inspec 1.4.1 → 1.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: bca4fcc30155e9c8a8e2ff7a8ce6fc2b597a8d79
-  data.tar.gz: e8c2c7f7b0c6769c471c02886926fa8413f3cadf
+  metadata.gz: b497b451c9ceeebee2eaddce3fe68b30beacb61b
+  data.tar.gz: 788aab0d94d912e9ec52e05eaf781ce7ccf575eb
 SHA512:
-  metadata.gz: 1e7937ad40da9cc29944dd82d3140275dc607e3970731b69945a7d523434778c304952b17742a75aec3482fceb6c7e6df0ec2f0f2b6928b90c878d4b6a3cfc68
-  data.tar.gz: 9b44c4bb35f154720e89e3844fb72fcea39f7f0491543a007faeb921f5dcaa5786d709bf33195f53111760832da040c580415969a86f443163a2442ebab3600c
+  metadata.gz: 70bf74fd78213f63be4607ba96fb7abd1282903c606e28ca469c080719c1a0886ae77a4a0b074361a7d5ec7f73a9dbb5852c9e25eb230117319a7c110e340077
+  data.tar.gz: 89eb02e30a5a1ebd6b1af5f6fa60ae2bca85411caee9c59f9fef97d9363bb2ef7f7da3a2cf67238b243b394b8819f1b90152ad53143ee2b8a3f08e15613834fb

data/CHANGELOG.md

@@ -1,7 +1,30 @@
 # Change Log
 
-## [1.4.1](https://github.com/chef/inspec/tree/1.4.1) (2016-11-04)
-[Full Changelog](https://github.com/chef/inspec/compare/v1.4.0...1.4.1)
+## [1.5.0](https://github.com/chef/inspec/tree/1.5.0) (2016-11-20)
+[Full Changelog](https://github.com/chef/inspec/compare/v1.4.1...1.5.0)
+
+**Implemented enhancements:**
+
+- inspec supermarket profiles - update for new supermarket api [\#1255](https://github.com/chef/inspec/issues/1255)
+
+**Fixed bugs:**
+
+- File resource permissions for windows [\#783](https://github.com/chef/inspec/issues/783)
+- docs: quoted version for package resource example [\#1296](https://github.com/chef/inspec/pull/1296) ([alexpop](https://github.com/alexpop))
+
+**Merged pull requests:**
+
+- ensure metadata release entry is a string [\#1305](https://github.com/chef/inspec/pull/1305) ([chris-rock](https://github.com/chris-rock))
+- Fixes resources in the docs [\#1303](https://github.com/chef/inspec/pull/1303) ([burtlo](https://github.com/burtlo))
+- copy vendored dependencies into cache [\#1291](https://github.com/chef/inspec/pull/1291) ([chris-rock](https://github.com/chris-rock))
+- fix double-log-level [\#1290](https://github.com/chef/inspec/pull/1290) ([chris-rock](https://github.com/chris-rock))
+- update supermarket profile search to use new type param [\#1289](https://github.com/chef/inspec/pull/1289) ([robbkidd](https://github.com/robbkidd))
+- Change `Inpsec` to `Inspec` [\#1286](https://github.com/chef/inspec/pull/1286) ([jerryaldrichiii](https://github.com/jerryaldrichiii))
+- improve vendor command [\#1285](https://github.com/chef/inspec/pull/1285) ([chris-rock](https://github.com/chris-rock))
+- improved regex for matching deb sources [\#1280](https://github.com/chef/inspec/pull/1280) ([grimm26](https://github.com/grimm26))
+
+## [v1.4.1](https://github.com/chef/inspec/tree/v1.4.1) (2016-11-04)
+[Full Changelog](https://github.com/chef/inspec/compare/v1.4.0...v1.4.1)
 
 **Fixed bugs:**
 

data/docs/resources/npm.md.erb

@@ -11,7 +11,7 @@ Use the `npm` InSpec audit resource to test if a global NPM package is installed
 
 A `npm` resource block declares a package and (optionally) a package version:
 
-    describe gem('npm_package_name') do
+    describe npm('npm_package_name') do
       it { should be_installed }
     end
 

data/docs/resources/package.md.erb

@@ -64,7 +64,7 @@ The following examples show how to use this InSpec audit resource.
 
