inspec 2.0.32 → 2.0.45

data/examples/profile/controls/example.rb

@@ -1,23 +1,23 @@
-# encoding: utf-8
-# copyright: 2015, Chef Software, Inc.
-
-title '/tmp profile'
-
-# you add controls here
-control "tmp-1.0" do                        # A unique ID for this control
-  impact 0.7                                # The criticality, if this control fails.
-  title "Create /tmp directory"             # A human-readable title
-  desc "An optional description..."         # Describe why this is needed
-  tag data: "temp data"                     # A tag allows you to associate key information
-  tag "security"                            # to the test
-  ref "Document A-12", url: 'http://...'    # Additional references
-
-  describe file('/tmp') do                  # The actual test
-    it { should be_directory }
-  end
-end
-
-# you can also use plain tests
-describe file('/tmp') do
-  it { should be_directory }
-end
+# encoding: utf-8
+# copyright: 2015, Chef Software, Inc.
+
+title '/tmp profile'
+
+# you add controls here
+control "tmp-1.0" do                        # A unique ID for this control
+  impact 0.7                                # The criticality, if this control fails.
+  title "Create /tmp directory"             # A human-readable title
+  desc "An optional description..."         # Describe why this is needed
+  tag data: "temp data"                     # A tag allows you to associate key information
+  tag "security"                            # to the test
+  ref "Document A-12", url: 'http://...'    # Additional references
+
+  describe file('/tmp') do                  # The actual test
+    it { should be_directory }
+  end
+end
+
+# you can also use plain tests
+describe file('/tmp') do
+  it { should be_directory }
+end

data/examples/profile/controls/gordon.rb

@@ -1,36 +1,36 @@
-# encoding: utf-8
-# copyright: 2016, Chef Software, Inc.
-
-title 'Gordon Config Checks'
-
-# To pass the test, create the following file
-# ```bash
-# mkdir -p /tmp/gordon
-# cat <<EOF > /tmp/gordon/config.yaml
-# version: '1.0'
-# EOF
-# ```
-control 'gordon-1.0' do
-  impact 0.7
-  title 'Verify the version number of Gordon'
-  desc 'An optional description...'
-  tag 'gordon'
-  ref 'Gordon Requirements 1.0', uri: 'http://...'
-
-  # Test using the custom gordon_config Inspec resource
-  # Find the resource content here: ../libraries/
-  describe gordon_config do
-    it { should exist }
-    its('version') { should eq('1.0') }
-    its('file_size') { should <= 20 }
-    its('comma_count') { should eq 0 }
-  end
-
-  # Test the version again to showcase variables
-  g = gordon_config
-  g_path = g.file_path
-  g_version = g.version
-  describe file(g_path) do
-    its('content') { should match g_version }
-  end
-end
+# encoding: utf-8
+# copyright: 2016, Chef Software, Inc.
+
+title 'Gordon Config Checks'
+
+# To pass the test, create the following file
+# ```bash
+# mkdir -p /tmp/gordon
+# cat <<EOF > /tmp/gordon/config.yaml
+# version: '1.0'
+# EOF
+# ```
+control 'gordon-1.0' do
+  impact 0.7
+  title 'Verify the version number of Gordon'
+  desc 'An optional description...'
+  tag 'gordon'
+  ref 'Gordon Requirements 1.0', uri: 'http://...'
+
+  # Test using the custom gordon_config Inspec resource
+  # Find the resource content here: ../libraries/
+  describe gordon_config do
+    it { should exist }
+    its('version') { should eq('1.0') }
+    its('file_size') { should <= 20 }
+    its('comma_count') { should eq 0 }
+  end
+
+  # Test the version again to showcase variables
+  g = gordon_config
+  g_path = g.file_path
+  g_version = g.version
+  describe file(g_path) do
+    its('content') { should match g_version }
+  end
+end

