inspec 0.9.5 → 0.9.6

data/lib/resources/postgres_conf.rb

@@ -10,6 +10,12 @@ require 'resources/postgres'
 
 class PostgresConf < Inspec.resource(1)
   name 'postgres_conf'
+  desc 'Use the postgres_conf InSpec audit resource to test the contents of the configuration file for PostgreSQL, typically located at /etc/postgresql/<version>/main/postgresql.conf or /var/lib/postgres/data/postgresql.conf, depending on the platform.'
+  example "
+    describe postgres_conf do
+      its('max_connections') { should eq '5' }
+    end
+  "
 
   include FindFiles
 

data/lib/resources/postgres_session.rb

@@ -25,6 +25,14 @@ end
 
 class PostgresSession < Inspec.resource(1)
   name 'postgres_session'
+  desc 'Use the postgres_session InSpec audit resource to test SQL commands run against a PostgreSQL database.'
+  example "
+    sql = postgres_session('username', 'password')
+
+    describe sql.query('SELECT * FROM pg_shadow WHERE passwd IS NULL;') do
+      its('output') { should eq('') }
+    end
+  "
 
   def initialize(user, pass)
     @user = user || 'postgres'

data/lib/resources/processes.rb

@@ -6,8 +6,19 @@
 
 class Processes < Inspec.resource(1)
   name 'processes'
+  desc 'Use the processes InSpec audit resource to test properties for programs that are running on the system.'
+  example "
+    describe processes('mysqld') do
+      its('list.length') { should eq 1 }
+      its('users') { should eq ['mysql'] }
+      its('states') { should include 'S' }
+    end
+  "
+
+  attr_reader :list,
+              :users,
+              :states
 
-  attr_reader :list
   def initialize(grep)
     # turn into a regexp if it isn't one yet
     if grep.class == String
@@ -19,6 +30,11 @@ class Processes < Inspec.resource(1)
     @list = all_cmds.find_all do |hm|
       hm[:command] =~ grep
     end
+
+    { users: :user,
+      states: :stat }.each do |var, key|
+      instance_variable_set("@#{var}", @list.map { |l| l[key] }.uniq)
+    end
   end
 
   def to_s

data/lib/resources/registry_key.rb

@@ -12,6 +12,12 @@ require 'json'
 
 class RegistryKey < Inspec.resource(1)
   name 'registry_key'
+  desc 'Use the registry_key InSpec audit resource to test key values in the Microsoft Windows registry.'
+  example "
+    describe registry_key('path\to\key') do
+      its('name') { should eq 'value' }
+    end
+  "
 
   attr_accessor :reg_key
 
@@ -20,6 +26,7 @@ class RegistryKey < Inspec.resource(1)
     reg_key ||= name
     @name = name
     @reg_key = reg_key
+    skip_resource 'The `registry_key` resource is not supported on your OS yet.'
   end
 
   def exists?

data/lib/resources/script.rb

@@ -6,6 +6,16 @@
 
 class Script < Cmd
   name 'script'
+  desc 'Use the script InSpec audit resource to test a Windows PowerShell script on the Microsoft Windows platform.'
+  example "
+    script = <<-EOH
+      # you powershell script
+    EOH
+
+    describe script(script) do
+      its('matcher') { should eq 'output' }
+    end
+  "
 
   def initialize(script)
     case inspec.os[:family]
@@ -16,6 +26,7 @@ class Script < Cmd
       script = WinRM::PowershellScript.new(script)
       cmd = "powershell -encodedCommand #{script.encoded}"
     else
+      cmd = ''
       return skip_resource 'The `script` resource is not supported on your OS yet.'
     end
     super(cmd)

data/lib/resources/security_policy.rb

@@ -15,7 +15,12 @@
 
 class SecurityPolicy < Inspec.resource(1)
   name 'security_policy'
-
+  desc 'Use the security_policy InSpec audit resource to test security policies on the Microsoft Windows platform.'
+  example "
+    describe security_policy do
+      its('SeNetworkLogonRight') { should eq '*S-1-5-11' }
+    end
+  "
   def initialize
     @loaded = false
     @policy = nil

