inspec 0.9.2 → 0.9.3

data/examples/test-kitchen/test/integration/default/web_spec.rb

@@ -8,7 +8,7 @@ describe package('nginx') do
 end
 
 # extend tests with metadata
-rule '01' do
+control '01' do
   impact 0.7
   title 'Verify nginx service'
   desc 'Ensures nginx service is up and running'

data/inspec.gemspec

@@ -13,9 +13,14 @@ Gem::Specification.new do |spec|
   spec.homepage      = 'https://github.com/chef/inspec'
   spec.license       = 'Apache 2.0'
 
-  spec.files = %w(README.md Rakefile MAINTAINERS.toml MAINTAINERS.md LICENSE inspec.gemspec Gemfile CHANGELOG.md .rubocop.yml) +
-    Dir.glob("{bin,docs,examples,lib,tasks,test}/**/*", File::FNM_DOTMATCH).reject { |f|  File.directory?(f) }
-  spec.executables   = %w( inspec )
+  spec.files = %w{
+    README.md Rakefile MAINTAINERS.toml MAINTAINERS.md LICENSE inspec.gemspec
+    Gemfile CHANGELOG.md .rubocop.yml
+  } + Dir.glob(
+    '{bin,docs,examples,lib,tasks,test}/**/*', File::FNM_DOTMATCH
+  ).reject { |f| File.directory?(f) }
+
+  spec.executables   = %w{ inspec }
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
   spec.require_paths = ['lib']
 

data/lib/inspec/profile_context.rb

@@ -5,6 +5,7 @@
 require 'inspec/rule'
 require 'inspec/dsl'
 require 'rspec/core/dsl'
+require 'securerandom'
 
 module Inspec
   class ProfileContext # rubocop:disable Metrics/ClassLength
@@ -110,7 +111,7 @@ module Inspec
         define_method :describe do |*args, &block|
           path = block.source_location[0]
           line = block.source_location[1]
-          id = "#{File.basename(path)}:#{line}"
+          id = "#{File.basename(path)}:#{line} #{SecureRandom.hex}"
           rule = rule_class.new(id, {}) do
             describe(*args, &block)
           end

data/lib/inspec/runner.rb

@@ -52,6 +52,14 @@ module Inspec
       tests = items.find_all { |i| i[:type] == :test }
       libs = items.find_all { |i| i[:type] == :library }
 
+      # Ensure each test directory exists on the $LOAD_PATH. This
+      # will ensure traditional RSpec-isms like `require 'spec_helper'`
+      # continue to work.
+      tests.flatten.each do |test|
+        test_directory = File.dirname(test[:ref])
+        $LOAD_PATH.unshift test_directory unless $LOAD_PATH.include?(test_directory)
+      end
+
       # add all tests (raw) to the runtime
       tests.flatten.each do |test|
         add_content(test, libs)

data/lib/inspec/shell.rb

@@ -13,8 +13,8 @@ module Inspec
 
     def start
       # store context to run commands in this context
-      @runner.add_content({
-        content: 'binding.pry', ref: __FILE__, line: __LINE__}, [])
+      c = { content: 'binding.pry', ref: __FILE__, line: __LINE__ }
+      @runner.add_content(c, [])
       @runner.run
     end
 

data/lib/inspec/version.rb

@@ -3,5 +3,5 @@
 # author: Christoph Hartmann
 
 module Inspec
-  VERSION = '0.9.2'
+  VERSION = '0.9.3'
 end

data/lib/resources/command.rb

@@ -14,6 +14,8 @@
 
 class Cmd < Inspec.resource(1)
   name 'command'
+  attr_reader :command
+
   def initialize(cmd)
     @command = cmd
   end

data/lib/resources/os_env.rb

@@ -11,24 +11,56 @@
 #   its(:split) { should_not include('.') }
 # end
 
+require 'utils/simpleconfig'
+
 class OsEnv < Inspec.resource(1)
   name 'os_env'
 
