inspec 0.9.8 → 0.9.9

data/lib/inspec/version.rb

@@ -3,5 +3,5 @@
 # author: Christoph Hartmann
 
 module Inspec
-  VERSION = '0.9.8'
+  VERSION = '0.9.9'.freeze
 end

data/lib/matchers/matchers.rb

@@ -70,7 +70,7 @@ end
 # matcher to check /etc/passwd, /etc/shadow and /etc/group
 RSpec::Matchers.define :contain_legacy_plus do
   match do |file|
-    file.content.match(/^\+:/)
+    file.content =~ /^\+:/
   end
 end
 

data/lib/resources/audit_policy.rb

@@ -44,7 +44,7 @@ class AuditPolicy < Inspec.resource(1)
     # find line
     target = nil
     result.each_line {|s|
-      target = s.strip if s.match(/\b.*#{key}.*\b/)
+      target = s.strip if s =~ /\b.*#{key}.*\b/
     }
 
     # extract value

data/lib/resources/command.rb

@@ -39,15 +39,15 @@ class Cmd < Inspec.resource(1)
   end
 
   def exist?
+    # silent for mock resources
+    return false if inspec.os[:family].to_s == 'unknown'
+
     if inspec.os.linux?
       res = inspec.backend.run_command("bash -c 'type \"#{@command}\"'")
     elsif inspec.os.windows?
       res = inspec.backend.run_command("where.exe \"#{@command}\"")
     elsif inspec.os.unix?
       res = inspec.backend.run_command("type \"#{@command}\"")
-    elsif inspec.os[:family].to_s == 'unknown'
-      # silent for mock resources
-      return false
     else
       warn "`command(#{@command}).exist?` is not suported on you OS: #{inspec.os[:family]}"
       return false

data/lib/resources/etc_group.rb

@@ -45,7 +45,7 @@ class EtcGroup < Inspec.resource(1)
 
     # skip resource if it is not supported on current OS
     return skip_resource 'The `etc_group` resource is not supported on your OS.' \
-    unless %w{ubuntu debian redhat fedora centos arch darwin freebsd wrlinux}.include?(inspec.os[:family])
+    unless %w{ubuntu debian redhat fedora centos arch darwin freebsd wrlinux aix}.include?(inspec.os[:family])
   end
 
   def groups(filter = nil)

data/lib/resources/file.rb

@@ -92,9 +92,8 @@ module Inspec::Resources
     def file_permission_granted?(flag, by_usergroup, by_specific_user)
       fail 'Checking file permissions is not supported on your os' unless unix?
 
-      usergroup = usergroup_for(by_usergroup, by_specific_user)
-
-      if by_specific_user.nil?
+      if by_specific_user.nil? || by_specific_user.empty?
+        usergroup = usergroup_for(by_usergroup, by_specific_user)
         check_file_permission_by_mask(usergroup, flag)
       else
         check_file_permission_by_user(by_specific_user, flag)
@@ -113,6 +112,8 @@ module Inspec::Resources
         perm_cmd = "su -s /bin/sh -c \"test -#{flag} #{path}\" #{user}"
       elsif family == 'freebsd'
         perm_cmd = "sudo -u #{user} test -#{flag} #{path}"
+      elsif family == 'aix'
+        perm_cmd = "su #{user} -c test -#{flag} #{path}"
       else
         return skip_resource 'The `file` resource does not support `by_user` on your OS.'
       end

data/lib/resources/group.rb

@@ -48,15 +48,13 @@ class Group < Inspec.resource(1)
   end
 
   def gid
-    if group_info.nil? || group_info.size == 0
-      return nil
-    elsif group_info.size == 1
-      # the default case should be one group
-      return group_info[0][:gid]
-    else
-      # return array if we got multiple gids
-      return group_info.map { |grp| grp[:gid] }
-    end
+    return nil if group_info.nil? || group_info.size == 0
+
+    # the default case should be one group
+    return group_info[0][:gid] if group_info.size == 1
+
+    # return array if we got multiple gids
+    group_info.map { |grp| grp[:gid] }
   end
 