data/examples/profile/controls/meta.rb

@@ -1,34 +1,34 @@
-title 'SSH Server Configuration'
-
-control 'ssh-1' do
-  impact 1.0
-
-  title 'Allow only SSH Protocol 2'
-  desc 'Only SSH protocol version 2 connections should be permitted.
-        The default setting in /etc/ssh/sshd_config is correct, and can be
-        verified by ensuring that the following line appears: Protocol 2'
-
-  tag 'production','development'
-  tag 'ssh','sshd','openssh-server'
-
-  tag cce: 'CCE-27072-8'
-  tag disa: 'RHEL-06-000227'
-
-  tag nist: 'AC-3(10).i'
-  tag nist: 'IA-5(1)'
-
-  tag cci: 'CCI-000776'
-  tag cci: 'CCI-000774'
-  tag cci: 'CCI-001436'
-
-  tag remediation: 'stig_rhel6/recipes/sshd-config.rb'
-  tag remediation: 'https://supermarket.chef.io/cookbooks/ssh-hardening'
-
-  ref 'NSA-RH6-STIG - Section 3.5.2.1', url: 'https://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf'
-  ref 'DISA-RHEL6-SG - Section 9.2.1', url: 'http://iasecontent.disa.mil/stigs/zip/Jan2016/U_RedHat_6_V1R10_STIG.zip'
-  ref 'http://people.redhat.com/swells/scap-security-guide/RHEL/6/output/ssg-centos6-guide-C2S.html'
-
-  describe file('/bin/sh') do
-    it { should be_owned_by 'root' }
-  end
-end
+title 'SSH Server Configuration'
+
+control 'ssh-1' do
+  impact 1.0
+
+  title 'Allow only SSH Protocol 2'
+  desc 'Only SSH protocol version 2 connections should be permitted.
+        The default setting in /etc/ssh/sshd_config is correct, and can be
+        verified by ensuring that the following line appears: Protocol 2'
+
+  tag 'production','development'
+  tag 'ssh','sshd','openssh-server'
+
+  tag cce: 'CCE-27072-8'
+  tag disa: 'RHEL-06-000227'
+
+  tag nist: 'AC-3(10).i'
+  tag nist: 'IA-5(1)'
+
+  tag cci: 'CCI-000776'
+  tag cci: 'CCI-000774'
+  tag cci: 'CCI-001436'
+
+  tag remediation: 'stig_rhel6/recipes/sshd-config.rb'
+  tag remediation: 'https://supermarket.chef.io/cookbooks/ssh-hardening'
+
+  ref 'NSA-RH6-STIG - Section 3.5.2.1', url: 'https://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf'
+  ref 'DISA-RHEL6-SG - Section 9.2.1', url: 'http://iasecontent.disa.mil/stigs/zip/Jan2016/U_RedHat_6_V1R10_STIG.zip'
+  ref 'http://people.redhat.com/swells/scap-security-guide/RHEL/6/output/ssg-centos6-guide-C2S.html'
+
+  describe file('/bin/sh') do
+    it { should be_owned_by 'root' }
+  end
+end

data/examples/profile/inspec.yml

@@ -1,10 +1,10 @@
-name: profile
-title: InSpec Example Profile
-maintainer: Chef Software, Inc.
-copyright: Chef Software, Inc.
-copyright_email: support@chef.io
-license: Apache-2.0
-summary: Demonstrates the use of InSpec Compliance Profile
-version: 1.0.0
-supports:
-  - os-family: unix
+name: profile
+title: InSpec Example Profile
+maintainer: Chef Software, Inc.
+copyright: Chef Software, Inc.
+copyright_email: support@chef.io
+license: Apache-2.0
+summary: Demonstrates the use of InSpec Compliance Profile
+version: 1.0.0
+supports:
+  - os-family: unix

data/examples/profile/libraries/gordon_config.rb

@@ -1,53 +1,53 @@
-require 'yaml'
-
-# Custom resource based on the InSpec resource DSL
-class GordonConfig < Inspec.resource(1)
-  name 'gordon_config'
-
-  desc "
-    Gordon's resource description ...
-  "
-
-  example "
-    describe gordon_config do
-      its('version') { should eq('1.0') }
-      its('file_size') { should > 1 }
-    end
-  "
-
-  # Load the configuration file on initialization
-  def initialize
-    @params = {}
-    @path = '/tmp/gordon/config.yaml'
-    @file = inspec.file(@path)
-    return skip_resource "Can't find file \"#{@path}\"" if !@file.file?
-
-    # Protect from invalid YAML content
-    begin
-      @params = YAML.load(@file.content)
-      # Add two extra matchers
-      @params['file_size'] = @file.size
-      @params['file_path'] = @path
-      @params['ruby'] = 'RUBY IS HERE TO HELP ME!'
-    rescue Exception
-      return skip_resource "#{@file}: #{$!}"
-    end
-  end
-
-  # Example method called by 'it { should exist }'
-  # Returns true or false from the 'File.exists?' method
-  def exists?
-    return File.exists?(@path)
-  end
-
-  # Example matcher for the number of commas in the file
-  def comma_count
-    text = @file.content
-    return text.count(',')
-  end
-
-  # Expose all parameters
-  def method_missing(name)
-    return @params[name.to_s]
-  end
-end
+require 'yaml'
+
+# Custom resource based on the InSpec resource DSL
+class GordonConfig < Inspec.resource(1)
+  name 'gordon_config'
+
+  desc "
+    Gordon's resource description ...
+  "
+
+  example "
+    describe gordon_config do
+      its('version') { should eq('1.0') }
+      its('file_size') { should > 1 }
+    end
+  "
+
+  # Load the configuration file on initialization
+  def initialize
+    @params = {}
+    @path = '/tmp/gordon/config.yaml'
+    @file = inspec.file(@path)
+    return skip_resource "Can't find file \"#{@path}\"" if !@file.file?
+
+    # Protect from invalid YAML content
+    begin
+      @params = YAML.load(@file.content)
+      # Add two extra matchers
+      @params['file_size'] = @file.size
+      @params['file_path'] = @path
+      @params['ruby'] = 'RUBY IS HERE TO HELP ME!'
+    rescue Exception
+      return skip_resource "#{@file}: #{$!}"
+    end
+  end
+
+  # Example method called by 'it { should exist }'
+  # Returns true or false from the 'File.exists?' method
+  def exists?
+    return File.exists?(@path)
+  end
+
+  # Example matcher for the number of commas in the file
+  def comma_count
+    text = @file.content
+    return text.count(',')
+  end
+
+  # Expose all parameters
+  def method_missing(name)
+    return @params[name.to_s]
+  end
+end

