inspec 0.35.0 → 1.0.0.beta2

data/lib/inspec/base_cli.rb

@@ -58,6 +58,10 @@ module Inspec
         desc: 'Use colors in output.'
       option :attrs, type: :array,
         desc: 'Load attributes file (experimental)'
+      option :cache, type: :string,
+        desc: 'Use the given path for caching dependencies. (default: ~/.inspec/cache)'
+      option :create_lockfile, type: :boolean, default: true,
+        desc: 'Write out a lockfile based on this execution (unless one already exists)'
     end
 
     private

data/lib/inspec/cli.rb

@@ -102,8 +102,8 @@ class Inspec::InspecCLI < Inspec::BaseCLI # rubocop:disable Metrics/ClassLength
   desc 'vendor', 'Download all dependencies and generate a lockfile'
   def vendor(path = nil)
     configure_logger(opts)
-    profile = Inspec::Profile.for_target('./', opts)
-    lockfile = profile.generate_lockfile(path)
+    profile = Inspec::Profile.for_target('./', opts.merge(cache: Inspec::Cache.new(path)))
+    lockfile = profile.generate_lockfile
     File.write('inspec.lock', lockfile.to_yaml)
   end
 
@@ -213,13 +213,11 @@ class Inspec::InspecCLI < Inspec::BaseCLI # rubocop:disable Metrics/ClassLength
 
   def run_command(opts)
     runner = Inspec::Runner.new(opts)
-    ctx = runner.create_context(opts)
-    res = ctx.load(opts[:command])
+    res = runner.eval_with_virtual_profile(opts[:command])
+    runner.load
 
-    return :ruby_eval, res if ctx.rules.empty?
-
-    runner.register_rules(ctx)
-    return :rspec_run, runner.run # rubocop:disable Style/RedundantReturn
+    return :ruby_eval, res if runner.all_rules.empty?
+    return :rspec_run, runner.run_tests # rubocop:disable Style/RedundantReturn
   end
 end
 

data/lib/inspec/control_eval_context.rb

@@ -92,6 +92,14 @@ module Inspec
           res
         end
 
+        define_method :add_resource do |name, new_res|
+          resources_dsl.module_exec do
+            define_method name.to_sym do |*args|
+              new_res.new(@backend, name.to_s, *args)
+            end
+          end
+        end
+
         define_method :add_resources do |context|
           self.class.class_eval do
             include context.to_resources_dsl

data/lib/inspec/dependencies/{vendor_index.rb → cache.rb}

@@ -4,7 +4,7 @@ require 'fileutils'
 
 module Inspec
   #
-  # VendorIndex manages an on-disk cache of inspec profiles.  The
+  # Inspec::Cache manages an on-disk cache of inspec profiles.  The
   # cache can contain:
   #
   #  - .tar.gz profile archives
@@ -16,7 +16,7 @@ module Inspec
   # sources.
   #
   #
-  class VendorIndex
+  class Cache
     attr_reader :path
     def initialize(path = nil)
       @path = path || File.join(Dir.home, '.inspec', 'cache')
@@ -43,19 +43,20 @@ module Inspec
 
     #
     # For a given name and source_url, return true if the
-    # profile exists in the VendorIndex.
+    # profile exists in the Cache.
     #
     # @param [String] name
     # @param [String] source_url
     # @return [Boolean]
     #
     def exists?(key)
+      return false if key.nil? || key.empty?
       path = base_path_for(key)
       File.directory?(path) || File.exist?("#{path}.tar.gz") || File.exist?("#{path}.zip")
     end
 
     #
-    # Return the path to given profile in the vendor index.
+    # Return the path to given profile in the cache.
     #
     # The `source_url` parameter should be a URI-like string that
     # fully specifies the source of the exact version we want to pull

data/lib/inspec/dependencies/dependency_set.rb

@@ -1,5 +1,4 @@
 # encoding: utf-8
-require 'inspec/dependencies/vendor_index'
 require 'inspec/dependencies/requirement'
 require 'inspec/dependencies/resolver'
 
