RubyGems - inspec - Versions diffs - 1.0.0.beta2 → 1.0.0.beta3 - Mend

inspec 1.0.0.beta2 → 1.0.0.beta3

Files changed (95) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +41 -2
data/Gemfile +4 -0
data/Rakefile +2 -1
data/docs/.gitignore +2 -0
data/docs/README.md +21 -1
data/docs/resources/apache_conf.md.erb +75 -0
data/docs/resources/apt.md.erb +84 -0
data/docs/resources/audit_policy.md.erb +61 -0
data/docs/resources/auditd_conf.md.erb +79 -0
data/docs/resources/auditd_rules.md.erb +132 -0
data/docs/resources/bash.md.erb +84 -0
data/docs/resources/bond.md.erb +97 -0
data/docs/resources/bridge.md.erb +67 -0
data/docs/resources/bsd_service.md.erb +76 -0
data/docs/resources/command.md.erb +151 -0
data/docs/resources/csv.md.erb +62 -0
data/docs/resources/directory.md.erb +43 -0
data/docs/resources/etc_group.md.erb +116 -0
data/docs/resources/etc_passwd.md.erb +155 -0
data/docs/resources/etc_shadow.md.erb +149 -0
data/docs/resources/file.md.erb +460 -0
data/docs/resources/gem.md.erb +73 -0
data/docs/resources/group.md.erb +74 -0
data/docs/resources/grub_conf.md.erb +115 -0
data/docs/resources/host.md.erb +85 -0
data/docs/resources/iis_site.md.erb +142 -0
data/docs/resources/inetd_conf.md.erb +99 -0
data/docs/resources/ini.md.erb +69 -0
data/docs/resources/interface.md.erb +66 -0
data/docs/resources/iptables.md.erb +70 -0
data/docs/resources/json.md.erb +76 -0
data/docs/resources/kernel_module.md.erb +60 -0
data/docs/resources/kernel_parameter.md.erb +72 -0
data/docs/resources/launchd_service.md.erb +76 -0
data/docs/resources/limits_conf.md.erb +80 -0
data/docs/resources/login_def.md.erb +77 -0
data/docs/resources/mount.md.erb +83 -0
data/docs/resources/mysql_conf.md.erb +102 -0
data/docs/resources/mysql_session.md.erb +63 -0
data/docs/resources/npm.md.erb +75 -0
data/docs/resources/ntp_conf.md.erb +76 -0
data/docs/resources/oneget.md.erb +67 -0
data/docs/resources/os.md.erb +154 -0
data/docs/resources/os_env.md.erb +98 -0
data/docs/resources/package.md.erb +115 -0
data/docs/resources/parse_config.md.erb +122 -0
data/docs/resources/parse_config_file.md.erb +143 -0
data/docs/resources/pip.md.erb +74 -0
data/docs/resources/port.md.erb +150 -0
data/docs/resources/postgres_conf.md.erb +90 -0
data/docs/resources/postgres_session.md.erb +75 -0
data/docs/resources/powershell.md.erb +116 -0
data/docs/resources/process.md.erb +73 -0
data/docs/resources/registry_key.md.erb +149 -0
data/docs/resources/runit_service.md.erb +76 -0
data/docs/resources/security_policy.md.erb +61 -0
data/docs/resources/service.md.erb +135 -0
data/docs/resources/ssh_config.md.erb +94 -0
data/docs/resources/sshd_config.md.erb +97 -0
data/docs/resources/ssl.md.erb +133 -0
data/docs/resources/sys_info.md.erb +55 -0
data/docs/resources/systemd_service.md.erb +76 -0
data/docs/resources/sysv_service.md.erb +76 -0
data/docs/resources/upstart_service.md.erb +76 -0
data/docs/resources/user.md.erb +154 -0
data/docs/resources/users.md.erb +140 -0
data/docs/resources/vbscript.md.erb +69 -0
data/docs/resources/windows_feature.md.erb +61 -0
data/docs/resources/wmi.md.erb +95 -0
data/docs/resources/xinetd_conf.md.erb +170 -0
data/docs/resources/yaml.md.erb +69 -0
data/docs/resources/yum.md.erb +103 -0
data/docs/ruby_usage.md +154 -0
data/docs/shared/matcher_be.md.erb +1 -0
data/docs/shared/matcher_cmp.md.erb +45 -0
data/docs/shared/matcher_eq.md.erb +3 -0
data/docs/shared/matcher_include.md.erb +1 -0
data/docs/shared/matcher_match.md.erb +1 -0
data/lib/fetchers/url.rb +27 -29
data/lib/inspec/cached_fetcher.rb +67 -0
data/lib/inspec/dependencies/requirement.rb +6 -7
data/lib/inspec/objects/each_loop.rb +5 -2
data/lib/inspec/plugins/fetcher.rb +2 -0
data/lib/inspec/profile.rb +9 -41
data/lib/inspec/resource.rb +1 -1
data/lib/inspec/rspec_json_formatter.rb +11 -5
data/lib/inspec/version.rb +1 -1
data/lib/resources/groups.rb +190 -0
data/lib/resources/users.rb +3 -2
metadata +79 -6
data/docs/cli.rst +0 -448
data/docs/resources.rst +0 -4836
data/docs/ruby_usage.rst +0 -145
data/lib/resources/group.rb +0 -137

