inspec 2.2.20 → 2.2.27

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e42bda28814bf570413a78722e5d9b8533e3e993ba01aacea19822b4bd2a8fb5
-  data.tar.gz: d4c231e279a19a1875aaa21d1eb82cc507c942f4bd82051146f52b61fd9331ff
+  metadata.gz: 8d1fd91c23f600805625f0091a060ed582d7037cf057f5d302f9d8251807ae64
+  data.tar.gz: 168ceacd5af2cc37cfd5728c11f22045efe2146ebd4ef7e0838e799b7591ad31
 SHA512:
-  metadata.gz: bbe7929ee06d7a836d46e2d661048631b5bb32e2214ce13c67a6a3cfa2efb51db9469e3832d90de76d87193bcf70c29a9379c3ef8a4b95d0c8ad241ef3396e4f
-  data.tar.gz: 432df70f939256dbd22e5f8e8a8399030650c0bd9ee042eb4d89370ea151e17cafff810b012afba07ddb67b35c7bad4999067a496afcfc944593c1520c0095f5
+  metadata.gz: '018755cf06f189d55edf114bcddc147e1ebfb4cf14c46b0363d20408cf90a4e6682df07c706aff1290f6848b50072fd7204ae493463ae97d8f89db84c745c86b'
+  data.tar.gz: ff105b814bbeb16760bed805bb6ea6a31af22e686bbc005ba25176e2d953a10052496bd5d0cb174258ec50f02a0b18f62540db6ed344733fde116a96c0690a65

data/CHANGELOG.md

@@ -1,25 +1,43 @@
 # Change Log
 <!-- usage documentation: http://expeditor-docs.es.chef.io/configuration/changelog/ -->
-<!-- latest_release 2.2.20 -->
-## [v2.2.20](https://github.com/inspec/inspec/tree/v2.2.20) (2018-06-21)
+<!-- latest_release 2.2.27 -->
+## [v2.2.27](https://github.com/inspec/inspec/tree/v2.2.27) (2018-06-29)
 
-#### Merged Pull Requests
-- Accept symbols and downcased criteria in aws_iam_policy have_statement matcher [#3129](https://github.com/inspec/inspec/pull/3129) ([clintoncwolfe](https://github.com/clintoncwolfe))
+#### New Features
+- Document exit codes for &#39;inspec exec&#39; and add --no-distinct-exit option [#3178](https://github.com/inspec/inspec/pull/3178) ([clintoncwolfe](https://github.com/clintoncwolfe))
 <!-- latest_release -->
 
-<!-- release_rollup since=2.2.16 -->
-### Changes since 2.2.16 release
+<!-- release_rollup since=2.2.20 -->
+### Changes since 2.2.20 release
 
-#### Merged Pull Requests
-- Accept symbols and downcased criteria in aws_iam_policy have_statement matcher [#3129](https://github.com/inspec/inspec/pull/3129) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 2.2.20 -->
+#### New Features
+- Document exit codes for &#39;inspec exec&#39; and add --no-distinct-exit option [#3178](https://github.com/inspec/inspec/pull/3178) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 2.2.27 -->
+- Set parent_profile field on child profiles (json report) [#3164](https://github.com/inspec/inspec/pull/3164) ([jquick](https://github.com/jquick)) <!-- 2.2.25 -->
 
