inspec 1.29.0 → 1.30.0

data/lib/resources/nginx_conf.rb

@@ -0,0 +1,95 @@
+# encoding: utf-8
+# author: Dominik Richter
+# author: Christoph Hartmann
+
+require 'utils/nginx_parser'
+
+# STABILITY: Experimental
+# This resouce needs a proper interace to the underlying data, which is currently missing.
+# Until it is added, we will keep it experimental.
+#
+# TODO: Support it on Windows. To do so, we need to recognize the base os and how
+# it combines the file path. Calling `File.join` or similar methods may lead to errors
+# when running remotely.
+module Inspec::Resources
+  class NginxConf < Inspec.resource(1)
+    name 'nginx_conf'
+    desc 'Use the nginx_conf InSpec resource to test configuration data '\
+         'for the NginX web server located in /etc/nginx/nginx.conf on '\
+         'Linux and UNIX platforms.'
+    example "
+      describe nginx_conf.params ...
+      describe nginx_conf('/path/to/my/nginx.conf').params ...
+    "
+
+    attr_reader :contents
+
+    def initialize(conf_path = nil)
+      @conf_path = conf_path || '/etc/nginx/nginx.conf'
+      @contents = {}
+      return skip_resource 'The `nginx_conf` resource is currently not supported on Windows.' if inspec.os.windows?
+    end
+
+    def params
+      @params ||= parse_nginx(@conf_path)
+    rescue StandardError => e
+      skip_resource e.message
+      @params = {}
+    end
+
+    def to_s
+      "nginx_conf #{@conf_path}"
+    end
+
+    private
+
+    def read_content(path)
+      return @contents[path] if @contents.key?(path)
+      file = inspec.file(path)
+      if !file.file?
+        return skip_resource "Can't find file \"#{path}\""
+      end
+      @contents[path] = file.content
+    end
+
+    def parse_nginx(path)
+      return nil if inspec.os.windows?
+      content = read_content(path)
+      data = NginxConfig.parse(content)
+      resolve_references(data, File.dirname(path))
+    rescue StandardError => _
+      raise "Cannot parse NginX config in #{path}."
+    end
+
+    # Cycle through the complete parsed data structure and try to find any
+    # calls to `include`. In NginX, this is used to embed data from other
+    # files into the current data structure.
+    #
+    # The method steps through the object structure that is passed in to
+    # find any calls to 'include' and returns the object structure with the
+    # included data merged in.
+    #
+    # @param data [Hash] data structure from NginxConfig.parse
+    # @param rel_path [String] the relative path from which this config is read
+    # @return [Hash] data structure with references included
+    def resolve_references(data, rel_path)
+      # Walk through all array entries to find more references
+      return data.map { |x| resolve_references(x, rel_path) } if data.is_a?(Array)
+
+      # Return any data that we cannot step into to find more `include` calls
+      return data unless data.is_a?(Hash)
+
+      # Any call to `include` gets its data read, parsed, and merged back
+      # into the current data structure
+      if data.key?('include')
+        data.delete('include').flatten
+            .map { |x| File.expand_path(x, rel_path) }
+            .map { |path| parse_nginx(path) }
+            .map { |e| data.merge!(e) }
+      end
+
+      # Walk through the remaining hash fields to find more references
+      Hash[data.map { |k, v| [k, resolve_references(v, rel_path)] }]
+    end
+  end
+end

data/lib/resources/ntp_conf.rb

@@ -2,7 +2,6 @@
 # copyright: 2015, Vulcano Security GmbH
 # author: Christoph Hartmann
 # author: Dominik Richter
-# license: All rights reserved
 
 require 'utils/simpleconfig'
 

data/lib/resources/oracledb_session.rb

@@ -1,42 +1,139 @@
 # encoding: utf-8
 # author: Nolan Davidson
-# license: All rights reserved
+# author: Christoph Hartmann
+# author: Dominik Richter
+
+require 'hashie/mash'
+require 'utils/database_helpers'
+require 'htmlentities'
+require 'rexml/document'
+require 'csv'
 
