inspec 0.33.2 → 0.34.0

data/lib/inspec/file_provider.rb

@@ -0,0 +1,219 @@
+# encoding: utf-8
+require 'rubygems/package'
+require 'zlib'
+require 'zip'
+
+module Inspec
+  class FileProvider
+    def self.for_path(path)
+      if path.is_a?(Hash)
+        MockProvider.new(path)
+      elsif File.directory?(path)
+        DirProvider.new(path)
+      elsif File.exist?(path) && path.end_with?('.tar.gz', 'tgz')
+        TarProvider.new(path)
+      elsif File.exist?(path) && path.end_with?('.zip')
+        ZipProvider.new(path)
+      elsif File.exist?(path)
+        DirProvider.new(path)
+      else
+        fail "No file provider for the provided path: #{path}"
+      end
+    end
+
+    def initialize(_path)
+    end
+
+    def read(_file)
+      fail "#{self} does not implement `read(...)`. This is required."
+    end
+
+    def files
+      fail "Fetcher #{self} does not implement `files()`. This is required."
+    end
+
+    def relative_provider
+      RelativeFileProvider.new(self)
+    end
+  end
+
+  class MockProvider < FileProvider
+    attr_reader :files
+    def initialize(path)
+      @data = path[:mock]
+      @files = @data.keys
+    end
+
+    def read(file)
+      @data[file]
+    end
+  end
+
+  class DirProvider < FileProvider
+    attr_reader :files
+    def initialize(path)
+      @files = if File.file?(path)
+                 [path]
+               else
+                 Dir[File.join(path, '**', '*')]
+               end
+      @path = path
+    end
+
+    def read(file)
+      return nil unless files.include?(file)
+      return nil unless File.file?(file)
+      File.read(file)
+    end
+  end
+
+  class ZipProvider < FileProvider
+    attr_reader :files
+
+    def initialize(path)
+      @path = path
+      @contents = {}
+      @files = []
+      ::Zip::InputStream.open(@path) do |io|
+        while (entry = io.get_next_entry)
+          @files.push(entry.name.sub(%r{/+$}, ''))
+        end
+      end
+    end
+
+    def read(file)
+      @contents[file] ||= read_from_zip(file)
+    end
+
+    private
+
+    def read_from_zip(file)
+      return nil unless @files.include?(file)
+      res = nil
+      ::Zip::InputStream.open(@path) do |io|
+        while (entry = io.get_next_entry)
+          next unless file == entry.name
+          res = io.read
+          break
+        end
+      end
+      res
+    end
+  end
+
+  class TarProvider < FileProvider
+    attr_reader :files
+
+    def initialize(path)
+      @path = path
+      @contents = {}
+      @files = []
+      Gem::Package::TarReader.new(Zlib::GzipReader.open(@path)) do |tar|
+        @files = tar.map(&:full_name)
+      end
+    end
+
+    def read(file)
+      @contents[file] ||= read_from_tar(file)
+    end
+
+    private
+
+    def read_from_tar(file)
+      return nil unless @files.include?(file)
+      res = nil
+      # NB `TarReader` includes `Enumerable` beginning with Ruby 2.x
+      Gem::Package::TarReader.new(Zlib::GzipReader.open(@path)) do |tar|
+        tar.each do |entry|
+          next unless entry.file? && file == entry.full_name
+          res = entry.read
+          break
+        end
+      end
+      res
+    end
+  end
+
+  class RelativeFileProvider
+    BLACKLIST_FILES = [
+      '/pax_global_header',
+      'pax_global_header',
+    ].freeze
+
+    attr_reader :files
+    attr_reader :prefix
+    attr_reader :parent
+
+    def initialize(parent_provider)
+      @parent = parent_provider
+      @prefix = get_prefix(parent.files)
+      if @prefix.nil?
+        fail "Could not determine path prefix for #{parent}"
+      end
+      @files = parent.files.find_all { |x| x.start_with?(prefix) && x != prefix }
+                     .map { |x| x[prefix.length..-1] }
+    end
+
+    def abs_path(file)
+      return nil if file.nil?
+      prefix + file
+    end
+
+    def read(file)
+      parent.read(abs_path(file))
+    end
+
+    private
+
+    def get_prefix(fs)
+      return '' if fs.empty?
+
+      # filter backlisted files
+      fs -= BLACKLIST_FILES
+
+      sorted = fs.sort_by(&:length)
+      get_folder_prefix(sorted)
+    end
+
+    def prefix_candidate_for(file)
+      if file.end_with?(File::SEPARATOR)
+        file
+      else
+        file + File::SEPARATOR
+      end
+    end
+
+    def get_folder_prefix(fs)
+      return get_files_prefix(fs) if fs.length == 1
+      first, *rest = fs
+      pre = prefix_candidate_for(first)
+
+      if rest.all? { |i| i.start_with? pre }
+        return get_folder_prefix(rest)
+      end
+      get_files_prefix(fs)
+    end
+
+    def get_files_prefix(fs)
+      return '' if fs.empty?
+
+      file = fs[0]
+      bn = File.basename(file)
+      # no more prefixes
+      return '' if bn == file
+
+      i = file.rindex(bn)
+      pre = file[0..i-1]
+
+      rest = fs.find_all { |f| !f.start_with?(pre) }
+      return pre if rest.empty?
+
+      new_pre = get_prefix(rest)
+      return new_pre if pre.start_with? new_pre
+      # edge case: completely different prefixes; retry prefix detection
+      a = File.dirname(pre + 'a')
+      b = File.dirname(new_pre + 'b')
+      get_prefix([a, b])
+    end
+  end
+end

