inspec 2.2.112 → 2.3.4

data/lib/plugins/inspec-plugin-manager-cli/test/unit/cli_args_test.rb

@@ -0,0 +1,71 @@
+require_relative '../../../shared/core_plugin_test_helper.rb'
+
+#-----------------------------------------------------------------------#
+# Thor option defs
+#-----------------------------------------------------------------------#
+class PluginManagerCliOptions < MiniTest::Test
+  include CorePluginUnitHelper
+  let(:cli_class) { InspecPlugins::PluginManager::CliCommand }
+
+  def setup
+    require_relative '../../lib/inspec-plugin-manager-cli/cli_command'
+  end
+
+  def test_list_args
+    arg_config = cli_class.all_commands['list'].options
+    assert_equal 1, arg_config.count, 'The list command should have 1 option'
+
+    assert_includes arg_config.keys, :all, 'The list command should have an --all option'
+    assert_equal :boolean, arg_config[:all].type, 'The --all option should be boolean'
+    assert_equal :a, arg_config[:all].aliases.first, 'The --all option should be aliased as -a'
+    refute_nil arg_config[:all].description, 'The --all option should have a description'
+    refute arg_config[:all].required, 'The --all option should not be required'
+
+    assert_equal 0, cli_class.instance_method(:list).arity, 'The list command should take no arguments'
+  end
+
+  def test_search_args
+    arg_config = cli_class.all_commands['search'].options
+    assert_equal 2, arg_config.count, 'The search command should have 2 options'
+
+    assert_includes arg_config.keys, :all, 'The search command should have an --all option'
+    assert_equal :boolean, arg_config[:all].type, 'The --all option should be boolean'
+    assert_equal :a, arg_config[:all].aliases.first, 'The --all option should be aliased as -a'
+    refute_nil arg_config[:all].description, 'The --all option should have a description'
+    refute arg_config[:all].required, 'The --all option should not be required'
+
+    assert_includes arg_config.keys, :exact, 'The search command should have an --exact option'
+    assert_equal :boolean, arg_config[:exact].type, 'The --exact option should be boolean'
+    assert_equal :e, arg_config[:exact].aliases.first, 'The --exact option should be aliased as -e'
+    refute_nil arg_config[:exact].description, 'The --exact option should have a description'
+    refute arg_config[:exact].required, 'The --exact option should not be required'
+
+    assert_equal 1, cli_class.instance_method(:search).arity, 'The search command should take one argument'
+  end
+
+  def test_install_args
+    arg_config = cli_class.all_commands['install'].options
+    assert_equal 1, arg_config.count, 'The install command should have 1 option'
+
+    assert_includes arg_config.keys, :version, 'The install command should have a --version option'
+    assert_equal :string, arg_config[:version].type, 'The --version option should be a string'
+    assert_equal :v, arg_config[:version].aliases.first, 'The --version option should be aliased as -v'
+    refute_nil arg_config[:version].description, 'The --version option should have a description'
+    refute arg_config[:version].required, 'The --version option should not be required'
+
+    assert_equal 1, cli_class.instance_method(:install).arity, 'The install command should take one argument'
+  end
+
+  def test_update_args
+    # TODO: allow specifying version
+    arg_config = cli_class.all_commands['update'].options
+    assert_equal 0, arg_config.count, 'The update command should have no options'
+    assert_equal 1, cli_class.instance_method(:update).arity, 'The update command should take one argument'
+  end
+
+  def test_uninstall_args
+    arg_config = cli_class.all_commands['uninstall'].options
+    assert_equal 0, arg_config.count, 'The uninstall command should have no options'
+    assert_equal 1, cli_class.instance_method(:uninstall).arity, 'The uninstall command should take one argument'
+  end
+end

