inspec 1.42.3 → 1.43.5

data/lib/bundles/inspec-compliance/target.rb

@@ -32,7 +32,7 @@ module Compliance
         if config['token'].nil? && config['refresh_token'].nil?
           if config['server_type'] == 'automate'
             server = 'automate'
-            msg = 'inspec compliance login_automate https://your_automate_server --user USER --ent ENT --dctoken DCTOKEN or --usertoken USERTOKEN'
+            msg = 'inspec compliance login https://your_automate_server --user USER --ent ENT --dctoken DCTOKEN or --token USERTOKEN'
           else
             server = 'compliance'
             msg = "inspec compliance login https://your_compliance_server --user admin --insecure --token 'PASTE TOKEN HERE' "
@@ -90,8 +90,7 @@ EOF
 
       raise 'Unable to determine compliance profile name. This can be caused by ' \
         'an incorrect server in your configuration. Try to login to compliance ' \
-        'via the `inspec compliance login` or `inspec compliance login_automate` ' \
-        'commands.' if m.nil?
+        'via the `inspec compliance login` command.' if m.nil?
 
       "#{m[:owner]}/#{m[:id]}"
     end

data/lib/inspec/objects/control.rb

@@ -2,10 +2,11 @@
 
 module Inspec
   class Control
-    attr_accessor :id, :title, :desc, :impact, :tests, :tags
+    attr_accessor :id, :title, :desc, :impact, :tests, :tags, :refs
     def initialize
       @tests = []
       @tags = []
+      @refs = []
     end
 
     def add_test(t)
@@ -20,12 +21,13 @@ module Inspec
       { id: id, title: title, desc: desc, impact: impact, tests: tests.map(&:to_hash), tags: tags.map(&:to_hash) }
     end
 
-    def to_ruby
+    def to_ruby # rubocop:disable Metrics/AbcSize
       res = ["control #{id.inspect} do"]
       res.push "  title #{title.inspect}" unless title.to_s.empty?
       res.push "  desc  #{prettyprint_text(desc, 2)}" unless desc.to_s.empty?
       res.push "  impact #{impact}" unless impact.nil?
       tags.each { |t| res.push(indent(t.to_ruby, 2)) }
+      refs.each { |t| res.push("  ref   #{print_ref(t)}") }
       tests.each { |t| res.push(indent(t.to_ruby, 2)) }
       res.push 'end'
       res.join("\n")
@@ -33,6 +35,12 @@ module Inspec
 
     private
 
+    def print_ref(x)
+      return x.inspect if x.is_a?(String)
+      raise "Cannot process the ref: #{x}" unless x.is_a?(Hash)
+      '('+x.inspect+')'
+    end
+
     # Pretty-print a text block of InSpec code
     #
     # @param s [String] should not be empty

data/lib/inspec/profile.rb

@@ -106,7 +106,8 @@ module Inspec
       # we share the backend between profiles.
       #
       # This will cause issues if a profile attempts to load a file via `inspec.profile.file`
-      @backend = options[:backend].nil? ? Inspec::Backend.create(options) : options[:backend].dup
+      train_options = options.select { |k, _| k != 'target' } # See https://github.com/chef/inspec/pull/1646
+      @backend = options[:backend].nil? ? Inspec::Backend.create(train_options) : options[:backend].dup
       @runtime_profile = RuntimeProfile.new(self)
       @backend.profile = @runtime_profile
 

data/lib/inspec/resource.rb

@@ -84,12 +84,15 @@ require 'resources/bash'
 require 'resources/bond'
 require 'resources/bridge'
 require 'resources/command'
+require 'resources/cran'
+require 'resources/cpan'
 require 'resources/crontab'
 require 'resources/dh_params'
 require 'resources/directory'
 require 'resources/docker'
 require 'resources/docker_container'
 require 'resources/docker_image'
+require 'resources/elasticsearch'
 require 'resources/etc_fstab'
 require 'resources/etc_group'
 require 'resources/etc_hosts_allow_deny'

