RubyGems - inspec - Versions diffs - 0.9.0 - Mend

inspec 0.9.0

Files changed (247) hide show

checksums.yaml +7 -0
data/.gitignore +8 -0
data/.rubocop.yml +65 -0
data/.travis.yml +23 -0
data/CHANGELOG.md +38 -0
data/Gemfile +33 -0
data/LICENSE +201 -0
data/MAINTAINERS.md +28 -0
data/MAINTAINERS.toml +42 -0
data/README.md +257 -0
data/Rakefile +47 -0
data/bin/inspec +109 -0
data/docs/ctl_inspec.rst +195 -0
data/docs/dsl_inspec.rst +182 -0
data/docs/readme.rst +100 -0
data/docs/resources.rst +4319 -0
data/docs/template.rst +51 -0
data/examples/test-kitchen/.kitchen.yml +20 -0
data/examples/test-kitchen/Berksfile +3 -0
data/examples/test-kitchen/Gemfile +21 -0
data/examples/test-kitchen/README.md +27 -0
data/examples/test-kitchen/metadata.rb +7 -0
data/examples/test-kitchen/recipes/default.rb +6 -0
data/examples/test-kitchen/recipes/nginx.rb +30 -0
data/examples/test-kitchen/test/integration/default/web_spec.rb +28 -0
data/inspec.gemspec +30 -0
data/lib/inspec.rb +20 -0
data/lib/inspec/backend.rb +42 -0
data/lib/inspec/dsl.rb +151 -0
data/lib/inspec/log.rb +34 -0
data/lib/inspec/metadata.rb +79 -0
data/lib/inspec/plugins.rb +9 -0
data/lib/inspec/plugins/resource.rb +62 -0
data/lib/inspec/profile.rb +138 -0
data/lib/inspec/profile_context.rb +170 -0
data/lib/inspec/resource.rb +76 -0
data/lib/inspec/rspec_json_formatter.rb +27 -0
data/lib/inspec/rule.rb +170 -0
data/lib/inspec/runner.rb +154 -0
data/lib/inspec/shell.rb +66 -0
data/lib/inspec/targets.rb +9 -0
data/lib/inspec/targets/core.rb +27 -0
data/lib/inspec/targets/dir.rb +67 -0
data/lib/inspec/targets/file.rb +29 -0
data/lib/inspec/targets/folder.rb +43 -0
data/lib/inspec/targets/tar.rb +34 -0
data/lib/inspec/targets/url.rb +39 -0
data/lib/inspec/targets/zip.rb +47 -0
data/lib/inspec/version.rb +7 -0
data/lib/matchers/matchers.rb +221 -0
data/lib/resources/apache.rb +29 -0
data/lib/resources/apache_conf.rb +113 -0
data/lib/resources/apt.rb +140 -0
data/lib/resources/audit_policy.rb +63 -0
data/lib/resources/auditd_conf.rb +56 -0
data/lib/resources/auditd_rules.rb +53 -0
data/lib/resources/bond.rb +65 -0
data/lib/resources/bridge.rb +114 -0
data/lib/resources/command.rb +57 -0
data/lib/resources/csv.rb +32 -0
data/lib/resources/directory.rb +15 -0
data/lib/resources/etc_group.rb +150 -0
data/lib/resources/file.rb +110 -0
data/lib/resources/gem.rb +46 -0
data/lib/resources/group.rb +132 -0
data/lib/resources/host.rb +143 -0
data/lib/resources/inetd_conf.rb +56 -0
data/lib/resources/interface.rb +127 -0
data/lib/resources/iptables.rb +65 -0
data/lib/resources/json.rb +64 -0
data/lib/resources/kernel_module.rb +40 -0
data/lib/resources/kernel_parameter.rb +55 -0
data/lib/resources/limits_conf.rb +55 -0
data/lib/resources/login_def.rb +60 -0
data/lib/resources/mysql.rb +81 -0
data/lib/resources/mysql_conf.rb +116 -0
data/lib/resources/mysql_session.rb +52 -0
data/lib/resources/npm.rb +44 -0
data/lib/resources/ntp_conf.rb +58 -0
data/lib/resources/oneget.rb +63 -0
data/lib/resources/os.rb +22 -0
data/lib/resources/os_env.rb +34 -0
data/lib/resources/package.rb +169 -0
data/lib/resources/parse_config.rb +75 -0
data/lib/resources/passwd.rb +93 -0
data/lib/resources/pip.rb +75 -0
data/lib/resources/port.rb +296 -0
data/lib/resources/postgres.rb +37 -0
data/lib/resources/postgres_conf.rb +87 -0
data/lib/resources/postgres_session.rb +59 -0
data/lib/resources/processes.rb +57 -0
data/lib/resources/registry_key.rb +54 -0
data/lib/resources/script.rb +34 -0
data/lib/resources/security_policy.rb +73 -0