data/lib/plugins/inspec-plugin-manager-cli/test/unit/plugin_def_test.rb

@@ -0,0 +1,20 @@
+require_relative '../../../shared/core_plugin_test_helper.rb'
+
+#-----------------------------------------------------------------------#
+# Plugin Definition
+#-----------------------------------------------------------------------#
+class PluginManagerCliDefinitionTests < MiniTest::Test
+  include CorePluginUnitHelper
+
+  def test_plugin_registered
+    loader = Inspec::Plugin::V2::Loader.new
+    loader.load_all # We want to ensure it is auto-loaded
+
+    assert registry.known_plugin?(:'inspec-plugin-manager-cli'), 'inspec-plugin-manager-cli should be registered'
+    assert registry.loaded_plugin?(:'inspec-plugin-manager-cli'), 'inspec-plugin-manager-cli should be loaded'
+
+    status = registry[:'inspec-plugin-manager-cli']
+    assert_equal 2, status.api_generation, 'inspec-plugin-manager-cli should be v2'
+    assert_includes status.plugin_types, :cli_command, 'inspec-plugin-manager-cli should have cli_command activators'
+  end
+end

data/lib/plugins/shared/core_plugin_test_helper.rb

@@ -11,12 +11,32 @@ require 'ostruct'
 
 # Utilities often needed
 require 'fileutils'
+require 'tmpdir'
+require 'pathname'
+require 'forwardable'
 
 # Configure MiniTest to expose things like `let`
 class Module
   include Minitest::Spec::DSL
 end
 
+module Inspec
+  class FuncTestRunResult
+    attr_reader :train_result
+    attr_reader :payload
+
+    extend Forwardable
+    def_delegator :train_result, :stdout
+    def_delegator :train_result, :stderr
+    def_delegator :train_result, :exit_status
+
+    def initialize(train_result)
+      @train_result = train_result
+      @payload = OpenStruct.new
+    end
+  end
+end
+
 module CorePluginBaseHelper
   let(:repo_path) { File.expand_path(File.join(__FILE__, '..', '..', '..', '..')) }
   let(:inspec_bin_path) { File.join(repo_path, 'bin', 'inspec') }
@@ -40,11 +60,90 @@ module CorePluginFunctionalHelper
     elsif opts.key?(:env)
       prefix = opts[:env].to_a.map { |assignment| "#{assignment[0]}=#{assignment[1]}" }.join(' ')
     end
-    TRAIN_CONNECTION.run_command("#{prefix} #{inspec_bin_path} #{command_line}")
+    Inspec::FuncTestRunResult.new(TRAIN_CONNECTION.run_command("#{prefix} #{inspec_bin_path} #{command_line}"))
+  end
+
+  # This helper does some fancy footwork to make InSpec think a plugin
+  # under development is temporarily installed.
+  # @param String command_line Invocation, without the word 'inspec'
+  # @param Hash opts options as for run_inspec_process, with more options:
+  #    :pre_run: Proc(plugin_statefile_data, tmp_dir_path) - optional setup block.
+  #       Modify plugin_statefile_data as needed; it will be written to a plugins.json
+  #       in tmp_dir_path.  You may also copy in other things to the tmp_dir_path. Your PWD
+  #       will be in the tmp_dir, and it will exist and be empty.
+  #    :post_run: Proc(FuncTestRunResult, tmp_dir_path) - optional result capture block.
+  #       run_result will be populated, but you can add more to the ostruct .payload
+  #       Your PWD will be the tmp_dir, and it will still exist (for a moment!)
+  def run_inspec_process_with_this_plugin(command_line, opts = {})
+    plugin_path = __find_plugin_path_from_caller
+
+    # If it looks like it is a core plugin under test, don't add it to the plugin file
+    # since the loader will auto-load it anyway
+    if plugin_path.include?('lib/plugins/inspec-')
+      plugin_file_data = __make_empty_plugin_file_data_structure
+    else
+      plugin_file_data = __make_plugin_file_data_structure_with_path(plugin_path)
+    end
+
+    Dir.mktmpdir do |tmp_dir|
+      opts[:pre_run]&.call(plugin_file_data, tmp_dir)
+      plugin_file_path = File.join(tmp_dir, 'plugins.json')
+      # HACK: If the block cleared the hash, take that to mean it will provide a plugins.json file of its own.
+      File.write(plugin_file_path, JSON.generate(plugin_file_data)) unless plugin_file_data.empty?
+      opts[:env] ||= {}
+      opts[:env]['INSPEC_CONFIG_DIR'] = tmp_dir
+      run_result = run_inspec_process(command_line, opts)
+
+      # Read the resulting plugins.json into memory, if any
+      if File.exist?(plugin_file_path)
+        run_result.payload.plugin_data = JSON.parse(File.read(plugin_file_path))
+      end
+
+      opts[:post_run]&.call(run_result, tmp_dir)
+      run_result
+    end
+  end
+
+  def __find_plugin_path_from_caller(frames_back = 2)
+    caller_path = Pathname.new(caller_locations(frames_back, 1).first.absolute_path)
+    # Typical caller path:
+    # /Users/cwolfe/sandbox/inspec-resource-lister/test/functional/inspec_resource_lister_test.rb
+    # We want:
+    # /Users/cwolfe/sandbox/inspec-resource-lister/lib/inspec-resource-lister.rb
+    cursor = caller_path
+    until cursor.basename.to_s == 'test' && cursor.parent.basename.to_s =~ /^(inspec|train)-/
+      cursor = cursor.parent
+      break if cursor.nil?
+    end
+    raise 'Could not comprehend plugin project directory structure' if cursor.nil?
+
+    project_dir = cursor.parent
+    plugin_name = project_dir.basename
+    entry_point = File.join(project_dir.to_s, 'lib', plugin_name.to_s + '.rb')
+    raise 'Could not find plugin entry point' unless File.exist?(entry_point)
+    entry_point
+  end
+
+  def __make_plugin_file_data_structure_with_path(path)
+    # TODO: dry this up, refs #3350
+    plugin_name = File.basename(path, '.rb')
+    data = __make_empty_plugin_file_data_structure
+    data['plugins'] << {
+      'name' => plugin_name,
+      'installation_type' => 'path',
+      'installation_path' => path,
+    }
+  end
+
+  def __make_empty_plugin_file_data_structure
+    # TODO: dry this up, refs #3350
+    {
+      'plugins_config_version' => '1.0.0',
+      'plugins' => [],
+    }
   end
 end
 
