inspec 1.45.13 → 1.46.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 942384b7fafcd0d8318201eec37d4a08556d3080
-  data.tar.gz: 8823e1de51315eec835891df623ea55f6dca3059
+  metadata.gz: 275cc93db905d4d442e1c7c897a197c0123e1671
+  data.tar.gz: '097b235e017ce4fdde8e890a12e4221de4fd7330'
 SHA512:
-  metadata.gz: 8fa3b0ea4482dc3f5562610a64fb6b878e97c6ad6b614564f7f6a2742d66ead3620c770ec379347373ed5e0182557d4c80100d219cef7d77c70ff87cdaaa89e6
-  data.tar.gz: 0c82db93fca88e51f51d936aaa792e124ba3826033963918e0bb8faca4b3a18bcaad3f64d3773db8ecfc62df22962e8c58ffa6055aad875e8563888c6a74322e
+  metadata.gz: c4424e307b2c5d474cb040e4fa023f98c9507c764edd84684cb286bf21c36a83395f5cd2d8a4f1f87d14a271e7b0a6d281eabe140065dcdd012f3780f3d390d1
+  data.tar.gz: 35a966232190612e93daac133334c5f7f2f5c705261d0155dc2758168c0f2b15865cfd52f47d635065a754f4b1f239216dd5c1574a4657024d0d92a008c6e0b4

data/CHANGELOG.md

@@ -1,23 +1,37 @@
 # Change Log
 <!-- usage documentation: http://expeditor-docs.es.chef.io/configuration/changelog/ -->
-<!-- latest_release 1.45.13 -->
-## [v1.45.13](https://github.com/chef/inspec/tree/v1.45.13) (2017-11-21)
+<!-- latest_release 1.46.2 -->
+## [v1.46.2](https://github.com/chef/inspec/tree/v1.46.2) (2017-11-29)
 
-#### Merged Pull Requests
-- Bump train to 0.29.2 [#2327](https://github.com/chef/inspec/pull/2327) ([adamleff](https://github.com/adamleff))
+#### Bug Fixes
+- Allow skipping/failing resources in FilterTable [#2349](https://github.com/chef/inspec/pull/2349) ([jerryaldrichiii](https://github.com/jerryaldrichiii))
 <!-- latest_release -->
 
-<!-- release_rollup since=1.45.9 -->
-### Changes since 1.45.9 release
+<!-- release_rollup since=1.45.13 -->
+### Changes since 1.45.13 release
 
-#### Merged Pull Requests
-- Bump train to 0.29.2 [#2327](https://github.com/chef/inspec/pull/2327) ([adamleff](https://github.com/adamleff)) <!-- 1.45.13 -->
-- Bump Rubocop to 0.49.1 [#2323](https://github.com/chef/inspec/pull/2323) ([adamleff](https://github.com/adamleff)) <!-- 1.45.12 -->
-- Remove bundler install during Appveyor tests [#2322](https://github.com/chef/inspec/pull/2322) ([adamleff](https://github.com/adamleff)) <!-- 1.45.11 -->
-- Remove debug message from unit test [#2313](https://github.com/chef/inspec/pull/2313) ([eramoto](https://github.com/eramoto)) <!-- 1.45.10 -->
+#### Enhancements
+- allow override of attribute identifier  [#2347](https://github.com/chef/inspec/pull/2347) ([chris-rock](https://github.com/chris-rock)) <!-- 1.46.0 -->
+
+#### Bug Fixes
+- Allow skipping/failing resources in FilterTable [#2349](https://github.com/chef/inspec/pull/2349) ([jerryaldrichiii](https://github.com/jerryaldrichiii)) <!-- 1.46.2 -->
+- wmi resource: properly escape quotes in WMI query [#2342](https://github.com/chef/inspec/pull/2342) ([TheLonelyGhost](https://github.com/TheLonelyGhost)) <!-- 1.46.1 -->
+- file resource: fix NilClass error when using advanced windows permissions [#2344](https://github.com/chef/inspec/pull/2344) ([TheLonelyGhost](https://github.com/TheLonelyGhost)) <!-- 1.45.17 -->
+- http resource: properly support HEAD request with remote worker [#2340](https://github.com/chef/inspec/pull/2340) ([adamleff](https://github.com/adamleff)) <!-- 1.45.16 -->
+- grub_conf resource: correct grub path for RHEL-7-based OS [#2332](https://github.com/chef/inspec/pull/2332) ([atomic111](https://github.com/atomic111)) <!-- 1.45.15 -->
+- json resource (et. al.): allow inspec check to succeed when using command [#2317](https://github.com/chef/inspec/pull/2317) ([adamleff](https://github.com/adamleff)) <!-- 1.45.14 -->
 <!-- release_rollup -->
 