data/lib/resources/service.rb +379 -0
data/lib/resources/ssh_conf.rb +75 -0
data/lib/resources/user.rb +374 -0
data/lib/resources/windows_feature.rb +77 -0
data/lib/resources/yaml.rb +23 -0
data/lib/resources/yum.rb +154 -0
data/lib/utils/convert.rb +12 -0
data/lib/utils/detect.rb +15 -0
data/lib/utils/find_files.rb +36 -0
data/lib/utils/hash.rb +13 -0
data/lib/utils/modulator.rb +12 -0
data/lib/utils/parser.rb +61 -0
data/lib/utils/simpleconfig.rb +115 -0
data/tasks/maintainers.rb +213 -0
data/test/docker_run.rb +156 -0
data/test/docker_test.rb +51 -0
data/test/helper.rb +200 -0
data/test/integration/.kitchen.yml +42 -0
data/test/integration/Berksfile +4 -0
data/test/integration/cookbooks/os_prepare/metadata.rb +8 -0
data/test/integration/cookbooks/os_prepare/recipes/apt.rb +20 -0
data/test/integration/cookbooks/os_prepare/recipes/default.rb +9 -0
data/test/integration/cookbooks/os_prepare/recipes/file.rb +21 -0
data/test/integration/cookbooks/os_prepare/recipes/package.rb +26 -0
data/test/integration/default/_debug_spec.rb +1 -0
data/test/integration/default/apt_spec.rb +42 -0
data/test/integration/default/file_spec.rb +109 -0
data/test/integration/default/group_spec.rb +32 -0
data/test/integration/default/kernel_module_spec.rb +17 -0
data/test/integration/default/kernel_parameter_spec.rb +56 -0
data/test/integration/default/package_spec.rb +11 -0
data/test/integration/default/service_spec.rb +28 -0
data/test/integration/default/user_spec.rb +44 -0
data/test/resource/command_test.rb +33 -0
data/test/resource/dsl_test.rb +45 -0
data/test/resource/file_test.rb +130 -0
data/test/resource/ssh_config.rb +9 -0
data/test/resource/sshd_config.rb +9 -0
data/test/test-extra.yaml +11 -0
data/test/test.yaml +11 -0
data/test/unit/mock/cmd/Get-NetAdapter +24 -0
data/test/unit/mock/cmd/GetUserAccount +33 -0
data/test/unit/mock/cmd/GetWin32Group +23 -0
data/test/unit/mock/cmd/PATH +1 -0
data/test/unit/mock/cmd/Resolve-DnsName +26 -0
data/test/unit/mock/cmd/Test-NetConnection +4 -0
data/test/unit/mock/cmd/auditctl +7 -0
data/test/unit/mock/cmd/auditpol +2 -0
data/test/unit/mock/cmd/brew-info-jq +1 -0
data/test/unit/mock/cmd/chage-l-root +7 -0
data/test/unit/mock/cmd/dpkg-s-curl +21 -0
data/test/unit/mock/cmd/dscl +5 -0
data/test/unit/mock/cmd/etc-apt +7 -0
data/test/unit/mock/cmd/find-etc-rc-d-name-S +12 -0
data/test/unit/mock/cmd/find-net-interface +9 -0
data/test/unit/mock/cmd/gem-list-local-a-q-rubocop +1 -0
data/test/unit/mock/cmd/get-net-tcpconnection +24 -0
data/test/unit/mock/cmd/get-netadapter-binding-bridge +4 -0
data/test/unit/mock/cmd/get-package-firefox +30 -0
data/test/unit/mock/cmd/get-package-ruby +18 -0
data/test/unit/mock/cmd/get-service-dhcp +10 -0
data/test/unit/mock/cmd/get-windows-feature +7 -0
data/test/unit/mock/cmd/getent-hosts-example.com +1 -0
data/test/unit/mock/cmd/getent-passwd-root +1 -0
data/test/unit/mock/cmd/id-chartmann +1 -0
data/test/unit/mock/cmd/id-root +1 -0
data/test/unit/mock/cmd/initctl-show-config-ssh +3 -0
data/test/unit/mock/cmd/initctl-status-ssh +1 -0
data/test/unit/mock/cmd/iptables-s +6 -0
data/test/unit/mock/cmd/launchctl-list +3 -0
data/test/unit/mock/cmd/ls-1-etc-init.d +2 -0
data/test/unit/mock/cmd/ls-sys-class-net-br +2 -0
data/test/unit/mock/cmd/lsmod +2 -0
data/test/unit/mock/cmd/lsof-np-itcp +4 -0
data/test/unit/mock/cmd/netstat-tulpen +5 -0
data/test/unit/mock/cmd/npm-ls-g--json-bower +9 -0
data/test/unit/mock/cmd/pacman-qi-curl +21 -0
data/test/unit/mock/cmd/ping-example.com +6 -0
