inspec 1.17.0 → 1.18.0

data/lib/inspec/secrets/yaml.rb

@@ -9,7 +9,7 @@ module Secrets
     attr_reader :attributes
 
     def self.resolve(target)
-      unless target.is_a?(String) && File.file?(target) && target.end_with?('.yml')
+      unless target.is_a?(String) && File.file?(target) && ['.yml', '.yaml'].include?(File.extname(target).downcase)
         return nil
       end
       new(target)
@@ -18,6 +18,8 @@ module Secrets
     # array of yaml file paths
     def initialize(target)
       @attributes = ::YAML.load_file(target)
+    rescue => e
+      raise "Error reading Inspec attributes: #{e}"
     end
   end
 end

data/lib/inspec/version.rb

@@ -4,5 +4,5 @@
 # author: Christoph Hartmann
 
 module Inspec
-  VERSION = '1.17.0'.freeze
+  VERSION = '1.18.0'.freeze
 end

data/lib/resources/gem.rb

@@ -1,6 +1,7 @@
 # encoding: utf-8
 # author: Christoph Hartmann
 # author: Dominik Richter
+# author: Joe Nuspl
 
 module Inspec::Resources
   class GemPackage < Inspec.resource(1)
@@ -13,16 +14,32 @@ module Inspec::Resources
       end
     "
 
-    def initialize(package_name)
+    attr_reader :gem_binary
+
+    def initialize(package_name, gem_binary = nil)
       @package_name = package_name
+      @gem_binary = case gem_binary
+                    when nil
+                      'gem'
+                    when :chef
+                      if inspec.os.windows?
+                        'c:\opscode\chef\embedded\bin\gem'
+                      else
+                        '/opt/chef/embedded/bin/gem'
+                      end
+                    when :chef_server
+                      '/opt/opscode/embedded/bin/gem'
+                    else
+                      gem_binary
+                    end
     end
 
     def info
       return @info if defined?(@info)
 
-      cmd = inspec.command("gem list --local -a -q \^#{@package_name}\$")
+      cmd = inspec.command("#{@gem_binary} list --local -a -q \^#{@package_name}\$")
       @info = {
-        installed: cmd.exit_status == 0,
+        installed: cmd.exit_status.zero?,
         type: 'gem',
       }
       return @info unless @info[:installed]

data/lib/resources/key_rsa.rb

@@ -0,0 +1,67 @@
+# encoding: utf-8
+# author: Richard Nixon
+# author: Christoph Hartmann
+
+require 'openssl'
+require 'hashie/mash'
+
+module Inspec::Resources
+  class RsaKey < Inspec.resource(1)
+    name 'key_rsa'
+    desc 'public/private RSA key pair test'
+    example "
+      describe rsa_key('/etc/pki/www.mywebsite.com.key') do
+        its('public_key') { should match /BEGIN RSA PUBLIC KEY/ }
+      end
+
+      describe rsa_key('/etc/pki/www.mywebsite.com.key', 'passphrase') do
+        it { should be_private }
+        it { should be_public }
+      end
+    "
+
+    def initialize(keypath, passphrase = nil)
+      @key_path = keypath
+      @key_file = inspec.file(@key_path)
+      @key = nil
+      @passphrase = passphrase
+
+      return skip_resource "Unable to find key file #{@key_path}" unless @key_file.exist?
+
+      begin
+        @key = OpenSSL::PKey.read(@key_file.content, @passphrase)
+      rescue OpenSSL::PKey::RSAError => _
+        return skip_resource "Unable to load key file #{@key_path}"
+      end
+    end
+
+    def public?
+      return if @key.nil?
+      @key.public?
+    end
+
+    def public_key
+      return if @key.nil?
+      @key.public_key.to_s
+    end
+
+    def private?
+      return if @key.nil?
+      @key.private?
+    end
+
+    def private_key
+      return if @key.nil?
+      @key.to_s
+    end
+
+    def key_length
+      return if @key.nil?
+      @key.public_key.n.num_bytes * 8
+    end
+
+    def to_s
+      "rsa_key #{@key_path}"
+    end
+  end
+end

data/lib/resources/port.rb

@@ -294,11 +294,24 @@ module Inspec::Resources
         # uses a double-colon for short-hand notation.
         ip6addr += ':' if ip6addr =~ /\w:$/
 
