inspec 1.51.6 → 1.51.15

data/lib/resources/etc_hosts.rb

@@ -1,81 +1,81 @@
-# encoding: utf-8
-# author: Matthew Dromazos
-
-require 'utils/parser'
-
-class EtcHosts < Inspec.resource(1)
-  name 'etc_hosts'
-  desc 'Use the etc_hosts InSpec audit resource to find an
-    ip_address and its associated hosts'
-  example "
-    describe etc_hosts.where { ip_address == '127.0.0.1' } do
-      its('ip_address') { should cmp '127.0.0.1' }
-      its('primary_name') { should cmp 'localhost' }
-      its('all_host_names') { should eq [['localhost', 'localhost.localdomain', 'localhost4', 'localhost4.localdomain4']] }
-    end
-  "
-
-  attr_reader :params
-
-  include CommentParser
-
-  def initialize(hosts_path = nil)
-    return skip_resource 'The `etc_hosts` resource is not supported on your OS.' unless inspec.os.bsd? || inspec.os.linux? || inspec.os.windows?
-    @conf_path      = hosts_path || default_hosts_file_path
-    @content        = nil
-    @params         = nil
-    read_content
-  end
-
-  filter = FilterTable.create
-  filter.add_accessor(:where)
-        .add_accessor(:entries)
-        .add(:ip_address,     field: 'ip_address')
-        .add(:primary_name,   field: 'primary_name')
-        .add(:all_host_names, field: 'all_host_names')
-
-  filter.connect(self, :params)
-
-  private
-
-  def default_hosts_file_path
-    inspec.os.windows? ? 'C:\windows\system32\drivers\etc\hosts' : '/etc/hosts'
-  end
-
-  def read_content
-    @content = ''
-    @params  = {}
-    @content = read_file(@conf_path)
-    @params  = parse_conf(@content)
-  end
-
-  def parse_conf(content)
-    content.map do |line|
-      data, = parse_comment_line(line, comment_char: '#', standalone_comments: false)
-      parse_line(data) unless data == ''
-    end.compact
-  end
-
-  def parse_line(line)
-    line_parts = line.split
-    return nil unless line_parts.length >= 2
-    {
-      'ip_address'     => line_parts[0],
-      'primary_name'   => line_parts[1],
-      'all_host_names' => line_parts[1..-1],
-    }
-  end
-
-  def read_file(conf_path = @conf_path)
-    file = inspec.file(conf_path)
-    if !file.file?
-      return skip_resource "Can't find file. \"#{@conf_path}\""
-    end
-
-    raw_conf = file.content
-    if raw_conf.empty? && !file.empty?
-      return skip_resource("Could not read file contents\" #{@conf_path}\"")
-    end
-    raw_conf.lines
-  end
-end
+# encoding: utf-8
+# author: Matthew Dromazos
+
+require 'utils/parser'
+
+class EtcHosts < Inspec.resource(1)
+  name 'etc_hosts'
+  desc 'Use the etc_hosts InSpec audit resource to find an
+    ip_address and its associated hosts'
+  example "
+    describe etc_hosts.where { ip_address == '127.0.0.1' } do
+      its('ip_address') { should cmp '127.0.0.1' }
+      its('primary_name') { should cmp 'localhost' }
+      its('all_host_names') { should eq [['localhost', 'localhost.localdomain', 'localhost4', 'localhost4.localdomain4']] }
+    end
+  "
+
+  attr_reader :params
+
+  include CommentParser
+
+  def initialize(hosts_path = nil)
+    return skip_resource 'The `etc_hosts` resource is not supported on your OS.' unless inspec.os.bsd? || inspec.os.linux? || inspec.os.windows?
