inspec 2.0.32 → 2.0.45

data/lib/resource_support/aws.rb

@@ -1,41 +1,41 @@
-# Main AWS loader file.  The intent is for this to be
-# loaded only if AWS resources are needed.
-
-require 'aws-sdk' # TODO: split once ADK v3 is in use
-
-require 'resource_support/aws/aws_backend_factory_mixin'
-require 'resource_support/aws/aws_resource_mixin'
-require 'resource_support/aws/aws_singular_resource_mixin'
-require 'resource_support/aws/aws_plural_resource_mixin'
-require 'resource_support/aws/aws_backend_base'
-
-# Load all AWS resources
-# TODO: loop over and load entire directory
-# for f in ls lib/resources/aws/*; do t=$(echo $f | cut -c 5- | cut -f1 -d. ); echo "require '${t}'"; done
-require 'resources/aws/aws_cloudtrail_trail'
-require 'resources/aws/aws_cloudtrail_trails'
-require 'resources/aws/aws_cloudwatch_alarm'
-require 'resources/aws/aws_cloudwatch_log_metric_filter'
-require 'resources/aws/aws_config_recorder'
-require 'resources/aws/aws_ec2_instance'
-require 'resources/aws/aws_iam_access_key'
-require 'resources/aws/aws_iam_access_keys'
-require 'resources/aws/aws_iam_group'
-require 'resources/aws/aws_iam_groups'
-require 'resources/aws/aws_iam_password_policy'
-require 'resources/aws/aws_iam_policies'
-require 'resources/aws/aws_iam_policy'
-require 'resources/aws/aws_iam_role'
-require 'resources/aws/aws_iam_root_user'
-require 'resources/aws/aws_iam_user'
-require 'resources/aws/aws_iam_users'
-require 'resources/aws/aws_kms_keys'
-require 'resources/aws/aws_route_table'
-require 'resources/aws/aws_s3_bucket'
-require 'resources/aws/aws_security_group'
-require 'resources/aws/aws_security_groups'
-require 'resources/aws/aws_sns_topic'
-require 'resources/aws/aws_subnet'
-require 'resources/aws/aws_subnets'
-require 'resources/aws/aws_vpc'
-require 'resources/aws/aws_vpcs'
+# Main AWS loader file.  The intent is for this to be
+# loaded only if AWS resources are needed.
+
+require 'aws-sdk' # TODO: split once ADK v3 is in use
+
+require 'resource_support/aws/aws_backend_factory_mixin'
+require 'resource_support/aws/aws_resource_mixin'
+require 'resource_support/aws/aws_singular_resource_mixin'
+require 'resource_support/aws/aws_plural_resource_mixin'
+require 'resource_support/aws/aws_backend_base'
+
+# Load all AWS resources
+# TODO: loop over and load entire directory
+# for f in ls lib/resources/aws/*; do t=$(echo $f | cut -c 5- | cut -f1 -d. ); echo "require '${t}'"; done
+require 'resources/aws/aws_cloudtrail_trail'
+require 'resources/aws/aws_cloudtrail_trails'
+require 'resources/aws/aws_cloudwatch_alarm'
+require 'resources/aws/aws_cloudwatch_log_metric_filter'
+require 'resources/aws/aws_config_recorder'
+require 'resources/aws/aws_ec2_instance'
+require 'resources/aws/aws_iam_access_key'
+require 'resources/aws/aws_iam_access_keys'
+require 'resources/aws/aws_iam_group'
+require 'resources/aws/aws_iam_groups'
+require 'resources/aws/aws_iam_password_policy'
+require 'resources/aws/aws_iam_policies'
+require 'resources/aws/aws_iam_policy'
+require 'resources/aws/aws_iam_role'
+require 'resources/aws/aws_iam_root_user'
+require 'resources/aws/aws_iam_user'
+require 'resources/aws/aws_iam_users'
+require 'resources/aws/aws_kms_keys'
+require 'resources/aws/aws_route_table'
+require 'resources/aws/aws_s3_bucket'
+require 'resources/aws/aws_security_group'
+require 'resources/aws/aws_security_groups'
+require 'resources/aws/aws_sns_topic'
+require 'resources/aws/aws_subnet'
+require 'resources/aws/aws_subnets'
+require 'resources/aws/aws_vpc'
+require 'resources/aws/aws_vpcs'