   # implements rspec has matcher, to be compatible with serverspec
@@ -65,15 +63,13 @@ class Group < Inspec.resource(1)
   end
 
   def local
-    if group_info.nil? || group_info.size == 0
-      return nil
-    elsif group_info.size == 1
-      # the default case should be one group
-      return group_info[0][:local]
-    else
-      # return array if we got multiple gids
-      return group_info.map { |grp| grp[:local] }
-    end
+    return nil if group_info.nil? || group_info.size == 0
+
+    # the default case should be one group
+    return group_info[0][:local] if group_info.size == 1
+
+    # return array if we got multiple gids
+    group_info.map { |grp| grp[:local] }
   end
 
   def to_s

data/lib/resources/iptables.rb

@@ -47,7 +47,7 @@ class IpTables < Inspec.resource(1)
     retrieve_rules.each { |line|
       # checks if the rule is part of the ruleset
       # for now, we expect an excact match
-      found = true if line.downcase == rule.downcase
+      found = true if line.casecmp(rule) == 0
     }
     found
   end

data/lib/resources/json.rb

@@ -74,11 +74,9 @@ class JsonConfig < Inspec.resource(1)
       value = value[key.to_s].nil? ? nil : value[key.to_s]
     end
 
-    # check if further keys exist
-    if !keys.first.nil?
-      return extract_value(keys.clone, value)
-    else
-      return value
-    end
+    # if there are no more keys, just return the value
+    return value if keys.first.nil?
+    # if there are more keys, extract more
+    extract_value(keys.clone, value)
   end
 end

data/lib/resources/kernel_parameter.rb

@@ -24,7 +24,7 @@ class KernelParameter < Inspec.resource(1)
     # remove whitespace
     cmd = cmd.stdout.chomp.strip
     # convert to number if possible
-    cmd = cmd.to_i if cmd.match(/^\d+$/)
+    cmd = cmd.to_i if cmd =~ /^\d+$/
     cmd
   end
 

data/lib/resources/os.rb

@@ -13,7 +13,7 @@ class OS < Inspec.resource(1)
 
   # reuse helper methods from backend
   %w{redhat? debian? suse? bsd? solaris? linux? unix? windows?}.each do |os_family|
-    define_method((os_family).to_sym) do
+    define_method(os_family.to_sym) do
       inspec.backend.os.send(os_family)
     end
   end

data/lib/resources/package.rb

@@ -36,6 +36,8 @@ class Package < Inspec.resource(1)
       @pkgman = Brew.new(inspec)
     when 'windows'
       @pkgman = WindowsPkg.new(inspec)
+    when 'aix'
+      @pkgman = BffPkg.new(inspec)
     else
       return skip_resource 'The `package` resource is not supported on your OS yet.'
     end
@@ -134,9 +136,9 @@ class Brew < PkgManagement
     # parse data
     pkg = JSON.parse(cmd.stdout)[0]
     {
-      name: "#{pkg.name}",
+      name: pkg.name.to_s,
       installed: true,
-      version: "#{pkg.installed.version}",
+      version: pkg.installed.version.to_s,
       type: 'brew',
     }
   end
@@ -186,3 +188,19 @@ class WindowsPkg < PkgManagement
     }
   end
 end
+
+# AIX
+class BffPkg < PkgManagement
+  def info(package_name)
+    cmd = inspec.command("lslpp -cL #{package_name}")
+    return nil if cmd.exit_status.to_i != 0
+
+    bff_pkg = cmd.stdout.split("\n").last.split(':')
+    {
+      name:      bff_pkg[1],
+      installed: true,
+      version:   bff_pkg[2],
+      type:      'bff',
+    }
+  end
+end

data/lib/resources/passwd.rb

@@ -87,7 +87,7 @@ end
 class PasswdUid
   def initialize(passwd, uid)
     @passwd = passwd
-    @users = @passwd.parsed.select { |x| x['uid'] == "#{uid}" }
+    @users = @passwd.parsed.select { |x| x['uid'] == uid.to_s }
   end
 
   def username

data/lib/resources/port.rb

@@ -34,8 +34,11 @@ class Port < Inspec.resource(1)
     case inspec.os[:family]
     when 'ubuntu', 'debian', 'redhat', 'fedora', 'centos', 'arch', 'wrlinux'
       @port_manager = LinuxPorts.new(inspec)
-    when 'darwin'
-      @port_manager = DarwinPorts.new(inspec)
+    when 'darwin', 'aix'
+      # AIX: see http://www.ibm.com/developerworks/aix/library/au-lsof.html#resources
+      #      and https://www-01.ibm.com/marketing/iwm/iwm/web/reg/pick.do?source=aixbp
+      # Darwin: https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/lsof.8.html
+      @port_manager = LsofPorts.new(inspec)
     when 'windows'
       @port_manager = WindowsPorts.new(inspec)
     when 'freebsd'
@@ -129,44 +132,110 @@ class WindowsPorts < PortsInfo
   end
 end
 