data/lib/resources/service.rb

@@ -21,6 +21,14 @@
 # TODO: extend the logic to detect the running init system, independently of OS
 class Service < Inspec.resource(1)
   name 'service'
+  desc 'Use the service InSpec audit resource to test if the named service is installed, running and/or enabled.'
+  example "
+    describe service('service_name') do
+      it { should be_installed }
+      it { should be_enabled }
+      it { should be_running }
+    end
+  "
 
   def initialize(service_name)
     @service_name = service_name
@@ -62,6 +70,8 @@ class Service < Inspec.resource(1)
       else
         @service_mgmt = SysV.new(inspec)
       end
+    when 'wrlinux'
+      @service_mgmt = SysV.new(inspec)
     when 'darwin'
       @service_mgmt = LaunchCtl.new(inspec)
     when 'windows'

data/lib/resources/ssh_conf.rb

@@ -8,6 +8,12 @@ require 'utils/simpleconfig'
 
 class SshConf < Inspec.resource(1)
   name 'ssh_config'
+  desc 'Use the sshd_config InSpec audit resource to test configuration data for the Open SSH daemon located at /etc/ssh/sshd_config on Linux and UNIX platforms. sshd---the Open SSH daemon---listens on dedicated ports, starts a daemon for each incoming connection, and then handles encryption, authentication, key exchanges, command executation, and data exchanges.'
+  example "
+    describe sshd_config do
+      its('Protocol') { should eq '2' }
+    end
+  "
 
   def initialize(conf_path = nil, type = nil)
     @conf_path = conf_path || '/etc/ssh/ssh_config'

data/lib/resources/user.rb

@@ -40,14 +40,21 @@ require 'utils/convert'
 
 class User < Inspec.resource(1)
   name 'user'
-
+  desc 'Use the user InSpec audit resource to test user profiles, including the groups to which they belong, the frequency of required password changes, the directory paths to home and shell.'
+  example "
+    describe user('root') do
+      it { should exist }
+      its('uid') { should eq 1234 }
+      its('gid') { should eq 1234 }
+    end
+  "
   def initialize(user)
     @user = user
 
     # select package manager
     @user_provider = nil
     case inspec.os[:family]
-    when 'ubuntu', 'debian', 'redhat', 'fedora', 'centos', 'arch', 'opensuse'
+    when 'ubuntu', 'debian', 'redhat', 'fedora', 'centos', 'arch', 'opensuse', 'wrlinux'
       @user_provider = LinuxUser.new(inspec)
     when 'windows'
       @user_provider = WindowsUser.new(inspec)

data/lib/resources/windows_feature.rb

@@ -29,6 +29,12 @@
 # }
 class WindowsFeature < Inspec.resource(1)
   name 'windows_feature'
+  desc 'Use the windows_feature InSpec audit resource to test features on Microsoft Windows.'
+  example "
+    describe windows_feature('dhcp') do
+      it { should be_installed }
+    end
+  "
 
   def initialize(feature)
     @feature = feature

data/lib/resources/yaml.rb

@@ -11,6 +11,12 @@ require 'yaml'
 # end
 class YamlConfig < JsonConfig
   name 'yaml'
+  desc 'Use the yaml InSpec audit resource to test configuration data in a YAML file.'
+  example "
+    describe yaml do
+      its('name') { should eq 'foo' }
+    end
+  "
 
   # override file load and parse hash from yaml
   def parse(content)

data/lib/resources/yum.rb

@@ -32,6 +32,13 @@ require 'resources/file'
 
 class Yum < Inspec.resource(1)
   name 'yum'
+  desc 'Use the yum InSpec audit resource to test packages in the Yum repository.'
+  example "
+    describe yum.repo('name') do
+      it { should exist }
+      it { should be_enabled }
+    end
+  "
 
   # returns all repositories
   # works as following:

data/lib/utils/find_files.rb

@@ -16,21 +16,29 @@ module FindFiles
     door: 'D',
   }
 
+  # ignores errors
   def find_files(path, opts = {})
+    find_files_or_error(path, opts) || []
+  end
+
+  def find_files_or_error(path, opts = {})
     depth = opts[:depth]
-    type = TYPES[opts[:type].to_sym]
+    type = TYPES[opts[:type].to_sym] if opts[:type]
 
     cmd = "find #{path}"
     cmd += " -maxdepth #{depth.to_i}" if depth.to_i > 0
     cmd += " -type #{type}" unless type.nil?
 