data/lib/resource_support/aws/aws_backend_base.rb

@@ -1,12 +1,12 @@
-class AwsBackendBase
-  attr_reader :aws_transport
-  class << self; attr_accessor :aws_client_class end
-
-  def initialize(inspec = nil)
-    @aws_transport = inspec ? inspec.backend : nil
-  end
-
-  def aws_service_client
-    aws_transport.aws_client(self.class.aws_client_class)
-  end
-end
+class AwsBackendBase
+  attr_reader :aws_transport
+  class << self; attr_accessor :aws_client_class end
+
+  def initialize(inspec = nil)
+    @aws_transport = inspec ? inspec.backend : nil
+  end
+
+  def aws_service_client
+    aws_transport.aws_client(self.class.aws_client_class)
+  end
+end

data/lib/resource_support/aws/aws_backend_factory_mixin.rb

@@ -1,12 +1,12 @@
-# Intended to be pulled in via extend, not include
-module AwsBackendFactoryMixin
-  def create(inspec)
-    @selected_backend.new(inspec)
-  end
-
-  def select(klass)
-    @selected_backend = klass
-  end
-
-  alias set_default_backend select
-end
+# Intended to be pulled in via extend, not include
+module AwsBackendFactoryMixin
+  def create(inspec)
+    @selected_backend.new(inspec)
+  end
+
+  def select(klass)
+    @selected_backend = klass
+  end
+
+  alias set_default_backend select
+end

data/lib/resource_support/aws/aws_plural_resource_mixin.rb

@@ -1,21 +1,21 @@
-module AwsPluralResourceMixin
-  include AwsResourceMixin
-  attr_reader :table
-
-  # This sets up a class, AwsSomeResource::BackendFactory, that
-  # provides a mechanism to create and use backends without
-  # having to know which is selected.  This is mainly used for
-  # unit testing.
-  # TODO: DRY up.  This code exists in both the Singular and Plural mixins.
-  # We'd like to put it in AwsResourceMixin, but included only sees the
-  # directly-including class - we can't see second-order includers.
-  def self.included(base)
-    # Create a new class, whose body is simply to extend the
-    # backend factory mixin
-    resource_backend_factory_class = Class.new(Object) do
-      extend AwsBackendFactoryMixin
-    end
-    # Name that class
-    base.const_set('BackendFactory', resource_backend_factory_class)
-  end
-end
+module AwsPluralResourceMixin
+  include AwsResourceMixin
+  attr_reader :table
+
+  # This sets up a class, AwsSomeResource::BackendFactory, that
+  # provides a mechanism to create and use backends without
+  # having to know which is selected.  This is mainly used for
+  # unit testing.
+  # TODO: DRY up.  This code exists in both the Singular and Plural mixins.
+  # We'd like to put it in AwsResourceMixin, but included only sees the
+  # directly-including class - we can't see second-order includers.
+  def self.included(base)
+    # Create a new class, whose body is simply to extend the
+    # backend factory mixin
+    resource_backend_factory_class = Class.new(Object) do
+      extend AwsBackendFactoryMixin
+    end
+    # Name that class
+    base.const_set('BackendFactory', resource_backend_factory_class)
+  end
+end