+    @conf_path      = hosts_path || default_hosts_file_path
+    @content        = nil
+    @params         = nil
+    read_content
+  end
+
+  filter = FilterTable.create
+  filter.add_accessor(:where)
+        .add_accessor(:entries)
+        .add(:ip_address,     field: 'ip_address')
+        .add(:primary_name,   field: 'primary_name')
+        .add(:all_host_names, field: 'all_host_names')
+
+  filter.connect(self, :params)
+
+  private
+
+  def default_hosts_file_path
+    inspec.os.windows? ? 'C:\windows\system32\drivers\etc\hosts' : '/etc/hosts'
+  end
+
+  def read_content
+    @content = ''
+    @params  = {}
+    @content = read_file(@conf_path)
+    @params  = parse_conf(@content)
+  end
+
+  def parse_conf(content)
+    content.map do |line|
+      data, = parse_comment_line(line, comment_char: '#', standalone_comments: false)
+      parse_line(data) unless data == ''
+    end.compact
+  end
+
+  def parse_line(line)
+    line_parts = line.split
+    return nil unless line_parts.length >= 2
+    {
+      'ip_address'     => line_parts[0],
+      'primary_name'   => line_parts[1],
+      'all_host_names' => line_parts[1..-1],
+    }
+  end
+
+  def read_file(conf_path = @conf_path)
+    file = inspec.file(conf_path)
+    if !file.file?
+      return skip_resource "Can't find file. \"#{@conf_path}\""
+    end
+
+    raw_conf = file.content
+    if raw_conf.empty? && !file.empty?
+      return skip_resource("Could not read file contents\" #{@conf_path}\"")
+    end
+    raw_conf.lines
+  end
+end

data/lib/resources/etc_hosts_allow_deny.rb

@@ -1,122 +1,122 @@
-# encoding: utf-8
-# author: Matthew Dromazos
-
-require 'utils/parser'
-
-module Inspec::Resources
-  class EtcHostsAllow < Inspec.resource(1)
-    name 'etc_hosts_allow'
-    desc 'Use the etc_hosts_allow InSpec audit resource to test the connections
-          the client will allow. Controlled by the /etc/hosts.allow file.'
-    example "
-      describe etc_hosts_allow.where { daemon == 'ALL' } do
-        its('client_list') { should include ['127.0.0.1', '[::1]'] }
-        its('options') { should eq [[]] }
-      end
-    "
-
-    attr_reader :params
-
-    include CommentParser
-
-    def initialize(hosts_allow_path = nil)
-      return skip_resource 'The `etc_hosts_allow` resource is not supported on your OS.' unless inspec.os.linux?
-      @conf_path      = hosts_allow_path || '/etc/hosts.allow'
-      @content        = nil
-      @params         = nil
-      read_content
-    end
-
-    filter = FilterTable.create
-    filter.add_accessor(:where)
-          .add_accessor(:entries)
-          .add(:daemon,      field: 'daemon')
-          .add(:client_list, field: 'client_list')
-          .add(:options,     field: 'options')
-
-    filter.connect(self, :params)
-
-    private
-
-    def read_content
-      @content = ''
-      @params  = {}
-      @content = split_daemons(read_file(@conf_path))
-      @params  = parse_conf(@content)
-    end
-
-    def split_daemons(content)
-      split_daemons_list = []
-      content.each do |line|
-        data, = parse_comment_line(line, comment_char: '#', standalone_comments: false)
-        next unless data != ''
-        data.split(':')[0].split(',').each do |daemon|
-          split_daemons_list.push("#{daemon} : " + line.split(':', 2)[1])
-        end
-      end
-      split_daemons_list
-    end
-
-    def parse_conf(content)
-      content.map do |line|
-        data, = parse_comment_line(line, comment_char: '#', standalone_comments: false)
-        parse_line(data) unless data == ''
-      end.compact
-    end
-
-    def parse_line(line)
-      daemon, clients_and_options = line.split(/:\s+/, 2)
-      daemon = daemon.strip
-
-      clients_and_options ||= ''
-      clients, options = clients_and_options.split(/\s+:\s+/, 2)
-      client_list = clients.split(/,/).map(&:strip)
-
-      options ||= ''
-      options_list = options.split(/:\s+/).map(&:strip)
-
-      {
-        'daemon'      => daemon,
-        'client_list' => client_list,
-        'options'     => options_list,
-      }
-    end
-
-    def read_file(conf_path = @conf_path)
-      # Determine if the file exists and contains anything, if not
-      # then access control is turned off.
-      file = inspec.file(conf_path)
-      if !file.file?
-        return skip_resource "Can't find file at \"#{@conf_path}\""
-      end
-      raw_conf = file.content
-      if raw_conf.empty? && !file.empty?