 <!-- latest_stable_release -->
+## [v1.45.13](https://github.com/chef/inspec/tree/v1.45.13) (2017-11-21)
+
+#### Merged Pull Requests
+- Remove debug message from unit test [#2313](https://github.com/chef/inspec/pull/2313) ([eramoto](https://github.com/eramoto))
+- Remove bundler install during Appveyor tests [#2322](https://github.com/chef/inspec/pull/2322) ([adamleff](https://github.com/adamleff))
+- Bump Rubocop to 0.49.1 [#2323](https://github.com/chef/inspec/pull/2323) ([adamleff](https://github.com/adamleff))
+- Bump train to 0.29.2 [#2327](https://github.com/chef/inspec/pull/2327) ([adamleff](https://github.com/adamleff))
+<!-- latest_stable_release -->
+
 ## [v1.45.9](https://github.com/chef/inspec/tree/v1.45.9) (2017-11-16)
 
 #### Enhancements
@@ -36,7 +50,6 @@
 - Fix gid filtering for etc_group resource [#2297](https://github.com/chef/inspec/pull/2297) ([eramoto](https://github.com/eramoto))
 - Require Ruby 2.3 and later [#2293](https://github.com/chef/inspec/pull/2293) ([adamleff](https://github.com/adamleff))
 - Update Rubocop to TargetRubyVersion 2.3 [#2311](https://github.com/chef/inspec/pull/2311) ([adamleff](https://github.com/adamleff))
-<!-- latest_stable_release -->
 
 ## [v1.44.8](https://github.com/chef/inspec/tree/v1.44.8) (2017-11-09)
 

data/docs/resources/file.md.erb

@@ -200,6 +200,20 @@ For example, for the following symlink:
 
 This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
 
+### be\_allowed
+
+The `be_allowed` matcher tests if the file contains a certain permission set, such as `execute` or `write` in Unix and [`full-control` or `modify` in Windows](https://www.codeproject.com/Reference/871338/AccessControl-FileSystemRights-Permissions-Table).
+
+    it { should be_allowed('read') }
+
+Just like with `be_executable` and other permissions, one can check for the permission with respect to the specific user or group.
+
+    it { should be_allowed('full-control', by_user: 'MyComputerName\Administrator') }
+
+OR
+
+    it { should be_allowed('write', by: 'root') }
+
 ### be\_block\_device
 
 The `be_block_device` matcher tests if the file exists as a block device, such as `/dev/disk0` or `/dev/disk0s9`:

data/docs/resources/kernel_module.md.erb

@@ -25,7 +25,6 @@ blacklisted:
       it { should_not be_disabled }
       it { should_not be_blacklisted }
     end
-    end
 
 where
 
@@ -40,53 +39,53 @@ where
 
 The following examples show how to use this InSpec audit resource.
 