data/lib/resource_support/aws/aws_resource_mixin.rb

@@ -1,66 +1,66 @@
-module AwsResourceMixin
-  def initialize(resource_params = {})
-    validate_params(resource_params).each do |param, value|
-      instance_variable_set(:"@#{param}", value)
-    end
-    catch_aws_errors do
-      fetch_from_api
-    end
-  rescue ArgumentError => e
-    # continue with ArgumentError if testing
-    raise unless respond_to?(:inspec)
-    raise Inspec::Exceptions::ResourceFailed, e.message
-  end
-
-  # Default implementation of validate params accepts everything.
-  def validate_params(resource_params)
-    resource_params
-  end
-
-  def check_resource_param_names(raw_params: {}, allowed_params: [], allowed_scalar_name: nil, allowed_scalar_type: nil)
-    # Some resources allow passing in a single ID value.  Check and convert to hash if so.
-    if allowed_scalar_name && !raw_params.is_a?(Hash)
-      value_seen = raw_params
-      if value_seen.is_a?(allowed_scalar_type)
-        raw_params = { allowed_scalar_name => value_seen }
-      else
-        raise ArgumentError, 'If you pass a single value to the resource, it must ' \
-                             "be a #{allowed_scalar_type}, not an #{value_seen.class}."
-      end
-    end
-
-    # Remove all expected params from the raw param hash
-    recognized_params = {}
-    allowed_params.each do |expected_param|
-      recognized_params[expected_param] = raw_params.delete(expected_param) if raw_params.key?(expected_param)
-    end
-
-    # Any leftovers are unwelcome
-    unless raw_params.empty?
-      raise ArgumentError, "Unrecognized resource param '#{raw_params.keys.first}'. Expected parameters: #{allowed_params.join(', ')}"
-    end
-
-    recognized_params
-  end
-
-  def inspec_runner
-    # When running under inspec-cli, we have an 'inspec' method that
-    # returns the runner. When running under unit tests, we don't
-    # have that, but we still have to call this to pass something
-    # (nil is OK) to the backend.
-    # TODO: remove with https://github.com/chef/inspec-aws/issues/216
-    inspec if respond_to?(:inspec)
-  end
-
-  # Intercept AWS exceptions
-  def catch_aws_errors
-    yield
-  rescue Aws::Errors::MissingCredentialsError
-    # The AWS error here is unhelpful:
-    # "unable to sign request without credentials set"
-    Inspec::Log.error "It appears that you have not set your AWS credentials.  You may set them using environment variables, or using the 'aws://region/aws_credentials_profile' target.  See https://www.inspec.io/docs/reference/platforms for details."
-    fail_resource('No AWS credentials available')
-  rescue Aws::Errors::ServiceError => e
-    fail_resource e.message
-  end
-end
+module AwsResourceMixin
+  def initialize(resource_params = {})
+    validate_params(resource_params).each do |param, value|
+      instance_variable_set(:"@#{param}", value)
+    end
+    catch_aws_errors do
+      fetch_from_api
+    end
+  rescue ArgumentError => e
+    # continue with ArgumentError if testing
+    raise unless respond_to?(:inspec)
+    raise Inspec::Exceptions::ResourceFailed, e.message
+  end
+
+  # Default implementation of validate params accepts everything.
+  def validate_params(resource_params)
+    resource_params
+  end
+
+  def check_resource_param_names(raw_params: {}, allowed_params: [], allowed_scalar_name: nil, allowed_scalar_type: nil)
+    # Some resources allow passing in a single ID value.  Check and convert to hash if so.
+    if allowed_scalar_name && !raw_params.is_a?(Hash)
+      value_seen = raw_params
+      if value_seen.is_a?(allowed_scalar_type)
+        raw_params = { allowed_scalar_name => value_seen }
+      else
+        raise ArgumentError, 'If you pass a single value to the resource, it must ' \
+                             "be a #{allowed_scalar_type}, not an #{value_seen.class}."
+      end
+    end
+
+    # Remove all expected params from the raw param hash
+    recognized_params = {}
+    allowed_params.each do |expected_param|
+      recognized_params[expected_param] = raw_params.delete(expected_param) if raw_params.key?(expected_param)
+    end
+
+    # Any leftovers are unwelcome
+    unless raw_params.empty?
+      raise ArgumentError, "Unrecognized resource param '#{raw_params.keys.first}'. Expected parameters: #{allowed_params.join(', ')}"
+    end
+
+    recognized_params
+  end
+
+  def inspec_runner
+    # When running under inspec-cli, we have an 'inspec' method that
+    # returns the runner. When running under unit tests, we don't
+    # have that, but we still have to call this to pass something
+    # (nil is OK) to the backend.
+    # TODO: remove with https://github.com/chef/inspec-aws/issues/216
+    inspec if respond_to?(:inspec)
+  end
+
+  # Intercept AWS exceptions
+  def catch_aws_errors
+    yield
+  rescue Aws::Errors::MissingCredentialsError
+    # The AWS error here is unhelpful:
+    # "unable to sign request without credentials set"
+    Inspec::Log.error "It appears that you have not set your AWS credentials.  You may set them using environment variables, or using the 'aws://region/aws_credentials_profile' target.  See https://www.inspec.io/docs/reference/platforms for details."
+    fail_resource('No AWS credentials available')
+  rescue Aws::Errors::ServiceError => e
+    fail_resource e.message
+  end
+end