data/test/unit/mock/cmd/pip-show-jinja2 +11 -0
data/test/unit/mock/cmd/ps-aux +3 -0
data/test/unit/mock/cmd/pw-usershow-root-7 +1 -0
data/test/unit/mock/cmd/reg_schedule +1 -0
data/test/unit/mock/cmd/rpm-qia-curl +24 -0
data/test/unit/mock/cmd/sbin_sysctl +1 -0
data/test/unit/mock/cmd/secedit-export +7 -0
data/test/unit/mock/cmd/service-e +2 -0
data/test/unit/mock/cmd/service-sendmail-onestatus +3 -0
data/test/unit/mock/cmd/service-sshd-status +1 -0
data/test/unit/mock/cmd/sockstat +5 -0
data/test/unit/mock/cmd/success +0 -0
data/test/unit/mock/cmd/systemctl-show-all-sshd +6 -0
data/test/unit/mock/cmd/win32_product +8 -0
data/test/unit/mock/cmd/yum-repolist-all +52 -0
data/test/unit/mock/files/auditd.conf +4 -0
data/test/unit/mock/files/bond0 +37 -0
data/test/unit/mock/files/etcgroup +3 -0
data/test/unit/mock/files/example.csv +6 -0
data/test/unit/mock/files/inetd.conf +2 -0
data/test/unit/mock/files/kitchen.yml +7 -0
data/test/unit/mock/files/limits.conf +5 -0
data/test/unit/mock/files/login.defs +5 -0
data/test/unit/mock/files/mysql.conf +8 -0
data/test/unit/mock/files/mysql2.conf +2 -0
data/test/unit/mock/files/ntp.conf +5 -0
data/test/unit/mock/files/passwd +2 -0
data/test/unit/mock/files/policyfile.lock.json +12 -0
data/test/unit/mock/files/ssh_config +5 -0
data/test/unit/mock/files/sshd_config +7 -0
data/test/unit/mock/profiles/empty/metadata.rb +0 -0
data/test/unit/mock/profiles/metadata/metadata.rb +1 -0
data/test/unit/profile_context_test.rb +140 -0
data/test/unit/profile_test.rb +49 -0
data/test/unit/resources/apt_test.rb +46 -0
data/test/unit/resources/audit_policy_test.rb +13 -0
data/test/unit/resources/auditd_conf_test.rb +15 -0
data/test/unit/resources/auditd_rules_test.rb +21 -0
data/test/unit/resources/bond_test.rb +24 -0
data/test/unit/resources/bridge_test.rb +56 -0
data/test/unit/resources/csv_test.rb +35 -0
data/test/unit/resources/etc_group_test.rb +37 -0
data/test/unit/resources/gem_test.rb +20 -0
data/test/unit/resources/group_test.rb +96 -0
data/test/unit/resources/host_test.rb +38 -0
data/test/unit/resources/inetd_conf_test.rb +15 -0
data/test/unit/resources/interface_test.rb +54 -0
data/test/unit/resources/iptables_test.rb +30 -0
data/test/unit/resources/json_test.rb +36 -0
data/test/unit/resources/kernel_module_test.rb +23 -0
data/test/unit/resources/kernel_parameter_test.rb +13 -0
data/test/unit/resources/limits_conf_test.rb +14 -0
data/test/unit/resources/login_def_test.rb +16 -0
data/test/unit/resources/mysql_conf_test.rb +14 -0
data/test/unit/resources/npm_test.rb +20 -0
data/test/unit/resources/ntp_conf_test.rb +16 -0
data/test/unit/resources/oneget_test.rb +45 -0
data/test/unit/resources/os_env_test.rb +13 -0
data/test/unit/resources/package_test.rb +51 -0
data/test/unit/resources/passwd_test.rb +24 -0
data/test/unit/resources/pip_test.rb +15 -0
data/test/unit/resources/port_test.rb +46 -0
data/test/unit/resources/processes_test.rb +32 -0
data/test/unit/resources/registry_key_test.rb +19 -0
data/test/unit/resources/script_test.rb +19 -0
data/test/unit/resources/security_policy_test.rb +16 -0
data/test/unit/resources/service_test.rb +116 -0
data/test/unit/resources/ssh_conf_test.rb +33 -0
data/test/unit/resources/user_test.rb +93 -0
data/test/unit/resources/windows_feature.rb +17 -0
data/test/unit/resources/yaml_test.rb +34 -0
data/test/unit/resources/yum_test.rb +68 -0
data/test/unit/simpleconfig_test.rb +80 -0
data/test/unit/utils/content_parser_test.rb +30 -0
metadata +555 -0

