inspec 2.1.72 → 2.1.78

data/docs/resources/aws_security_groups.md.erb

@@ -89,3 +89,9 @@ The control will pass if the filter returns at least one result. Use `should_not
     describe aws_security_groups
       it { should exist }
     end
+
+## AWS Permissions
+
+Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `ec2:DescribeSecurityGroups` action with Effect set to Allow.
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html).

data/docs/resources/aws_sns_subscription.md.erb

@@ -34,7 +34,7 @@ This InSpec resource accepts the following parameters, which are used to search
 
 The ARN (Amazon Resource Name) of the AWS SNS Subscription.
 
-    # Using Hash syntax 
+    # Using Hash syntax
     describe aws_sns_subscription(subscription_arn: 'arn:aws:sns:us-east-1::test-topic-01:b214aff5-a2c7-438f-a753-8494493f2ff6') do
       it { should exist }
     end
@@ -52,23 +52,23 @@ The ARN (Amazon Resource Name) of the AWS SNS Subscription.
 
 The control will pass if the specified Aws Subscription was found.  Use should_not if you want to verify that the specified Subscription does not exist.
 
-    # Test that a specific subscription exists. 
+    # Test that a specific subscription exists.
     describe aws_sns_subscription(subscription_arn: 'arn:aws:sns:us-east-1::test-topic-01:b214aff5-a2c7-438f-a753-8494493f2ff6')
       it { should exist }
-    end   
+    end
 
     # Test that a Subscription does not exist.
     describe aws_sns_subscription(subscription_arn: 'arn:aws:sns:us-east-1::NOGOOD:b214aff5-a2c7-438f-a753-8494493f2ff6')
       it { should_not exist }
-    end 
-    
+    end
+
 ### be\_confirmation\_authenticated
 
 Provides whether or not the subscription confirmation request was authenticated.
 
     describe aws_sns_subscription(subscription_arn: 'arn:aws:sns:us-east-1::NOGOOD:b214aff5-a2c7-438f-a753-8494493f2ff6')
       it { should be_confirmation_authenticated }
-    end 
+    end
 
 ### have\_raw\_message\_delivery
 
@@ -76,7 +76,7 @@ Provides whether or not the original message is passed as is, not formatted as a
 
     describe aws_sns_subscription(subscription_arn: 'arn:aws:sns:us-east-1::NOGOOD:b214aff5-a2c7-438f-a753-8494493f2ff6')
       it { should have_raw_message_delivery }
-    end 
+    end
 
 ## Properties
 
@@ -95,19 +95,19 @@ Provides the destination that the SNS Topic will send notifications to.
       # If the protocol is 'lambda', its endpoint should be the ARN of a AWS Lambda function
       its('endpoint') { should cmp 'rn:aws:lambda:us-east-1:account-id:function:myfunction' }
     end
-    
+
 ### owner
 
-Provides the AWS Owners ID. 
+Provides the AWS Owners ID.
 
     # Inspect the owners ID
     describe aws_sns_subscription(subscription_arn: 'arn:aws:sns:us-east-1::test-topic-01:b214aff5-a2c7-438f-a753-8494493f2ff6' ) do
       its('owner') { should cmp '12345678' }
     end
-    
+
 ### protocol
 
-Provides the Subscriptions protocol used. For example http, https, email, email-json, sqs, etc.  For more information about protocols please visit https://docs.aws.amazon.com/sns/latest/api/API_Subscribe.html 
+Provides the Subscriptions protocol used. For example http, https, email, email-json, sqs, etc.  For more information about protocols please visit https://docs.aws.amazon.com/sns/latest/api/API_Subscribe.html
 
     # Inspect the endpoint
     describe aws_sns_subscription(subscription_arn: 'arn:aws:sns:us-east-1::test-topic-01:b214aff5-a2c7-438f-a753-8494493f2ff6' ) do
@@ -122,4 +122,9 @@ Provides the SNS Topic arn that the Subscription is associated with.
     describe aws_sns_subscription(subscription_arn: 'arn:aws:sns:us-east-1::test-topic-01:b214aff5-a2c7-438f-a753-8494493f2ff6' ) do
       its('topic_arn') { should cmp 'arn:aws:sns:us-east-1::test-topic-01' }
     end
-    
+
+## AWS Permissions
+
+Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `sns:GetSubscriptionAttributes` action with Effect set to Allow.
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon SNS](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonsns.html).