data/lib/resource_support/aws/aws_singular_resource_mixin.rb

@@ -1,24 +1,24 @@
-module AwsSingularResourceMixin
-  include AwsResourceMixin
-
-  def exists?
-    @exists
-  end
-
-  # This sets up a class, AwsSomeResource::BackendFactory, that
-  # provides a mechanism to create and use backends without
-  # having to know which is selected.  This is mainly used for
-  # unit testing.
-  # TODO: DRY up.  This code exists in both the Singular and Plural mixins.
-  # We'd like to put it in AwsResourceMixin, but included only sees the
-  # directly-including class - we can't see second-order includers.
-  def self.included(base)
-    # Create a new class, whose body is simply to extend the
-    # backend factory mixin
-    resource_backend_factory_class = Class.new(Object) do
-      extend AwsBackendFactoryMixin
-    end
-    # Name that class
-    base.const_set('BackendFactory', resource_backend_factory_class)
-  end
-end
+module AwsSingularResourceMixin
+  include AwsResourceMixin
+
+  def exists?
+    @exists
+  end
+
+  # This sets up a class, AwsSomeResource::BackendFactory, that
+  # provides a mechanism to create and use backends without
+  # having to know which is selected.  This is mainly used for
+  # unit testing.
+  # TODO: DRY up.  This code exists in both the Singular and Plural mixins.
+  # We'd like to put it in AwsResourceMixin, but included only sees the
+  # directly-including class - we can't see second-order includers.
+  def self.included(base)
+    # Create a new class, whose body is simply to extend the
+    # backend factory mixin
+    resource_backend_factory_class = Class.new(Object) do
+      extend AwsBackendFactoryMixin
+    end
+    # Name that class
+    base.const_set('BackendFactory', resource_backend_factory_class)
+  end
+end

