inspec 1.2.1 → 1.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 1f48211d9143cfdb1bdf736389d72e2048bc26b3
-  data.tar.gz: 697546cf50666e244c114390238fbe1f0de18a91
+  metadata.gz: bc80c218f1945dc66bf6d693530077e66212968a
+  data.tar.gz: b54754846a031670396d5069a43f7434113e7fde
 SHA512:
-  metadata.gz: c8cf98323a40791eecd63b25cc6af48f49b2d139069f4f0e02d92e8daa03862048a01eec1c10f5d1b0008083eb43d6478b1721da7e3af8e30c87740cf61a54af
-  data.tar.gz: 5942695dbda9915900163f637ad847e0e75a7072ea0f5e415b74776a1c6158e0c4ccd0d80cfafb4c42c018b1f2c5a1dda76b88861c7a11ee92e41d89a4c05366
+  metadata.gz: 60442e056460a6c14ed1c7587b499f75f40f942f4064f43275ac11943ddb881968edcae4d5c49f49a37b551330d72aa89289438418e6cc24c5d992024365f102
+  data.tar.gz: fa8866e5fc94fc087908b6bd313d50295077b436757e70b49e1c4e7c1caed27c344908c548183f0c73096bb1c574b91bebcbd9d67d11b81cf235060ba7a29b66

data/CHANGELOG.md

@@ -1,7 +1,52 @@
 # Change Log
 
-## [1.2.1](https://github.com/chef/inspec/tree/1.2.1) (2016-10-15)
-[Full Changelog](https://github.com/chef/inspec/compare/v1.2.0...1.2.1)
+## [1.3.0](https://github.com/chef/inspec/tree/1.3.0) (2016-10-28)
+[Full Changelog](https://github.com/chef/inspec/compare/v1.2.1...1.3.0)
+
+**Implemented enhancements:**
+
+- extend the attributes object with helper methods [\#1220](https://github.com/chef/inspec/pull/1220) ([chris-rock](https://github.com/chris-rock))
+
+**Fixed bugs:**
+
+- inetd\_conf resource error [\#1253](https://github.com/chef/inspec/issues/1253)
+- Process user should eq \["longusername"\]: usernames get truncated with a '+' at the end [\#995](https://github.com/chef/inspec/issues/995)
+- Remove wildcard from windows package detection [\#1259](https://github.com/chef/inspec/pull/1259) ([chris-rock](https://github.com/chris-rock))
+- Fix nil timeout and retries [\#1256](https://github.com/chef/inspec/pull/1256) ([alexpop](https://github.com/alexpop))
+- Supermarket tools get and filter by tool\_type [\#1254](https://github.com/chef/inspec/pull/1254) ([alexpop](https://github.com/alexpop))
+- Fix processes resource user and command truncation [\#1225](https://github.com/chef/inspec/pull/1225) ([alexpop](https://github.com/alexpop))
+
+**Closed issues:**
+
+- inetd and xinetd resources inconsistencies [\#1252](https://github.com/chef/inspec/issues/1252)
+- TestKitchen - Duplicate testing when verifier specified in suite definition [\#1240](https://github.com/chef/inspec/issues/1240)
+- Document new DCO process in contributing.md [\#1223](https://github.com/chef/inspec/issues/1223)
+- Move InSpec Community to https://community-slack.chef.io/ [\#1222](https://github.com/chef/inspec/issues/1222)
+- Export Docker package for InSpec from Habitat [\#1212](https://github.com/chef/inspec/issues/1212)
+- Test verify action on Windows 2012 fails - \[no implicit conversion of nil into Array\] on default-windows-2012r2 [\#1193](https://github.com/chef/inspec/issues/1193)
+- Add InSpec habitat plan [\#843](https://github.com/chef/inspec/issues/843)
+
+**Merged pull requests:**
+
+- Use Slack Badge instead of Gitter badge [\#1262](https://github.com/chef/inspec/pull/1262) ([chris-rock](https://github.com/chris-rock))
+- remove accidentally added file [\#1260](https://github.com/chef/inspec/pull/1260) ([chris-rock](https://github.com/chris-rock))
+- overwrite exec for inetd because respec its is executing `exec` [\#1257](https://github.com/chef/inspec/pull/1257) ([chris-rock](https://github.com/chris-rock))
+- Use include instead of match in the error message [\#1248](https://github.com/chef/inspec/pull/1248) ([artem-sidorenko](https://github.com/artem-sidorenko))
+- Code-block directive is not needed here [\#1247](https://github.com/chef/inspec/pull/1247) ([artem-sidorenko](https://github.com/artem-sidorenko))
+- Set the global message to display again [\#1246](https://github.com/chef/inspec/pull/1246) ([ryankeairns](https://github.com/ryankeairns))
+- Ignore RVM files [\#1245](https://github.com/chef/inspec/pull/1245) ([artem-sidorenko](https://github.com/artem-sidorenko))
+- Change global message regarding 10/25 webinar [\#1244](https://github.com/chef/inspec/pull/1244) ([ryankeairns](https://github.com/ryankeairns))
+- Fix issue with registry\_key example [\#1243](https://github.com/chef/inspec/pull/1243) ([seththoenen](https://github.com/seththoenen))
+- Accessing nested mappings in a yam file [\#1242](https://github.com/chef/inspec/pull/1242) ([chriswessells](https://github.com/chriswessells))
+- Fix broken link in README.md [\#1233](https://github.com/chef/inspec/pull/1233) ([swalberg](https://github.com/swalberg))
+- DOCS: fix commit amend dash [\#1232](https://github.com/chef/inspec/pull/1232) ([alexpop](https://github.com/alexpop))
+- Headers and list elements that include more than one `\_` character we… [\#1231](https://github.com/chef/inspec/pull/1231) ([nathenharvey](https://github.com/nathenharvey))
+- Implements profile signing and verification \[Experimental\] [\#1228](https://github.com/chef/inspec/pull/1228) ([metadave](https://github.com/metadave))
+- Document new DCO process [\#1224](https://github.com/chef/inspec/pull/1224) ([chris-rock](https://github.com/chris-rock))
+- adding by\_user permissions support for windows [\#1215](https://github.com/chef/inspec/pull/1215) ([jeremymv2](https://github.com/jeremymv2))
+
+## [v1.2.1](https://github.com/chef/inspec/tree/v1.2.1) (2016-10-15)
+[Full Changelog](https://github.com/chef/inspec/compare/v1.2.0...v1.2.1)
 