data/lib/inspec/plugins/fetcher.rb

@@ -1,106 +1,85 @@
 # encoding: utf-8
 # author: Dominik Richter
 # author: Christoph Hartmann
-
 require 'utils/plugin_registry'
+require 'inspec/file_provider'
+require 'digest'
 
 module Inspec
   module Plugins
+    #
+    # An Inspec::Plugins::Fetcher is responsible for fetching a remote
+    # source to a local directory or file provided by the user.
+    #
+    # In general, there are two kinds of fetchers.  (1) Fetchers that
+    # implement this entire API (see the Git or Url fetchers for
+    # examples), and (2) fetchers that only implement self.resolve and
+    # then call the resolve_next method with a modified target hash.
+    # Fetchers in (2) do not need to implement the functions in this
+    # class because the caller will never actually get an instance of
+    # those fetchers.
+    #
     class Fetcher < PluginRegistry::Plugin
       def self.plugin_registry
         Inspec::Fetcher
       end
 
-      # Provide a list of files that are available to this fetcher.
       #
-      # @return [Array[String]] A list of filenames
-      def files
-        fail "Fetcher #{self} does not implement `files()`. This is required."
-      end
-
-      # Read a file using this fetcher. The name must correspond to a file
-      # available to this fetcher. Use #files to retrieve the list of
-      # files.
+      # The path to the archive on disk.  This can be passed to a
+      # FileProvider to get access to the files in the fetched
+      # profile.
       #
-      # @param [String] _file The filename you are interested in
-      # @return [String] The file's contents
-      def read(_file)
-        fail "Fetcher #{self} does not implement `read(...)`. This is required."
-      end
-
-      def relative_target
-        RelFetcher.new(self)
-      end
-    end
-
-    BLACKLIST_FILES = [
-      '/pax_global_header',
-      'pax_global_header',
-    ].freeze
-
-    class RelFetcher < Fetcher
-      attr_reader :files
-      attr_reader :prefix
-
-      def initialize(fetcher)
-        @parent = fetcher
-        @prefix = get_prefix(fetcher.files)
-        @files = fetcher.files.find_all { |x| x.start_with? prefix }
-                        .map { |x| x[prefix.length..-1] }
+      def archive_path
+        fail "Fetcher #{self} does not implement `archive_path()`. This is required."
       end
 
