inspec 1.0.0.beta2 → 1.0.0.beta3

data/docs/shared/matcher_be.md.erb

@@ -0,0 +1 @@
+Use the `be` matcher to use a comparison operator---`=` (equal to), `>` (greater than), `<` (less than), `>=` (greater than or equal to), and `<=` (less than or equal to)---to compare two values: `its('value') { should be >= value }`, `its('value') { should be < value }`, and so on.

data/docs/shared/matcher_cmp.md.erb

@@ -0,0 +1,45 @@
+Use the `cmp` matcher compare two values, such as comparing strings to numbers, comparing a single value to an array of values, comparing an array of strings to a regular expression, improving the printing of octal values, and comparing while ignoring case sensitivity.
+
+Compare a single value to an array:
+
+    describe some_resource do
+      its('users') { should cmp 'root' }
+      its('users') { should cmp ['root'] }
+    end
+
+Compare strings and regular expressions:
+
+    describe some_resource do
+      its('setting') { should cmp /raw/i }
+    end
+
+Compare strings and numbers:
+
+    describe some_resource do
+      its('setting') { should eq '2' }
+    end
+
+vs:
+
+    describe some_resource do
+      its('setting') { should cmp '2' }
+      its('setting') { should cmp 2 }
+    end
+
+Ignoring case sensitivity:
+
+.. code-block:: ruby
+
+   describe some_resource do
+     its('setting') { should cmp 'raw' }
+     its('setting') { should cmp 'RAW' }
+   end
+
+Printing octal values:
+
+    describe some_resource('/proc/cpuinfo') do
+      its('mode') { should cmp '0345' }
+    end
+
+    expected: 0345
+    got: 0444

data/docs/shared/matcher_eq.md.erb

@@ -0,0 +1,3 @@
+Use the `eq` matcher to test the equality of two values: `its('Port') { should eq '22' }`.
+
+Using `its('Port') { should eq 22 }` will fail because `22` is not a string value! Use the `cmp` matcher for less restrictive value comparisons.

data/docs/shared/matcher_include.md.erb

@@ -0,0 +1 @@
+Use the `include` matcher to verify that a string value is included in a list: `its('list') { should include 'string' }`.

data/docs/shared/matcher_match.md.erb

@@ -0,0 +1 @@
+Use the `match` matcher to check if a string matches a regular expression: `its('string') { should_not match /regex/ }`.

data/lib/fetchers/url.rb

@@ -85,21 +85,12 @@ module Fetchers
       @archive_path ||= download_archive(path)
     end
 
-    def sha256
-      c = if @archive_path
-            File.read(@archive_path)
-          else
-            content
-          end
-      Digest::SHA256.hexdigest c
-    end
-
     def resolved_source
       @resolved_source ||= { url: @target, sha256: sha256 }
     end
 
     def cache_key
-      sha256
+      @archive_shasum ||= sha256
     end
 
     def to_s
@@ -108,16 +99,9 @@ module Fetchers
 
     private
 
-    def open_target
-      Inspec::Log.debug("Fetching URL: #{@target}")
-      http_opts = {}
-      http_opts['ssl_verify_mode'.to_sym] = OpenSSL::SSL::VERIFY_NONE if @insecure
-      http_opts['Authorization'] = "Bearer #{@token}" if @token
-      open(@target, http_opts)
-    end
-
-    def content
-      open_target.read
+    def sha256
+      file = @archive_path || temp_archive_path
+      Digest::SHA256.hexdigest File.read(file)
     end
 
     def file_type_from_remote(remote)
@@ -132,20 +116,34 @@ module Fetchers
       file_type
     end
 
