inspec 2.1.10 → 2.1.21

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: dd6ca3d6046fbcd15e86a238fbb76e2afa538e2e
-  data.tar.gz: 947fa82e657f26f88cb8ffc992b58190043f2d05
+  metadata.gz: 6cdce0354c3cafed2dcccede01e6a0bfb657a260
+  data.tar.gz: 56946a1e833a47bedb93542f07c62612bda4f69e
 SHA512:
-  metadata.gz: 98b909132cb1199ac0b9e96e9e818adac20a53199b7544b04982f87adf9c8dd814df2105b20a0443e5cfceda5365936473d0bdcfae9fd84bfbba8363693e13e1
-  data.tar.gz: e3e75bc3944070b62dd1c7f8452d15f54154860b4d4b2bf9621a090624d4f5faf68570d1e331b884e8a451ecbe97bc43630043a12f4232abad74ca625af82199
+  metadata.gz: 0dbfa4bff6f9d0ef9e5df5d1996f6ad456c6946d69c7c5ebc202ed270f491efc813e8a52dd3a04ba86fd98ef084877c1031d503f7f97ae346af31ae3739e17e1
+  data.tar.gz: 28b4defab9878584b4731a70907cf07df0d370ab1f414ba0e5be7907160310c86db562251344c2a51452f877ca3f3af55880d39fed3bccf7c927e66936068f0b

data/CHANGELOG.md

@@ -1,35 +1,57 @@
 # Change Log
 <!-- usage documentation: http://expeditor-docs.es.chef.io/configuration/changelog/ -->
-<!-- latest_release 2.1.10 -->
-## [v2.1.10](https://github.com/chef/inspec/tree/v2.1.10) (2018-03-22)
+<!-- latest_release 2.1.21 -->
+## [v2.1.21](https://github.com/chef/inspec/tree/v2.1.21) (2018-03-29)
 
-#### Merged Pull Requests
-- Remove obsolete mock [#2869](https://github.com/chef/inspec/pull/2869) ([TrevorBramble](https://github.com/TrevorBramble))
+#### Bug Fixes
+- Pw/pip windows bug [#2883](https://github.com/chef/inspec/pull/2883) ([pwelch](https://github.com/pwelch))
 <!-- latest_release -->
 
-<!-- release_rollup since=2.1.0 -->
-### Changes since 2.1.0 release
+<!-- release_rollup since=2.1.10 -->
+### Changes since 2.1.10 release
 
 #### Merged Pull Requests
-- Remove obsolete mock [#2869](https://github.com/chef/inspec/pull/2869) ([TrevorBramble](https://github.com/TrevorBramble)) <!-- 2.1.10 -->
-
-#### Bug Fixes
-- Revise /etc/hosts for correctness and clarity [#2863](https://github.com/chef/inspec/pull/2863) ([TrevorBramble](https://github.com/TrevorBramble)) <!-- 2.1.7 -->
-- Correct support platform for audit_policy [#2850](https://github.com/chef/inspec/pull/2850) ([pwelch](https://github.com/pwelch)) <!-- 2.1.4 -->
+- Pin to Train 1.3.0. [#2898](https://github.com/chef/inspec/pull/2898) ([jquick](https://github.com/jquick)) <!-- 2.1.20 -->
+- Add `pry-byebug` to our Gemfile.  [#2889](https://github.com/chef/inspec/pull/2889) ([miah](https://github.com/miah)) <!-- 2.1.16 -->
+- Mitigate trivial warning output on test [#2872](https://github.com/chef/inspec/pull/2872) ([eramoto](https://github.com/eramoto)) <!-- 2.1.15 -->
 
 #### Enhancements
-- Added support for proxy_command for remote SSH connections [#2385](https://github.com/chef/inspec/pull/2385) ([cbeckr](https://github.com/cbeckr)) <!-- 2.1.9 -->
-- Unify method in which file content is read across all resources [#2359](https://github.com/chef/inspec/pull/2359) ([eramoto](https://github.com/eramoto)) <!-- 2.1.5 -->
-- Remove supports binding for generic resources [#2848](https://github.com/chef/inspec/pull/2848) ([jquick](https://github.com/jquick)) <!-- 2.1.3 -->
-- Upgrade Thor to version 0.20.0. [#2843](https://github.com/chef/inspec/pull/2843) ([jquick](https://github.com/jquick)) <!-- 2.1.2 -->
+- powershell resource: Add support other OSs [#2894](https://github.com/chef/inspec/pull/2894) ([jerryaldrichiii](https://github.com/jerryaldrichiii)) <!-- 2.1.18 -->
+- registry_key resource was returning an incorrect value [#2871](https://github.com/chef/inspec/pull/2871) ([omar-irizarry](https://github.com/omar-irizarry)) <!-- 2.1.14 -->
+
+#### Bug Fixes
+- Pw/pip windows bug [#2883](https://github.com/chef/inspec/pull/2883) ([pwelch](https://github.com/pwelch)) <!-- 2.1.21 -->
+- Change route_table_id Regular Expression for correctness [#2885](https://github.com/chef/inspec/pull/2885) ([TrevorBramble](https://github.com/TrevorBramble)) <!-- 2.1.19 -->
+- Pin concurrent-ruby to version 1.0 to fix kitchen-ansible example [#2879](https://github.com/chef/inspec/pull/2879) ([visibilityspots](https://github.com/visibilityspots)) <!-- 2.1.13 -->
 