+        begin
+          ip_parser = IPAddr.new(ip6addr)
+        rescue IPAddr::InvalidAddressError
+          # This IP is not parsable. There appears to be a bug in netstat
+          # output that truncates link-local IP addresses:
+          # example: udp6 0 0 fe80::42:acff:fe11::123 :::* 0 54550 3335/ntpd
+          # actual link address: inet6 fe80::42:acff:fe11:5/64 scope link
+          #
+          # in this example, the "5" is truncated making the netstat output
+          # an invalid IP address.
+          return [nil, nil]
+        end
+
         # Check to see if this is a IPv4 address in a tcp6/udp6 line.
         # If so, don't put brackets around the IP or URI won't know how
         # to properly handle it.
         # example: tcp6       0      0 127.0.0.1:8005          :::*                    LISTEN
-        if IPAddr.new(ip6addr).ipv4?
+        if ip_parser.ipv4?
           ip_addr = URI("addr://#{ip6addr}:#{ip6[2]}")
           host = ip_addr.host
         else
@@ -333,6 +346,7 @@ module Inspec::Resources
 
       # extract host and port information
       host, port = parse_net_address(parsed[4], protocol)
+      return {} if host.nil?
 
       # extract PID
       process = parsed[9].split('/')
@@ -450,13 +464,17 @@ module Inspec::Resources
         # the last . to :
         local_addr[local_addr.rindex('.')] = ':'
         host, port = parse_net_address(local_addr, protocol)
-        {
-          'port'     => port,
-          'address'  => host,
-          'protocol' => protocol,
-        }
+        if host.nil?
+          nil
+        else
+          {
+            'port'     => port,
+            'address'  => host,
+            'protocol' => protocol,
+          }
+        end
       }
-      ports
+      ports.compact
     end
   end
 
@@ -492,6 +510,7 @@ module Inspec::Resources
       local_addr[local_addr.rindex('.')] = ':'
       # extract host and port information
       host, port = parse_net_address(local_addr, protocol)
+      return {} if host.nil?
       # map data
       {
         'port'     => port,