data/inspec.gemspec

@@ -1,47 +1,47 @@
-# coding: utf-8
-lib = File.expand_path('../lib', __FILE__)
-$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
-require 'inspec/version'
-
-Gem::Specification.new do |spec|
-  spec.name          = 'inspec'
-  spec.version       = Inspec::VERSION
-  spec.authors       = ['Dominik Richter']
-  spec.email         = ['dominik.richter@gmail.com']
-  spec.summary       = 'Infrastructure and compliance testing.'
-  spec.description   = 'InSpec provides a framework for creating end-to-end infrastructure tests. You can use it for integration or even compliance testing. Create fully portable test profiles and use them in your workflow to ensure stability and security. Integrate InSpec in your change lifecycle for local testing, CI/CD, and deployment verification.'
-  spec.homepage      = 'https://github.com/chef/inspec'
-  spec.license       = 'Apache-2.0'
-
-  spec.files = %w{
-    README.md Rakefile MAINTAINERS.toml MAINTAINERS.md LICENSE inspec.gemspec
-    Gemfile CHANGELOG.md .rubocop.yml
-  } + Dir.glob(
-    '{bin,docs,examples,lib}/**/*', File::FNM_DOTMATCH
-  ).reject { |f| File.directory?(f) }
-
-  spec.executables   = %w{inspec}
-  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
-  spec.require_paths = ['lib']
-
-  spec.required_ruby_version = '>= 2.3'
-
-  spec.add_dependency 'train', '~> 1.1'
-  spec.add_dependency 'thor', '~> 0.19'
-  spec.add_dependency 'json', '>= 1.8', '< 3.0'
-  spec.add_dependency 'method_source', '~> 0.8'
-  spec.add_dependency 'rubyzip', '~> 1.1'
-  spec.add_dependency 'rspec', '~> 3'
-  spec.add_dependency 'rspec-its', '~> 1.2'
-  spec.add_dependency 'pry', '~> 0'
-  spec.add_dependency 'hashie', '~> 3.4'
-  spec.add_dependency 'mixlib-log'
-  spec.add_dependency 'sslshake', '~> 1.2'
-  spec.add_dependency 'parallel', '~> 1.9'
-  spec.add_dependency 'faraday', '>=0.9.0'
-  spec.add_dependency 'tomlrb', '~> 1.2'
-  spec.add_dependency 'addressable', '~> 2.4'
-  spec.add_dependency 'parslet', '~> 1.5'
-  spec.add_dependency 'semverse'
-  spec.add_dependency 'htmlentities'
-end
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'inspec/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'inspec'
+  spec.version       = Inspec::VERSION
+  spec.authors       = ['Dominik Richter']
+  spec.email         = ['dominik.richter@gmail.com']
+  spec.summary       = 'Infrastructure and compliance testing.'
+  spec.description   = 'InSpec provides a framework for creating end-to-end infrastructure tests. You can use it for integration or even compliance testing. Create fully portable test profiles and use them in your workflow to ensure stability and security. Integrate InSpec in your change lifecycle for local testing, CI/CD, and deployment verification.'
+  spec.homepage      = 'https://github.com/chef/inspec'
+  spec.license       = 'Apache-2.0'
+
+  spec.files = %w{
+    README.md Rakefile MAINTAINERS.toml MAINTAINERS.md LICENSE inspec.gemspec
+    Gemfile CHANGELOG.md .rubocop.yml
+  } + Dir.glob(
+    '{bin,docs,examples,lib}/**/*', File::FNM_DOTMATCH
+  ).reject { |f| File.directory?(f) }
+
+  spec.executables   = %w{inspec}
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ['lib']
+
+  spec.required_ruby_version = '>= 2.3'
+
+  spec.add_dependency 'train', '~> 1.1'
+  spec.add_dependency 'thor', '~> 0.19'
+  spec.add_dependency 'json', '>= 1.8', '< 3.0'
+  spec.add_dependency 'method_source', '~> 0.8'
+  spec.add_dependency 'rubyzip', '~> 1.1'
+  spec.add_dependency 'rspec', '~> 3'
+  spec.add_dependency 'rspec-its', '~> 1.2'
+  spec.add_dependency 'pry', '~> 0'
+  spec.add_dependency 'hashie', '~> 3.4'
+  spec.add_dependency 'mixlib-log'
+  spec.add_dependency 'sslshake', '~> 1.2'
+  spec.add_dependency 'parallel', '~> 1.9'
+  spec.add_dependency 'faraday', '>=0.9.0'
+  spec.add_dependency 'tomlrb', '~> 1.2'
+  spec.add_dependency 'addressable', '~> 2.4'
+  spec.add_dependency 'parslet', '~> 1.5'
+  spec.add_dependency 'semverse'
+  spec.add_dependency 'htmlentities'
+end