data/lib/inspec/version.rb

@@ -4,5 +4,5 @@
 # author: Christoph Hartmann
 
 module Inspec
-  VERSION = '1.42.3'.freeze
+  VERSION = '1.43.5'.freeze
 end

data/lib/resources/cpan.rb

@@ -0,0 +1,60 @@
+# encoding: utf-8
+# author: Christoph Hartmann
+# author: Dominik Richter
+# author: Markus Grobelin
+
+# Usage:
+# describe cpan('DBD::Pg') do
+#   it { should be_installed }
+# end
+#
+
+module Inspec::Resources
+  class CpanPackage < Inspec.resource(1)
+    name 'cpan'
+    desc 'Use the `cpan` InSpec audit resource to test Perl modules that are installed by system packages or the CPAN installer.'
+    example "
+      describe cpan('DBD::Pg') do
+        it { should be_installed }
+      end
+    "
+
+    def initialize(package_name, perl_lib_path = nil)
+      @package_name = package_name
+      @perl_lib_path = perl_lib_path
+      @perl_cmd = 'perl'
+
+      # this resource is not supported on Windows
+      return skip_resource 'The `cpan` resource is not supported on your OS yet.' if inspec.os.windows?
+      return skip_resource 'perl not found' unless inspec.command(@perl_cmd).exist?
+    end
+
+    def info
+      return @info if defined?(@info)
+
+      @info = {}
+      @info[:type] = 'cpan'
+      @info[:name] = @package_name
+      # set PERL5LIB environment variable if a custom lib path is given
+      lib_path = @perl_lib_path.nil? ? '' : "PERL5LIB=#{@perl_lib_path} "
+      cmd = inspec.command("#{lib_path+@perl_cmd} -le 'eval \"require $ARGV[0]\" and print $ARGV[0]->VERSION or exit 1' #{@package_name}")
+      @info[:installed] = cmd.exit_status.zero?
+      return @info unless cmd.exit_status.zero?
+
+      @info[:version] = cmd.stdout.strip
+      @info
+    end
+
+    def installed?
+      info[:installed] == true
+    end
+
+    def version
+      info[:version]
+    end
+
+    def to_s
+      "Perl Module #{@package_name}"
+    end
+  end
+end

data/lib/resources/cran.rb

@@ -0,0 +1,66 @@
+# encoding: utf-8
+# author: Christoph Hartmann
+# author: Dominik Richter
+# author: Markus Grobelin
+
+# Usage:
+# describe cran('DBI') do
+#   it { should be_installed }
+# end
+#
+
+module Inspec::Resources
+  class CranPackage < Inspec.resource(1)
+    name 'cran'
+    desc 'Use the `cran` InSpec audit resource to test R modules that are installed from CRAN package repository.'
+    example "
+      describe cran('DBI') do
+        it { should be_installed }
+      end
+    "
+
+    def initialize(package_name)
+      @package_name = package_name
+      @r_cmd = 'Rscript'
+
+      # this resource is not supported on Windows
+      return skip_resource 'The `cran` resource is not supported on your OS yet.' if inspec.os.windows?
+      return skip_resource 'Rscript not found' unless inspec.command(@r_cmd).exist?
+    end
+
+    def info
+      return @info if defined?(@info)
+
+      @info = {}
+      @info[:type] = 'cran'
+      @info[:name] = @package_name
+      cmd = inspec.command("#{@r_cmd} -e 'packageVersion(\"#{@package_name}\")'")
+      return @info unless cmd.exit_status.zero?
+
+      # Extract package version from Rscript output
+      # Output includes unicode punctuation (backticks) characters like so:
+      # [1] '0.5.1'
+      #
+      # So make sure command output is converted to unicode, as it returns ASCII-8BIT by default
+      utf8_stdout = cmd.stdout.chomp.force_encoding(Encoding::UTF_8)
+      params = /^\[\d+\]\s+(?:\p{Initial_Punctuation})(.+)(?:\p{Final_Punctuation})$/.match(utf8_stdout)
+      @info[:installed] = !params.nil?
+      return @info unless @info[:installed]
+
+      @info[:version] = params[1]
+      @info
+    end
+
+    def installed?
+      info[:installed] == true
+    end
+
+    def version
+      info[:version]
+    end
+
+    def to_s
+      "R Module #{@package_name}"
+    end
+  end
+end