-    # download url into archive using opts,
-    # returns File object and content-type from HTTP headers
-    def download_archive(path)
-      remote = open_target
-      file_type = file_type_from_remote(remote)
-      final_path = "#{path}#{file_type}"
-      # download content
-      archive = Tempfile.new(['inspec-dl-', file_type])
+    def temp_archive_path
+      @temp_archive_path ||= download_archive_to_temp
+    end
+
+    # Downloads archive to temporary file with side effect :( of setting @archive_type
+    def download_archive_to_temp
+      return @temp_archive_path if ! @temp_archive_path.nil?
+      Inspec::Log.debug("Fetching URL: #{@target}")
+      http_opts = {}
+      http_opts['ssl_verify_mode'.to_sym] = OpenSSL::SSL::VERIFY_NONE if @insecure
+      http_opts['Authorization'] = "Bearer #{@token}" if @token
+      remote = open(@target, http_opts)
+      @archive_type = file_type_from_remote(remote) # side effect :(
+      archive = Tempfile.new(['inspec-dl-', @archive_type])
       archive.binmode
       archive.write(remote.read)
       archive.rewind
       archive.close
-      FileUtils.mv(archive.path, final_path)
+      Inspec::Log.debug("Archive stored at temporary location: #{archive.path}")
+      @temp_archive_path = archive.path
+    end
+
+    def download_archive(path)
+      download_archive_to_temp
+      final_path = "#{path}#{@archive_type}"
+      FileUtils.mv(temp_archive_path, final_path)
       Inspec::Log.debug("Fetched archive moved to: #{final_path}")
+      @temp_archive_path = nil
       final_path
     end
   end

data/lib/inspec/cached_fetcher.rb

@@ -0,0 +1,67 @@
+# encoding: utf-8
+require 'inspec/fetcher'
+require 'forwardable'
+
+module Inspec
+  class CachedFetcher
+    extend Forwardable
+
+    attr_reader :cache, :target, :fetcher
+    def initialize(target, cache)
+      @target = target
+      @fetcher = Inspec::Fetcher.resolve(target)
+
+      if @fetcher.nil?
+        fail("Could not fetch inspec profile in #{target.inspect}.")
+      end
+
+      @cache = cache
+    end
+
+    def resolved_source
+      fetch
+      @fetcher.resolved_source
+    end
+
+    def cache_key
+      k = if target.is_a?(Hash)
+            target[:sha256] || target[:ref]
+          end
+
+      if k.nil?
+        fetcher.cache_key
+      else
+        k
+      end
+    end
+
+    def fetch
+      if cache.exists?(cache_key)
+        Inspec::Log.debug "Using cached dependency for #{target}"
+        [cache.prefered_entry_for(cache_key), false]
+      else
+        Inspec::Log.debug "Dependency does not exist in the cache #{target}"
+        fetcher.fetch(cache.base_path_for(fetcher.cache_key))
+        assert_cache_sanity!
+        [fetcher.archive_path, fetcher.writable?]
+      end
+    end
+
+    def assert_cache_sanity!
+      if target.respond_to?(:key?) && target.key?(:sha256)
+        if fetcher.resolved_source[:sha256] != target[:sha256]
+          fail <<EOF
+The remote source #{fetcher} no longer has the requested content:
+
+Request Content Hash: #{target[:sha256]}
+ Actual Content Hash: #{fetcher.resolved_source[:sha256]}
+
+For URL, supermarket, compliance, and other sources that do not
+provide versioned artifacts, this likely means that the remote source
+has changed since your lockfile was generated.
+EOF
+        end
+      end
+    end
+  end
+end

data/lib/inspec/dependencies/requirement.rb

@@ -1,5 +1,5 @@
 # encoding: utf-8
-require 'inspec/fetcher'
+require 'inspec/cached_fetcher'
 require 'inspec/dependencies/dependency_set'
 require 'digest'
 