data/docs/shared/matcher_be.md.erb ADDED Viewed

	@@ -0,0 +1 @@
1	+ Use the `be` matcher to use a comparison operator---`=` (equal to), `>` (greater than), `<` (less than), `>=` (greater than or equal to), and `<=` (less than or equal to)---to compare two values: `its('value') { should be >= value }`, `its('value') { should be < value }`, and so on.

data/docs/shared/matcher_cmp.md.erb ADDED Viewed

@@ -0,0 +1,45 @@
+Use the `cmp` matcher compare two values, such as comparing strings to numbers, comparing a single value to an array of values, comparing an array of strings to a regular expression, improving the printing of octal values, and comparing while ignoring case sensitivity.
+Compare a single value to an array:
+    describe some_resource do
+      its('users') { should cmp 'root' }
+      its('users') { should cmp ['root'] }
+    end
+Compare strings and regular expressions:
+    describe some_resource do
+      its('setting') { should cmp /raw/i }
+    end
+Compare strings and numbers:
+    describe some_resource do
+      its('setting') { should eq '2' }
+    end
+vs:
+    describe some_resource do
+      its('setting') { should cmp '2' }
+      its('setting') { should cmp 2 }
+    end
+Ignoring case sensitivity:
+.. code-block:: ruby
+   describe some_resource do
+     its('setting') { should cmp 'raw' }
+     its('setting') { should cmp 'RAW' }
+   end
+Printing octal values:
+    describe some_resource('/proc/cpuinfo') do
+      its('mode') { should cmp '0345' }
+    end
+    expected: 0345
+    got: 0444

data/docs/shared/matcher_eq.md.erb ADDED Viewed

@@ -0,0 +1,3 @@
+Use the `eq` matcher to test the equality of two values: `its('Port') { should eq '22' }`.
+Using `its('Port') { should eq 22 }` will fail because `22` is not a string value! Use the `cmp` matcher for less restrictive value comparisons.

data/docs/shared/matcher_include.md.erb ADDED Viewed

	@@ -0,0 +1 @@
1	+ Use the `include` matcher to verify that a string value is included in a list: `its('list') { should include 'string' }`.

data/docs/shared/matcher_match.md.erb ADDED Viewed

	@@ -0,0 +1 @@
1	+ Use the `match` matcher to check if a string matches a regular expression: `its('string') { should_not match /regex/ }`.