 **Implemented enhancements:**
 

data/README.md

@@ -1,6 +1,6 @@
 # InSpec: Inspect Your Infrastructure
 
-[![Join the chat at https://gitter.im/chef/inspec](https://badges.gitter.im/chef/inspec.svg)](https://gitter.im/chef/inspec?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
+[![Slack](https://community-slack.chef.io/badge.svg)](https://community-slack.chef.io/)
 [![Build Status Master](https://travis-ci.org/chef/inspec.svg?branch=master)](https://travis-ci.org/chef/inspec)
 [![Build Status Master](https://ci.appveyor.com/api/projects/status/github/chef/inspec?branch=master&svg=true&passingText=master%20-%20Ok&pendingText=master%20-%20Pending&failingText=master%20-%20Failing)](https://ci.appveyor.com/project/Chef/inspec/branch/master)
 
@@ -45,6 +45,10 @@ inspec exec test.rb -t docker://container_id
 
 InSpec requires Ruby ( >1.9 ).
 
+### Install as package
+
+The InSpec package is available for MacOS, RedHat, Ubuntu and Windows. Download the latest package at [InSpec Downloads](https://downloads.chef.io/inspec). 
+
 ### Install it via rubygems.org
 
 When installing from source, gem dependencies may require ruby build tools to be installed.
@@ -114,7 +118,7 @@ On Windows, you need to install [Ruby](http://rubyinstaller.org/downloads/) with
 
 Currently, this method of installation only supports Linux. See the [Habitat site](https://www.habitat.sh/) for more information.
 
-Download the `hab` binary from the [Habitat](https://www.habitat.sh/docs/get-habitat/) site. 
+Download the `hab` binary from the [Habitat](https://www.habitat.sh/docs/get-habitat/) site.
 
 ```bash
 hab pkg install chef/inspec
@@ -169,11 +173,12 @@ describe sshd_config do
 end
 ```
 
-* Test your `kitchen.yml` file to verify that only Vagrant is configured as the driver.
+* Test your `kitchen.yml` file to verify that only Vagrant is configured as the driver.  The %w() formatting will
+pass rubocop lintng and allow you to access nested mappings.
 
 ```ruby
 describe yaml('.kitchen.yml') do
-  its('driver.name') { should eq('vagrant') }
+  its(%w(driver name)) { should eq('vagrant') }
 end
 ```
 
@@ -284,28 +289,13 @@ Windows | 2012+
 
 Documentation
 
+ * http://inspec.io/docs/
+ * http://inspec.io/docs/reference/resources/
  * https://github.com/chef/inspec/tree/master/docs
 
-Blogs:
-
- * [The Road to InSpec](https://www.chef.io/blog/2015/11/04/the-road-to-inspec/)
- * [Introduction to InSpec](http://tfitch.com/automation-tools-bootcamp/inspec.html)
- * [InSpec Tutorial: Day 1 - Hello World](http://www.anniehedgie.com/inspec-basics-1)
- * [InSpec Tutorial: Day 2 - Command Resource Blog Logo](http://www.anniehedgie.com/inspec-basics-2)
- * [InSpec Tutorial: Day 3 - File Resource](http://www.anniehedgie.com/inspec-basics-3)
- * [InSpec Tutorial: Day 4 - Custom Matchers](http://www.anniehedgie.com/inspec-basics-4)
- * [InSpec Tutorial: Day 5 - Creating a Profile](http://www.anniehedgie.com/inspec-basics-5)
- * [InSpec Tutorial: Day 6 - Ways to Run It and Places to Store It](http://www.anniehedgie.com/inspec-basics-6)
- * [InSpec Tutorial: Day 7 - How to Inherit a Profile from Chef Compliance Server](http://www.anniehedgie.com/inspec-basics-7)
- * [Windows infrastructure testing using InSpec – Part I](http://datatomix.com/?p=236)
- * [Windows infrastructure testing using InSpec and Profiles – Part II](http://datatomix.com/?p=238)
- * [Testing Ansible with Inspec](http://scienceofficersblog.blogspot.de/2016/02/testing-ansible-with-inspec.html)
- * [Operating Chef/InSpec in an air gapped environment](https://github.com/jeremymv2/chef-intranet-scaffolding/blob/master/README.md)
-
-Podcasts:
-
- * [InSpec Foodfight](http://foodfightshow.org/2016/02/inspec.html)
- * [Test Driven Infrastructure With Arthur Maltson And Michael Goetz](https://www.arresteddevops.com/tdi/)
+Tutorials/Blogs/Podcasts:
+
+ * http://inspec.io/tutorials/
 