 #### New Resources
-- New Skeletal Resource aws_sns_subscription [#2697](https://github.com/chef/inspec/pull/2697) ([dromazmj](https://github.com/dromazmj)) <!-- 2.1.8 -->
-- New Skeletal Resource aws_sns_topics [#2696](https://github.com/chef/inspec/pull/2696) ([dromazmj](https://github.com/dromazmj)) <!-- 2.1.6 -->
-- Skelatal resource: aws_s3_bucket_object [#2620](https://github.com/chef/inspec/pull/2620) ([dromazmj](https://github.com/dromazmj)) <!-- 2.1.1 -->
+- new resource: aws rds instance (singular) [#2866](https://github.com/chef/inspec/pull/2866) ([HackerShark](https://github.com/HackerShark)) <!-- 2.1.17 -->
+- New Skeletal Resource aws_config_delivery_channel [#2641](https://github.com/chef/inspec/pull/2641) ([dromazmj](https://github.com/dromazmj)) <!-- 2.1.12 -->
+- New Skeletal Resource aws_kms_key [#2746](https://github.com/chef/inspec/pull/2746) ([dromazmj](https://github.com/dromazmj)) <!-- 2.1.11 -->
 <!-- release_rollup -->
 
 <!-- latest_stable_release -->
+## [v2.1.10](https://github.com/chef/inspec/tree/v2.1.10) (2018-03-22)
+
+#### New Resources
+- Skelatal resource: aws_s3_bucket_object [#2620](https://github.com/chef/inspec/pull/2620) ([dromazmj](https://github.com/dromazmj))
+- New Skeletal Resource aws_sns_topics [#2696](https://github.com/chef/inspec/pull/2696) ([dromazmj](https://github.com/dromazmj))
+- New Skeletal Resource aws_sns_subscription [#2697](https://github.com/chef/inspec/pull/2697) ([dromazmj](https://github.com/dromazmj))
+
+#### Enhancements
+- Upgrade Thor to version 0.20.0. [#2843](https://github.com/chef/inspec/pull/2843) ([jquick](https://github.com/jquick))
+- Remove supports binding for generic resources [#2848](https://github.com/chef/inspec/pull/2848) ([jquick](https://github.com/jquick))
+- Unify method in which file content is read across all resources [#2359](https://github.com/chef/inspec/pull/2359) ([eramoto](https://github.com/eramoto))
+- Added support for proxy_command for remote SSH connections [#2385](https://github.com/chef/inspec/pull/2385) ([cbeckr](https://github.com/cbeckr))
+
+#### Bug Fixes
+- Correct support platform for audit_policy [#2850](https://github.com/chef/inspec/pull/2850) ([pwelch](https://github.com/pwelch))
+- Revise /etc/hosts for correctness and clarity [#2863](https://github.com/chef/inspec/pull/2863) ([TrevorBramble](https://github.com/TrevorBramble))
+
+#### Merged Pull Requests
+- Remove obsolete mock [#2869](https://github.com/chef/inspec/pull/2869) ([TrevorBramble](https://github.com/TrevorBramble))
+<!-- latest_stable_release -->
+
 ## [v2.1.0](https://github.com/chef/inspec/tree/v2.1.0) (2018-03-15)
 
 #### Enhancements
@@ -42,7 +64,6 @@
 #### Merged Pull Requests
 - Docs: Describe support boundary between RSpec and InSpec [#2753](https://github.com/chef/inspec/pull/2753) ([clintoncwolfe](https://github.com/clintoncwolfe))
 - Sort file list for unit tests [#2812](https://github.com/chef/inspec/pull/2812) ([eramoto](https://github.com/eramoto))
-<!-- latest_stable_release -->
 
 ## [v2.0.45](https://github.com/chef/inspec/tree/v2.0.45) (2018-03-08)
 

data/Gemfile

@@ -23,6 +23,7 @@ group :test do
   gem 'jsonschema', '~> 2.0.2'
   gem 'passgen'
   gem 'm'
+  gem 'pry-byebug'
 end
 
 group :integration do

data/docs/resources/aws_config_delivery_channel.md

@@ -0,0 +1,79 @@
+---
+title: About the aws_config_delivery_channel Resource
+---
+
+# aws_config_delivery_channel
+
+The AWS Config service can monitor and record changes to your AWS resource configurations.  A Delivery Channel can record the changes
+to an S3 Bucket, an SNS or both.
+
+Use the `aws_config_delivery_channel` InSpec audit resource to examine how the AWS Config service delivers those change notifications.
+
+<br>
+
+## Syntax
+
+An `aws_config_delivery_channel` resource block declares the tests for a single AWS Config delivery channel.
+
+    describe aws_config_delivery_channel('my_channel') do
+      it { should exist }
+    end
+
+    describe aws_config_delivery_channel(channel_name: 'my-channel') do
+      it { should exist }
+    end
+
+<br>
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+### Test how frequent the channel writes configuration changes to the s3 bucket.
+
+    describe aws_config_delivery_channel(channel_name: 'my-recorder') do
+      its(delivery_frequency_in_hours) { should be > 3 }
+    end
+    
+## Properties
+    
+### s3_bucket_name
+
+Provides the name of the s3 bucket that the channel sends configuration changes to.  This is an optional value since a Delivery Channel can also talk to an SNS.
+
+    describe aws_config_delivery_channel(channel_name: 'my_channel')
+      its('s3_bucket_name') { should eq 'my_bucket' }
+    end
+    
+### s3_key_prefix
+
+Provides the s3 object key prefix (or "path") under which configuration data will be recorded.
+
+    describe aws_config_delivery_channel(channel_name: 'my_channel')
+      its('s3_key_prefix') { should eq 'log/' }
+    end
+    
+### sns_topic_arn
+
+Provides the ARN of the SNS topic for which the channel sends notifications about configuration changes.
+
+    describe aws_config_delivery_channel(channel_name: 'my_channel')
+      its('sns_topic_arn') { should eq 'arn:aws:sns:us-east-1:721741954427:sns_topic' }
+    end
+    
+### delivery_frequency_in_hours
+
+Provides how often the AWS Config sends configuration changes to the s3 bucket in the delivery channel.
+
+    describe aws_config_delivery_channel(channel_name: 'my_channel')
+      its('delivery_frequency_in_hours') { should eq 24 }
+      its('delivery_frequency_in_hours') { should be > 24 }
+    end
+    
+    
+<br>
+
+## Matchers
+
+This resource provides no matchers, aside from the standard exists matcher.
+