data/lib/fetchers/url.rb CHANGED Viewed

@@ -85,21 +85,12 @@ module Fetchers
       @archive_path ||= download_archive(path)
     end
-    def sha256
-      c = if @archive_path
-            File.read(@archive_path)
-          else
-            content
-          end
-      Digest::SHA256.hexdigest c
-    end
     def resolved_source
       @resolved_source ||= { url: @target, sha256: sha256 }
     end
     def cache_key
-      sha256
+      @archive_shasum ||= sha256
     end
     def to_s
@@ -108,16 +99,9 @@ module Fetchers
     private
-    def open_target
-      Inspec::Log.debug("Fetching URL: #{@target}")
-      http_opts = {}
-      http_opts['ssl_verify_mode'.to_sym] = OpenSSL::SSL::VERIFY_NONE if @insecure
-      http_opts['Authorization'] = "Bearer #{@token}" if @token
-      open(@target, http_opts)
-    end
-    def content
-      open_target.read
+    def sha256
+      file = @archive_path || temp_archive_path
+      Digest::SHA256.hexdigest File.read(file)
     end
     def file_type_from_remote(remote)
@@ -132,20 +116,34 @@ module Fetchers
       file_type
     end
-    # download url into archive using opts,
-    # returns File object and content-type from HTTP headers
-    def download_archive(path)
-      remote = open_target
-      file_type = file_type_from_remote(remote)
-      final_path = "#{path}#{file_type}"
-      # download content
-      archive = Tempfile.new(['inspec-dl-', file_type])
+    def temp_archive_path
+      @temp_archive_path ||= download_archive_to_temp
+    end
+    # Downloads archive to temporary file with side effect :( of setting @archive_type
+    def download_archive_to_temp
+      return @temp_archive_path if ! @temp_archive_path.nil?
+      Inspec::Log.debug("Fetching URL: #{@target}")
+      http_opts = {}
+      http_opts['ssl_verify_mode'.to_sym] = OpenSSL::SSL::VERIFY_NONE if @insecure
+      http_opts['Authorization'] = "Bearer #{@token}" if @token
+      remote = open(@target, http_opts)
+      @archive_type = file_type_from_remote(remote) # side effect :(
+      archive = Tempfile.new(['inspec-dl-', @archive_type])
       archive.binmode
       archive.write(remote.read)
       archive.rewind
       archive.close
-      FileUtils.mv(archive.path, final_path)
+      Inspec::Log.debug("Archive stored at temporary location: #{archive.path}")
+      @temp_archive_path = archive.path
+    end
+    def download_archive(path)
+      download_archive_to_temp
+      final_path = "#{path}#{@archive_type}"
+      FileUtils.mv(temp_archive_path, final_path)
       Inspec::Log.debug("Fetched archive moved to: #{final_path}")
+      @temp_archive_path = nil
       final_path
     end
   end

data/lib/inspec/cached_fetcher.rb ADDED Viewed

@@ -0,0 +1,67 @@
+# encoding: utf-8
+require 'inspec/fetcher'
+require 'forwardable'
+module Inspec
+  class CachedFetcher
+    extend Forwardable
+    attr_reader :cache, :target, :fetcher
+    def initialize(target, cache)
+      @target = target
+      @fetcher = Inspec::Fetcher.resolve(target)
+      if @fetcher.nil?
+        fail("Could not fetch inspec profile in #{target.inspect}.")
+      end
+      @cache = cache
+    end
+    def resolved_source
+      fetch
+      @fetcher.resolved_source
+    end
+    def cache_key
+      k = if target.is_a?(Hash)
+            target[:sha256] || target[:ref]
+          end
+      if k.nil?
+        fetcher.cache_key
+      else
+        k
+      end
+    end
+    def fetch
+      if cache.exists?(cache_key)
+        Inspec::Log.debug "Using cached dependency for #{target}"
+        [cache.prefered_entry_for(cache_key), false]
+      else
+        Inspec::Log.debug "Dependency does not exist in the cache #{target}"
+        fetcher.fetch(cache.base_path_for(fetcher.cache_key))
+        assert_cache_sanity!
+        [fetcher.archive_path, fetcher.writable?]
+      end
+    end
+    def assert_cache_sanity!
+      if target.respond_to?(:key?) && target.key?(:sha256)
+        if fetcher.resolved_source[:sha256] != target[:sha256]
+          fail <<EOF
+The remote source #{fetcher} no longer has the requested content:
+Request Content Hash: #{target[:sha256]}
+ Actual Content Hash: #{fetcher.resolved_source[:sha256]}
+For URL, supermarket, compliance, and other sources that do not
+provide versioned artifacts, this likely means that the remote source
+has changed since your lockfile was generated.
+EOF
+        end
+      end
+    end
+  end
+end