     describe package('nginx') do
       it { should be_installed }
-      its('version') { should eq 1.9.5 }
+      its('version') { should eq '1.9.5' }
     end
 
 ### Test that a package is not installed

data/docs/resources/pip.md.erb

@@ -10,14 +10,14 @@ Use the `pip` InSpec audit resource to test packages that are installed using th
 
 A `pip` resource block declares a package and (optionally) a package version:
 
-    describe pip('Jinja2') do
+    describe pip('package_name') do
       it { should be_installed }
     end
 
 where
 
-* `'Jinja2'` is the name of the package
-* `be_installed` tests to see if the `Jinja2` package is installed
+* `'package_name'` is the name of the package, such as `'Jinja2'`
+* `be_installed` tests to see if the package described above is installed
 
 
 ## Matchers

data/docs/resources/powershell.md.erb

@@ -14,7 +14,7 @@ A `powershell` resource block declares a Powershell script to be tested, and the
       # a PowerShell script
     EOH
 
-    describe script(script) do
+    describe powershell(script) do
       its('matcher') { should eq 'output' }
     end
 

data/docs/resources/vbscript.md.erb

@@ -10,7 +10,7 @@ Use the `vbscript` InSpec audit resource to test a VBScript on the Windows platf
 
 A `vbscript` resource block tests the output of a VBScript on the Windows platform:
 
-    describe vbscript('script_name') do
+    describe vbscript('script contents') do
       its('stdout') { should eq 'output' }
     end
 
@@ -52,18 +52,18 @@ The following examples show how to use this InSpec audit resource.
 
 A VBScript file similar to:
 
-    vbscript = <<-EOH
+    script = <<-EOH
       WScript.Echo "hello"
     EOH
 
 may be tested for multiple lines:
 
-    describe vbscript(vbscript) do
+    describe vbscript(script) do
       its('stdout') { should eq "hello\r\n" }
     end
 
 and tested for whitespace removal from standard output:
 
-    describe vbscript(vbscript) do
+    describe vbscript(script) do
       its('strip') { should eq "hello" }
     end

data/examples/meta-profile/README.md

@@ -4,3 +4,34 @@ The inspec.yml file in this profile shows how one can use dependencies
 from non-local sources such as Git or an HTTP url. This feature can
 be used to build up a environment-wide profile that is based on more
 specific profiles managed by others.
+
+InSpec supports multiple profile locations:
+
+```
+depends:
+  # defaults to supermarket
+  - name: hardening/ssh-hardening  
+  # remote tar or zip file
+  - name: os-hardening
+    url: https://github.com/dev-sec/tests-os-hardening/archive/master.zip
+  # git
+  - git: https://github.com/dev-sec/ssl-benchmark.git
+  - name: windows-patch-benchmark
+    git: https://github.com/chris-rock/windows-patch-benchmark.git
+  # Chef Compliance
+  - name: linux
+    compliance: base/linux
+```
+
+You could use those dependencies in your `exmaple.rb`:
+
+```
+
+include_controls 'hardening/ssh-hardening'
+include_controls 'os-hardening'
+include_controls 'ssl-benchmark'
+include_controls 'linux'
+include_controls 'windows-patch-benchmark'
+```
+
+Further details are described in our [InSpec Docs](http://inspec.io/docs/reference/profiles/)

data/examples/meta-profile/controls/example.rb

@@ -1,8 +1,14 @@
 # encoding: utf-8
 # copyright: 2015, The Authors
 # license: All rights reserved
-include_controls 'ssh-hardening'
-include_controls 'os-hardening'
-include_controls 'ssl-benchmark'
-include_controls 'linux'
+
+# import full profile
+include_controls 'hardening/ssh-hardening'
+
+# select only individual controls
+include_controls 'ssl-benchmark' do
+  control "tls1.2"
+end
+
+# inspec knows that it cannot run Windows tests on Linux
 include_controls 'windows-patch-benchmark'

data/examples/meta-profile/inspec.yml

@@ -8,10 +8,6 @@ summary: InSpec Profile that is only consuming dependencies
 version: 0.2.0
 depends:
   - name: hardening/ssh-hardening  # defaults to supermarket
-  - name: os-hardening
-    url: https://github.com/dev-sec/tests-os-hardening/archive/master.zip
   - git: https://github.com/dev-sec/ssl-benchmark.git
   - name: windows-patch-benchmark
     git: https://github.com/chris-rock/windows-patch-benchmark.git
-  - name: linux
-    compliance: base/linux