data/lib/bundles/README.md

@@ -1,3 +1,3 @@
-# InSpec Bundled Plugins
-
-This directory contains bundled InSpec plugins. Those plugins are shipped with InSpec temporarily only. Over the next months we are going to stabilize the InSpec Plugin API. Once this API reached stability, all bundled plugins will be externalized.
+# InSpec Bundled Plugins
+
+This directory contains bundled InSpec plugins. Those plugins are shipped with InSpec temporarily only. Over the next months we are going to stabilize the InSpec Plugin API. Once this API reached stability, all bundled plugins will be externalized.

data/lib/bundles/inspec-artifact.rb

@@ -1,7 +1,7 @@
-# encoding: utf-8
-# author: Dave Parfitt
-
-libdir = File.dirname(__FILE__)
-$LOAD_PATH.unshift(libdir) unless $LOAD_PATH.include?(libdir)
-
-require 'inspec-artifact/cli'
+# encoding: utf-8
+# author: Dave Parfitt
+
+libdir = File.dirname(__FILE__)
+$LOAD_PATH.unshift(libdir) unless $LOAD_PATH.include?(libdir)
+
+require 'inspec-artifact/cli'

data/lib/bundles/inspec-artifact/README.md

@@ -1 +1 @@
-# TODO
+# TODO

data/lib/bundles/inspec-artifact/cli.rb

@@ -1,277 +1,277 @@
-# encoding: utf-8
-# frozen_string_literal: true
-require 'base64'
-require 'openssl'
-require 'pathname'
-require 'set'
-require 'tempfile'
-require 'yaml'
-
-# Notes:
-#
-# Generate keys
-#   The initial implementation uses 2048 bit RSA key pairs (public + private).
-#   Public keys must be available for a customer to install and verify an artifact.
-#   Private keys should be stored in a secure location and NOT be distributed.
-#     (They're only for creating artifacts).
-#
-#
-# .IAF file format
-#   .iaf = "Inspec Artifact File", easy to rename if you'd like something more appropriate.
-#   The iaf file wraps a binary artifact with some metadata. The first implementation
-#   looks like this:
-#
-# INSPEC-PROFILE-1
-# name_of_signing_key
-# algorithm
-# signature
-# <empty line>
-# binary-blob
-# <eof>
-#
-# Let's look at each line:
-# INSPEC-PROFILE-1:
-#   This is the artifact version descriptor. It should't change unless the
-#   format of the archive changes.
-#
-# name_of_signing_key
-#   The name of the public key that can be used to verify an artifact
-#
-# algorithm
-#   The digest used to sign, I picked SHA512 to start with.
-#   If we support multiple digests, we'll need to have the verify() method
-#   support each digest.
-#
-# signature
-#   The result of passing the binary artifact through the digest algorithm above.
-#   Result is base64 encoded.
-#
-# <empty line>
-#   We use an empty line to separate artifact header from artifact body (binary blob).
-#   The artifact body can be anything you like.
-#
-# binary-blob
-#   A binary blob, most likely a .tar.gz or tar.xz file. We'll need to pick one and
-#   stick with it as part of the "INSPEC-PROFILE-1" artifact version. If we change block
-#   format, the artifact version descriptor must be incremented, and the sign()
-#   and verify() methods must be updated to support a newer version.
-#
-#
-# Key revocation
-#   This implementation doesn't support key revocation. However, a customer
-#   can remove the public cert file before installation, and artifacts will then
-#   fail verification.
-#
-# Key locations
-#   This implementation uses the current working directory to find public and
-#   private keys. We should establish a common key directory (similar to /hab/cache/keys
-#   or ~/.hab/cache/keys in Habitat).
-#
-# Extracting artifacts outside of Inspec
-#   As in Habitat, the artifact format for Inspec allows the use of common
-#   Unix tools to read the header and body of an artifact.
-# To extract the header from a .iaf:
-#        sed '/^$/q' foo.iaf
-# To extract the raw content from a .iaf:
-#        sed '1,/^$/d' foo.iaf
-
-module Artifact
-  KEY_BITS=2048
-  KEY_ALG=OpenSSL::PKey::RSA
-
-  INSPEC_PROFILE_VERSION_1='INSPEC-PROFILE-1'
-  INSPEC_REPORT_VERSION_1='INSPEC-REPORT-1'
-
