inspec 2.2.55 → 2.2.61

data/lib/inspec/base_cli.rb

@@ -67,6 +67,8 @@ module Inspec
     def self.profile_options
       option :profiles_path, type: :string,
         desc: 'Folder which contains referenced profiles.'
+      option :vendor_cache, type: :string,
+        desc: 'Use the given path for caching dependencies. (default: ~/.inspec/cache)'
     end
 
     def self.exec_options
@@ -83,8 +85,6 @@ module Inspec
         desc: 'Use colors in output.'
       option :attrs, type: :array,
         desc: 'Load attributes file (experimental)'
-      option :vendor_cache, type: :string,
-        desc: 'Use the given path for caching dependencies. (default: ~/.inspec/cache)'
       option :create_lockfile, type: :boolean,
         desc: 'Write out a lockfile based on this execution (unless one already exists)'
       option :backend_cache, type: :boolean,

data/lib/inspec/cli.rb

@@ -34,9 +34,9 @@ class Inspec::InspecCLI < Inspec::BaseCLI
   def json(target)
     o = opts.dup
     diagnose(o)
-    o[:ignore_supports] = true
     o[:backend] = Inspec::Backend.create(target: 'mock://')
     o[:check_mode] = true
+    o[:vendor_cache] = Inspec::Cache.new(o[:vendor_cache])
 
     profile = Inspec::Profile.for_target(target, o)
     info = profile.info
@@ -67,9 +67,9 @@ class Inspec::InspecCLI < Inspec::BaseCLI
   def check(path) # rubocop:disable Metrics/AbcSize
     o = opts.dup
     diagnose(o)
-    o[:ignore_supports] = true # we check for integrity only
     o[:backend] = Inspec::Backend.create(target: 'mock://')
     o[:check_mode] = true
+    o[:vendor_cache] = Inspec::Cache.new(o[:vendor_cache])
 
     # run check
     profile = Inspec::Profile.for_target(path, o)
@@ -140,6 +140,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     o[:logger] = Logger.new(STDOUT)
     o[:logger].level = get_log_level(o.log_level)
     o[:backend] = Inspec::Backend.create(target: 'mock://')
+    o[:vendor_cache] = Inspec::Cache.new(o[:vendor_cache])
 
     profile = Inspec::Profile.for_target(path, o)
     result = profile.check

data/lib/inspec/resource.rb

@@ -128,6 +128,7 @@ require 'resources/directory'
 require 'resources/docker'
 require 'resources/docker_container'
 require 'resources/docker_image'
+require 'resources/docker_plugin'
 require 'resources/docker_service'
 require 'resources/elasticsearch'
 require 'resources/etc_fstab'
@@ -143,6 +144,7 @@ require 'resources/grub_conf'
 require 'resources/host'
 require 'resources/http'
 require 'resources/iis_app'
+require 'resources/iis_app_pool'
 require 'resources/iis_site'
 require 'resources/inetd_conf'
 require 'resources/interface'

data/lib/inspec/runner.rb

@@ -39,7 +39,6 @@ module Inspec
       @target_profiles = []
       @controls = @conf[:controls] || []
       @depends = @conf[:depends] || []
-      @ignore_supports = @conf[:ignore_supports]
       @create_lockfile = @conf[:create_lockfile]
       @cache = Inspec::Cache.new(@conf[:vendor_cache])
 
@@ -108,7 +107,8 @@ module Inspec
       return if @conf['reporter'].nil?
 
       @conf['reporter'].each do |reporter|
-        Inspec::Reporters.render(reporter, run_data)
+        result = Inspec::Reporters.render(reporter, run_data)
+        raise Inspec::ReporterError, "Error generating reporter '#{reporter[0]}'" if result == false
       end
     end
 
@@ -196,8 +196,6 @@ module Inspec
     end
 
     def supports_profile?(profile)
-      return true if @ignore_supports
-
       if !profile.supports_runtime?
         raise 'This profile requires InSpec version '\
              "#{profile.metadata.inspec_requirement}. You are running "\

data/lib/inspec/version.rb

@@ -4,5 +4,5 @@
 # author: Christoph Hartmann
 
 module Inspec
-  VERSION = '2.2.55'
+  VERSION = '2.2.61'
 end

data/lib/resource_support/aws.rb

@@ -21,6 +21,7 @@ require 'resources/aws/aws_config_recorder'
 require 'resources/aws/aws_ec2_instance'
 require 'resources/aws/aws_flow_log'
 require 'resources/aws/aws_ec2_instances'
+require 'resources/aws/aws_ecs_cluster'
 require 'resources/aws/aws_elb'
 require 'resources/aws/aws_elbs'
 require 'resources/aws/aws_iam_access_key'