 #### Enhancements
-- Fix control merging when overriding child controls [#3155](https://github.com/inspec/inspec/pull/3155) ([jquick](https://github.com/jquick)) <!-- 2.2.19 -->
-- auditd resource: Add handling for sudo/no command [#3151](https://github.com/inspec/inspec/pull/3151) ([jerryaldrichiii](https://github.com/jerryaldrichiii)) <!-- 2.2.18 -->
-- updated skip message to reflect accurate version of audit support [#3153](https://github.com/inspec/inspec/pull/3153) ([jeremymv2](https://github.com/jeremymv2)) <!-- 2.2.17 -->
+- Update core resources with filtertable API changes [#3117](https://github.com/inspec/inspec/pull/3117) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 2.2.26 -->
+- apache_conf resource: Strip quotes from values [#3142](https://github.com/inspec/inspec/pull/3142) ([jerryaldrichiii](https://github.com/jerryaldrichiii)) <!-- 2.2.24 -->
+
+#### Merged Pull Requests
+- Add functional tests for nested attributes [#3157](https://github.com/inspec/inspec/pull/3157) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 2.2.23 -->
+
+#### Bug Fixes
+- Detect inspec-core mode and do not attempt to load cloud resources [#3163](https://github.com/inspec/inspec/pull/3163) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 2.2.22 -->
+- Add support for shallow link paths [#3168](https://github.com/inspec/inspec/pull/3168) ([ColinHebert](https://github.com/ColinHebert)) <!-- 2.2.21 -->
 <!-- release_rollup -->
 
 <!-- latest_stable_release -->
+## [v2.2.20](https://github.com/inspec/inspec/tree/v2.2.20) (2018-06-21)
+
+#### Enhancements
+- updated skip message to reflect accurate version of audit support [#3153](https://github.com/inspec/inspec/pull/3153) ([jeremymv2](https://github.com/jeremymv2))
+- auditd resource: Add handling for sudo/no command [#3151](https://github.com/inspec/inspec/pull/3151) ([jerryaldrichiii](https://github.com/jerryaldrichiii))
+- Fix control merging when overriding child controls [#3155](https://github.com/inspec/inspec/pull/3155) ([jquick](https://github.com/jquick))
+
+#### Merged Pull Requests
+- Accept symbols and downcased criteria in aws_iam_policy have_statement matcher [#3129](https://github.com/inspec/inspec/pull/3129) ([clintoncwolfe](https://github.com/clintoncwolfe))
+<!-- latest_stable_release -->
+
 ## [v2.2.16](https://github.com/inspec/inspec/tree/v2.2.16) (2018-06-15)
 
 #### Enhancements
@@ -31,7 +49,6 @@
 - Add insecure option to the automate report json [#3124](https://github.com/inspec/inspec/pull/3124) ([jquick](https://github.com/jquick))
 - Bump train version for inspec [#3147](https://github.com/inspec/inspec/pull/3147) ([jquick](https://github.com/jquick))
 - deprecate azure_generic_resource [#3132](https://github.com/inspec/inspec/pull/3132) ([chris-rock](https://github.com/chris-rock))
-<!-- latest_stable_release -->
 
 ## [v2.2.10](https://github.com/inspec/inspec/tree/v2.2.10) (2018-06-08)
 

data/docs/resources/file.md.erb

@@ -33,7 +33,7 @@ content, size, basename, path, owner, group, type
 
 ### Unix/Linux Properties
 
-symlink, mode, link_path, mtime, size, selinux\_label, md5sum, sha256sum, path, source, source\_path, uid, gid
+symlink, mode, link_path, shallow_link_path, mtime, size, selinux\_label, md5sum, sha256sum, path, source, source\_path, uid, gid
 
 ### Windows Properties
 
@@ -74,10 +74,17 @@ The following examples show how to use this InSpec audit resource.
 ### link_path
 
 The `link_path` property tests if the file exists at the specified path. If the file is a symlink,
-InSpec will resolve the symlink and return the ultimate linked file.
+InSpec will resolve the symlink recursively and return the ultimate linked file.
 
     its('link_path') { should eq '/some/path/to/file' }
 
+### shallow_link_path
+
+The `shallow_link_path`` property returns the path that the file refers to, only resolving
+it once (that is, it performs a readlink operation). If the file is not a symlink, nil is returned.
+
+    its('shallow_link_path') { should eq '/some/path/to/file' }
+
 ### md5sum
 
 The `md5sum` property tests if the MD5 checksum for a file matches the specified value.
@@ -316,7 +323,7 @@ The following example shows how to use the `file` audit resource to verify if th
 
 ### Test parameters of symlinked file
 
-If you need to test the parameters of the target file for a symlink, you can use the `link_path` method for the `file` resource.
+If you need to test the parameters of the target file for a symlink, you can use the `link_path` (recursive resolution) or `shallow_link_path` (direct link) method for the `file` resource.
 
