inspec 1.35.1 → 1.36.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 75f7ef6bcd93aae1ea6bda13e5d50675fa234afa
-  data.tar.gz: a43bc69d1420af04b82860164873a42f5fc0ba4b
+  metadata.gz: 1e657ef01d81b9cfa453584a6b27a56219faab15
+  data.tar.gz: ec4faacc317379e4dbd095fc45c1a58f76eb7cd5
 SHA512:
-  metadata.gz: 0f7bffcdfa35005e4805026dd0028031713f1ecb30b7fae10d811c79bde5840599df4e35dc9631ffea18d637c768abed92dbe05392d1a7c77efaf1332629e445
-  data.tar.gz: b24fc841af39b05e38ee9537e76da3d1b68bcdd07349e59af1c6b140a5298cec578fef54e1167d7b48b348829d02a59054c785a4fb265fd7cce9767868d3f1b5
+  metadata.gz: 1e21aed7d8cce4934e220299434dfc0af90e9bbda871f6026c4db94e61e7d94509bf048cd2961d2127149b34d6ba928e435d9cedb07fd677a73132479a7b9a7e
+  data.tar.gz: cda173a2a0071274fc294dbff1cd69d0ffae1b7bd2b4baa16eac8758609ba31c7ccc5f534f6746da38b523ed51ead932af9444f120a30673a9167f6d41cb33b6

data/CHANGELOG.md

@@ -1,39 +1,49 @@
 # Change Log
 
-<!-- latest_release 1.34.10 -->
-## [v1.34.10](https://github.com/chef/inspec/tree/v1.34.10) (2017-08-31)
+<!-- latest_release 1.35.5 -->
+## [v1.35.5](https://github.com/chef/inspec/tree/v1.35.5) (2017-09-06)
 
-#### New Resources
-- etc_hosts resource: test the contents of the /etc/hosts file [#2065](https://github.com/chef/inspec/pull/2065) ([dromazmj](https://github.com/dromazmj))
+#### Enhancements
+- add nginx_conf accessors for http, servers, and locations [#2119](https://github.com/chef/inspec/pull/2119) ([arlimus](https://github.com/arlimus))
 <!-- latest_release -->
 
-<!-- release_rollup since=1.34.1 -->
-### Changes since 1.34.1 release
-
-#### Enhancements
-- port resource: support ss instead of netstat [#2110](https://github.com/chef/inspec/pull/2110) ([adamleff](https://github.com/adamleff)) <!-- 1.34.8 -->
-- pip resource: support non-default pip locations, such as virtualenvs [#2097](https://github.com/chef/inspec/pull/2097) ([tonybaloney](https://github.com/tonybaloney)) <!-- 1.34.7 -->
+<!-- release_rollup since=1.35.1 -->
+### Changes since 1.35.1 release
 
 #### Bug Fixes
-- Support mixed-case group entries [#2101](https://github.com/chef/inspec/pull/2101) ([adamleff](https://github.com/adamleff)) <!-- 1.34.6 -->
-- http resource: prevent repeat calls during a control with multiple tests [#2108](https://github.com/chef/inspec/pull/2108) ([mivok](https://github.com/mivok)) <!-- 1.34.5 -->
-- auditd_rules resource: fix get_keys error on lines that have no keys [#2103](https://github.com/chef/inspec/pull/2103) ([jburns12](https://github.com/jburns12)) <!-- 1.34.4 -->
+- Fix alternate path profile chaining [#2121](https://github.com/chef/inspec/pull/2121) ([trevor-vaughan](https://github.com/trevor-vaughan)) <!-- 1.35.4 -->
+- Modify linux regular expression to handle process names with spaces [#2117](https://github.com/chef/inspec/pull/2117) ([ChadScott](https://github.com/ChadScott)) <!-- 1.35.3 -->
 