-  ### Test a modules 'version'
+### Test a modules 'version'
 
-  describe kernel_module('bridge') do
-    it { should be_loaded }
-    its(:version) { should cmp >= '2.2.2' }
-  end
+      describe kernel_module('bridge') do
+        it { should be_loaded }
+        its(:version) { should cmp >= '2.2.2' }
+      end
 
-  ### Test if a module is loaded, not disabled and not blacklisted
+### Test if a module is loaded, not disabled and not blacklisted
 
-  describe kernel_module('video') do
-    it { should be_loaded }
-    it { should_not be_disabled }
-    it { should_not be_blacklisted }
-  end
+      describe kernel_module('video') do
+        it { should be_loaded }
+        it { should_not be_disabled }
+        it { should_not be_blacklisted }
+      end
 
-  ### Check if a module is blacklisted
+### Check if a module is blacklisted
 
-  describe kernel_module('floppy') do
-    it { should be_blacklisted }
-  end
+      describe kernel_module('floppy') do
+        it { should be_blacklisted }
+      end
 
-  ### Ensure a module is *not* blacklisted and it is loaded
+### Ensure a module is *not* blacklisted and it is loaded
 
-  describe kernel_module('video') do
-    it { should_not be_blacklisted }
-    it { should be_loaded }
-  end
+      describe kernel_module('video') do
+        it { should_not be_blacklisted }
+        it { should be_loaded }
+      end
 
-  ### Ensure a module is disabled via 'bin_false'
+### Ensure a module is disabled via 'bin_false'
 
-  describe kernel_module('sstfb') do
-    it { should_not be_loaded }
-    it { should be_disabled }
-  end
+      describe kernel_module('sstfb') do
+        it { should_not be_loaded }
+        it { should be_disabled }
+      end
 
-  ### Ensure a module is 'blacklisted'/'disabled' via 'bin_true'
+### Ensure a module is 'blacklisted'/'disabled' via 'bin_true'
 
-  describe kernel_module('nvidiafb') do
-    it { should_not be_loaded }
-    it { should be_blacklisted }
-  end
+      describe kernel_module('nvidiafb') do
+        it { should_not be_loaded }
+        it { should be_blacklisted }
+      end
 
-  ### Ensure a module is not loaded
+### Ensure a module is not loaded
 
-  describe kernel_module('dhcp') do
-    it { should_not be_loaded }
-  end
+      describe kernel_module('dhcp') do
+        it { should_not be_loaded }
+      end
 
 <br>
 

data/examples/kitchen-ansible/Gemfile

@@ -7,7 +7,6 @@ group :test do
   gem 'bundler', '~> 1.5'
   gem 'minitest', '~> 5.5'
   gem 'rake', '~> 10'
-  gem 'rubocop', '~> 0.33.0'
   gem 'simplecov', '~> 0.10'
 end
 

data/examples/kitchen-chef/Gemfile

@@ -7,7 +7,6 @@ group :test do
   gem 'bundler', '~> 1.5'
   gem 'minitest', '~> 5.5'
   gem 'rake', '~> 10'
-  gem 'rubocop', '~> 0.33.0'
   gem 'simplecov', '~> 0.10'
 end
 

data/examples/kitchen-puppet/Gemfile

@@ -7,7 +7,6 @@ group :test do
   gem 'bundler', '~> 1.5'
   gem 'minitest', '~> 5.5'
   gem 'rake', '~> 10'
-  gem 'rubocop', '~> 0.33.0'
   gem 'simplecov', '~> 0.10'
 end
 

data/lib/inspec/objects/attribute.rb

@@ -39,7 +39,7 @@ module Inspec
     end
 
     def ruby_var_identifier
-      'attr_' + @name.downcase.strip.gsub(/\s+/, '-').gsub(/[^\w-]/, '')
+      @opts[:identifier] || 'attr_' + @name.downcase.strip.gsub(/\s+/, '-').gsub(/[^\w-]/, '')
     end
 
     def to_hash
@@ -52,7 +52,7 @@ module Inspec
     def to_ruby
       res = ["#{ruby_var_identifier} = attribute('#{@name}',{"]
       res.push "  title: '#{title}'," unless title.to_s.empty?
-      res.push "  default: '#{default}'," unless default.to_s.empty?
+      res.push "  default: #{default.inspect}," unless default.to_s.empty?
       res.push "  description: '#{description}'," unless description.to_s.empty?
       res.push '})'
       res.join("\n")

data/lib/inspec/version.rb

@@ -4,5 +4,5 @@
 # author: Christoph Hartmann
 
 module Inspec
-  VERSION = '1.45.13'
+  VERSION = '1.46.2'
 end

data/lib/resources/csv.rb

@@ -34,6 +34,8 @@ module Inspec::Resources
 
       # convert to hash
       csv.to_a.map(&:to_hash)
+    rescue => e
+      raise Inspec::Exceptions::ResourceFailed, "Unable to parse CSV: #{e.message}"
     end
 