data/docs/resources/aws_iam_users.md.erb

@@ -59,7 +59,7 @@ The following examples show how to use this InSpec audit resource.
 
     console_users_with_unused_password = aws_iam_users
                                          .where(has_console_password?: true)
-                                         .where(password_never_used?: false)
+                                         .where(password_never_used?: true)
 
     describe console_users_with_unused_password do
       it { should_not exist }
@@ -69,7 +69,7 @@ The following examples show how to use this InSpec audit resource.
 
     console_users_with_used_password = aws_iam_users
                                        .where(has_console_password?: true)
-                                       .where(password_ever_used?: false)
+                                       .where(password_ever_used?: true)
 
     describe console_users_with_used_password do
       it { should exist }

data/docs/resources/aws_kms_key.md.erb

@@ -0,0 +1,171 @@
+---
+title: About the aws_kms_key Resource
+---
+
+# aws\_kms\_key
+
+Use the `aws_kms_key` InSpec audit resource to test properties of a single AWS KMS Key.
+
+Use aws_kms_key to verify the properties of a single key. Use aws_kms_keys to verify the properties of all or a group of keys.
+
+AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data. AWS KMS lets you create master keys that can never be exported from the service and which can be used to encrypt and decrypt data based on policies you define.
+
+Each AWS KMS Key is uniquely identified by its key_id or arn.
+
+<br>
+
+## Syntax
+
+An aws_kms_key resource block identifies a key by key_arn or the key id.
+
+    # Find a kms key by arn
+    describe aws_kms_key('arn:aws:kms:us-east-1::key/4321dcba-21io-23de-85he-ab0987654321') do
+      it { should exist }
+    end
+    
+    # Find a kms key by just the id
+    describe aws_kms_key('4321dcba-21io-23de-85he-ab0987654321') do
+      it { should exist }
+    end
+
+    # Hash syntax for key arn
+    describe aws_kms_key(key_arn: 'arn:aws:kms:us-east-1::key/4321dcba-21io-23de-85he-ab0987654321') do
+      it { should exist }
+    end
+
+<br>
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+### Test that the specified key does exist
+
+    describe aws_kms_key('arn:aws:kms:us-east-1::key/4321dcba-21io-23de-85he-ab0987654321') do
+      it { should exist }
+    end
+
+### Test that the specified key is enabled
+
+    describe aws_kms_key('arn:aws:kms:us-east-1::key/4321dcba-21io-23de-85he-ab0987654321') do
+      it { should be_enabled }
+    end
+
+### Test that the specified key is rotation enabled
+
+    describe aws_kms_key('arn:aws:kms:us-east-1::key/4321dcba-21io-23de-85he-ab0987654321') do
+      it { should have_rotation_enabled }
+    end
+
+<br>
+
+## Properties
+
+### key\_id
+
+The globally unique identifier for the key.
+
+    describe aws_kms_key('arn:aws:kms:us-east-1::key/4321dcba-21io-23de-85he-ab0987654321') do
+      its('key_id') { should cmp '4321dcba-21io-23de-85he-ab0987654321' }
+    end
+
+### arn
+
+The ARN identifier of the specified key. An ARN uniquely identifies the key within AWS.
+
+    describe aws_kms_key('arn:aws:kms:us-east-1::key/4321dcba-21io-23de-85he-ab0987654321') do
+      its('arn') { should cmp "arn:aws:kms:us-east-1::key/4321dcba-21io-23de-85he-ab0987654321" }
+    end
+
+### creation_date
+
+Specifies the date and time when the key was created. 
+
+    # Makes sure that the key was created at least 10 days ago
+    describe aws_kms_key('arn:aws:kms:us-east-1::key/4321dcba-21io-23de-85he-ab0987654321') do
+      its('creation_date') { should be < Time.now - 10 * 86400 }
+    end
+
+### created\_days\_ago
+
+Specifies the number of days since the key was created.
+
+    describe aws_kms_key('arn:aws:kms:us-east-1::key/4321dcba-21io-23de-85he-ab0987654321') do
+      its('created_days_ago') { should be > 10 }
+    end
+
+
+### key\_state
+
+Specifies the state of the key one of "Enabled", "Disabled", "PendingDeletion", "PendingImport". To just check if the key is enabled or not, use the `be_enabled` matcher.
+
+    describe aws_kms_key('arn:aws:kms:us-east-1::key/4321dcba-21io-23de-85he-ab0987654321') do
+      its('key_state') { should cmp "Enabled" }
+    end
+
+### description
+
+Specifies the description of the key.
+
+    describe aws_kms_key('arn:aws:kms:us-east-1::key/4321dcba-21io-23de-85he-ab0987654321') do
+      its('description') { should cmp "key-description" }
+    end
+
+### deletion\_time
+
+Specifies the date and time after which AWS KMS deletes the key. This value is present only when KeyState is PendingDeletion , otherwise this value is nil.
+
+    describe aws_kms_key('arn:aws:kms:us-east-1::key/4321dcba-21io-23de-85he-ab0987654321') do
+      its('deletion_time') { should cmp > Time.now + 7 * 86400 }
+    end
+
+### invalidation\_time
+
+Provides the date and time until the key is not valid.  Once the key is not valid, AWS KMS deletes the key and it becomes unusable.  This value will be null unless the keys Origin is EXTERNAL and its matcher have_key_expiration is set to true.
+
+    describe aws_kms_key('arn:aws:kms:us-east-1::key/4321dcba-21io-23de-85he-ab0987654321') do
+      its('invalidation_time') { should cmp > Time.now + 7 * 86400 }
+    end
+
+## Matchers
+
+This InSpec audit resource has the following special matchers. For a full list of available matchers (such as `exist`) please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
+
+### be\_enabled
+
+The test will pass if the specified key's key_state is set to enabled.
+
+    describe aws_kms_key('arn:aws:kms:us-east-1::key/4321dcba-21io-23de-85he-ab0987654321') do
+      it { should be_enabled }
+    end
+    
+### be\_external
+Provides whether the source of the key's key material is external or not.  If it is not external than it was created by AWS KMS.  When it is external, the key material was imported from an existing key management infrastructure or the key lacks key material.
+
+    describe aws_kms_key('arn:aws:kms:us-east-1::key/4321dcba-21io-23de-85he-ab0987654321') do
+      its { should be_external }
+    end
+    
+### be\_managed\_by\_aws
+
+Provides whether or not the key manager is from AWS. If it is not managed by AWS, it is managed by the customer.
+
+    describe aws_kms_key('arn:aws:kms:us-east-1::key/4321dcba-21io-23de-85he-ab0987654321') do
+      its { should be_managed_by_aws }
+    end
+    
+### have\_key\_expiration
+
+Specifies whether the key's key material expires. This value is null unless the keys Origin is External.
+
+    describe aws_kms_key('arn:aws:kms:us-east-1::key/4321dcba-21io-23de-85he-ab0987654321') do
+      its { should have_key_expiration }
+    end
+
+### have\_rotation\_enabled
+
+The test will pass if automatic rotation of the key material is enabled for the specified key.
+
+    describe aws_kms_key('arn:aws:kms:us-east-1::key/4321dcba-21io-23de-85he-ab0987654321') do
+      it { should have_rotation_enabled }
+    end