   attr_reader :content
-  def initialize(env)
+  def initialize(env = nil)
     @osenv = env
-    cmd = inspec.command("su - root -c 'echo $#{env}'")
-    @content = cmd.stdout.chomp
-    @content = nil if cmd.exit_status != 0
+    @content = nil
+    @content = value_for(env) unless env.nil?
   end
 
   def split
+    # we can't take advantage of `File::PATH_SEPARATOR` as code is
+    # evaluated on the host machine
+    path_separator = inspec.os.windows? ? ';' : ':'
     # -1 is required to catch cases like dir1::dir2:
     # where we have a trailing :
-    @content.nil? ? [] : @content.split(':', -1)
+    @content.nil? ? [] : @content.split(path_separator, -1)
   end
 
   def to_s
-    "Environment Variable #{@osenv}"
+    if @osenv.nil?
+      'Environment variables'
+    else
+      "Environment variable #{@osenv}"
+    end
+  end
+
+  private
+
+  def value_for(env)
+    command = if inspec.os.windows?
+                "$Env:#{env}"
+              else
+                'env'
+              end
+
+    out = inspec.command(command)
+
+    unless out.exit_status == 0
+      skip_resource "Can't read environment variables on #{os[:family]}. "\
+        "Tried `#{command}` which returned #{out.exit_status}"
+    end
+
+    if inspec.os.windows?
+      out.stdout.strip
+    else
+      params = SimpleConfig.new(out.stdout).params
+      params[env]
+    end
   end
 end

data/lib/resources/port.rb

@@ -24,7 +24,7 @@ class Port < Inspec.resource(1)
     @cache = nil
 
     case inspec.os[:family]
-    when 'ubuntu', 'debian', 'redhat', 'fedora', 'arch'
+    when 'ubuntu', 'debian', 'redhat', 'fedora', 'centos', 'arch'
       @port_manager = LinuxPorts.new(inspec)
     when 'darwin'
       @port_manager = DarwinPorts.new(inspec)
@@ -179,7 +179,7 @@ class LinuxPorts < PortsInfo
   def parse_net_address(net_addr, protocol)
     if protocol.eql?('tcp6') || protocol.eql?('udp6')
       # prep for URI parsing, parse ip6 port
-      ip6 = /^(\S+:)(\d+)$/.match(net_addr)
+      ip6 = /^(\S+):(\d+)$/.match(net_addr)
       ip6addr = ip6[1]
       ip6addr = '::' if /^:::$/.match(ip6addr)
       # build uri
@@ -193,16 +193,25 @@ class LinuxPorts < PortsInfo
       port = ip_addr.port
     end
     [host, port]
+  rescue URI::InvalidURIError => e
+    warn "Could not parse #{net_addr}, #{e}"
+    nil
   end
 
   def parse_netstat_line(line)
     # parse each line
     # 1 - Proto, 2 - Recv-Q, 3 - Send-Q, 4 - Local Address, 5 - Foreign Address, 6 - State, 7 - Inode, 8 - PID/Program name
-    parsed = /^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$/.match(line)
-    return {} if parsed.nil?
+    parsed = /^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)/.match(line)
+
+    return {} if parsed.nil? || line.match(/^proto/i)
 
     # parse ip4 and ip6 addresses
     protocol = parsed[1].downcase
+
+    # detect protocol if not provided
+    protocol += '6' if parsed[4].count(':') > 1 && %w{tcp udp}.include?(protocol)
+
+    # extract host and port information
     host, port = parse_net_address(parsed[4], protocol)
 
     # extract PID
@@ -261,6 +270,9 @@ class FreeBsdPorts < PortsInfo
       port = ip_addr.port
     end
     [host, port]
+  rescue URI::InvalidURIError => e
+    warn "Could not parse #{net_addr}, #{e}"
+    nil
   end
 
   def parse_sockstat_line(line)

data/lib/resources/registry_key.rb

@@ -22,33 +22,129 @@ class RegistryKey < Inspec.resource(1)
     @reg_key = reg_key
   end
 