@@ -82,9 +82,7 @@ module Inspec
     end
 
     def fetcher
-      @fetcher ||= Inspec::Fetcher.resolve(opts)
-      fail "No fetcher for #{name} (options: #{opts})" if @fetcher.nil?
-      @fetcher
+      @fetcher ||= Inspec::CachedFetcher.new(opts, @cache)
     end
 
     def dependencies
@@ -94,17 +92,18 @@ module Inspec
     end
 
     def to_s
-      "#{name ? name : '<unfetched>'} (#{resolved_source})"
+      name
     end
 
     def profile
+      return @profile if ! @profile.nil?
+
       opts = @opts.dup
-      opts[:cache] = @cache
       opts[:backend] = @backend
       if !@dependencies.nil?
         opts[:dependencies] = Inspec::DependencySet.from_array(@dependencies, @cwd, @cache, @backend)
       end
-      @profile ||= Inspec::Profile.for_target(opts, opts)
+      @profile = Inspec::Profile.for_fetcher(fetcher, opts)
     end
   end
 end

data/lib/inspec/objects/each_loop.rb

@@ -2,10 +2,11 @@
 
 module Inspec
   class EachLoop < List
-    attr_reader :tests
+    attr_reader :tests, :variables
     def initialize
       super
       @tests = []
+      @variables = []
     end
 
     def add_test(t = nil)
@@ -24,9 +25,11 @@ module Inspec
     end
 
     def to_ruby
+      vars = variables.map(&:to_ruby).join("\n")
+      vars += "\n" unless vars.empty?
       obj = super
       all_tests = @tests.map(&:to_ruby).join("\n").gsub("\n", "\n  ")
-      format("%s.each do |entry|\n  %s\nend", obj, all_tests)
+      format("%s%s.each do |entry|\n  %s\nend", vars, obj, all_tests)
     end
   end
 end

data/lib/inspec/plugins/fetcher.rb

@@ -24,6 +24,8 @@ module Inspec
         Inspec::Fetcher
       end
 
+      attr_accessor :target
+
       def writable?
         false
       end

data/lib/inspec/profile.rb

@@ -5,7 +5,7 @@
 
 require 'forwardable'
 require 'inspec/polyfill'
-require 'inspec/fetcher'
+require 'inspec/cached_fetcher'
 require 'inspec/file_provider'
 require 'inspec/source_reader'
 require 'inspec/metadata'
@@ -21,45 +21,8 @@ module Inspec
   class Profile # rubocop:disable Metrics/ClassLength
     extend Forwardable
 
-    #
-    # TODO: This function is getting pretty gross.
-    #
     def self.resolve_target(target, cache = nil)
-      cache ||= Cache.new
-      fetcher = Inspec::Fetcher.resolve(target)
-
-      if fetcher.nil?
-        fail("Could not fetch inspec profile in #{target.inspect}.")
-      end
-
-      cache_key = if target.is_a?(Hash)
-                    target[:sha256] || target[:ref] || fetcher.cache_key
-                  else
-                    fetcher.cache_key
-                  end
-
-      if cache.exists?(cache_key)
-        Inspec::Log.debug "Using cached dependency for #{target}"
-        [cache.prefered_entry_for(cache_key), false]
-      else
-        fetcher.fetch(cache.base_path_for(fetcher.cache_key))
-        if target.respond_to?(:key?) && target.key?(:sha256)
-          if fetcher.resolved_source[:sha256] != target[:sha256]
-            fail <<EOF
-The remote source #{fetcher} no longer has the requested content:
-
-Request Content Hash: #{target[:sha256]}
- Actual Content Hash: #{fetcher.resolved_source[:sha256]}
-
-For URL, supermarket, compliance, and other sources that do not
-provide versioned artifacts, this likely means that the remote source
-has changed since your lockfile was generated.
-EOF
-          end
-        end
-
-        [fetcher.archive_path, fetcher.writable?]
-      end
+      Inspec::CachedFetcher.new(target, cache || Cache.new)
     end
 
     def self.for_path(path, opts)
@@ -72,9 +35,14 @@ EOF
       new(reader, opts)
     end
 