data/docs/resources/aws_rds_instance.md.erb

@@ -0,0 +1,60 @@
+---
+title: About the aws_rds_instance Resource
+---
+
+# aws\_rds\_instance
+
+Use the `aws_rds_instance` InSpec audit resource to test detailed properties of an individual RDS instance.
+
+RDS gives you access to the capabilities of a MySQL, MariaDB, PostgreSQL, Microsoft SQL Server, Oracle, or Amazon Aurora database server.
+
+<br>
+
+## Syntax
+
+An `aws_rds_instance` resource block uses resource parameters to search for an RDS instance, and then tests that RDS instance.  If no RDS instances match, no error is raised, but the `exists` matcher will return `false` and all properties will be `nil`.  If more than one RDS instance matches (due to vague search parameters), an error is raised.
+
+    # Ensure you have a RDS instance with a certain ID
+    # This is "safe" - RDS IDs are unique within an account
+    describe aws_rds_instance('test-instance-id') do
+      it { should exist }
+    end
+
+    # Ensure you have a RDS instance with a certain ID
+    # This uses hash syntax
+    describe aws_rds_instance(db_instance_identifier: 'test-instance-id') do
+      it { should exist }
+    end
+
+<br>
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+As this is the initial release of `aws_rds_instance`, its limited functionality precludes examples.
+
+<br>
+
+## Resource Parameters
+
+This InSpec resource accepts the following parameters, which are used to search for the RDS instance.
+
+### exists
+
+The control will pass if the specified RDS instance was found.  Use should_not if you want to verify that the specified RDS instance does not exist.
+
+    # Using Hash syntax
+    describe aws_rds_instance(db_instance_identifier: 'test-instance-id') do
+      it { should exist }
+    end
+
+    # Using the instance id directly from the terraform file
+    describe aws_rds_instance(fixtures['rds_db_instance_id']) do
+      it { should exist }
+    end
+
+    # Make sure we don't have any RDS instances with the name 'nogood'
+    describe aws_rds_instance('nogood') do
+      it { should_not exist }
+    end

data/docs/resources/yaml.md.erb

@@ -40,7 +40,7 @@ Like the `json` resource, the `yaml` resource can read a file, run a command, or
       its('state') { should eq 'open' }
     end
 
-    describe yaml({ content: \"key1: value1\nkey2: value2\" }) do
+    describe yaml({ content: "\"key1: value1\nkey2: value2\"" }) do
       its('key2') { should cmp 'value2' }
     end
 
@@ -53,7 +53,7 @@ The following examples show how to use this InSpec audit resource.
 ### Test a kitchen.yml file driver
 
     describe yaml('.kitchen.yaml') do
-      its('driver.name') { should eq('vagrant') }
+      its(['driver','name']) { should eq('vagrant') }
     end
 