-  def registry_value(path, key)
-    cmd = "(Get-Item 'Registry::#{path}').GetValue('#{key}')"
-    command_result ||= inspec.command(cmd)
-    val = { exit_code: command_result.exit_status.to_i, data: command_result.stdout }
-    val
+  def exists?
+    !registry_value(@reg_key).nil?
   end
 
-  def convert_value(value)
-    val = value.strip
-    val = val.to_i if val.match(/^\d+$/)
-    val
+  def has_value?(value)
+    val = registry_value(@reg_key)
+    !val.nil? && val['(default)'.to_s]['value'] == value ? true : false
+  end
+
+  def has_property?(property_name, property_type = nil)
+    val = registry_value(@reg_key)
+    !val.nil? && !val[property_name.to_s].nil? && (property_type.nil? || val[property_name.to_s]['type'] == map2type(property_type)) ? true : false
+  end
+
+  # deactivate rubocop, because we need to stay compatible with Serverspe
+  # rubocop:disable Style/OptionalArguments
+  def has_property_value?(property_name, property_type = nil, value)
+    # rubocop:enable Style/OptionalArguments
+    val = registry_value(@reg_key)
+
+    # convert value to binary if required
+    value = value.bytes if !property_type.nil? && map2type(property_type) == 3 && !value.is_a?(Array)
+
+    !val.nil? && val[property_name.to_s]['value'] == value && (property_type.nil? || val[property_name.to_s]['type'] == map2type(property_type)) ? true : false
   end
 
   # returns nil, if not existant or value
   def method_missing(meth)
     # get data
-    val = registry_value(@reg_key, meth)
-
-    # verify data
-    if (val[:exit_code] == 0)
-      return convert_value(val[:data])
-    else
-      return nil
-    end
+    val = registry_value(@reg_key)
+    return nil if val.nil?
+    val[meth.to_s]['value']
   end
 
   def to_s
     "Registry Key #{@name}"
   end
+
+  private
+
+  def registry_value(path)
+    return @registy_cache if defined?(@registy_cache)
+
+    # load registry key and all properties
+    script = <<-EOH
+    $reg = Get-Item 'Registry::#{path}'
+    $object = New-Object -Type PSObject
+    $reg.Property | ForEach-Object {
+        $key = $_
+        if ("(default)".Equals($key)) { $key = '' }
+        $value = New-Object psobject -Property @{
+          "value" =  $reg.GetValue($key);
+          "type"  = $reg.GetValueKind($key);
+        }
+        $object | Add-Member –MemberType NoteProperty –Name $_ –Value $value
+    }
+    $object | ConvertTo-Json
+    EOH
+
+    cmd = inspec.script(script)
+
+    # cannot rely on exit code for now, successful command returns exit code 1
+    # return nil if cmd.exit_status != 0, try to parse json
+    begin
+      @registy_cache = JSON.parse(cmd.stdout)
+    rescue JSON::ParserError => _e
+      @registy_cache = nil
+    end
+
+    @registy_cache
+  end
+
+  # Registry key value types
+  # @see https://msdn.microsoft.com/en-us/library/windows/desktop/ms724884(v=vs.85).aspx
+  # REG_NONE 0
+  # REG_SZ 1
+  # REG_EXPAND_SZ 2
+  # REG_BINARY 3
+  # REG_DWORD 4
+  # REG_DWORD_LITTLE_ENDIAN 4
+  # REG_DWORD_BIG_ENDIAN 5
+  # REG_LINK 6
+  # REG_MULTI_SZ 7
+  # REG_RESOURCE_LIST 8
+  # REG_FULL_RESOURCE_DESCRIPTOR 9
+  # REG_RESOURCE_REQUIREMENTS_LIST 10
+  # REG_QWORD 11
+  # REG_QWORD_LITTLE_ENDIAN 11
+  def map2type(symbol)
+    options = {}
+
+    # chef symbols, we prefer those
+    options[:binary] = 3
+    options[:string] = 1
+    options[:multi_string] = 7
+    options[:expand_string] = 2
+    options[:dword] = 4
+    options[:dword_big_endian] = 5
+    options[:qword] = 11
+
+    # serverspec symbols
+    options[:type_string] = 1
+    options[:type_binary] = 3
+    options[:type_dword] = 4
+    options[:type_qword] = 11
+    options[:type_multistring] = 7
+    options[:type_expandstring] = 2
+
+    options[symbol]
+  end
+end
+
+# for compatability with serverspec
+# this is deprecated syntax and will be removed in future versions
+class WindowsRegistryKey < RegistryKey
+  name 'windows_registry_key'
+
+  def initialize(name)
+    deprecated
+    super(name)
+  end
+
+  def deprecated
+    warn '[DEPRECATION] `yumrepo(reponame)` is deprecated.  Please use `yum.repo(reponame)` instead.'
+  end
 end