data/docs/resources/aws_sns_topic.md.erb

@@ -61,3 +61,9 @@ Indicates that the ARN provided was found.  Use `should_not` to test for SNS top
     describe aws_sns_topic('arn:aws:sns:*::bad-news') do
       it { should_not exist }
     end
+
+## AWS Permissions
+
+Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `sns:GetTopicAttributes` action with Effect set to Allow.
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon SNS](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonsns.html).

data/docs/resources/aws_sns_topics.md.erb

@@ -50,3 +50,9 @@ Provides an array of all SNS Topic arns.
     describe aws_sns_topics do
       its('topic_arns') { should include 'arn:aws:sns:us-east-1:333344445555:MyTopic' }
     end
+
+## AWS Permissions
+
+Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `sns:ListTopics` action with Effect set to Allow.
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon SNS](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonsns.html).

data/docs/resources/aws_subnet.md.erb

@@ -34,7 +34,7 @@ A string identifying the subnet that the VPC contains.
 
     # This will error if there is more than the default SG
     describe aws_subnet(subnet_id: 'subnet-12345678') do
-      it { should exist }    
+      it { should exist }
     end
 
 <br>
@@ -52,7 +52,7 @@ A string identifying the subnet that the VPC contains.
 Provides the Availability Zone of the subnet.
 
     describe aws_subnet(subnet_id: 'subnet-12345678') do
-      its('availability_zone') { should eq 'us-east-1c' }    
+      its('availability_zone') { should eq 'us-east-1c' }
     end
 
 ### available\_ip\_address\_count
@@ -60,7 +60,7 @@ Provides the Availability Zone of the subnet.
 Provides the number of available IPv4 addresses on the subnet.
 
     describe aws_subnet(subnet_id: 'subnet-12345678') do
-      its('available_ip_address_count') { should eq 251 }    
+      its('available_ip_address_count') { should eq 251 }
     end
 
 ### cidr\_block
@@ -68,7 +68,7 @@ Provides the number of available IPv4 addresses on the subnet.
 Provides the block of ip addresses specified to the subnet.
 
     describe aws_subnet(subnet_id: 'subnet-12345678') do
-      its('cidr_block') { should eq '10.0.1.0/24' }    
+      its('cidr_block') { should eq '10.0.1.0/24' }
     end
 
 ### subnet\_id
@@ -76,7 +76,7 @@ Provides the block of ip addresses specified to the subnet.
 Provides the ID of the Subnet.
 
     describe aws_subnet(subnet_id: 'subnet-12345678') do
-      its('subnet_id') { should eq 'subnet-12345678' }    
+      its('subnet_id') { should eq 'subnet-12345678' }
     end
 
 ### vpc\_id
@@ -84,10 +84,10 @@ Provides the ID of the Subnet.
 Provides the ID of the VPC the subnet is in.
 
     describe aws_subnet(subnet_id: 'subnet-12345678') do
-      its('vpc_id') { should eq 'vpc-12345678' }    
+      its('vpc_id') { should eq 'vpc-12345678' }
     end
 
-<br> 
+<br>
 
 ## Matchers
 
@@ -98,15 +98,15 @@ This InSpec audit resource has the following special matchers. For a full list o
 Detects if the network interface on the subnet accepts IPv6 addresses.
 
     describe aws_subnet(subnet_id: 'subnet-12345678') do
-      it { should be_assigning_ipv_6_address_on_creation }    
+      it { should be_assigning_ipv_6_address_on_creation }
     end
-    
+
 ### available
 
 Provides the current state of the subnet.
 
     describe aws_subnet(subnet_id: 'subnet-12345678') do
-      it { should be_available }    
+      it { should be_available }
     end
 
 ### default\_for\_az
@@ -114,7 +114,7 @@ Provides the current state of the subnet.
 Detects if the subnet is the default subnet for the Availability Zone.
 
     describe aws_subnet(subnet_id: 'subnet-12345678') do
-      it { should be_default_for_az }    
+      it { should be_default_for_az }
     end
 
