inspec 2.1.84 → 2.2.10

data/lib/resources/aws/aws_flow_log.rb

@@ -0,0 +1,102 @@
+class AwsFlowLog < Inspec.resource(1)
+  name 'aws_flow_log'
+  supports platform: 'aws'
+  desc 'This resource is used to test the attributes of a Flow Log.'
+  example <<~EOT
+    describe aws_flow_log('fl-9c718cf5') do
+      it { should exist }
+    end
+    EOT
+
+  include AwsSingularResourceMixin
+
+  def to_s
+    "AWS Flow Log #{id}"
+  end
+
+  def resource_type
+    case @resource_id
+    when /^eni/
+      @resource_type = 'eni'
+    when /^subnet/
+      @resource_type = 'subnet'
+    when /^vpc/
+      @resource_type = 'vpc'
+    end
+  end
+
+  def attached_to_eni?
+    resource_type.eql?('eni') ? true : false
+  end
+
+  def attached_to_subnet?
+    resource_type.eql?('subnet') ? true : false
+  end
+
+  def attached_to_vpc?
+    resource_type.eql?('vpc') ? true : false
+  end
+
+  attr_reader :log_group_name, :resource_id, :flow_log_id
+
+  private
+
+  def validate_params(raw_params)
+    validated_params = check_resource_param_names(
+      raw_params: raw_params,
+      allowed_params: [:flow_log_id, :subnet_id, :vpc_id],
+      allowed_scalar_name: :flow_log_id,
+      allowed_scalar_type: String,
+    )
+
+    if validated_params.empty?
+      raise ArgumentError,
+            'aws_flow_log requires a parameter: flow_log_id, subnet_id, or vpc_id'
+    end
+
+    validated_params
+  end
+
+  def fetch_from_api
+    backend = BackendFactory.create(inspec_runner)
+
+    resp = backend.describe_flow_logs(filter_args)
+    flow_log = resp.to_h[:flow_logs].first
+    @exists = !flow_log.nil?
+    unless flow_log.nil?
+      @log_group_name = flow_log[:log_group_name]
+      @resource_id = flow_log[:resource_id]
+      @flow_log_id = flow_log[:flow_log_id]
+    end
+  end
+
+  def filter_args
+    if @flow_log_id
+      { filter: [{ name: 'flow-log-id', values: [@flow_log_id] }] }
+    elsif @subnet_id || @vpc_id
+      filter = @subnet_id || @vpc_id
+      { filter: [{ name: 'resource-id', values: [filter] }] }
+    end
+  end
+
+  def id
+    return @flow_log_id if @flow_log_id
+    return @subnet_id if @subnet_id
+    return @vpc_id if @vpc_id
+  end
+
+  def backend
+    BackendFactory.create(inspec_runner)
+  end
+
+  class Backend
+    class AwsClientApi < AwsBackendBase
+      AwsFlowLog::BackendFactory.set_default_backend(self)
+      self.aws_client_class = Aws::EC2::Client
+
+      def describe_flow_logs(query)
+        aws_service_client.describe_flow_logs(query)
+      end
+    end
+  end
+end

data/lib/resources/aws/aws_iam_groups.rb

@@ -19,8 +19,7 @@ class AwsIamGroups < Inspec.resource(1)
 
   # Underlying FilterTable implementation.
   filter = FilterTable.create
-  filter.add_accessor(:entries)
-        .add(:exists?) { |x| !x.entries.empty? }
+  filter.add(:group_names, field: :group_name)
   filter.connect(self, :table)
 
   def to_s

data/lib/resources/aws/aws_iam_users.rb

@@ -23,27 +23,73 @@ class AwsIamUsers < Inspec.resource(1)
 