data/lib/resources/script.rb

@@ -6,7 +6,6 @@
 
 class Script < Cmd
   name 'script'
-  attr_accessor :command
 
   def initialize(script)
     case inspec.os[:family]
@@ -19,8 +18,7 @@ class Script < Cmd
     else
       return skip_resource 'The `script` resource is not supported on your OS yet.'
     end
-
-    @command = cmd
+    super(cmd)
   end
 
   # we cannot determine if a command exists, because that does not work for scripts

data/lib/resources/security_policy.rb

@@ -41,7 +41,7 @@ class SecurityPolicy < Inspec.resource(1)
 
   def method_missing(method)
     # load data if needed
-    if (@loaded == false)
+    if @loaded == false
       load
     end
 

data/lib/resources/service.rb

@@ -149,39 +149,45 @@ end
 class Upstart < ServiceManager
   def info(service_name)
     # get the status of upstart service
-    cmd = inspec.command("initctl status #{service_name}")
-    return nil if cmd.exit_status != 0
+    status = inspec.command("initctl status #{service_name}")
+
+    # fallback for systemv services, those are not handled via `initctl`
+    return SysV.new(inspec).info(service_name) if status.exit_status.to_i != 0
 
     # @see: http://upstart.ubuntu.com/cookbook/#job-states
     # grep for running to indicate the service is there
-    match_running = /running/.match(cmd.stdout)
-    !match_running.nil? ? (running = true) : (running = false)
+    running = !status.stdout[/running/].nil?
+
+    {
+      name: service_name,
+      description: nil,
+      installed: true,
+      running: running,
+      enabled: info_enabled(status, service_name),
+      type: 'upstart',
+    }
+  end
 
+  private
+
+  def info_enabled(status, service_name)
     # check if a service is enabled
     # http://upstart.ubuntu.com/cookbook/#determine-if-a-job-is-disabled
     # $ initctl show-config $job | grep -q "^  start on" && echo enabled || echo disabled
     # Ubuntu 10.04 show-config is not supported
     # @see http://manpages.ubuntu.com/manpages/maverick/man8/initctl.8.html
     config = inspec.command("initctl show-config #{service_name}")
-    match_enabled = /^\s*start on/.match(config.stdout)
-    !match_enabled.nil? ? (enabled = true) : (enabled = false)
+    enabled = !config.stdout[/^\s*start on/].nil?
 
     # implement fallback for Ubuntu 10.04
     if inspec.os[:family] == 'ubuntu' &&
        inspec.os[:release].to_f >= 10.04 &&
        inspec.os[:release].to_f < 12.04 &&
-       cmd.exit_status == 0
+       status.exit_status == 0
       enabled = true
     end
 
-    {
-      name: service_name,
-      description: nil,
-      installed: true,
-      running: running,
-      enabled: enabled,
-      type: 'upstart',
-    }
+    enabled
   end
 end