inspec 1.17.0 → 1.18.0

data/docs/resources/yum.md.erb

@@ -101,3 +101,11 @@ The following examples show how to use this InSpec audit resource.
       it { should exist }
       it { should be_enabled }
     end
+
+### Test a particular repository configuration, such as its Base URL
+
+    describe yum.repo('mycompany-artifacts') do
+      it { should exist }
+      it { should be_enabled }
+      its('baseurl') { should include 'mycompany.biz' }
+    end

data/inspec.gemspec

@@ -24,6 +24,8 @@ Gem::Specification.new do |spec|
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
   spec.require_paths = ['lib']
 
+  spec.required_ruby_version = '>= 2.1'
+
   spec.add_dependency 'train', '>=0.22.0', '<1.0'
   spec.add_dependency 'thor', '~> 0.19'
   spec.add_dependency 'json', '>= 1.8', '< 3.0'
@@ -40,4 +42,5 @@ Gem::Specification.new do |spec|
   spec.add_dependency 'nokogiri', '~> 1.6'
   spec.add_dependency 'faraday', '>=0.9.0'
   spec.add_dependency 'toml', '~> 0.1'
+  spec.add_dependency 'addressable', '~> 2.5'
 end

data/lib/bundles/inspec-habitat/cli.rb

@@ -11,7 +11,6 @@ module Habitat
     option :output_dir, type: :string, required: false,
       desc: 'Directory in which to save the generated Habitat artifact. Default: current directory'
     def create(path)
-      puts options
       Habitat::Profile.create(path, options)
     end
 

data/lib/bundles/inspec-habitat/profile.rb

@@ -1,6 +1,7 @@
 # encoding: utf-8
 # author: Adam Leff
 
+require 'inspec/profile_vendor'
 require 'mixlib/shellout'
 require 'toml'
 
@@ -37,6 +38,8 @@ module Habitat
       validate_habitat_installed
       validate_habitat_origin
       create_profile_object
+      verify_profile
+      vendor_profile_dependencies
       copy_profile_to_work_dir
       create_plan
       create_run_hook
@@ -79,7 +82,10 @@ module Habitat
     private
 
     def create_profile_object
-      @profile = Inspec::Profile.for_target(path, backend: Inspec::Backend.create(target: 'mock://'))
+      @profile = Inspec::Profile.for_target(
+        path,
+        backend: Inspec::Backend.create(target: 'mock://'),
+      )
     end
 
     def verify_profile
@@ -92,6 +98,22 @@ module Habitat
       Habitat::Log.info('Profile is valid.')
     end
 
+    def vendor_profile_dependencies
+      profile_vendor = Inspec::ProfileVendor.new(path)
+      if profile_vendor.lockfile.exist? && profile_vendor.cache_path.exist?
+        Habitat::Log.info("Profile's dependencies are already vendored, skipping vendor process.")
+      else
+        Habitat::Log.info("Vendoring the profile's dependencies...")
+        profile_vendor.vendor!
+
+        Habitat::Log.info('Ensuring all vendored content has read permissions...')
+        profile_vendor.make_readable
+
+        # refresh the profile object since the profile now has new files
+        create_profile_object
+      end
+    end
+
     def validate_habitat_installed
       Habitat::Log.info('Checking to see if Habitat is installed...')
       cmd = Mixlib::ShellOut.new('hab --version')

data/lib/bundles/inspec-supermarket/api.rb

@@ -4,6 +4,7 @@
 # author: Dominik Richter
 
 require 'net/http'
+require 'addressable/uri'
 
 module Supermarket
   class API
@@ -26,9 +27,10 @@ module Supermarket
     end
 
     def self.profile_name(profile)
-      uri = URI(profile)
+      # We use Addressable::URI here because URI has a bug in Ruby 2.1.x where it doesn't allow underscore in host
+      uri = Addressable::URI.parse profile
       [uri.host, uri.path[1..-1]]
-    rescue URI::Error => _e
+    rescue
       nil
     end
 
@@ -50,8 +52,8 @@ module Supermarket
       supermarket_tool['tool_owner'] == tool_owner && supermarket_tool['tool'] == tool
     end
 
-    def self.find(profile, supermarket_url)
-      profiles = Supermarket::API.profiles(supermarket_url=SUPERMARKET_URL)
+    def self.find(profile, supermarket_url = SUPERMARKET_URL)
+      profiles = Supermarket::API.profiles(supermarket_url)
       if !profiles.empty?
         index = profiles.index { |t| same?(profile, t, supermarket_url) }
         # return profile or nil

data/lib/fetchers/git.rb

@@ -24,7 +24,7 @@ module Fetchers
   # you got to this file during debugging, you may want to look at the
   # omnibus source for hints.
   #
-  class Git < Inspec.fetcher(1)
+  class Git < Inspec.fetcher(1) # rubocop:disable ClassLength
     name 'git'
     priority 200
 
