inspec 1.26.0 → 1.27.0

data/lib/inspec/dependencies/cache.rb

@@ -1,5 +1,4 @@
 # encoding: utf-8
-require 'digest'
 require 'fileutils'
 
 module Inspec

data/lib/inspec/dependencies/requirement.rb

@@ -1,7 +1,6 @@
 # encoding: utf-8
 require 'inspec/cached_fetcher'
 require 'inspec/dependencies/dependency_set'
-require 'digest'
 
 module Inspec
   #

data/lib/inspec/metadata.rb

@@ -7,6 +7,7 @@ require 'logger'
 require 'rubygems/version'
 require 'rubygems/requirement'
 require 'semverse'
+require 'utils/spdx'
 
 module Inspec
   # Extract metadata.rb information
@@ -102,7 +103,7 @@ module Inspec
     end
 
     # return all warn and errors
-    def valid
+    def valid # rubocop:disable Metrics/AbcSize
       errors = []
       warnings = []
 
@@ -116,11 +117,16 @@ module Inspec
         errors.push('Version needs to be in SemVer format')
       end
 
-      %w{ title summary maintainer copyright }.each do |field|
+      %w{ title summary maintainer copyright license }.each do |field|
         next unless params[field.to_sym].nil?
         warnings.push("Missing profile #{field} in #{ref}")
       end
 
+      # if version is set, ensure it is in SPDX format
+      if !params[:license].nil? && !Spdx.valid_license?(params[:license])
+        warnings.push("License '#{params[:license]}' needs to be in SPDX format. See https://spdx.org/licenses/.")
+      end
+
       [errors, warnings]
     end
 

data/lib/inspec/plugins/fetcher.rb

@@ -3,7 +3,6 @@
 # author: Christoph Hartmann
 require 'utils/plugin_registry'
 require 'inspec/file_provider'
-require 'digest'
 
 module Inspec
   module Plugins

data/lib/inspec/profile.rb

@@ -4,7 +4,7 @@
 # author: Christoph Hartmann
 
 require 'forwardable'
-require 'digest'
+require 'openssl'
 require 'inspec/polyfill'
 require 'inspec/cached_fetcher'
 require 'inspec/file_provider'
@@ -406,7 +406,7 @@ module Inspec
       # get all dependency checksums
       deps = Hash[locked_dependencies.list.map { |k, v| [k, v.profile.sha256] }]
 
-      res = Digest::SHA256.new
+      res = OpenSSL::Digest::SHA256.new
       files = source_reader.tests.to_a + source_reader.libraries.to_a +
               source_reader.data_files.to_a +
               [['inspec.yml', source_reader.metadata.content]] +
@@ -415,7 +415,7 @@ module Inspec
       files.sort { |a, b| a[0] <=> b[0] }
            .map { |f| res << f[0] << "\0" << f[1] << "\0" }
 
-      res.hexdigest
+      res.digest.unpack('H*')[0]
     end
 
     private

data/lib/inspec/version.rb

@@ -4,5 +4,5 @@
 # author: Christoph Hartmann
 
 module Inspec
-  VERSION = '1.26.0'.freeze
+  VERSION = '1.27.0'.freeze
 end

data/lib/matchers/matchers.rb

@@ -88,7 +88,6 @@ end
 
 RSpec::Matchers.define :contain_duplicates do
   match do |arr|
-    warn '[DEPRECATION] `contain_duplicates` is deprecated and will be removed in the next major version. See https://github.com/chef/inspec/issues/738 for more details'
     dup = arr.select { |element| arr.count(element) > 1 }
     !dup.uniq.empty?
   end

data/lib/resources/command.rb

@@ -50,7 +50,7 @@ module Inspec::Resources
       if inspec.os.linux?
         res = inspec.backend.run_command("bash -c 'type \"#{@command}\"'")
       elsif inspec.os.windows?
-        res = inspec.backend.run_command("where.exe \"#{@command}\"")
+        res = inspec.backend.run_command("Get-Command \"#{@command}\"")
       elsif inspec.os.unix?
         res = inspec.backend.run_command("type \"#{@command}\"")
       else

data/lib/resources/crontab.rb

@@ -46,15 +46,30 @@ module Inspec::Resources
       data, = parse_comment_line(l, comment_char: '#', standalone_comments: false)
       return nil if data.nil? || data.empty?
 
