inspec 2.2.102 → 2.2.112

data/lib/plugins/inspec-habitat/test/unit/profile_test.rb

@@ -0,0 +1,184 @@
+require 'mixlib/log'
+require 'ostruct'
+require 'minitest/autorun'
+require 'mocha/setup'
+require_relative '../../lib/inspec-habitat/profile.rb'
+
+describe InspecPlugins::Habitat::Profile do
+  let(:profile) do
+    OpenStruct.new(
+      name:    'my_profile',
+      version: '1.2.3',
+      files:   %w(file1 file2)
+    )
+  end
+
+  let(:subject) { InspecPlugins::Habitat::Profile.new('/path/to/profile', { 'log_level' => 'fatal' }) }
+
+  before do
+    Inspec::Log.level(:fatal)
+  end
+
+  describe '#verify_profile' do
+    it 'exits if the profile is not valid' do
+      profile = mock
+      profile.stubs(:check).returns(summary: { valid: false })
+      subject.expects(:profile).returns(profile)
+      proc { subject.send(:verify_profile) }.must_raise SystemExit
+    end
+
+    it 'does not exist if the profile is valid' do
+      profile = mock
+      profile.stubs(:check).returns(summary: { valid: true })
+      subject.expects(:profile).returns(profile)
+      subject.send(:verify_profile)
+    end
+  end
+
+  describe '#vendor_profile_dependencies' do
+    let(:profile_vendor) do
+      profile_vendor = mock
+      profile_vendor.stubs(:lockfile).returns(lockfile)
+      profile_vendor.stubs(:cache_path).returns(cache_path)
+      profile_vendor
+    end
+    let(:lockfile) { mock }
+    let(:cache_path) { mock }
+
+    before do
+      Inspec::ProfileVendor.expects(:new).returns(profile_vendor)
+    end
+
+    describe 'when lockfile exists and cache dir exists' do
+      it 'does not vendor the dependencies' do
+        lockfile.expects(:exist?).returns(true)
+        cache_path.expects(:exist?).returns(true)
+        profile_vendor.expects(:vendor!).never
+        profile_vendor.expects(:make_readable).never
+        subject.send(:vendor_profile_dependencies)
+      end
+    end
+
+    describe 'when the lockfile exists but the cache dir does not' do
+      it 'vendors the dependencies and refreshes the profile object' do
+        lockfile.expects(:exist?).returns(true)
+        cache_path.expects(:exist?).returns(false)
+        profile_vendor.expects(:vendor!)
+        profile_vendor.expects(:make_readable)
+        subject.expects(:create_profile_object)
+
+        subject.send(:vendor_profile_dependencies)
+      end
+    end
+
+    describe 'when the lockfile does not exist' do
+      it 'vendors the dependencies and refreshes the profile object' do
+        lockfile.expects(:exist?).returns(false)
+        profile_vendor.expects(:vendor!)
+        profile_vendor.expects(:make_readable)
+        subject.expects(:create_profile_object)
+
+        subject.send(:vendor_profile_dependencies)
+      end
+    end
+  end
+
+  describe '#validate_habitat_installed' do
+    it 'exits if hab --version fails' do
+      cmd = mock
+      cmd.stubs(:error?).returns(true)
+      cmd.stubs(:run_command)
+      cmd.stubs(:stdout)
+      cmd.stubs(:stderr)
+      Mixlib::ShellOut.expects(:new).with('hab --version').returns(cmd)
+      proc { subject.send(:validate_habitat_installed) }.must_raise SystemExit
+    end
+  end
+
+  describe '#validate_habitat_origin' do
+    it 'does not exit if the origin key exists' do
+      subject.expects(:habitat_origin).returns('12345')
+      subject.send(:validate_habitat_origin)
+    end
+
+    it 'exits if no origin key exists' do
+      subject.expects(:habitat_origin).returns(nil)
+      proc { subject.send(:validate_habitat_origin) }.must_raise SystemExit
+    end
+  end
+
+  describe '#validate_habitat_auth_token' do
+    it 'does not exit if the auth_token exists' do
+      subject.expects(:habitat_auth_token).returns('12345')
+      subject.send(:validate_habitat_auth_token)
+    end
+
+    it 'exits if no auth_token exists' do
+      subject.expects(:habitat_auth_token).returns(nil)
+      proc { subject.send(:validate_habitat_auth_token) }.must_raise SystemExit
+    end
+  end
+
+  describe '#build_hart' do
+    before do
+      subject.expects(:work_dir).at_least_once.returns(Dir.tmpdir)
+    end
+
+    it 'exits if the build fails' do
+      subject.expects(:system).returns(false)
+      proc { subject.send(:build_hart) }.must_raise SystemExit
+    end
+
+    it 'exits if more than one hart is created' do
+      subject.expects(:system).returns(true)
+      Dir.expects(:glob).returns(%w(hart1 hart2))
+      proc { subject.send(:build_hart) }.must_raise SystemExit
+    end
+
+    it 'exits if more than no hart is created' do
+      subject.expects(:system).returns(true)
+      Dir.expects(:glob).returns([])
+      proc { subject.send(:build_hart) }.must_raise SystemExit
+    end
+
+    it 'returns the hart filename' do
+      subject.expects(:system).returns(true)
+      Dir.expects(:glob).returns(%w(hart1))
+      subject.send(:build_hart).must_equal('hart1')
+    end
+  end
+
+  describe '#upload_hart' do
+    it 'exits if the upload failed' do
+      env = {
+        'TERM'               => 'vt100',
+        'HAB_AUTH_TOKEN'     => 'my_token',
+        'HAB_NONINTERACTIVE' => 'true',
+      }
+
+      cmd = mock
+      cmd.stubs(:run_command)
+      cmd.stubs(:error?).returns(true)
+      cmd.stubs(:stdout)
+      cmd.stubs(:stderr)
+
+      subject.expects(:habitat_auth_token).returns('my_token')
+      Mixlib::ShellOut.expects(:new).with("hab pkg upload my_hart", env: env).returns(cmd)
+      proc { subject.send(:upload_hart, 'my_hart') }.must_raise SystemExit
+    end
+  end
+
+  describe '#habitat_cli_config' do
+    it 'returns an empty hash if the CLI config does not exist' do
+      File.expects(:exist?).with(File.join(ENV['HOME'], '.hab', 'etc', 'cli.toml')).returns(false)
+      subject.send(:habitat_cli_config).must_equal({})
+    end
+
+    it 'returns parsed TOML from the hab config file' do
+      config_file = File.join(ENV['HOME'], '.hab', 'etc', 'cli.toml')
+      File.expects(:exist?).with(config_file).returns(true)
+      Tomlrb.expects(:load_file).with(config_file).returns(foo: 1)
+      subject.send(:habitat_cli_config).must_equal(foo: 1)
+    end
+  end
+end