 <br>

data/examples/kitchen-ansible/Gemfile

@@ -15,5 +15,5 @@ group :integration do
   gem 'kitchen-ansible'
   gem 'kitchen-vagrant'
   gem 'kitchen-inspec'
-  gem 'concurrent-ruby', '~> 0.9'
+  gem 'concurrent-ruby', '~> 1.0'
 end

data/inspec.gemspec

@@ -26,7 +26,7 @@ Gem::Specification.new do |spec|
 
   spec.required_ruby_version = '>= 2.3'
 
-  spec.add_dependency 'train', '~> 1.2'
+  spec.add_dependency 'train', '~> 1.3'
   spec.add_dependency 'thor', '~> 0.20'
   spec.add_dependency 'json', '>= 1.8', '< 3.0'
   spec.add_dependency 'method_source', '~> 0.8'

data/lib/bundles/inspec-habitat/profile.rb

@@ -31,6 +31,7 @@ module Habitat
     def initialize(path, options = {})
       @path    = path
       @options = options
+      @cli_config = nil
 
       log_level = options.fetch('log_level', 'info')
       Habitat::Log.level(log_level.to_sym)

data/lib/inspec/profile.rb

@@ -115,6 +115,9 @@ module Inspec
       @runner_context =
         options[:profile_context] ||
         Inspec::ProfileContext.for_profile(self, @backend, @attr_values)
+
+      @supports_platform = metadata.supports_platform?(@backend)
+      @supports_runtime = metadata.supports_runtime?
     end
 
     def name

data/lib/inspec/profile_context.rb

@@ -38,6 +38,7 @@ module Inspec
       # in the transitive dependency tree of the loaded profile.
       @resource_registry = Inspec::Resource.new_registry
       @library_eval_context = Inspec::LibraryEvalContext.create(@resource_registry, @require_loader)
+      @current_load = nil
     end
 
     def dependencies

data/lib/inspec/version.rb

@@ -4,5 +4,5 @@
 # author: Christoph Hartmann
 
 module Inspec
-  VERSION = '2.1.10'
+  VERSION = '2.1.21'
 end

data/lib/resource_support/aws.rb

@@ -16,6 +16,7 @@ require 'resources/aws/aws_cloudtrail_trail'
 require 'resources/aws/aws_cloudtrail_trails'
 require 'resources/aws/aws_cloudwatch_alarm'
 require 'resources/aws/aws_cloudwatch_log_metric_filter'
+require 'resources/aws/aws_config_delivery_channel'
 require 'resources/aws/aws_config_recorder'
 require 'resources/aws/aws_ec2_instance'
 require 'resources/aws/aws_iam_access_key'
@@ -29,7 +30,9 @@ require 'resources/aws/aws_iam_role'
 require 'resources/aws/aws_iam_root_user'
 require 'resources/aws/aws_iam_user'
 require 'resources/aws/aws_iam_users'
+require 'resources/aws/aws_kms_key'
 require 'resources/aws/aws_kms_keys'
+require 'resources/aws/aws_rds_instance'
 require 'resources/aws/aws_route_table'
 require 'resources/aws/aws_s3_bucket'
 require 'resources/aws/aws_s3_bucket_object'

data/lib/resources/aws/aws_config_delivery_channel.rb

@@ -0,0 +1,76 @@
+class AwsConfigDeliveryChannel < Inspec.resource(1)
+  name 'aws_config_delivery_channel'
+  desc 'Verifies settings for AWS Config Delivery Channel'
+  example "
+    describe aws_config_delivery_channel do
+      it { should exist }
+      its('s3_bucket_name') { should eq 'my_bucket' }
+      its('sns_topic_arn') { should eq arn:aws:sns:us-east-1:721741954427:sns_topic' }
+    end
+  "
+  supports platform: 'aws'
+
+  include AwsSingularResourceMixin
+  attr_reader :channel_name, :s3_bucket_name, :s3_key_prefix, :sns_topic_arn,
+              :delivery_frequency_in_hours
+
+  def to_s
+    "Config_Delivery_Channel: #{@channel_name}"
+  end
+
+  private
+
+  def validate_params(raw_params)
+    validated_params = check_resource_param_names(
+      raw_params: raw_params,
+      allowed_params: [:channel_name],
+      allowed_scalar_name: :channel_name,
+      allowed_scalar_type: String,
+    )
+
+    # Make sure channel_name is given as param
+    if validated_params[:channel_name].nil?
+      raise ArgumentError, 'You must provide a channel_name to aws_config_delivery_channel'
+    end
+
+    validated_params
+  end
+
+  def fetch_from_api
+    backend = BackendFactory.create(inspec_runner)
+    query = { delivery_channel_names: [@channel_name] }
+    catch_aws_errors do
+      @resp = backend.describe_delivery_channels(query)
+    end
+    @exists = !@resp.empty?
+    return unless @exists
+
+    @channel = @resp.delivery_channels.first.to_h
+    @channel_name = @channel[:name]
+    @s3_bucket_name = @channel[:s3_bucket_name]
+    @s3_key_prefix = @channel[:s3_key_prefix]
+    @sns_topic_arn = @channel[:sns_topic_arn]
+    @delivery_frequency_in_hours = @channel[:config_snapshot_delivery_properties][:delivery_frequency] unless @channel[:config_snapshot_delivery_properties].nil?
+    frequencies = {
+      'One_Hour' => 1,
+      'TwentyFour_Hours' => 24,
+      'Three_Hours' => 3,
+      'Six_Hours' => 6,
+      'Twelve_Hours' => 12,
+    }
+    @delivery_frequency_in_hours = frequencies[@delivery_frequency_in_hours]
+  end
+
+  class Backend
+    class AwsClientApi < AwsBackendBase
+      BackendFactory.set_default_backend(self)
+      self.aws_client_class = Aws::ConfigService::Client
+
+      def describe_delivery_channels(query)
+        aws_service_client.describe_delivery_channels(query)
+      rescue Aws::ConfigService::Errors::NoSuchDeliveryChannelException
+        return {}
+      end
+    end
+  end
+end