 ## Share your Profiles
 

data/docs/resources/file.md.erb

@@ -29,13 +29,13 @@ This InSpec audit resource has the following matchers:
 
 <%= partial "/shared/matcher_be" %>
 
-### be_block_device
+### be\_block\_device
 
 The `be_block_device` matcher tests if the file exists as a block device, such as `/dev/disk0` or `/dev/disk0s9`:
 
     it { should be_block_device }
 
-### be_character_device
+### be\_character\_device
 
 The `be_character_device` matcher tests if the file exists as a character device (that corresponds to a block device), such as `/dev/rdisk0` or `/dev/rdisk0s9`:
 
@@ -71,7 +71,7 @@ The `be_file` matcher tests if the file exists as a file. This can be useful wit
 
     it { should be_file }
 
-### be_grouped_into
+### be\_grouped\_into
 
 The `be_grouped_into` matcher tests if the file exists as part of the named group:
 
@@ -83,7 +83,7 @@ The `be_immutable` matcher tests if the file is immutable, i.e. "cannot be chang
 
     it { should be_immutable }
 
-### be_linked_to
+### be\_linked\_to
 
 The `be_linked_to` matcher tests if the file is linked to the named target:
 
@@ -95,7 +95,7 @@ The `be_mounted` matcher tests if the file is accessible from the file system:
 
     it { should be_mounted }
 
-### be_owned_by
+### be\_owned\_by
 
 The `be_owned_by` matcher tests if the file is owned by the named user, such as `root`:
 

data/docs/resources/iis_site.md.erb

@@ -64,7 +64,7 @@ The `exist` matcher tests if the site exists:
 
     it { should exist }
 
-### have_app_pool
+### have\_app\_pool
 
 The `have_app_pool` matcher tests if the named application pool exists for the site:
 

data/docs/resources/parse_config_file.md.erb

@@ -2,7 +2,7 @@
 title: About the parse_config_file Resource
 ---
 
-# parse_config_file
+# parse\_config\_file
 
 Use the `parse_config_file` InSpec audit resource to test arbitrary configuration files. It works in the same way as `parse_config`. Instead of using a command output, this resource works with files.
 

data/docs/resources/registry_key.md.erb

@@ -73,9 +73,8 @@ For example, to get all child items for a registry key:
 The following example shows how find a property that may exist against multiple registry keys, and then test that property for every registry key in which that property is located:
 
     describe registry_key({
-      hive: HKEY_USERS
-    }).children(/^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}\\Software\\Policies\\Microsoft\\Windows\\Installer/).each
-      { |key|
+      hive: 'HKEY_USERS'
+    }).children(/^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}\\Software\\Policies\\Microsoft\\Windows\\Installer/).each { |key|
         describe registry_key(key) do
           its('AlwaysInstallElevated') { should eq 'value' }
         end
@@ -101,7 +100,7 @@ The `have_property` matcher tests if a property exists for a registry key:
 
     it { should have_property 'value' }
 
-### have_property_value
+### have\_property\_value
 
 The `have_property_value` matcher tests if a property value exists for a registry key:
 

data/docs/shared/matcher_cmp.md.erb

@@ -28,8 +28,6 @@ vs:
 
 Ignoring case sensitivity:
 
-.. code-block:: ruby
-
    describe some_resource do
      its('setting') { should cmp 'raw' }
      its('setting') { should cmp 'RAW' }

data/examples/profile/README.md

@@ -1,6 +1,6 @@
 # Example InSpec Profile
 
-This example shows the implementation of an InSpec [profile](../../docs/profiles.rst).
+This example shows the implementation of an InSpec [profile](../../docs/profiles.md).
 
