inspec 1.48.0 → 1.49.2

data/lib/inspec/schema.rb

@@ -2,7 +2,7 @@
 require 'json'
 
 module Inspec
-  class Schema # rubocop:disable Metrics/ClassLength
+  class Schema
     STATISTICS = {
       'type' => 'object',
       'additionalProperties' => false,

data/lib/inspec/shell.rb

@@ -9,7 +9,7 @@ module Inspec
   # A pry based shell for inspec. Given a runner (with a configured backend and
   # all that jazz), this shell will produce a pry shell from which you can run
   # inspec/ruby commands that will be run within the context of the runner.
-  class Shell # rubocop:disable Metrics/ClassLength
+  class Shell
     def initialize(runner)
       @runner = runner
     end

data/lib/inspec/version.rb

@@ -4,5 +4,5 @@
 # author: Christoph Hartmann
 
 module Inspec
-  VERSION = '1.48.0'
+  VERSION = '1.49.2'
 end

data/lib/resources/aide_conf.rb

@@ -3,8 +3,6 @@
 
 require 'utils/filter'
 require 'utils/parser'
-
-# rubocop:disable Metrics/ClassLength
 module Inspec::Resources
   class AideConf < Inspec.resource(1)
     name 'aide_conf'

data/lib/resources/apache_conf.rb

@@ -78,10 +78,17 @@ module Inspec::Resources
         raw_conf = read_file(to_read[0])
         @content += raw_conf
 
-        # parse include file parameters
+        # An explaination of the below regular expression.
+        # Creates two capture groups.
+        # The first group captures the first group of non-whitespace character
+        # surrounded whitespace characters.
+        # The second group contains a conditional with a positive lookahead
+        # (does the line end with one or more spaces?). If the lookahead succeeds
+        # a non-greedy capture takes place, if it fails then a greedy capture takes place.
+        # The regex is terminated by an expression that matches zero or more spaces.
         params = SimpleConfig.new(
           raw_conf,
-          assignment_regex: /^\s*(\S+)\s+(.*)\s*$/,
+          assignment_regex: /^\s*(\S+)\s+((?=.*\s+$).*?|.*)\s*$/,
           multiple_values: true,
         ).params
         @params.merge!(params)

data/lib/resources/auditd.rb

@@ -9,7 +9,6 @@ require 'utils/filter'
 require 'utils/parser'
 
 module Inspec::Resources
-  # rubocop:disable Metrics/ClassLength
   class AuditDaemon < Inspec.resource(1)
     extend Forwardable
     attr_accessor :lines

data/lib/resources/auditd_rules.rb

@@ -43,8 +43,6 @@ module Inspec::Resources
       'Audit Daemon Rules (for auditd version < 2.3)'
     end
   end
-
-  # rubocop:disable Metrics/ClassLength
   class AuditDaemonRules < Inspec.resource(1)
     extend Forwardable
     attr_accessor :rules, :lines

data/lib/resources/bond.rb

@@ -58,6 +58,10 @@ module Inspec::Resources
       params['Slave Interface']
     end
 
+    def mode
+      params['Bonding Mode'].first
+    end
+
     def to_s
       "Bond #{@bond}"
     end

data/lib/resources/crontab.rb

@@ -4,7 +4,7 @@ require 'utils/parser'
 require 'utils/filter'
 
 module Inspec::Resources
-  class Crontab < Inspec.resource(1) # rubocop:disable Metrics/ClassLength
+  class Crontab < Inspec.resource(1)
     name 'crontab'
     desc 'Use the crontab InSpec audit resource to test the contents of the crontab for a given user which contains information about scheduled tasks owned by that user.'
     example "

data/lib/resources/docker.rb

@@ -63,7 +63,7 @@ module Inspec::Resources
   # For compatability with Serverspec we also offer the following resouses:
   # - docker_container
   # - docker_image
-  class Docker < Inspec.resource(1) # rubocop:disable Metrics/ClassLength
+  class Docker < Inspec.resource(1)
     name 'docker'
 
     desc "

data/lib/resources/elasticsearch.rb

@@ -5,7 +5,7 @@ require 'hashie/mash'
 require 'resources/package'
 
 module Inspec::Resources
-  class Elasticsearch < Inspec.resource(1) # rubocop:disable Metrics/ClassLength
+  class Elasticsearch < Inspec.resource(1)
     name 'elasticsearch'
     desc "Use the Elasticsearch InSpec audit resource to test the status of nodes in
       an Elasticsearch cluster."