-    result = inspec.run_command(cmd)
+    result = inspec.command(cmd)
     exit_status = result.exit_status
 
-    return [nil, exit_status] unless exit_status == 0
-    files = result.stdout.split("\n")
-            .map(&:strip)
-            .find_all { |x| !x.empty? }
-    [files, exit_status]
+    unless exit_status == 0
+      warn "find_files(): exit #{exit_status} from `#{find}`"
+      return nil
+    end
+
+    result.stdout.split("\n")
+      .map(&:strip)
+      .find_all { |x| !x.empty? }
   end
 end

data/test/helper.rb

@@ -4,6 +4,7 @@
 
 require 'minitest/autorun'
 require 'minitest/spec'
+require 'mocha/setup'
 
 require 'simplecov'
 SimpleCov.start do
@@ -36,6 +37,7 @@ class MockLoader
       ubuntu1404: { family: 'ubuntu', release: '14.04', arch: 'x86_64' },
       ubuntu1504: { family: 'ubuntu', release: '15.04', arch: 'x86_64' },
       windows:    { family: 'windows', release: nil, arch: nil },
+      wrlinux:    { family: 'wrlinux', release: '7.0(3)I2(2)', arch: 'x86_64' },
       undefined:  { family: nil, release: nil, arch: nil },
     }
 
@@ -92,6 +94,9 @@ class MockLoader
       'policyfile.lock.json' => mockfile.call('policyfile.lock.json'),
       '/sys/class/net/br0/bridge' => mockdir.call(true),
       'rootwrap.conf' => mockfile.call('rootwrap.conf'),
+      '/etc/apache2/apache2.conf' => mockfile.call('apache2.conf'),
+      '/etc/apache2/ports.conf' => mockfile.call('ports.conf'),
+      '/etc/apache2/conf-enabled/serve-cgi-bin.conf' => mockfile.call('serve-cgi-bin.conf'),
     }
 
     # create all mock commands
@@ -188,6 +193,10 @@ class MockLoader
       "find /etc/apt/ -name *.list -exec sh -c 'cat {} || echo -n' \\;" => cmd.call('etc-apt'),
       # iptables
       'iptables  -S' => cmd.call('iptables-s'),
+      # apache_conf
+      'find /etc/apache2/ports.conf -maxdepth 1 -type f' => cmd.call('find-apache2-ports-conf'),
+      'find /etc/apache2/conf-enabled/*.conf -maxdepth 1 -type f' => cmd.call('find-apache2-conf-enabled'),
+
     }
 
     @backend

data/test/integration/.kitchen.yml

@@ -34,6 +34,9 @@ platforms:
   - name: ubuntu-12.04-i386
   - name: ubuntu-10.04
   - name: ubuntu-10.04-i386
+  - name: mint-17.2-cinnamon
+    driver_config:
+      box: artem-sidorenko/mint-17.2-cinnamon
 
 suites:
   - name: default

data/test/integration/test/integration/default/compare_matcher_spec.rb

@@ -0,0 +1,19 @@
+# encoding: utf-8
+
+# uses the `cmp` matcher instead of the eq matcher
+describe sshd_config do
+  its('Port') { should eq '22' }
+  its('Port') { should_not eq 22 }
+
+  its('Port') { should cmp '22' }
+  its('Port') { should cmp 22 }
+  its('Port') { should cmp 22.0 }
+  its('Port') { should_not cmp 22.1 }
+
+  its('LogLevel') { should eq 'INFO' }
+  its('LogLevel') { should_not eq 'info'}
+
+  its('LogLevel') { should cmp 'INFO' }
+  its('LogLevel') { should cmp 'info' }
+  its('LogLevel') { should cmp 'InfO' }
+end