 ## Verify a profile
 

data/lib/bundles/inspec-artifact.rb

@@ -0,0 +1,7 @@
+# encoding: utf-8
+# author: Dave Parfitt
+
+libdir = File.dirname(__FILE__)
+$LOAD_PATH.unshift(libdir) unless $LOAD_PATH.include?(libdir)
+
+require 'inspec-artifact/cli'

data/lib/bundles/inspec-artifact/README.md

@@ -0,0 +1 @@
+# TODO

data/lib/bundles/inspec-artifact/cli.rb

@@ -0,0 +1,284 @@
+# encoding: utf-8
+# frozen_string_literal: true
+require 'base64'
+require 'openssl'
+require 'pathname'
+require 'set'
+require 'tempfile'
+require 'yaml'
+
+# Notes:
+#
+# Generate keys
+#   The initial implementation uses 2048 bit RSA key pairs (public + private).
+#   Public keys must be available for a customer to install and verify an artifact.
+#   Private keys should be stored in a secure location and NOT be distributed.
+#     (They're only for creating artifacts).
+#
+#
+# .IAF file format
+#   .iaf = "Inspec Artifact File", easy to rename if you'd like something more appropriate.
+#   The iaf file wraps a binary artifact with some metadata. The first implementation
+#   looks like this:
+#
+# INSPEC-PROFILE-1
+# name_of_signing_key
+# algorithm
+# signature
+# <empty line>
+# binary-blob
+# <eof>
+#
+# Let's look at each line:
+# INSPEC-PROFILE-1:
+#   This is the artifact version descriptor. It should't change unless the
+#   format of the archive changes.
+#
+# name_of_signing_key
+#   The name of the public key that can be used to verify an artifact
+#
+# algorithm
+#   The digest used to sign, I picked SHA512 to start with.
+#   If we support multiple digests, we'll need to have the verify() method
+#   support each digest.
+#
+# signature
+#   The result of passing the binary artifact through the digest algorithm above.
+#   Result is base64 encoded.
+#
+# <empty line>
+#   We use an empty line to separate artifact header from artifact body (binary blob).
+#   The artifact body can be anything you like.
+#
+# binary-blob
+#   A binary blob, most likely a .tar.gz or tar.xz file. We'll need to pick one and
+#   stick with it as part of the "INSPEC-PROFILE-1" artifact version. If we change block
+#   format, the artifact version descriptor must be incremented, and the sign()
+#   and verify() methods must be updated to support a newer version.
+#
+#
+# Key revocation
+#   This implementation doesn't support key revocation. However, a customer
+#   can remove the public cert file before installation, and artifacts will then
+#   fail verification.
+#
+# Key locations
+#   This implementation uses the current working directory to find public and
+#   private keys. We should establish a common key directory (similar to /hab/cache/keys
+#   or ~/.hab/cache/keys in Habitat).
+#
+# Extracting artifacts outside of Inspec
+#   As in Habitat, the artifact format for Inspec allows the use of common
+#   Unix tools to read the header and body of an artifact.
+# To extract the header from a .iaf:
+#        sed '/^$/q' foo.iaf
+# To extract the raw content from a .iaf:
+#        sed '1,/^$/d' foo.iaf
+
+module Artifact
+  KEY_BITS=2048
+  KEY_ALG=OpenSSL::PKey::RSA
+
+  INSPEC_PROFILE_VERSION_1='INSPEC-PROFILE-1'.freeze
+  INSPEC_REPORT_VERSION_1='INSPEC-REPORT-1'.freeze
+
+  ARTIFACT_DIGEST=OpenSSL::Digest::SHA512
+  ARTIFACT_DIGEST_NAME='SHA512'.freeze
+
+  VALID_PROFILE_VERSIONS=Set.new [INSPEC_PROFILE_VERSION_1]
+  VALID_PROFILE_DIGESTS=Set.new [ARTIFACT_DIGEST_NAME]
+
+  SIGNED_PROFILE_SUFFIX='iaf'.freeze
+  SIGNED_REPORT_SUFFIX='iar'.freeze
+
+  # rubocop:disable Metrics/ClassLength
+  class CLI < Inspec::BaseCLI
+    namespace 'artifact'
+
+    # TODO: find another solution, once https://github.com/erikhuda/thor/issues/261 is fixed
+    def self.banner(command, _namespace = nil, _subcommand = false)
+      "#{basename} #{subcommand_prefix} #{command.usage}"
+    end
+
+    def self.subcommand_prefix
+      namespace
+    end
+
+    desc 'generate', 'Generate a RSA key pair for signing and verification'
+    option :keyname, type: :string, required: true,
+      desc: 'Desriptive name of key'
+    option :keydir, type: :string, default: './',
+      desc: 'Directory to search for keys'
+    def generate_keys
+      puts 'Generating keys'
+      keygen
+    end
+
+    desc 'sign-profile', 'Create a signed .iaf artifact'
+    option :profile, type: :string, required: true,
+      desc: 'Path to profile directory'
+    option :keyname, type: :string, required: true,
+      desc: 'Desriptive name of key'
+    def sign_profile
+      profile_sign
+    end
+
+    desc 'verify-profile', 'Verify a signed .iaf artifact'
+    option :infile, type: :string, required: true,
+        desc: '.iaf file to verify'
+    def verify_profile
+      profile_verify
+    end
+
+    desc 'install-profile', 'Verify and install a signed .iaf artifact'
+    option :infile, type: :string, required: true,
+        desc: '.iaf file to install'
+    option :destdir, type: :string, required: true,