data/lib/plugins/inspec-init/lib/inspec-init.rb

@@ -0,0 +1,12 @@
+module InspecPlugins
+  module Init
+    class Plugin < Inspec.plugin(2)
+      plugin_name :'inspec-init'
+
+      cli_command :init do
+        require_relative 'inspec-init/cli'
+        InspecPlugins::Init::CLI
+      end
+    end
+  end
+end

data/lib/plugins/inspec-init/lib/inspec-init/cli.rb

@@ -0,0 +1,28 @@
+# encoding: utf-8
+
+require 'pathname'
+require_relative 'renderer'
+
+module InspecPlugins
+  module Init
+    class CLI < Inspec.plugin(2, :cli_command)
+      subcommand_desc 'init SUBCOMMAND', 'Initialize InSpec objects'
+
+      # Look in the 'template' directory, and register a subcommand
+      # for each template directory found there.
+      template_dir = File.join(File.dirname(__FILE__), 'templates')
+      Dir.glob(File.join(template_dir, '*')) do |template|
+        template_name = Pathname.new(template).relative_path_from(Pathname.new(template_dir)).to_s
+
+        # register command for the template
+        desc "#{template_name} NAME", "Create a new #{template_name}"
+        option :overwrite, type: :boolean, default: false,
+          desc: 'Overwrites existing directory'
+        define_method template_name.to_sym do |name_for_new_structure|
+          renderer = InspecPlugins::Init::Renderer.new(self, options)
+          renderer.render_with_values(template_name, name: name_for_new_structure)
+        end
+      end
+    end
+  end
+end