+    def self.for_fetcher(fetcher, opts)
+      path, writable = fetcher.fetch
+      for_path(path, opts.merge(target: fetcher.target, writable: writable))
+    end
+
     def self.for_target(target, opts = {})
-      path, writable = resolve_target(target, opts[:cache])
-      for_path(path, opts.merge(target: target, writable: writable))
+      fetcher = resolve_target(target, opts[:cache])
+      for_fetcher(fetcher, opts)
     end
 
     attr_reader :source_reader, :backend, :runner_context

data/lib/inspec/resource.rb

@@ -83,7 +83,7 @@ require 'resources/directory'
 require 'resources/etc_group'
 require 'resources/file'
 require 'resources/gem'
-require 'resources/group'
+require 'resources/groups'
 require 'resources/grub_conf'
 require 'resources/host'
 require 'resources/iis_site'

data/lib/inspec/rspec_json_formatter.rb

@@ -63,10 +63,18 @@ class InspecRspecMiniJson < RSpec::Core::Formatters::JsonFormatter
   private
 
   def format_example(example)
+    if example.metadata[:description_args].length == 0
+      code_description = example.metadata[:full_description]
+    else
+      # For skipped profiles, rspec returns in full_description the skip_message as well. We don't want
+      # to mix the two, so we pick the full_description from the example.metadata[:example_group] hash.
+      code_description = example.metadata[:example_group][:description]
+    end
+
     res = {
       id: example.metadata[:id],
       status: example.execution_result.status.to_s,
-      code_desc: example.full_description,
+      code_desc: code_description,
     }
 
     unless (pid = example.metadata[:profile_id]).nil?
@@ -374,8 +382,6 @@ class InspecRspecCli < InspecRspecJson # rubocop:disable Metrics/ClassLength
       if res.length == 1
         # Single test - be nice and just print the exception message if the test
         # failed. No need to say "1 failed".
-        fails.clear
-        skips.clear
         res[0][:message].to_s
       else
         [
@@ -425,7 +431,7 @@ class InspecRspecCli < InspecRspecJson # rubocop:disable Metrics/ClassLength
     end
   end
 
-  def print_tests
+  def print_tests # rubocop:disable Metrics/AbcSize
     @anonymous_tests.each do |control|
       control_result = control[:results]
       title = control_result[0][:code_desc].split[0..1].join(' ')
@@ -438,7 +444,7 @@ class InspecRspecCli < InspecRspecJson # rubocop:disable Metrics/ClassLength
           test_result = test[:message]
         else
           # determine title
-          test_result = test[:code_desc].split[2..-1].join(' ')
+          test_result = test[:skip_message] || test[:code_desc].split[2..-1].join(' ')
           # show error message
           test_result += "\n" + test[:message] unless test[:message].nil?
         end

data/lib/inspec/version.rb

@@ -4,5 +4,5 @@
 # author: Christoph Hartmann
 
 module Inspec
-  VERSION = '1.0.0.beta2'.freeze
+  VERSION = '1.0.0.beta3'.freeze
 end