     # override the value method from JsonConfig
@@ -45,8 +47,12 @@ module Inspec::Resources
       @params.map { |x| x[key.first.to_s] }.compact
     end
 
-    def to_s
-      "Csv #{@path}"
+    private
+
+    # used by JsonConfig to build up a full to_s method
+    # based on whether a file path, content, or command was supplied.
+    def resource_base_name
+      'CSV'
     end
   end
 end

data/lib/resources/file.rb

@@ -240,6 +240,8 @@ module Inspec::Resources
       names ||= translate_granular_perms(access_type)
       names ||= translate_uncommon_perms(access_type)
       raise 'Invalid access_type provided' unless names
+
+      names
     end
 
     def translate_common_perms(access_type)

data/lib/resources/grub_conf.rb

@@ -50,7 +50,7 @@ class GrubConfig < Inspec.resource(1) # rubocop:disable Metrics/ClassLength
       @conf_path = path || '/etc/grub.conf'
       @version = 'legacy'
     else
-      @conf_path = path || '/boot/grub/grub.cfg'
+      @conf_path = path || '/boot/grub2/grub.cfg'
       @defaults_path = '/etc/default/grub'
       @version = 'grub2'
     end

data/lib/resources/http.rb

@@ -203,7 +203,17 @@ module Inspec::Resources
         end
 
         def curl_command # rubocop:disable Metrics/AbcSize
-          cmd = ["curl -i -X #{http_method}"]
+          cmd = ['curl -i']
+
+          # Use curl's --head option when the method requested is HEAD. Otherwise,
+          # the user may experience a timeout when curl does not properly close
+          # the connection after the response is received.
+          if http_method.casecmp('HEAD') == 0
+            cmd << '--head'
+          else
+            cmd << "-X #{http_method}"
+          end
+
           cmd << "--connect-timeout #{open_timeout}"
           cmd << "--max-time #{open_timeout+read_timeout}"
           cmd << "--user \'#{username}:#{password}\'" unless username.nil? || password.nil?

data/lib/resources/ini.rb

@@ -18,8 +18,12 @@ module Inspec::Resources
       SimpleConfig.new(content).params
     end
 
-    def to_s
-      "INI #{@path}"
+    private
+
+    # used by JsonConfig to build up a full to_s method
+    # based on whether a file path, content, or command was supplied.
+    def resource_base_name
+      'INI'
     end
   end
 end

data/lib/resources/json.rb

@@ -26,45 +26,11 @@ module Inspec::Resources
     include ObjectTraverser
 
     # make params readable
-    attr_reader :params
+    attr_reader :params, :raw_content
 
     def initialize(opts)
-      @opts = opts
-      if opts.is_a?(Hash)
-        if opts.key?(:content)
-          @file_content = opts[:content]
-        elsif opts.key?(:command)
-          @command = inspec.command(opts[:command])
-          @file_content = @command.stdout
-        end
-      else
-        @path = opts
-        @file = inspec.file(@opts)
-        @file_content = @file.content
-
-        # check if file is available
-        if !@file.file?
-          skip_resource "Can't find file \"#{@path}\""
-          return @params = {}
-        end
-
-        # check if file is readable
-        if @file_content.nil? && !@file.empty?
-          skip_resource "Can't read file \"#{@path}\""
-          return @params = {}
-        end
-      end
-
-      @params = parse(@file_content)
-    end
-
-    def parse(content)
-      require 'json'
-      JSON.parse(content)
-    end
-
-    def value(key)
-      extract_value(key, @params)
+      @raw_content = load_raw_content(opts)
+      @params = parse(@raw_content)
     end
 
