec 0.32.0 → 0.33.0

data/lib/inspec/profile_context.rb

@@ -3,7 +3,9 @@
 # author: Christoph Hartmann
 require 'inspec/log'
 require 'inspec/rule'
-require 'inspec/dsl'
+require 'inspec/resource'
+require 'inspec/library_eval_context'
+require 'inspec/control_eval_context'
 require 'inspec/require_loader'
 require 'securerandom'
 require 'inspec/objects/attribute'
@@ -14,7 +16,7 @@ module Inspec
       new(profile.name, backend, { 'profile' => profile })
     end
 
-    attr_reader :attributes, :rules, :profile_id
+    attr_reader :attributes, :rules, :profile_id, :resource_registry
     def initialize(profile_id, backend, conf)
       if backend.nil?
         fail 'ProfileContext is initiated with a backend == nil. ' \
@@ -25,17 +27,35 @@ module Inspec
       @conf = conf.dup
       @rules = {}
       @subcontexts = []
-      @dependencies = {}
-      @dependencies = conf['profile'].locked_dependencies unless conf['profile'].nil?
       @require_loader = ::Inspec::RequireLoader.new
       @attributes = []
-      reload_dsl
+      # A local resource registry that only contains resources defined
+      # in the transitive dependency tree of the loaded profile.
+      @resource_registry = Inspec::Resource.new_registry
+      @library_eval_context = Inspec::LibraryEvalContext.create(@resource_registry, @require_loader)
+    end
+
+    def dependencies
+      if @conf['profile'].nil?
+        {}
+      else
+        @conf['profile'].locked_dependencies
+      end
+    end
+
+    def to_resources_dsl
+      Inspec::Resource.create_dsl(@backend, @resource_registry)
+    end
+
+    def control_eval_context
+      @control_eval_context ||= begin
+                                  ctx = Inspec::ControlEvalContext.create(self, to_resources_dsl)
+                                  ctx.new(@backend, @conf, dependencies, @require_loader)
+                                end
     end
 
     def reload_dsl
-      resources_dsl = Inspec::Resource.create_dsl(@backend)
-      ctx = create_context(resources_dsl, rule_context(resources_dsl))
-      @profile_context = ctx.new(@backend, @conf, @dependencies, @require_loader)
+      @control_eval_context = nil
     end
 
     def all_rules
@@ -44,6 +64,12 @@ module Inspec
       ret
     end
 
+    def add_resources(context)
+      @resource_registry.merge!(context.resource_registry)
+      control_eval_context.add_resources(context)
+      reload_dsl
+    end
+
     def add_subcontext(context)
       @subcontexts << context
     end
@@ -65,21 +91,29 @@ module Inspec
       # load all files directly that are flat inside the libraries folder
       autoloads.each do |path|
         next unless path.end_with?('.rb')
-        load(*@require_loader.load(path)) unless @require_loader.loaded?(path)
+        load_library_file(*@require_loader.load(path)) unless @require_loader.loaded?(path)
       end
-
       reload_dsl
     end
 
-    def load(content, source = nil, line = nil)
+    def load_control_file(*args)
+      load_with_context(control_eval_context, *args)
+    end
+    alias load load_control_file
+
+    def load_library_file(*args)
+      load_with_context(@library_eval_context, *args)
+    end
+
+    def load_with_context(context, content, source = nil, line = nil)
       Inspec::Log.debug("Loading #{source || '<anonymous content>'} into #{self}")
       @current_load = { file: source }
       if content.is_a? Proc
-        @profile_context.instance_eval(&content)
+        context.instance_eval(&content)
       elsif source.nil? && line.nil?
-        @profile_context.instance_eval(content)
+        context.instance_eval(content)
       else
-        @profile_context.instance_eval(content, source || 'unknown', line || 1)
+        context.instance_eval(content, source || 'unknown', line || 1)
       end
     end
 