-      def abs_path(file)
-        return nil if file.nil?
-        prefix + file
+      #
+      # Fetches the remote source to a local source, using the
+      # provided path as a partial filename. That is, if you pass
+      # /foo/bar/baz, the fetcher can create:
+      #
+      # /foo/bar/baz/: A profile directory, or
+      # /foo/bar/baz.tar.gz: A profile tarball, or
+      # /foo/bar/baz.zip
+      #
+      def fetch(_path)
+        fail "Fetcher #{self} does not implement `fetch()`. This is required."
       end
 
-      def read(file)
-        @parent.read(abs_path(file))
+      #
+      # The full specification of the remote source, with any
+      # ambigious references provided by the user resolved to an exact
+      # reference where possible.  For example, in the Git provide, a
+      # tag will be resolved to an exact revision.
+      #
+      def resolved_source
+        fail "Fetcher #{self} does not implement `resolved_source()`. This is required for terminal fetchers."
       end
 
-      private
-
-      def get_prefix(fs)
-        return '' if fs.empty?
-
-        # filter backlisted files
-        fs -= BLACKLIST_FILES
-
-        sorted = fs.sort_by(&:length)
-        get_folder_prefix(sorted)
+      #
+      # relative_target is provided to keep compatibility with 3rd
+      # party plugins.
+      #
+      # Deprecated: This function may be removed in future versions of
+      # Inspec, don't depend on it in new plugins.
+      #
+      # @returns [Inspec::RelativeFileProvider]
+      #
+      def relative_target
+        file_provider = Inspec::FileProvider.for_path(archive_path)
+        file_provider.relative_provider
       end
 
-      def get_folder_prefix(fs, first_iteration = true)
-        return get_files_prefix(fs) if fs.length == 1
-        pre = fs[0] + File::SEPARATOR
-        rest = fs[1..-1]
-        if rest.all? { |i| i.start_with? pre }
-          return get_folder_prefix(rest, false)
+      #
+      # A string based on the components of the resolved source,
+      # suitable for constructing per-source file names.
+      #
+      def cache_key
+        key = ''
+        resolved_source.each do |k, v|
+          key << "#{k}:#{v}"
         end
-        return get_files_prefix(fs) if first_iteration
-        fs
-      end
-
-      def get_files_prefix(fs)
-        return '' if fs.empty?
-
-        file = fs[0]
-        bn = File.basename(file)
-        # no more prefixes
-        return '' if bn == file
-
-        i = file.rindex(bn)
-        pre = file[0..i-1]
-
-        rest = fs.find_all { |f| !f.start_with?(pre) }
-        return pre if rest.empty?
-
-        new_pre = get_prefix(rest)
-        return new_pre if pre.start_with? new_pre
-        # edge case: completely different prefixes; retry prefix detection
-        a = File.dirname(pre + 'a')
-        b = File.dirname(new_pre + 'b')
-        get_prefix([a, b])
+        Digest::SHA256.hexdigest key
       end
     end
   end

data/lib/inspec/profile.rb

@@ -6,11 +6,14 @@
 require 'forwardable'
 require 'inspec/polyfill'
 require 'inspec/fetcher'
+require 'inspec/file_provider'
 require 'inspec/source_reader'
 require 'inspec/metadata'
 require 'inspec/backend'
 require 'inspec/rule'
+require 'inspec/log'
 require 'inspec/profile_context'
+require 'inspec/dependencies/vendor_index'
 require 'inspec/dependencies/lockfile'
 require 'inspec/dependencies/dependency_set'
 
@@ -18,24 +21,34 @@ module Inspec
   class Profile # rubocop:disable Metrics/ClassLength
     extend Forwardable
 