     # Shorthand to retrieve a parameter name via `#its`.
@@ -79,12 +45,65 @@ module Inspec::Resources
       value(keys)
     end
 
+    def value(key)
+      # uses ObjectTraverser.extract_value to walk the hash looking for the key,
+      # which may be an Array of keys for a nested Hash.
+      extract_value(key, params)
+    end
+
     def to_s
-      if @opts.is_a?(Hash) && @opts.key?(:content)
-        'Json content'
+      "#{resource_base_name} #{@resource_name_supplement || 'content'}"
+    end
+
+    private
+
+    def parse(content)
+      require 'json'
+      JSON.parse(content)
+    rescue => e
+      raise Inspec::Exceptions::ResourceFailed, "Unable to parse JSON: #{e.message}"
+    end
+
+    def load_raw_content(opts)
+      # if the opts isn't a hash, we assume it's a path to a file
+      unless opts.is_a?(Hash)
+        @resource_name_supplement = opts
+        return load_raw_from_file(opts)
+      end
+
+      if opts.key?(:command)
+        @resource_name_supplement = "from command: #{opts[:command]}"
+        load_raw_from_command(opts[:command])
+      elsif opts.key?(:content)
+        opts[:content]
       else
-        "Json #{@path}"
+        raise Inspec::Exceptions::ResourceFailed, 'No JSON content; must specify a file, command, or raw JSON content'
       end
     end
+
+    def load_raw_from_file(path)
+      file = inspec.file(path)
+
+      # these are currently ResourceSkipped to maintain consistency with the resource
+      # pre-refactor (which used skip_resource). These should likely be changed to
+      # ResourceFailed during a major version bump.
+      raise Inspec::Exceptions::ResourceSkipped, "No such file: #{path}" unless file.file?
+      raise Inspec::Exceptions::ResourceSkipped, "File #{path} is empty or is not readable by current user" if file.content.nil? || file.content.empty?
+
+      file.content
+    end
+
+    def load_raw_from_command(command)
+      command_output = inspec.command(command).stdout
+      raise Inspec::Exceptions::ResourceSkipped, "No output from command: #{command}" if command_output.nil? || command_output.empty?
+
+      command_output
+    end
+
+    # for resources the subclass JsonConfig, this allows specification of the resource
+    # base name in each subclass so we can build a good to_s method
+    def resource_base_name
+      'JSON'
+    end
   end
 end

data/lib/resources/toml.rb

@@ -17,10 +17,16 @@ module Inspec::Resources
 
     def parse(content)
       Tomlrb.parse(content)
+    rescue => e
+      raise Inspec::Exceptions::ResourceFailed, "Unable to parse TOML: #{e.message}"
     end
 
-    def to_s
-      "TOML #{@path}"
+    private
+
+    # used by JsonConfig to build up a full to_s method
+    # based on whether a file path, content, or command was supplied.
+    def resource_base_name
+      'TOML'
     end
   end
 end

data/lib/resources/wmi.rb

@@ -27,7 +27,7 @@ module Inspec::Resources
 
     def initialize(wmiclass = nil, opts = nil)
       # verify that this resource is only supported on Windows
-      return skip_resource 'The `windows_feature` resource is not supported on your OS.' unless inspec.os.windows?
+      return skip_resource 'The `wmi` resource is not supported on your OS.' unless inspec.os.windows?
 
       @options = opts || {}
       # if wmiclass is not a hash, we have to handle deprecation behavior
@@ -67,7 +67,7 @@ module Inspec::Resources
 
       # convert to Get-WmiObject arguments
       params = ''
-      args.each { |key, value| params += " -#{key} \"#{value}\"" }
+      args.each { |key, value| params += " -#{key} \"#{value.gsub('"', '`"')}\"" }
 
       # run wmi command and filter empty wmi
       script = <<-EOH

data/lib/resources/xml.rb

@@ -14,14 +14,20 @@ module Inspec::Resources
     def parse(content)
       require 'rexml/document'
       REXML::Document.new(content)
+    rescue => e
+      raise Inspec::Exceptions::ResourceFailed, "Unable to parse XML: #{e.message}"
     end
 
     def value(key)
       REXML::XPath.each(@params, key.first.to_s).map(&:text)
     end
 