   include AwsPluralResourceMixin
 
+  def self.lazy_get_login_profile(row, _criterion, table)
+    backend = BackendFactory.create(table.resource.inspec_runner)
+    begin
+      _login_profile = backend.get_login_profile(user_name: row[:user_name])
+      row[:has_console_password] = true
+    rescue Aws::IAM::Errors::NoSuchEntity
+      row[:has_console_password] = false
+    end
+    row[:has_console_password?] = row[:has_console_password]
+  end
+
+  def self.lazy_list_mfa_devices(row, _criterion, table)
+    backend = BackendFactory.create(table.resource.inspec_runner)
+    begin
+      aws_mfa_devices = backend.list_mfa_devices(user_name: row[:user_name])
+      row[:has_mfa_enabled] = !aws_mfa_devices.mfa_devices.empty?
+    rescue Aws::IAM::Errors::NoSuchEntity
+      row[:has_mfa_enabled] = false
+    end
+    row[:has_mfa_enabled?] = row[:has_mfa_enabled]
+  end
+
+  def self.lazy_list_user_policies(row, _criterion, table)
+    backend = BackendFactory.create(table.resource.inspec_runner)
+    row[:inline_policy_names] = backend.list_user_policies(user_name: row[:user_name]).policy_names
+    row[:has_inline_policies] = !row[:inline_policy_names].empty?
+    row[:has_inline_policies?] = row[:has_inline_policies]
+  end
+
+  def self.lazy_list_attached_policies(row, _criterion, table)
+    backend = BackendFactory.create(table.resource.inspec_runner)
+    attached_policies = backend.list_attached_user_policies(user_name: row[:user_name]).attached_policies
+    row[:has_attached_policies] = !attached_policies.empty?
+    row[:has_attached_policies?] = row[:has_attached_policies]
+    row[:attached_policy_names] = attached_policies.map { |p| p[:policy_name] }
+    row[:attached_policy_arns] = attached_policies.map { |p| p[:policy_arn] }
+  end
+
   filter = FilterTable.create
   filter.add_accessor(:where)
         .add_accessor(:entries)
-        .add(:exists?) { |x| !x.entries.empty? }
-        .add(:has_mfa_enabled?, field: :has_mfa_enabled)
-        .add(:has_console_password?, field: :has_console_password)
-        .add(:has_inline_policies?, field: :has_inline_policies)
-        .add(:has_attached_policies?, field: :has_attached_policies)
+  # Summary methods
+  filter.add(:exists?) { |table| !table.params.empty? }
+        .add(:count) { |table| table.params.count }
+
+  # These are included on the initial fetch
+  filter.add(:usernames, field: :user_name)
+        .add(:username) { |res| res.entries.map { |row| row[:user_name] } } # We should deprecate this; plural resources get plural properties
         .add(:password_ever_used?, field: :password_ever_used?)
         .add(:password_never_used?, field: :password_never_used?)
         .add(:password_last_used_days_ago, field: :password_last_used_days_ago)
-        .add(:usernames, field: :user_name)
-        .add(:username) { |res| res.entries.map { |row| row[:user_name] } } # We should deprecate this; plural resources get plural properties
-  # Next three are needed to declare fields for use by the de-duped set
-  filter.add(:dupe_inline_policy_names, field: :inline_policy_names_source)
-        .add(:dupe_attached_policy_names, field: :attached_policy_names_source)
-        .add(:dupe_attached_policy_arns, field: :attached_policy_arns_source)
-  # These three are now able to access the above three in .entries
-  filter.add(:inline_policy_names) { |obj| obj.dupe_inline_policy_names.flatten.uniq }
-        .add(:attached_policy_names) { |obj| obj.dupe_attached_policy_names.flatten.uniq }
-        .add(:attached_policy_arns) { |obj| obj.dupe_attached_policy_arns.flatten.uniq }
+
+  # Remaining properties / criteria are handled lazily, grouped by fetcher
+  filter.add(:has_console_password?, field: :has_console_password?, lazy: method(:lazy_get_login_profile))
+        .add(:has_console_password, field: :has_console_password, lazy: method(:lazy_get_login_profile))
+
+  filter.add(:has_mfa_enabled?, field: :has_mfa_enabled?, lazy: method(:lazy_list_mfa_devices))
+        .add(:has_mfa_enabled, field: :has_mfa_enabled, lazy: method(:lazy_list_mfa_devices))
+
+  filter.add(:has_inline_policies?, field: :has_inline_policies?, lazy: method(:lazy_list_user_policies))
+        .add(:has_inline_policies, field: :has_inline_policies, lazy: method(:lazy_list_user_policies))
+        .add(:inline_policy_names, field: :inline_policy_names, style: :simple, lazy: method(:lazy_list_user_policies))
+
+  filter.add(:has_attached_policies?, field: :has_attached_policies?, lazy: method(:lazy_list_attached_policies))
+        .add(:has_attached_policies, field: :has_attached_policies, lazy: method(:lazy_list_attached_policies))
+        .add(:attached_policy_names, field: :attached_policy_names, style: :simple, lazy: method(:lazy_list_attached_policies))
+        .add(:attached_policy_arns, field: :attached_policy_arns, style: :simple, lazy: method(:lazy_list_attached_policies))
   filter.connect(self, :table)
 
   def validate_params(raw_params)
@@ -66,45 +112,17 @@ class AwsIamUsers < Inspec.resource(1)
     table
   end
 
