inspec 1.23.0 → 1.24.0

data/Rakefile

@@ -4,6 +4,7 @@
 require 'bundler'
 require 'bundler/gem_tasks'
 require 'rake/testtask'
+require_relative 'tasks/changelog'
 require_relative 'tasks/maintainers'
 
 # The docs tasks rely on ruby-progressbar. If we can't load it, then don't
@@ -128,14 +129,6 @@ end
 # Check the requirements for running an update of this repository.
 def check_update_requirements
   require_command 'git'
-  require_command 'github_changelog_generator', "\n"\
-    "For more information on how to install it see:\n"\
-    "  https://github.com/skywinder/github-changelog-generator\n"
-  require_env 'CHANGELOG_GITHUB_TOKEN', "\n"\
-    "Please configure this token to make sure you can run all commands\n"\
-    "against GitHub.\n\n"\
-    "See github_changelog_generator homepage for more information:\n"\
-    "  https://github.com/skywinder/github-changelog-generator\n"
 end
 
 # Show the current version of this gem.
@@ -144,12 +137,6 @@ task :version do
   inspec_version
 end
 
-desc 'Generate the changelog'
-task :changelog do
-  require_relative 'lib/inspec/version'
-  system "github_changelog_generator -u chef -p inspec --future-release v#{Inspec::VERSION} --since-tag 0.7.0"
-end
-
 # Update the version of this gem and create an updated
 # changelog. It covers everything short of actually releasing
 # the gem.

data/docs/migration.md

@@ -46,7 +46,7 @@ The following resources are available in InSpec:
 | [`yumrepo`](http://serverspec.org/resource_types.html#yumrepo)                               | [`yum`](https://www.inspec.io/docs/reference/resources/yum/)                           |
 | [`zfs`](http://serverspec.org/resource_types.html#zfs)                                       | [`zfs_pool`](https://www.inspec.io/docs/reference/resources/zfs_pool/)                 |
 
-Some Serverspec resources are not available yet. We implement those resources based on user feedback. If you need a resource that is not available in InSpec, please open an [Github issue](https://github.com/chef/inspec/issues). The list of resources that are not available in InSpec:
+Some Serverspec resources are not available yet. We will implement those resources based on user feedback. If you need a resource that is not available in InSpec, please open an [Github issue](https://github.com/chef/inspec/issues). The list of resources that are not available in InSpec:
 
 * [`cgroup`](http://serverspec.org/resource_types.html#cgroup)
 * [`default_gateway`](http://serverspec.org/resource_types.html#default_gateway)

data/docs/profiles.md

@@ -157,31 +157,33 @@ For example:
 
 ## Chef Supermarket
 
-A `supermarket` setting specifies a profile that is located in a cookbook hosted on Chef Supermarket, with optional settings for branch, tag, commit, and version. The source location is translated into a URL upon resolution. This type of dependency supports version indexing via semantic versioning as git tags.
+A `supermarket` setting specifies a profile that is located in a cookbook hosted on Chef Supermarket. The source location is translated into a URL upon resolution.
 
 For example:
 
     depends:
     - name: supermarket-profile
-      git: username/profile
-      branch:  desired_branch
-      tag:     desired_version
-      commit:  pinned_commit
-      version: semver_via_tags
+      supermarket: supermarket-username/supermarket-profile
+
+Available Supermarket profiles can be listed with `inspec supermarket profiles`.
 
 ## GitHub
 
-A `github` setting specifies a profile that is located in a repository hosted on GitHub, with optional settings for branch, tag, commit, and version. The source location is translated into a URL upon resolution. This type of dependency supports version indexing via semantic versioning as git tags.
+A `github` setting specifies a profile that is located in a repository hosted on GitHub. The source location is translated into a URL upon resolution.
 
 For example:
 
     depends:
     - name: gh-profile
-      git: username/project
-      branch:  desired_branch
-      tag:     desired_version
-      commit:  pinned_commit
-      version: semver_via_tags
+      github: username/project
+
+A path to a Git commit or tag on GitHub can also be used:
+
+    dev-sec/linux-baseline
+    dev-sec/linux-baseline/tree/2.0
+    dev-sec/linux-baseline/tree/48bd4388ddffde68badd83aefa654e7af3231876
+
+would all download profiles corresponding to the GitHub URL, https://github.com/dev-sec/linux-baseline/tree/48bd4388ddffde68badd83aefa654e7af3231876, for example.
 