data/lib/inspec/dependencies/requirement.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # encoding: utf-8
-require 'inspec/fetcher'
+require 'inspec/cached_fetcher'
 require 'inspec/dependencies/dependency_set'
 require 'digest'
@@ -82,9 +82,7 @@ module Inspec
     end
     def fetcher
-      @fetcher ||= Inspec::Fetcher.resolve(opts)
-      fail "No fetcher for #{name} (options: #{opts})" if @fetcher.nil?
-      @fetcher
+      @fetcher ||= Inspec::CachedFetcher.new(opts, @cache)
     end
     def dependencies
@@ -94,17 +92,18 @@ module Inspec
     end
     def to_s
-      "#{name ? name : '<unfetched>'} (#{resolved_source})"
+      name
     end
     def profile
+      return @profile if ! @profile.nil?
       opts = @opts.dup
-      opts[:cache] = @cache
       opts[:backend] = @backend
       if !@dependencies.nil?
         opts[:dependencies] = Inspec::DependencySet.from_array(@dependencies, @cwd, @cache, @backend)
       end
-      @profile ||= Inspec::Profile.for_target(opts, opts)
+      @profile = Inspec::Profile.for_fetcher(fetcher, opts)
     end
   end
 end

data/lib/inspec/objects/each_loop.rb CHANGED Viewed

@@ -2,10 +2,11 @@
 module Inspec
   class EachLoop < List
-    attr_reader :tests
+    attr_reader :tests, :variables
     def initialize
       super
       @tests = []
+      @variables = []
     end
     def add_test(t = nil)
@@ -24,9 +25,11 @@ module Inspec
     end
     def to_ruby
+      vars = variables.map(&:to_ruby).join("\n")
+      vars += "\n" unless vars.empty?
       obj = super
       all_tests = @tests.map(&:to_ruby).join("\n").gsub("\n", "\n  ")
-      format("%s.each do |entry|\n  %s\nend", obj, all_tests)
+      format("%s%s.each do |entry|\n  %s\nend", vars, obj, all_tests)
     end
   end
 end

data/lib/inspec/plugins/fetcher.rb CHANGED Viewed

@@ -24,6 +24,8 @@ module Inspec
         Inspec::Fetcher
       end
+      attr_accessor :target
       def writable?
         false
       end

data/lib/inspec/profile.rb CHANGED Viewed

@@ -5,7 +5,7 @@
 require 'forwardable'
 require 'inspec/polyfill'
-require 'inspec/fetcher'
+require 'inspec/cached_fetcher'
 require 'inspec/file_provider'
 require 'inspec/source_reader'
 require 'inspec/metadata'
@@ -21,45 +21,8 @@ module Inspec
   class Profile # rubocop:disable Metrics/ClassLength
     extend Forwardable
-    #
-    # TODO: This function is getting pretty gross.
-    #
     def self.resolve_target(target, cache = nil)
-      cache ||= Cache.new
-      fetcher = Inspec::Fetcher.resolve(target)
-      if fetcher.nil?
-        fail("Could not fetch inspec profile in #{target.inspect}.")
-      end
-      cache_key = if target.is_a?(Hash)
-                    target[:sha256] || target[:ref] || fetcher.cache_key
-                  else
-                    fetcher.cache_key
-                  end
-      if cache.exists?(cache_key)
-        Inspec::Log.debug "Using cached dependency for #{target}"
-        [cache.prefered_entry_for(cache_key), false]
-      else
-        fetcher.fetch(cache.base_path_for(fetcher.cache_key))
-        if target.respond_to?(:key?) && target.key?(:sha256)
-          if fetcher.resolved_source[:sha256] != target[:sha256]
-            fail <<EOF
-The remote source #{fetcher} no longer has the requested content:
-Request Content Hash: #{target[:sha256]}
- Actual Content Hash: #{fetcher.resolved_source[:sha256]}
-For URL, supermarket, compliance, and other sources that do not
-provide versioned artifacts, this likely means that the remote source
-has changed since your lockfile was generated.
-EOF
-          end
-        end
-        [fetcher.archive_path, fetcher.writable?]
-      end
+      Inspec::CachedFetcher.new(target, cache || Cache.new)
     end
     def self.for_path(path, opts)
@@ -72,9 +35,14 @@ EOF
       new(reader, opts)
     end
+    def self.for_fetcher(fetcher, opts)
+      path, writable = fetcher.fetch
+      for_path(path, opts.merge(target: fetcher.target, writable: writable))
+    end
     def self.for_target(target, opts = {})
-      path, writable = resolve_target(target, opts[:cache])
-      for_path(path, opts.merge(target: target, writable: writable))
+      fetcher = resolve_target(target, opts[:cache])
+      for_fetcher(fetcher, opts)
     end
     attr_reader :source_reader, :backend, :runner_context