-    def self.resolve_target(target)
-      # Fetchers retrieve file contents
+    def self.resolve_target(target, cache = nil)
+      cache ||= VendorIndex.new
       fetcher = Inspec::Fetcher.resolve(target)
       if fetcher.nil?
         fail("Could not fetch inspec profile in #{target.inspect}.")
       end
-      # Source readers understand the target's structure and provide
-      # access to tests, libraries, and metadata
-      reader = Inspec::SourceReader.resolve(fetcher.relative_target)
+
+      if cache.exists?(fetcher.cache_key)
+        Inspec::Log.debug "Using cached dependency for #{target}"
+        cache.prefered_entry_for(fetcher.cache_key)
+      else
+        fetcher.fetch(cache.base_path_for(fetcher.cache_key))
+        fetcher.archive_path
+      end
+    end
+
+    def self.for_path(path, opts)
+      file_provider = FileProvider.for_path(path)
+      reader = Inspec::SourceReader.resolve(file_provider.relative_provider)
       if reader.nil?
-        fail("Don't understand inspec profile in #{target.inspect}, it "\
+        fail("Don't understand inspec profile in #{path}, it " \
              "doesn't look like a supported profile structure.")
       end
-      reader
+      new(reader, opts)
     end
 
     def self.for_target(target, opts = {})
-      new(resolve_target(target), opts.merge(target: target))
+      for_path(resolve_target(target, opts[:cache]), opts.merge(target: target))
     end
 
     attr_reader :source_reader
@@ -46,18 +59,18 @@ module Inspec
 
     # rubocop:disable Metrics/AbcSize
     def initialize(source_reader, options = {})
-      @options = options
-      @target = @options.delete(:target)
-      @logger = @options[:logger] || Logger.new(nil)
-      @source_reader = source_reader
-      if options[:dependencies]
-        @locked_dependencies = options[:dependencies]
-      end
+      @target = options.delete(:target)
+      @logger = options[:logger] || Logger.new(nil)
+      @locked_dependencies = options[:dependencies]
       @controls = options[:controls] || []
-      @profile_id = @options[:id]
-      @backend = @options[:backend] || Inspec::Backend.create(options)
+      @profile_id = options[:id]
+      @backend = options[:backend] || Inspec::Backend.create(options)
+      @source_reader = source_reader
+      @tests_collected = false
       Metadata.finalize(@source_reader.metadata, @profile_id)
-      @runner_context = @options[:profile_context] || Inspec::ProfileContext.for_profile(self, @backend, @options[:attributes])
+      @runner_context = options[:profile_context] || Inspec::ProfileContext.for_profile(self,
+                                                                                        @backend,
+                                                                                        options[:attributes])
     end
 
     def name

data/lib/inspec/resource.rb

@@ -106,7 +106,8 @@ require 'resources/service'
 require 'resources/shadow'
 require 'resources/ssl'
 require 'resources/ssh_conf'
-require 'resources/user'
+require 'resources/sys_info'
+require 'resources/users'
 require 'resources/vbscript'
 require 'resources/windows_feature'
 require 'resources/xinetd'

data/lib/inspec/source_reader.rb

@@ -11,9 +11,6 @@ module Inspec
   class SourceReaderRegistry < PluginRegistry
     def resolve(target)
       return nil if target.nil?
-      unless target.is_a? Inspec::Plugins::Fetcher
-        fail "SourceReader cannot resolve targets that aren't Fetchers: #{target.class}"
-      end
       super(target)
     end
   end

data/lib/inspec/version.rb

@@ -4,5 +4,5 @@
 # author: Christoph Hartmann
 
 module Inspec
-  VERSION = '0.33.2'.freeze
+  VERSION = '0.34.0'.freeze
 end

data/lib/resources/security_policy.rb

@@ -13,72 +13,101 @@
 # All local GPO parameters can be examined via Registry, but not all security
 # parameters. Therefore we need a combination of Registry and secedit output
 
