inspec 1.23.0 → 1.24.0

data/lib/inspec/metadata.rb

@@ -11,10 +11,11 @@ module Inspec
   # Extract metadata.rb information
   class Metadata # rubocop:disable Metrics/ClassLength
     attr_reader :ref
-    attr_accessor :params
+    attr_accessor :params, :content
     def initialize(ref, logger = nil)
       @ref = ref
       @logger = logger || Logger.new(nil)
+      @content = ''
       @params = {}
       @missing_methods = []
     end
@@ -206,26 +207,28 @@ module Inspec
       metadata
     end
 
-    def self.from_yaml(ref, contents, profile_id, logger = nil)
+    def self.from_yaml(ref, content, profile_id, logger = nil)
       res = Metadata.new(ref, logger)
-      res.params = YAML.load(contents)
+      res.params = YAML.load(content)
+      res.content = content
       finalize(res, profile_id, {}, logger)
     end
 
-    def self.from_ruby(ref, contents, profile_id, logger = nil)
+    def self.from_ruby(ref, content, profile_id, logger = nil)
       res = Metadata.new(ref, logger)
-      res.instance_eval(contents, ref, 1)
+      res.instance_eval(content, ref, 1)
+      res.content = content
       finalize(res, profile_id, {}, logger)
     end
 
-    def self.from_ref(ref, contents, profile_id, logger = nil)
+    def self.from_ref(ref, content, profile_id, logger = nil)
       # NOTE there doesn't have to exist an actual file, it may come from an
-      # archive (i.e., contents)
+      # archive (i.e., content)
       case File.basename(ref)
       when 'inspec.yml'
-        from_yaml(ref, contents, profile_id, logger)
+        from_yaml(ref, content, profile_id, logger)
       when 'metadata.rb'
-        from_ruby(ref, contents, profile_id, logger)
+        from_ruby(ref, content, profile_id, logger)
       else
         logger ||= Logger.new(nil)
         logger.error "Don't know how to handle metadata in #{ref}"

data/lib/inspec/profile.rb

@@ -4,6 +4,7 @@
 # author: Christoph Hartmann
 
 require 'forwardable'
+require 'digest'
 require 'inspec/polyfill'
 require 'inspec/cached_fetcher'
 require 'inspec/file_provider'
@@ -208,6 +209,7 @@ module Inspec
 
       # add information about the required attributes
       res[:attributes] = res[:attributes].map(&:to_hash) unless res[:attributes].nil? || res[:attributes].empty?
+      res[:sha256] = sha256
       res
     end
 
@@ -395,6 +397,26 @@ module Inspec
       Inspec::DependencySet.from_lockfile(lockfile, cwd, @cache, @backend, { attributes: @attr_values })
     end
 
+    # Calculate this profile's SHA256 checksum. Includes metadata, dependencies,
+    # libraries, data files, and controls.
+    #
+    # @return [Type] description of returned object
+    def sha256
+      # get all dependency checksums
+      deps = Hash[locked_dependencies.list.map { |k, v| [k, v.profile.sha256] }]
+
+      res = Digest::SHA256.new
+      files = source_reader.tests.to_a + source_reader.libraries.to_a +
+              source_reader.data_files.to_a +
+              [['inspec.yml', source_reader.metadata.content]] +
+              [['inspec.lock.deps', YAML.dump(deps)]]
+
+      files.sort { |a, b| a[0] <=> b[0] }
+           .map { |f| res << f[0] << "\0" << f[1] << "\0" }
+
+      res.hexdigest
+    end
+
     private
 
     # Create an archive name for this profile and an additional options

data/lib/inspec/resource.rb

@@ -114,6 +114,7 @@ require 'resources/mysql_session'
 require 'resources/npm'
 require 'resources/ntp_conf'
 require 'resources/oneget'
+require 'resources/oracledb_session'
 require 'resources/os'
 require 'resources/os_env'
 require 'resources/package'

data/lib/inspec/rspec_json_formatter.rb

@@ -114,6 +114,10 @@ class InspecRspecJson < InspecRspecMiniJson # rubocop:disable Metrics/ClassLengt
 
