inspec 2.1.30 → 2.1.43

data/lib/inspec/base_cli.rb

@@ -26,6 +26,8 @@ module Inspec
         desc: 'The login user for a remote scan.'
       option :password, type: :string, lazy_default: -1,
         desc: 'Login password for a remote scan, if required.'
+      option :enable_password, type: :string, lazy_default: -1,
+        desc: 'Password for enable mode on Cisco IOS devices.'
       option :key_files, aliases: :i, type: :array,
         desc: 'Login key or certificate file for a remote scan.'
       option :path, type: :string,

data/lib/inspec/objects/attribute.rb

@@ -6,7 +6,17 @@ module Inspec
     attr_writer :value
 
     DEFAULT_ATTRIBUTE = Class.new do
+      def initialize(name)
+        @name = name
+      end
+
       def method_missing(*_)
+        Inspec::Log.warn(
+          "Returning DEFAULT_ATTRIBUTE for '#{@name}'. "\
+          "Use --attrs to provide a value for '#{@name}' or specify a default  "\
+          "value with `attribute('#{@name}', default: 'somedefault', ...)`.",
+        )
+
         self
       end
 
@@ -27,7 +37,7 @@ module Inspec
     end
 
     def default
-      @opts.key?(:default) ? @opts[:default] : DEFAULT_ATTRIBUTE.new
+      @opts.key?(:default) ? @opts[:default] : DEFAULT_ATTRIBUTE.new(@name)
     end
 
     def title

data/lib/inspec/reporters/junit.rb

@@ -43,6 +43,7 @@ module Inspec::Reporters
       result_xml = REXML::Element.new('testcase')
       result_xml.add_attribute('name', result[:code_desc])
       result_xml.add_attribute('classname', control[:title].nil? ? "#{profile_name}.Anonymous" : "#{profile_name}.#{control[:id]}")
+      result_xml.add_attribute('target', run_data[:platform][:target].nil? ? '' : run_data[:platform][:target].to_s)
       result_xml.add_attribute('time', result[:run_time])
 
       if result[:status] == 'failed'

data/lib/inspec/version.rb

@@ -4,5 +4,5 @@
 # author: Christoph Hartmann
 
 module Inspec
-  VERSION = '2.1.30'
+  VERSION = '2.1.43'
 end

data/lib/resources/aws/aws_cloudtrail_trail.rb

@@ -29,6 +29,18 @@ class AwsCloudTrailTrail < Inspec.resource(1)
     !kms_key_id.nil?
   end
 
+  def delivered_logs_days_ago
+    query = { name: @trail_name }
+    catch_aws_errors do
+      begin
+        resp = BackendFactory.create(inspec_runner).get_trail_status(query).to_h
+        ((Time.now - resp[:latest_cloud_watch_logs_delivery_time])/(24*60*60)).to_i unless resp[:latest_cloud_watch_logs_delivery_time].nil?
+      rescue Aws::CloudTrail::Errors::TrailNotFoundException
+        nil
+      end
+    end
+  end
+
   private
 
   def validate_params(raw_params)
@@ -72,6 +84,10 @@ class AwsCloudTrailTrail < Inspec.resource(1)
       def describe_trails(query)
         aws_service_client.describe_trails(query)
       end
+
+      def get_trail_status(query)
+        aws_service_client.get_trail_status(query)
+      end
     end
   end
 end

data/lib/resources/aws/aws_cloudwatch_alarm.rb

@@ -3,7 +3,7 @@ class AwsCloudwatchAlarm < Inspec.resource(1)
   desc <<-EOD
   # Look for a specific alarm
   aws_cloudwatch_alarm(
-    metric: 'my-metric-name',
+    metric_name: 'my-metric-name',
     metric_namespace: 'my-metric-namespace',
   ) do
     it { should exist }

data/lib/resources/aws/aws_iam_group.rb

@@ -9,7 +9,7 @@ class AwsIamGroup < Inspec.resource(1)
   supports platform: 'aws'
 
   include AwsSingularResourceMixin
-  attr_reader :group_name
+  attr_reader :group_name, :users
 
   def to_s
     "IAM Group #{group_name}"
@@ -36,8 +36,10 @@ class AwsIamGroup < Inspec.resource(1)
     backend = AwsIamGroup::BackendFactory.create(inspec_runner)
 
     begin
-      @aws_group_struct = backend.get_group(group_name: group_name)[:group]
+      resp = backend.get_group(group_name: group_name)
       @exists = true
+      @aws_group_struct = resp[:group]
+      @users = resp[:users].map(&:user_name)
     rescue Aws::IAM::Errors::NoSuchEntity
       @exists = false
     end

data/lib/resources/aws/aws_iam_policy.rb

@@ -1,3 +1,7 @@
+require 'json'
+require 'set'
+require 'uri'
+
 class AwsIamPolicy < Inspec.resource(1)
   name 'aws_iam_policy'
   desc 'Verifies settings for individual AWS IAM Policy'
@@ -12,6 +16,21 @@ class AwsIamPolicy < Inspec.resource(1)
 
   attr_reader :arn, :attachment_count, :default_version_id
 
+  EXPECTED_CRITERIA = %w{
+    Action
+    Effect
+    Resource
+    Sid
+  }.freeze
+
+  UNIMPLEMENTED_CRITERIA = %w{
+    Conditional
+    NotAction
+    NotPrincipal
+    NotResource
+    Principal
+  }.freeze
+
   def to_s
     "Policy #{@policy_name}"
   end
@@ -50,8 +69,133 @@ class AwsIamPolicy < Inspec.resource(1)
     attached_roles.include?(role_name)
   end
 