data/lib/resources/x509_certificate.rb

@@ -0,0 +1,143 @@
+# encoding: utf-8
+# author: Richard Nixon
+# author: Christoph Hartmann
+
+require 'openssl'
+require 'hashie/mash'
+
+module Inspec::Resources
+  class X509CertificateResource < Inspec.resource(1) # rubocop:disable Metrics/ClassLength
+    name 'x509_certificate'
+    desc 'Used to test x.509 certificates'
+    example "
+      describe x509_certificate('/etc/pki/www.mywebsite.com.pem') do
+        its('subject') { should match /CN=My Website/ }
+        its('validity_in_days') { should be > 30 }
+      end
+
+      describe x509_certificate('trials/x509/cert.pem') do
+        it { should be_certificate }
+        it { should be_valid }
+        its('fingerprint') { should eq '62b137bdf427e7273dc2e487877b3033e4c8ce17' }
+        its('signature_algorithm') { should eq 'sha1WithRSAEncryption' }
+        its('validity_in_days') { should_not be < 100 }
+        its('validity_in_days') { should be >= 100 }
+        its('subject_dn') { should eq '/C=DE/ST=Berlin/L=Berlin/O=InSpec/OU=Chef Software, Inc/CN=inspec.io/emailAddress=support@chef.io' }
+        its('subject.C') { should eq 'DE' }
+        its('subject.emailAddress') { should_not be_empty }
+        its('subject.emailAddress') { should eq 'support@chef.io' }
+        its('issuer_dn') { should eq '/C=DE/ST=Berlin/L=Berlin/O=InSpec/OU=Chef Software, Inc/CN=inspec.io/emailAddress=support@chef.io' }
+        its('key_length') { should be >= 2048 }
+        its('extensions.subjectKeyIdentifier') { should cmp 'A5:16:0B:12:F4:48:0F:06:6C:32:29:67:98:12:DF:3D:0D:75:9D:5C' }
+      end
+    "
+
+    # @see https://tools.ietf.org/html/rfc5280#page-23
+    def initialize(filename)
+      @certpath = filename
+      @issuer = nil
+      @parsed_subject = nil
+      @parsed_issuer = nil
+      @extensions = nil
+
+      file = inspec.file(@certpath)
+      return skip_resource "Unable to find certificate file #{@certpath}" unless file.exist?
+
+      begin
+        @cert = OpenSSL::X509::Certificate.new file.content
+      rescue OpenSSL::X509::CertificateError
+        @cert = nil
+        return skip_resource "Unable to load certificate #{@certpath}"
+      end
+    end
+
+    # Forward these methods directly to OpenSSL::X509::Certificate instance
+    %w{version not_before not_after signature_algorithm public_key }.each do |m|
+      define_method m.to_sym do |*args|
+        @cert.method(m.to_sym).call(*args)
+      end
+    end
+
+    def certificate?
+      !@cert.nil?
+    end
+
+    def fingerprint
+      return if @cert.nil?
+      OpenSSL::Digest::SHA1.new(@cert.to_der).to_s
+    end
+
+    def serial
+      return if @cert.nil?
+      @cert.serial.to_i
+    end
+
+    def subject_dn
+      return if @cert.nil?
+      @cert.subject.to_s
+    end
+
+    def subject
+      return if @cert.nil?
+      # Return cached subject if we have already parsed it
+      return @parsed_subject if @parsed_subject
+      # Use a Mash to make it easier to access hash elements in "its('subject') {should ...}"
+      @parsed_subject = Hashie::Mash.new(Hash[@cert.subject.to_a.map { |k, v, _| [k, v] }])
+    end
+
+    def issuer_dn
+      return if @cert.nil?
+      @cert.issuer.to_s
+    end
+
+    def issuer
+      return if @cert.nil?
+      # Return cached subject if we have already parsed it
+      return @parsed_issuer if @parsed_issuer
+      # Use a Mash to make it easier to access hash elements in "its('issuer') {should ...}"
+      @parsed_issuer = Hashie::Mash.new(Hash[@cert.issuer.to_a.map { |k, v, _| [k, v] }])
+    end
+
+    def key_length
+      return if @cert.nil?
+      @cert.public_key.n.num_bytes * 8
+    end
+
+    def validity_in_days
+      (not_after - Time.now.utc) / 86400
+    end
+
+    def valid?
+      now = Time.now
+      certificate? && (now >= not_before && now <= not_after)
+    end
+
+    def extensions
+      # Return cached Mash if we already parsed the certificate extensions
+      return @extensions if @extensions
+      # Return the exception class if we failed to instantiate a Cert from file
+      return @cert unless @cert.respond_to? :extensions
+      # Use a Mash to make it easier to access hash elements in "its('entensions') {should ...}"
+      @extensions = Hashie::Mash.new({})
+      # Make sure standard extensions exist so we don't get nil for nil:NilClass
+      # when the user tests for extensions which aren't present
+      %w{
+        keyUsage extendedKeyUsage basicConstraints subjectKeyIdentifier
+        authorityKeyIdentifier subjectAltName issuerAltName authorityInfoAccess
+        crlDistributionPoints issuingDistributionPoint certificatePolicies
+        policyConstraints nameConstraints noCheck tlsfeature nsComment
+      }.each { |extension| @extensions[extension] ||= [] }
+      # Now parse the extensions into the Mash
+      extension_array = @cert.extensions.map(&:to_s)
+      extension_array.each do |extension|
+        kv = extension.split(/ *= */, 2)
+        @extensions[kv.first] = kv.last.split(/ *, */)
+      end
+      @extensions
+    end
+
+    def to_s
+      "x509_certificate #{@certpath}"
+    end
+  end
+end

data/lib/resources/yum.rb

@@ -2,8 +2,6 @@
 # author: Christoph Hartmann
 # author: Dominik Richter
 
-require 'resources/file'
-
 # Usage:
 # describe yum do
 #   its('repos') { should exist }
@@ -22,6 +20,7 @@ require 'resources/file'
 # describe yum.repo('epel') do
 #   it { should exist }
 #   it { should be_enabled }
+#   its('baseurl') { should include 'mycompany.biz' }
 # end
 #
 # deprecated:
@@ -33,7 +32,7 @@ require 'resources/file'
 module Inspec::Resources
   class Yum < Inspec.resource(1)
     name 'yum'
-    desc 'Use the yum InSpec audit resource to test packages in the Yum repository.'
+    desc 'Use the yum InSpec audit resource to test the configuration of Yum repositories.'
     example "
       describe yum.repo('name') do
         it { should exist }
@@ -121,22 +120,37 @@ module Inspec::Resources
     def info
       return @cache if defined?(@cache)
       selection = @yum.repositories.select { |e| e['id'] == @reponame || shortname(e['id']) == @reponame }
-      @cache = selection[0] if !selection.nil? && selection.length == 1
+      @cache = selection.empty? ? {} : selection.first
       @cache
     end
 
     def exist?
-      !info.nil?
+      !info.empty?
     end
 
     def enabled?
-      repo = info
-      return false if repo.nil?
+      return false unless exist?
       info['status'] == 'enabled'
     end
 