@@ -7,9 +6,6 @@ module Inspec
   #
   # A DependencySet manages a list of dependencies for a profile.
   #
-  # Currently this class is a thin wrapper interface to coordinate the
-  # VendorIndex and the Resolver.
-  #
   class DependencySet
     #
     # Return a dependency set given a lockfile.
@@ -18,22 +14,21 @@ module Inspec
     # @param cwd [String] Current working directory for relative path includes
     # @param vendor_path [String] Path to the vendor directory
     #
-    def self.from_lockfile(lockfile, cwd, vendor_path, backend)
-      vendor_index = VendorIndex.new(vendor_path)
+    def self.from_lockfile(lockfile, cwd, cache, backend)
       dep_tree = lockfile.deps.map do |dep|
-        Inspec::Requirement.from_lock_entry(dep, cwd, vendor_index, backend)
+        Inspec::Requirement.from_lock_entry(dep, cwd, cache, backend)
       end
 
       dep_list = flatten_dep_tree(dep_tree)
-      new(cwd, vendor_path, dep_list, backend)
+      new(cwd, cache, dep_list, backend)
     end
 
-    def self.from_array(dependencies, cwd, vendor_path, backend)
+    def self.from_array(dependencies, cwd, cache, backend)
       dep_list = {}
       dependencies.each do |d|
         dep_list[d.name] = d
       end
-      new(cwd, vendor_path, dep_list, backend)
+      new(cwd, cache, dep_list, backend)
     end
 
     # This is experimental code to test the working of the
@@ -58,9 +53,9 @@ module Inspec
     # @param cwd [String] current working directory for relative path includes
     # @param vendor_path [String] path which contains vendored dependencies
     # @return [dependencies] this
-    def initialize(cwd, vendor_path, dep_list, backend)
+    def initialize(cwd, cache, dep_list, backend)
       @cwd = cwd
-      @vendor_path = vendor_path
+      @cache = cache
       @dep_list = dep_list
       @backend = backend
     end
@@ -91,8 +86,7 @@ module Inspec
     #
     def vendor(dependencies)
       return nil if dependencies.nil? || dependencies.empty?
-      @vendor_index ||= VendorIndex.new(@vendor_path)
-      @dep_list = Resolver.resolve(dependencies, @vendor_index, @cwd, @backend)
+      @dep_list = Resolver.resolve(dependencies, @cache, @cwd, @backend)
     end
   end
 end

data/lib/inspec/dependencies/requirement.rb

@@ -9,31 +9,31 @@ module Inspec
   # appropriate we delegate to Inspec::Profile directly.
   #
   class Requirement
-    def self.from_metadata(dep, vendor_index, opts)
+    def self.from_metadata(dep, cache, opts)
       fail 'Cannot load empty dependency.' if dep.nil? || dep.empty?
-      new(dep[:name], dep[:version], vendor_index, opts[:cwd], opts.merge(dep))
+      new(dep[:name], dep[:version], cache, opts[:cwd], opts.merge(dep))
     end
 
-    def self.from_lock_entry(entry, cwd, vendor_index, backend)
+    def self.from_lock_entry(entry, cwd, cache, backend)
       req = new(entry[:name],
                 entry[:version_constraints],
-                vendor_index,
+                cache,
                 cwd,
                 entry[:resolved_source].merge(backend: backend))
 
       locked_deps = []
       Array(entry[:dependencies]).each do |dep_entry|
-        locked_deps << Inspec::Requirement.from_lock_entry(dep_entry, cwd, vendor_index, backend)
+        locked_deps << Inspec::Requirement.from_lock_entry(dep_entry, cwd, cache, backend)
       end
       req.lock_deps(locked_deps)
       req
     end
 
     attr_reader :cwd, :opts, :required_version
-    def initialize(name, version_constraints, vendor_index, cwd, opts)
+    def initialize(name, version_constraints, cache, cwd, opts)
       @name = name
       @required_version = Gem::Requirement.new(Array(version_constraints))
-      @vendor_index = vendor_index
+      @cache = cache
       @backend = opts[:backend]
       @opts = opts
       @cwd = cwd
@@ -74,7 +74,6 @@ module Inspec
         h['dependencies'] = dependencies.map(&:to_hash)
       end
 