-# extracts udp and tcp ports from macos
-class DarwinPorts < PortsInfo
-  def info
-    # collects UDP and TCP information
-    cmd = inspec.command('lsof -nP -iTCP -iUDP -sTCP:LISTEN')
-    return nil if cmd.exit_status.to_i != 0
+# extracts udp and tcp ports from the lsof command
+class LsofPorts < PortsInfo
+  attr_reader :lsof
 
+  def initialize(inspec, lsofpath = nil)
+    @lsof = lsofpath || 'lsof'
+    super(inspec)
+  end
+
+  def info
     ports = []
-    # split on each newline
-    cmd.stdout.each_line do |line|
-      # parse each line
-      # 1 - COMMAND, 2 - PID, 3 - USER, 4 - FD, 5 - TYPE, 6 - DEVICE, 7 - SIZE/OFF, 8 - NODE, 9 - NAME
-      parsed = /^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+).*$/.match(line)
-      # extract network info
-      net_addr = parsed[9].split(':')
-      # convert to number if possible
-      net_port = net_addr[1]
-      net_port = net_port.to_i if /^\d+$/.match(net_port)
-      protocol = parsed[8].downcase
-
-      # add version to protocol
-      type = parsed[5].downcase
-      protocol += '6' if type == 'IPv6'
-
-      # map data
-      port_info = {
-        port: net_port,
-        address: net_addr[0],
-        protocol: protocol,
-        process: parsed[1],
-        pid: parsed[2].to_i,
-      }
 
-      # push data, if not headerfile
-      ports.push(port_info) if %w{tcp tcp6 udp udp6}.include?(protocol)
+    # check that lsof is available, otherwise fail
+    fail 'Please ensure `lsof` is available on the machine.' if !inspec.command(@lsof.to_s).exist?
+
+    # -F p=pid, c=command, P=protocol name, t=type, n=internet addresses
+    # see 'OUTPUT FOR OTHER PROGRAMS' in LSOF(8)
+    lsof_cmd = inspec.command("#{@lsof} -nP -i -FpctPn")
+    return nil if lsof_cmd.exit_status.to_i != 0
+
+    # map to desired return struct
+    lsof_parser(lsof_cmd).each do |process, port_ids|
+      pid, cmd = process.split(':')
+      port_ids.each do |port_str|
+        # should not break on ipv6 addresses
+        ipv, proto, port, host = port_str.split(':', 4)
+        ports.push({ port:  port.to_i,
+                     address:  host,
+                     protocol: ipv == 'ipv6' ? proto + '6' : proto,
+                     process:  cmd,
+                     pid:      pid.to_i })
+      end
     end
+
     ports
   end
+
+  # rubocop:disable Metrics/CyclomaticComplexity
+  # rubocop:disable Metrics/AbcSize
+  def lsof_parser(lsof_cmd)
+    procs = {}
+    # build this with formatted output (-F) from lsof
+    # procs = {
+    #   '123:sshd' => [
+    #      'ipv4:tcp:22:127.0.0.1',
+    #      'ipv6:tcp:22:::1',
+    #      'ipv4:tcp:*',
+    #      'ipv6:tcp:*',
+    #   ],
+    #   '456:ntpd' => [
+    #      'ipv4:udp:123:*',
+    #      'ipv6:udp:123:*',
+    #   ]
+    # }
+    proc_id = port_id = nil
+    lsof_cmd.stdout.each_line do |line|
+      line.chomp!
+      key = line.slice!(0)
+      case key
+      when 'p'
+        proc_id = line
+        port_id = nil
+      when 'c'
+        proc_id += ':' + line
+      when 't'
+        port_id = line.downcase
+      when 'P'
+        port_id += ':' + line.downcase
+      when 'n'
+        src, dst = line.split('->')
+
+        # skip active comm streams
+        next if dst
+
+        host, port = /^(\S+):(\d+|\*)$/.match(src)[1, 2]
+
+        # skip channels from port 0 - what does this mean?
+        next if port == '*'
+
+        # create new array stub if !exist?
+        procs[proc_id] = [] unless procs.key?(proc_id)
+
+        # change address '*' to zero
+        host = (port_id =~ /^ipv6:/) ? '[::]' : '0.0.0.0' if host == '*'
+        # entrust URI to scrub the host and port
+        begin
+          uri = URI("addr://#{host}:#{port}")
+          uri.host && uri.port
+        rescue => e
+          warn "could not parse URI 'addr://#{host}:#{port}' - #{e}"
+          next
+        end
+
+        # e.g. 'ipv4:tcp:22:127.0.0.1'
+        #                             strip ipv6 squares for inspec
+        port_id += ':' + port + ':' + host.gsub(/^\[|\]$/, '')
+
+        # lsof will give us another port unless it's done
+        procs[proc_id] << port_id
+      end
+    end
+
+    procs
+  end
 end
 