-        return skip_resource("Unable to read file \"#{@conf_path}\"")
-      end
-
-      # If there is a file and it contains content, continue
-      raw_conf.lines
-    end
-  end
-
-  class EtcHostsDeny < EtcHostsAllow
-    name 'etc_hosts_deny'
-    desc 'Use the etc_hosts_deny InSpec audit resource to test the connections
-          the client will deny. Controlled by the /etc/hosts.deny file.'
-    example "
-      describe etc_hosts_deny.where { daemon_list == 'ALL' } do
-        its('client_list') { should eq [['127.0.0.1', '[::1]']] }
-        its('options') { should eq [] }
-      end
-    "
-
-    def initialize(path = nil)
-      return skip_resource '`etc_hosts_deny` is not supported on your OS' unless inspec.os.linux?
-      super(path || '/etc/hosts.deny')
-    end
-
-    def to_s
-      'hosts.deny Configuration'
-    end
-  end
-end
+# encoding: utf-8
+# author: Matthew Dromazos
+
+require 'utils/parser'
+
+module Inspec::Resources
+  class EtcHostsAllow < Inspec.resource(1)
+    name 'etc_hosts_allow'
+    desc 'Use the etc_hosts_allow InSpec audit resource to test the connections
+          the client will allow. Controlled by the /etc/hosts.allow file.'
+    example "
+      describe etc_hosts_allow.where { daemon == 'ALL' } do
+        its('client_list') { should include ['127.0.0.1', '[::1]'] }
+        its('options') { should eq [[]] }
+      end
+    "
+
+    attr_reader :params
+
+    include CommentParser
+
+    def initialize(hosts_allow_path = nil)
+      return skip_resource 'The `etc_hosts_allow` resource is not supported on your OS.' unless inspec.os.linux?
+      @conf_path      = hosts_allow_path || '/etc/hosts.allow'
+      @content        = nil
+      @params         = nil
+      read_content
+    end
+
+    filter = FilterTable.create
+    filter.add_accessor(:where)
+          .add_accessor(:entries)
+          .add(:daemon,      field: 'daemon')
+          .add(:client_list, field: 'client_list')
+          .add(:options,     field: 'options')
+
+    filter.connect(self, :params)
+
+    private
+
+    def read_content
+      @content = ''
+      @params  = {}
+      @content = split_daemons(read_file(@conf_path))
+      @params  = parse_conf(@content)
+    end
+
+    def split_daemons(content)
+      split_daemons_list = []
+      content.each do |line|
+        data, = parse_comment_line(line, comment_char: '#', standalone_comments: false)
+        next unless data != ''
+        data.split(':')[0].split(',').each do |daemon|
+          split_daemons_list.push("#{daemon} : " + line.split(':', 2)[1])
+        end
+      end
+      split_daemons_list
+    end
+
+    def parse_conf(content)
+      content.map do |line|
+        data, = parse_comment_line(line, comment_char: '#', standalone_comments: false)
+        parse_line(data) unless data == ''
+      end.compact
+    end
+
+    def parse_line(line)
+      daemon, clients_and_options = line.split(/:\s+/, 2)
+      daemon = daemon.strip
+
+      clients_and_options ||= ''
+      clients, options = clients_and_options.split(/\s+:\s+/, 2)
+      client_list = clients.split(/,/).map(&:strip)
+
+      options ||= ''
+      options_list = options.split(/:\s+/).map(&:strip)
+
+      {
+        'daemon'      => daemon,
+        'client_list' => client_list,
+        'options'     => options_list,
+      }
+    end
+
+    def read_file(conf_path = @conf_path)
+      # Determine if the file exists and contains anything, if not
+      # then access control is turned off.
+      file = inspec.file(conf_path)
+      if !file.file?
+        return skip_resource "Can't find file at \"#{@conf_path}\""
+      end
+      raw_conf = file.content
+      if raw_conf.empty? && !file.empty?
+        return skip_resource("Unable to read file \"#{@conf_path}\"")
+      end
+
+      # If there is a file and it contains content, continue
+      raw_conf.lines
+    end
+  end
+
+  class EtcHostsDeny < EtcHostsAllow
+    name 'etc_hosts_deny'
+    desc 'Use the etc_hosts_deny InSpec audit resource to test the connections
+          the client will deny. Controlled by the /etc/hosts.deny file.'