-#### Merged Pull Requests
-- Add sensitive flag to resources to restrict logging output [#2017](https://github.com/chef/inspec/pull/2017) ([arothian](https://github.com/arothian)) <!-- 1.34.3 -->
+#### Enhancements
+- add nginx_conf accessors for http, servers, and locations [#2119](https://github.com/chef/inspec/pull/2119) ([arlimus](https://github.com/arlimus)) <!-- 1.35.5 -->
+- File Resource: add be_setgid, be_setuid, be_sticky matchers [#2104](https://github.com/chef/inspec/pull/2104) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 1.35.2 -->
+<!-- release_rollup -->
+
+<!-- latest_stable_release -->
+## [v1.35.1](https://github.com/chef/inspec/tree/v1.35.1) (2017-08-31)
 
 #### New Resources
-- etc_hosts resource: test the contents of the /etc/hosts file [#2065](https://github.com/chef/inspec/pull/2065) ([dromazmj](https://github.com/dromazmj)) <!-- 1.34.10 -->
-- Add support for XML files [#2107](https://github.com/chef/inspec/pull/2107) ([jonathanmorley](https://github.com/jonathanmorley)) <!-- 1.34.9 -->
-- aide_conf resource: test configuration of the AIDE file integrity tool [#2063](https://github.com/chef/inspec/pull/2063) ([jburns12](https://github.com/jburns12)) <!-- 1.34.2 -->
-<!-- release_rollup -->
+- aide_conf resource: test configuration of the AIDE file integrity tool [#2063](https://github.com/chef/inspec/pull/2063) ([jburns12](https://github.com/jburns12))
+- Add support for XML files [#2107](https://github.com/chef/inspec/pull/2107) ([jonathanmorley](https://github.com/jonathanmorley))
+- etc_hosts resource: test the contents of the /etc/hosts file [#2065](https://github.com/chef/inspec/pull/2065) ([dromazmj](https://github.com/dromazmj))
 
+#### Enhancements
+- pip resource: support non-default pip locations, such as virtualenvs [#2097](https://github.com/chef/inspec/pull/2097) ([tonybaloney](https://github.com/tonybaloney))
+- port resource: support ss instead of netstat [#2110](https://github.com/chef/inspec/pull/2110) ([adamleff](https://github.com/adamleff))
+
+#### Bug Fixes
+- auditd_rules resource: fix get_keys error on lines that have no keys [#2103](https://github.com/chef/inspec/pull/2103) ([jburns12](https://github.com/jburns12))
+- http resource: prevent repeat calls during a control with multiple tests [#2108](https://github.com/chef/inspec/pull/2108) ([mivok](https://github.com/mivok))
+- Support mixed-case group entries [#2101](https://github.com/chef/inspec/pull/2101) ([adamleff](https://github.com/adamleff))
+
+#### Merged Pull Requests
+- Add sensitive flag to resources to restrict logging output [#2017](https://github.com/chef/inspec/pull/2017) ([arothian](https://github.com/arothian))
 <!-- latest_stable_release -->
+
 ## [v1.34.1](https://github.com/chef/inspec/tree/v1.34.1) (2017-08-24)
 
 #### Enhancements
 - Refine the profile/test summary output of the CLI formatter [#2094](https://github.com/chef/inspec/pull/2094) ([adamleff](https://github.com/adamleff))
-<!-- latest_stable_release -->
 
 ## [v1.33.12](https://github.com/chef/inspec/tree/v1.33.12) (2017-08-18)
 

data/README.md

@@ -339,11 +339,10 @@ The InSpec community and maintainers are very active and helpful. This project b
 
 ## Testing InSpec
 
-We perform `unit`, `resource` and `integration` tests.
+We perform `unit` and `integration` tests.
 