-    def to_s
-      "XML #{@path}"
+    private
+
+    # used by JsonConfig to build up a full to_s method
+    # based on whether a file path, content, or command was supplied.
+    def resource_base_name
+      'XML'
     end
   end
 end

data/lib/resources/yaml.rb

@@ -30,10 +30,16 @@ module Inspec::Resources
     # override file load and parse hash from yaml
     def parse(content)
       YAML.load(content)
+    rescue => e
+      raise Inspec::Exceptions::ResourceFailed, "Unable to parse YAML: #{e.message}"
     end
 
-    def to_s
-      "YAML #{@path}"
+    private
+
+    # used by JsonConfig to build up a full to_s method
+    # based on whether a file path, content, or command was supplied.
+    def resource_base_name
+      'YAML'
     end
   end
 end

data/lib/utils/filter.rb

@@ -6,6 +6,48 @@
 module FilterTable
   module Show; end
 
+  class ExceptionCatcher
+    def initialize(original_resource, original_exception)
+      @original_resource = original_resource
+      @original_exception = original_exception
+    end
+
+    # This method is called via the runner and signals RSpec to output a block
+    # showing why the resource was skipped. This prevents the resource from
+    # being added to the test collection and being evaluated.
+    def resource_skipped?
+      @original_exception.is_a?(Inspec::Exceptions::ResourceSkipped)
+    end
+
+    # This method is called via the runner and signals RSpec to output a block
+    # showing why the resource failed. This prevents the resource from
+    # being added to the test collection and being evaluated.
+    def resource_failed?
+      @original_exception.is_a?(Inspec::Exceptions::ResourceFailed)
+    end
+
+    def resource_exception_message
+      @original_exception.message
+    end
+
+    # Capture message chains and return `ExceptionCatcher` objects
+    def method_missing(*)
+      self
+    end
+
+    # RSpec will check the object returned to see if it responds to a method
+    # before calling it. We need to fake it out and tell it that it does. This
+    # allows it to skip past that check and fall through to #method_missing
+    def respond_to?(_method)
+      true
+    end
+
+    def to_s
+      @original_resource.to_s
+    end
+    alias inspect to_s
+  end
+
   class Trace
     def initialize
       @chain = []
@@ -140,7 +182,7 @@ module FilterTable
       @connectors = {}
     end
 
-    def connect(resource, table_accessor)
+    def connect(resource, table_accessor) # rubocop:disable Metrics/AbcSize
       # create the table structure
       connectors = @connectors
       struct_fields = connectors.values.map(&:field_name)
@@ -170,12 +212,21 @@ module FilterTable
         end
       }
 
-      # define all access methods with the parent resource
+      # Define all access methods with the parent resource
+      # These methods will be configured to return an `ExceptionCatcher` object
+      # that will always return the original exception, but only when called
+      # upon. This will allow method chains in `describe` statements to pass the
+      # `instance_eval` when loaded and only throw-and-catch the exception when
+      # the tests are run.
       accessors = @accessors + @connectors.keys
       accessors.each do |method_name|
         resource.send(:define_method, method_name.to_sym) do |*args, &block|
-          filter = table.new(self, method(table_accessor).call, ' with')
-          filter.method(method_name.to_sym).call(*args, &block)
+          begin
+            filter = table.new(self, method(table_accessor).call, ' with')
+            filter.method(method_name.to_sym).call(*args, &block)
+          rescue Inspec::Exceptions::ResourceFailed, Inspec::Exceptions::ResourceSkipped => e
+            FilterTable::ExceptionCatcher.new(resource, e)
+          end
         end
       end
     end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec
 version: !ruby/object:Gem::Version
-  version: 1.45.13
+  version: 1.46.2
 platform: ruby
 authors:
 - Dominik Richter
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-11-21 00:00:00.000000000 Z
+date: 2017-11-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: train