data/lib/inspec/targets.rb ADDED Viewed

@@ -0,0 +1,9 @@
+# encoding: utf-8
+# author: Dominik Richter
+# author: Christoph Hartmann
+require 'inspec/targets/core'
+require 'inspec/targets/file'
+require 'inspec/targets/folder'
+require 'inspec/targets/url'
+require 'inspec/targets/dir'

data/lib/inspec/targets/core.rb ADDED Viewed

@@ -0,0 +1,27 @@
+# encoding: utf-8
+# author: Dominik Richter
+# author: Christoph Hartmann
+require 'utils/modulator'
+module Inspec
+  module Targets
+    extend Modulator
+    def self.__resolve(items)
+      items.map do |_|
+        # @TODO
+      end.flatten
+    end
+    def self.resolve(targets)
+      Array(targets).map do |target|
+        handler = modules.values.find { |m| m.handles?(target) }
+        if handler.nil?
+          fail "Don't know how to handle target: #{target}"
+        end
+        handler.resolve(target)
+      end.flatten
+    end
+  end
+end

data/lib/inspec/targets/dir.rb ADDED Viewed

@@ -0,0 +1,67 @@
+# encoding: utf-8
+# author: Dominik Richter
+# author: Christoph Hartmann
+module Inspec::Targets
+  module DirsHelper
+    class ProfileDir
+      def handles?(paths)
+        paths.include?('test') && paths.include?('metadata.rb')
+      end
+      def get_libraries(paths)
+        paths.find_all do |path|
+          path.start_with?('libraries') && path.end_with?('.rb')
+        end
+      end
+      def get_filenames(paths)
+        paths.find_all do |path|
+          path.start_with?('test') && path.end_with?('.rb')
+        end
+      end
+    end
+    class ChefAuditDir
+      def handles?(paths)
+        paths.include?('recipes') and paths.include?('metadata.rb')
+      end
+      def get_filenames(paths)
+        paths.find_all do |x|
+          x.start_with? 'recipes/' and x.end_with? '.rb'
+        end
+      end
+    end
+    class ServerspecDir
+      def handles?(paths)
+        paths.include?('spec')
+      end
+      def get_filenames(paths)
+        paths.find_all do |path|
+          path.start_with? 'spec' and path.end_with? '_spec.rb'
+        end
+      end
+    end
+    class FlatDir
+      def handles?(paths)
+        get_filenames(paths).empty? == false
+      end
+      def get_filenames(paths)
+        paths.find_all { |x| x.end_with?('.rb') and !x.include?('/') }
+      end
+    end
+    HANDLERS = [
+      ProfileDir, ChefAuditDir, ServerspecDir, FlatDir
+    ].map(&:new)
+    def self.get_handler(paths)
+      HANDLERS.find { |x| x.handles? paths }
+    end
+  end
+end