@@ -121,131 +155,5 @@ module Inspec
       return rid.to_s if pid.to_s.empty?
       pid.to_s + '/' + rid.to_s
     end
-
-    # Create the context for controls. This includes all components of the DSL,
-    # including matchers and resources.
-    #
-    # @param [ResourcesDSL] resources_dsl which has all resources to attach
-    # @return [RuleContext] the inner context of rules
-    def rule_context(resources_dsl)
-      require 'rspec/core/dsl'
-      Class.new(Inspec::Rule) do
-        include RSpec::Core::DSL
-        include resources_dsl
-      end
-    end
-
-    # Creates the heart of the profile context:
-    # An instantiated object which has all resources registered to it
-    # and exposes them to the a test file. The profile context serves as a
-    # container for all profiles which are registered. Within the context
-    # profiles get access to all DSL calls for creating tests and controls.
-    #
-    # @param outer_dsl [OuterDSLClass]
-    # @return [ProfileContextClass]
-    def create_context(resources_dsl, rule_class) # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
-      profile_context_owner = self
-      profile_id = @profile_id
-
-      # rubocop:disable Lint/NestedMethodDefinition
-      Class.new do
-        include Inspec::DSL
-        include resources_dsl
-
-        def initialize(backend, conf, dependencies, require_loader) # rubocop:disable Lint/NestedMethodDefinition, Lint/DuplicateMethods
-          @backend = backend
-          @conf = conf
-          @dependencies = dependencies
-          @require_loader = require_loader
-          @skip_profile = false
-        end
-
-        # Save the toplevel require method to load all ruby dependencies.
-        # It is used whenever the `require 'lib'` is not in libraries.
-        alias_method :__ruby_require, :require
-
-        def require(path)
-          rbpath = path + '.rb'
-          return __ruby_require(path) if !@require_loader.exists?(rbpath)
-          return false if @require_loader.loaded?(rbpath)
-
-          # This is equivalent to calling `require 'lib'` with lib on disk.
-          # We cannot rely on libraries residing on disk however.
-          # TODO: Sandboxing.
-          content, path, line = @require_loader.load(rbpath)
-          eval(content, TOPLEVEL_BINDING, path, line) # rubocop:disable Lint/Eval
-        end
-
-        define_method :title do |arg|
-          profile_context_owner.set_header(:title, arg)
-        end
-
-        def to_s
-          "Profile Context Run #{profile_name}"
-        end
-
-        define_method :profile_name do
-          profile_id
-        end
-
-        define_method :control do |*args, &block|
-          id = args[0]
-          opts = args[1] || {}
-          register_control(rule_class.new(id, profile_id, opts, &block))
-        end
-
-        define_method :describe do |*args, &block|
-          loc = block_location(block, caller[0])
-          id = "(generated from #{loc} #{SecureRandom.hex})"
-
-          res = nil
-          rule = rule_class.new(id, profile_id, {}) do
-            res = describe(*args, &block)
-          end
-          register_control(rule, &block)
-
-          res
-        end
-
-        define_method :add_subcontext do |context|
-          profile_context_owner.add_subcontext(context)
-        end
-
-        define_method :register_control do |control, &block|
-          ::Inspec::Rule.set_skip_rule(control, true) if @skip_profile
-
-          profile_context_owner.register_rule(control, &block) unless control.nil?
-        end
-
-        # method for attributes; import attribute handling
-        define_method :attribute do |name, options|
-          profile_context_owner.register_attribute(name, options)
-        end
-
-        define_method :skip_control do |id|
-          profile_context_owner.unregister_rule(id)
-        end
-
-        def only_if
-          return unless block_given?
-          @skip_profile ||= !yield
-        end
-
-        alias_method :rule, :control
-        alias_method :skip_rule, :skip_control
-
-        private
-
-        def block_location(block, alternate_caller)
-          if block.nil?
-            alternate_caller[/^(.+:\d+):in .+$/, 1] || 'unknown'
-          else
-            path, line = block.source_location
-            "#{File.basename(path)}:#{line}"
-          end
-        end
-      end
-      # rubocop:enable all
-    end
   end
 end

data/lib/inspec/resource.rb

@@ -3,17 +3,20 @@
 # license: All rights reserved
 # author: Dominik Richter
 # author: Christoph Hartmann
-
 require 'inspec/plugins'
 
 module Inspec
   class Resource
-    class Registry
-      # empty class for namespacing resource classes in the registry
+    def self.default_registry
+      @default_registry ||= {}
     end
 
     def self.registry
-      @registry ||= {}
+      @registry ||= default_registry
+    end
+
+    def self.new_registry
+      default_registry.dup
     end
 