+  def policy
+    return nil unless exists?
+    return @policy if defined?(@policy)
+
+    catch_aws_errors do
+      backend = BackendFactory.create(inspec_runner)
+      gpv_response = backend.get_policy_version(policy_arn: arn, version_id: default_version_id)
+      @policy = JSON.parse(URI.decode_www_form_component(gpv_response.policy_version.document))
+    end
+    @policy
+  end
+
+  def statement_count
+    return nil unless exists?
+    policy['Statement'].count
+  end
+
+  def has_statement?(raw_criteria = {})
+    return nil unless exists?
+    criteria = has_statement__normalize_criteria(has_statement__validate_criteria(raw_criteria))
+    @normalized_statements ||= has_statement__normalize_statements
+    statements = has_statement__focus_on_sid(@normalized_statements, criteria)
+    statements.any? do |statement|
+      true && \
+        has_statement__effect(statement, criteria) && \
+        has_statement__array_criterion(:action, statement, criteria) && \
+        has_statement__array_criterion(:resource, statement, criteria)
+    end
+  end
+
   private
 
+  def has_statement__validate_criteria(raw_criteria)
+    recognized_criteria = {}
+    EXPECTED_CRITERIA.each do |expected_criterion|
+      if raw_criteria.key?(expected_criterion)
+        recognized_criteria[expected_criterion] = raw_criteria.delete(expected_criterion)
+      end
+    end
+
+    # Special message for valid, but unimplemented statement attributes
+    UNIMPLEMENTED_CRITERIA.each do |unimplemented_criterion|
+      if raw_criteria.key?(unimplemented_criterion)
+        raise ArgumentError, "Criterion '#{unimplemented_criterion}' is not supported for performing have_statement queries."
+      end
+    end
+
+    # If anything is left, it's spurious
+    unless raw_criteria.empty?
+      raise ArgumentError, "Unrecognized criteria #{raw_criteria.keys.join(', ')} to have_statement.  Recognized criteria: #{EXPECTED_CRITERIA.join(', ')}"
+    end
+
+    # Effect has only 2 permitted values
+    if recognized_criteria.key?('Effect')
+      unless %w{Allow Deny}.include?(recognized_criteria['Effect'])
+        raise ArgumentError, "Criterion 'Effect' for have_statement must be one of 'Allow' or 'Deny' - got '#{recognized_criteria['Effect']}'"
+      end
+    end
+
+    recognized_criteria
+  end
+
+  def has_statement__normalize_criteria(criteria)
+    # Transform keys into lowercase symbols
+    criteria.keys.each do |provided_key|
+      criteria[provided_key.downcase.to_sym] = criteria.delete(provided_key)
+    end
+
+    criteria
+  end
+
+  def has_statement__normalize_statements
+    policy['Statement'].map do |statement|
+      # Coerce some values into arrays
+      %w{Action Resource}.each do |field|
+        if statement.key?(field)
+          statement[field] = Array(statement[field])
+        end
+      end
+
+      # Symbolize all keys
+      statement.keys.each do |field|
+        statement[field.downcase.to_sym] = statement.delete(field)
+      end
+
+      statement
+    end
+  end
+
+  def has_statement__focus_on_sid(statements, criteria)
+    return statements unless criteria.key?(:sid)
+    sid_seek = criteria[:sid]
+    statements.select do |statement|
+      if sid_seek.is_a? Regexp
+        statement[:sid] =~ sid_seek
+      else
+        statement[:sid] == sid_seek
+      end
+    end
+  end
+
+  def has_statement__effect(statement, criteria)
+    !criteria.key?(:effect) || criteria[:effect] == statement[:effect]
+  end
+
+  def has_statement__array_criterion(crit_name, statement, criteria)
+    return true unless criteria.key?(crit_name)
+    check = criteria[crit_name]
+    values = statement[crit_name] # This is an array due to normalize_statements
+
+    if check.is_a?(String)
+      # If check is a string, it only has to match one of the values
+      values.any? { |v| v == check }
+    elsif check.is_a?(Regexp)
+      # If check is a regex, it only has to match one of the values
+      values.any? { |v| v =~ check }
+    elsif check.is_a?(Array) && check.all? { |c| c.is_a? String }
+      # If check is an array of strings, perform setwise check
+      Set.new(values) == Set.new(check)
+    elsif check.is_a?(Array) && check.all? { |c| c.is_a? Regexp }
+      # If check is an array of regexes, all values must match all regexes
+      values.all? { |v| check.all? { |r| v =~ r } }
+    else
+      false
+    end
+  end
+
   def validate_params(raw_params)
     validated_params = check_resource_param_names(
       raw_params: raw_params,
@@ -113,6 +257,10 @@ class AwsIamPolicy < Inspec.resource(1)
       BackendFactory.set_default_backend(self)
       self.aws_client_class = Aws::IAM::Client
 
+      def get_policy_version(criteria)
+        aws_service_client.get_policy_version(criteria)
+      end
+
       def list_policies(criteria)
         aws_service_client.list_policies(criteria)
       end