data/lib/inspec/targets/file.rb ADDED Viewed

@@ -0,0 +1,29 @@
+# encoding: utf-8
+# author: Dominik Richter
+# author: Christoph Hartmann
+module Inspec::Targets
+  class FileHelper
+    def handles?(target)
+      File.file?(target) and target.end_with?('.rb')
+    end
+    def resolve(target, opts = {})
+      base = opts[:base_folder]
+      path = base.nil? ? target : File.join(base, target)
+      {
+        content: File.read(path),
+        type: opts[:as] || :test,
+        ref: path,
+      }
+    end
+    def resolve_all(targets, opts = {})
+      Array(targets).map do |target|
+        resolve(target, opts)
+      end
+    end
+  end
+  Inspec::Targets.add_module('file', FileHelper.new)
+end

data/lib/inspec/targets/folder.rb ADDED Viewed

@@ -0,0 +1,43 @@
+# encoding: utf-8
+# author: Dominik Richter
+# author: Christoph Hartmann
+require 'inspec/targets/dir'
+require 'inspec/targets/file'
+module Inspec::Targets
+  class FolderHelper
+    def handles?(target)
+      File.directory?(target)
+    end
+    def resolve(target)
+      # find all files in the folder
+      files = Dir[File.join(target, '**', '*')]
+      # remove the prefix
+      prefix = File.join(target, '')
+      files = files.map { |x| x.sub(prefix, '') }
+      # get the dirs helper
+      helper = DirsHelper.get_handler(files)
+      if helper.nil?
+        fail "Don't know how to handle folder #{target}"
+      end
+      # get all test file contents
+      file_handler = Inspec::Targets.modules['file']
+      raw_files = helper.get_filenames(files)
+      tests = file_handler.resolve_all(raw_files, base_folder: target)
+      libs = []
+      if helper.respond_to? :get_libraries
+        raw_libs = helper.get_libraries(files)
+        libs = file_handler.resolve_all(raw_libs,
+                                        base_folder: target, as: :library)
+      end
+      libs + tests
+    end
+  end
+  Inspec::Targets.add_module('folder', FolderHelper.new)
+end

data/lib/inspec/targets/tar.rb ADDED Viewed

@@ -0,0 +1,34 @@
+# encoding: utf-8
+# author: Dominik Richter
+# author: Christoph Hartmann
+require 'rubygems/package'
+require 'zlib'
+module Inspec::Targets
+  class TarHelper
+    def structure(input)
+      files = []
+      Gem::Package::TarReader.new(Zlib::GzipReader.open input) do |tar|
+        files = tar.map(&:full_name)
+      end
+      files
+    end
+    def content(input)
+      content = {}
+      Gem::Package::TarReader.new(Zlib::GzipReader.open input) do |tar|
+        tar.each do |entry|
+          if entry.directory?
+            # nothing to do
+          elsif entry.file?
+            content[entry.full_name] = entry.read
+          elsif entry.header.typeflag == '2'
+            # ignore symlinks for now
+          end
+        end
+      end
+      content
+    end
+  end
+end