-      elements = data.split(/\s+/, 6)
-      {
-        'minute'  => elements.at(0),
-        'hour'    => elements.at(1),
-        'day'     => elements.at(2),
-        'month'   => elements.at(3),
-        'weekday' => elements.at(4),
-        'command' => elements.at(5),
-      }
+      case data
+      when /@hourly .*/
+        { 'minute' => '0', 'hour' => '*', 'day' => '*', 'month' => '*', 'weekday' => '*', 'command' => data.split(/\s+/, 2).at(1) }
+      when /@(midnight|daily) .*/
+        { 'minute' => '0', 'hour' => '0', 'day' => '*', 'month' => '*', 'weekday' => '*', 'command' => data.split(/\s+/, 2).at(1) }
+      when /@weekly .*/
+        { 'minute' => '0', 'hour' => '0', 'day' => '*', 'month' => '*', 'weekday' => '0', 'command' => data.split(/\s+/, 2).at(1) }
+      when /@monthly ./
+        { 'minute' => '0', 'hour' => '0', 'day' => '1', 'month' => '*', 'weekday' => '*', 'command' => data.split(/\s+/, 2).at(1) }
+      when /@(annually|yearly) .*/
+        { 'minute' => '0', 'hour' => '0', 'day' => '1', 'month' => '1', 'weekday' => '*', 'command' => data.split(/\s+/, 2).at(1) }
+      when /@reboot .*/
+        { 'minute' => '-1', 'hour' => '-1', 'day' => '-1', 'month' => '-1', 'weekday' => '-1', 'command' => data.split(/\s+/, 2).at(1) }
+      else
+        elements = data.split(/\s+/, 6)
+        {
+          'minute'  => elements.at(0),
+          'hour'    => elements.at(1),
+          'day'     => elements.at(2),
+          'month'   => elements.at(3),
+          'weekday' => elements.at(4),
+          'command' => elements.at(5),
+        }
+      end
     end
 
     def crontab_cmd

data/lib/resources/host.rb

@@ -148,7 +148,7 @@ module Inspec::Resources
     def ping(hostname, port = nil, _proto = nil)
       # ICMP: Test-NetConnection www.microsoft.com
       # TCP and port: Test-NetConnection -ComputerName www.microsoft.com -RemotePort 80
-      request = "Test-NetConnection -ComputerName #{hostname}"
+      request = "Test-NetConnection -ComputerName #{hostname} -WarningAction SilentlyContinue"
       request += " -RemotePort #{port}" unless port.nil?
       request += '| Select-Object -Property ComputerName, TcpTestSucceeded, PingSucceeded | ConvertTo-Json'
       cmd = inspec.command(request)

data/lib/resources/interface.rb

@@ -1,6 +1,7 @@
 # encoding: utf-8
 # author: Christoph Hartmann
 # author: Dominik Richter
+# author: Aaron Lippold
 
 require 'utils/convert'
 
@@ -64,7 +65,7 @@ module Inspec::Resources
   class LinuxInterface < InterfaceInfo
     def interface_info(iface)
       # will return "[mtu]\n1500\n[type]\n1"
-      cmd = inspec.command("find /sys/class/net/#{iface}/ -type f -maxdepth 1 -exec sh -c 'echo \"[$(basename {})]\"; cat {} || echo -n' \\;")
+      cmd = inspec.command("find /sys/class/net/#{iface}/ -maxdepth 1 -type f -exec sh -c 'echo \"[$(basename {})]\"; cat {} || echo -n' \\;")
       return nil if cmd.exit_status.to_i != 0
 
       # parse values, we only recieve values, therefore we threat them as keys

data/lib/resources/postgres.rb

@@ -2,13 +2,14 @@
 # copyright: 2015, Vulcano Security GmbH
 # author: Dominik Richter
 # author: Christoph Hartmann
+# author: Aaron Lippold
 # license: All rights reserved
 
 module Inspec::Resources
   class Postgres < Inspec.resource(1)
     name 'postgres'
 