-      h['content_hash'] = content_hash if content_hash
       h
     end
 
@@ -82,15 +81,6 @@ module Inspec
       @dependencies = dep_array
     end
 
-    def content_hash
-      @content_hash ||= begin
-                          archive_path = @vendor_index.archive_entry_for(fetcher.cache_key) || fetcher.archive_path
-                          if archive_path && File.file?(archive_path)
-                            Digest::SHA256.hexdigest File.read(archive_path)
-                          end
-                        end
-    end
-
     def fetcher
       @fetcher ||= Inspec::Fetcher.resolve(opts)
       fail "No fetcher for #{name} (options: #{opts})" if @fetcher.nil?
@@ -99,7 +89,7 @@ module Inspec
 
     def dependencies
       @dependencies ||= profile.metadata.dependencies.map do |r|
-        Inspec::Requirement.from_metadata(r, @vendor_index, cwd: @cwd, backend: @backend)
+        Inspec::Requirement.from_metadata(r, @cache, cwd: @cwd, backend: @backend)
       end
     end
 
@@ -109,10 +99,10 @@ module Inspec
 
     def profile
       opts = @opts.dup
-      opts[:cache] = @vendor_index
+      opts[:cache] = @cache
       opts[:backend] = @backend
       if !@dependencies.nil?
-        opts[:dependencies] = Inspec::DependencySet.from_array(@dependencies, @cwd, @vendor_index, @backend)
+        opts[:dependencies] = Inspec::DependencySet.from_array(@dependencies, @cwd, @cache, @backend)
       end
       @profile ||= Inspec::Profile.for_target(opts, opts)
     end

data/lib/inspec/dependencies/resolver.rb

@@ -23,9 +23,9 @@ module Inspec
   # implementation of the fetcher being used.
   #
   class Resolver
-    def self.resolve(dependencies, vendor_index, working_dir, backend)
+    def self.resolve(dependencies, cache, working_dir, backend)
       reqs = dependencies.map do |dep|
-        req = Inspec::Requirement.from_metadata(dep, vendor_index, cwd: working_dir, backend: backend)
+        req = Inspec::Requirement.from_metadata(dep, cache, cwd: working_dir, backend: backend)
         req || fail("Cannot initialize dependency: #{req}")
       end
       new.resolve(reqs)

data/lib/inspec/dsl.rb

@@ -18,6 +18,15 @@ module Inspec::DSL
   alias require_rules require_controls
   alias include_rules include_controls
 
+  def require_resource(options = {})
+    fail 'You must specify a specific resource name when calling require_resource()' if options[:resource].nil?
+
+    from_profile = options[:profile] || profile_name
+    target_name = options[:as] || options[:resource]
+    res = resource_class(from_profile, options[:resource])
+    add_resource(target_name, res)
+  end
+
   def self.load_spec_files_for_profile(bind_context, opts, &block)
     dependencies = opts[:dependencies]
     profile_id = opts[:profile_id]

data/lib/inspec/fetcher.rb

@@ -16,7 +16,7 @@ module Inspec
       end
     end
 
-    NON_FETCHER_KEYS = [:name, :version_constraint, :cwd, :backend, :cache].freeze
+    NON_FETCHER_KEYS = [:name, :version_constraint, :cwd, :backend, :cache, :sha256].freeze
     def fetcher_specified?(target)
       # Only set a default for Hash-based (i.e. from
       # inspec.yml/inspec.lock) targets