-* `unit` tests ensure the intended behaviour of the implementation
-* `resource` tests run against docker containers
-* `integration` tests run against VMs via test-kitchen and [kitchen-inspec](https://github.com/chef/kitchen-inspec)
+- `unit` tests ensure the intended behaviour of the implementation
+- `integration` tests run against Docker-based VMs via test-kitchen and [kitchen-inspec](https://github.com/chef/kitchen-inspec)
 
 ### Unit tests
 
@@ -351,60 +350,51 @@ We perform `unit`, `resource` and `integration` tests.
 bundle exec rake test
 ```
 
-If you like to run only one test, use
+If you like to run only one test file:
 
 ```bash
-bundle exec ruby -W -Ilib:test test/unit/resources/user_test.rb
+bundle exec m test/unit/resources/user_test.rb
 ```
 
-### Resource tests
-
-Resource tests make sure the backend execution layer behaves as expected. These tests will take a while, as a lot of different operating systems and configurations are being tested.
-
-You will require:
-
-* docker
-
-Run `resource` tests with
+You may also run a single test within a file by line number:
 
 ```bash
-bundle exec rake test:resources config=test/test.yaml
-bundle exec rake test:resources config=test/test-extra.yaml
+bundle exec m test/unit/resources/user_test.rb -l 123
 ```
 
 ### Integration tests
 
 These tests download various virtual machines, to ensure InSpec is working as expected across different operating systems.
 
-You will require:
+These tests require the following gems:
+
+- test-kitchen
+- kitchen-dokken
+- kitchen-inspec
 
-* vagrant with virtualbox
-* test-kitchen
+These gems are provided via the `integration` group in the project's Gemfile.
 
-**Run `integration` tests with vagrant:**
+In addition, these test require Docker to be available on your machine or a remote Docker machine configured via the standard Docker environment variables.
+
+#### Running Integration tests
+
+List the various test instances available:
 
 ```bash
-KITCHEN_YAML=.kitchen.vagrant.yml bundle exec kitchen test
+bundle exec kitchen list`
 ```
 
-**Run `integration` tests with AWS EC2:**
+The platforms and test suites are configured in the `.kitchen.yml` file. Once you know which instance you wish to test, test that instance:
 
 ```bash
-export AWS_ACCESS_KEY_ID=enteryouryourkey
-export AWS_SECRET_ACCESS_KEY=enteryoursecreykey
-export AWS_KEYPAIR_NAME=enteryoursshkeyid
-export EC2_SSH_KEY_PATH=~/.ssh/id_aws.pem
-KITCHEN_YAML=.kitchen.ec2.yml bundle exec kitchen test
+bundle exec kitchen test <INSTANCE_NAME>
 ```
 
-In addition you may need to add your ssh key to `.kitchen.ec2.yml`
+You may test all instances in parallel with:
 
+```bash
+bundle exec kitchen test -c
 ```
-transport:
-  ssh_key: /Users/chartmann/aws/aws_chartmann.pem
-  username: ec2-user
-```
-
 
 ## License
 

data/docs/resources/file.md.erb

@@ -125,12 +125,30 @@ a user:
 
     it { should be_readable.by_user('user') }
 
+### be_setgid
+
+The `be_setgid` matcher tests if the 'setgid' permission is set on the file or directory.  On executable files, this causes the process to be started owned by the group that owns the file, rather than the primary group of the invocating user.  This can result in escalation of privilege.  On Linux, when setgid is set on directories, setgid causes newly created files and directories to be owned by the group that owns the setgid parent directory; additionally, newly created subdirectories will have the setgid bit set.  To use this matcher:
+
+    it { should be_setgid } 
+
 ### be_socket
 
 The `be_socket` matcher tests if the file exists as socket (`.sock`), such as `/var/run/php-fpm.sock`:
 
     it { should be_socket }
 
+### be_sticky
+
+The `be_sticky` matcher tests if the 'sticky bit' permission is set on the directory.  On directories, this restricts file deletion to the owner of the file, even if the permission of the parent directory would normally permit deletion by others.  This is commonly used on /tmp filesystems.  To use this matcher:
+
+    it { should be_sticky } 
+
+### be_setuid
+
+The `be_setuid` matcher tests if the 'setuid' permission is set on the file.  On executable files, this causes the process to be started owned by the user that owns the file, rather than invocating user.  This can result in escalation of privilege.  To use this matcher:
+
+    it { should be_setuid } 
+
 ### be_symlink
 