data/lib/inspec/resource.rb CHANGED Viewed

@@ -83,7 +83,7 @@ require 'resources/directory'
 require 'resources/etc_group'
 require 'resources/file'
 require 'resources/gem'
-require 'resources/group'
+require 'resources/groups'
 require 'resources/grub_conf'
 require 'resources/host'
 require 'resources/iis_site'

data/lib/inspec/rspec_json_formatter.rb CHANGED Viewed

@@ -63,10 +63,18 @@ class InspecRspecMiniJson < RSpec::Core::Formatters::JsonFormatter
   private
   def format_example(example)
+    if example.metadata[:description_args].length == 0
+      code_description = example.metadata[:full_description]
+    else
+      # For skipped profiles, rspec returns in full_description the skip_message as well. We don't want
+      # to mix the two, so we pick the full_description from the example.metadata[:example_group] hash.
+      code_description = example.metadata[:example_group][:description]
+    end
     res = {
       id: example.metadata[:id],
       status: example.execution_result.status.to_s,
-      code_desc: example.full_description,
+      code_desc: code_description,
     }
     unless (pid = example.metadata[:profile_id]).nil?
@@ -374,8 +382,6 @@ class InspecRspecCli < InspecRspecJson # rubocop:disable Metrics/ClassLength
       if res.length == 1
         # Single test - be nice and just print the exception message if the test
         # failed. No need to say "1 failed".
-        fails.clear
-        skips.clear
         res[0][:message].to_s
       else
         [
@@ -425,7 +431,7 @@ class InspecRspecCli < InspecRspecJson # rubocop:disable Metrics/ClassLength
     end
   end
-  def print_tests
+  def print_tests # rubocop:disable Metrics/AbcSize
     @anonymous_tests.each do |control|
       control_result = control[:results]
       title = control_result[0][:code_desc].split[0..1].join(' ')
@@ -438,7 +444,7 @@ class InspecRspecCli < InspecRspecJson # rubocop:disable Metrics/ClassLength
           test_result = test[:message]
         else
           # determine title
-          test_result = test[:code_desc].split[2..-1].join(' ')
+          test_result = test[:skip_message] || test[:code_desc].split[2..-1].join(' ')
           # show error message
           test_result += "\n" + test[:message] unless test[:message].nil?
         end

data/lib/inspec/version.rb CHANGED Viewed

@@ -4,5 +4,5 @@
 # author: Christoph Hartmann
 module Inspec
-  VERSION = '1.0.0.beta2'.freeze
+  VERSION = '1.0.0.beta3'.freeze
 end