-  def fetch_from_api # rubocop: disable Metrics/AbcSize
+  def fetch_from_api
     backend = BackendFactory.create(inspec_runner)
     @table = fetch_from_api_paginated(backend)
 
-    # TODO: lazy columns - https://github.com/chef/inspec-aws/issues/100
     @table.each do |user|
-      # Some of these throw exceptions to indicate empty results;
-      # others return empty arrays
-      begin
-        _login_profile = backend.get_login_profile(user_name: user[:user_name])
-        user[:has_console_password] = true
-      rescue Aws::IAM::Errors::NoSuchEntity
-        user[:has_console_password] = false
-      end
-      user[:has_console_password?] = user[:has_console_password]
-
-      begin
-        aws_mfa_devices = backend.list_mfa_devices(user_name: user[:user_name])
-        user[:has_mfa_enabled] = !aws_mfa_devices.mfa_devices.empty?
-      rescue Aws::IAM::Errors::NoSuchEntity
-        user[:has_mfa_enabled] = false
-      end
-      user[:has_mfa_enabled?] = user[:has_mfa_enabled]
-
-      user[:inline_policy_names_source] = backend.list_user_policies(user_name: user[:user_name]).policy_names
-      user[:has_inline_policies] = !user[:inline_policy_names_source].empty?
-      user[:has_inline_policies?] = user[:has_inline_policies]
-
-      attached_policies = backend.list_attached_user_policies(user_name: user[:user_name]).attached_policies
-      user[:has_attached_policies] = !attached_policies.empty?
-      user[:has_attached_policies?] = user[:has_attached_policies]
-      user[:attached_policy_names_source] = attached_policies.map { |p| p[:policy_name] }
-      user[:attached_policy_arns_source] = attached_policies.map { |p| p[:policy_arn] }
-
       password_last_used = user[:password_last_used]
       user[:password_ever_used?] = !password_last_used.nil?
       user[:password_never_used?] = password_last_used.nil?
-      next unless user[:password_ever_used?]
-      user[:password_last_used_days_ago] = ((Time.now - password_last_used) / (24*60*60)).to_i
+      if user[:password_ever_used?]
+        user[:password_last_used_days_ago] = ((Time.now - password_last_used) / (24*60*60)).to_i
+      end
     end
     @table
   end

data/lib/resources/npm.rb

@@ -1,5 +1,7 @@
 # encoding: utf-8
 
+require 'shellwords'
+
 module Inspec::Resources
   class NpmPackage < Inspec.resource(1)
     name 'npm'
@@ -10,17 +12,28 @@ module Inspec::Resources
       describe npm('bower') do
         it { should be_installed }
       end
+
+      describe npm('tar', path: '/path/to/project') do
+        it { should be_installed }
+      end
     "
 
-    def initialize(package_name)
+    def initialize(package_name, opts = {})
       @package_name = package_name
+      @location = opts[:path]
       @cache = nil
     end
 
     def info
       return @info if defined?(@info)
 
-      cmd = inspec.command("npm ls -g --json #{@package_name}")
+      if @location
+        npm = "cd #{Shellwords.escape @location} && npm"
+      else
+        npm = 'npm -g'
+      end
+
+      cmd = inspec.command("#{npm} ls --json #{@package_name}")
       @info = {
         name: @package_name,
         type: 'npm',

