inspec 1.48.0 → 1.49.2

data/lib/inspec/control_eval_context.rb

@@ -13,7 +13,7 @@ module Inspec
   # as the basic DSL of the control files (describe, control, title,
   # etc).
   #
-  class ControlEvalContext # rubocop:disable Metrics/ClassLength
+  class ControlEvalContext
     # Create the context for controls. This includes all components of the DSL,
     # including matchers and resources.
     #
@@ -117,10 +117,21 @@ module Inspec
         end
 
         define_method :register_control do |control, &block|
-          if @skip_file || !profile_context_owner.profile_supports_os?
+          if @skip_file
             ::Inspec::Rule.set_skip_rule(control, true)
           end
 
+          unless profile_context_owner.profile_supports_platform?
+            platform = inspec.platform
+            msg = "Profile #{profile_context_owner.profile_id} is not supported on platform #{platform.name}/#{platform.release}."
+            ::Inspec::Rule.set_skip_rule(control, msg)
+          end
+
+          unless profile_context_owner.profile_supports_inspec_version?
+            msg = "Profile #{profile_context_owner.profile_id} is not supported on InSpec version (#{Inspec::VERSION})."
+            ::Inspec::Rule.set_skip_rule(control, msg)
+          end
+
           profile_context_owner.register_rule(control, &block) unless control.nil?
         end
 

data/lib/inspec/dependencies/lockfile.rb

@@ -28,7 +28,6 @@ module Inspec
       from_content(content)
     end
 
-    # rubocop:disable Style/GuardClause
     def self.validate_lockfile_version!(version)
       if version < MINIMUM_SUPPORTED_VERSION
         raise <<~EOF
@@ -49,7 +48,6 @@ module Inspec
         EOF
       end
     end
-    # rubocop:enable Style/GuardClause
 
     attr_reader :version, :deps
     def initialize(lockfile_content_hash)

data/lib/inspec/dsl_shared.rb

@@ -18,6 +18,14 @@ module Inspec
         # We cannot rely on libraries residing on disk however.
         # TODO: Sandboxing.
         content, path, line = @require_loader.load(rbpath)
+
+        # If we are in the realm of libraries and the LibraryEvalContext
+        # we should have access to the __inspec_binding, which is a Binding
+        # context that provides the correct plane to evaluate all required files to.
+        # It will ensure that embedded calls to `require` still call this
+        # method and get loaded from their correct paths.
+        return __inspec_binding.eval(content, path, line) if defined?(__inspec_binding)
+
         eval(content, TOPLEVEL_BINDING, path, line) # rubocop:disable Security/Eval
       end
     end

data/lib/inspec/library_eval_context.rb

@@ -37,11 +37,22 @@ module Inspec
         include Inspec::DSL::RequireOverride
         def initialize(require_loader)
           @require_loader = require_loader
+          @inspec_binding = nil
+        end
+
+        def __inspec_binding
+          @inspec_binding
         end
       end
 
       c3.const_set(:Inspec, c2)
-      c3.new(require_loader)
+      res = c3.new(require_loader)
+
+      # Provide the local binding for this context which is necessary for
+      # calls to `require` to create all dependent objects in the correct
+      # context.
+      res.instance_variable_set('@inspec_binding', res.instance_eval('binding'))
+      res
     end
   end
 end

data/lib/inspec/metadata.rb

@@ -14,7 +14,7 @@ module Inspec
   # A Metadata object may be created and finalized with invalid data.
   # This allows the check CLI command to analyse the issues.
   # Use valid? to determine if the metadata is coherent.
-  class Metadata # rubocop:disable Metrics/ClassLength
+  class Metadata
     attr_reader :ref
     attr_accessor :params, :content
     def initialize(ref, logger = nil)
@@ -36,6 +36,7 @@ module Inspec
       summary
       description
       version
+      inspec_version
     }.each do |name|
       define_method name.to_sym do |arg|
         params[name.to_sym] = arg
@@ -52,38 +53,16 @@ module Inspec
       # already.
     end
 