data/lib/resources/elasticsearch.rb

@@ -0,0 +1,172 @@
+# encoding: utf-8
+
+require 'utils/filter'
+require 'hashie/mash'
+require 'resources/package'
+
+module Inspec::Resources
+  class Elasticsearch < Inspec.resource(1) # rubocop:disable Metrics/ClassLength
+    name 'elasticsearch'
+    desc "Use the Elasticsearch InSpec audit resource to test the status of nodes in
+      an Elasticsearch cluster."
+
+    example "
+      describe elasticsearch('http://eshost.mycompany.biz:9200/', username: 'elastic', password: 'changeme', ssl_verify: false) do
+        its('node_count') { should >= 3 }
+      end
+
+      describe elasticsearch do
+        its('node_name') { should include 'node1' }
+        its('os') { should_not include 'MacOS' }
+        its('version') { should cmp > 1.2.0 }
+      end
+    "
+
+    filter = FilterTable.create
+    filter.add_accessor(:where)
+          .add_accessor(:entries)
+          .add(:cluster_name,          field: 'cluster_name')
+          .add(:node_name,             field: 'name')
+          .add(:transport_address,     field: 'transport_address')
+          .add(:host,                  field: 'host')
+          .add(:ip,                    field: 'ip')
+          .add(:version,               field: 'version')
+          .add(:build_hash,            field: 'build_hash')
+          .add(:total_indexing_buffer, field: 'total_indexing_buffer')
+          .add(:roles,                 field: 'roles')
+          .add(:settings,              field: 'settings')
+          .add(:os,                    field: 'os')
+          .add(:process,               field: 'process')
+          .add(:jvm,                   field: 'jvm')
+          .add(:transport,             field: 'transport')
+          .add(:http,                  field: 'http')
+          .add(:plugins,               field: 'plugins')
+          .add(:plugin_list,           field: 'plugin_list')
+          .add(:modules,               field: 'modules')
+          .add(:module_list,           field: 'module_list')
+          .add(:node_id,               field: 'node_id')
+          .add(:ingest,                field: 'ingest')
+          .add(:exists?) { |x| !x.entries.empty? }
+          .add(:node_count) { |t, _|
+            t.entries.length
+          }
+
+    filter.connect(self, :nodes)
+
+    attr_reader :nodes, :url
+
+    def initialize(opts = {})
+      return skip_resource 'Package `curl` not avaiable on the host' unless inspec.command('curl').exist?
+
+      @url = opts.fetch(:url, 'http://localhost:9200')
+
+      username   = opts.fetch(:username, nil)
+      password   = opts.fetch(:password, nil)
+      ssl_verify = opts.fetch(:ssl_verify, true)
+
+      cmd = inspec.command(curl_command_string(username, password, ssl_verify))
+
+      # after implementation of PR #2235, this begin..rescue won't be necessary.
+      # The checks in verify_curl_success! can raise their own skip message exception.
+      begin
+        verify_curl_success!(cmd)
+      rescue => e
+        return skip_resource e.message
+      end
+
+      begin
+        content = JSON.parse(cmd.stdout)
+        # after implementation of PR #2235, this can be broken out of the begin..rescue
+        # clause. The checks in verify_json_payload! can raise their own skip message exception.
+        verify_json_payload!(content)
+      rescue JSON::ParserError => e
+        return skip_resource "Couldn't parse the Elasticsearch response: #{e.message}"
+      rescue => e
+        return skip_resource e.message
+      end
+
+      @nodes = parse_cluster(content)
+    end
+
+    def to_s
+      "Elasticsearch Cluster #{url}"
+    end
+
+    private
+
+    def parse_cluster(content)
+      return [] unless content['nodes']
+
+      nodes = []
+
+      content['nodes'].each do |node_id, node_data|
+        node_data = fix_mash_key_collision(node_data)
+
+        node = Hashie::Mash.new(node_data)