data/lib/resources/file.rb

@@ -269,6 +269,8 @@ module Inspec::Resources
         translate_perm_names('full-control') + %w{ChangePermissions}
       when 'take-ownership'
         translate_perm_names('full-control') + %w{TakeOwnership}
+      when 'synchronize'
+        translate_perm_names('full-control') + %w{Synchronize}
       end
     end
 

data/lib/resources/groups.rb

@@ -13,11 +13,13 @@ module Inspec::Resources
     # select group provider based on the operating system
     # returns nil, if no group manager was found for the operating system
     def select_group_manager(os)
-      if os.unix?
-        @group_provider = UnixGroup.new(inspec)
-      elsif os.windows?
-        @group_provider = WindowsGroup.new(inspec)
-      end
+      @group_provider = if os.darwin?
+                          DarwinGroup.new(inspec)
+                        elsif os.unix?
+                          UnixGroup.new(inspec)
+                        elsif os.windows?
+                          WindowsGroup.new(inspec)
+                        end
     end
   end
 
@@ -154,6 +156,28 @@ module Inspec::Resources
     end
   end
 
+  # OSX uses opendirectory for groups, so `/etc/group` may not be fully accurate
+  # This uses `dscacheutil` to get the group info instead of `etc_group`
+  class DarwinGroup < GroupInfo
+    def groups
+      group_info = inspec.command('dscacheutil -q group').stdout.split("\n\n")
+
+      groups = []
+      regex = /^([^:]*?)\s*:\s(.*?)\s*$/
+      group_info.each do |data|
+        groups << inspec.parse_config(data, assignment_regex: regex).params
+      end
+
+      # Convert the `dscacheutil` groups to match `inspec.etc_group.entries`
+      groups.each { |g| g['gid'] = g['gid'].to_i }
+      groups.each do |g|
+        next if g['users'].nil?
+        g['members'] = g.delete('users')
+        g['members'].tr!(' ', ',')
+      end
+    end
+  end
+
   class WindowsGroup < GroupInfo
     # returns all local groups
     def groups

data/lib/resources/grub_conf.rb

@@ -3,7 +3,7 @@
 
 require 'utils/simpleconfig'
 
-class GrubConfig < Inspec.resource(1) # rubocop:disable Metrics/ClassLength
+class GrubConfig < Inspec.resource(1)
   name 'grub_conf'
   desc 'Use the grub_conf InSpec audit resource to test the boot config of Linux systems that use Grub.'
   example "

data/lib/resources/os.rb

@@ -2,8 +2,10 @@
 # author: Dominik Richter
 # author: Christoph Hartmann
 
+require 'resources/platform'
+
 module Inspec::Resources
-  class OSResource < Inspec.resource(1)
+  class OSResource < PlatformResource
     name 'os'
     desc 'Use the os InSpec audit resource to test the platform on which the system is running.'
     example "
@@ -23,31 +25,17 @@ module Inspec::Resources
     # reuse helper methods from backend
     %w{aix? redhat? debian? suse? bsd? solaris? linux? unix? windows? hpux? darwin?}.each do |os_family|
       define_method(os_family.to_sym) do
-        inspec.backend.os.send(os_family)
-      end
-    end
-
-    def [](name)
-      # convert string to symbol
-      name = name.to_sym if name.is_a? String
-      inspec.backend.os[name]
-    end
-
-    # add helper methods for easy access of properties
-    # allows users to use os.name, os.family, os.release, os.arch
-    %w{name family release arch}.each do |property|
-      define_method(property.to_sym) do
-        inspec.backend.os[property.to_sym]
+        @platform.send(os_family)
       end
     end
 
     # helper to collect a hash object easily
     def params
       {
-        name: inspec.backend.os[:name],
-        family: inspec.backend.os[:family],
-        release: inspec.backend.os[:release],
-        arch: inspec.backend.os[:arch],
+        name: name,
+        family: @platform[:family],
+        release: @platform[:release],
+        arch: @platform[:arch],
       }
     end
 

data/lib/resources/package.rb

@@ -20,7 +20,7 @@ module Inspec::Resources
       end
     "
 