+      desc: 'Installation directory'
+    def install_profile
+      profile_install
+    end
+
+    private
+
+    def keygen
+      key = KEY_ALG.new KEY_BITS
+      puts 'Generating private key'
+      open "#{options['keyname']}.pem.key", 'w' do |io| io.write key.to_pem end
+      puts 'Generating public key'
+      open "#{options['keyname']}.pem.pub", 'w' do |io| io.write key.public_key.to_pem end
+    end
+
+    def read_profile_metadata(path_to_profile)
+      begin
+        p = Pathname.new(path_to_profile)
+        p = p.join('inspec.yml')
+        if not p.exist?
+          fail "#{path_to_profile} doesn't appear to be a valid Inspec profile"
+        end
+        yaml = YAML.load_file(p.to_s)
+        yaml = yaml.to_hash
+
+        if not yaml.key? 'name'
+          fail 'Profile is invalid, name is not defined'
+        end
+
+        if not yaml.key? 'version'
+          fail 'Profile is invalid, version is not defined'
+        end
+      rescue => e
+        # rewrap it and pass it up to the CLI
+        raise "Error reading Inspec profile metadata: #{e}"
+      end
+
+      yaml
+    end
+
+    def profile_compress(path_to_profile, profile_md, workdir)
+      profile_name = profile_md['name']
+      profile_version = profile_md['version']
+      outfile_name = "#{workdir}/#{profile_name}-#{profile_version}.tar.gz"
+      `tar czf #{outfile_name} -C #{path_to_profile} .`
+      outfile_name
+    end
+
+    def profile_sign
+      Dir.mktmpdir do |workdir|
+        puts "Signing #{options['profile']} with key #{options['keyname']}"
+        path_to_profile = options['profile']
+        profile_md = read_profile_metadata(path_to_profile)
+        artifact_filename = "#{profile_md['name']}-#{profile_md['version']}.#{SIGNED_PROFILE_SUFFIX}"
+        tarfile = profile_compress(path_to_profile, profile_md, workdir)
+        content = IO.binread(tarfile)
+        signing_key = KEY_ALG.new File.read "#{options['keyname']}.pem.key"
+        sha = ARTIFACT_DIGEST.new
+        signature = signing_key.sign sha, content
+        # convert the signature to Base64
+        signature_base64 = Base64.encode64(signature)
+        tar_content = IO.binread(tarfile)
+        File.open(artifact_filename, 'wb') do |f|
+          f.puts(INSPEC_PROFILE_VERSION_1)
+          f.puts(options['keyname'])
+          f.puts(ARTIFACT_DIGEST_NAME)
+          f.puts(signature_base64)
+          f.puts('') # newline separates artifact header with body
+          f.write(tar_content)
+        end
+        puts "Successfully generated #{artifact_filename}"
+      end
+    end
+
+    def valid_header?(file_alg, file_version, file_keyname)
+      public_keyfile = "#{file_keyname}.pem.pub"
+      puts "Looking for #{public_keyfile} to verify artifact"
+      if not File.exist? public_keyfile
+        fail "Can't find #{public_keyfile}"
+      end
+
+      if not VALID_PROFILE_DIGESTS.member? file_alg
+        fail 'Invalid artifact digest algorithm detected'
+      end
+
+      if not VALID_PROFILE_VERSIONS.member? file_version
+        fail 'Invalid artifact version detected'
+      end
+    end
+
+    def verify(file_to_verifiy, &content_block)
+      f = File.open(file_to_verifiy, 'r')
+      file_version = f.readline.strip!
+      file_keyname = f.readline.strip!
+      file_alg = f.readline.strip!
+
+      file_sig = ''
+      # the signature is multi-line
+      while (line = f.readline) != "\n"
+        file_sig += line
+      end
+      file_sig.strip!
+      f.close
+
+      valid_header?(file_alg, file_version, file_keyname)
+
+      public_keyfile = "#{file_keyname}.pem.pub"
+      verification_key = KEY_ALG.new File.read public_keyfile
+
+      f = File.open(file_to_verifiy, 'r')
+      while f.readline != "\n" do end
+      content = f.read
+
+      signature = Base64.decode64(file_sig)
+      digest = ARTIFACT_DIGEST.new
+      if verification_key.verify digest, signature, content
+        content_block.yield(content)
+      else
+        puts 'Artifact is invalid'
+      end
+    end
+
+    def profile_verify
+      file_to_verifiy = options['infile']
+      puts "Verifying #{file_to_verifiy}"
+      verify(file_to_verifiy) do ||
+        puts 'Artifact is valid'
+      end
+    end
+
+    def profile_install
+      puts 'Installing profile'
+      file_to_verifiy = options['infile']
+      dest_dir = options['destdir']
+      verify(file_to_verifiy) do |content|
+        Dir.mktmpdir do |workdir|
+          tmpfile = Pathname.new(workdir).join('artifact_to_install.tar.gz')
+          File.write(tmpfile, content)
+          puts "Installing to #{dest_dir}"
+          `tar xzf #{tmpfile} -C #{dest_dir}`
+        end
+      end
+    end
+  end
+
+  # register the subcommand to Inspec CLI registry
+  Inspec::Plugins::CLI.add_subcommand(Artifact::CLI, 'artifact', 'artifact SUBCOMMAND ...', 'Sign, verify and install artifacts', {})
+end