 module Inspec::Resources
+  # STABILITY: Experimental
+  # This resource needs further testing and refinement
+  #
   class OracledbSession < Inspec.resource(1)
     name 'oracledb_session'
     desc 'Use the oracledb_session InSpec resource to test commands against an Oracle database'
     example "
       sql = oracledb_session(user: 'my_user', pass: 'password')
-      describe sql.query('SELECT NAME FROM v$database;') do
-        its('stdout') { should_not match(/test/) }
+      describe sql.query(\"SELECT UPPER(VALUE) AS VALUE FROM V$PARAMETER WHERE UPPER(NAME)='AUDIT_SYS_OPERATIONS'\").row(0).column('value') do
+        its('value') { should eq 'TRUE' }
       end
     "
 
-    attr_reader :user, :pass, :host, :sid, :sqlplus_bin
-
+    attr_reader :user, :password, :host, :service
     def initialize(opts = {})
       @user = opts[:user]
-      @pass = opts[:pass]
+      @password = opts[:password] || opts[:pass]
+      if opts[:pass]
+        warn '[DEPRECATED] use `password` option to supply password instead of `pass`'
+      end
+
       @host = opts[:host] || 'localhost'
-      @sid = opts[:sid]
+      @port = opts[:port] || '1521'
+      @service = opts[:service]
+
+      # we prefer sqlci although it is way slower than sqlplus, but it understands csv properly
+      @sqlcl_bin = 'sql'
       @sqlplus_bin = opts[:sqlplus_bin] || 'sqlplus'
-      return skip_resource("Can't run Oracle checks without authentication") if @user.nil? or @pass.nil?
+
+      return skip_resource "Can't run Oracle checks without authentication" if @user.nil? || @password.nil?
+      return skip_resource 'You must provide a service name for the session' if @service.nil?
     end
 
     def query(q)
       escaped_query = q.gsub(/\\/, '\\\\').gsub(/"/, '\\"')
-      cmd = inspec.command("echo \"#{escaped_query}\" | #{@sqlplus_bin} -s #{@user}/#{@pass}@#{@host}/#{@sid}")
+      # escape tables with $
+      escaped_query = escaped_query.gsub('$', '\\$')
+
+      p = nil
+      # check if sqlplus is available and prefer that
+      if inspec.command(@sqlplus_bin).exist?
+        bin = @sqlplus_bin
+        opts = "SET MARKUP HTML ON\nSET FEEDBACK OFF"
+        p = :parse_html_result
+      elsif inspec.command(@sqlcl_bin).exist?
+        bin = @sqlcl_bin
+        opts = "set sqlformat csv\nSET FEEDBACK OFF"
+        p = :parse_csv_result
+      end
+
+      return skip_resource("Can't find suitable Oracle CLI") if p.nil?
+      command = "echo \"#{opts}\n#{verify_query(escaped_query)}\nEXIT\" | #{bin} -s #{@user}/#{@password}@//#{@host}:#{@port}/#{@service}"
+      cmd = inspec.command(command)
+
       out = cmd.stdout + "\n" + cmd.stderr
       if out.downcase =~ /^error/
-        skip_resource("Can't connect to Oracle instance for SQL checks.")
+        # TODO: we need to throw an exception here
+        # change once https://github.com/chef/inspec/issues/1205 is in
+        warn "Could not execute the sql query #{out}"
+        DatabaseHelper::SQLQueryResult.new(cmd, Hashie::Mash.new({}))
       end
-
-      cmd
+      DatabaseHelper::SQLQueryResult.new(cmd, send(p, cmd.stdout))
     end
 