-    def initialize(package_name = nil, opts = {}) # rubocop:disable Metrics/AbcSize
+    def initialize(package_name, opts = {}) # rubocop:disable Metrics/AbcSize
       @package_name = package_name
       @name = @package_name
       @cache = nil
@@ -45,7 +45,7 @@ module Inspec::Resources
       elsif ['hpux'].include?(os[:family])
         @pkgman = HpuxPkg.new(inspec)
       else
-        return skip_resource 'The `package` resource is not supported on your OS yet.'
+        raise Inspec::Exceptions::ResourceSkipped, 'The `package` resource is not supported on your OS yet.'
       end
 
       evaluate_missing_requirements
@@ -53,28 +53,23 @@ module Inspec::Resources
 
     # returns true if the package is installed
     def installed?(_provider = nil, _version = nil)
-      return false if info.nil?
       info[:installed] == true
     end
 
     # returns true it the package is held (if the OS supports it)
     def held?(_provider = nil, _version = nil)
-      return false if info.nil?
-      return false unless info.key?(:held)
       info[:held] == true
     end
 
     # returns the package description
     def info
       return @cache if !@cache.nil?
-      return nil if @pkgman.nil?
       @pkgman.info(@package_name)
     end
 
     # return the package version
     def version
       info = @pkgman.info(@package_name)
-      return nil if info.nil?
       info[:version]
     end
 
@@ -87,7 +82,7 @@ module Inspec::Resources
     def evaluate_missing_requirements
       missing_requirements_string = @pkgman.missing_requirements.uniq.join(', ')
       return if missing_requirements_string.empty?
-      skip_resource "The following requirements are not met for this resource: #{missing_requirements_string}"
+      raise Inspec::Exceptions::ResourceSkipped, "The following requirements are not met for this resource: #{missing_requirements_string}"
     end
   end
 
@@ -99,7 +94,7 @@ module Inspec::Resources
 
     def missing_requirements
       # Each provider can provide an Array of missing requirements that will be
-      # combined into a `skip_resource` message
+      # combined into a `ResourceSkipped` exception message.
       []
     end
   end
@@ -108,7 +103,7 @@ module Inspec::Resources
   class Deb < PkgManagement
     def info(package_name)
       cmd = inspec.command("dpkg -s #{package_name}")
-      return nil if cmd.exit_status.to_i != 0
+      return {} if cmd.exit_status.to_i != 0
 
       params = SimpleConfig.new(
         cmd.stdout.chomp,
@@ -152,7 +147,7 @@ module Inspec::Resources
       cmd = inspec.command(rpm_cmd)
       # CentOS does not return an error code if the package is not installed,
       # therefore we need to check for emptyness
-      return nil if cmd.exit_status.to_i != 0 || cmd.stdout.chomp.empty?
+      return {} if cmd.exit_status.to_i != 0 || cmd.stdout.chomp.empty?
       params = SimpleConfig.new(
         cmd.stdout.chomp,
         assignment_regex: /^\s*([^:]*?)\s*:\s*(.*?)\s*$/,
@@ -195,7 +190,7 @@ module Inspec::Resources
     def info(package_name)
       brew_path = inspec.command('brew').exist? ? 'brew' : '/usr/local/bin/brew'
       cmd = inspec.command("#{brew_path} info --json=v1 #{package_name}")
-      return nil if cmd.exit_status.to_i != 0
+      return {} if cmd.exit_status.to_i != 0
       # parse data
       pkg = JSON.parse(cmd.stdout)[0]
       {
@@ -204,8 +199,10 @@ module Inspec::Resources
         version: pkg['installed'][0]['version'],
         type: 'brew',
       }
-    rescue JSON::ParserError => _e
-      return nil
+    rescue JSON::ParserError => e
+      raise Inspec::Exceptions::ResourceFailed,
+            'Failed to parse JSON from `brew` command. ' \
+            "Error: #{e}"
     end
   end
 
@@ -213,7 +210,7 @@ module Inspec::Resources
   class Pacman < PkgManagement
     def info(package_name)
       cmd = inspec.command("pacman -Qi #{package_name}")
-      return nil if cmd.exit_status.to_i != 0
+      return {} if cmd.exit_status.to_i != 0
 
       params = SimpleConfig.new(
         cmd.stdout.chomp,
@@ -233,7 +230,7 @@ module Inspec::Resources
   class HpuxPkg < PkgManagement
     def info(package_name)
       cmd = inspec.command("swlist -l product | grep #{package_name}")
-      return nil if cmd.exit_status.to_i != 0
+      return {} if cmd.exit_status.to_i != 0
       pkg = cmd.stdout.strip.split(' ')
       {
         name: pkg[0],
@@ -268,8 +265,10 @@ module Inspec::Resources
 
       begin
         package = JSON.parse(cmd.stdout)
-      rescue JSON::ParserError => _e
-        return nil
+      rescue JSON::ParserError => e
+        raise Inspec::Exceptions::ResourceFailed,
+              'Failed to parse JSON from PowerShell. ' \
+              "Error: #{e}"
       end
 