 For example, for the following symlink:
 

data/lib/inspec/base_cli.rb

@@ -83,6 +83,8 @@ module Inspec
         desc: 'Allow caching for backend command output. (default: true)'
       option :show_progress, type: :boolean,
         desc: 'Show progress while executing tests.'
+      option :distinct_exit, type: :boolean, default: true,
+        desc: 'Exit with code 101 if any tests fail, and 100 if any are skipped (default).  If disabled, exit 0 on skips and 1 for failures.'
     end
 
     def self.default_options

data/lib/inspec/cli.rb

@@ -156,6 +156,9 @@ class Inspec::InspecCLI < Inspec::BaseCLI
   end
 
   desc 'exec PATHS', 'run all test files at the specified PATH.'
+  long_desc <<~EOT
+    Loads the given profile(s) and fetches their dependencies if needed.  Then connects to the target and executes any controls contained in the profiles.  One or more reporters are used to generate output.  If all tests passed (no fails, no skips) exit code 0 is returned.  If some tests skipped but none failed, exit code 101 is returned. If at least one test failed, exit code 100 is returned.  If inspec failed for any other reason, exit code 1 is returned.
+  EOT
   exec_options
   def exec(*targets)
     o = opts(:exec).dup
@@ -204,6 +207,8 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     desc: 'Enable one or more output reporters: cli, documentation, html, progress, json, json-min, json-rspec, junit'
   option :depends, type: :array, default: [],
     desc: 'A space-delimited list of local folders containing profiles whose libraries and resources will be loaded into the new shell'
+  option :distinct_exit, type: :boolean, default: true,
+    desc: 'Exit with code 101 if any tests fail, and 100 if any are skipped (default).  If disabled, exit 0 on skips and 1 for failures.'
   def shell_func
     o = opts(:shell).dup
     diagnose(o)

data/lib/inspec/dependencies/dependency_set.rb

@@ -14,13 +14,13 @@ module Inspec
     # @param cwd [String] Current working directory for relative path includes
     # @param vendor_path [String] Path to the vendor directory
     #
-    def self.from_lockfile(lockfile, cwd, cache, backend, opts = {})
+    def self.from_lockfile(lockfile, config, opts = {})
       dep_tree = lockfile.deps.map do |dep|
-        Inspec::Requirement.from_lock_entry(dep, cwd, cache, backend, opts)
+        Inspec::Requirement.from_lock_entry(dep, config, opts)
       end
 
       dep_list = flatten_dep_tree(dep_tree)
-      new(cwd, cache, dep_list, backend)
+      new(config[:cwd], config[:cache], dep_list, config[:backend])
     end
 
     def self.from_array(dependencies, cwd, cache, backend)

data/lib/inspec/dependencies/requirement.rb

@@ -17,37 +17,42 @@ module Inspec
       if dep[:path]
         req_path = File.expand_path(dep[:path], req_path)
       end
+      config = {
+        cache: cache,
+        cwd: req_path,
+      }
 
       new(dep[:name],
           dep[:version],
-          cache,
-          req_path,
+          config,
           opts.merge(dep))
     end
 