     @output_hash[:other_checks] = examples_without_controls
     @output_hash[:profiles] = profiles_info
+    @output_hash[:platform] = {
+      name: os(:name),
+      release: os(:release),
+    }
 
     examples_with_controls.each do |example|
       control = example2control(example)
@@ -123,6 +127,11 @@ class InspecRspecJson < InspecRspecMiniJson # rubocop:disable Metrics/ClassLengt
 
   private
 
+  def os(field)
+    return nil if @backend.nil?
+    @backend.os.params[field]
+  end
+
   def all_unique_controls
     Array(@all_controls).uniq
   end

data/lib/inspec/runner.rb

@@ -119,18 +119,23 @@ module Inspec
 
     # determine all attributes before the execution, fetch data from secrets backend
     def load_attributes(options)
-      attributes = {}
-      # read endpoints for secrets eg. yml file
+      options[:attributes] ||= {}
+
       secrets_targets = options[:attrs]
-      unless secrets_targets.nil?
-        secrets_targets.each do |target|
-          secrets = Inspec::SecretsBackend.resolve(target)
-          # merge hash values
-          attributes = attributes.merge(secrets.attributes) unless secrets.nil? || secrets.attributes.nil?
+      return options[:attributes] if secrets_targets.nil?
+
+      secrets_targets.each do |target|
+        secrets = Inspec::SecretsBackend.resolve(target)
+        if secrets.nil?
+          raise Inspec::Exceptions::SecretsBackendNotFound,
+                "Unable to find a parser for attributes file #{target}. " \
+                'Check to make sure the file exists and has the appropriate extension.'
         end
+
+        next if secrets.attributes.nil?
+        options[:attributes].merge!(secrets.attributes)
       end
-      options[:attributes] = options[:attributes] || {}
-      options[:attributes] = options[:attributes].merge(attributes)
+
       options[:attributes]
     end
 

data/lib/inspec/schema.rb

@@ -11,6 +11,15 @@ module Inspec
       },
     }.freeze
 
+    PLATFORM = {
+      'type' => 'object',
+      'additionalProperties' => false,
+      'properties' => {
+        'name' => { 'type' => 'string' },
+        'release' => { 'type' => 'string' },
+      },
+    }.freeze
+
     # Tags are open right, with simple key-value associations and not restrictions
     TAGS = { 'type' => 'object' }.freeze
 
@@ -85,6 +94,7 @@ module Inspec
       'properties' => {
         'name' => { 'type' => 'string' },
         'version' => { 'type' => 'string', 'optional' => true },
+        'sha256' => { 'type' => 'string', 'optional' => false },
 
         'title' => { 'type' => 'string', 'optional' => true },
         'maintainer' => { 'type' => 'string', 'optional' => true },
@@ -117,6 +127,7 @@ module Inspec
       'type' => 'object',
       'additionalProperties' => false,
       'properties' => {
+        'platform' => PLATFORM,
         'profiles' => {
           'type' => 'array',
           'items' => PROFILE,

data/lib/inspec/secrets/yaml.rb

@@ -18,6 +18,11 @@ module Secrets
     # array of yaml file paths
     def initialize(target)
       @attributes = ::YAML.load_file(target)
+
+      if @attributes == false || !@attributes.is_a?(Hash)
+        Inspec::Log.warn("#{self.class} unable to parse #{target}: invalid YAML or contents is not a Hash")
+        @attributes = nil
+      end
     rescue => e
       raise "Error reading Inspec attributes: #{e}"
     end

data/lib/inspec/version.rb

@@ -4,5 +4,5 @@
 # author: Christoph Hartmann
 
 module Inspec
-  VERSION = '1.23.0'.freeze
+  VERSION = '1.24.0'.freeze
 end

data/lib/resources/mssql_session.rb

@@ -7,27 +7,48 @@ module Inspec::Resources
     name 'mssql_session'
     desc 'Use the mssql_session InSpec audit resource to test SQL commands run against a MS Sql Server database.'
     example "
-      sql = mssql_session('myuser','mypassword')
+      # Using SQL authentication
+      sql = mssql_session(user: 'myuser', pass: 'mypassword')
       describe sql.query('select * from sys.databases where name like \'*test*\') do
-        its('stdout') {should_not match(/test/) }
+        its('stdout') { should_not match(/test/) }
+      end
+
+      # Passing no credentials to mssql_session forces it to use Windows authentication
+      sql_windows_auth = mssql_session
+      describe sql_window_auth.query('select * from sys.databases where name like \'*test*\') do
+        its('stdout') { should_not match(/test/) }
       end
     "
 
-    def initialize(user = nil, pass = nil)
-      @user = user
-      @pass = pass
-      skip_resource('user and pass are required for MSSQL tests') if @user.nil? or @pass.nil?
+    attr_reader :user, :pass, :host
+
+    def initialize(opts = {})
+      @user = opts[:user]
+      @pass = opts[:pass]
+      @host = opts[:host] || 'localhost'
+      @instance = opts[:instance]
     end
 