data/lib/resources/aws/aws_kms_key.rb

@@ -0,0 +1,96 @@
+class AwsKmsKey < Inspec.resource(1)
+  name 'aws_kms_key'
+  desc 'Verifies settings for an individual AWS KMS Key'
+  example "
+    describe aws_kms_key('arn:aws:kms:us-east-1::key/4321dcba-21io-23de-85he-ab0987654321') do
+      it { should exist }
+    end
+  "
+
+  supports platform: 'aws'
+
+  include AwsSingularResourceMixin
+  attr_reader :key_id, :arn, :creation_date, :key_usage, :key_state, :description,
+              :deletion_date, :valid_to, :external, :has_key_expiration, :managed_by_aws,
+              :has_rotation_enabled, :enabled
+  # Use aliases for matchers
+  alias deletion_time deletion_date
+  alias invalidation_time valid_to
+  alias external? external
+  alias enabled? enabled
+  alias managed_by_aws? managed_by_aws
+  alias has_key_expiration? has_key_expiration
+  alias has_rotation_enabled? has_rotation_enabled
+
+  def to_s
+    "KMS Key #{@key_id}"
+  end
+
+  def created_days_ago
+    ((Time.now - creation_date)/(24*60*60)).to_i unless creation_date.nil?
+  end
+
+  private
+
+  def validate_params(raw_params)
+    validated_params = check_resource_param_names(
+      raw_params: raw_params,
+      allowed_params: [:key_id],
+      allowed_scalar_name: :key_id,
+      allowed_scalar_type: String,
+    )
+
+    if validated_params.empty?
+      raise ArgumentError, "You must provide the parameter 'key_id' to aws_kms_key."
+    end
+
+    validated_params
+  end
+
+  def fetch_from_api
+    backend = BackendFactory.create(inspec_runner)
+
+    query = { key_id: @key_id }
+    catch_aws_errors do
+      begin
+        resp = backend.describe_key(query)
+
+        @exists = true
+        @key = resp.key_metadata.to_h
+        @key_id = @key[:key_id]
+        @arn = @key[:arn]
+        @creation_date = @key[:creation_date]
+        @enabled = @key[:enabled]
+        @description = @key[:description]
+        @key_usage = @key[:key_usage]
+        @key_state = @key[:key_state]
+        @deletion_date = @key[:deletion_date]
+        @valid_to = @key[:valid_to]
+        @external = @key[:origin] == 'EXTERNAL'
+        @has_key_expiration = @key[:expiration_model] == 'KEY_MATERIAL_EXPIRES'
+        @managed_by_aws = @key[:key_manager] == 'AWS'
+
+        resp = backend.get_key_rotation_status(query)
+        @has_rotation_enabled = resp.key_rotation_enabled unless resp.empty?
+      rescue Aws::KMS::Errors::NotFoundException
+        @exists = false
+        return
+      end
+    end
+  end
+
+  class Backend
+    class AwsClientApi < AwsBackendBase
+      BackendFactory.set_default_backend(self)
+      self.aws_client_class = Aws::KMS::Client
+
+      def describe_key(query)
+        aws_service_client.describe_key(query)
+      end
+
+      def get_key_rotation_status(query)
+        aws_service_client.get_key_rotation_status(query)
+      end
+    end
+  end
+end

data/lib/resources/aws/aws_rds_instance.rb

@@ -0,0 +1,71 @@
+# author: Mohamed El-Sharkawi
+class AwsRdsInstance < Inspec.resource(1)
+  name 'aws_rds_instance'
+  desc 'Verifies settings for an rds instance'
+  example "
+    describe aws_rds_instance(db_instance_identifier: 'test-instance-id') do
+      it { should exist }
+    end
+  "
+  supports platform: 'aws'
+
+  include AwsSingularResourceMixin
+  attr_reader :db_instance_identifier
+
+  def to_s
+    "RDS Instance #{@db_instance_identifier}"
+  end
+
+  private
+
+  def validate_params(raw_params)
+    validated_params = check_resource_param_names(
+      raw_params: raw_params,
+      allowed_params: [:db_instance_identifier],
+      allowed_scalar_name: :db_instance_identifier,
+      allowed_scalar_type: String,
+    )
+    if validated_params.empty? or !validated_params.key?(:db_instance_identifier)
+      raise ArgumentError, 'You must provide an id for the aws_rds_instance.'
+    end
+
+    if validated_params.key?(:db_instance_identifier) && validated_params[:db_instance_identifier] !~ /^[a-z]{1}[0-9a-z\-]{0,62}$/
+      raise ArgumentError, 'aws_rds_instance Database Instance ID must be in the format: start with a letter followed by up to 62 letters/numbers/hyphens.'
+    end
+
+    validated_params
+  end
+
+  def fetch_from_api
+    backend = BackendFactory.create(inspec_runner)
+    dsg_response = nil
+    catch_aws_errors do
+      begin
+        dsg_response = backend.describe_db_instances(db_instance_identifier: db_instance_identifier)
+        @exists = true
+      rescue Aws::RDS::Errors::DBInstanceNotFound
+        @exists = false
+        return
+      end
+    end
+
+    if dsg_response.db_instances.empty?
+      @exists = false
+      return
+    end
+
+    @db_instance_identifier = dsg_response.db_instances[0].db_instance_identifier
+  end
+
+  # Uses the SDK API to really talk to AWS
+  class Backend
+    class AwsClientApi < AwsBackendBase
+      BackendFactory.set_default_backend(self)
+      self.aws_client_class = Aws::RDS::Client
+
+      def describe_db_instances(query)
+        aws_service_client.describe_db_instances(query)
+      end
+    end
+  end
+end

data/lib/resources/aws/aws_route_table.rb

@@ -26,9 +26,11 @@ class AwsRouteTable < Inspec.resource(1)
       allowed_scalar_type: String,
     )
 