 The `be_symlink` matcher tests if the file exists as a symbolic, or soft link that contains an absolute or relative path reference to another file:
@@ -213,16 +231,11 @@ The `have_mode` matcher tests if a file has a mode assigned to it:
 
 ### link_path
 
-The `link_path` matcher tests if the file exists at the specified path:
+The `link_path` matcher tests if the file exists at the specified path. If the file is a symlink,
+InSpec will resolve the symlink and return the ultimate linked file:
 
     its('link_path') { should eq '/some/path/to/file' }
 
-### link_target
-
-The `link_target` matcher tests if a file that is linked to this file exists at the specified path:
-
-    its('link_target') { should eq '/some/path/to/file' }
-
 ### match
 
 <%= partial "/shared/matcher_match" %>

data/docs/resources/nginx_conf.md.erb

@@ -0,0 +1,122 @@
+---
+title: About the nginx_conf Resource
+---
+
+# nginx_conf
+
+Use the `nginx_conf` InSpec resource to test configuration data for the NGINX server located at `/etc/nginx/nginx.conf` on Linux and Unix platforms.
+
+**Stability: Experimental**
+
+## Syntax
+
+An `nginx_conf` resource block declares the client NGINX configuration data to be tested:
+
+    describe nginx_conf.params['pid'] do
+      it { should cmp 'logs/nginx.pid' }
+    end
+
+where
+
+* `nginx_conf` is the resource to reference your NGINX configuration
+* `params` accesses all its parameters
+* `params['pid']` selects the `pid` entry from the global NGINX configuration
+* `{ should cmp 'logs/nginx.pid' }` tests if the PID is set to `logs/nginx.pid` (via `cmp` matcher)
+
+
+## Matchers
+
+This InSpec audit resource has the following matchers:
+
+### http
+
+Retrieves all `http` entries in the configuration file.
+
+    nginx_conf.http
+    => nginx_conf /etc/nginx/nginx.conf, http entries
+
+It provides further access to all individual entries, servers, and locations.
+
+    nginx_conf.http.entries
+    => [nginx_conf /etc/nginx/nginx.conf, http entry ...]
+
+    nginx_conf.http.servers
+    => [nginx_conf /etc/nginx/nginx.conf, server entry ...]
+
+    nginx_conf.http.locations
+    => [nginx_conf /etc/nginx/nginx.conf, location entry ...]
+
+You can access each of these from the array and inspect it further (see below).
+
+### servers
+
+Retrieve all `servers` entries in the configuration:
+
+    # all servers across all configs aggregated:
+    nginx_conf.servers
+    => [nginx_conf /etc/nginx/nginx.conf, server entry ...]
+
+    # servers that belong to a specific http entry:
+    nginx_conf.http.entries[0].servers
+    => [nginx_conf /etc/nginx/nginx.conf, server entry ...]
+
+Servers provide access to all their locations, parent http entry, and raw parameters:
+
+    server = nginx_conf.servers[0]
+
+    server.locations
+    => [nginx_conf /etc/nginx/nginx.conf, location entry ...]
+
+    server.parent
+    => nginx_conf /etc/nginx/nginx.conf, http entry
+
+    server.params
+    => {"listen"=>[["85"]],
+       "server_name"=>[["domain1.com", "www.domain1.com"]],
+       "root"=>[["html"]],
+       "location"=>[{"_"=>["~", "\\.php$"], "fastcgi_pass"=>[["127.0.0.1:1025"]]}]}
+
+### locations
+
+Retrieve all `location` entries in the configuration:
+
+    # all locations across all configs aggregated:
+    nginx_conf.locations
+    => [nginx_conf /etc/nginx/nginx.conf, location entry ...]
+
+    # locations of a http entry aggregated:
+    nginx_conf.http.entries[0].locations
+    => [nginx_conf /etc/nginx/nginx.conf, location entry ...]
+
+    # locations of a specific server:
+    nginx_conf.servers[0].locations
+    => [nginx_conf /etc/nginx/nginx.conf, location entry ...]
+
+Locations provide access to their parent server entry and raw parameters:
+
+    location = nginx_conf.locations[0]
+
+    location.parent
+    => nginx_conf /etc/nginx/nginx.conf, server entry
+
+    location.params
+    => {"_"=>["~", "\\.php$"], "fastcgi_pass"=>[["127.0.0.1:1025"]]}
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+### Find a specific server
+
+    servers = nginx_conf.servers
+    domain2 = servers.find { |s| s.params['server_name'].flatten.include? 'domain2.com' }
+    describe 'No server serves domain2' do
+      subject { domain2 }
+      it { should be_nil }
+    end
+
+### Test a raw parameter
+
+    describe nginx_conf.params['worker_processes'].flatten do
+      it { should cmp 5 }
+    end