data/lib/plugins/inspec-init/lib/inspec-init/renderer.rb

@@ -0,0 +1,81 @@
+require 'fileutils'
+require 'erb'
+
+module InspecPlugins
+  module Init
+    class Renderer
+      # Creates a renderer able to render the given template type
+      # 1. iterate over all files
+      # 2. read content in erb
+      # 3. write to full_destination_root_path
+
+      attr_reader :overwrite_mode, :ui
+      def initialize(cli_ui, cli_options = {})
+        @ui = cli_ui
+        @overwrite_mode = cli_options['overwrite']
+      end
+
+      # rubocop: disable Metrics/AbcSize
+      def render_with_values(template_type, template_values = {})
+        # look for template directory
+        base_dir = File.join(File.dirname(__FILE__), 'templates', template_type)
+        # prepare glob for all subdirectories and files
+        template_glob = File.join(base_dir, '**', '{*,.*}')
+        # Use the name attribute to define the path to the profile.
+        profile_path = template_values[:name]
+        # Use slashes (\, /) to split up the name into an Array then use the last entry
+        # to reset the name of the profile.
+        template_values[:name] = template_values[:name].split(%r{\\|\/}).last
+        # Generate the full full_destination_root_path path on disk
+        full_destination_root_path = Pathname.new(Dir.pwd).join(profile_path)
+        ui.plain_text "Create new #{template_type} at #{ui.mark_text(full_destination_root_path)}"
+
+        # check that the directory does not exist
+        if File.exist?(full_destination_root_path) && !overwrite_mode
+          ui.plain_text "#{ui.mark_text(full_destination_root_path)} exists already, use --overwrite"
+          ui.exit(1)
+        end
+
+        # ensure that full_destination_root_path directory is available
+        FileUtils.mkdir_p(full_destination_root_path)
+
+        # iterate over files and write to full_destination_root_path
+        Dir.glob(template_glob) do |file|
+          relative_destination_item_path = Pathname.new(file).relative_path_from(Pathname.new(base_dir))
+          full_destination_item_path = Pathname.new(full_destination_root_path).join(relative_destination_item_path)
+          if File.directory?(file)
+            ui.li "Create directory #{ui.mark_text(relative_destination_item_path)}"
+            FileUtils.mkdir_p(full_destination_item_path)
+          elsif File.file?(file)
+            ui.li "Create file #{ui.mark_text(relative_destination_item_path)}"
+            # read & render content
+            content = render(File.read(file), template_values)
+            # write file content
+            File.write(full_destination_item_path, content)
+          else
+            ui.plain_text "Ignore #{file}, because its not an file or directoy"
+          end
+        end
+      end
+      # rubocop: enable Metrics/AbcSize
+
+      # This is a render helper to bind hash values to a ERB template
+      # ERB provides result_with_hash in ruby 2.5.0+, which does exactly this
+      def render(template_content, hash)
+        # create a new binding class
+        cls = Class.new do
+          hash.each do |key, value|
+            define_method key.to_sym do
+              value
+            end
+          end
+          # expose binding
+          define_method :bind do
+            binding
+          end
+        end
+        ERB.new(template_content).result(cls.new.bind)
+      end
+    end
+  end
+end

data/lib/plugins/inspec-init/test/functional/inspec_init_test.rb

@@ -0,0 +1,30 @@
+# encoding: utf-8
+
+require_relative '../../../shared/core_plugin_test_helper.rb'
+
+class InitCli < MiniTest::Test
+  include CorePluginFunctionalHelper
+
+  def test_generating_inspec_profile
+    Dir.mktmpdir do |dir|
+      profile = File.join(dir, 'test-profile')
+      out = run_inspec_process("init profile test-profile", prefix: "cd #{dir} &&")
+      assert_equal 0, out.exit_status
+      assert_includes out.stdout, 'Create new profile at'
+      assert_includes out.stdout, profile
+      assert_includes Dir.entries(profile).join, 'inspec.yml'
+      assert_includes Dir.entries(profile).join, 'README.md'
+    end
+  end
+
+  def test_profile_with_slash_name
+    Dir.mktmpdir do |dir|
+      profile = dir + '/test/deeper/profile'
+      out = run_inspec_process("init profile test/deeper/profile", prefix: "cd #{dir} &&")
+      assert_equal 0, out.exit_status
+      assert_equal true, File.exist?(profile)
+      profile = YAML.load_file("#{profile}/inspec.yml")
+      assert_equal 'profile', profile['name']
+    end
+  end
+end

data/lib/plugins/shared/core_plugin_test_helper.rb

@@ -0,0 +1,50 @@
+
+# Load test harness - MiniTest
+require 'minitest/autorun'
+require 'minitest/unit'
+require 'minitest/pride'
+require 'minitest/spec'
+
+# Data formats commonly used in testing
+require 'json'
+require 'ostruct'
+
+# Utilities often needed
+require 'fileutils'
+
+# Configure MiniTest to expose things like `let`
+class Module
+  include Minitest::Spec::DSL
+end
+
+module CorePluginBaseHelper
+  let(:repo_path) { File.expand_path(File.join(__FILE__, '..', '..', '..', '..')) }
+  let(:inspec_bin_path) { File.join(repo_path, 'bin', 'inspec') }
+  let(:core_mock_path) { File.join(repo_path, 'test', 'unit', 'mock') }
+  let(:core_fixture_plugins_path) { File.join(core_mock_path, 'plugins') }
+  let(:core_config_dir_path) { File.join(core_mock_path, 'config_dirs') }
+
+  let(:registry) { Inspec::Plugin::V2::Registry.instance }
+end
+
+module CorePluginFunctionalHelper
+  include CorePluginBaseHelper
+
+  require 'train'
+  TRAIN_CONNECTION = Train.create('local', command_runner: :generic).connection
+
+  def run_inspec_process(command_line, opts = {})
+    prefix = ''
+    if opts.key?(:prefix)
+      prefix = opts[:prefix]
+    elsif opts.key?(:env)
+      prefix = opts[:env].to_a.map { |assignment| "#{assignment[0]}=#{assignment[1]}" }.join(' ')
+    end
+    TRAIN_CONNECTION.run_command("#{prefix} #{inspec_bin_path} #{command_line}")
+  end
+end
+
+module CorePluginUnitHelper
+  include CorePluginBaseHelper
+  require 'inspec'
+end