data/lib/inspec/objects/test.rb

@@ -66,8 +66,14 @@ module Inspec
       res, xtra = describe_chain
       itsy = xtra.nil? ? 'it' : 'its(' + xtra.to_s.inspect + ')'
       naughty = @negated ? '_not' : ''
-      xpect = defined?(@expectation) ? expectation.inspect+' ' : ''
-      format("%sdescribe %s do\n  %s { should%s %s %s}\nend",
+      xpect = defined?(@expectation) ? expectation.inspect : ''
+      if matcher == 'match'
+        # without this, xpect values like / \/zones\// will not be parsed properly
+        xpect = "(#{xpect})"
+      elsif xpect != ''
+        xpect = ' ' + xpect
+      end
+      format("%sdescribe %s do\n  %s { should%s %s%s }\nend",
              vars, res, itsy, naughty, matcher, xpect)
     end
 

data/lib/inspec/plugins/fetcher.rb

@@ -24,6 +24,10 @@ module Inspec
         Inspec::Fetcher
       end
 
+      def writable?
+        false
+      end
+
       #
       # The path to the archive on disk.  This can be passed to a
       # FileProvider to get access to the files in the fetched
@@ -56,6 +60,13 @@ module Inspec
         fail "Fetcher #{self} does not implement `resolved_source()`. This is required for terminal fetchers."
       end
 
+      #
+      # The unique key based on the content of the remote archive.
+      #
+      def cache_key
+        fail "Fetcher #{self} does not implement `cache_key()`. This is required for terminal fetchers."
+      end
+
       #
       # relative_target is provided to keep compatibility with 3rd
       # party plugins.
@@ -69,18 +80,6 @@ module Inspec
         file_provider = Inspec::FileProvider.for_path(archive_path)
         file_provider.relative_provider
       end
-
-      #
-      # A string based on the components of the resolved source,
-      # suitable for constructing per-source file names.
-      #
-      def cache_key
-        key = ''
-        resolved_source.each do |k, v|
-          key << "#{k}:#{v}"
-        end
-        Digest::SHA256.hexdigest key
-      end
     end
   end
 end

data/lib/inspec/plugins/resource.rb

@@ -72,6 +72,9 @@ module Inspec
       end
 
       # rubocop:enable Lint/NestedMethodDefinition
+      if __resource_registry.key?(name)
+        Inspec::Log.warn("Overwriting resource #{name}. To reference a specific version of #{name} use the resource() method")
+      end
       __resource_registry[name] = cl
     end
   end

data/lib/inspec/profile.rb

@@ -13,7 +13,7 @@ require 'inspec/backend'
 require 'inspec/rule'
 require 'inspec/log'
 require 'inspec/profile_context'
-require 'inspec/dependencies/vendor_index'
+require 'inspec/dependencies/cache'
 require 'inspec/dependencies/lockfile'
 require 'inspec/dependencies/dependency_set'
 
@@ -21,19 +21,44 @@ module Inspec
   class Profile # rubocop:disable Metrics/ClassLength
     extend Forwardable
 
+    #
+    # TODO: This function is getting pretty gross.
+    #
     def self.resolve_target(target, cache = nil)
-      cache ||= VendorIndex.new
+      cache ||= Cache.new
       fetcher = Inspec::Fetcher.resolve(target)
+
       if fetcher.nil?
         fail("Could not fetch inspec profile in #{target.inspect}.")
       end
 
-      if cache.exists?(fetcher.cache_key)
+      cache_key = if target.is_a?(Hash)
+                    target[:sha256] || target[:ref] || fetcher.cache_key
+                  else
+                    fetcher.cache_key
+                  end
+
+      if cache.exists?(cache_key)
         Inspec::Log.debug "Using cached dependency for #{target}"
-        cache.prefered_entry_for(fetcher.cache_key)
+        [cache.prefered_entry_for(cache_key), false]
       else
         fetcher.fetch(cache.base_path_for(fetcher.cache_key))
-        fetcher.archive_path
+        if target.respond_to?(:key?) && target.key?(:sha256)
+          if fetcher.resolved_source[:sha256] != target[:sha256]
+            fail <<EOF
+The remote source #{fetcher} no longer has the requested content:
+
+Request Content Hash: #{target[:sha256]}
+ Actual Content Hash: #{fetcher.resolved_source[:sha256]}
+
+For URL, supermarket, compliance, and other sources that do not
+provide versioned artifacts, this likely means that the remote source
+has changed since your lockfile was generated.
+EOF
+          end
+        end
+
+        [fetcher.archive_path, fetcher.writable?]
       end
     end
 