-    attr_reader :service, :data_dir, :conf_dir, :conf_path
+    attr_reader :service, :data_dir, :conf_dir, :conf_path, :version, :cluster
     def initialize
       os = inspec.os
       if os.debian?
@@ -18,48 +19,26 @@ module Inspec::Resources
         # Debian allows multiple versions of postgresql to be
         # installed as well as multiple "clusters" to be configured.
         #
-        version = version_from_dir('/etc/postgresql')
-        cluster = cluster_from_dir("/etc/postgresql/#{version}")
-        @conf_dir = "/etc/postgresql/#{version}/#{cluster}"
-        @data_dir = "/var/lib/postgresql/#{version}/#{cluster}"
-      elsif os.redhat?
-        #
-        # /var/lib/pgsql/data is the default data directory on RHEL6
-        # and RHEL7. However, PR #824 explicitly added version-based
-        # directories. Thus, we call #version_from_dir unless it looks
-        # like we are using unversioned directories.
-        #
-        # TODO(ssd): This has the potential to be noisy because of the
-        # warning in version_from_dir. We should determine which case
-        # is more common and only warn in the less common case.
-        #
-        version = if inspec.directory('/var/lib/pgsql/data').exist?
-                    warn 'Found /var/lib/pgsql/data. Assuming postgresql install uses un-versioned directories.'
-                    nil
-                  else
-                    version_from_dir('/var/lib/pgsql/')
-                  end
-
-        @data_dir = File.join('/var/lib/pgsql/', version.to_s, 'data')
-      elsif os[:name] == 'arch'
-        #
-        # https://wiki.archlinux.org/index.php/PostgreSQL
-        #
-        # The archlinux wiki points to /var/lib/postgresql/data as the
-        # main data directory.
-        #
-        @data_dir = '/var/lib/postgres/data'
+        @version = version_from_psql || version_from_dir('/etc/postgresql')
+        @cluster = cluster_from_dir("/etc/postgresql/#{@version}")
+        @conf_dir = "/etc/postgresql/#{@version}/#{@cluster}"
+        @data_dir = "/var/lib/postgresql/#{@version}/#{@cluster}"
       else
-        #
-        # According to https://www.postgresql.org/docs/9.5/static/creating-cluster.html
-        #
-        # > There is no default, although locations such as
-        # > /usr/local/pgsql/data or /var/lib/pgsql/data are popular.
-        #
-        @data_dir = '/var/lib/pgsql/data'
+        @version = version_from_psql
+        if @version.nil?
+          if inspec.directory('/var/lib/pgsql/data').exist?
+            warn 'Unable to determine PostgreSQL version: psql did not return
+             a version number and unversioned data directories were found.'
+            nil
+          else
+            @version = version_from_dir('/var/lib/pgsql/')
+          end
+        end
+        @data_dir = locate_data_dir_location_by_version(@version)
       end
 
       @service = 'postgresql'
+      @service += "-#{@version}" if @version.to_f >= 9.4
       @conf_dir ||= @data_dir
       verify_dirs
       @conf_path = File.join @conf_dir, 'postgresql.conf'
@@ -81,6 +60,33 @@ module Inspec::Resources
       end
     end
 
+    def version_from_psql
+      return unless inspec.command('psql').exist?
+      inspec.command("psql --version | awk '{ print $NF }' | awk -F. '{ print $1\".\"$2 }'").stdout.strip
+    end
+
+    def locate_data_dir_location_by_version(ver = @version)
+      data_dir_loc = nil
+      dir_list = [
+        "/var/lib/pgsql/#{ver}/data",
+        '/var/lib/pgsql/data',
+        '/var/lib/postgres/data',
+        '/var/lib/postgresql/data',
+      ]
+
+      dir_list.each do |dir|
+        data_dir_loc if inspec.directory(dir).exists?
+        break
+      end
+
+      if data_dir_loc.nil?
+        warn 'Unable to find the PostgreSQL data_dir in expected location(s), please
+        execute "psql -t -A -p <port> -h <host> -c "show hba_file";" as the PostgreSQL
+        DBA to find the non-starndard data_dir location.'
+      end
+      data_dir_loc
+    end
+
     def version_from_dir(dir)
       dirs = inspec.command("ls -d #{dir}/*/").stdout
       entries = dirs.lines.count

data/lib/resources/processes.rb

@@ -25,15 +25,24 @@ module Inspec::Resources
       @grep = grep
       # turn into a regexp if it isn't one yet
       if grep.class == String
-        grep = '(/[^/]*)*' + grep if grep[0] != '/'
-        grep = Regexp.new('^' + grep + '(\s|$)')
+        # if windows ignore case as we can't make up our minds
+        if inspec.os.windows?
+          grep = '(?i)' + grep
+        else
+          grep = '(/[^/]*)*' + grep unless grep[0] == '/'
+          grep = '^' + grep + '(\s|$)'
+        end
+        grep = Regexp.new(grep)
       end
+
       all_cmds = ps_axo
       @list = all_cmds.find_all do |hm|
         hm[:command] =~ grep
       end
+    end
 
-      return skip_resource 'The `processes` resource is not supported on your OS yet.' if inspec.os.windows?
+    def exists?
+      !@list.empty?
     end
 