 ### exist
@@ -124,11 +124,17 @@ The `exist` matcher indicates that a subnet exists for the specified vpc.
     describe aws_subnet(subnet_id: 'subnet-12345678') do
       it { should exist }
     end
-    
+
 ### mapping\_public\_ip\_on\_launch
 
 Provides the VPC ID for the subnet.
 
     describe aws_subnet(subnet_id: 'subnet-12345678') do
-      it { should be_mapping_public_ip_on_launch }    
+      it { should be_mapping_public_ip_on_launch }
     end
+
+## AWS Permissions
+
+Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `ec2:DescribeSubnets` action with Effect set to Allow.
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html).

data/docs/resources/aws_subnets.md.erb

@@ -124,3 +124,9 @@ The control will pass if the filter returns at least one result. Use `should_not
     describe aws_subnets.where(vpc_id: 'vpc-12345678')
       it { should exist }
     end
+
+## AWS Permissions
+
+Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `ec2:DescribeSubnets` action with Effect set to Allow.
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html).

data/docs/resources/aws_vpc.md.erb

@@ -11,7 +11,7 @@ To test properties of all or multiple VPCs, use the `aws_vpcs` resource.
 
 A VPC is a networking construct that provides an isolated environment. A VPC is contained in a geographic region, but spans availability zones in that region. A VPC may have multiple subnets, internet gateways, and other networking resources. Computing resources--such as EC2 instances--reside on subnets within the VPC.
 
-Each VPC is uniquely identified by its VPC ID. In addition, each VPC has a non-unique CIDR IP Address range (such as 10.0.0.0/16) which it manages. 
+Each VPC is uniquely identified by its VPC ID. In addition, each VPC has a non-unique CIDR IP Address range (such as 10.0.0.0/16) which it manages.
 
 Every AWS account has at least one VPC, the "default" VPC, in every region.
 
@@ -118,3 +118,8 @@ The test will pass if the identified VPC is the default VPC for the region.
       it { should be_default }
     end
 
+## AWS Permissions
+
+Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `ec2:DescribeVpcs` action with Effect set to Allow.
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html).

data/docs/resources/aws_vpcs.md.erb

@@ -117,3 +117,9 @@ The control will pass if the filter returns at least one result. Use `should_not
     describe aws_vpcs
       it { should exist }
     end
+
+## AWS Permissions
+
+Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `ec2:DescribeVpcs` action with Effect set to Allow.
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html).

data/docs/resources/http.md.erb

@@ -113,7 +113,7 @@ In InSpec 2.0, the HTTP test will automatically execute remotely whenever InSpec
       ...
     end
 
-### headers 
+### headers
 
 `{headers}` may be specified for http request headers.
 
@@ -135,7 +135,7 @@ In InSpec 2.0, the HTTP test will automatically execute remotely whenever InSpec
 
 `open_timeout` may be specified for a timeout for opening connections (default to 60).
 
-    describe('http://localhost:8080/ping', 
+    describe('http://localhost:8080/ping',
                   open_timeout: '90') do
       ...
     end
@@ -144,7 +144,7 @@ In InSpec 2.0, the HTTP test will automatically execute remotely whenever InSpec
 
 `read_timeout` may be specified for a timeout for reading connections (default to 60).
 
-    describe('http://localhost:8080/ping', 
+    describe('http://localhost:8080/ping',
                   read_timeout: '90') do
       ...
     end
@@ -153,8 +153,8 @@ In InSpec 2.0, the HTTP test will automatically execute remotely whenever InSpec
 
 `ssl_verify` may be specified to enable or disable verification of SSL certificates (default to `true`).
 