data/lib/bundles/inspec-supermarket/api.rb

@@ -11,11 +11,11 @@ module Supermarket
 
     # displays a list of profiles
     def self.profiles(supermarket_url = SUPERMARKET_URL)
-      url = "#{supermarket_url}/api/v1/tools-search"
-      _success, data = get(url, { q: 'compliance_profile' })
+      url = "#{supermarket_url}/api/v1/tools"
+      _success, data = get(url, { start: 0, items: 100, order: 'recently_added' })
       if !data.nil?
         profiles = JSON.parse(data)
-        profiles['items'].map { |x|
+        profiles['items'].select { |p| p['tool_type'] == 'compliance_profile' }.map { |x|
           m = %r{^#{supermarket_url}/api/v1/tools/(?<slug>[\w-]+)(/)?$}.match(x['tool'])
           x['slug'] = m[:slug]
           x

data/lib/inspec/objects/attribute.rb

@@ -21,6 +21,18 @@ module Inspec
       @opts[:default]
     end
 
+    def title
+      @opts[:title]
+    end
+
+    def description
+      @opts[:description]
+    end
+
+    def ruby_var_identifier
+      'attr_' + @name.downcase.strip.gsub(/\s+/, '-').gsub(/[^\w-]/, '')
+    end
+
     def to_hash
       {
         name: @name,
@@ -28,6 +40,15 @@ module Inspec
       }
     end
 
+    def to_ruby
+      res = ["#{ruby_var_identifier} = attribute('#{@name}',{"]
+      res.push "  title: '#{title}'," unless title.to_s.empty?
+      res.push "  default: '#{default}'," unless default.to_s.empty?
+      res.push "  description: '#{description}'," unless description.to_s.empty?
+      res.push '})'
+      res.join("\n")
+    end
+
     def to_s
       "Attribute #{@name} with #{@value}"
     end

data/lib/inspec/version.rb

@@ -4,5 +4,5 @@
 # author: Christoph Hartmann
 
 module Inspec
-  VERSION = '1.2.1'.freeze
+  VERSION = '1.3.0'.freeze
 end

data/lib/matchers/matchers.rb

@@ -219,7 +219,7 @@ end
 # unsupported
 RSpec::Matchers.define :contain do |_rule|
   match do |_resource|
-    fail "[UNSUPPORTED] `contain` matcher. Please use the following syntax `its('content') { should match('value') }`."
+    fail "[UNSUPPORTED] `contain` matcher. Please use the following syntax `its('content') { should include('value') }`."
   end
 end
 

data/lib/resources/file.rb

@@ -7,7 +7,20 @@
 require 'shellwords'
 
 module Inspec::Resources
+  module FilePermissionsSelector
+    def select_file_perms_style(os)
+      if os.unix?
+        UnixFilePermissions.new(inspec)
+      elsif os.windows?
+        WindowsFilePermissions.new(inspec)
+      end
+    end
+  end
+
   class FileResource < Inspec.resource(1) # rubocop:disable Metrics/ClassLength
+    include FilePermissionsSelector
+    include MountParser
+
     name 'file'
     desc 'Use the file InSpec audit resource to test all system file types, including files, directories, symbolic links, named pipes, sockets, character devices, block devices, and doors.'
     example "
@@ -16,14 +29,16 @@ module Inspec::Resources
         it { should be_file }
         it { should be_readable }
         it { should be_writable }
+        it { should be_executable.by_user('root') }
         it { should be_owned_by 'root' }
         its('mode') { should cmp '0644' }
       end
     "
-    include MountParser
 
     attr_reader :file, :mount_options
     def initialize(path)
+      # select permissions style
+      @perms_provider = select_file_perms_style(inspec.os)
       @file = inspec.backend.file(path)
     end
 
@@ -51,20 +66,23 @@ module Inspec::Resources
 
     def readable?(by_usergroup, by_specific_user)
       return false unless exist?
+      return skip_resource '`readable?` is not supported on your OS yet.' if @perms_provider.nil?
 
-      file_permission_granted?('r', by_usergroup, by_specific_user)
+      file_permission_granted?('read', by_usergroup, by_specific_user)
     end
 
     def writable?(by_usergroup, by_specific_user)
       return false unless exist?
+      return skip_resource '`writable?` is not supported on your OS yet.' if @perms_provider.nil?
 
-      file_permission_granted?('w', by_usergroup, by_specific_user)
+      file_permission_granted?('write', by_usergroup, by_specific_user)
     end
 
     def executable?(by_usergroup, by_specific_user)
       return false unless exist?
+      return skip_resource '`executable?` is not supported on your OS yet.' if @perms_provider.nil?
 