-    def is_supported?(os, entry)
-      name = entry[:'os-name'] || entry[:os]
-      family = entry[:'os-family']
-      release = entry[:release]
-
-      # return true if the backend matches the supported OS's
-      # fields act as masks, i.e. any value configured for os-name, os-family,
-      # or release must be met by the backend; any field that is nil acts as
-      # a glob expression i.e. is true
-
-      # os name is both saved in :family and :name, so check both
-      name_ok = name.nil? ||
-                os[:name] == name || os[:family] == name
-
-      family_check = family.to_s + '?'
-      family_ok = family.nil? || os[:family] == family ||
-                  (
-                    os.respond_to?(family_check) &&
-                    # this call will return true if the family matches
-                    os.method(family_check).call
-                  )
-
-      # ensure we do have a string if we have a non-nil value eg. 16.06
-      release_ok = release.nil? || os[:release] == release
-
-      # we want to make sure that all matchers are true
-      name_ok && family_ok && release_ok
-    end
-
     def inspec_requirement
-      inspec = params[:supports].find { |x| !x[:inspec].nil? } || {}
-      Gem::Requirement.create(inspec[:inspec])
+      inspec_in_supports = params[:supports].find { |x| !x[:inspec].nil? }
+      if inspec_in_supports
+        Inspec::Log.warn '[DEPRECATED] The use of inspec.yml `supports:inspec` is deprecated and will be removed in InSpec 2.0. Please use `inspec_version` instead.'
+        Gem::Requirement.create(inspec_in_supports[:inspec])
+      else
+        # using Gem::Requirement here to allow nil values which
+        # translate to [">= 0"]
+        Gem::Requirement.create(params[:inspec_version])
+      end
     end
 
     def supports_runtime?
@@ -91,18 +70,8 @@ module Inspec
       inspec_requirement.satisfied_by?(running)
     end
 
-    def supports_transport?(backend)
-      # with no supports specified, always return true, as there are no
-      # constraints on the supported backend; it is equivalent to putting
-      # all fields into accept-all mode
-      return true if params[:supports].empty?
-
-      found = params[:supports].find do |entry|
-        is_supported?(backend.os, entry)
-      end
-
-      # finally, if we found a supported entry, we are good to go
-      !found.nil?
+    def supports_platform?(backend)
+      backend.platform.supported?(params[:supports])
     end
 
     # return all warn and errors

data/lib/inspec/objects/attribute.rb

@@ -27,7 +27,7 @@ module Inspec
     end
 
     def default
-      @opts[:default] || DEFAULT_ATTRIBUTE.new
+      @opts.key?(:default) ? @opts[:default] : DEFAULT_ATTRIBUTE.new
     end
 
     def title

data/lib/inspec/plugins/resource.rb

@@ -28,6 +28,12 @@ module Inspec
       __resource_registry[@name].desc(description)
     end
 
+    def supports(criteria = nil)
+      return if criteria.nil?
+      Inspec::Resource.supports[@name] ||= []
+      Inspec::Resource.supports[@name].push(criteria)
+    end
+
     def example(example = nil)
       return if example.nil?
       __resource_registry[@name].example(example)
@@ -37,18 +43,22 @@ module Inspec
       Inspec::Resource.registry
     end
 
-    def __register(name, obj) # rubocop:disable Metrics/MethodLength
-      cl = Class.new(obj) do
+    def __register(name, obj) # rubocop:disable Metrics/MethodLength, Metrics/AbcSize
+      cl = Class.new(obj) do # rubocop:disable Metrics/BlockLength
         attr_reader :resource_exception_message
 
         def initialize(backend, name, *args)
           @resource_skipped = false
           @resource_failed = false
+          @supports = Inspec::Resource.supports[name]
 
           # attach the backend to this instance
           @__backend_runner__ = backend
           @__resource_name__ = name
 
+          # check resource supports
+          check_supports unless @supports.nil?
+
           # call the resource initializer
           begin
             super(*args)
@@ -69,6 +79,12 @@ module Inspec
           @example = example
         end
 