-    if validated_params.key?(:route_table_id) && validated_params[:route_table_id] !~ /^rtb\-[0-9a-f]{8}/
-      raise ArgumentError, 'aws_route_table Route Table ID must be in the' \
-       ' format "rtb-" followed by 8 hexadecimal characters.'
+    if validated_params.key?(:route_table_id) &&
+       validated_params[:route_table_id] !~ /^rtb\-[0-9a-f]{8}$/
+      raise ArgumentError,
+            'aws_route_table Route Table ID must be in the' \
+            ' format "rtb-" followed by 8 hexadecimal characters.'
     end
 
     validated_params

data/lib/resources/azure/azure_virtual_machine_data_disk.rb

@@ -17,8 +17,6 @@ module Inspec::Resources
     filter = FilterTable.create
     filter.add_accessor(:where)
           .add_accessor(:entries)
-          .add_accessor(:has_data_disks?)
-          .add_accessor(:count)
           .add(:exists?) { |x| !x.entries.empty? }
           .add(:disk, field: :disk)
           .add(:number, field: :number)

data/lib/resources/http.rb

@@ -74,6 +74,7 @@ module Inspec::Resources
           @http_method = http_method
           @url = url
           @opts = opts
+          @response = nil
         end
 
         private
@@ -152,6 +153,7 @@ module Inspec::Resources
                   'curl is not available on the target machine'
           end
 
+          @ran_curl = false
           @inspec = inspec
           super(http_method, url, opts)
         end

data/lib/resources/nginx.rb

@@ -34,7 +34,7 @@ module Inspec::Resources
       read_content
     end
 
-    %w{compiler_info error_log_path http_client_body_temp_path http_fastcgi_temp_path http_log_path http_proxy_temp_path http_scgi_temp_path http_uwsgi_temp_path lock_path modules_path openssl_version prefix sbin_path service support_info version}.each do |property|
+    %w{error_log_path http_client_body_temp_path http_fastcgi_temp_path http_log_path http_proxy_temp_path http_scgi_temp_path http_uwsgi_temp_path lock_path modules_path prefix sbin_path service version}.each do |property|
       define_method(property.to_sym) do
         @params[property.to_sym]
       end

data/lib/resources/os_env.rb

@@ -22,7 +22,6 @@ module Inspec::Resources
       end
     "
 
-    attr_reader :content
     def initialize(env = nil)
       @osenv = env
     end

data/lib/resources/pip.rb

@@ -26,7 +26,8 @@ module Inspec::Resources
     def initialize(package_name, pip_path = nil)
       @package_name = package_name
       @pip_cmd = pip_path || default_pip_path
-      return skip_resource 'pip not found' unless inspec.command(@pip_cmd).exist?
+
+      return skip_resource 'pip not found' if @pip_cmd.nil?
     end
 
     def info
@@ -34,8 +35,7 @@ module Inspec::Resources
 
       @info = {}
       @info[:type] = 'pip'
-      cmd = inspec.command("#{@pip_cmd} show #{@package_name}")
-      return @info if cmd.exit_status != 0
+      return @info unless cmd_successful?
 
       params = SimpleConfig.new(
         cmd.stdout,
@@ -62,19 +62,60 @@ module Inspec::Resources
 
     private
 
+    def cmd
+      @__cmd ||= inspec.command("#{@pip_cmd} show #{@package_name}")
+    end
+
+    def cmd_successful?
+      return true if cmd.exit_status == 0
+
+      if cmd.exit_status != 0
+        # If pip on windows is not the latest, it will create a stderr value along with stdout
+        # Example:
+        #   stdout: "Name: Jinja2\r\nVersion: 2.10..."
+        #   stderr: "You are using pip version 9.0.1, however version 9.0.3 is available..."
+        if inspec.os.windows? && !cmd.stdout.empty?
+          return true
+        end
+      end
+
+      false
+    end
+
+    # Paths of Python and Pip on windows
+    # {"Pip" => nil, "Python" => "/path/to/python"}
+    #
+    # @return [Hash] of windows_paths
+    def windows_paths
+      return @__windows_paths if @__windows_paths
+      cmd = inspec.command(
+        'New-Object -Type PSObject |
+         Add-Member -MemberType NoteProperty -Name Pip -Value (Invoke-Command -ScriptBlock {where.exe pip}) -PassThru |
+         Add-Member -MemberType NoteProperty -Name Python -Value (Invoke-Command -ScriptBlock {where.exe python}) -PassThru |
+         ConvertTo-Json',
+      )
+
+      @__windows_paths = JSON.parse(cmd.stdout)
+    end
+
+    # Default path of python pip installation
+    #
+    # @return [String] of python pip path
     def default_pip_path
       return 'pip' unless inspec.os.windows?
 