     def to_s
       'Oracle Session'
     end
+
+    private
+
+    def verify_query(query)
+      # ensure we have a ; at the end
+      query + ';' if !query.strip.end_with?(';')
+      query
+    end
+
+    def parse_csv_result(stdout)
+      output = stdout.delete(/\r/)
+      table = CSV.parse(output, { headers: true })
+
+      # convert to hash
+      headers = table.headers
+
+      results = table.map { |row|
+        res = {}
+        headers.each { |header|
+          res[header.downcase] = row[header]
+        }
+        Hashie::Mash.new(res)
+      }
+      results
+    end
+
+    def parse_html_result(stdout) # rubocop:disable Metrics/AbcSize
+      result = stdout
+      # make oracle html valid html by removing the p tag, it does not include a closing tag
+      result = result.gsub('<p>', '').gsub('</p>', '').gsub('<br>', '')
+      doc = REXML::Document.new result
+      table = doc.elements['table']
+      hash = []
+      if !table.nil?
+        rows = table.elements.to_a
+        headers = rows[0].elements.to_a('th').map { |entry| entry.text.strip }
+        rows.delete_at(0)
+
+        # iterate over each row, first row is header
+        hash = []
+        if !rows.nil? && !rows.empty?
+          hash = rows.map { |row|
+            res = {}
+            entries = row.elements.to_a('td')
+            # ignore if we have empty entries, oracle is adding th rows in between
+            return nil if entries.empty?
+            headers.each_with_index { |header, index|
+              # we need htmlentities since we do not have nokogiri
+              coder = HTMLEntities.new
+              val = coder.decode(entries[index].text).strip
+              res[header.downcase] = val
+            }
+            Hashie::Mash.new(res)
+          }.compact
+        end
+      end
+      hash
+    end
   end
 end

data/lib/resources/os_env.rb

@@ -2,7 +2,6 @@
 # copyright: 2015, Vulcano Security GmbH
 # author: Christoph Hartmann
 # author: Dominik Richter
-# license: All rights reserved
 
 # Usage:
 #

data/lib/resources/package.rb

@@ -19,7 +19,7 @@ module Inspec::Resources
       end
     "
 
-    def initialize(package_name = nil) # rubocop:disable Metrics/AbcSize
+    def initialize(package_name = nil, opts = {}) # rubocop:disable Metrics/AbcSize
       @package_name = package_name
       @name = @package_name
       @cache = nil
@@ -30,7 +30,7 @@ module Inspec::Resources
       if os.debian?
         @pkgman = Deb.new(inspec)
       elsif os.redhat? || %w{suse amazon fedora}.include?(os[:family])
-        @pkgman = Rpm.new(inspec)
+        @pkgman = Rpm.new(inspec, opts)
       elsif ['arch'].include?(os[:family])
         @pkgman = Pacman.new(inspec)
       elsif ['darwin'].include?(os[:family])
@@ -46,6 +46,8 @@ module Inspec::Resources
       else
         return skip_resource 'The `package` resource is not supported on your OS yet.'
       end
+
+      evaluate_missing_requirements
     end
 
     # returns true if the package is installed
@@ -71,6 +73,14 @@ module Inspec::Resources
     def to_s
       "System Package #{@package_name}"
     end
+
+    private
+
+    def evaluate_missing_requirements
+      missing_requirements_string = @pkgman.missing_requirements.uniq.join(', ')
+      return if missing_requirements_string.empty?
+      skip_resource "The following requirements are not met for this resource: #{missing_requirements_string}"
+    end
   end
 
   class PkgManagement
@@ -78,6 +88,12 @@ module Inspec::Resources
     def initialize(inspec)
       @inspec = inspec
     end
+
+    def missing_requirements
+      # Each provider can provide an Array of missing requirements that will be
+      # combined into a `skip_resource` message
+      []
+    end
   end
 
   # Debian / Ubuntu
@@ -104,8 +120,25 @@ module Inspec::Resources
 
   # RHEL family
   class Rpm < PkgManagement
+    def initialize(inspec, opts)
+      super(inspec)
+
+      @dbpath = opts.fetch(:rpm_dbpath, nil)
+    end
+
+    def missing_requirements
+      missing_requirements = []
+
+      unless @dbpath.nil? || inspec.directory(@dbpath).directory?
+        missing_requirements << "RPMDB #{@dbpath} does not exist"
+      end
+
+      missing_requirements
+    end
+
     def info(package_name)
-      cmd = inspec.command("rpm -qia #{package_name}")
+      rpm_cmd = rpm_command(package_name)
+      cmd = inspec.command(rpm_cmd)
       # CentOS does not return an error code if the package is not installed,
       # therefore we need to check for emptyness
       return nil if cmd.exit_status.to_i != 0 || cmd.stdout.chomp.empty?
@@ -133,6 +166,17 @@ module Inspec::Resources
         type: 'rpm',
       }
     end
+
+    private
+
+    def rpm_command(package_name)
+      cmd = ''
+      cmd += 'rpm -qia'
+      cmd += " --dbpath #{@dbpath}" if @dbpath
+      cmd += ' ' + package_name
+
+      cmd
+    end
   end
 