-  ARTIFACT_DIGEST=OpenSSL::Digest::SHA512
-  ARTIFACT_DIGEST_NAME='SHA512'
-
-  VALID_PROFILE_VERSIONS=Set.new [INSPEC_PROFILE_VERSION_1]
-  VALID_PROFILE_DIGESTS=Set.new [ARTIFACT_DIGEST_NAME]
-
-  SIGNED_PROFILE_SUFFIX='iaf'
-  SIGNED_REPORT_SUFFIX='iar'
-  class CLI < Inspec::BaseCLI
-    namespace 'artifact'
-
-    # TODO: find another solution, once https://github.com/erikhuda/thor/issues/261 is fixed
-    def self.banner(command, _namespace = nil, _subcommand = false)
-      "#{basename} #{subcommand_prefix} #{command.usage}"
-    end
-
-    def self.subcommand_prefix
-      namespace
-    end
-
-    desc 'generate', 'Generate a RSA key pair for signing and verification'
-    option :keyname, type: :string, required: true,
-      desc: 'Desriptive name of key'
-    option :keydir, type: :string, default: './',
-      desc: 'Directory to search for keys'
-    def generate_keys
-      puts 'Generating keys'
-      keygen
-    end
-
-    desc 'sign-profile', 'Create a signed .iaf artifact'
-    option :profile, type: :string, required: true,
-      desc: 'Path to profile directory'
-    option :keyname, type: :string, required: true,
-      desc: 'Desriptive name of key'
-    def sign_profile
-      profile_sign
-    end
-
-    desc 'verify-profile', 'Verify a signed .iaf artifact'
-    option :infile, type: :string, required: true,
-        desc: '.iaf file to verify'
-    def verify_profile
-      profile_verify
-    end
-
-    desc 'install-profile', 'Verify and install a signed .iaf artifact'
-    option :infile, type: :string, required: true,
-        desc: '.iaf file to install'
-    option :destdir, type: :string, required: true,
-      desc: 'Installation directory'
-    def install_profile
-      profile_install
-    end
-
-    private
-
-    def keygen
-      key = KEY_ALG.new KEY_BITS
-      puts 'Generating private key'
-      open "#{options['keyname']}.pem.key", 'w' do |io| io.write key.to_pem end
-      puts 'Generating public key'
-      open "#{options['keyname']}.pem.pub", 'w' do |io| io.write key.public_key.to_pem end
-    end
-
-    def read_profile_metadata(path_to_profile)
-      begin
-        p = Pathname.new(path_to_profile)
-        p = p.join('inspec.yml')
-        if not p.exist?
-          raise "#{path_to_profile} doesn't appear to be a valid Inspec profile"
-        end
-        yaml = YAML.load_file(p.to_s)
-        yaml = yaml.to_hash
-
-        if not yaml.key? 'name'
-          raise 'Profile is invalid, name is not defined'
-        end
-
-        if not yaml.key? 'version'
-          raise 'Profile is invalid, version is not defined'
-        end
-      rescue => e
-        # rewrap it and pass it up to the CLI
-        raise "Error reading Inspec profile metadata: #{e}"
-      end
-
-      yaml
-    end
-
-    def profile_compress(path_to_profile, profile_md, workdir)
-      profile_name = profile_md['name']
-      profile_version = profile_md['version']
-      outfile_name = "#{workdir}/#{profile_name}-#{profile_version}.tar.gz"
-      `tar czf #{outfile_name} -C #{path_to_profile} .`
-      outfile_name
-    end
-
-    def profile_sign
-      Dir.mktmpdir do |workdir|
-        puts "Signing #{options['profile']} with key #{options['keyname']}"
-        path_to_profile = options['profile']
-        profile_md = read_profile_metadata(path_to_profile)
-        artifact_filename = "#{profile_md['name']}-#{profile_md['version']}.#{SIGNED_PROFILE_SUFFIX}"
-        tarfile = profile_compress(path_to_profile, profile_md, workdir)
-        content = IO.binread(tarfile)
-        signing_key = KEY_ALG.new File.read "#{options['keyname']}.pem.key"
-        sha = ARTIFACT_DIGEST.new
-        signature = signing_key.sign sha, content
-        # convert the signature to Base64
-        signature_base64 = Base64.encode64(signature)
-        tar_content = IO.binread(tarfile)
-        File.open(artifact_filename, 'wb') do |f|
-          f.puts(INSPEC_PROFILE_VERSION_1)
-          f.puts(options['keyname'])