data/lib/bundles/inspec-compliance/target.rb

@@ -40,7 +40,7 @@ EOF
       # verifies that the target e.g base/ssh exists
       profile = uri.host + uri.path
       if !Compliance::API.exist?(config, profile)
-        fail Inpsec::FetcherFailure, "The compliance profile #{profile} was not found on the configured compliance server"
+        fail Inspec::FetcherFailure, "The compliance profile #{profile} was not found on the configured compliance server"
       end
       new(target_url(profile, config), config)
     rescue URI::Error => _e

data/lib/bundles/inspec-supermarket/api.rb

@@ -11,11 +11,11 @@ module Supermarket
 
     # displays a list of profiles
     def self.profiles(supermarket_url = SUPERMARKET_URL)
-      url = "#{supermarket_url}/api/v1/tools"
-      _success, data = get(url, { start: 0, items: 100, order: 'recently_added' })
+      url = "#{supermarket_url}/api/v1/tools-search"
+      _success, data = get(url, { type: 'compliance_profile', items: 100, order: 'recently_added' })
       if !data.nil?
         profiles = JSON.parse(data)
-        profiles['items'].select { |p| p['tool_type'] == 'compliance_profile' }.map { |x|
+        profiles['items'].map { |x|
           m = %r{^#{supermarket_url}/api/v1/tools/(?<slug>[\w-]+)(/)?$}.match(x['tool'])
           x['slug'] = m[:slug]
           x

data/lib/inspec/base_cli.rb

@@ -44,8 +44,6 @@ module Inspec
         desc: 'Allow remote scans with self-signed certificates (WinRM).'
       option :json_config, type: :string,
         desc: 'Read configuration from JSON file (`-` reads from stdin).'
-      option :log_level, aliases: :l, type: :string,
-        desc: 'Set the log level: info (default), debug, warn, error'
     end
 
     def self.profile_options

data/lib/inspec/cli.rb

@@ -105,16 +105,36 @@ class Inspec::InspecCLI < Inspec::BaseCLI # rubocop:disable Metrics/ClassLength
     pretty_handle_exception(e)
   end
 
-  desc 'vendor', 'Download all dependencies and generate a lockfile'
-  def vendor(path = nil)
+  desc 'vendor PATH', 'Download all dependencies and generate a lockfile in a `vendor` directory'
+  option :overwrite, type: :boolean, default: false,
+    desc: 'Overwrite existing vendored dependencies and lockfile.'
+  def vendor(path = nil) # rubocop:disable Metrics/AbcSize
     o = opts.dup
-    o[:cache] = Inspec::Cache.new(path)
+
+    path.nil? ? path = Pathname.new(Dir.pwd) : path = Pathname.new(path)
+    cache_path = path.join('vendor')
+    inspec_lock = path.join('inspec.lock')
+
+    if (cache_path.exist? || inspec_lock.exist?) && !opts[:overwrite]
+      puts 'Profile is already vendored. Use --overwrite.'
+      return false
+    end
+
+    # remove existing
+    FileUtils.rm_rf(cache_path) if cache_path.exist?
+    File.delete(inspec_lock) if inspec_lock.exist?
+
+    puts "Vendor dependencies of #{path} into #{cache_path}"
+    o[:logger] = Logger.new(STDOUT)
+    o[:logger].level = get_log_level(o.log_level)
+    o[:cache] = Inspec::Cache.new(cache_path.to_s)
     o[:backend] = Inspec::Backend.create(target: 'mock://')
     configure_logger(o)
 
-    profile = Inspec::Profile.for_target('./', o)
+    # vendor dependencies and generate lockfile
+    profile = Inspec::Profile.for_target(path.to_s, o)
     lockfile = profile.generate_lockfile
-    File.write('inspec.lock', lockfile.to_yaml)
+    File.write(inspec_lock, lockfile.to_yaml)
   rescue StandardError => e
     pretty_handle_exception(e)
   end

data/lib/inspec/metadata.rb

@@ -68,6 +68,7 @@ module Inspec
                     os.method(family_check).call
                   )
 
+      # ensure we do have a string if we have a non-nil value eg. 16.06
       release_ok = release.nil? || os[:release] == release
 