-    def self.from_lock_entry(entry, cwd, cache, backend, opts = {})
+    def self.from_lock_entry(entry, config, opts = {})
       req = new(entry[:name],
                 entry[:version_constraints],
-                cache,
-                cwd,
-                entry[:resolved_source].merge(backend: backend).merge(opts))
+                config,
+                entry[:resolved_source].merge(backend: config[:backend]).merge(opts))
 
       locked_deps = []
       Array(entry[:dependencies]).each do |dep_entry|
-        locked_deps << Inspec::Requirement.from_lock_entry(dep_entry, cwd, cache, backend, opts)
+        dep_config = config.dup
+        dep_config[:parent_profile] = entry[:name]
+        locked_deps << Inspec::Requirement.from_lock_entry(dep_entry, dep_config, opts)
       end
       req.lock_deps(locked_deps)
       req
     end
 
     attr_reader :cwd, :opts, :version_constraints
-    def initialize(name, version_constraints, cache, cwd, opts)
+    def initialize(name, version_constraints, config, opts)
       @name = name
       @version_constraints = Array(version_constraints)
-      @cache = cache
+      @cache = config[:cache]
       @backend = opts[:backend]
       @opts = opts
-      @cwd = cwd
+      @cwd = config[:cwd]
+      @parent_profile = config[:parent_profile]
     end
 
     #
@@ -114,10 +119,12 @@ module Inspec
       return @profile unless @profile.nil?
       opts = @opts.dup
       opts[:backend] = @backend
-      if !@dependencies.nil?
+      if !@dependencies.nil? && !@dependencies.empty?
         opts[:dependencies] = Inspec::DependencySet.from_array(@dependencies, @cwd, @cache, @backend)
       end
       @profile = Inspec::Profile.for_fetcher(fetcher, opts)
+      @profile.parent_profile = @parent_profile
+      @profile
     end
   end
 end

data/lib/inspec/profile.rb

@@ -79,6 +79,7 @@ module Inspec
     end
 
     attr_reader :source_reader, :backend, :runner_context, :check_mode
+    attr_accessor :parent_profile
     def_delegator :@source_reader, :tests
     def_delegator :@source_reader, :libraries
     def_delegator :@source_reader, :metadata
@@ -230,6 +231,7 @@ module Inspec
       # add information about the required attributes
       res[:attributes] = res[:attributes].map(&:to_hash) unless res[:attributes].nil? || res[:attributes].empty?
       res[:sha256] = sha256
+      res[:parent_profile] = parent_profile unless parent_profile.nil?
       res
     end
 
@@ -414,7 +416,13 @@ module Inspec
     end
 
     def load_dependencies
-      Inspec::DependencySet.from_lockfile(lockfile, cwd, @cache, @backend, { attributes: @attr_values })
+      config = {
+        cwd: cwd,
+        cache: @cache,
+        backend: @backend,
+        parent_profile: name,
+      }
+      Inspec::DependencySet.from_lockfile(lockfile, config, { attributes: @attr_values })
     end
 
     # Calculate this profile's SHA256 checksum. Includes metadata, dependencies,

data/lib/inspec/reporters/json.rb

@@ -105,6 +105,7 @@ module Inspec::Reporters
           copyright_email: p[:copyright_email],
           supports: p[:supports],
           attributes: p[:attributes],
+          parent_profile: p[:parent_profile],
           depends: p[:depends],
           groups: profile_groups(p),
           controls: profile_controls(p),

data/lib/inspec/resource.rb

@@ -85,15 +85,27 @@ end
 # Many resources use FilterTable.
 require 'utils/filter'
 