data/lib/inspec/targets/url.rb ADDED Viewed

@@ -0,0 +1,39 @@
+# encoding: utf-8
+# author: Dominik Richter
+# author: Christoph Hartmann
+require 'uri'
+require 'tempfile'
+require 'open-uri'
+require 'inspec/targets/zip'
+module Inspec::Targets
+  class UrlHelper
+    def handles?(target)
+      uri = URI.parse(target)
+      return false if uri.nil? or uri.scheme.nil?
+      %{ http https }.include? uri.scheme
+    end
+    def resolve(target)
+      return nil unless target.start_with? 'https://github.com' and
+                        target.end_with? '.git'
+      url = target.sub(/.git$/, '') + '/archive/master.zip'
+      resolve_zip(url)
+    end
+    def resolve_zip(url)
+      zipfile = Tempfile.new('inspec-dl-')
+      zipfile.binmode
+      zipfile.write(open(url).read)
+      zipfile.rewind
+      content = ZipHelper.new.resolve(zipfile.path)
+      zipfile.close
+      zipfile.unlink
+      content
+    end
+  end
+  Inspec::Targets.add_module('url', UrlHelper.new)
+end

data/lib/inspec/targets/zip.rb ADDED Viewed

@@ -0,0 +1,47 @@
+# encoding: utf-8
+# author: Dominik Richter
+# author: Christoph Hartmann
+require 'zip'
+require 'inspec/targets/dir'
+module Inspec::Targets
+  class ZipHelper
+    def content(input, _filter)
+      content = []
+      ::Zip::InputStream.open(input) do |io|
+        while (entry = io.get_next_entry)
+          h = {
+            content: io.read,
+            ref: File.join(input, entry.name),
+          }
+          content.push(h)
+        end
+      end
+      content
+    end
+    def structure(input)
+      files = []
+      ::Zip::InputStream.open(input) do |io|
+        while (entry = io.get_next_entry)
+          files.push(entry.name)
+        end
+      end
+      files
+    end
+    def resolve(path)
+      files = structure(path)
+      helper = DirsHelper.get_handler(files)
+      if helper.nil?
+        fail "Don't know how to handle folder #{path}"
+      end
+      # get all file contents
+      # @TODO
+      _file_handler = Inspec::Targets.modules['file']
+      test_files = helper.get_filenames(files)
+      content(path, test_files)
+    end
+  end
+end

data/lib/inspec/version.rb ADDED Viewed

@@ -0,0 +1,7 @@
+# encoding: utf-8
+# author: Dominik Richter
+# author: Christoph Hartmann
+module Inspec
+  VERSION = '0.9.0'
+end