       # we want to make sure that all matchers are true
@@ -143,7 +144,9 @@ module Inspec
 
     def self.finalize_supports_elem(elem, logger)
       case x = elem
-      when Hash then x
+      when Hash
+        x[:release] = x[:release].to_s if x[:release]
+        x
       when Array
         logger.warn(
           'Failed to read supports entry that is an array. Please use '\
@@ -162,7 +165,7 @@ module Inspec
 
     def self.finalize_supports(supports, logger)
       case x = supports
-      when Hash   then [x]
+      when Hash   then [finalize_supports_elem(x, logger)]
       when Array  then x.map { |e| finalize_supports_elem(e, logger) }.compact
       when nil    then []
       else

data/lib/inspec/profile.rb

@@ -22,12 +22,41 @@ module Inspec
     extend Forwardable
 
     def self.resolve_target(target, cache = nil)
+      c = cache || Cache.new
+      Inspec::Log.debug "Resolve #{target} into cache #{c.path}"
       Inspec::CachedFetcher.new(target, cache || Cache.new)
     end
 
+    # Check if the profile contains a vendored cache, move content into global cache
+    # TODO: use relative file provider
+    # TODO: use source reader for Cache as well
+    def self.copy_deps_into_cache(file_provider, opts)
+      # filter content
+      cache = file_provider.files.find_all do |entry|
+        entry.start_with?('vendor')
+      end
+      content = Hash[cache.map { |x| [x, file_provider.read(x)] }]
+      keys = content.keys
+      keys.each do |key|
+        next if content[key].nil?
+        # remove prefix
+        rel = Pathname.new(key).relative_path_from(Pathname.new('vendor')).to_s
+        tar = Pathname.new(opts[:cache].path).join(rel)
+
+        FileUtils.mkdir_p tar.dirname.to_s
+        Inspec::Log.debug "Copy #{tar} to cache directory"
+        File.write(tar.to_s, content[key].force_encoding('UTF-8'))
+      end
+    end
+
     def self.for_path(path, opts)
       file_provider = FileProvider.for_path(path)
-      reader = Inspec::SourceReader.resolve(file_provider.relative_provider)
+      rp = file_provider.relative_provider
+
+      # copy embedded dependecies into global cache
+      copy_deps_into_cache(rp, opts) unless opts[:cache].nil?
+
+      reader = Inspec::SourceReader.resolve(rp)
       if reader.nil?
         fail("Don't understand inspec profile in #{path}, it " \
              "doesn't look like a supported profile structure.")

data/lib/inspec/version.rb

@@ -4,5 +4,5 @@
 # author: Christoph Hartmann
 
 module Inspec
-  VERSION = '1.4.1'.freeze
+  VERSION = '1.5.0'.freeze
 end

data/lib/resources/apt.rb

@@ -89,7 +89,8 @@ module Inspec::Resources
         active = false if raw_line != line
 
         # eg.: deb http://archive.ubuntu.com/ubuntu/ wily main restricted
-        parse_repo = /^\s*(\S+)\s+"?([^ "\t\r\n\f]+)"?\s+(\S+)\s+(.*)$/.match(line)
+        # or : deb [trusted=yes] http://archive.ubuntu.com/ubuntu/ wily main restricted
+        parse_repo = /^\s*(\S+)\s+(?:\[\S+\])?\s*"?([^ "\t\r\n\f]+)"?\s+(\S+)\s+(.*)$/.match(line)
 
         # check if we got any result and the second param is an url
         next if parse_repo.nil? || !parse_repo[2] =~ HTTP_URL_RE

data/lib/source_readers/inspec.rb

@@ -25,6 +25,10 @@ module SourceReaders
 
     attr_reader :metadata, :tests, :libraries
 
+    # This create a new instance of an InSpec profile source reader
+    #
+    # @param [SourceReader] target
+    # @param [String] metadata_source eg. inspec.yml or metadata.rb
     def initialize(target, metadata_source)
       @target = target
       @metadata = Inspec::Metadata.from_ref(

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec
 version: !ruby/object:Gem::Version
-  version: 1.4.1
+  version: 1.5.0
 platform: ruby
 authors:
 - Dominik Richter
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-11-04 00:00:00.000000000 Z
+date: 2016-11-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: train