@@ -48,7 +73,8 @@ module Inspec
     end
 
     def self.for_target(target, opts = {})
-      for_path(resolve_target(target, opts[:cache]), opts.merge(target: target))
+      path, writable = resolve_target(target, opts[:cache])
+      for_path(path, opts.merge(target: target, writable: writable))
     end
 
     attr_reader :source_reader, :backend, :runner_context
@@ -62,10 +88,13 @@ module Inspec
       @logger = options[:logger] || Logger.new(nil)
       @locked_dependencies = options[:dependencies]
       @controls = options[:controls] || []
+      @writable = options[:writable] || false
       @profile_id = options[:id]
+      @cache = options[:cache] || Cache.new
       @backend = options[:backend] || Inspec::Backend.create(options)
       @source_reader = source_reader
       @tests_collected = false
+      @libraries_loaded = false
       Metadata.finalize(@source_reader.metadata, @profile_id)
       @runner_context = options[:profile_context] || Inspec::ProfileContext.for_profile(self,
                                                                                         @backend,
@@ -80,6 +109,10 @@ module Inspec
       metadata.params[:version]
     end
 
+    def writable? # rubocop:disable Style/TrivialAccessors
+      @writable
+    end
+
     #
     # Is this profile is supported on the current platform of the
     # backend machine and the current inspec version.
@@ -125,6 +158,8 @@ module Inspec
     end
 
     def load_libraries
+      return @runner_context if @libraries_loaded
+
       locked_dependencies.each do |d|
         c = d.load_libraries
         @runner_context.add_resources(c)
@@ -135,6 +170,7 @@ module Inspec
       end
 
       @runner_context.load_libraries(libs)
+      @libraries_loaded = true
       @runner_context
     end
 
@@ -142,19 +178,29 @@ module Inspec
       "Inspec::Profile<#{name}>"
     end
 
-    def info
-      res = params.dup
+    # return info using uncached params
+    def info!
+      info(load_params.dup)
+    end
+
+    def info(res = params.dup)
       # add information about the controls
-      controls = res[:controls].map do |id, rule|
+      res[:controls] = res[:controls].map do |id, rule|
         next if id.to_s.empty?
         data = rule.dup
         data.delete(:checks)
         data[:impact] ||= 0.5
         data[:impact] = 1.0 if data[:impact] > 1.0
         data[:impact] = 0.0 if data[:impact] < 0.0
-        [id, data]
+        data[:id] = id
+        data
+      end.compact
+
+      # resolve hash structure in groups
+      res[:groups] = res[:groups].map do |id, group|
+        group[:id] = id
+        group
       end
-      res[:controls] = Hash[controls.compact]
 
       # add information about the required attributes
       res[:attributes] = res[:attributes].map(&:to_hash) unless res[:attributes].nil? || res[:attributes].empty?
@@ -329,14 +375,14 @@ module Inspec
     # @param vendor_path [String] Path to the on-disk vendor dir
     # @return [Inspec::Lockfile]
     #
-    def generate_lockfile(vendor_path = nil)
-      res = Inspec::DependencySet.new(cwd, vendor_path, nil, @backend)
+    def generate_lockfile
+      res = Inspec::DependencySet.new(cwd, @cache, nil, @backend)
       res.vendor(metadata.dependencies)
       Inspec::Lockfile.from_dependency_set(res)
     end
 
     def load_dependencies
-      Inspec::DependencySet.from_lockfile(lockfile, cwd, nil, @backend)
+      Inspec::DependencySet.from_lockfile(lockfile, cwd, @cache, @backend)
     end
 
     private