+    example "
+      describe etc_hosts_deny.where { daemon_list == 'ALL' } do
+        its('client_list') { should eq [['127.0.0.1', '[::1]']] }
+        its('options') { should eq [] }
+      end
+    "
+
+    def initialize(path = nil)
+      return skip_resource '`etc_hosts_deny` is not supported on your OS' unless inspec.os.linux?
+      super(path || '/etc/hosts.deny')
+    end
+
+    def to_s
+      'hosts.deny Configuration'
+    end
+  end
+end

data/lib/resources/file.rb

@@ -1,298 +1,298 @@
-# encoding: utf-8
-# copyright: 2015, Vulcano Security GmbH
-# author: Dominik Richter
-# author: Christoph Hartmann
-
-require 'shellwords'
-
-module Inspec::Resources
-  module FilePermissionsSelector
-    def select_file_perms_style(os)
-      if os.unix?
-        UnixFilePermissions.new(inspec)
-      elsif os.windows?
-        WindowsFilePermissions.new(inspec)
-      end
-    end
-  end
-
-  class FileResource < Inspec.resource(1)
-    include FilePermissionsSelector
-    include LinuxMountParser
-
-    name 'file'
-    desc 'Use the file InSpec audit resource to test all system file types, including files, directories, symbolic links, named pipes, sockets, character devices, block devices, and doors.'
-    example "
-      describe file('path') do
-        it { should exist }
-        it { should be_file }
-        it { should be_readable }
-        it { should be_writable }
-        it { should be_executable.by_user('root') }
-        it { should be_owned_by 'root' }
-        its('mode') { should cmp '0644' }
-      end
-    "
-
-    attr_reader :file, :mount_options
-    def initialize(path)
-      # select permissions style
-      @perms_provider = select_file_perms_style(inspec.os)
-      @file = inspec.backend.file(path)
-    end
-
-    %w{
-      type exist? file? block_device? character_device? socket? directory?
-      symlink? pipe? mode mode? owner owned_by? group grouped_into?
-      link_path linked_to? mtime size selinux_label immutable?
-      product_version file_version version? md5sum sha256sum
-      path basename source source_path uid gid
-    }.each do |m|
-      define_method m.to_sym do |*args|
-        file.method(m.to_sym).call(*args)
-      end
-    end
-
-    def content
-      res = file.content
-      return nil if res.nil?
-      res.force_encoding('utf-8')
-    end
-
-    def contain(*_)
-      raise 'Contain is not supported. Please use standard RSpec matchers.'
-    end
-
-    def readable?(by_usergroup, by_specific_user)
-      return false unless exist?
-      return skip_resource '`readable?` is not supported on your OS yet.' if @perms_provider.nil?
-
-      file_permission_granted?('read', by_usergroup, by_specific_user)
-    end
-
-    def writable?(by_usergroup, by_specific_user)
-      return false unless exist?
-      return skip_resource '`writable?` is not supported on your OS yet.' if @perms_provider.nil?
-
-      file_permission_granted?('write', by_usergroup, by_specific_user)
-    end
-
-    def executable?(by_usergroup, by_specific_user)
-      return false unless exist?
-      return skip_resource '`executable?` is not supported on your OS yet.' if @perms_provider.nil?
-
-      file_permission_granted?('execute', by_usergroup, by_specific_user)
-    end
-
-    def allowed?(permission, opts = {})
-      return false unless exist?
-      return skip_resource '`allowed?` is not supported on your OS yet.' if @perms_provider.nil?
-
-      file_permission_granted?(permission, opts[:by], opts[:by_user])
-    end
-
-    def mounted?(expected_options = nil, identical = false)
-      mounted = file.mounted
-
-      # return if no additional parameters have been provided
-      return file.mounted? if expected_options.nil?
-
-      # deprecation warning, this functionality will be removed in future version
-      warn "[DEPRECATION] `be_mounted.with and be_mounted.only_with` are deprecated.  Please use `mount('#{source_path}')` instead."
-
-      # we cannot read mount data on non-Linux systems
-      return nil if !inspec.os.linux?