data/lib/resources/groups.rb ADDED Viewed

@@ -0,0 +1,190 @@
+# encoding: utf-8
+# author: Christoph Hartmann
+# author: Dominik Richter
+require 'utils/filter'
+module Inspec::Resources
+  # This file contains two resources, the `group` and `groups` resource.
+  # The `group` resource is optimized for requests that verify specific groups
+  # that you know upfront for testing. If you need to query all groups or search
+  # specific groups with certain properties, use the `groups` resource.
+  module GroupManagementSelector
+    # select group provider based on the operating system
+    # returns nil, if no group manager was found for the operating system
+    def select_group_manager(os)
+      if os.unix?
+        @group_provider = UnixGroup.new(inspec)
+      elsif os.windows?
+        @group_provider = WindowsGroup.new(inspec)
+      end
+    end
+  end
+  class Groups < Inspec.resource(1)
+    include GroupManagementSelector
+    name 'groups'
+    desc 'Use the group InSpec audit resource to test groups on the system. Groups can be filtered.'
+    example "
+      describe groups.where { name == 'root'} do
+        its('names') { should eq ['root'] }
+        its('gids') { should eq [0] }
+      end
+      describe groups.where { name == 'Administrators'} do
+        its('names') { should eq ['Administrators'] }
+        its('gids') { should eq ['S-1-5-32-544'] }
+      end
+    "
+    def initialize
+      # select group manager
+      @group_provider = select_group_manager(inspec.os)
+      return skip_resource 'The `groups` resource is not supported on your OS yet.' if @group_provider.nil?
+    end
+    filter = FilterTable.create
+    filter.add_accessor(:where)
+          .add_accessor(:entries)
+          .add(:names,     field: 'name')
+          .add(:gids,      field: 'gid')
+          .add(:domains,   field: 'domain')
+          .add(:exists?) { |x| !x.entries.empty? }
+    filter.connect(self, :collect_group_details)
+    def to_s
+      'Groups'
+    end
+    private
+    # collects information about every group
+    def collect_group_details
+      return @groups_cache ||= @group_provider.groups unless @group_provider.nil?
+      []
+    end
+  end
+  # Usage:
+  # describe group('root') do
+  #   it { should exist }
+  #   its('gid') { should eq 0 }
+  # end
+  #
+  # deprecated has matcher
+  # describe group('root') do
+  #  it { should have_gid 0 }
+  # end
+  class Group < Inspec.resource(1)
+    include GroupManagementSelector
+    name 'group'
+    desc 'Use the group InSpec audit resource to test groups on the system.'
+    example "
+      describe group('root') do
+        it { should exist }
+        its('gid') { should eq 0 }
+      end
+    "
+    def initialize(groupname)
+      @group = groupname
+      @group = @group.downcase unless inspec.os.windows?
+      # select group manager
+      @group_provider = select_group_manager(inspec.os)
+      return skip_resource 'The `group` resource is not supported on your OS yet.' if @group_provider.nil?
+    end
+    # verifies if a group exists
+    def exists?
+      group_info.entries.size > 0
+    end
+    def gid
+      gids = group_info.gids
+      if gids.size == 0
+        nil
+      # the default case should be one group
+      elsif gids.size == 1
+        gids.entries[0]
+      else
+        fail 'found more than one group with the same name, please use `groups` resource'
+      end
+    end
+    # implements rspec has matcher, to be compatible with serverspec
+    def has_gid?(compare_gid)
+      gid == compare_gid
+    end
+    def local
+      # at this point the implementation only returns local groups
+      true
+    end
+    def to_s
+      "Group #{@group}"
+    end
+    private
+    def group_info
+      # we need a local copy for the block
+      group = @group.dup
+      @groups_cache ||= inspec.groups.where { name == group }
+    end
+  end
+  class GroupInfo
+    attr_reader :inspec
+    def initialize(inspec)
+      @inspec = inspec
+    end
+    def groups
+      fail 'group provider must implement the `groups` method'
+    end
+  end
+  # implements generic unix groups via /etc/group
+  class UnixGroup < GroupInfo
+    def groups
+      inspec.etc_group.entries
+    end
+  end
+  class WindowsGroup < GroupInfo
+    # returns all local groups
+    def groups
+      script = <<-EOH
+Function  ConvertTo-SID { Param([byte[]]$BinarySID)
+  (New-Object  System.Security.Principal.SecurityIdentifier($BinarySID,0)).Value
+}
+$Computername =  $Env:Computername
+$adsi  = [ADSI]"WinNT://$Computername"
+$groups = $adsi.Children | where {$_.SchemaClassName -eq  'group'} |  ForEach {
+  $name = $_.Name[0]
+  $sid = ConvertTo-SID -BinarySID $_.ObjectSID[0]
+  $group =[ADSI]$_.Path
+  new-object psobject -property @{name = $group.Name[0]; gid = $sid; domain=$Computername}
+}
+$groups | ConvertTo-Json -Depth 3
+      EOH
+      cmd = inspec.powershell(script)
+      # cannot rely on exit code for now, successful command returns exit code 1
+      # return nil if cmd.exit_status != 0, try to parse json
+      begin
+        groups = JSON.parse(cmd.stdout)
+      rescue JSON::ParserError => _e
+        return []
+      end
+      # ensure we have an array of groups
+      groups = [groups] if !groups.is_a?(Array)
+      groups
+    end
+  end
+end