     def query(q)
       escaped_query = q.gsub(/\\/, '\\\\').gsub(/"/, '\\"').gsub(/\$/, '\\$').gsub(/\@/, '`@')
-      cmd = inspec.command("sqlcmd -U #{@user} -P #{@pass} -Q \"#{escaped_query}\"")
-
+      cmd_string = "sqlcmd -Q \"#{escaped_query}\""
+      cmd_string += " -U #{@user} -P #{@pass}" unless @user.nil? or @pass.nil?
+      if @instance.nil?
+        cmd_string += " -S #{@host}"
+      else
+        cmd_string += " -S #{@host}\\#{@instance}"
+      end
+      puts cmd_string
+      cmd = inspec.command(cmd_string)
+      out = cmd.stdout + "\n" + cmd.stderr
+      if out =~ /Sqlcmd: Error/
+        skip_resource("Can't connect to the MS SQL Server.")
+      end
       cmd
     end
 
     def to_s
-      'MSSQL'
+      'MSSQL session'
     end
   end
 end

data/lib/resources/mysql_session.rb

@@ -2,6 +2,7 @@
 # copyright: 2015, Vulcano Security GmbH
 # author: Dominik Richter
 # author: Christoph Hartmann
+# author: Aaron Lippold
 # license: All rights reserved
 
 module Inspec::Resources
@@ -9,15 +10,16 @@ module Inspec::Resources
     name 'mysql_session'
     desc 'Use the mysql_session InSpec audit resource to test SQL commands run against a MySQL database.'
     example "
-      sql = mysql_session('my_user','password')
+      sql = mysql_session('my_user','password','host')
       describe sql.query('show databases like \'test\';') do
         its('stdout') { should_not match(/test/) }
       end
     "
 
-    def initialize(user = nil, pass = nil)
+    def initialize(user = nil, pass = nil, host = 'localhost')
       @user = user
       @pass = pass
+      @host = host
       init_fallback if user.nil? or pass.nil?
       skip_resource("Can't run MySQL SQL checks without authentication") if @user.nil? or @pass.nil?
     end
@@ -28,7 +30,7 @@ module Inspec::Resources
       escaped_query = q.gsub(/\\/, '\\\\').gsub(/"/, '\\"').gsub(/\$/, '\\$')
 
       # run the query
-      cmd = inspec.command("mysql -u#{@user} -p#{@pass} #{db} -s -e \"#{escaped_query}\"")
+      cmd = inspec.command("mysql -u#{@user} -p#{@pass} -h #{@host} #{db} -s -e \"#{escaped_query}\"")
       out = cmd.stdout + "\n" + cmd.stderr
       if out =~ /Can't connect to .* MySQL server/ or
          out.downcase =~ /^error/

data/lib/resources/oracledb_session.rb

@@ -0,0 +1,42 @@
+# encoding: utf-8
+# author: Nolan Davidson
+# license: All rights reserved
+
+module Inspec::Resources
+  class OracledbSession < Inspec.resource(1)
+    name 'oracledb_session'
+    desc 'Use the oracledb_session InSpec resource to test commands against an Oracle database'
+    example "
+      sql = oracledb_session(user: 'my_user', pass: 'password')
+      describe sql.query('SELECT NAME FROM v$database;') do
+        its('stdout') { should_not match(/test/) }
+      end
+    "
+
+    attr_reader :user, :pass, :host, :sid, :sqlplus_bin
+
+    def initialize(opts = {})
+      @user = opts[:user]
+      @pass = opts[:pass]
+      @host = opts[:host] || 'localhost'
+      @sid = opts[:sid]
+      @sqlplus_bin = opts[:sqlplus_bin] || 'sqlplus'
+      return skip_resource("Can't run Oracle checks without authentication") if @user.nil? or @pass.nil?
+    end
+
+    def query(q)
+      escaped_query = q.gsub(/\\/, '\\\\').gsub(/"/, '\\"')
+      cmd = inspec.command("echo \"#{escaped_query}\" | #{@sqlplus_bin} -s #{@user}/#{@pass}@#{@host}/#{@sid}")
+      out = cmd.stdout + "\n" + cmd.stderr
+      if out.downcase =~ /^error/
+        skip_resource("Can't connect to Oracle instance for SQL checks.")
+      end
+
+      cmd
+    end
+
+    def to_s
+      'Oracle Session'
+    end
+  end
+end

data/lib/resources/postgres_session.rb

@@ -2,6 +2,7 @@
 # copyright: 2015, Vulcano Security GmbH
 # author: Dominik Richter
 # author: Christoph Hartmann
+# author: Aaron Lippold
 # license: All rights reserved
 
 module Inspec::Resources
@@ -26,16 +27,23 @@ module Inspec::Resources
     name 'postgres_session'
     desc 'Use the postgres_session InSpec audit resource to test SQL commands run against a PostgreSQL database.'
     example "
-      sql = postgres_session('username', 'password')
+      sql = postgres_session('username', 'password', 'host')
+      query('sql_query', ['database_name'])` contains the query and (optional) database to execute
+
+      # default values:
+      # username: 'postgres'
+      # host: 'localhost'
+      # db: databse == db_user running the sql query
 
       describe sql.query('SELECT * FROM pg_shadow WHERE passwd IS NULL;') do
         its('output') { should eq('') }
       end
     "
 