     # Creates the inner DSL which includes all resources for
@@ -22,9 +25,8 @@ module Inspec
     #
     # @param backend [BackendRunner] exposing the target to resources
     # @return [ResourcesDSL]
-    def self.create_dsl(backend)
+    def self.create_dsl(backend, my_registry = registry)
       # need the local name, to use it in the module creation further down
-      my_registry = registry
       Module.new do
         my_registry.each do |id, r|
           define_method id.to_sym do |*args|
@@ -41,10 +43,14 @@ module Inspec
   # @param [int] version the resource version to use
   # @return [Resource] base class for creating a new resource
   def self.resource(version)
+    validate_resource_dsl_version!(version)
+    Inspec::Plugins::Resource
+  end
+
+  def self.validate_resource_dsl_version!(version)
     if version != 1
       fail 'Only resource version 1 is supported!'
     end
-    Inspec::Plugins::Resource
   end
 end
 

data/lib/inspec/rspec_json_formatter.rb

@@ -164,10 +164,32 @@ class InspecRspecJson < InspecRspecMiniJson
     [info[:name], info]
   end
 
+  #
+  # TODO(ssd+vj): We should probably solve this by either ensuring the example has
+  # the profile_id of the top level profile when it is included as a dependency, or
+  # by registrying all dependent profiles with the formatter. The we could remove
+  # this heuristic matching.
+  #
+  def example2profile(example, profiles)
+    profiles.values.find { |p| profile_contains_example?(p, example) }
+  end
+
+  def profile_contains_example?(profile, example)
+    # Heuristic for finding the profile an example came from:
+    # Case 1: The profile_id on the example matches the name of the profile
+    # Case 2: The profile contains a control that matches the id of the example
+    if profile[:name] == example[:profile_id]
+      true
+    elsif profile[:controls] && profile[:controls].key?(example[:id])
+      true
+    else
+      false
+    end
+  end
+
   def example2control(example, profiles)
-    profile = profiles[example[:profile_id]]
-    return nil if profile.nil? || profile[:controls].nil?
-    profile[:controls][example[:id]]
+    p = example2profile(example, profiles)
+    p[:controls][example[:id]] if p && p[:controls]
   end
 
   def format_example(example)
@@ -240,7 +262,7 @@ class InspecRspecCli < InspecRspecJson # rubocop:disable Metrics/ClassLength
       print_line(
         color: '', indicator: @indicators['empty'], id: '', profile: '',
         summary: 'No tests executed.'
-      )
+      ) if @current_control.nil?
       output.puts('')
     end
 
@@ -348,7 +370,7 @@ class InspecRspecCli < InspecRspecJson # rubocop:disable Metrics/ClassLength
       test_status = x[:status_type]
       test_color = @colors[test_status]
       indicator = @indicators[x[:status]]
-      indicator = @indicators['empty'] if all.length == 1 || indicator.nil?
+      indicator = @indicators['empty'] if indicator.nil?
       msg = x[:message] || x[:skip_message] || x[:code_desc]
       print_line(
         color:      test_color,
@@ -364,9 +386,18 @@ class InspecRspecCli < InspecRspecJson # rubocop:disable Metrics/ClassLength
       control_result = control[:results]
       title = control_result[0][:code_desc].split[0..1].join(' ')
       puts '  ' + title
+      # iterate over all describe blocks in anonoymous control block
       control_result.each do |test|
         control_id = ''
-        test_result = test[:code_desc].split[2..-1].join(' ')
+        # display exceptions
+        unless test[:exception].nil?
+          test_result = test[:message]
+        else
+          # determine title
+          test_result = test[:code_desc].split[2..-1].join(' ')
+          # show error message
+          test_result += "\n" + test[:message] unless test[:message].nil?
+        end
         status_indicator = test[:status_type]
         print_line(
           color:      @colors[status_indicator] || '',

data/lib/inspec/rule.rb

@@ -33,6 +33,10 @@ module Inspec
       instance_eval(&block) if block_given?
     end
 