+    # provide a method for each of the repo metadata items we know about
+    [
+      :baseurl,
+      :expire,
+      :filename,
+      :mirrors,
+      :pkgs,
+      :size,
+      :status,
+      :updated,
+    ].each do |key|
+      define_method key do
+        info[key.to_s]
+      end
+    end
+
     def to_s
-      "YumRepo #{shortname(info['id'])}"
+      "YumRepo #{@reponame}"
     end
   end
 

data/lib/utils/simpleconfig.rb

@@ -73,7 +73,13 @@ class SimpleConfig
     m = opts[:group_re].match(line)
     return nil if m.nil?
     @groups.push(m[1])
-    @vals = @params[m[1]] = {}
+
+    # We use a Hashie::Mash to provide method syntax for retrieving
+    # values. For configs that have keys whose values may be hashes
+    # (such as a mysql config that has [sections]), providing
+    # a hash whose values are accessible via methods provide
+    # a better user experience with `its` blocks.
+    @vals = @params[m[1]] = Hashie::Mash.new
   end
 
   def parse_implicit_assignment_line(line, opts)

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec
 version: !ruby/object:Gem::Version
-  version: 1.17.0
+  version: 1.18.0
 platform: ruby
 authors:
 - Dominik Richter
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-03-21 00:00:00.000000000 Z
+date: 2017-03-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: train
@@ -246,6 +246,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.1'
+- !ruby/object:Gem::Dependency
+  name: addressable
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.5'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.5'
 description: InSpec provides a framework for creating end-to-end infrastructure tests.
   You can use it for integration or even compliance testing. Create fully portable
   test profiles and use them in your workflow to ensure stability and security. Integrate
@@ -271,11 +285,13 @@ files:
 - docs/cli.md
 - docs/dsl_inspec.md
 - docs/dsl_resource.md
+- docs/habitat.md
 - docs/inspec_and_friends.md
 - docs/matchers.md
 - docs/migration.md
 - docs/plugin_kitchen_inspec.html.md
 - docs/profiles.md
+- docs/resources.md
 - docs/resources/apache_conf.md.erb
 - docs/resources/apt.md.erb
 - docs/resources/audit_policy.md.erb
@@ -306,6 +322,7 @@ files:
 - docs/resources/json.md.erb
 - docs/resources/kernel_module.md.erb
 - docs/resources/kernel_parameter.md.erb
+- docs/resources/key_rsa.md
 - docs/resources/launchd_service.md.erb
 - docs/resources/limits_conf.md.erb
 - docs/resources/login_def.md.erb
@@ -343,6 +360,7 @@ files:
 - docs/resources/windows_feature.md.erb
 - docs/resources/windows_task.md.erb
 - docs/resources/wmi.md.erb
+- docs/resources/x509_certificate.md
 - docs/resources/xinetd_conf.md.erb
 - docs/resources/yaml.md.erb
 - docs/resources/yum.md.erb
@@ -469,6 +487,7 @@ files:
 - lib/inspec/objects/list.rb
 - lib/inspec/objects/or_test.rb
 - lib/inspec/objects/ruby_helper.rb
+- lib/inspec/objects/tag.rb
 - lib/inspec/objects/test.rb
 - lib/inspec/objects/value.rb
 - lib/inspec/plugins.rb
@@ -480,6 +499,7 @@ files:
 - lib/inspec/polyfill.rb
 - lib/inspec/profile.rb
 - lib/inspec/profile_context.rb
+- lib/inspec/profile_vendor.rb
 - lib/inspec/require_loader.rb
 - lib/inspec/resource.rb
 - lib/inspec/rspec_json_formatter.rb
@@ -487,6 +507,7 @@ files:
 - lib/inspec/runner.rb
 - lib/inspec/runner_mock.rb
 - lib/inspec/runner_rspec.rb
+- lib/inspec/schema.rb
 - lib/inspec/secrets.rb
 - lib/inspec/secrets/yaml.rb
 - lib/inspec/shell.rb
@@ -522,6 +543,7 @@ files:
 - lib/resources/json.rb
 - lib/resources/kernel_module.rb
 - lib/resources/kernel_parameter.rb
+- lib/resources/key_rsa.rb
 - lib/resources/limits_conf.rb
 - lib/resources/login_def.rb
 - lib/resources/mount.rb
@@ -557,6 +579,7 @@ files:
 - lib/resources/windows_feature.rb
 - lib/resources/windows_task.rb
 - lib/resources/wmi.rb
+- lib/resources/x509_certificate.rb
 - lib/resources/xinetd.rb
 - lib/resources/yaml.rb
 - lib/resources/yum.rb
@@ -589,7 +612,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: '2.1'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="