data/lib/resources/package.rb

@@ -270,7 +270,7 @@ module Inspec::Resources
       # Find the package
       cmd = inspec.command <<-EOF.gsub(/^\s*/, '')
         Get-ItemProperty (@("#{search_paths.join('", "')}") | Where-Object { Test-Path $_ }) |
-        Where-Object { $_.DisplayName -like "#{package_name}" -or $_.PSChildName -like "#{package_name}" } |
+        Where-Object { $_.DisplayName -match "^\\s*#{package_name}\\s*$" -or $_.PSChildName -match "^\\s*#{package_name}\\s*$" } |
         Select-Object -Property DisplayName,DisplayVersion | ConvertTo-Json
       EOF
 

data/lib/utils/filter.rb

@@ -4,7 +4,8 @@
 # author: Christoph Hartmann
 
 module FilterTable
-  module Show; end
+  # This is used as a sentinel value in custom property filtering
+  module NoCriteriaProvided; end
 
   class ExceptionCatcher
     def initialize(original_resource, original_exception)
@@ -82,60 +83,139 @@ module FilterTable
   end
 
   class Table
-    attr_reader :params, :resource
-    def initialize(resource, params, filters)
-      @resource = resource
-      @params = params
-      @params = [] if @params.nil?
-      @filters = filters
+    attr_reader :raw_data, :resource_instance, :criteria_string
+    def initialize(resource_instance, raw_data, criteria_string)
+      @resource_instance = resource_instance
+      @raw_data = raw_data
+      @raw_data = [] if @raw_data.nil?
+      @criteria_string = criteria_string
+      @populated_lazy_columns = {}
     end
 
+    # Filter the raw data based on criteria (as method params) or by evaling a
+    # block; then construct a new Table of the same class as ourselves,
+    # wrapping the filtered data, and return it.
     def where(conditions = {}, &block)
       return self if !conditions.is_a?(Hash)
       return self if conditions.empty? && !block_given?
 
-      filters = ''
-      table = @params
-      conditions.each do |field, condition|
-        filters += " #{field} == #{condition.inspect}"
-        table = filter_lines(table, field, condition)
+      # Initialize the details of the new Table.
+      new_criteria_string = criteria_string
+      filtered_raw_data = raw_data
+
+      # If we were provided params, interpret them as criteria to be evaluated
+      # against the raw data. Criteria are assumed to be hash keys.
+      conditions.each do |raw_field_name, desired_value|
+        raise(ArgumentError, "'#{raw_field_name}' is not a recognized criterion - expected one of #{list_fields.join(', ')}'") unless field?(raw_field_name)
+        populate_lazy_field(raw_field_name, desired_value) if is_field_lazy?(raw_field_name)
+        new_criteria_string += " #{raw_field_name} == #{desired_value.inspect}"
+        filtered_raw_data = filter_raw_data(filtered_raw_data, raw_field_name, desired_value)
       end
 
+      # If we were given a block, make a special Struct for each row, that has an accessor
+      # for each field declared using `register_custom_property`, then instance-eval the block
+      # against the struct.
       if block_given?
-        table = table.find_all { |e| new_entry(e, '').instance_eval(&block) }
+        # Perform the filtering.
+        filtered_raw_data = filtered_raw_data.find_all { |row_as_hash| create_eval_context_for_row(row_as_hash, '').instance_eval(&block) }
+        # Try to interpret the block for updating the stringification.
         src = Trace.new
-        src.instance_eval(&block)
-        filters += Trace.to_ruby(src)
+        # Swallow any exceptions raised here.
+        # See https://github.com/chef/inspec/issues/2929
+        begin
+          src.instance_eval(&block)
+        rescue # rubocop: disable Lint/HandleExceptions
+          # Yes, robocop, ignoring all exceptions is normally
+          # a bad idea.  Here, an exception just means we don't
+          # understand what was in a `where` block, so we can't
+          # meaningfully sytringify it.  We still have a decent
+          # default stringification.
+        end
+        new_criteria_string += Trace.to_ruby(src)
       end
 
-      self.class.new(@resource, table, @filters + filters)
+      self.class.new(resource, filtered_raw_data, new_criteria_string)
     end
 
-    def new_entry(*_)
+    def create_eval_context_for_row(*_)
       raise "#{self.class} must not be used on its own. It must be inherited "\
-           'and the #new_entry method must be implemented. This is an internal '\
+           'and the #create_eval_context_for_row method must be implemented. This is an internal '\
            'error and should not happen.'
     end
 