-          f.puts(ARTIFACT_DIGEST_NAME)
-          f.puts(signature_base64)
-          f.puts('') # newline separates artifact header with body
-          f.write(tar_content)
-        end
-        puts "Successfully generated #{artifact_filename}"
-      end
-    end
-
-    def valid_header?(file_alg, file_version, file_keyname)
-      public_keyfile = "#{file_keyname}.pem.pub"
-      puts "Looking for #{public_keyfile} to verify artifact"
-      if !File.exist? public_keyfile
-        raise "Can't find #{public_keyfile}"
-      end
-
-      raise 'Invalid artifact digest algorithm detected' if !VALID_PROFILE_DIGESTS.member?(file_alg)
-      raise 'Invalid artifact version detected' if !VALID_PROFILE_VERSIONS.member?(file_version)
-    end
-
-    def verify(file_to_verifiy, &content_block)
-      f = File.open(file_to_verifiy, 'r')
-      file_version = f.readline.strip!
-      file_keyname = f.readline.strip!
-      file_alg = f.readline.strip!
-
-      file_sig = ''
-      # the signature is multi-line
-      while (line = f.readline) != "\n"
-        file_sig += line
-      end
-      file_sig.strip!
-      f.close
-
-      valid_header?(file_alg, file_version, file_keyname)
-
-      public_keyfile = "#{file_keyname}.pem.pub"
-      verification_key = KEY_ALG.new File.read public_keyfile
-
-      f = File.open(file_to_verifiy, 'r')
-      while f.readline != "\n" do end
-      content = f.read
-
-      signature = Base64.decode64(file_sig)
-      digest = ARTIFACT_DIGEST.new
-      if verification_key.verify digest, signature, content
-        content_block.yield(content)
-      else
-        puts 'Artifact is invalid'
-      end
-    end
-
-    def profile_verify
-      file_to_verifiy = options['infile']
-      puts "Verifying #{file_to_verifiy}"
-      verify(file_to_verifiy) do ||
-        puts 'Artifact is valid'
-      end
-    end
-
-    def profile_install
-      puts 'Installing profile'
-      file_to_verifiy = options['infile']
-      dest_dir = options['destdir']
-      verify(file_to_verifiy) do |content|
-        Dir.mktmpdir do |workdir|
-          tmpfile = Pathname.new(workdir).join('artifact_to_install.tar.gz')
-          File.write(tmpfile, content)
-          puts "Installing to #{dest_dir}"
-          `tar xzf #{tmpfile} -C #{dest_dir}`
-        end
-      end
-    end
-  end
-
-  # register the subcommand to Inspec CLI registry
-  Inspec::Plugins::CLI.add_subcommand(Artifact::CLI, 'artifact', 'artifact SUBCOMMAND ...', 'Sign, verify and install artifacts', {})
-end
+# encoding: utf-8
+# frozen_string_literal: true
+require 'base64'
+require 'openssl'
+require 'pathname'
+require 'set'
+require 'tempfile'
+require 'yaml'
+
+# Notes:
+#
+# Generate keys
+#   The initial implementation uses 2048 bit RSA key pairs (public + private).
+#   Public keys must be available for a customer to install and verify an artifact.
+#   Private keys should be stored in a secure location and NOT be distributed.
+#     (They're only for creating artifacts).
+#
+#
+# .IAF file format
+#   .iaf = "Inspec Artifact File", easy to rename if you'd like something more appropriate.
+#   The iaf file wraps a binary artifact with some metadata. The first implementation
+#   looks like this:
+#
+# INSPEC-PROFILE-1
+# name_of_signing_key
+# algorithm
+# signature
+# <empty line>
+# binary-blob
+# <eof>
+#
+# Let's look at each line:
+# INSPEC-PROFILE-1:
+#   This is the artifact version descriptor. It should't change unless the
+#   format of the archive changes.
+#
+# name_of_signing_key
+#   The name of the public key that can be used to verify an artifact
+#
+# algorithm
+#   The digest used to sign, I picked SHA512 to start with.
+#   If we support multiple digests, we'll need to have the verify() method
+#   support each digest.
+#
+# signature
+#   The result of passing the binary artifact through the digest algorithm above.
+#   Result is base64 encoded.
+#
+# <empty line>