+        def check_supports
+          status = inspec.platform.supported?(@supports)
+          skip_msg = "Resource #{@__resource_name__.capitalize} is not supported on platform #{inspec.platform.name}/#{inspec.platform.release}."
+          skip_resource(skip_msg) unless status
+        end
+
         def skip_resource(message)
           @resource_skipped = true
           @resource_exception_message = message

data/lib/inspec/profile.rb

@@ -21,7 +21,7 @@ require 'inspec/dependencies/lockfile'
 require 'inspec/dependencies/dependency_set'
 
 module Inspec
-  class Profile # rubocop:disable Metrics/ClassLength
+  class Profile
     extend Forwardable
 
     def self.resolve_target(target, cache)
@@ -43,7 +43,7 @@ module Inspec
         next if content[key].nil?
         # remove prefix
         rel = Pathname.new(key).relative_path_from(Pathname.new('vendor')).to_s
-        tar = Pathname.new(opts[:cache].path).join(rel)
+        tar = Pathname.new(opts[:vendor_cache].path).join(rel)
 
         FileUtils.mkdir_p tar.dirname.to_s
         Inspec::Log.debug "Copy #{tar} to cache directory"
@@ -56,7 +56,7 @@ module Inspec
       rp = file_provider.relative_provider
 
       # copy embedded dependecies into global cache
-      copy_deps_into_cache(rp, opts) unless opts[:cache].nil?
+      copy_deps_into_cache(rp, opts) unless opts[:vendor_cache].nil?
 
       reader = Inspec::SourceReader.resolve(rp)
       if reader.nil?
@@ -67,14 +67,14 @@ module Inspec
     end
 
     def self.for_fetcher(fetcher, opts)
-      opts[:cache] = opts[:cache] || Cache.new
+      opts[:vendor_cache] = opts[:vendor_cache] || Cache.new
       path, writable = fetcher.fetch
       for_path(path, opts.merge(target: fetcher.target, writable: writable))
     end
 
     def self.for_target(target, opts = {})
-      opts[:cache] = opts[:cache] || Cache.new
-      fetcher = resolve_target(target, opts[:cache])
+      opts[:vendor_cache] = opts[:vendor_cache] || Cache.new
+      fetcher = resolve_target(target, opts[:vendor_cache])
       for_fetcher(fetcher, opts)
     end
 
@@ -92,7 +92,7 @@ module Inspec
       @controls = options[:controls] || []
       @writable = options[:writable] || false
       @profile_id = options[:id]
-      @cache = options[:cache] || Cache.new
+      @cache = options[:vendor_cache] || Cache.new
       @attr_values = options[:attributes]
       @tests_collected = false
       @libraries_loaded = false
@@ -136,15 +136,21 @@ module Inspec
     # @returns [TrueClass, FalseClass]
     #
     def supported?
-      supports_os? && supports_runtime?
+      supports_platform? && supports_runtime?
     end
 
-    def supports_os?
-      metadata.supports_transport?(@backend)
+    def supports_platform?
+      if @supports_platform.nil?
+        @supports_platform = metadata.supports_platform?(@backend)
+      end
+      @supports_platform
     end
 
     def supports_runtime?
-      metadata.supports_runtime?
+      if @supports_runtime.nil?
+        @supports_runtime = metadata.supports_runtime?
+      end
+      @supports_runtime
     end
 
     def params

data/lib/inspec/profile_context.rb

@@ -11,7 +11,7 @@ require 'securerandom'
 require 'inspec/objects/attribute'
 
 module Inspec
-  class ProfileContext # rubocop:disable Metrics/ClassLength
+  class ProfileContext
     def self.for_profile(profile, backend, attributes)
       new(profile.name, backend, { 'profile' => profile,
                                    'attributes' => attributes,
@@ -63,10 +63,16 @@ module Inspec
       @control_eval_context = nil
     end
 
-    def profile_supports_os?
+    def profile_supports_platform?
       return true if @conf['profile'].nil?
 