       # What if we match multiple packages?  just pick the first one for now.
@@ -288,7 +287,7 @@ module Inspec::Resources
   class BffPkg < PkgManagement
     def info(package_name)
       cmd = inspec.command("lslpp -cL #{package_name}")
-      return nil if cmd.exit_status.to_i != 0
+      return {} if cmd.exit_status.to_i != 0
 
       bff_pkg = cmd.stdout.split("\n").last.split(':')
       {
@@ -313,7 +312,7 @@ module Inspec::Resources
     # solaris 10
     def solaris10_info(package_name)
       cmd = inspec.command("pkginfo -l #{package_name}")
-      return nil if cmd.exit_status.to_i != 0
+      return {} if cmd.exit_status.to_i != 0
 
       params = SimpleConfig.new(
         cmd.stdout.chomp,
@@ -334,7 +333,7 @@ module Inspec::Resources
     # solaris 11
     def solaris11_info(package_name)
       cmd = inspec.command("pkg info #{package_name}")
-      return nil if cmd.exit_status.to_i != 0
+      return {} if cmd.exit_status.to_i != 0
 
       params = SimpleConfig.new(
         cmd.stdout.chomp,

data/lib/resources/platform.rb

@@ -0,0 +1,112 @@
+# encoding: utf-8
+
+module Inspec::Resources
+  class PlatformResource < Inspec.resource(1)
+    name 'platform'
+    desc 'Use the platform InSpec resource to test the platform on which the system is running.'
+    example "
+      describe platform do
+        its('name') { should eq 'redhat' }
+      end
+
+      describe platform do
+        it { should be_in_family('unix') }
+      end
+    "
+
+    def initialize
+      @platform = inspec.backend.os
+    end
+
+    # add helper methods for easy access of properties
+    %w{family release arch}.each do |property|
+      define_method(property.to_sym) do
+        @platform.send(property)
+      end
+    end
+
+    # This is a string override for platform.name.
+    # TODO: removed in inspec 2.0
+    class NameCleaned < String
+      def ==(other)
+        if other =~ /[A-Z ]/
+          cleaned = other.downcase.tr(' ', '_')
+          Inspec::Log.warn "[DEPRECATED] Platform names will become lowercase in InSpec 2.0. Please match on '#{cleaned}' instead of '#{other}'"
+          super(cleaned)
+        else
+          super(other)
+        end
+      end
+    end
+
+    def name
+      NameCleaned.new(@platform.name)
+    end
+
+    def [](key)
+      # convert string to symbol
+      key = key.to_sym if key.is_a? String
+      return name if key == :name
+
+      @platform[key]
+    end
+
+    def platform?(name)
+      @platform.name == name ||
+        @platform.family_hierarchy.include?(name)
+    end
+
+    def in_family?(family)
+      @platform.family_hierarchy.include?(family)
+    end
+
+    def families
+      @platform.family_hierarchy
+    end
+
+    def supported?(supports)
+      return true if supports.nil? || supports.empty?
+
+      status = true
+      supports.each do |s|
+        s.each do |k, v|
+          # ignore the inspec check for supports
+          # TODO: remove in inspec 2.0
+          if k == :inspec
+            next
+          elsif %i(os_family os-family platform_family platform-family).include?(k)
+            status = in_family?(v)
+          elsif %i(os platform).include?(k)
+            status = platform?(v)
+          elsif %i(os_name os-name platform_name platform-name).include?(k)
+            status = name == v
+          elsif k == :release
+            status = check_release(v)
+          else
+            status = false
+          end
+          break if status == false
+        end
+        return true if status == true
+      end
+
+      status
+    end
+
+    def to_s
+      'Platform Detection'
+    end
+
+    private
+
+    def check_release(value)
+      # allow wild card matching
+      if value.include?('*')
+        cleaned = Regexp.escape(value).gsub('\*', '.*?')
+        !(release =~ /#{cleaned}/).nil?
+      else
+        release == value
+      end
+    end
+  end
+end