+    def resource
+      resource_instance
+    end
+
+    def params
+      # TODO: consider deprecating
+      raw_data
+    end
+
     def entries
-      f = @resource.to_s + @filters.to_s + ' one entry'
-      @params.map do |line|
-        new_entry(line, f)
+      row_criteria_string = resource.to_s + criteria_string + ' one entry'
+      raw_data.map do |row|
+        create_eval_context_for_row(row, row_criteria_string)
       end
     end
 
-    def get_field(field)
-      @params.map do |line|
-        line[field]
+    def get_column_values(field)
+      raw_data.map do |row|
+        row[field]
       end
     end
 
+    def list_fields
+      @__fields_in_raw_data ||= raw_data.reduce([]) do |fields, row|
+        fields.concat(row.keys).uniq
+      end
+    end
+
+    def field?(proposed_field)
+      # Currently we only know about a field if it is present in a at least one row of the raw data.
+      # If we have no rows in the raw data, assume all fields are acceptable (and rely on failing to match on value, nil)
+      return true if raw_data.empty?
+      list_fields.include?(proposed_field) || is_field_lazy?(proposed_field)
+    end
+
     def to_s
-      @resource.to_s + @filters
+      resource.to_s + criteria_string
     end
 
     alias inspect to_s
 
+    def populate_lazy_field(field_name, criterion)
+      return unless is_field_lazy?(field_name)
+      return if field_populated?(field_name)
+      raw_data.each do |row|
+        next if row.key?(field_name) # skip row if pre-existing data is present
+        callback_for_lazy_field(field_name).call(row, criterion, self)
+      end
+      mark_lazy_field_populated(field_name)
+    end
+
+    def is_field_lazy?(sought_field_name)
+      custom_properties_schema.values.any? do |property_struct|
+        sought_field_name == property_struct.field_name && \
+          property_struct.opts[:lazy]
+      end
+    end
+
+    def callback_for_lazy_field(field_name)
+      return unless is_field_lazy?(field_name)
+      custom_properties_schema.values.find do |property_struct|
+        property_struct.field_name == field_name
+      end.opts[:lazy]
+    end
+
+    def field_populated?(field_name)
+      @populated_lazy_columns[field_name]
+    end
+
+    def mark_lazy_field_populated(field_name)
+      @populated_lazy_columns[field_name] = true
+    end
+
     private
 
     def matches_float(x, y)
@@ -159,111 +239,189 @@ module FilterTable
       x === y # rubocop:disable Style/CaseEquality
     end
 
-    def filter_lines(table, field, condition)
-      m = case condition
-          when Float   then method(:matches_float)
-          when Integer then method(:matches_int)
-          when Regexp  then method(:matches_regex)
-          else              method(:matches)
-          end
-
-      table.find_all do |line|
-        next unless line.key?(field)
-        m.call(line[field], condition)
+    def filter_raw_data(current_raw_data, field, desired_value)
+      method_ref = case desired_value
+                   when Float   then method(:matches_float)
+                   when Integer then method(:matches_int)
+                   when Regexp  then method(:matches_regex)
+                   else              method(:matches)
+                   end
+
+      current_raw_data.find_all do |row|
+        next unless row.key?(field)
+        method_ref.call(row[field], desired_value)
       end
     end
   end
 
   class Factory
-    Connector = Struct.new(:field_name, :block, :opts)
+    CustomPropertyType = Struct.new(:field_name, :block, :opts)
 
     def initialize
-      @accessors = []
-      @connectors = {}
-      @resource = nil
+      @filter_methods = [:where, :entries, :raw_data]
+      @custom_properties = {}
+      register_custom_matcher(:exist?) { |table| !table.raw_data.empty? }
+      register_custom_property(:count) { |table|  table.raw_data.count }
+
+      @resource = nil # TODO: this variable is never initialized
     end
 