-
-      # parse content if we are on linux
-      @mount_options ||= parse_mount_options(mounted.stdout, true)
-
-      if identical
-        # check if the options should be identical
-        @mount_options == expected_options
-      else
-        # otherwise compare the selected values
-        @mount_options.contains(expected_options)
-      end
-    end
-
-    def suid
-      (mode & 04000) > 0
-    end
-
-    alias setuid? suid
-
-    def sgid
-      (mode & 02000) > 0
-    end
-
-    alias setgid? sgid
-
-    def sticky
-      (mode & 01000) > 0
-    end
-
-    alias sticky? sticky
-
-    def to_s
-      "File #{source_path}"
-    end
-
-    private
-
-    def file_permission_granted?(access_type, by_usergroup, by_specific_user)
-      raise '`file_permission_granted?` is not supported on your OS' if @perms_provider.nil?
-      if by_specific_user.nil? || by_specific_user.empty?
-        @perms_provider.check_file_permission_by_mask(file, access_type, by_usergroup, by_specific_user)
-      else
-        @perms_provider.check_file_permission_by_user(access_type, by_specific_user, source_path)
-      end
-    end
-  end
-
-  class FilePermissions
-    attr_reader :inspec
-    def initialize(inspec)
-      @inspec = inspec
-    end
-  end
-
-  class UnixFilePermissions < FilePermissions
-    def permission_flag(access_type)
-      case access_type
-      when 'read'
-        'r'
-      when 'write'
-        'w'
-      when 'execute'
-        'x'
-      else
-        raise 'Invalid access_type provided'
-      end
-    end
-
-    def usergroup_for(usergroup, specific_user)
-      if usergroup == 'others'
-        'other'
-      elsif (usergroup.nil? || usergroup.empty?) && specific_user.nil?
-        'all'
-      else
-        usergroup
-      end
-    end
-
-    def check_file_permission_by_mask(file, access_type, usergroup, specific_user)
-      usergroup = usergroup_for(usergroup, specific_user)
-      flag = permission_flag(access_type)
-      mask = file.unix_mode_mask(usergroup, flag)
-      raise 'Invalid usergroup/owner provided' if mask.nil?
-      (file.mode & mask) != 0
-    end
-
-    def check_file_permission_by_user(access_type, user, path)
-      flag = permission_flag(access_type)
-      if inspec.os.linux?
-        perm_cmd = "su -s /bin/sh -c \"test -#{flag} #{path}\" #{user}"
-      elsif inspec.os.bsd? || inspec.os.solaris?
-        perm_cmd = "sudo -u #{user} test -#{flag} #{path}"
-      elsif inspec.os.aix?
-        perm_cmd = "su #{user} -c test -#{flag} #{path}"
-      elsif inspec.os.hpux?
-        perm_cmd = "su #{user} -c \"test -#{flag} #{path}\""
-      else
-        return skip_resource 'The `file` resource does not support `by_user` on your OS.'
-      end
-
-      cmd = inspec.command(perm_cmd)
-      cmd.exit_status == 0 ? true : false
-    end
-  end
-
-  class WindowsFilePermissions < FilePermissions
-    def check_file_permission_by_mask(_file, _access_type, _usergroup, _specific_user)
-      raise '`check_file_permission_by_mask` is not supported on Windows'
-    end
-
-    def check_file_permission_by_user(access_type, user, path)
-      access_rule = translate_perm_names(access_type)
-      access_rule = convert_to_powershell_array(access_rule)
-
-      cmd = inspec.command("@(@((Get-Acl '#{path}').access | Where-Object {$_.AccessControlType -eq 'Allow' -and $_.IdentityReference -eq '#{user}' }) | Where-Object {($_.FileSystemRights.ToString().Split(',') | % {$_.trim()} | ? {#{access_rule} -contains $_}) -ne $null}) | measure | % { $_.Count }")
-      cmd.stdout.chomp == '0' ? false : true
-    end
-
-    private
-
-    def convert_to_powershell_array(arr)
-      if arr.empty?
-        '@()'
-      else
-        %{@('#{arr.join("', '")}')}
-      end
-    end
-
-    # Translates a developer-friendly string into a list of acceptable
-    # FileSystemRights that match it, because Windows has a fun heirarchy
-    # of permissions that are able to be noted in multiple ways.