+    def to_s
+      Inspec::Rule.rule_id(self)
+    end
+
     def id(*_)
       # never overwrite the ID
       @id

data/lib/inspec/runner.rb

@@ -14,13 +14,34 @@ require 'inspec/secrets'
 # spec requirements
 
 module Inspec
+  #
+  # Inspec::Runner coordinates the running of tests and is the main
+  # entry point to the application.
+  #
+  # Users are expected to insantiate a runner, add targets to be run,
+  # and then call the run method:
+  #
+  # ```
+  # r = Inspec::Runner.new()
+  # r.add_target("/path/to/some/profile")
+  # r.add_target("http://url/to/some/profile")
+  # r.run
+  # ```
+  #
   class Runner # rubocop:disable Metrics/ClassLength
     extend Forwardable
+
+    def_delegator :@test_collector, :report
+    def_delegator :@test_collector, :reset
+
     attr_reader :backend, :rules, :attributes
     def initialize(conf = {})
       @rules = []
       @conf = conf.dup
       @conf[:logger] ||= Logger.new(nil)
+      @target_profiles = []
+      @controls = @conf[:controls] || []
+      @ignore_supports = @conf[:ignore_supports]
 
       @test_collector = @conf.delete(:test_collector) || begin
         require 'inspec/runner_rspec'
@@ -38,19 +59,31 @@ module Inspec
       @test_collector.tests
     end
 
-    def normalize_map(hm)
-      res = {}
-      hm.each {|k, v|
-        res[k.to_s] = v
-      }
-      res
-    end
-
     def configure_transport
       @backend = Inspec::Backend.create(@conf)
       @test_collector.backend = @backend
     end
 
+    def run(with = nil)
+      Inspec::Log.debug "Starting run with targets: #{@target_profiles.map(&:to_s)}"
+      Inspec::Log.debug "Backend is #{@backend}"
+      all_controls = []
+
+      @target_profiles.each do |profile|
+        @test_collector.add_profile(profile)
+        profile.locked_dependencies
+        profile.load_libraries
+        @attributes |= profile.runner_context.attributes
+        all_controls += profile.collect_tests
+      end
+
+      all_controls.each do |rule|
+        register_rule(rule)
+      end
+
+      @test_collector.run(with)
+    end
+
     # determine all attributes before the execution, fetch data from secrets backend
     def load_attributes(options)
       attributes = {}
@@ -66,15 +99,54 @@ module Inspec
       options['attributes'] = attributes
     end
 
-    # Returns the profile context used the profile at this target.
-    def add_target(target, options = {})
-      profile = Inspec::Profile.for_target(target, options)
+    #
+    # add_target allows the user to add a target whose tests will be
+    # run when the user calls the run method.
+    #
+    # A target is a path or URL that points to a profile. Using this
+    # target we generate a Profile and a ProfileContext. The content
+    # (libraries, tests, and attributes) from the Profile are loaded
+    # into the ProfileContext.
+    #
+    # If the profile depends on other profiles, those profiles will be
+    # loaded on-demand when include_content or required_content are
+    # called using similar code in Inspec::DSL.
+    #
+    # Once the we've loaded all of the tests files in the profile, we
+    # query the profile for the full list of rules. Those rules are
+    # registered with the @test_collector which is ultimately
+    # responsible for actually running the tests.
+    #
+    # TODO: Deduplicate/clarify the loading code that exists in here,
+    # the ProfileContext, the Profile, and Inspec::DSL
+    #
+    # @params target [String] A path or URL to a profile or raw test.
+    # @params _opts [Hash] Unused, but still here to avoid breaking kitchen-inspec
+    #
+    # @eturns [Inspec::ProfileContext]
+    #
+    def add_target(target, _opts = [])
+      profile = Inspec::Profile.for_target(target, backend: @backend, controls: @controls)
       fail "Could not resolve #{target} to valid input." if profile.nil?
-      add_profile(profile, options)
+      @target_profiles << profile if supports_profile?(profile)
+    end
+
+    #
+    # This is used by inspec-shell and inspec-detect.  This should
+    # probably be cleaned up a bit.
+    #
+    # @params [Hash] Options
+    # @returns [Inspec::ProfileContext]
+    #
+    def create_context(options = {})
+      meta = options[:metadata]
+      profile_id = nil
+      profile_id = meta.params[:name] unless meta.nil?
+      Inspec::ProfileContext.new(profile_id, @backend, @conf.merge(options))
     end
 