 module CorePluginUnitHelper
   include CorePluginBaseHelper
-  require 'inspec'
 end

data/lib/plugins/things-for-train-integration.rb

@@ -0,0 +1,14 @@
+# docs/plugins
+# Update that train plugins are now possible
+
+# test/unit/plugin/v2/loader_test.rb
+# TODO: loading all plugins does not activate Train plugins
+
+# lib/plugins/inspec-plugin-manager-cli/test/functional/inspec-plugin_test.rb
+# ~ Should be able to install a train plugin - in place, will fail until plugin published
+# ~ Should be able to search for a train plugin - in place, will fail until plugin published
+
+# test/functional/plugins_test.rb
+# % Should be able to suggest a train transport plugin when an unsupported --target schema is used and a gem search is successful
+# % Should be able to suggest a train transport plugin when an unrecognized profile platform declaration is used and a gem search is successful
+# - Should be able to run inspec detect targeting a test target

data/lib/resource_support/aws.rb

@@ -19,6 +19,8 @@ require 'resources/aws/aws_cloudwatch_log_metric_filter'
 require 'resources/aws/aws_config_delivery_channel'
 require 'resources/aws/aws_config_recorder'
 require 'resources/aws/aws_ec2_instance'
+require 'resources/aws/aws_ebs_volume'
+require 'resources/aws/aws_ebs_volumes'
 require 'resources/aws/aws_flow_log'
 require 'resources/aws/aws_ec2_instances'
 require 'resources/aws/aws_ecs_cluster'