-    #
-    # See also: https://www.codeproject.com/Reference/871338/AccessControl-FileSystemRights-Permissions-Table
-    def translate_perm_names(access_type)
-      names = translate_common_perms(access_type)
-      names ||= translate_granular_perms(access_type)
-      names ||= translate_uncommon_perms(access_type)
-      raise 'Invalid access_type provided' unless names
-
-      names
-    end
-
-    def translate_common_perms(access_type)
-      case access_type
-      when 'full-control'
-        %w{FullControl}
-      when 'modify'
-        translate_perm_names('full-control') + %w{Modify}
-      when 'read'
-        translate_perm_names('modify') + %w{ReadAndExecute Read}
-      when 'write'
-        translate_perm_names('modify') + %w{Write}
-      when 'execute'
-        translate_perm_names('modify') + %w{ReadAndExecute ExecuteFile Traverse}
-      when 'delete'
-        translate_perm_names('modify') + %w{Delete}
-      end
-    end
-
-    def translate_uncommon_perms(access_type)
-      case access_type
-      when 'delete-subdirectories-and-files'
-        translate_perm_names('full-control') + %w{DeleteSubdirectoriesAndFiles}
-      when 'change-permissions'
-        translate_perm_names('full-control') + %w{ChangePermissions}
-      when 'take-ownership'
-        translate_perm_names('full-control') + %w{TakeOwnership}
-      when 'synchronize'
-        translate_perm_names('full-control') + %w{Synchronize}
-      end
-    end
-
-    def translate_granular_perms(access_type)
-      case access_type
-      when 'write-data', 'create-files'
-        translate_perm_names('write') + %w{WriteData CreateFiles}
-      when 'append-data', 'create-directories'
-        translate_perm_names('write') + %w{CreateDirectories AppendData}
-      when 'write-extended-attributes'
-        translate_perm_names('write') + %w{WriteExtendedAttributes}
-      when 'write-attributes'
-        translate_perm_names('write') + %w{WriteAttributes}
-      when 'read-data', 'list-directory'
-        translate_perm_names('read') + %w{ReadData ListDirectory}
-      when 'read-attributes'
-        translate_perm_names('read') + %w{ReadAttributes}
-      when 'read-extended-attributes'
-        translate_perm_names('read') + %w{ReadExtendedAttributes}
-      when 'read-permissions'
-        translate_perm_names('read') + %w{ReadPermissions}
-      end
-    end
-  end
-end
+# encoding: utf-8
+# copyright: 2015, Vulcano Security GmbH
+# author: Dominik Richter
+# author: Christoph Hartmann
+
+require 'shellwords'
+
+module Inspec::Resources
+  module FilePermissionsSelector
+    def select_file_perms_style(os)
+      if os.unix?
+        UnixFilePermissions.new(inspec)
+      elsif os.windows?
+        WindowsFilePermissions.new(inspec)
+      end
+    end
+  end
+
+  class FileResource < Inspec.resource(1)
+    include FilePermissionsSelector
+    include LinuxMountParser
+
+    name 'file'
+    desc 'Use the file InSpec audit resource to test all system file types, including files, directories, symbolic links, named pipes, sockets, character devices, block devices, and doors.'
+    example "
+      describe file('path') do
+        it { should exist }
+        it { should be_file }
+        it { should be_readable }
+        it { should be_writable }
+        it { should be_executable.by_user('root') }
+        it { should be_owned_by 'root' }
+        its('mode') { should cmp '0644' }
+      end
+    "
+
+    attr_reader :file, :mount_options
+    def initialize(path)
+      # select permissions style
+      @perms_provider = select_file_perms_style(inspec.os)
+      @file = inspec.backend.file(path)
+    end
+
+    %w{
+      type exist? file? block_device? character_device? socket? directory?
+      symlink? pipe? mode mode? owner owned_by? group grouped_into?
+      link_path linked_to? mtime size selinux_label immutable?
+      product_version file_version version? md5sum sha256sum
+      path basename source source_path uid gid
+    }.each do |m|
+      define_method m.to_sym do |*args|
+        file.method(m.to_sym).call(*args)
+      end
+    end
+
+    def content
+      res = file.content
+      return nil if res.nil?