 ## Chef Compliance
 

data/docs/resources/mssql_session.md.erb

@@ -0,0 +1,79 @@
+---
+title: About the mssql_session Resource
+---
+
+# mssql_session
+
+Use the `mssql_session` InSpec audit resource to test SQL commands run against a Microsoft SQL database.
+
+## Syntax
+
+A `mssql_session` resource block declares the username and password to use for the session, and then the command to be run:
+
+    describe mssql_session(user: 'username', pass: 'password').query('QUERY') do
+      its('output') { should eq('') }
+    end
+
+where
+
+* `mssql_session` declares a username and password with permission to run the query.  Omitting the username or password parameters results in the use of Windows authentication as the user InSpec is executing as.  You may also optionally pass a host and instance name.  If omitted, they will default to host: localhost and the default instance.
+* `query('QUERY')` contains the query to be run
+* `its('output') { should eq('') }` compares the results of the query against the expected result in the test
+
+## Matchers
+
+This InSpec audit resource has the following matchers:
+
+### be
+
+<%= partial "/shared/matcher_be" %>
+
+### cmp
+
+<%= partial "/shared/matcher_cmp" %>
+
+### eq
+
+<%= partial "/shared/matcher_eq" %>
+
+### include
+
+<%= partial "/shared/matcher_include" %>
+
+### match
+
+<%= partial "/shared/matcher_match" %>
+
+### output
+
+The `output` matcher tests the results of the query:
+
+    its('output') { should eq(/^0/) }
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+### Test for matching databases
+
+    sql = mssql_session(user: 'my_user', pass: 'password')
+
+    describe sql.query('show databases like \'test\';') do
+      its('stdout') { should_not match(/test/) }
+    end
+
+### Test using Windows authentication
+
+    sql = mssql_session
+
+    describe sql.query('show databases like \'test\';') do
+      its('stdout') { should_not match(/test/) }
+    end
+
+### Test a specific host and instance
+
+    sql = mssql_session(user: 'my_user', pass: 'password', host: 'mssqlserver', instance: 'foo')
+
+    describe sql.query('show databases like \'test\';') do
+      its('stdout') { should_not match(/test/) }
+    end

data/docs/resources/oracledb_session.md.erb

@@ -0,0 +1,71 @@
+---
+title: About the oracledb_session Resource
+---
+
+# oracledb_session
+
+Use the `oracledb_session` InSpec audit resource to test SQL commands run against a Oracle database.
+
+## Syntax
+
+A `oracledb_session` resource block declares the username and password to use for the session with an optional service to connect to, and then the command to be run:
+
+    describe oracledb_session(user: 'username', pass: 'password').query('QUERY') do
+      its('output') { should eq('') }
+    end
+
+where
+
+* `oracledb_session` declares a username and password with permission to run the query (required), and an optional parameters for host (default: `localhost`), SID (default: `nil`, which uses the default SID, and path to the sqlplus binary (default: `sqlplus`).  
+* `query('QUERY')` contains the query to be run
+* `its('output') { should eq('') }` compares the results of the query against the expected result in the test
+
+## Matchers
+
+This InSpec audit resource has the following matchers:
+
+### be
+
+<%= partial "/shared/matcher_be" %>
+
+### cmp
+
+<%= partial "/shared/matcher_cmp" %>
+
+### eq
+
+<%= partial "/shared/matcher_eq" %>
+
+### include
+
+<%= partial "/shared/matcher_include" %>
+
+### match
+
+<%= partial "/shared/matcher_match" %>
+
+### output
+
+The `output` matcher tests the results of the query:
+
+    its('output') { should eq(/^0/) }
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+### Test for matching databases
+
+    sql = oracledb_session(user: 'my_user', pass: 'password')
+    
+    describe sql.query('SELECT NAME FROM v$database;') do
+      its('stdout') { should_not match(/test/) }
+    end
+
+### Test for matching databases with custom host, SID and sqlplus binary location
+
+    sql = oracledb_session(user: 'my_user', pass: 'password', host: 'oraclehost', sid: 'mysid', sqlplus_bin: '/u01/app/oracle/product/12.1.0/dbhome_1/bin/sqlplus')
+    
+    describe sql.query('SELECT NAME FROM v$database;') do
+      its('stdout') { should_not match(/test/) }
+    end

data/docs/resources/postgres_session.md.erb

@@ -10,17 +10,24 @@ Use the `postgres_session` InSpec audit resource to test SQL commands run agains
 