data/lib/resources/aide_conf.rb

@@ -1,160 +1,159 @@
-# encoding: utf-8
-
-require 'utils/filter'
-require 'utils/parser'
-module Inspec::Resources
-  class AideConf < Inspec.resource(1)
-    name 'aide_conf'
-    supports platform: 'unix'
-    desc 'Use the aide_conf InSpec audit resource to test the rules established for
-      the file integrity tool AIDE. Controlled by the aide.conf file typically at /etc/aide.conf.'
-    example "
-      describe aide_conf do
-        its('selection_lines') { should include '/sbin' }
-      end
-
-      describe aide_conf.where { selection_line == '/bin' } do
-        its('rules.flatten') { should include 'r' }
-      end
-
-      describe aide_conf.all_have_rule('sha512') do
-        it { should eq true }
-      end
-    "
-
-    attr_reader :params
-
-    include CommentParser
-
-    def initialize(aide_conf_path = nil)
-      return skip_resource 'The `aide_conf` resource is not supported on your OS.' unless inspec.os.linux?
-      @conf_path = aide_conf_path || '/etc/aide.conf'
-      @content = nil
-      @rules = nil
-      read_content
-    end
-
-    def all_have_rule(rule)
-      # Case when file didn't exist or perms didn't allow an open
-      return false if @content.nil?
-
-      lines = @params.reject { |line| line['rules'].include? rule }
-      lines.empty?
-    end
-
-    filter = FilterTable.create
-    filter.add_accessor(:where)
-          .add_accessor(:entries)
-          .add(:selection_lines, field: 'selection_line')
-          .add(:rules,           field: 'rules')
-
-    filter.connect(self, :params)
-
-    private
-
-    def read_content
-      return @content unless @content.nil?
-      @rules = {}
-
-      file = inspec.file(@conf_path)
-      if !file.file?
-        return skip_resource "Can't find file \"#{@conf_path}\""
-      end
-      raw_conf = file.content
-      if raw_conf.nil?
-        return skip_resource "File can't be opened or is empty \"#{@conf_path}\""
-      end
-      if raw_conf.empty? && !file.empty?
-        return skip_resource "Can't read file \"#{@conf_path}\""
-      end
-
-      # If there is a file and it contains content, continue
-      @content = filter_comments(inspec.file(@conf_path).content.lines)
-      @params = parse_conf(@content)
-    end
-
-    def filter_comments(data)
-      content = []
-      data.each do |line|
-        content_line, = parse_comment_line(line, comment_char: '#', standalone_comments: false)
-        content.push(content_line)
-      end
-      content
-    end
-
-    def parse_conf(content)
-      params = []
-      content.each do |line|
-        param = parse_line(line)
-        if !param['selection_line'].nil?
-          params.push(param)
-        end
-      end
-      params
-    end
-
-    def parse_line(line)
-      line_and_rules = {}
-      # Case when line is a rule line
-      if line.include?(' = ')
-        parse_rule_line(line)
-      # Case when line is a selection line
-      elsif line.start_with?('/', '!', '=')
-        line_and_rules = parse_selection_line(line)
-      end
-      line_and_rules
-    end
-
-    def parse_rule_line(line)
-      line.gsub!(/\s+/, '')
-      rule_line_arr = line.split('=')
-      rules_list = rule_line_arr.last.split('+')
-      rule_name = rule_line_arr.first
-      rules_list.each_index do |i|
-        # Cases where rule respresents one or more other rules
-        if @rules.key?(rules_list[i])
-          rules_list[i] = @rules[rules_list[i]]
-        end
-        rules_list[i] = handle_multi_rule(rules_list, i)
-      end
-      @rules[rule_name] = rules_list.flatten
-    end
-
-    def parse_selection_line(line)
-      selec_line_arr = line.split(' ')
-      selection_line = selec_line_arr.first
-      selection_line.chop! if selection_line.end_with?('/')
-      rule_list = selec_line_arr.last.split('+')
-      rule_list.each_index do |i|
-        hash_list = @rules[rule_list[i]]
-        # Cases where rule respresents one or more other rules
-        if !hash_list.nil?
-          rule_list[i] = hash_list
-        end
-        rule_list[i] = handle_multi_rule(rule_list, i)
-      end
-      rule_list.flatten!
-      {
-        'selection_line' => selection_line,
-        'rules' => rule_list,
-      }
-    end
-
-    def handle_multi_rule(rule_list, i)
-      # Rules that represent multiple rules (R,L,>)
-      r_rules = %w{p i l n u g s m c md5}
-      l_rules = %w{p i l n u g}
-      grow_log_rules = %w{p l u g i n S}
-
-      case rule_list[i]
-      when 'R'
-        return r_rules
-      when 'L'
-        return l_rules
-      when '>'