@@ -44,6 +44,8 @@ module Fetchers
 
     def fetch(dir)
       @repo_directory = dir
+      FileUtils.mkdir_p(dir) unless Dir.exist?(dir)
+
       if cloned?
         checkout
       else

data/lib/fetchers/url.rb

@@ -153,6 +153,7 @@ module Fetchers
     def download_archive(path)
       download_archive_to_temp
       final_path = "#{path}#{@archive_type}"
+      FileUtils.mkdir_p(File.dirname(final_path))
       FileUtils.mv(temp_archive_path, final_path)
       Inspec::Log.debug("Fetched archive moved to: #{final_path}")
       @temp_archive_path = nil

data/lib/inspec/base_cli.rb

@@ -4,6 +4,7 @@
 
 require 'thor'
 require 'inspec/log'
+require 'inspec/profile_vendor'
 
 module Inspec
   class BaseCLI < Thor # rubocop:disable Metrics/ClassLength
@@ -147,30 +148,16 @@ module Inspec
     end
 
     def vendor_deps(path, opts)
-      path.nil? ? path = Pathname.new(Dir.pwd) : path = Pathname.new(path)
-      cache_path = path.join('vendor')
-      inspec_lock = path.join('inspec.lock')
+      profile_path = path || Dir.pwd
+      profile_vendor = Inspec::ProfileVendor.new(profile_path)
 
-      if (cache_path.exist? || inspec_lock.exist?) && !opts[:overwrite]
+      if (profile_vendor.cache_path.exist? || profile_vendor.lockfile.exist?) && !opts[:overwrite]
         puts 'Profile is already vendored. Use --overwrite.'
         return false
       end
 
-      # remove existing
-      FileUtils.rm_rf(cache_path) if cache_path.exist?
-      File.delete(inspec_lock) if inspec_lock.exist?
-
-      puts "Vendor dependencies of #{path} into #{cache_path}"
-      opts[:logger] = Logger.new(STDOUT)
-      opts[:logger].level = get_log_level(opts.log_level)
-      opts[:cache] = Inspec::Cache.new(cache_path.to_s)
-      opts[:backend] = Inspec::Backend.create(target: 'mock://')
-      configure_logger(opts)
-
-      # vendor dependencies and generate lockfile
-      profile = Inspec::Profile.for_target(path.to_s, opts)
-      lockfile = profile.generate_lockfile
-      File.write(inspec_lock, lockfile.to_yaml)
+      profile_vendor.vendor!
+      puts "Dependencies for profile #{profile_path} successfully vendored to #{profile_vendor.cache_path}"
     rescue StandardError => e
       pretty_handle_exception(e)
     end

data/lib/inspec/cli.rb

@@ -14,6 +14,7 @@ require 'inspec/base_cli'
 require 'inspec/plugins'
 require 'inspec/runner_mock'
 require 'inspec/env_printer'
+require 'inspec/schema'
 
 class Inspec::InspecCLI < Inspec::BaseCLI # rubocop:disable Metrics/ClassLength
   class_option :log_level, aliases: :l, type: :string,
@@ -221,6 +222,14 @@ class Inspec::InspecCLI < Inspec::BaseCLI # rubocop:disable Metrics/ClassLength
     pretty_handle_exception(e)
   end
 
+  desc 'schema NAME', 'print the JSON schema', hide: true
+  def schema(name)
+    puts Inspec::Schema.json(name)
+  rescue StandardError => e
+    puts e
+    puts "Valid schemas are #{Inspec::Schema.names.join(', ')}"
+  end
+
   desc 'version', 'prints the version of this tool'
   def version
     puts Inspec::VERSION

data/lib/inspec/objects.rb

@@ -2,6 +2,7 @@
 
 module Inspec
   autoload :Attribute, 'inspec/objects/attribute'
+  autoload :Tag, 'inspec/objects/tag'
   autoload :Control, 'inspec/objects/control'
   autoload :EachLoop, 'inspec/objects/each_loop'
   autoload :List, 'inspec/objects/list'

data/lib/inspec/objects/control.rb

@@ -2,17 +2,22 @@
 
 module Inspec
   class Control
-    attr_accessor :id, :title, :desc, :impact, :tests
+    attr_accessor :id, :title, :desc, :impact, :tests, :tags
     def initialize
       @tests = []
+      @tags = []
     end
 