-      @conf['profile'].supports_os?
+      @conf['profile'].supports_platform?
+    end
+
+    def profile_supports_inspec_version?
+      return true if @conf['profile'].nil?
+
+      @conf['profile'].supports_runtime?
     end
 
     def remove_rule(id)

data/lib/inspec/profile_vendor.rb

@@ -48,7 +48,7 @@ module Inspec
 
     def profile_opts
       {
-        cache: Inspec::Cache.new(cache_path.to_s),
+        vendor_cache: Inspec::Cache.new(cache_path.to_s),
         backend: Inspec::Backend.create(target: 'mock://'),
       }
     end

data/lib/inspec/resource.rb

@@ -16,6 +16,10 @@ module Inspec
       @registry ||= default_registry
     end
 
+    def self.supports
+      @supports ||= {}
+    end
+
     def self.new_registry
       default_registry.dup
     end
@@ -131,6 +135,7 @@ require 'resources/packages'
 require 'resources/parse_config'
 require 'resources/passwd'
 require 'resources/pip'
+require 'resources/platform'
 require 'resources/port'
 require 'resources/postgres'
 require 'resources/postgres_conf'

data/lib/inspec/rspec_json_formatter.rb

@@ -110,7 +110,7 @@ class InspecRspecMiniJson < RSpec::Core::Formatters::JsonFormatter
   end
 end
 
-class InspecRspecJson < InspecRspecMiniJson # rubocop:disable Metrics/ClassLength
+class InspecRspecJson < InspecRspecMiniJson
   RSpec::Core::Formatters.register self, :stop, :dump_summary
   attr_writer :backend
 
@@ -279,7 +279,7 @@ class InspecRspecJson < InspecRspecMiniJson # rubocop:disable Metrics/ClassLengt
   end
 end
 
-class InspecRspecCli < InspecRspecJson # rubocop:disable Metrics/ClassLength
+class InspecRspecCli < InspecRspecJson
   RSpec::Core::Formatters.register self, :close
 
   case RUBY_PLATFORM
@@ -685,7 +685,7 @@ class InspecRspecCli < InspecRspecJson # rubocop:disable Metrics/ClassLength
   # This class wraps a control hash object to provide a useful inteface for
   # maintaining the associated profile, ids, results, title, etc.
   #
-  class Control # rubocop:disable Metrics/ClassLength
+  class Control
     include Comparable
 
     STATUS_TYPES = {

data/lib/inspec/rule.rb

@@ -8,7 +8,7 @@ require 'inspec/describe'
 require 'inspec/expect'
 
 module Inspec
-  class Rule # rubocop:disable Metrics/ClassLength
+  class Rule
     include ::RSpec::Matchers
 
     #

data/lib/inspec/runner.rb

@@ -28,7 +28,7 @@ module Inspec
   # r.run
   # ```
   #
-  class Runner # rubocop:disable Metrics/ClassLength
+  class Runner
     extend Forwardable
 
     def_delegator :@test_collector, :report
@@ -40,9 +40,10 @@ module Inspec
       @conf[:logger] ||= Logger.new(nil)
       @target_profiles = []
       @controls = @conf[:controls] || []
+      @depends = @conf[:depends] || []
       @ignore_supports = @conf[:ignore_supports]
       @create_lockfile = @conf[:create_lockfile]
-      @cache = Inspec::Cache.new(@conf[:cache])
+      @cache = Inspec::Cache.new(@conf[:vendor_cache])
       @test_collector = @conf.delete(:test_collector) || begin
         require 'inspec/runner_rspec'
         RunnerRspec.new(@conf)
@@ -168,7 +169,7 @@ module Inspec
     #
     def add_target(target, _opts = [])
       profile = Inspec::Profile.for_target(target,
-                                           cache: @cache,
+                                           vendor_cache: @cache,
                                            backend: @backend,
                                            controls: @controls,
                                            attributes: @conf[:attributes])
@@ -185,8 +186,8 @@ module Inspec
              "InSpec v#{Inspec::VERSION}.\n"
       end
 
-      if !profile.supports_os?
-        raise "This OS/platform (#{@backend.os[:name]}) is not supported by this profile."
+      if !profile.supports_platform?
+        raise "This OS/platform (#{@backend.platform.name}/#{@backend.platform.release}) is not supported by this profile."
       end
 
       true
@@ -214,6 +215,13 @@ module Inspec
       add_target({ 'inspec.yml' => 'name: inspec-shell' })
       our_profile = @target_profiles.first
       ctx = our_profile.runner_context
+
+      # Load local profile dependencies. This is used in inspec shell
+      # to provide access to local profiles that add resources.
+      @depends
+        .map { |x| Inspec::Profile.for_path(x, { profile_context: ctx }) }
+        .each(&:load_libraries)
+
       ctx.load(command)
     end