data/lib/resources/aws/aws_ebs_volume.rb

@@ -0,0 +1,122 @@
+class AwsEbsVolume < Inspec.resource(1)
+  name 'aws_ebs_volume'
+  desc 'Verifies settings for an EBS volume'
+
+  example <<-EOX
+    describe aws_ebs_volume('vol-123456') do
+      it { should be_encrypted }
+      its('size') { should cmp 8 }
+    end
+
+    describe aws_ebs_volume(name: 'my-volume') do
+      its('encrypted') { should eq true }
+      its('iops') { should cmp 100 }
+    end
+EOX
+  supports platform: 'aws'
+
+  # TODO: rewrite to avoid direct injection, match other resources, use AwsSingularResourceMixin
+  def initialize(opts, conn = nil)
+    @opts = opts
+    @display_name = opts.is_a?(Hash) ? @opts[:name] : opts
+    @ec2_client = conn ? conn.ec2_client : inspec_runner.backend.aws_client(Aws::EC2::Client)
+    @ec2_resource = conn ? conn.ec2_resource : inspec_runner.backend.aws_resource(Aws::EC2::Resource, {})
+  end
+
+  # TODO: DRY up, see https://github.com/chef/inspec/issues/2633
+  # Copied from resource_support/aws/aws_resource_mixin.rb
+  def catch_aws_errors
+    yield
+  rescue Aws::Errors::MissingCredentialsError
+    # The AWS error here is unhelpful:
+    # "unable to sign request without credentials set"
+    Inspec::Log.error "It appears that you have not set your AWS credentials. You may set them using environment variables, or using the 'aws://region/aws_credentials_profile' target. See https://www.inspec.io/docs/reference/platforms for details."
+    fail_resource('No AWS credentials available')
+  rescue Aws::Errors::ServiceError => e
+    fail_resource(e.message)
+  end
+
+  # TODO: DRY up, see https://github.com/chef/inspec/issues/2633
+  # Copied from resource_support/aws/aws_singular_resource_mixin.rb
+  def inspec_runner
+    # When running under inspec-cli, we have an 'inspec' method that
+    # returns the runner. When running under unit tests, we don't
+    # have that, but we still have to call this to pass something
+    # (nil is OK) to the backend.
+    # TODO: remove with https://github.com/chef/inspec-aws/issues/216
+    # TODO: remove after rewrite to include AwsSingularResource
+    inspec if respond_to?(:inspec)
+  end
+
+  def id
+    return @volume_id if defined?(@volume_id)
+    catch_aws_errors do
+      if @opts.is_a?(Hash)
+        first = @ec2_resource.volumes(
+          {
+            filters: [{
+              name: 'tag:Name',
+              values: [@opts[:name]],
+            }],
+          },
+        ).first
+        # catch case where the volume is not known
+        @volume_id = first.id unless first.nil?
+      else
+        @volume_id = @opts
+      end
+    end
+  end
+  alias volume_id id
+
+  def exists?
+    !volume.nil?
+  end
+
+  def encrypted?
+    volume.encrypted
+  end
+
+  # attributes that we want to expose
+  %w{
+    availability_zone encrypted iops kms_key_id size snapshot_id state volume_type
+  }.each do |attribute|
+    define_method attribute do
+      catch_aws_errors do
+        volume.send(attribute) if volume
+      end
+    end
+  end
+
+  # Don't document this - it's a bit hard to use.  Our current doctrine
+  # is to use dumb things, like arrays of strings - use security_group_ids instead.
+  def security_groups
+    catch_aws_errors do
+      @security_groups ||= volume.security_groups.map { |sg|
+        { id: sg.group_id, name: sg.group_name }
+      }
+    end
+  end
+
+  def security_group_ids
+    catch_aws_errors do
+      @security_group_ids ||= volume.security_groups.map(&:group_id)
+    end
+  end
+
+  def tags
+    catch_aws_errors do
+      @tags ||= volume.tags.map { |tag| { key: tag.key, value: tag.value } }
+    end
+  end
+
+  def to_s
+    "EBS Volume #{@display_name}"
+  end
+
+  private
+
+  def volume
+    catch_aws_errors { @volume ||= @ec2_resource.volume(id) }
+  end
+end