data/test/integration/test/integration/default/etc_group.rb

@@ -0,0 +1,13 @@
+# encoding: utf-8
+
+if os.unix?
+  describe etc_group do
+    its('gids') { should_not contain_duplicates }
+    its('groups') { should include 'root' }
+    its('users') { should include 'root' }
+  end
+
+  describe etc_group.where(name: 'root') do
+    its('users') { should include 'root' }
+  end
+end

data/test/integration/test/integration/default/os_spec.rb

@@ -0,0 +1,13 @@
+# encoding: utf-8
+
+family = os[:family]
+
+# use symbol
+describe os[:family] do
+  it { should eq family }
+end
+
+# use string
+describe os['family'] do
+  it { should eq family }
+end

data/test/integration/test/integration/default/port_spec.rb

@@ -4,6 +4,6 @@ if os.unix?
   # check that ssh runs
   describe port(22) do
     it { should be_listening }
-    its('protocol') { should include('tcp') }
+    its('protocols') { should include('tcp') }
   end
 end

data/test/unit/mock/cmd/find-apache2-conf-enabled

@@ -0,0 +1 @@
+/etc/apache2/conf-enabled/serve-cgi-bin.conf

data/test/unit/mock/cmd/find-apache2-ports-conf

@@ -0,0 +1 @@
+/etc/apache2/ports.conf

data/test/unit/mock/cmd/ps-aux

@@ -1,3 +1,5 @@
 USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
 root         1  0.0  0.0  18084  3228 ?        Ss   14:15   0:00 /bin/bash
 root        13  0.0  0.0  15284  2148 ?        R+   15:08   0:00 ps aux
+noot        19  0.0  0.0  24521  1536 s001     Ss   09:23   0:00 svc
+noot        23  0.0  0.0  25044  1908 s000     S    08:46   0:00 svc

data/test/unit/mock/files/apache2.conf

@@ -0,0 +1,14 @@
+# This is the main Apache server configuration file.  It contains comments.
+ServerRoot "/etc/apache2"
+
+User ${APACHE_RUN_USER}
+Include ports.conf
+
+<Directory />
+	Options FollowSymLinks
+	AllowOverride None
+	Require all denied
+</Directory>
+
+# Include generic snippets of statements
+IncludeOptional conf-enabled/*.conf

data/test/unit/mock/files/ports.conf

@@ -0,0 +1,6 @@
+# apache ports.conf
+Listen 80
+
+<IfModule ssl_module>
+	Listen 443
+</IfModule>

data/test/unit/mock/files/serve-cgi-bin.conf

@@ -0,0 +1,20 @@
+<IfModule mod_alias.c>
+	<IfModule mod_cgi.c>
+		Define ENABLE_USR_LIB_CGI_BIN
+	</IfModule>
+
+	<IfModule mod_cgid.c>
+		Define ENABLE_USR_LIB_CGI_BIN
+	</IfModule>
+
+	<IfDefine ENABLE_USR_LIB_CGI_BIN>
+		ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
+		<Directory "/usr/lib/cgi-bin">
+			AllowOverride None
+			Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
+			Require all granted
+		</Directory>
+	</IfDefine>
+</IfModule>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

data/test/unit/resources/apache_conf_test.rb

@@ -0,0 +1,31 @@
+# encoding: utf-8
+# author: Stephan Renatus
+
+require 'helper'
+
+describe 'Inspec::Resources::ApacheConf' do
+  let(:resource) { load_resource('apache_conf') }
+
+  it 'verify content is a string' do
+    _(resource.content).must_be_kind_of String
+  end
+
+  it 'verify params is a hashmap' do
+    _(resource.params).must_be_kind_of Hash
+  end
+
+  it 'reads values in apache2.conf' do
+    _(resource.params('ServerRoot')).must_equal ['"/etc/apache2"']
+  end
+
+  it 'reads values in from the direct include ports.conf' do
+    _(resource.params('Listen').sort).must_equal ['443', '80']
+  end
+
+  it 'reads values in from wildcard include serve-cgi-bin.conf' do
+    # TODO(sr) currently, the parser only merges parameter across separate
+    # source files, not in one file
+    _(resource.params('Define')).must_equal ['ENABLE_USR_LIB_CGI_BIN',
+                                             'ENABLE_USR_LIB_CGI_BIN']
+  end
+end