+        node.node_id = node_id
+        node.plugin_list = node.plugins.map(&:name)
+        node.module_list = node.modules.map(&:name)
+        node.cluster_name = node.settings.cluster.name
+        nodes << node
+      end
+
+      nodes
+    end
+
+    #
+    # Hashie::Mash will throw warnings if the Mash contains a key that is the same as a built-in
+    # method on a Hashie::Mash instance. This is a crude way of avoiding those warnings without
+    # hard-coding a bunch of key renames.
+    #
+    # Any key that is in conflict will be renamed "es_ORIGINALKEY"
+    #
+    def fix_mash_key_collision(data)
+      test_mash = Hashie::Mash.new
+
+      new_data = {}
+      data.each do |key, value|
+        new_key = test_mash.respond_to?(key.to_sym) ? "es_#{key}" : key
+        new_value = value.is_a?(Hash) ? fix_mash_key_collision(value) : value
+
+        new_data[new_key] = new_value
+      end
+
+      new_data
+    end
+
+    def curl_command_string(username, password, ssl_verify)
+      cmd_string = ['curl']
+      cmd_string << '-k' unless ssl_verify
+      cmd_string << "-H 'Content-Type: application/json'"
+      cmd_string << " -u #{username}:#{password}" unless username.nil? || password.nil?
+      cmd_string << URI.join(url, '_nodes')
+
+      cmd_string.join(' ')
+    end
+
+    def verify_curl_success!(cmd)
+      # the following lines captures known possible curl command errors and provides compact skip resource messeges
+      if cmd.stderr =~ /Failed to connect/
+        raise "Connection refused - please check the URL #{url} for accuracy"
+      end
+
+      if cmd.stderr =~ /Peer's Certificate issuer is not recognized/
+        raise 'Connection refused - peer certificate issuer is not recognized'
+      end
+
+      if !cmd.exit_status.zero?
+        raise "Error fetching Elastcsearch data from curl #{url}: #{cmd.stderr}"
+      end
+    end
+
+    def verify_json_payload!(content)
+      unless content['error'].nil?
+        raise "#{content['error']['type']}: #{content['error']['reason']}"
+      end
+
+      if content['_nodes']['successful'].zero?
+        raise 'No successful nodes available in cluster'
+      end
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec
 version: !ruby/object:Gem::Version
-  version: 1.42.3
+  version: 1.43.5
 platform: ruby
 authors:
 - Dominik Richter
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-10-18 00:00:00.000000000 Z
+date: 2017-10-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: train
@@ -324,6 +324,8 @@ files:
 - docs/resources/bridge.md.erb
 - docs/resources/bsd_service.md.erb
 - docs/resources/command.md.erb
+- docs/resources/cpan.md.erb
+- docs/resources/cran.md.erb
 - docs/resources/crontab.md.erb
 - docs/resources/csv.md.erb
 - docs/resources/dh_params.md
@@ -331,6 +333,7 @@ files:
 - docs/resources/docker.md.erb
 - docs/resources/docker_container.md.erb
 - docs/resources/docker_image.md.erb
+- docs/resources/elasticsearch.md.erb
 - docs/resources/etc_fstab.md.erb
 - docs/resources/etc_group.md.erb
 - docs/resources/etc_hosts.md.erb
@@ -467,6 +470,7 @@ files:
 - lib/bundles/inspec-compliance/.kitchen.yml
 - lib/bundles/inspec-compliance/README.md
 - lib/bundles/inspec-compliance/api.rb
+- lib/bundles/inspec-compliance/api/login.rb
 - lib/bundles/inspec-compliance/bootstrap.sh
 - lib/bundles/inspec-compliance/cli.rb
 - lib/bundles/inspec-compliance/configuration.rb
@@ -572,6 +576,8 @@ files:
 - lib/resources/bond.rb
 - lib/resources/bridge.rb
 - lib/resources/command.rb
+- lib/resources/cpan.rb
+- lib/resources/cran.rb
 - lib/resources/crontab.rb
 - lib/resources/csv.rb
 - lib/resources/dh_params.rb
@@ -579,6 +585,7 @@ files:
 - lib/resources/docker.rb
 - lib/resources/docker_container.rb
 - lib/resources/docker_image.rb
+- lib/resources/elasticsearch.rb
 - lib/resources/etc_fstab.rb
 - lib/resources/etc_group.rb
 - lib/resources/etc_hosts.rb