   # MacOS / Darwin implementation

data/lib/resources/packages.rb

@@ -2,7 +2,6 @@
 # copyright: 2017, Chef Software, Inc. <legal@chef.io>
 # author: Joshua Timberman
 # author: Alex Pop
-# license: All rights reserved
 
 require 'utils/filter'
 

data/lib/resources/parse_config.rb

@@ -2,7 +2,6 @@
 # copyright: 2015, Vulcano Security GmbH
 # author: Dominik Richter
 # author: Christoph Hartmann
-# license: All rights reserved
 
 # Usage example:
 #

data/lib/resources/passwd.rb

@@ -2,7 +2,6 @@
 # copyright: 2015, Vulcano Security GmbH
 # author: Christoph Hartmann
 # author: Dominik Richter
-# license: All rights reserved
 
 # The file format consists of
 # - username

data/lib/resources/postgres.rb

@@ -3,7 +3,6 @@
 # author: Dominik Richter
 # author: Christoph Hartmann
 # author: Aaron Lippold
-# license: All rights reserved
 
 module Inspec::Resources
   class Postgres < Inspec.resource(1)
@@ -11,8 +10,7 @@ module Inspec::Resources
 
     attr_reader :service, :data_dir, :conf_dir, :conf_path, :version, :cluster
     def initialize
-      os = inspec.os
-      if os.debian?
+      if inspec.os.debian?
         #
         # https://wiki.debian.org/PostgreSql
         #
@@ -31,7 +29,7 @@ module Inspec::Resources
              a version number and unversioned data directories were found.'
             nil
           else
-            @version = version_from_dir('/var/lib/pgsql/')
+            @version = version_from_dir('/var/lib/pgsql')
           end
         end
         @data_dir = locate_data_dir_location_by_version(@version)
@@ -40,8 +38,14 @@ module Inspec::Resources
       @service = 'postgresql'
       @service += "-#{@version}" if @version.to_f >= 9.4
       @conf_dir ||= @data_dir
+
       verify_dirs
-      @conf_path = File.join @conf_dir, 'postgresql.conf'
+      if !@version.nil? && !@conf_dir.empty?
+        @conf_path = File.join @conf_dir, 'postgresql.conf'
+      else
+        @conf_path = nil
+        return skip_resource 'Seems like PostgreSQL is not installed on your system'
+      end
     end
 
     def to_s

data/lib/resources/postgres_conf.rb

@@ -2,7 +2,7 @@
 # copyright: 2015, Vulcano Security GmbH
 # author: Dominik Richter
 # author: Christoph Hartmann
-# license: All rights reserved
+# author: Aaron Lippold
 
 require 'utils/simpleconfig'
 require 'utils/find_files'
@@ -19,9 +19,13 @@ module Inspec::Resources
     "
 
     include FindFiles
+    include ObjectTraverser
 
     def initialize(conf_path = nil)
       @conf_path = conf_path || inspec.postgres.conf_path
+      if @conf_path.nil?
+        return skip_resource 'PostgreSQL conf path is not set'
+      end
       @conf_dir = File.expand_path(File.dirname(@conf_path))
       @files_contents = {}
       @content = nil
@@ -42,8 +46,13 @@ module Inspec::Resources
       res
     end
 
-    def method_missing(name)
-      param = params[name.to_s]
+    def value(key)
+      extract_value(key, @params)
+    end
+
+    def method_missing(*keys)
+      keys.shift if keys.is_a?(Array) && keys[0] == :[]
+      param = value(keys)
       return nil if param.nil?
       # extract first value if we have only one value in array
       return param[0] if param.length == 1