-        return grow_log_rules
-      end
-      rule_list[i]
-    end
-  end
-end
+# encoding: utf-8
+
+require 'utils/filter'
+require 'utils/parser'
+module Inspec::Resources
+  class AideConf < Inspec.resource(1)
+    name 'aide_conf'
+    supports platform: 'unix'
+    desc 'Use the aide_conf InSpec audit resource to test the rules established for
+      the file integrity tool AIDE. Controlled by the aide.conf file typically at /etc/aide.conf.'
+    example "
+      describe aide_conf do
+        its('selection_lines') { should include '/sbin' }
+      end
+
+      describe aide_conf.where { selection_line == '/bin' } do
+        its('rules.flatten') { should include 'r' }
+      end
+
+      describe aide_conf.all_have_rule('sha512') do
+        it { should eq true }
+      end
+    "
+
+    attr_reader :params
+
+    include CommentParser
+
+    def initialize(aide_conf_path = nil)
+      @conf_path = aide_conf_path || '/etc/aide.conf'
+      @content = nil
+      @rules = nil
+      read_content
+    end
+
+    def all_have_rule(rule)
+      # Case when file didn't exist or perms didn't allow an open
+      return false if @content.nil?
+
+      lines = @params.reject { |line| line['rules'].include? rule }
+      lines.empty?
+    end
+
+    filter = FilterTable.create
+    filter.add_accessor(:where)
+          .add_accessor(:entries)
+          .add(:selection_lines, field: 'selection_line')
+          .add(:rules,           field: 'rules')
+
+    filter.connect(self, :params)
+
+    private
+
+    def read_content
+      return @content unless @content.nil?
+      @rules = {}
+
+      file = inspec.file(@conf_path)
+      if !file.file?
+        return skip_resource "Can't find file \"#{@conf_path}\""
+      end
+      raw_conf = file.content
+      if raw_conf.nil?
+        return skip_resource "File can't be opened or is empty \"#{@conf_path}\""
+      end
+      if raw_conf.empty? && !file.empty?
+        return skip_resource "Can't read file \"#{@conf_path}\""
+      end
+
+      # If there is a file and it contains content, continue
+      @content = filter_comments(inspec.file(@conf_path).content.lines)
+      @params = parse_conf(@content)
+    end
+
+    def filter_comments(data)
+      content = []
+      data.each do |line|
+        content_line, = parse_comment_line(line, comment_char: '#', standalone_comments: false)
+        content.push(content_line)
+      end
+      content
+    end
+
+    def parse_conf(content)
+      params = []
+      content.each do |line|
+        param = parse_line(line)
+        if !param['selection_line'].nil?
+          params.push(param)
+        end
+      end
+      params
+    end
+
+    def parse_line(line)
+      line_and_rules = {}
+      # Case when line is a rule line
+      if line.include?(' = ')
+        parse_rule_line(line)
+      # Case when line is a selection line
+      elsif line.start_with?('/', '!', '=')
+        line_and_rules = parse_selection_line(line)
+      end
+      line_and_rules
+    end
+
+    def parse_rule_line(line)
+      line.gsub!(/\s+/, '')
+      rule_line_arr = line.split('=')
+      rules_list = rule_line_arr.last.split('+')
+      rule_name = rule_line_arr.first
+      rules_list.each_index do |i|
+        # Cases where rule respresents one or more other rules
+        if @rules.key?(rules_list[i])
+          rules_list[i] = @rules[rules_list[i]]
+        end
+        rules_list[i] = handle_multi_rule(rules_list, i)
+      end
+      @rules[rule_name] = rules_list.flatten
+    end
+
+    def parse_selection_line(line)
+      selec_line_arr = line.split(' ')
+      selection_line = selec_line_arr.first
+      selection_line.chop! if selection_line.end_with?('/')
+      rule_list = selec_line_arr.last.split('+')
+      rule_list.each_index do |i|
+        hash_list = @rules[rule_list[i]]
+        # Cases where rule respresents one or more other rules
+        if !hash_list.nil?
+          rule_list[i] = hash_list
+        end
+        rule_list[i] = handle_multi_rule(rule_list, i)
+      end
+      rule_list.flatten!
+      {
+        'selection_line' => selection_line,
+        'rules' => rule_list,
+      }
+    end
+
+    def handle_multi_rule(rule_list, i)
+      # Rules that represent multiple rules (R,L,>)
+      r_rules = %w{p i l n u g s m c md5}
+      l_rules = %w{p i l n u g}
+      grow_log_rules = %w{p l u g i n S}
+
+      case rule_list[i]
+      when 'R'
+        return r_rules
+      when 'L'
+        return l_rules
+      when '>'
+        return grow_log_rules
+      end
+      rule_list[i]
+    end
+  end
+end