+      res.force_encoding('utf-8')
+    end
+
+    def contain(*_)
+      raise 'Contain is not supported. Please use standard RSpec matchers.'
+    end
+
+    def readable?(by_usergroup, by_specific_user)
+      return false unless exist?
+      return skip_resource '`readable?` is not supported on your OS yet.' if @perms_provider.nil?
+
+      file_permission_granted?('read', by_usergroup, by_specific_user)
+    end
+
+    def writable?(by_usergroup, by_specific_user)
+      return false unless exist?
+      return skip_resource '`writable?` is not supported on your OS yet.' if @perms_provider.nil?
+
+      file_permission_granted?('write', by_usergroup, by_specific_user)
+    end
+
+    def executable?(by_usergroup, by_specific_user)
+      return false unless exist?
+      return skip_resource '`executable?` is not supported on your OS yet.' if @perms_provider.nil?
+
+      file_permission_granted?('execute', by_usergroup, by_specific_user)
+    end
+
+    def allowed?(permission, opts = {})
+      return false unless exist?
+      return skip_resource '`allowed?` is not supported on your OS yet.' if @perms_provider.nil?
+
+      file_permission_granted?(permission, opts[:by], opts[:by_user])
+    end
+
+    def mounted?(expected_options = nil, identical = false)
+      mounted = file.mounted
+
+      # return if no additional parameters have been provided
+      return file.mounted? if expected_options.nil?
+
+      # deprecation warning, this functionality will be removed in future version
+      warn "[DEPRECATION] `be_mounted.with and be_mounted.only_with` are deprecated.  Please use `mount('#{source_path}')` instead."
+
+      # we cannot read mount data on non-Linux systems
+      return nil if !inspec.os.linux?
+
+      # parse content if we are on linux
+      @mount_options ||= parse_mount_options(mounted.stdout, true)
+
+      if identical
+        # check if the options should be identical
+        @mount_options == expected_options
+      else
+        # otherwise compare the selected values
+        @mount_options.contains(expected_options)
+      end
+    end
+
+    def suid
+      (mode & 04000) > 0
+    end
+
+    alias setuid? suid
+
+    def sgid
+      (mode & 02000) > 0
+    end
+
+    alias setgid? sgid
+
+    def sticky
+      (mode & 01000) > 0
+    end
+
+    alias sticky? sticky
+
+    def to_s
+      "File #{source_path}"
+    end
+
+    private
+
+    def file_permission_granted?(access_type, by_usergroup, by_specific_user)
+      raise '`file_permission_granted?` is not supported on your OS' if @perms_provider.nil?
+      if by_specific_user.nil? || by_specific_user.empty?
+        @perms_provider.check_file_permission_by_mask(file, access_type, by_usergroup, by_specific_user)
+      else
+        @perms_provider.check_file_permission_by_user(access_type, by_specific_user, source_path)
+      end
+    end
+  end
+
+  class FilePermissions
+    attr_reader :inspec
+    def initialize(inspec)
+      @inspec = inspec
+    end
+  end
+
+  class UnixFilePermissions < FilePermissions
+    def permission_flag(access_type)
+      case access_type
+      when 'read'
+        'r'
+      when 'write'
+        'w'
+      when 'execute'
+        'x'
+      else
+        raise 'Invalid access_type provided'
+      end
+    end
+
+    def usergroup_for(usergroup, specific_user)
+      if usergroup == 'others'
+        'other'
+      elsif (usergroup.nil? || usergroup.empty?) && specific_user.nil?
+        'all'
+      else
+        usergroup
+      end
+    end
+
+    def check_file_permission_by_mask(file, access_type, usergroup, specific_user)
+      usergroup = usergroup_for(usergroup, specific_user)
+      flag = permission_flag(access_type)
+      mask = file.unix_mode_mask(usergroup, flag)
+      raise 'Invalid usergroup/owner provided' if mask.nil?
+      (file.mode & mask) != 0
+    end
+
+    def check_file_permission_by_user(access_type, user, path)
+      flag = permission_flag(access_type)
+      if inspec.os.linux?
+        perm_cmd = "su -s /bin/sh -c \"test -#{flag} #{path}\" #{user}"
+      elsif inspec.os.bsd? || inspec.os.solaris?