-    def connect(resource, table_accessor) # rubocop:disable Metrics/AbcSize
-      # create the table structure
-      connectors = @connectors
-      struct_fields = connectors.values.map(&:field_name)
-      connector_blocks = connectors.map do |method, c|
-        [method.to_sym, create_connector(c)]
+    def install_filter_methods_on_resource(resource_class, raw_data_fetcher_method_name) # rubocop: disable Metrics/AbcSize, Metrics/MethodLength
+      # A context in which you can access the fields as accessors
+      non_block_struct_fields = @custom_properties.values.reject(&:block).map(&:field_name)
+      row_eval_context_type = Struct.new(*non_block_struct_fields.map(&:to_sym)) do
+        attr_accessor :criteria_string
+        attr_accessor :filter_table
+        def to_s
+          @criteria_string || super
+        end
+      end unless non_block_struct_fields.empty?
+
+      properties_to_define = @custom_properties.map do |method_name, custom_property_structure|
+        { method_name: method_name, method_body: create_custom_property_body(custom_property_structure) }
       end
 
-      # the struct to hold single items from the #entries method
-      entry_struct = Struct.new(*struct_fields.map(&:to_sym)) do
-        attr_accessor :__filter
-        def to_s
-          @__filter || super
+      # Define the filter table subclass
+      custom_properties = @custom_properties # We need a local var, not an instance var, for a closure below
+      table_class = Class.new(Table) {
+        # Install each custom property onto the FilterTable subclass
+        properties_to_define.each do |property_info|
+          define_method property_info[:method_name], &property_info[:method_body]
         end
-      end unless struct_fields.empty?
 
-      # the main filter table
-      table = Class.new(Table) {
-        connector_blocks.each do |x|
-          define_method x[0], &x[1]
+        define_method :custom_properties_schema do
+          custom_properties
         end
 
-        define_method :new_entry do |hashmap, filter = ''|
-          return entry_struct.new if hashmap.nil?
-          res = entry_struct.new(*struct_fields.map { |x| hashmap[x] })
-          res.__filter = filter
-          res
+        # Install a method that can wrap all the fields into a context with accessors
+        define_method :create_eval_context_for_row do |row_as_hash, criteria_string = ''|
+          return row_eval_context_type.new if row_as_hash.nil?
+          context = row_eval_context_type.new(*non_block_struct_fields.map { |field| row_as_hash[field] })
+          context.criteria_string = criteria_string
+          context.filter_table = self
+          context
         end
       }
 
+      # Now that the table class is defined and the row eval context struct is defined,
+      # extend the row eval context struct to support triggering population of lazy fields
+      # in where blocks. To do that, we'll need a reference to the table (which
+      # knows which fields are populated, and how to populate them) and we'll need to
+      # override the getter method for each lazy field, so it will trigger
+      # population if needed.  Keep in mind we don't have to adjust the constructor
+      # args of the row struct; also the Struct class will already have provided
+      # a setter for each field.
+      @custom_properties.values.each do |property_info|
+        next unless property_info.opts[:lazy]
+        field_name = property_info.field_name.to_sym
+        row_eval_context_type.send(:define_method, field_name) do
+          unless filter_table.field_populated?(field_name)
+            filter_table.populate_lazy_field(field_name, NoCriteriaProvided) # No access to criteria here
+            # OK, the underlying raw data has the value in the first row
+            # (because we would trigger population only on the first row)
+            # We could just return the value, but we need to set it on this Struct in case it is referenced multiple times
+            # in the where block.
+            self[field_name] = filter_table.raw_data[0][field_name]
+          end
+          # Now return the value using the Struct getter, whether newly populated or not
+          self[field_name]
+        end
+      end
+
       # Define all access methods with the parent resource
       # These methods will be configured to return an `ExceptionCatcher` object
       # that will always return the original exception, but only when called
       # upon. This will allow method chains in `describe` statements to pass the
       # `instance_eval` when loaded and only throw-and-catch the exception when
       # the tests are run.
-      accessors = @accessors + @connectors.keys
-      accessors.each do |method_name|
-        resource.send(:define_method, method_name.to_sym) do |*args, &block|
+      methods_to_install_on_resource_class = @filter_methods + @custom_properties.keys
+      methods_to_install_on_resource_class.each do |method_name|
+        resource_class.send(:define_method, method_name.to_sym) do |*args, &block|
           begin
-            filter = table.new(self, method(table_accessor).call, ' with')
-            filter.method(method_name.to_sym).call(*args, &block)
+            # self here is the resource instance
+            filter_table_instance = table_class.new(self, method(raw_data_fetcher_method_name).call, ' with')
+            filter_table_instance.method(method_name.to_sym).call(*args, &block)
           rescue Inspec::Exceptions::ResourceFailed, Inspec::Exceptions::ResourceSkipped => e
-            FilterTable::ExceptionCatcher.new(resource, e)
+            FilterTable::ExceptionCatcher.new(resource_class, e)
           end
         end
       end
     end
 