     def add_test(t)
       @tests.push(t)
     end
 
+    def add_tag(t)
+      @tags.push(t)
+    end
+
     def to_hash
-      { id: id, title: title, desc: desc, impact: impact, tests: tests.map(&:to_hash) }
+      { id: id, title: title, desc: desc, impact: impact, tests: tests.map(&:to_hash), tags: tags.map(&:to_hash) }
     end
 
     def to_ruby
@@ -20,6 +25,7 @@ module Inspec
       res.push "  title #{title.inspect}" unless title.to_s.empty?
       res.push "  desc  #{desc.inspect}" unless desc.to_s.empty?
       res.push "  impact #{impact}" unless impact.nil?
+      tags.each { |t| res.push(indent(t.to_ruby, 2)) }
       tests.each { |t| res.push(indent(t.to_ruby, 2)) }
       res.push 'end'
       res.join("\n")

data/lib/inspec/objects/tag.rb

@@ -0,0 +1,27 @@
+# encoding:utf-8
+
+module Inspec
+  class Tag
+    attr_accessor :key, :value
+
+    def initialize(key, value)
+      @key = key
+      @value = value
+    end
+
+    def to_hash
+      {
+        name: key,
+        value: value,
+      }
+    end
+
+    def to_ruby
+      "tag #{key.inspect}: #{value.inspect}"
+    end
+
+    def to_s
+      "Tag #{key} with #{value}"
+    end
+  end
+end

data/lib/inspec/profile_vendor.rb

@@ -0,0 +1,66 @@
+# encoding: utf-8
+# author: Adam Leff
+
+require 'inspec/profile'
+
+module Inspec
+  class ProfileVendor
+    attr_reader :profile_path
+
+    def initialize(path)
+      @profile_path = Pathname.new(path)
+    end
+
+    def vendor!
+      vendor_dependencies
+    end
+
+    # The URL fetcher uses a Tempfile to retrieve the vendored
+    # profile, which creates a file that is only readable by
+    # the current user. In most circumstances, this is likely OK.
+    # However, in environments like a Habitat package, these files
+    # need to be readable by all users or the Habitat Supervisor
+    # may not be able to start InSpec correctly.
+    #
+    # This method makes sure all vendored files are mode 644 for this
+    # use case. This method is not called by default - the caller
+    # vendoring the profile must make the decision as to whether this
+    # is necessary.
+    def make_readable
+      Dir.glob("#{cache_path}/**/*") do |e|
+        FileUtils.chmod(0644, e) if File.file?(e)
+      end
+    end
+
+    def cache_path
+      profile_path.join('vendor')
+    end
+
+    def lockfile
+      profile_path.join('inspec.lock')
+    end
+
+    private
+
+    def profile
+      @profile ||= Inspec::Profile.for_target(profile_path.to_s, profile_opts)
+    end
+
+    def profile_opts
+      {
+        cache: Inspec::Cache.new(cache_path.to_s),
+        backend: Inspec::Backend.create(target: 'mock://'),
+      }
+    end
+
+    def vendor_dependencies
+      delete_vendored_data
+      File.write(lockfile, profile.generate_lockfile.to_yaml)
+    end
+
+    def delete_vendored_data
+      FileUtils.rm_rf(cache_path) if cache_path.exist?
+      File.delete(lockfile) if lockfile.exist?
+    end
+  end
+end

data/lib/inspec/resource.rb

@@ -95,6 +95,7 @@ require 'resources/iptables'
 require 'resources/json'
 require 'resources/kernel_module'
 require 'resources/kernel_parameter'
+require 'resources/key_rsa'
 require 'resources/limits_conf'
 require 'resources/login_def'
 require 'resources/mount'
@@ -131,6 +132,7 @@ require 'resources/windows_feature'
 require 'resources/windows_task'
 require 'resources/xinetd'
 require 'resources/wmi'
+require 'resources/x509_certificate'
 require 'resources/yum'
 require 'resources/zfs_dataset'
 require 'resources/zfs_pool'