+#   We use an empty line to separate artifact header from artifact body (binary blob).
+#   The artifact body can be anything you like.
+#
+# binary-blob
+#   A binary blob, most likely a .tar.gz or tar.xz file. We'll need to pick one and
+#   stick with it as part of the "INSPEC-PROFILE-1" artifact version. If we change block
+#   format, the artifact version descriptor must be incremented, and the sign()
+#   and verify() methods must be updated to support a newer version.
+#
+#
+# Key revocation
+#   This implementation doesn't support key revocation. However, a customer
+#   can remove the public cert file before installation, and artifacts will then
+#   fail verification.
+#
+# Key locations
+#   This implementation uses the current working directory to find public and
+#   private keys. We should establish a common key directory (similar to /hab/cache/keys
+#   or ~/.hab/cache/keys in Habitat).
+#
+# Extracting artifacts outside of Inspec
+#   As in Habitat, the artifact format for Inspec allows the use of common
+#   Unix tools to read the header and body of an artifact.
+# To extract the header from a .iaf:
+#        sed '/^$/q' foo.iaf
+# To extract the raw content from a .iaf:
+#        sed '1,/^$/d' foo.iaf
+
+module Artifact
+  KEY_BITS=2048
+  KEY_ALG=OpenSSL::PKey::RSA
+
+  INSPEC_PROFILE_VERSION_1='INSPEC-PROFILE-1'
+  INSPEC_REPORT_VERSION_1='INSPEC-REPORT-1'
+
+  ARTIFACT_DIGEST=OpenSSL::Digest::SHA512
+  ARTIFACT_DIGEST_NAME='SHA512'
+
+  VALID_PROFILE_VERSIONS=Set.new [INSPEC_PROFILE_VERSION_1]
+  VALID_PROFILE_DIGESTS=Set.new [ARTIFACT_DIGEST_NAME]
+
+  SIGNED_PROFILE_SUFFIX='iaf'
+  SIGNED_REPORT_SUFFIX='iar'
+  class CLI < Inspec::BaseCLI
+    namespace 'artifact'
+
+    # TODO: find another solution, once https://github.com/erikhuda/thor/issues/261 is fixed
+    def self.banner(command, _namespace = nil, _subcommand = false)
+      "#{basename} #{subcommand_prefix} #{command.usage}"
+    end
+
+    def self.subcommand_prefix
+      namespace
+    end
+
+    desc 'generate', 'Generate a RSA key pair for signing and verification'
+    option :keyname, type: :string, required: true,
+      desc: 'Desriptive name of key'
+    option :keydir, type: :string, default: './',
+      desc: 'Directory to search for keys'
+    def generate_keys
+      puts 'Generating keys'
+      keygen
+    end
+
+    desc 'sign-profile', 'Create a signed .iaf artifact'
+    option :profile, type: :string, required: true,
+      desc: 'Path to profile directory'
+    option :keyname, type: :string, required: true,
+      desc: 'Desriptive name of key'
+    def sign_profile
+      profile_sign
+    end
+
+    desc 'verify-profile', 'Verify a signed .iaf artifact'
+    option :infile, type: :string, required: true,
+        desc: '.iaf file to verify'
+    def verify_profile
+      profile_verify
+    end
+
+    desc 'install-profile', 'Verify and install a signed .iaf artifact'
+    option :infile, type: :string, required: true,
+        desc: '.iaf file to install'
+    option :destdir, type: :string, required: true,
+      desc: 'Installation directory'
+    def install_profile
+      profile_install
+    end
+
+    private
+
+    def keygen
+      key = KEY_ALG.new KEY_BITS
+      puts 'Generating private key'
+      open "#{options['keyname']}.pem.key", 'w' do |io| io.write key.to_pem end
+      puts 'Generating public key'
+      open "#{options['keyname']}.pem.pub", 'w' do |io| io.write key.public_key.to_pem end
+    end
+
+    def read_profile_metadata(path_to_profile)
+      begin
+        p = Pathname.new(path_to_profile)
+        p = p.join('inspec.yml')
+        if not p.exist?
+          raise "#{path_to_profile} doesn't appear to be a valid Inspec profile"
+        end
+        yaml = YAML.load_file(p.to_s)
+        yaml = yaml.to_hash
+
+        if not yaml.key? 'name'
+          raise 'Profile is invalid, name is not defined'
+        end
+
+        if not yaml.key? 'version'