     def to_s
@@ -74,6 +83,10 @@ module Inspec::Resources
       if os.linux?
         command = 'ps axo label,pid,pcpu,pmem,vsz,rss,tty,stat,start,time,user:32,command'
         regex = /^([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+(\w{3} \d{2}|\d{2}:\d{2}:\d{2})\s+([^ ]+)\s+([^ ]+)\s+(.*)$/
+      elsif os.windows?
+        command = '$Proc = Get-Process -IncludeUserName | Where-Object {$_.Path -ne $null } | Select-Object PriorityClass,Id,CPU,PM,VirtualMemorySize,NPM,SessionId,Responding,StartTime,TotalProcessorTime,UserName,Path | ConvertTo-Csv -NoTypeInformation;$Proc.Replace("""","").Replace("`r`n","`n")'
+        # Wanted to use /(?:^|,)([^,]*)/; works on rubular.com not sure why here?
+        regex = /^(.+),(.+),(.+),(.+),(.+),(.+),(.+),(.+),(.+),(.+),(.+),(.+)$/
       else
         command = 'ps axo pid,pcpu,pmem,vsz,rss,tty,stat,start,time,user,command'
         regex = /^\s*([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+(.*)$/
@@ -95,7 +108,7 @@ module Inspec::Resources
       end.compact
       lines.map do |m|
         a = m.to_a[1..-1] # grab all matching groups
-        a.unshift(nil) unless os.linux?
+        a.unshift(nil) unless os.linux? || os.windows?
         a[1] = a[1].to_i
         a[4] = a[4].to_i
         a[5] = a[5].to_i

data/lib/utils/find_files.rb

@@ -26,8 +26,8 @@ module FindFiles
     type = TYPES[opts[:type].to_sym] if opts[:type]
 
     cmd = "find #{path}"
-    cmd += " -maxdepth #{depth.to_i}" if depth.to_i > 0
     cmd += " -type #{type}" unless type.nil?
+    cmd += " -maxdepth #{depth.to_i}" if depth.to_i > 0
 
     result = inspec.command(cmd)
     exit_status = result.exit_status

data/lib/utils/nginx_parser.rb

@@ -0,0 +1,74 @@
+# encoding: utf-8
+# author: Dominik Richter
+# author: Christoph Hartmann
+
+require 'parslet'
+
+class NginxParser < Parslet::Parser
+  root :outermost
+  # only designed for rabbitmq config files for now:
+  rule(:outermost) { filler? >> exp.repeat }
+
+  rule(:filler?) { one_filler.repeat }
+  rule(:one_filler) { match('\s+') | match["\n"] | comment }
+  rule(:space)   { match('\s+') }
+  rule(:comment) { str('#') >> (match["\n\r"].absent? >> any).repeat }
+
+  rule(:exp) {
+    section | assignment
+  }
+  rule(:assignment) {
+    (identifier >> values.maybe.as(:args)).as(:assignment) >> str(';') >> filler?
+  }
+
+  rule(:identifier) {
+    (match('[a-zA-Z]') >> match('[a-zA-Z0-9_]').repeat).as(:identifier) >> space >> space.repeat
+  }
+
+  rule(:value) {
+    ((match('[#;{]').absent? >> any) >> (
+      str('\\') >> any | match('[#;{]|\s').absent? >> any
+    ).repeat).as(:value) >> space.repeat
+  }
+  rule(:values) {
+    value.repeat >> space.maybe
+  }
+
+  rule(:section) {
+    identifier.as(:section) >> values.maybe.as(:args) >> str('{') >> filler? >> exp.repeat.as(:expressions) >> str('}') >> filler?
+  }
+end
+
+class NginxTransform < Parslet::Transform
+  Group = Struct.new(:id, :args, :body)
+  Exp = Struct.new(:key, :vals)
+
+  def self.assemble_binary(seq)
+    b = ErlangBitstream.new
+    seq.each { |i| b.add(i) }
+    b.value
+  end
+
+  rule(section: { identifier: simple(:x) }, args: subtree(:y), expressions: subtree(:z)) { Group.new(x.to_s, y, z) }
+  rule(assignment: { identifier: simple(:x), args: subtree(:y) }) { Exp.new(x.to_s, y) }
+  rule(value: simple(:x)) { x.to_s }
+end
+
+class NginxConfig
+  def self.parse(content)
+    lex = NginxParser.new.parse(content)
+    tree = NginxTransform.new.apply(lex)
+    gtree = NginxTransform::Group.new(nil, '', tree)
+    read_nginx_group(gtree)
+  end
+
+  def self.read_nginx_group(t)
+    agg_conf = Hash.new([])
+    agg_conf['_'] = t.args unless t.args == ''
+
+    groups, conf = t.body.partition { |i| i.is_a? NginxTransform::Group }
+    conf.each { |x| agg_conf[x.key] += [x.vals.join(' ')] }
+    groups.each { |x| agg_conf[x.id] += [read_nginx_group(x)] }
+    agg_conf
+  end
+end

data/lib/utils/spdx.rb

@@ -0,0 +1,13 @@
+# encoding: utf-8
+# author: Christoph Hartmann
+# author: Dominik Richter
+class Spdx
+  def self.licenses
+    spdx_file = File.join(File.dirname(__FILE__), 'spdx.txt').freeze
+    File.read(spdx_file).split("\n")
+  end
+
+  def self.valid_license?(license)
+    licenses.include?(license)
+  end
+end