data/lib/matchers/matchers.rb ADDED Viewed

@@ -0,0 +1,221 @@
+# encoding: utf-8
+# copyright: 2015, Vulcano Security GmbH
+# author: Dominik Richter
+# author: Christoph Hartmann
+# license: All rights reserved
+RSpec::Matchers.define :be_readable do
+  match do |file|
+    file.readable?(@by, @by_user)
+  end
+  chain :by do |by|
+    @by = by
+  end
+  chain :by_user do |by_user|
+    @by_user = by_user
+  end
+  description do
+    res = 'be readable'
+    res += " by #{@by}" unless @by.nil?
+    res += " by user #{@by_user}" unless @by_user.nil?
+    res
+  end
+end
+RSpec::Matchers.define :be_writable do
+  match do |file|
+    file.writable?(@by, @by_user)
+  end
+  chain :by do |by|
+    @by = by
+  end
+  chain :by_user do |by_user|
+    @by_user = by_user
+  end
+  description do
+    res = 'be writable'
+    res += " by #{@by}" unless @by.nil?
+    res += " by user #{@by_user}" unless @by_user.nil?
+    res
+  end
+end
+RSpec::Matchers.define :be_executable do
+  match do |file|
+    file.executable?(@by, @by_user)
+  end
+  chain :by do |by|
+    @by = by
+  end
+  chain :by_user do |by_user|
+    @by_user = by_user
+  end
+  description do
+    res = 'be executable'
+    res += " by #{@by}" unless @by.nil?
+    res += " by user #{@by_user}" unless @by_user.nil?
+    res
+  end
+end
+# matcher to check /etc/passwd, /etc/shadow and /etc/group
+RSpec::Matchers.define :contain_legacy_plus do
+  match do |file|
+    file.content.match(/^\+:/)
+  end
+end
+# verifies that no entry in an array contains a value
+RSpec::Matchers.define :contain_match do |regex|
+  match do |arr|
+    arr.inject { |result, i|
+      result = i.match(regex)
+      result || i.match(/$/)
+    }
+  end
+end
+RSpec::Matchers.define :contain_duplicates do
+  match do |arr|
+    dup = arr.select { |element| arr.count(element) > 1 }
+    !dup.uniq.empty?
+  end
+end
+# for packages
+RSpec::Matchers.define :be_installed do
+  match do |package|
+    package.installed? == true
+  end
+  failure_message do |package|
+    "expected that `#{package}` is installed"
+  end
+  chain :by do
+    fail "[UNSUPPORTED] Please use the new resources 'gem', 'npm' or 'pip'."
+  end
+  chain :with_version do |version|
+    warn "[DEPRECATION] `with_version` is deprecated.  Please use `its(:version) { should eq '1.4.1' }` instead."
+    @version = version
+  end
+end
+# for services
+RSpec::Matchers.define :be_enabled do
+  match do |service|
+    service.enabled? == true
+  end
+  chain :with_level do |_level|
+    fail '[UNSUPPORTED] with level is not supported'
+  end
+  failure_message do |service|
+    "expected that `#{service}` is enabled"
+  end
+end
+# service resource matcher for serverspec compatibility
+# Deprecated: You should not use this matcher anymore
+RSpec::Matchers.define :be_running do
+  match do |service|
+    service.running? == true
+  end
+  chain :under do |_under|
+    fail '[UNSUPPORTED] under is not supported'
+  end
+  failure_message do |service|
+    "expected that `#{service}` is running"
+  end
+end
+# user resource matcher for serverspec compatibility
+# Deprecated: You should not use this matcher anymore
+RSpec::Matchers.define :belong_to_group do |compare_group|
+  match do |user|
+    warn "[DEPRECATION] `belong_to_group` is deprecated.  Please use `its(:groups) { should include('root') }` instead."
+    user.groups.include?(compare_group)
+  end
+  failure_message do |group|
+    "expected that the user belongs to group `#{group}`"
+  end
+end
+# user resource matcher for serverspec compatibility
+# Deprecated: You should not use this matcher anymore
+RSpec::Matchers.define :belong_to_primary_group do |compare_group|
+  match do |user|
+    warn "[DEPRECATION] `belong_to_primary_group` is deprecated.  Please use `its(:group) { should eq 'root' }` instead."
+    user.group == compare_group
+  end
+  failure_message do |group|
+    "expected that the user belongs to primary group `#{group}`"
+  end
+end
+# matcher to check if host is reachable
+RSpec::Matchers.define :be_reachable do
+  match do |host|
+    host.reachable? == true
+  end
+  chain :with do |_attr|
+    fail '[UNSUPPORTED] `with` is not supported in combination with `be_reachable`'
+  end
+  failure_message do |host|
+    "expected that host #{host} is reachable"
+  end
+end
+# matcher to check if host is resolvable
+RSpec::Matchers.define :be_resolvable do
+  match do |host|
+    host.resolvable? == true
+  end
+  chain :by do |_type|
+    fail "[UNSUPPORTED] `by` is not supported in combination with `be_resolvable`. Please use the following syntax `host('example.com', port: 53, proto: 'udp')`."
+  end
+  failure_message do |host|
+    "expected that host #{host} is resolvable"
+  end
+end
+# matcher for iptables
+RSpec::Matchers.define :have_rule do |rule|
+  match do |tables|
+    tables.has_rule?(rule)
+  end
+  chain :with_table do |_table|
+    fail "[UNSUPPORTED] `with_table` is not supported in combination with `have_rule`. Please use the following syntax `iptables(table:'mangle', chain: 'input')`."
+  end
+  chain :with_chain do |_chain|
+    fail "[UNSUPPORTED] `with_table` is not supported in combination with `with_chain`. Please use the following syntax `iptables(table:'mangle', chain: 'input')`."
+  end
+end
+# unsupported
+RSpec::Matchers.define :contain do |_rule|
+  match do |_resource|
+    fail "[UNSUPPORTED] `contain` matcher. Please use the following syntax `its('content') { should match('value') }`."
+  end
+end