data/lib/inspec/schema.rb

@@ -0,0 +1,174 @@
+# encoding: utf-8
+require 'json'
+
+module Inspec
+  class Schema # rubocop:disable Metrics/ClassLength
+    STATISTICS = {
+      'type' => 'object',
+      'additionalProperties' => false,
+      'properties' => {
+        'duration' => { 'type' => 'number' },
+      },
+    }.freeze
+
+    # Tags are open right, with simple key-value associations and not restrictions
+    TAGS = { 'type' => 'object' }.freeze
+
+    RESULT = {
+      'type' => 'object',
+      'additionalProperties' => false,
+      'properties' => {
+        'status' => { 'type' => 'string' },
+        'code_desc' => { 'type' => 'string' },
+        'run_time' => { 'type' => 'number' },
+        'start_time' => { 'type' => 'string' },
+        'skip_message' => { 'type' => 'string', 'optional' => true },
+        'resource' => { 'type' => 'string', 'optional' => true },
+      },
+    }.freeze
+
+    REF = {
+      'type' => 'object',
+      'additionalProperties' => false,
+      'properties' => {
+        'ref' => { 'type' => 'string' },
+        # TODO: One of these needs to be deprecated
+        'uri' => { 'type' => 'string', 'optional' => true },
+        'url' => { 'type' => 'string', 'optional' => true },
+      },
+    }.freeze
+    REFS = { 'type' => 'array', 'items' => REF }.freeze
+
+    CONTROL = {
+      'type' => 'object',
+      'additionalProperties' => false,
+      'properties' => {
+        'id' => { 'type' => 'string' },
+        'title' => { 'type' => %w{string null} },
+        'desc' => { 'type' => %w{string null} },
+        'impact' => { 'type' => 'number' },
+        'refs' => REFS,
+        'tags' => TAGS,
+        'code' => { 'type' => 'string' },
+        'source_location' => {
+          'type' => 'object',
+          'properties' => {
+            'ref' => { 'type' => 'string' },
+            'line' => { 'type' => 'number' },
+          },
+        },
+        'results' => { 'type' => 'array', 'items' => RESULT },
+      },
+    }.freeze
+
+    SUPPORTS = {
+      'type' => 'object',
+      'additionalProperties' => false,
+      'properties' => {
+        'os-family' => { 'type' => 'string', 'optional' => true },
+      },
+    }.freeze
+
+    CONTROL_GROUP = {
+      'type' => 'object',
+      'additionalProperties' => false,
+      'properties' => {
+        'id' => { 'type' => 'string' },
+        'title' => { 'type' => 'string', 'optional' => true },
+        'controls' => { 'type' => 'array', 'items' => { 'type' => 'string' } },
+      },
+    }.freeze
+
+    PROFILE = {
+      'type' => 'object',
+      'additionalProperties' => false,
+      'properties' => {
+        'name' => { 'type' => 'string' },
+        'version' => { 'type' => 'string', 'optional' => true },
+
+        'title' => { 'type' => 'string', 'optional' => true },
+        'maintainer' => { 'type' => 'string', 'optional' => true },
+        'copyright' => { 'type' => 'string', 'optional' => true },
+        'copyright_email' => { 'type' => 'string', 'optional' => true },
+        'license' => { 'type' => 'string', 'optional' => true },
+        'summary' => { 'type' => 'string', 'optional' => true },
+
+        'supports' => {
+          'type' => 'array',
+          'items' => SUPPORTS,
+          'optional' => true,
+        },
+        'controls' => {
+          'type' => 'array',
+          'items' => CONTROL,
+        },
+        'groups' => {
+          'type' => 'array',
+          'items' => CONTROL_GROUP,
+        },
+        'attributes' => {
+          'type' => 'array',
+          # TODO: more detailed specification needed
+        },
+      },
+    }.freeze
+
+    EXEC_JSON = {
+      'type' => 'object',
+      'additionalProperties' => false,
+      'properties' => {
+        'profiles' => {
+          'type' => 'array',
+          'items' => PROFILE,
+        },
+        'statistics' => STATISTICS,
+        'version' => { 'type' => 'string' },
+
+        # DEPRECATED PROPERTIES!! These will be removed with the next major version bump
+        'controls' => 'array',
+        'other_checks' => 'array',
+      },
+    }.freeze
+
+    MIN_CONTROL = {
+      'type' => 'object',
+      'additionalProperties' => false,
+      'properties' => {
+        'id' => { 'type' => 'string' },
+        'profile_id' => { 'type' => %w{string null} },
+        'status' => { 'type' => 'string' },
+        'code_desc' => { 'type' => 'string' },
+        'skip_message' => { 'type' => 'string', 'optional' => true },
+        'resource' => { 'type' => 'string', 'optional' => true },
+      },
+    }.freeze
+
+    EXEC_JSONMIN = {
+      'type' => 'object',
+      'additionalProperties' => false,
+      'properties' => {
+        'statistics' => STATISTICS,
+        'version' => { 'type' => 'string' },
+        'controls' => {
+          'type' => 'array',
+          'items' => MIN_CONTROL,
+        },
+      },
+    }.freeze
+
+    LIST = {
+      'exec-json' => EXEC_JSON,
+      'exec-jsonmin' => EXEC_JSONMIN,
+    }.freeze
+
+    def self.names
+      LIST.keys
+    end
+
+    def self.json(name)
+      v = LIST[name] ||
+          raise("Cannot find schema #{name.inspect}.")
+      JSON.dump(v)
+    end
+  end
+end