-      file_permission_granted?('x', by_usergroup, by_specific_user)
+      file_permission_granted?('execute', by_usergroup, by_specific_user)
     end
 
     def mounted?(expected_options = nil, identical = false)
@@ -109,16 +127,14 @@ module Inspec::Resources
 
     private
 
-    def file_permission_granted?(flag, by_usergroup, by_specific_user)
-      unless inspec.os.unix?
-        fail 'Checking file permissions is not supported on your os'
-      end
-
+    def file_permission_granted?(access, by_usergroup, by_specific_user)
+      fail '`file_permission_granted?` is not supported on your OS' if @perms_provider.nil?
       if by_specific_user.nil? || by_specific_user.empty?
+        fail '`check_file_permission_by_mask` is not supported on your OS' unless inspec.os.unix?
         usergroup = usergroup_for(by_usergroup, by_specific_user)
-        check_file_permission_by_mask(usergroup, flag)
+        check_file_permission_by_mask(usergroup, access)
       else
-        check_file_permission_by_user(by_specific_user, flag)
+        @perms_provider.check_file_permission_by_user(by_specific_user, access, source_path)
       end
     end
 
@@ -129,15 +145,44 @@ module Inspec::Resources
       (file.mode & mask) != 0
     end
 
-    def check_file_permission_by_user(user, flag)
+    def usergroup_for(usergroup, specific_user)
+      if usergroup == 'others'
+        'other'
+      elsif (usergroup.nil? || usergroup.empty?) && specific_user.nil?
+        'all'
+      else
+        usergroup
+      end
+    end
+  end
+
+  class FilePermissions
+    attr_reader :inspec
+    def initialize(inspec)
+      @inspec = inspec
+    end
+  end
+
+  class UnixFilePermissions < FilePermissions
+    def check_file_permission_by_user(user, access_type, path)
+      flag = case access_type
+             when 'read'
+               'r'
+             when 'write'
+               'w'
+             when 'execute'
+               'x'
+             else
+               fail 'Invalid access_type provided'
+             end
       if inspec.os.linux?
-        perm_cmd = "su -s /bin/sh -c \"test -#{flag} #{source_path}\" #{user}"
+        perm_cmd = "su -s /bin/sh -c \"test -#{flag} #{path}\" #{user}"
       elsif inspec.os.bsd? || inspec.os.solaris?
-        perm_cmd = "sudo -u #{user} test -#{flag} #{source_path}"
+        perm_cmd = "sudo -u #{user} test -#{flag} #{path}"
       elsif inspec.os.aix?
-        perm_cmd = "su #{user} -c test -#{flag} #{source_path}"
+        perm_cmd = "su #{user} -c test -#{flag} #{path}"
       elsif inspec.os.hpux?
-        perm_cmd = "su #{user} -c \"test -#{flag} #{source_path}\""
+        perm_cmd = "su #{user} -c \"test -#{flag} #{path}\""
       else
         return skip_resource 'The `file` resource does not support `by_user` on your OS.'
       end
@@ -145,15 +190,22 @@ module Inspec::Resources
       cmd = inspec.command(perm_cmd)
       cmd.exit_status == 0 ? true : false
     end
+  end
 
-    def usergroup_for(usergroup, specific_user)
-      if usergroup == 'others'
-        'other'
-      elsif (usergroup.nil? || usergroup.empty?) && specific_user.nil?
-        'all'
-      else
-        usergroup
-      end
+  class WindowsFilePermissions < FilePermissions
+    def check_file_permission_by_user(user, access_type, path)
+      access_rule = case access_type
+                    when 'read'
+                      '@(\'FullControl\', \'Modify\', \'ReadAndExecute\', \'Read\', \'ListDirectory\')'
+                    when 'write'
+                      '@(\'FullControl\', \'Modify\', \'Write\')'
+                    when 'execute'
+                      '@(\'FullControl\', \'Modify\', \'ReadAndExecute\', \'ExecuteFile\')'
+                    else
+                      fail 'Invalid access_type provided'
+                    end
+      cmd = inspec.command("@(@((Get-Acl '#{path}').access | Where-Object {$_.AccessControlType -eq 'Allow' -and $_.IdentityReference -eq '#{user}' }) | Where-Object {($_.FileSystemRights.ToString().Split(',') | % {$_.trim()} | ? {#{access_rule} -contains $_}) -ne $null}) | measure | % { $_.Count }")
+      cmd.stdout.chomp == '0' ? false : true
     end
   end
 end

data/lib/resources/inetd_conf.rb

@@ -22,6 +22,12 @@ module Inspec::Resources
       @conf_path = path || '/etc/inetd.conf'
     end
 
+    # overwrite exec to ensure it works with its
+    # TODO: this needs to be fixed in RSpec
+    def exec
+      read_params['exec']
+    end
+
     def method_missing(name)
       read_params[name.to_s]
     end

data/lib/resources/package.rb

@@ -204,7 +204,7 @@ module Inspec::Resources
       # Find the package
       cmd = inspec.command <<-EOF.gsub(/^\s*/, '')
         Get-ItemProperty (@("#{search_paths.join('", "')}") | Where-Object { Test-Path $_ }) |
-        Where-Object { $_.DisplayName -like "#{package_name}*" -or $_.PSChildName -like "#{package_name}" } |
+        Where-Object { $_.DisplayName -like "#{package_name}" -or $_.PSChildName -like "#{package_name}" } |
         Select-Object -Property DisplayName,DisplayVersion | ConvertTo-Json
       EOF
 

data/lib/resources/processes.rb

@@ -26,7 +26,7 @@ module Inspec::Resources
         grep = '(/[^/]*)*'+grep if grep[0] != '/'
         grep = Regexp.new('^' + grep + '(\s|$)')
       end
-      all_cmds = ps_aux
+      all_cmds = ps_axo
       @list = all_cmds.find_all do |hm|
         hm[:command] =~ grep
       end
@@ -43,39 +43,37 @@ module Inspec::Resources
 