-    def initialize(user, pass)
+    def initialize(user, pass, host = nil)
       @user = user || 'postgres'
       @pass = pass
+      @host = host || 'localhost'
     end
 
     def query(query, db = [])
@@ -44,7 +52,7 @@ module Inspec::Resources
       # that does this securely
       escaped_query = query.gsub(/\\/, '\\\\').gsub(/"/, '\\"').gsub(/\$/, '\\$')
       # run the query
-      cmd = inspec.command("PGPASSWORD='#{@pass}' psql -U #{@user} #{dbs} -h localhost -c \"#{escaped_query}\"")
+      cmd = inspec.command("PGPASSWORD='#{@pass}' psql -U #{@user} #{dbs} -h #{@host} -A -t -c \"#{escaped_query}\"")
       out = cmd.stdout + "\n" + cmd.stderr
       if cmd.exit_status != 0 or
          out =~ /could not connect to .*/ or
@@ -52,12 +60,7 @@ module Inspec::Resources
         # skip this test if the server can't run the query
         skip_resource "Can't read run query #{query.inspect} on postgres_session: #{out}"
       else
-        # remove the whole header (i.e. up to the first ^-----+------+------$)
-        # remove the tail
-        lines = cmd.stdout
-                   .sub(/(.*\n)+([-]+[+])*[-]+\n/, '')
-                   .sub(/\n[^\n]*\n\n$/, '')
-        Lines.new(lines.strip, "PostgreSQL query: #{query}")
+        Lines.new(cmd.stdout.strip, "PostgreSQL query: #{query}")
       end
     end
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec
 version: !ruby/object:Gem::Version
-  version: 1.23.0
+  version: 1.24.0
 platform: ruby
 authors:
 - Dominik Richter
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-05-04 00:00:00.000000000 Z
+date: 2017-05-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: train
@@ -291,6 +291,7 @@ files:
 - docs/migration.md
 - docs/plugin_kitchen_inspec.html.md
 - docs/profiles.md
+- docs/resources.md
 - docs/resources/apache_conf.md.erb
 - docs/resources/apt.md.erb
 - docs/resources/audit_policy.md.erb
@@ -330,11 +331,13 @@ files:
 - docs/resources/limits_conf.md.erb
 - docs/resources/login_def.md.erb
 - docs/resources/mount.md.erb
+- docs/resources/mssql_session.md.erb
 - docs/resources/mysql_conf.md.erb
 - docs/resources/mysql_session.md.erb
 - docs/resources/npm.md.erb
 - docs/resources/ntp_conf.md.erb
 - docs/resources/oneget.md.erb
+- docs/resources/oracledb_session.md.erb
 - docs/resources/os.md.erb
 - docs/resources/os_env.md.erb
 - docs/resources/package.md.erb
@@ -380,6 +383,7 @@ files:
 - examples/README.md
 - examples/inheritance/README.md
 - examples/inheritance/controls/example.rb
+- examples/inheritance/inspec.lock
 - examples/inheritance/inspec.yml
 - examples/kitchen-ansible/.kitchen.yml
 - examples/kitchen-ansible/Gemfile
@@ -405,7 +409,11 @@ files:
 - examples/kitchen-puppet/test/integration/default/web_spec.rb
 - examples/meta-profile/README.md
 - examples/meta-profile/controls/example.rb
+- examples/meta-profile/inspec.lock
 - examples/meta-profile/inspec.yml
+- examples/meta-profile/vendor/4d5c9187409941b96f00fb25d0888c301ede999fd63149f35ad4594d698d6535.tar.gz
+- examples/meta-profile/vendor/79e6b9846ab539669bbfcf5adcd246f1be484d4b55acb7c1c3dbd852203e4fae.tar.gz
+- examples/meta-profile/vendor/dbb5602f09f58d86f8743dfb44327207e9a23a49ef34f65614f1c1d8cc145f6b.tar.gz
 - examples/profile-attribute.yml
 - examples/profile-attribute/README.md
 - examples/profile-attribute/controls/example.rb
@@ -474,6 +482,7 @@ files:
 - lib/inspec/dsl_shared.rb
 - lib/inspec/env_printer.rb
 - lib/inspec/errors.rb
+- lib/inspec/exceptions.rb
 - lib/inspec/expect.rb
 - lib/inspec/fetcher.rb
 - lib/inspec/file_provider.rb
@@ -559,6 +568,7 @@ files:
 - lib/resources/npm.rb
 - lib/resources/ntp_conf.rb
 - lib/resources/oneget.rb
+- lib/resources/oracledb_session.rb
 - lib/resources/os.rb
 - lib/resources/os_env.rb
 - lib/resources/package.rb