 # extract port information from netstat
@@ -192,17 +261,18 @@ class LinuxPorts < PortsInfo
       # prep for URI parsing, parse ip6 port
       ip6 = /^(\S+):(\d+)$/.match(net_addr)
       ip6addr = ip6[1]
-      ip6addr = '::' if /^:::$/.match(ip6addr)
+      ip6addr = '::' if ip6addr =~ /^:::$/
       # build uri
       ip_addr = URI("addr://[#{ip6addr}]:#{ip6[2]}")
       # replace []
       host = ip_addr.host[1..ip_addr.host.size-2]
-      port = ip_addr.port
     else
       ip_addr = URI('addr://'+net_addr)
       host = ip_addr.host
-      port = ip_addr.port
     end
+
+    port = ip_addr.port
+
     [host, port]
   rescue URI::InvalidURIError => e
     warn "Could not parse #{net_addr}, #{e}"
@@ -212,7 +282,7 @@ class LinuxPorts < PortsInfo
   def parse_netstat_line(line)
     # parse each line
     # 1 - Proto, 2 - Recv-Q, 3 - Send-Q, 4 - Local Address, 5 - Foreign Address, 6 - State, 7 - Inode, 8 - PID/Program name
-    parsed = /^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)/.match(line)
+    parsed = /^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)?\s+(\S+)\s+(\S+)\s+(\S+)/.match(line)
 
     return {} if parsed.nil? || line.match(/^proto/i)
 
@@ -228,7 +298,7 @@ class LinuxPorts < PortsInfo
     # extract PID
     process = parsed[9].split('/')
     pid = process[0]
-    pid = pid.to_i if /^\d+$/.match(pid)
+    pid = pid.to_i if pid =~ /^\d+$/
     process = process[1]
 
     # map data
@@ -264,14 +334,14 @@ class FreeBsdPorts < PortsInfo
     case protocol
     when 'tcp4', 'udp4'
       # replace * with 0.0.0.0
-      net_addr = net_addr.gsub(/^\*:/, '0.0.0.0:') if /^*:(\d+)$/.match(net_addr)
+      net_addr = net_addr.gsub(/^\*:/, '0.0.0.0:') if net_addr =~ /^*:(\d+)$/
       ip_addr = URI('addr://'+net_addr)
       host = ip_addr.host
       port = ip_addr.port
     when 'tcp6', 'udp6'
       return [] if net_addr == '*:*' # abort for now
       # replace * with 0:0:0:0:0:0:0:0
-      net_addr = net_addr.gsub(/^\*:/, '0:0:0:0:0:0:0:0:') if /^*:(\d+)$/.match(net_addr)
+      net_addr = net_addr.gsub(/^\*:/, '0:0:0:0:0:0:0:0:') if net_addr =~ /^*:(\d+)$/
       # extract port
       ip6 = /^(\S+):(\d+)$/.match(net_addr)
       ip6addr = ip6[1]
@@ -301,7 +371,7 @@ class FreeBsdPorts < PortsInfo
 
     # extract PID
     pid = parsed[3]
-    pid = pid.to_i if /^\d+$/.match(pid)
+    pid = pid.to_i if pid =~ /^\d+$/
 
     # map tcp4 and udp4
     protocol = 'tcp' if protocol.eql?('tcp4')

data/lib/resources/postgres_conf.rb

@@ -21,7 +21,7 @@ class PostgresConf < Inspec.resource(1)
 
   def initialize(conf_path = nil)
     @conf_path = conf_path || inspec.postgres.conf_path
-    @conf_dir = File.expand_path(File.dirname @conf_path)
+    @conf_dir = File.expand_path(File.dirname(@conf_path))
     @files_contents = {}
     @content = nil
     @params = nil