 A `postgres_session` resource block declares the username and password to use for the session, and then the command to be run:
 
-    sql = postgres_session('username', 'password')
+    # Create a PostgreSQL session:
+    sql = postgres_session('username', 'password', 'host')
 
+    # default values:
+    #   username: 'postgres'
+    #   host: 'localhost'
+
+    # Run an SQL query with an optional database to execute
+    sql.query('sql_query', ['database_name'])`
+
+A full example is:
+
+    sql = postgres_session('username', 'password', 'host')
     describe sql.query('SELECT * FROM pg_shadow WHERE passwd IS NULL;') do
-      its('output') { should eq('') }
+      its('output') { should eq '' }
     end
 
-where
-
-* `sql = postgres_session` declares a username and password with permission to run the query
-* `sql.query('')` contains the query to be run
-* `its('output') { should eq('') }` compares the results of the query against the expected result in the test
+where `its('output') { should eq '' }` compares the results of the query against the expected result in the test
 
 ## Matchers
 
@@ -58,9 +65,9 @@ The following examples show how to use this InSpec audit resource.
 
 ### Test the PostgreSQL shadow password
 
-    sql = postgres_session('my_user', 'password')
+    sql = postgres_session('my_user', 'password', '192.168.1.2')
 
-    describe sql.query('SELECT * FROM pg_shadow WHERE passwd IS NULL;') do
+    describe sql.query('SELECT * FROM pg_shadow WHERE passwd IS NULL;', ['testdb']) do
       its('output') { should eq('') }
     end
 
@@ -70,6 +77,6 @@ The following examples show how to use this InSpec audit resource.
                   FROM pg_language
                   WHERE lanpltrusted = \'f\'
                   AND lanname!=\'internal\'
-                  AND lanname!=\'c\';') do
+                  AND lanname!=\'c\';', ['postgres']) do
       its('output') { should eq '0' }
     end

data/docs/resources/processes.md.erb

@@ -16,7 +16,7 @@ A `processes` resource block declares the name of the process to be tested, and
 
 where
 
-* `processes('process_name')` must specify the name of a process that is running on the system
+* `processes('process_name')` specifies the name of a process to check. If this is a string, it will be converted to a Regexp. For more specificity, pass a Regexp directly.
 * `property_name` may be used to test user (`its('users')`) and state properties (`its('states')`)
 
 
@@ -71,3 +71,13 @@ The following examples show how to use this InSpec audit resource.
     describe processes('some_process') do
       its('states') { should eq ['R<'] }
     end
+
+### Test for a process using a specific Regexp
+
+If the process name is too common for a string to uniquely find it,
+you may use a regexp. Inclusion of whitespace characters may be
+needed.
+
+    describe processes(Regexp.new("/usr/local/bin/swap -d")) do
+      its('list.length') { should eq 1 }
+    end

data/docs/resources/service.md.erb

@@ -6,7 +6,7 @@ title: About the service Resource
 
 Use the `service` InSpec audit resource to test if the named service is installed, running and/or enabled.
 
-Under some circumstances, it may be necessary to specify the service manager by using one of the following service manager-specific resources: `bsd_service`, `launchd_service`, `runit_service`, `systemd_service`, `sysv_service`, oe `upstart_service`. These resources are based on the `service` resource.
+Under some circumstances, it may be necessary to specify the service manager by using one of the following service manager-specific resources: `bsd_service`, `launchd_service`, `runit_service`, `systemd_service`, `sysv_service`, or `upstart_service`. These resources are based on the `service` resource.
 
 ## Syntax
 

data/examples/inheritance/inspec.lock

@@ -0,0 +1,11 @@
+---
+lockfile_version: 1
+depends:
+- name: profile
+  resolved_source:
+    path: "/Users/aleff/projects/inspec/examples/profile"
+  version_constraints: ">= 0"
+- name: profile-attribute
+  resolved_source:
+    path: "/Users/aleff/projects/inspec/examples/profile-attribute"
+  version_constraints: ">= 0"

data/examples/meta-profile/README.md

@@ -15,7 +15,7 @@ depends:
   - name: os-hardening
     url: https://github.com/dev-sec/tests-os-hardening/archive/master.zip
   # git
-  - git: https://github.com/dev-sec/ssl-benchmark.git
+  - git: https://github.com/dev-sec/ssl-baseline.git
   - name: windows-patch-benchmark
     git: https://github.com/chris-rock/windows-patch-benchmark.git
   # Chef Compliance
@@ -29,7 +29,7 @@ You could use those dependencies in your `exmaple.rb`:
 