data/lib/resources/aws/aws_security_group.rb

@@ -12,7 +12,7 @@ class AwsSecurityGroup < Inspec.resource(1)
   supports platform: 'aws'
 
   include AwsSingularResourceMixin
-  attr_reader :description, :group_id, :group_name, :vpc_id, :inbound_rules, :outbound_rules
+  attr_reader :description, :group_id, :group_name, :vpc_id, :inbound_rules, :outbound_rules, :inbound_rules_count, :outbound_rules_count
 
   def to_s
     "EC2 Security Group #{@group_id}"
@@ -57,6 +57,7 @@ class AwsSecurityGroup < Inspec.resource(1)
       matched &&= allow__match_port(rule, criteria)
       matched &&= allow__match_protocol(rule, criteria)
       matched &&= allow__match_ipv4_range(rule, criteria)
+      matched &&= allow__match_ipv6_range(rule, criteria)
       matched
     end
   end
@@ -65,6 +66,7 @@ class AwsSecurityGroup < Inspec.resource(1)
     allowed_criteria = [
       :from_port,
       :ipv4_range,
+      :ipv6_range,
       :port,
       :position,
       :protocol,
@@ -149,11 +151,17 @@ class AwsSecurityGroup < Inspec.resource(1)
     rule[:ip_protocol] == prot
   end
 
-  def allow__match_ipv4_range(rule, criteria)
-    return true unless criteria.key?(:ipv4_range)
-    query = criteria[:ipv4_range]
-    query = [query] unless query.is_a?(Array)
-    ranges = rule[:ip_ranges].map { |rng| rng[:cidr_ip] }
+  def match_ipv4_or_6_range(rule, criteria)
+    if criteria.key?(:ipv4_range)
+      query = criteria[:ipv4_range]
+      query = [query] unless query.is_a?(Array)
+      ranges = rule[:ip_ranges].map { |rng| rng[:cidr_ip] }
+    else # IPv6
+      query = criteria[:ipv6_range]
+      query = [query] unless query.is_a?(Array)
+      ranges = rule[:ipv_6_ranges].map { |rng| rng[:cidr_ipv_6] }
+    end
+
     if criteria[:exact]
       Set.new(query) == Set.new(ranges)
     else
@@ -169,6 +177,16 @@ class AwsSecurityGroup < Inspec.resource(1)
     end
   end
 
+  def allow__match_ipv4_range(rule, criteria)
+    return true unless criteria.key?(:ipv4_range)
+    match_ipv4_or_6_range(rule, criteria)
+  end
+
+  def allow__match_ipv6_range(rule, criteria)
+    return true unless criteria.key?(:ipv6_range)
+    match_ipv4_or_6_range(rule, criteria)
+  end
+
   def validate_params(raw_params)
     recognized_params = check_resource_param_names(
       raw_params: raw_params,
@@ -196,6 +214,18 @@ class AwsSecurityGroup < Inspec.resource(1)
     validated_params
   end
 
+  def count_sg_rules(ip_permissions)
+    rule_count = 0
+    ip_permissions.each do |ip_permission|
+      [:ip_ranges, :ipv_6_ranges, :user_id_group_pairs].each do |key|
+        if ip_permission.key? key
+          rule_count += ip_permission[key].length
+        end
+      end
+    end
+    rule_count
+  end
+
   def fetch_from_api # rubocop: disable Metrics/AbcSize
     backend = BackendFactory.create(inspec_runner)
 
@@ -233,7 +263,9 @@ class AwsSecurityGroup < Inspec.resource(1)
     @group_name = dsg_response.security_groups[0].group_name
     @vpc_id     = dsg_response.security_groups[0].vpc_id
     @inbound_rules = dsg_response.security_groups[0].ip_permissions.map(&:to_h)
+    @inbound_rules_count = count_sg_rules(dsg_response.security_groups[0].ip_permissions.map(&:to_h))
     @outbound_rules = dsg_response.security_groups[0].ip_permissions_egress.map(&:to_h)
+    @outbound_rules_count = count_sg_rules(dsg_response.security_groups[0].ip_permissions_egress.map(&:to_h))
   end
 
   class Backend