+        perm_cmd = "sudo -u #{user} test -#{flag} #{path}"
+      elsif inspec.os.aix?
+        perm_cmd = "su #{user} -c test -#{flag} #{path}"
+      elsif inspec.os.hpux?
+        perm_cmd = "su #{user} -c \"test -#{flag} #{path}\""
+      else
+        return skip_resource 'The `file` resource does not support `by_user` on your OS.'
+      end
+
+      cmd = inspec.command(perm_cmd)
+      cmd.exit_status == 0 ? true : false
+    end
+  end
+
+  class WindowsFilePermissions < FilePermissions
+    def check_file_permission_by_mask(_file, _access_type, _usergroup, _specific_user)
+      raise '`check_file_permission_by_mask` is not supported on Windows'
+    end
+
+    def check_file_permission_by_user(access_type, user, path)
+      access_rule = translate_perm_names(access_type)
+      access_rule = convert_to_powershell_array(access_rule)
+
+      cmd = inspec.command("@(@((Get-Acl '#{path}').access | Where-Object {$_.AccessControlType -eq 'Allow' -and $_.IdentityReference -eq '#{user}' }) | Where-Object {($_.FileSystemRights.ToString().Split(',') | % {$_.trim()} | ? {#{access_rule} -contains $_}) -ne $null}) | measure | % { $_.Count }")
+      cmd.stdout.chomp == '0' ? false : true
+    end
+
+    private
+
+    def convert_to_powershell_array(arr)
+      if arr.empty?
+        '@()'
+      else
+        %{@('#{arr.join("', '")}')}
+      end
+    end
+
+    # Translates a developer-friendly string into a list of acceptable
+    # FileSystemRights that match it, because Windows has a fun heirarchy
+    # of permissions that are able to be noted in multiple ways.
+    #
+    # See also: https://www.codeproject.com/Reference/871338/AccessControl-FileSystemRights-Permissions-Table
+    def translate_perm_names(access_type)
+      names = translate_common_perms(access_type)
+      names ||= translate_granular_perms(access_type)
+      names ||= translate_uncommon_perms(access_type)
+      raise 'Invalid access_type provided' unless names
+
+      names
+    end
+
+    def translate_common_perms(access_type)
+      case access_type
+      when 'full-control'
+        %w{FullControl}
+      when 'modify'
+        translate_perm_names('full-control') + %w{Modify}
+      when 'read'
+        translate_perm_names('modify') + %w{ReadAndExecute Read}
+      when 'write'
+        translate_perm_names('modify') + %w{Write}
+      when 'execute'
+        translate_perm_names('modify') + %w{ReadAndExecute ExecuteFile Traverse}
+      when 'delete'
+        translate_perm_names('modify') + %w{Delete}
+      end
+    end
+
+    def translate_uncommon_perms(access_type)
+      case access_type
+      when 'delete-subdirectories-and-files'
+        translate_perm_names('full-control') + %w{DeleteSubdirectoriesAndFiles}
+      when 'change-permissions'
+        translate_perm_names('full-control') + %w{ChangePermissions}
+      when 'take-ownership'
+        translate_perm_names('full-control') + %w{TakeOwnership}
+      when 'synchronize'
+        translate_perm_names('full-control') + %w{Synchronize}
+      end
+    end
+
+    def translate_granular_perms(access_type)
+      case access_type
+      when 'write-data', 'create-files'
+        translate_perm_names('write') + %w{WriteData CreateFiles}
+      when 'append-data', 'create-directories'
+        translate_perm_names('write') + %w{CreateDirectories AppendData}
+      when 'write-extended-attributes'
+        translate_perm_names('write') + %w{WriteExtendedAttributes}
+      when 'write-attributes'
+        translate_perm_names('write') + %w{WriteAttributes}
+      when 'read-data', 'list-directory'
+        translate_perm_names('read') + %w{ReadData ListDirectory}
+      when 'read-attributes'
+        translate_perm_names('read') + %w{ReadAttributes}
+      when 'read-extended-attributes'
+        translate_perm_names('read') + %w{ReadExtendedAttributes}
+      when 'read-permissions'
+        translate_perm_names('read') + %w{ReadPermissions}
+      end
+    end
+  end
+end