data/docs/resources/package.md.erb

@@ -67,7 +67,7 @@ The `version` matcher tests if the named package version is on the system:
 
 The following examples show how to use this InSpec audit resource.
 
-### Test if nginx version 1.9.5 is installed
+### Test if NGINX version 1.9.5 is installed
 
     describe package('nginx') do
       it { should be_installed }

data/lib/inspec/dependencies/requirement.rb

@@ -10,7 +10,18 @@ module Inspec
   class Requirement
     def self.from_metadata(dep, cache, opts)
       raise 'Cannot load empty dependency.' if dep.nil? || dep.empty?
-      new(dep[:name], dep[:version], cache, opts[:cwd], opts.merge(dep))
+
+      req_path = opts[:cwd]
+
+      if dep[:path]
+        req_path = File.expand_path(dep[:path], req_path)
+      end
+
+      new(dep[:name],
+          dep[:version],
+          cache,
+          req_path,
+          opts.merge(dep))
     end
 
     def self.from_lock_entry(entry, cwd, cache, backend, opts = {})

data/lib/inspec/version.rb

@@ -4,5 +4,5 @@
 # author: Christoph Hartmann
 
 module Inspec
-  VERSION = '1.35.1'.freeze
+  VERSION = '1.36.1'.freeze
 end

data/lib/resources/file.rb

@@ -112,14 +112,20 @@ module Inspec::Resources
       (mode & 04000) > 0
     end
 
+    alias setuid? suid
+
     def sgid
       (mode & 02000) > 0
     end
 
+    alias setgid? sgid
+
     def sticky
       (mode & 01000) > 0
     end
 
+    alias sticky? sticky
+
     def to_s
       "File #{source_path}"
     end

data/lib/resources/nginx_conf.rb

@@ -3,6 +3,7 @@
 # author: Christoph Hartmann
 
 require 'utils/nginx_parser'
+require 'forwardable'
 
 # STABILITY: Experimental
 # This resouce needs a proper interace to the underlying data, which is currently missing.
@@ -22,6 +23,8 @@ module Inspec::Resources
       describe nginx_conf('/path/to/my/nginx.conf').params ...
     "
 
+    extend Forwardable
+
     attr_reader :contents
 
     def initialize(conf_path = nil)
@@ -37,6 +40,12 @@ module Inspec::Resources
       @params = {}
     end
 