+          raise 'Profile is invalid, version is not defined'
+        end
+      rescue => e
+        # rewrap it and pass it up to the CLI
+        raise "Error reading Inspec profile metadata: #{e}"
+      end
+
+      yaml
+    end
+
+    def profile_compress(path_to_profile, profile_md, workdir)
+      profile_name = profile_md['name']
+      profile_version = profile_md['version']
+      outfile_name = "#{workdir}/#{profile_name}-#{profile_version}.tar.gz"
+      `tar czf #{outfile_name} -C #{path_to_profile} .`
+      outfile_name
+    end
+
+    def profile_sign
+      Dir.mktmpdir do |workdir|
+        puts "Signing #{options['profile']} with key #{options['keyname']}"
+        path_to_profile = options['profile']
+        profile_md = read_profile_metadata(path_to_profile)
+        artifact_filename = "#{profile_md['name']}-#{profile_md['version']}.#{SIGNED_PROFILE_SUFFIX}"
+        tarfile = profile_compress(path_to_profile, profile_md, workdir)
+        content = IO.binread(tarfile)
+        signing_key = KEY_ALG.new File.read "#{options['keyname']}.pem.key"
+        sha = ARTIFACT_DIGEST.new
+        signature = signing_key.sign sha, content
+        # convert the signature to Base64
+        signature_base64 = Base64.encode64(signature)
+        tar_content = IO.binread(tarfile)
+        File.open(artifact_filename, 'wb') do |f|
+          f.puts(INSPEC_PROFILE_VERSION_1)
+          f.puts(options['keyname'])
+          f.puts(ARTIFACT_DIGEST_NAME)
+          f.puts(signature_base64)
+          f.puts('') # newline separates artifact header with body
+          f.write(tar_content)
+        end
+        puts "Successfully generated #{artifact_filename}"
+      end
+    end
+
+    def valid_header?(file_alg, file_version, file_keyname)
+      public_keyfile = "#{file_keyname}.pem.pub"
+      puts "Looking for #{public_keyfile} to verify artifact"
+      if !File.exist? public_keyfile
+        raise "Can't find #{public_keyfile}"
+      end
+
+      raise 'Invalid artifact digest algorithm detected' if !VALID_PROFILE_DIGESTS.member?(file_alg)
+      raise 'Invalid artifact version detected' if !VALID_PROFILE_VERSIONS.member?(file_version)
+    end
+
+    def verify(file_to_verifiy, &content_block)
+      f = File.open(file_to_verifiy, 'r')
+      file_version = f.readline.strip!
+      file_keyname = f.readline.strip!
+      file_alg = f.readline.strip!
+
+      file_sig = ''
+      # the signature is multi-line
+      while (line = f.readline) != "\n"
+        file_sig += line
+      end
+      file_sig.strip!
+      f.close
+
+      valid_header?(file_alg, file_version, file_keyname)
+
+      public_keyfile = "#{file_keyname}.pem.pub"
+      verification_key = KEY_ALG.new File.read public_keyfile
+
+      f = File.open(file_to_verifiy, 'r')
+      while f.readline != "\n" do end
+      content = f.read
+
+      signature = Base64.decode64(file_sig)
+      digest = ARTIFACT_DIGEST.new
+      if verification_key.verify digest, signature, content
+        content_block.yield(content)
+      else
+        puts 'Artifact is invalid'
+      end
+    end
+
+    def profile_verify
+      file_to_verifiy = options['infile']
+      puts "Verifying #{file_to_verifiy}"
+      verify(file_to_verifiy) do ||
+        puts 'Artifact is valid'
+      end
+    end
+
+    def profile_install
+      puts 'Installing profile'
+      file_to_verifiy = options['infile']
+      dest_dir = options['destdir']
+      verify(file_to_verifiy) do |content|
+        Dir.mktmpdir do |workdir|
+          tmpfile = Pathname.new(workdir).join('artifact_to_install.tar.gz')
+          File.write(tmpfile, content)
+          puts "Installing to #{dest_dir}"
+          `tar xzf #{tmpfile} -C #{dest_dir}`
+        end
+      end
+    end
+  end
+
+  # register the subcommand to Inspec CLI registry
+  Inspec::Plugins::CLI.add_subcommand(Artifact::CLI, 'artifact', 'artifact SUBCOMMAND ...', 'Sign, verify and install artifacts', {})
+end