data/lib/resources/aws/aws_ebs_volumes.rb

@@ -0,0 +1,63 @@
+class AwsEbsVolumes < Inspec.resource(1)
+  name 'aws_ebs_volumes'
+  desc 'Verifies settings for AWS EBS Volumes in bulk'
+  example '
+    describe aws_ebs_volumes do
+      it { should exist }
+    end
+  '
+  supports platform: 'aws'
+
+  include AwsPluralResourceMixin
+  def validate_params(resource_params)
+    unless resource_params.empty?
+      raise ArgumentError, 'aws_ebs_volumes does not accept resource parameters.'
+    end
+    resource_params
+  end
+
+  # Underlying FilterTable implementation.
+  filter = FilterTable.create
+  filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
+  filter.register_column(:volume_ids, field: :volume_id)
+  filter.install_filter_methods_on_resource(self, :table)
+
+  def to_s
+    'EBS Volumes'
+  end
+
+  def fetch_from_api
+    backend = BackendFactory.create(inspec_runner)
+    @table = []
+    pagination_opts = {}
+    loop do
+      api_result = backend.describe_volumes(pagination_opts)
+      @table += unpack_describe_volumes_response(api_result.volumes)
+      break unless api_result.next_token
+      pagination_opts = { next_token: api_result.next_token }
+    end
+  end
+
+  def unpack_describe_volumes_response(volumes)
+    volume_rows = []
+    volumes.each do |res|
+      volume_rows += res.attachments.map do |volume_struct|
+        {
+          volume_id: volume_struct.volume_id,
+        }
+      end
+    end
+    volume_rows
+  end
+
+  class Backend
+    class AwsClientApi < AwsBackendBase
+      BackendFactory.set_default_backend(self)
+      self.aws_client_class = Aws::EC2::Client
+
+      def describe_volumes(query)
+        aws_service_client.describe_volumes(query)
+      end
+    end
+  end
+end

data/lib/resources/port.rb

@@ -473,22 +473,26 @@ module Inspec::Resources
 
     def parse_netstat_line(line)
       # parse each line
-      # 1 - Proto, 2 - Recv-Q, 3 - Send-Q, 4 - Local Address, 5 - Foreign Address, 6 - State, 7 - Inode, 8 - PID/Program name
-      parsed = /^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)?\s+(\S+)\s+(\S+)\s+(\S+)/.match(line)
+      # 1 - Proto, 2 - Recv-Q, 3 - Send-Q, 4 - Local Address, 5 - Foreign Address, 6 - State, 7 - User, 8 - Inode, 9 - PID/Program name
+      # * UDP lines have an empty State column and the Busybox variant lacks
+      # the User and Inode columns.
+      reg =  /^(?<proto>\S+)\s+(\S+)\s+(\S+)\s+(?<local_addr>\S+)\s+(?<foreign_addr>\S+)\s+(\S+)?\s+((\S+)\s+(\S+)\s+)?(?<pid_prog>\S+)/
+      parsed = reg.match(line)
+
       return {} if parsed.nil? || line.match(/^proto/i)
 
       # parse ip4 and ip6 addresses
-      protocol = parsed[1].downcase
+      protocol = parsed[:proto].downcase
 
       # detect protocol if not provided
-      protocol += '6' if parsed[4].count(':') > 1 && %w{tcp udp}.include?(protocol)
+      protocol += '6' if parsed[:local_addr].count(':') > 1 && %w{tcp udp}.include?(protocol)
 
       # extract host and port information
-      host, port = parse_net_address(parsed[4], protocol)
+      host, port = parse_net_address(parsed[:local_addr], protocol)
       return {} if host.nil?
 
       # extract PID
-      process = parsed[9].split('/')
+      process = parsed[:pid_prog].split('/')
       pid = process[0]
       pid = pid.to_i if pid =~ /^\d+$/
       process = process[1]