-    describe('http://localhost:8080/ping', 
-                  ssl_verify: 'true') do
+    describe('http://localhost:8080/ping',
+                  ssl_verify: true) do
       ...
     end
 
@@ -194,4 +194,4 @@ The `status` matcher tests status of the http response:
 
 ## Matchers
 
-For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
+For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).

data/inspec.gemspec

@@ -26,7 +26,7 @@ Gem::Specification.new do |spec|
 
   spec.required_ruby_version = '>= 2.3'
 
-  spec.add_dependency 'train', '~> 1.4'
+  spec.add_dependency 'train', '~> 1.4.9'
   spec.add_dependency 'thor', '~> 0.20'
   spec.add_dependency 'json', '>= 1.8', '< 3.0'
   spec.add_dependency 'method_source', '~> 0.8'
@@ -39,6 +39,8 @@ Gem::Specification.new do |spec|
   spec.add_dependency 'sslshake', '~> 1.2'
   spec.add_dependency 'parallel', '~> 1.9'
   spec.add_dependency 'faraday', '>=0.9.0'
+  # Used for Azure profile until integrated into train
+  spec.add_dependency 'faraday_middleware', '~> 0.12.2'
   spec.add_dependency 'tomlrb', '~> 1.2'
   spec.add_dependency 'addressable', '~> 2.4'
   spec.add_dependency 'parslet', '~> 1.5'

data/lib/inspec/reporters/automate.rb

@@ -23,7 +23,7 @@ module Inspec::Reporters
       final_report[:node_uuid] = @config['node_uuid'] || @run_data[:platform][:uuid]
       raise Inspec::ReporterError, 'Cannot find a UUID for your node. Please specify one via json-config.' if final_report[:node_uuid].nil?
 
-      final_report[:report_uuid] = uuid_from_string(final_report[:end_time] + final_report[:node_uuid])
+      final_report[:report_uuid] = @config['report_uuid'] || uuid_from_string(final_report[:end_time] + final_report[:node_uuid])
 
       # optional json-config passthrough options
       %w{node_name environment roles recipies}.each do |option|

data/lib/inspec/version.rb

@@ -4,5 +4,5 @@
 # author: Christoph Hartmann
 
 module Inspec
-  VERSION = '2.1.72'
+  VERSION = '2.1.78'
 end

data/lib/resources/aws/aws_iam_policy.rb

@@ -93,8 +93,9 @@ class AwsIamPolicy < Inspec.resource(1)
     end
   end
 
-  def has_statement?(raw_criteria = {})
+  def has_statement?(provided_criteria = {})
     return nil unless exists?
+    raw_criteria = provided_criteria.dup # provided_criteria is used for output formatting - can't delete from it.
     criteria = has_statement__normalize_criteria(has_statement__validate_criteria(raw_criteria))
     @normalized_statements ||= has_statement__normalize_statements
     statements = has_statement__focus_on_sid(@normalized_statements, criteria)

data/lib/resources/aws/aws_security_group.rb

@@ -19,22 +19,22 @@ class AwsSecurityGroup < Inspec.resource(1)
   end
 
   def allow_in?(criteria = {})
-    allow(inbound_rules, criteria)
+    allow(inbound_rules, criteria.dup)
   end
   RSpec::Matchers.alias_matcher :allow_in, :be_allow_in
 
   def allow_out?(criteria = {})
-    allow(outbound_rules, criteria)
+    allow(outbound_rules, criteria.dup)
   end
   RSpec::Matchers.alias_matcher :allow_out, :be_allow_out
 
   def allow_in_only?(criteria = {})
-    allow_only(inbound_rules, criteria)
+    allow_only(inbound_rules, criteria.dup)
   end
   RSpec::Matchers.alias_matcher :allow_in_only, :be_allow_in_only
 
   def allow_out_only?(criteria = {})
-    allow_only(outbound_rules, criteria)
+    allow_only(outbound_rules, criteria.dup)
   end
   RSpec::Matchers.alias_matcher :allow_out_only, :be_allow_out_only
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec
 version: !ruby/object:Gem::Version
-  version: 2.1.72
+  version: 2.1.78
 platform: ruby
 authors:
 - Dominik Richter
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-05-10 00:00:00.000000000 Z
+date: 2018-05-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: train
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.4'
+        version: 1.4.9
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.4'
+        version: 1.4.9
 - !ruby/object:Gem::Dependency
   name: thor
   requirement: !ruby/object:Gem::Requirement
@@ -198,6 +198,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 0.9.0
+- !ruby/object:Gem::Dependency
+  name: faraday_middleware
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.12.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.12.2
 - !ruby/object:Gem::Dependency
   name: tomlrb
   requirement: !ruby/object:Gem::Requirement