-# AWS resources are included via their own file.
-require 'resource_support/aws' if Gem.loaded_specs.key?('aws-sdk')
-
-if Gem.loaded_specs.key?('azure_mgmt_resources')
-  require 'resources/azure/azure_backend.rb'
-  require 'resources/azure/azure_generic_resource.rb'
-  require 'resources/azure/azure_resource_group.rb'
-  require 'resources/azure/azure_virtual_machine.rb'
-  require 'resources/azure/azure_virtual_machine_data_disk.rb'
+# Detect if we are running the stripped-down inspec-core
+# This relies on AWS being stripped from the inspec-core gem
+inspec_core_only = !File.exist?(File.join(File.dirname(__FILE__), '..', 'resource_support', 'aws.rb'))
+
+# Do not attempt to load cloud resources if we are in inspec-core mode
+unless inspec_core_only
+  # AWS resources are included via their own file,
+  # but only consider loading them if we have the SDK available, and is v2.
+  # https://github.com/inspec/inspec/issues/2571
+  if Gem.loaded_specs.key?('aws-sdk') && Gem.loaded_specs['aws-sdk'].version < Gem::Version.new('3.0.0')
+    require 'resource_support/aws'
+  end
+
+  # Azure resources
+  if Gem.loaded_specs.key?('azure_mgmt_resources')
+    require 'resources/azure/azure_backend.rb'
+    require 'resources/azure/azure_generic_resource.rb'
+    require 'resources/azure/azure_resource_group.rb'
+    require 'resources/azure/azure_virtual_machine.rb'
+    require 'resources/azure/azure_virtual_machine_data_disk.rb'
+  end
 end
 
 require 'resources/aide_conf'

data/lib/inspec/runner_rspec.rb

@@ -87,9 +87,9 @@ module Inspec
       if stats[:failed][:total] == 0 && stats[:skipped][:total] == 0
         0
       elsif stats[:failed][:total] > 0
-        100
+        @conf['distinct_exit'] ? 100 : 1
       elsif stats[:skipped][:total] > 0
-        101
+        @conf['distinct_exit'] ? 101 : 0
       else
         @rspec_exit_code
       end

data/lib/inspec/version.rb

@@ -4,5 +4,5 @@
 # author: Christoph Hartmann
 
 module Inspec
-  VERSION = '2.2.20'
+  VERSION = '2.2.27'
 end

data/lib/resources/aide_conf.rb

@@ -44,12 +44,10 @@ module Inspec::Resources
     end
 
     filter = FilterTable.create
-    filter.add_accessor(:where)
-          .add_accessor(:entries)
-          .add(:selection_lines, field: 'selection_line')
-          .add(:rules,           field: 'rules')
+    filter.register_column(:selection_lines, field: 'selection_line')
+          .register_column(:rules,           field: 'rules')
 
-    filter.connect(self, :params)
+    filter.install_filter_methods_on_resource(self, :params)
 
     private
 

data/lib/resources/apache_conf.rb

@@ -85,6 +85,14 @@ module Inspec::Resources
           assignment_regex: /^\s*(\S+)\s+((?=.*\s+$).*?|.*)\s*$/,
           multiple_values: true,
         ).params
+
+        # Capture any characters between quotes that are not escaped in values
+        params.values.map! do |value|
+          value.map! do |sub_value|
+            sub_value[/(?<=["|'])(?:\\.|[^"'\\])*(?=["|'])/] || sub_value
+          end
+        end
+
         @params.merge!(params)
 
         to_read = to_read.drop(1)

data/lib/resources/auditd.rb

@@ -55,21 +55,19 @@ module Inspec::Resources
     end
 
     filter = FilterTable.create
-    filter.add_accessor(:where)
-          .add_accessor(:entries)
-          .add(:file,         field: 'file')
-          .add(:list,         field: 'list')
-          .add(:action,       field: 'action')
-          .add(:fields,       field: 'fields')
-          .add(:fields_nokey, field: 'fields_nokey')
-          .add(:syscall,      field: 'syscall')
-          .add(:key,          field: 'key')
-          .add(:arch,         field: 'arch')
-          .add(:path,         field: 'path')
-          .add(:permissions,  field: 'permissions')
-          .add(:exit,         field: 'exit')
-
-    filter.connect(self, :params)
+    filter.register_column(:file,         field: 'file')
+          .register_column(:list,         field: 'list')
+          .register_column(:action,       field: 'action')
+          .register_column(:fields,       field: 'fields')
+          .register_column(:fields_nokey, field: 'fields_nokey')
+          .register_column(:syscall,      field: 'syscall')
+          .register_column(:key,          field: 'key')
+          .register_column(:arch,         field: 'arch')
+          .register_column(:path,         field: 'path')
+          .register_column(:permissions,  field: 'permissions')
+          .register_column(:exit,         field: 'exit')
+
+    filter.install_filter_methods_on_resource(self, :params)
 