data/lib/resources/groups.rb

@@ -0,0 +1,190 @@
+# encoding: utf-8
+# author: Christoph Hartmann
+# author: Dominik Richter
+
+require 'utils/filter'
+
+module Inspec::Resources
+  # This file contains two resources, the `group` and `groups` resource.
+  # The `group` resource is optimized for requests that verify specific groups
+  # that you know upfront for testing. If you need to query all groups or search
+  # specific groups with certain properties, use the `groups` resource.
+  module GroupManagementSelector
+    # select group provider based on the operating system
+    # returns nil, if no group manager was found for the operating system
+    def select_group_manager(os)
+      if os.unix?
+        @group_provider = UnixGroup.new(inspec)
+      elsif os.windows?
+        @group_provider = WindowsGroup.new(inspec)
+      end
+    end
+  end
+
+  class Groups < Inspec.resource(1)
+    include GroupManagementSelector
+
+    name 'groups'
+    desc 'Use the group InSpec audit resource to test groups on the system. Groups can be filtered.'
+    example "
+      describe groups.where { name == 'root'} do
+        its('names') { should eq ['root'] }
+        its('gids') { should eq [0] }
+      end
+
+      describe groups.where { name == 'Administrators'} do
+        its('names') { should eq ['Administrators'] }
+        its('gids') { should eq ['S-1-5-32-544'] }
+      end
+    "
+
+    def initialize
+      # select group manager
+      @group_provider = select_group_manager(inspec.os)
+      return skip_resource 'The `groups` resource is not supported on your OS yet.' if @group_provider.nil?
+    end
+
+    filter = FilterTable.create
+    filter.add_accessor(:where)
+          .add_accessor(:entries)
+          .add(:names,     field: 'name')
+          .add(:gids,      field: 'gid')
+          .add(:domains,   field: 'domain')
+          .add(:exists?) { |x| !x.entries.empty? }
+    filter.connect(self, :collect_group_details)
+
+    def to_s
+      'Groups'
+    end
+
+    private
+
+    # collects information about every group
+    def collect_group_details
+      return @groups_cache ||= @group_provider.groups unless @group_provider.nil?
+      []
+    end
+  end
+
+  # Usage:
+  # describe group('root') do
+  #   it { should exist }
+  #   its('gid') { should eq 0 }
+  # end
+  #
+  # deprecated has matcher
+  # describe group('root') do
+  #  it { should have_gid 0 }
+  # end
+  class Group < Inspec.resource(1)
+    include GroupManagementSelector
+
+    name 'group'
+    desc 'Use the group InSpec audit resource to test groups on the system.'
+    example "
+      describe group('root') do
+        it { should exist }
+        its('gid') { should eq 0 }
+      end
+    "
+
+    def initialize(groupname)
+      @group = groupname
+      @group = @group.downcase unless inspec.os.windows?
+
+      # select group manager
+      @group_provider = select_group_manager(inspec.os)
+      return skip_resource 'The `group` resource is not supported on your OS yet.' if @group_provider.nil?
+    end
+
+    # verifies if a group exists
+    def exists?
+      group_info.entries.size > 0
+    end
+
+    def gid
+      gids = group_info.gids
+      if gids.size == 0
+        nil
+      # the default case should be one group
+      elsif gids.size == 1
+        gids.entries[0]
+      else
+        fail 'found more than one group with the same name, please use `groups` resource'
+      end
+    end
+
+    # implements rspec has matcher, to be compatible with serverspec
+    def has_gid?(compare_gid)
+      gid == compare_gid
+    end
+
+    def local
+      # at this point the implementation only returns local groups
+      true
+    end
+
+    def to_s
+      "Group #{@group}"
+    end
+
+    private
+
+    def group_info
+      # we need a local copy for the block
+      group = @group.dup
+      @groups_cache ||= inspec.groups.where { name == group }
+    end
+  end
+
+  class GroupInfo
+    attr_reader :inspec
+    def initialize(inspec)
+      @inspec = inspec
+    end
+
+    def groups
+      fail 'group provider must implement the `groups` method'
+    end
+  end
+
+  # implements generic unix groups via /etc/group
+  class UnixGroup < GroupInfo
+    def groups
+      inspec.etc_group.entries
+    end
+  end
+
+  class WindowsGroup < GroupInfo
+    # returns all local groups
+    def groups
+      script = <<-EOH
+Function  ConvertTo-SID { Param([byte[]]$BinarySID)
+  (New-Object  System.Security.Principal.SecurityIdentifier($BinarySID,0)).Value
+}
+
+$Computername =  $Env:Computername
+$adsi  = [ADSI]"WinNT://$Computername"
+$groups = $adsi.Children | where {$_.SchemaClassName -eq  'group'} |  ForEach {
+  $name = $_.Name[0]
+  $sid = ConvertTo-SID -BinarySID $_.ObjectSID[0]
+  $group =[ADSI]$_.Path
+  new-object psobject -property @{name = $group.Name[0]; gid = $sid; domain=$Computername}
+}
+$groups | ConvertTo-Json -Depth 3
+      EOH
+      cmd = inspec.powershell(script)
+      # cannot rely on exit code for now, successful command returns exit code 1
+      # return nil if cmd.exit_status != 0, try to parse json
+      begin
+        groups = JSON.parse(cmd.stdout)
+      rescue JSON::ParserError => _e
+        return []
+      end
+
+      # ensure we have an array of groups
+      groups = [groups] if !groups.is_a?(Array)
+      groups
+    end
+  end
+end