+      # If python is not found, return with skip_resource
+      return skip_resource 'python not found' if windows_paths['Python'].nil?
+
       # Pip is not on the default path for Windows, therefore we do some logic
       # to find the binary on Windows
-      cmd = inspec.command('New-Object -Type PSObject | Add-Member -MemberType NoteProperty -Name Pip -Value (Invoke-Command -ScriptBlock {where.exe pip}) -PassThru | Add-Member -MemberType NoteProperty -Name Python -Value (Invoke-Command -ScriptBlock {where.exe python}) -PassThru | ConvertTo-Json')
       begin
-        paths = JSON.parse(cmd.stdout)
         # use pip if it on system path
-        pipcmd = paths['Pip']
+        pipcmd = windows_paths['Pip']
         # calculate path on windows
-        if defined?(paths['Python']) && pipcmd.nil?
-          pipdir = paths['Python'].split('\\')
+        if defined?(windows_paths['Python']) && pipcmd.nil?
+          return nil if windows_paths['Pip'].nil?
+          pipdir = windows_paths['Python'].split('\\')
           # remove python.exe
           pipdir.pop
           pipcmd = pipdir.push('Scripts').push('pip.exe').join('/')

data/lib/resources/powershell.rb

@@ -17,9 +17,22 @@ module Inspec::Resources
     "
 
     def initialize(script)
-      # since WinRM 2.0 and the default use of powershell for local execution in
-      # train, we do not need to wrap the script here anymore
-      super(script)
+      # PowerShell is the default shell on Windows, use the `command` resource
+      return super(script) if inspec.os.windows?
+
+      unless inspec.command('pwsh').exist?
+        raise Inspec::Exceptions::ResourceSkipped, 'Can not find `pwsh` command'
+      end
+
+      # Prevent progress stream from leaking into stderr
+      command = "$ProgressPreference='SilentlyContinue';" + script
+
+      # Encode as Base64 to remove any quotes/escapes/etc issues
+      command = command.encode('UTF-16LE', 'UTF-8')
+      command = Base64.strict_encode64(command)
+
+      # Use the `command` resource to execute the command via `pwsh`
+      super("pwsh -encodedCommand '#{command}'")
     end
 
     # we cannot determine if a command exists, because that does not work for scripts

data/lib/resources/registry_key.rb

@@ -163,10 +163,11 @@ module Inspec::Resources
         $properties = New-Object -Type PSObject
         $reg.Property | ForEach-Object {
             $key = $_
-            if ("(default)".Equals($key)) { $key = '' }
+            $keytype = $key
+            if ("(default)".Equals($key)) { $keytype = '' }
             $value = New-Object psobject -Property @{
-              "value" =  $reg.GetValue($key);
-              "type"  = $reg.GetValueKind($key);
+              "value" =  $(Get-ItemProperty ('Registry::' + $path)).$key;
+              "type"  = $reg.GetValueKind($keytype);
             }
             $properties | Add-Member NoteProperty $_ $value
         }

data/lib/utils/filter.rb

@@ -180,6 +180,7 @@ module FilterTable
     def initialize
       @accessors = []
       @connectors = {}
+      @resource = nil
     end
 
     def connect(resource, table_accessor) # rubocop:disable Metrics/AbcSize

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec
 version: !ruby/object:Gem::Version
-  version: 2.1.10
+  version: 2.1.21
 platform: ruby
 authors:
 - Dominik Richter
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-03-22 00:00:00.000000000 Z
+date: 2018-03-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: train
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.2'
+        version: '1.3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.2'
+        version: '1.3'
 - !ruby/object:Gem::Dependency
   name: thor
   requirement: !ruby/object:Gem::Requirement
@@ -312,6 +312,7 @@ files:
 - docs/resources/aws_cloudtrail_trails.md.erb
 - docs/resources/aws_cloudwatch_alarm.md.erb
 - docs/resources/aws_cloudwatch_log_metric_filter.md.erb
+- docs/resources/aws_config_delivery_channel.md
 - docs/resources/aws_config_recorder.md.erb
 - docs/resources/aws_ec2_instance.md.erb
 - docs/resources/aws_iam_access_key.md.erb
@@ -325,7 +326,9 @@ files:
 - docs/resources/aws_iam_root_user.md.erb
 - docs/resources/aws_iam_user.md.erb
 - docs/resources/aws_iam_users.md.erb
+- docs/resources/aws_kms_key.md.erb
 - docs/resources/aws_kms_keys.md.erb
+- docs/resources/aws_rds_instance.md.erb
 - docs/resources/aws_route_table.md.erb
 - docs/resources/aws_s3_bucket.md.erb
 - docs/resources/aws_s3_bucket_object.md.erb
@@ -626,6 +629,7 @@ files:
 - lib/resources/aws/aws_cloudtrail_trails.rb
 - lib/resources/aws/aws_cloudwatch_alarm.rb
 - lib/resources/aws/aws_cloudwatch_log_metric_filter.rb
+- lib/resources/aws/aws_config_delivery_channel.rb
 - lib/resources/aws/aws_config_recorder.rb
 - lib/resources/aws/aws_ec2_instance.rb
 - lib/resources/aws/aws_iam_access_key.rb
@@ -639,7 +643,9 @@ files:
 - lib/resources/aws/aws_iam_root_user.rb
 - lib/resources/aws/aws_iam_user.rb
 - lib/resources/aws/aws_iam_users.rb
+- lib/resources/aws/aws_kms_key.rb
 - lib/resources/aws/aws_kms_keys.rb
+- lib/resources/aws/aws_rds_instance.rb
 - lib/resources/aws/aws_route_table.rb
 - lib/resources/aws/aws_s3_bucket.rb
 - lib/resources/aws/aws_s3_bucket_object.rb