     def status(name = nil)
       @status_content ||= inspec.command('/sbin/auditctl -s').stdout.chomp

data/lib/resources/aws/aws_cloudtrail_trails.rb

@@ -19,11 +19,10 @@ class AwsCloudTrailTrails < Inspec.resource(1)
 
   # Underlying FilterTable implementation.
   filter = FilterTable.create
-  filter.add_accessor(:entries)
-        .add(:exists?) { |x| !x.entries.empty? }
-        .add(:names, field: :name)
-        .add(:trail_arns, field: :trail_arn)
-  filter.connect(self, :table)
+  filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
+  filter.register_column(:trail_arns, field: :trail_arn)
+  filter.register_column(:names, field: :name)
+  filter.install_filter_methods_on_resource(self, :table)
 
   def to_s
     'CloudTrail Trails'

data/lib/resources/aws/aws_ec2_instances.rb

@@ -18,10 +18,9 @@ class AwsEc2Instances < Inspec.resource(1)
 
   # Underlying FilterTable implementation.
   filter = FilterTable.create
-  filter.add_accessor(:entries)
-        .add(:exists?) { |x| !x.entries.empty? }
-        .add(:instance_ids, field: :instance_id)
-  filter.connect(self, :table)
+  filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
+  filter.register_column(:instance_ids, field: :instance_id)
+  filter.install_filter_methods_on_resource(self, :table)
 
   def to_s
     'EC2 Instances'

data/lib/resources/aws/aws_iam_access_keys.rb

@@ -38,24 +38,22 @@ class AwsIamAccessKeys < Inspec.resource(1)
 
   # Underlying FilterTable implementation.
   filter = FilterTable.create
-  filter.add_accessor(:where)
-        .add_accessor(:entries)
-        .add(:exists?) { |x| !x.entries.empty? }
-        .add(:access_key_ids, field: :access_key_id)
-        .add(:created_date, field: :create_date)
-        .add(:created_days_ago, field: :created_days_ago)
-        .add(:created_with_user, field: :created_with_user)
-        .add(:created_hours_ago, field: :created_hours_ago)
-        .add(:usernames, field: :username)
-        .add(:active, field: :active)
-        .add(:inactive, field: :inactive)
-        .add(:last_used_date, field: :last_used_date)
-        .add(:last_used_hours_ago, field: :last_used_hours_ago)
-        .add(:last_used_days_ago,  field: :last_used_days_ago)
-        .add(:ever_used,           field: :ever_used)
-        .add(:never_used,          field: :never_used)
-        .add(:user_created_date,   field: :user_created_date)
-  filter.connect(self, :table)
+  filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
+  filter.register_column(:access_key_ids, field: :access_key_id)
+        .register_column(:created_date, field: :create_date)
+        .register_column(:created_days_ago, field: :created_days_ago)
+        .register_column(:created_with_user, field: :created_with_user)
+        .register_column(:created_hours_ago, field: :created_hours_ago)
+        .register_column(:usernames, field: :username)
+        .register_column(:active, field: :active)
+        .register_column(:inactive, field: :inactive)
+        .register_column(:last_used_date, field: :last_used_date)
+        .register_column(:last_used_hours_ago, field: :last_used_hours_ago)
+        .register_column(:last_used_days_ago,  field: :last_used_days_ago)
+        .register_column(:ever_used,           field: :ever_used)
+        .register_column(:never_used,          field: :never_used)
+        .register_column(:user_created_date,   field: :user_created_date)
+  filter.install_filter_methods_on_resource(self, :table)
 
   def to_s
     'IAM Access Keys'