     def supports_profile?(profile)
-      return true if profile.metadata.nil?
+      return true if profile.metadata.nil? || @ignore_supports
 
       if !profile.metadata.supports_runtime?
         fail 'This profile requires InSpec version '\
@@ -90,61 +162,6 @@ module Inspec
       true
     end
 
-    # Returns the profile context used to initialize this profile.
-    def add_profile(profile, options = {})
-      return if !options[:ignore_supports] && !supports_profile?(profile)
-
-      @test_collector.add_profile(profile)
-      options[:metadata] = profile.metadata
-      options[:profile] = profile
-
-      libs = profile.libraries.map do |k, v|
-        { ref: k, content: v }
-      end
-
-      tests = profile.tests.map do |ref, content|
-        r = profile.source_reader.target.abs_path(ref)
-        { ref: r, content: content }
-      end
-
-      add_content(tests, libs, options)
-    end
-
-    def create_context(options = {})
-      meta = options[:metadata]
-      profile_id = nil
-      profile_id = meta.params[:name] unless meta.nil?
-      Inspec::ProfileContext.new(profile_id, @backend, @conf.merge(options))
-    end
-
-    # Returns the profile context used to evaluate the given content.
-    # Calling this method again will use a different context each time.
-    def add_content(tests, libs, options = {})
-      return if tests.nil? || tests.empty?
-
-      # load all libraries
-      ctx = create_context(options)
-      ctx.load_libraries(libs.map { |x| [x[:content], x[:ref], x[:line]] })
-
-      # hand the context to the profile for further evaluation
-      unless (profile = options[:profile]).nil?
-        profile.runner_context = ctx
-      end
-
-      # evaluate the test content
-      Array(tests).each { |t| add_test_to_context(t, ctx) }
-
-      # merge and collect all attributes
-      @attributes |= ctx.attributes
-
-      # process the resulting rules
-      filter_controls(ctx.all_rules, options[:controls]).each do |rule|
-        register_rule(rule)
-      end
-
-      ctx
-    end
-
     # In some places we read the rules off of the runner, in other
     # places we read it off of the profile context. To keep the API's
     # the same, we provide an #all_rules method here as well.
@@ -162,26 +179,8 @@ module Inspec
       new_tests
     end
 
-    def_delegator :@test_collector, :run
-    def_delegator :@test_collector, :report
-    def_delegator :@test_collector, :reset
-
     private
 
-    def add_test_to_context(test, ctx)
-      content = test[:content]
-      return if content.nil? || content.empty?
-      ctx.load(content, test[:ref], test[:line])
-    end
-
-    def filter_controls(controls_array, include_list)
-      return controls_array if include_list.nil? || include_list.empty?
-      controls_array.select do |c|
-        id = ::Inspec::Rule.rule_id(c)
-        include_list.include?(id)
-      end
-    end
-
     def block_source_info(block)
       return {} if block.nil? || !block.respond_to?(:source_location)
       opts = {}
@@ -226,6 +225,7 @@ module Inspec
     end
 
     def register_rule(rule)
+      Inspec::Log.debug "Registering rule #{rule}"
       @rules << rule
       checks = ::Inspec::Rule.prepare_checks(rule)
       examples = checks.map do |m, a, b|