+    def http
+      NginxConfHttp.new(params['http'], self)
+    end
+
+    def_delegators :http, :servers, :locations
+
     def to_s
       "nginx_conf #{@conf_path}"
     end
@@ -92,4 +101,101 @@ module Inspec::Resources
       Hash[data.map { |k, v| [k, resolve_references(v, rel_path)] }]
     end
   end
+
+  class NginxConfHttp
+    attr_reader :entries
+    def initialize(params, parent)
+      @parent = parent
+      @entries = (params || []).map { |x| NginxConfHttpEntry.new(x, parent) }
+    end
+
+    def servers
+      @entries.map(&:servers).flatten
+    end
+
+    def locations
+      servers.map(&:locations).flatten
+    end
+
+    def to_s
+      @parent.to_s + ', http entries'
+    end
+    alias inspect to_s
+  end
+
+  class NginxConfHttpEntry
+    attr_reader :params, :parent
+    def initialize(params, parent)
+      @params = params || {}
+      @parent = parent
+    end
+
+    filter = FilterTable.create
+    filter.add_accessor(:where)
+          .add(:servers, field: 'server')
+          .connect(self, :server_table)
+
+    def locations
+      servers.map(&:locations).flatten
+    end
+
+    def to_s
+      @parent.to_s + ', http entry'
+    end
+    alias inspect to_s
+
+    private
+
+    def server_table
+      @server_table ||= (params['server'] || []).map { |x| { 'server' => NginxConfServer.new(x, self) } }
+    end
+  end
+
+  class NginxConfServer
+    attr_reader :params, :parent
+    def initialize(params, parent)
+      @parent = parent
+      @params = params || {}
+    end
+
+    filter = FilterTable.create
+    filter.add_accessor(:where)
+          .add(:locations, field: 'location')
+          .connect(self, :location_table)
+
+    def to_s
+      server = ''
+      name = Array(params['server_name']).flatten.first
+      unless name.nil?
+        server += name
+        listen = Array(params['listen']).flatten.first
+        server += ":#{listen}" unless listen.nil?
+      end
+
+      # go two levels up: 1. to the http entry and 2. to the root nginx conf
+      @parent.parent.to_s + ", server #{server}"
+    end
+    alias inspect to_s
+
+    private
+
+    def location_table
+      @location_table ||= (params['location'] || []).map { |x| { 'location' => NginxConfLocation.new(x, self) } }
+    end
+  end
+
+  class NginxConfLocation
+    attr_reader :params, :parent
+    def initialize(params, parent)
+      @parent = parent
+      @params = params || {}
+    end
+
+    def to_s
+      location = Array(params['_']).join(' ')
+      # go three levels up: 1. to the server entry, 2. http entry and 3. to the root nginx conf
+      @parent.parent.parent.to_s + ", location #{location.inspect}"
+    end
+    alias inspect to_s
+  end
 end

data/lib/resources/processes.rb

@@ -81,7 +81,7 @@ module Inspec::Resources
 
       if os.linux?
         command = 'ps axo label,pid,pcpu,pmem,vsz,rss,tty,stat,start,time,user:32,command'
-        regex = /^([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+(\w{3} \d{2}|\d{2}:\d{2}:\d{2})\s+([^ ]+)\s+([^ ]+)\s+(.*)$/
+        regex = /^(.+?)\s+(\d+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+(\w{3} \d{2}|\d{2}:\d{2}:\d{2})\s+([^ ]+)\s+([^ ]+)\s+(.*)$/
       elsif os.windows?
         command = '$Proc = Get-Process -IncludeUserName | Where-Object {$_.Path -ne $null } | Select-Object PriorityClass,Id,CPU,PM,VirtualMemorySize,NPM,SessionId,Responding,StartTime,TotalProcessorTime,UserName,Path | ConvertTo-Csv -NoTypeInformation;$Proc.Replace("""","").Replace("`r`n","`n")'
         # Wanted to use /(?:^|,)([^,]*)/; works on rubular.com not sure why here?

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec
 version: !ruby/object:Gem::Version
-  version: 1.35.1
+  version: 1.36.1
 platform: ruby
 authors:
 - Dominik Richter
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-08-31 00:00:00.000000000 Z
+date: 2017-09-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: train
@@ -355,6 +355,7 @@ files:
 - docs/resources/mssql_session.md.erb
 - docs/resources/mysql_conf.md.erb
 - docs/resources/mysql_session.md.erb
+- docs/resources/nginx_conf.md.erb
 - docs/resources/npm.md.erb
 - docs/resources/ntp_conf.md.erb
 - docs/resources/oneget.md.erb