     private
 
-    def ps_aux
+    def ps_axo
       os = inspec.os
 
       if os.linux?
-        command = 'ps auxZ'
+        command = 'ps axo label,pid,pcpu,pmem,vsz,rss,tty,stat,start,time,user:32,command'
         regex = /^([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+(.*)$/
       else
-        command = 'ps aux'
-        regex = /^([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+(.*)$/
+        command = 'ps axo pid,pcpu,pmem,vsz,rss,tty,stat,start,time,user,command'
+        regex = /^\s*([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+(.*)$/
       end
       build_process_list(command, regex, os)
     end
 
-    Process = Struct.new(:label, :user, :pid,
+    Process = Struct.new(:label, :pid,
                          :cpu, :mem, :vsz,
                          :rss, :tty, :stat,
-                         :start, :time, :command)
+                         :start, :time, :user, :command)
 
     def build_process_list(command, regex, os)
       cmd = inspec.command(command)
       all = cmd.stdout.split("\n")[1..-1]
       return [] if all.nil?
-
       lines = all.map do |line|
         line.match(regex)
       end.compact
-
       lines.map do |m|
         a = m.to_a[1..-1] # grab all matching groups
         a.unshift(nil) unless os.linux?
-        a[2] = a[2].to_i
+        a[1] = a[1].to_i
+        a[4] = a[4].to_i
         a[5] = a[5].to_i
-        a[6] = a[6].to_i
         Process.new(*a)
       end
     end

data/lib/resources/ssl.rb

@@ -41,7 +41,7 @@ class SSL < Inspec.resource(1)
     'tls1.2',
   ].freeze
 
-  attr_reader :host, :port
+  attr_reader :host, :port, :timeout, :retries
 
   def initialize(opts = {})
     @host = opts[:host]
@@ -71,7 +71,7 @@ class SSL < Inspec.resource(1)
           res = Parallel.map(groups, in_threads: 8) do |proto, e|
             [proto, SSLShake.hello(x.resource.host, port: x.resource.port,
               protocol: proto, ciphers: e.map(&:cipher),
-              timeout: @timeout, retries: @retries)]
+              timeout: x.resource.timeout, retries: x.resource.retries)]
           end
           Hash[res]
         }

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec
 version: !ruby/object:Gem::Version
-  version: 1.2.1
+  version: 1.3.0
 platform: ruby
 authors:
 - Dominik Richter
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-10-15 00:00:00.000000000 Z
+date: 2016-10-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: train
@@ -344,17 +344,13 @@ files:
 - examples/profile/controls/example.rb
 - examples/profile/controls/gordon.rb
 - examples/profile/controls/meta.rb
-- examples/profile/inspec.lock
 - examples/profile/inspec.yml
 - examples/profile/libraries/gordon_config.rb
-- examples/ssh/README.md
-- examples/ssh/controls/example.rb
-- examples/ssh/inspec.lock
-- examples/ssh/inspec.yml
-- examples/ssh/libraries/.gitkeep
-- examples/ssh/libraries/habitat.rb
 - inspec.gemspec
 - lib/bundles/README.md
+- lib/bundles/inspec-artifact.rb
+- lib/bundles/inspec-artifact/README.md
+- lib/bundles/inspec-artifact/cli.rb
 - lib/bundles/inspec-compliance.rb
 - lib/bundles/inspec-compliance/.kitchen.yml
 - lib/bundles/inspec-compliance/README.md
@@ -537,7 +533,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.5.1
+rubygems_version: 2.4.6
 signing_key: 
 specification_version: 4
 summary: Infrastructure and compliance testing.

data/examples/profile/inspec.lock

@@ -1,3 +0,0 @@
----
-lockfile_version: 1
-depends: []

data/examples/ssh/README.md

@@ -1,3 +0,0 @@
-# Example InSpec Profile
-
-This example shows the implementation of an InSpec [profile](../../docs/profiles.rst).

data/examples/ssh/controls/example.rb

@@ -1,9 +0,0 @@
-# encoding: utf-8
-# copyright: 2015, The Authors
-# license: All rights reserved
-
-title 'my hab tests'
-
-describe habitat do
-  it { should exist }
-end

data/examples/ssh/inspec.lock

@@ -1,3 +0,0 @@
----
-lockfile_version: 1
-depends: []

data/examples/ssh/inspec.yml

@@ -1,8 +0,0 @@
-name: ssh
-title: InSpec Profile
-maintainer: The Authors
-copyright: The Authors
-copyright_email: you@example.com
-license: All Rights Reserved
-summary: An InSpec Compliance Profile
-version: 0.1.0

data/examples/ssh/libraries/habitat.rb

@@ -1,13 +0,0 @@
-
-class Habitat < Inspec.resource(1)
-  name "habitat"
-  example "
-    describe habitat do
-      it { should exist }
-    end
-  "
-
-  def exist?
-    inspec.file('hab').exist?
-  end
-end