-    def add_accessor(method_name)
+    alias connect install_filter_methods_on_resource
+
+    # TODO: This should almost certainly be privatized.  Every FilterTable client should get :entries and :where;
+    # InSpec core resources do not define anything else, other than azure_generic_resource, which is likely a mis-use.
+    def register_filter_method(method_name)
       if method_name.nil?
-        throw RuntimeError, "Called filter.add_delegator for resource #{@resource} with method name nil!"
+        # TODO: @resource is never initialized
+        throw RuntimeError, "Called filter.add_accessor for resource #{@resource} with method name nil!"
+      end
+      if @filter_methods.include? method_name.to_sym
+        # TODO: issue deprecation warning?
+      else
+        @filter_methods.push(method_name.to_sym)
       end
-      @accessors.push(method_name)
       self
     end
 
-    def add(method_name, opts = {}, &block)
-      if method_name.nil?
+    alias add_accessor register_filter_method
+
+    def register_custom_property(property_name, opts = {}, &property_implementation)
+      if property_name.nil?
+        # TODO: @resource is never initialized
         throw RuntimeError, "Called filter.add for resource #{@resource} with method name nil!"
       end
 
-      @connectors[method_name.to_sym] =
-        Connector.new(opts[:field] || method_name, block, opts)
+      if @custom_properties.key?(property_name.to_sym)
+        # TODO: issue deprecation warning?
+      else
+        @custom_properties[property_name.to_sym] =
+          CustomPropertyType.new(opts[:field] || property_name, property_implementation, opts)
+      end
       self
     end
 
-    private
+    alias add register_custom_property
+    alias register_column register_custom_property
+    alias register_custom_matcher register_custom_property
 
-    def create_connector(c)
-      return ->(cond = Show) { c.block.call(self, cond) } if !c.block.nil?
+    private
 
-      lambda { |condition = Show, &cond_block|
-        if condition == Show && !block_given?
-          r = where(nil).get_field(c.field_name)
-          r = r.flatten.uniq.compact if c.opts[:style] == :simple
-          r
-        else
-          where({ c.field_name => condition }, &cond_block)
+    # This provides the implementation for methods requested using
+    # register_custom_property(:some_method_name, opts, &block)
+    # Some usage in the wild involves people passing a desired value to the generated method, like:
+    #  things.ids(23)
+    # I'm calling this the 'filter_criterion_value'. I speculate that a default value is
+    # provided here so that users can meaningfully query for nil.
+    def create_custom_property_body(custom_property_struct)
+      if !custom_property_struct.block.nil?
+        # If the custom method provided its own block, rely on it.
+        lambda do |filter_criteria_value = NoCriteriaProvided|
+          # Here self is an instance of the FilterTable subclass that wraps the raw data.
+          # Call the block with two args - the table instance, and any filter criteria value.
+          custom_property_struct.block.call(self, filter_criteria_value)
         end
-      }
+      else
+        # No block definition, so the property was registered using (field: :some_field)
+        # This does however support passing a block to this method, and filtering using it, like Enumerable#select.
+        lambda do |filter_criteria_value = NoCriteriaProvided, &cond_block|
+          if filter_criteria_value == NoCriteriaProvided && !block_given?
+            # No second-order block given.  Just return an array of the values in the selected column.
+            result = where(nil)
+            if custom_property_struct.opts[:lazy]
+              result.populate_lazy_field(custom_property_struct.field_name, filter_criteria_value)
+            end
+            result = where(nil).get_column_values(custom_property_struct.field_name) # TODO: the where(nil). is likely unneeded
+            result = result.flatten.uniq.compact if custom_property_struct.opts[:style] == :simple
+            result
+          else
+            # A secondary block was provided.  Rely on where() to execute the block, while also filtering on any single value
+            # Suspected bug: if filter_criteria_value == NoCriteriaProvided, this is unlikely to match - see hash condition handling in where() above.
+            where(custom_property_struct.field_name => filter_criteria_value, &cond_block)
+          end
+        end
+      end
     end
   end