+require 'hashie'
+
 module Inspec::Resources
   class SecurityPolicy < Inspec.resource(1)
     name 'security_policy'
     desc 'Use the security_policy InSpec audit resource to test security policies on the Microsoft Windows platform.'
     example "
       describe security_policy do
-        its('SeNetworkLogonRight') { should eq '*S-1-5-11' }
+        its('SeNetworkLogonRight') { should include 'S-1-5-11' }
       end
     "
-    def initialize
-      @loaded = false
-      @policy = nil
-      @exit_status = nil
+
+    def content
+      read_content
+    end
+
+    def params(*opts)
+      opts.inject(read_params) do |res, nxt|
+        res.respond_to?(:key) ? res[nxt] : nil
+      end
+    end
+
+    def method_missing(name)
+      params = read_params
+      return nil if params.nil?
+
+      # deep search for hash key
+      params.extend Hashie::Extensions::DeepFind
+      res = params.deep_find(name.to_s)
+      res
+    end
+
+    def to_s
+      'Security Policy'
     end
 
-    # load security content
-    def load
+    private
+
+    def read_content
+      return @content if defined?(@content)
+
       # export the security policy
       cmd = inspec.command('secedit /export /cfg win_secpol.cfg')
       return nil if cmd.exit_status.to_i != 0
 
       # store file content
       cmd = inspec.command('Get-Content win_secpol.cfg')
-      @exit_status = cmd.exit_status.to_i
-      return nil if @exit_status != 0
-      @policy = cmd.stdout
-      @loaded = true
-
-      # returns self
-      self
+      return skip_resource "Can't read security policy" if cmd.exit_status.to_i != 0
+      @content = cmd.stdout
 
+      if @content.empty? && file.size > 0
+        return skip_resource "Can't read security policy"
+      end
+      @content
     ensure
       # delete temp file
       inspec.command('Remove-Item win_secpol.cfg').exit_status.to_i
     end
 
-    def method_missing(method)
-      # load data if needed
-      if @loaded == false
-        load
-      end
-
-      # find line with key
-      key = Regexp.escape(method.to_s)
-      target = ''
-      @policy.each_line {|s|
-        target = s.strip if s =~ /^\s*#{key}\s*=\s*(.*)\b/
-      }
+    def read_params
+      return @params if defined?(@params)
+      return @params = {} if read_content.nil?
 
-      # extract variable value
-      result = target.match(/[=]{1}\s*(?<value>.*)/)
+      conf = SimpleConfig.new(
+        @content,
+        assignment_re: /^\s*(.*)=\s*(\S*)\s*$/,
+      )
+      @params = convert_hash(conf.params)
+    end
 
-      if !result.nil?
-        val = result[:value]
-        val = val.to_i if val =~ /^\d+$/
+    # extracts the values, this methods detects:
+    # numbers and SIDs and optimizes them for further usage
+    def extract_value(val)
+      if val =~ /^\d+$/
+        val.to_i
+      # special handling for SID array
+      elsif val =~ /^\*\S/
+        val.split(',').map { |v|
+          v.sub('*S', 'S')
+        }
+      # special handling for string values with "
+      elsif !(m = /^\"(.*)\"$/.match(val)).nil?
+        m[1]
       else
-        # TODO: we may need to return skip or failure if the
-        # requested value is not available
-        val = nil
+        val
       end
-
-      val
     end
 
-    def to_s
-      'Security Policy'
+    def convert_hash(hash)
+      new_hash = {}
+      hash.each do |k, v|
+        v.is_a?(Hash) ? value = convert_hash(v) : value = extract_value(v)
+        new_hash[k.strip] = value
+      end
+      new_hash
     end
   end
 end

data/lib/resources/sys_info.rb

@@ -0,0 +1,26 @@
+# encoding: utf-8
+module Inspec::Resources
+  # this resource returns additional system informatio
+  class System < Inspec.resource(1)
+    name 'sys_info'
+
+    desc 'Use the user InSpec system resource to test for operating system properties.'
+    example "
+      describe sysinfo do
+        its('hostname') { should eq 'example.com' }
+      end
+    "
+
+    # returns the hostname of the local system
+    def hostname
+      os = inspec.os
+      if os.linux?
+        inspec.command('hostname').stdout.chomp
+      elsif os.windows?
+        inspec.powershell('$env:computername').stdout.chomp
+      else
+        skip_resource 'The `sys_info.hostname` resource is not supported on your OS yet.'
+      end
+    end
+  end
+end