 include_controls 'hardening/ssh-hardening'
 include_controls 'os-hardening'
-include_controls 'ssl-benchmark'
+include_controls 'ssl-baseline'
 include_controls 'linux'
 include_controls 'windows-patch-benchmark'
 ```

data/examples/meta-profile/controls/example.rb

@@ -6,7 +6,7 @@
 include_controls 'dev-sec/ssh-baseline'
 
 # select only individual controls
-include_controls 'ssl-benchmark' do
+include_controls 'ssl-baseline' do
   control "tls1.2"
 end
 

data/examples/meta-profile/inspec.lock

@@ -0,0 +1,18 @@
+---
+lockfile_version: 1
+depends:
+- name: dev-sec/ssh-baseline
+  resolved_source:
+    url: https://github.com/dev-sec/ssh-baseline/archive/master.tar.gz
+    sha256: 79e6b9846ab539669bbfcf5adcd246f1be484d4b55acb7c1c3dbd852203e4fae
+  version_constraints: ">= 0"
+- name: ssl-benchmark
+  resolved_source:
+    url: https://github.com/dev-sec/ssl-benchmark/archive/master.tar.gz
+    sha256: 4d5c9187409941b96f00fb25d0888c301ede999fd63149f35ad4594d698d6535
+  version_constraints: ">= 0"
+- name: windows-patch-benchmark
+  resolved_source:
+    url: https://github.com/chris-rock/windows-patch-benchmark/archive/master.tar.gz
+    sha256: dbb5602f09f58d86f8743dfb44327207e9a23a49ef34f65614f1c1d8cc145f6b
+  version_constraints: ">= 0"

data/examples/meta-profile/inspec.yml

@@ -8,6 +8,6 @@ summary: InSpec Profile that is only consuming dependencies
 version: 0.2.0
 depends:
   - name: dev-sec/ssh-baseline  # defaults to supermarket
-  - url: https://github.com/dev-sec/ssl-benchmark
+  - url: https://github.com/dev-sec/ssl-baseline
   - name: windows-patch-benchmark
     url: https://github.com/chris-rock/windows-patch-benchmark

data/lib/bundles/inspec-habitat/profile.rb

@@ -346,7 +346,7 @@ mkdir -p {{pkg.svc_var_path}}/inspec_results
 
 while true; do
   echo "Executing InSpec for ${PROFILE_IDENT}"
-  hab pkg exec chef/inspec inspec exec {{pkg.path}}/dist --format=json > ${RESULTS_FILE} 2>${ERROR_FILE}
+  inspec exec {{pkg.path}}/dist --format=json > ${RESULTS_FILE} 2>${ERROR_FILE}
 
   if [ $? -eq 0 ]; then
     echo "InSpec run completed successfully."

data/lib/inspec.rb

@@ -8,6 +8,7 @@ libdir = File.dirname(__FILE__)
 $LOAD_PATH.unshift(libdir) unless $LOAD_PATH.include?(libdir)
 
 require 'inspec/version'
+require 'inspec/exceptions'
 require 'inspec/profile'
 require 'inspec/rspec_json_formatter'
 require 'inspec/rule'

data/lib/inspec/base_cli.rb

@@ -81,7 +81,7 @@ module Inspec
       runner = Inspec::Runner.new(o)
       targets.each { |target| runner.add_target(target) }
       exit runner.run
-    rescue RuntimeError, Train::UserError => e
+    rescue ArgumentError, RuntimeError, Train::UserError => e
       $stderr.puts e.message
       exit 1
     end

data/lib/inspec/dsl.rb

@@ -34,11 +34,9 @@ module Inspec::DSL
     dep_entry = dependencies.list[profile_id]
     if dep_entry.nil?
       raise <<EOF
-Cannot load #{profile_id} since it is not listed as a dependency
-of #{bind_context.profile_name}.
+Cannot load #{profile_id} since it is not listed as a dependency of #{bind_context.profile_name}.
 
 Dependencies available from this context are:
-
     #{dependencies.list.keys.join("\n    ")}
 EOF
     end

data/lib/inspec/exceptions.rb

@@ -0,0 +1,8 @@
+# encoding: utf-8
+# copyright: 2017, Chef Software Inc.
+
+module Inspec
+  module Exceptions
+    class SecretsBackendNotFound < ArgumentError; end
+  end
+end