data/lib/resources/aws/aws_ecs_cluster.rb

@@ -0,0 +1,84 @@
+class AwsEcsCluster < Inspec.resource(1)
+  name 'aws_ecs_cluster'
+  desc 'Verifies settings for an ECS cluster'
+
+  example <<-EOX
+    describe aws_ecs_cluster('default') do
+      it { should exist }
+    end
+EOX
+  supports platform: 'aws'
+
+  include AwsSingularResourceMixin
+  attr_reader :cluster_arn, :cluster_name, :status,
+              :registered_container_instances_count, :running_tasks_count,
+              :pending_tasks_count, :active_services_count, :statistics
+
+  def to_s
+    "AWS ECS cluster #{cluster_name}"
+  end
+
+  private
+
+  def validate_params(raw_params)
+    validated_params = check_resource_param_names(
+      raw_params: raw_params,
+      allowed_params: [:cluster_name],
+      allowed_scalar_name: :cluster_name,
+      allowed_scalar_type: String,
+    )
+
+    validated_params
+  end
+
+  def fetch_from_api
+    backend = BackendFactory.create(inspec_runner)
+    begin
+      # Use default cluster if no cluster name is specified
+      params = cluster_name.nil? ? {} : { clusters: [cluster_name] }
+      clusters = backend.describe_clusters(params).clusters
+
+      # Cluster name is unique, we either get back one cluster, or none
+      if clusters.length == 1
+        @exists = true
+        unpack_describe_clusters_response(clusters.first)
+      else
+        @exists = false
+        populate_as_missing
+      end
+    end
+  end
+
+  def unpack_describe_clusters_response(cluster_struct)
+    @cluster_arn = cluster_struct.cluster_arn
+    @cluster_name = cluster_struct.cluster_name
+    @status = cluster_struct.status
+    @registered_container_instances_count = cluster_struct.registered_container_instances_count
+    @running_tasks_count = cluster_struct.running_tasks_count
+    @pending_tasks_count = cluster_struct.pending_tasks_count
+    @active_services_count = cluster_struct.active_services_count
+    @statistics = cluster_struct.statistics
+  end
+
+  def populate_as_missing
+    @cluster_arn = ''
+    @cluster_name = ''
+    @status = ''
+    @registered_container_instances_count = 0
+    @running_tasks_count = 0
+    @pending_tasks_count = 0
+    @active_services_count = 0
+    @statistics = []
+  end
+
+  class Backend
+    class AwsClientApi < AwsBackendBase
+      BackendFactory.set_default_backend(self)
+      self.aws_client_class = Aws::ECS::Client
+
+      def describe_clusters(query = {})
+        aws_service_client.describe_clusters(query)
+      end
+    end
+  end
+end

data/lib/resources/aws/aws_route_table.rb

@@ -3,7 +3,7 @@ class AwsRouteTable < Inspec.resource(1)
   desc 'Verifies settings for an AWS Route Table'
   example "
     describe aws_route_table do
-      its('route_table_id') { should cmp 'rtb-2c60ec44' }
+      its('route_table_id') { should cmp 'rtb-05462d2278326a79c' }
     end
   "
   supports platform: 'aws'
@@ -27,10 +27,10 @@ class AwsRouteTable < Inspec.resource(1)
     )
 
     if validated_params.key?(:route_table_id) &&
-       validated_params[:route_table_id] !~ /^rtb\-[0-9a-f]{8}$/
+       validated_params[:route_table_id] !~ /^rtb\-([0-9a-f]{17})|(^rtb\-[0-9a-f]{8})$/
       raise ArgumentError,
             'aws_route_table Route Table ID must be in the' \
-            ' format "rtb-" followed by 8 hexadecimal characters.'
+            ' format "rtb-" followed by 8 or 17 hexadecimal characters.'
     end
 
     validated_params

data/lib/resources/docker.rb

@@ -52,6 +52,20 @@ module Inspec::Resources
     end
   end
 
+  class DockerPluginFilter
+    filter = FilterTable.create
+    filter.add(:ids,              field: 'id')
+          .add(:names,            field: 'name')
+          .add(:versions,         field: 'version')
+          .add(:enabled,          field: 'enabled')
+    filter.connect(self, :plugins)
+
+    attr_reader :plugins
+    def initialize(plugins)
+      @plugins = plugins
+    end
+  end
+
   class DockerServiceFilter
     filter = FilterTable.create
     filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
@@ -89,6 +103,10 @@ module Inspec::Resources
         its('repositories') { should_not include 'inssecure_image' }
       end
 
+      describe docker.plugins.where { name == 'rexray/ebs' } do
+        it { should exist }
+      end
+
       describe docker.services do
         its('images') { should_not include 'inssecure_image' }
       end
@@ -119,6 +137,10 @@ module Inspec::Resources
       DockerImageFilter.new(parse_images)
     end
 
+    def plugins
+      DockerPluginFilter.new(parse_plugins)
+    end
+
     def services
       DockerServiceFilter.new(parse_services)
     end
@@ -226,5 +248,17 @@ module Inspec::Resources
       warn 'Could not parse `docker images` output'
       []
     end
+
+    def parse_plugins
+      plugins = inspec.command('docker plugin ls --format \'{"id": {{json .ID}}, "name": "{{ with split .Name ":"}}{{index . 0}}{{end}}", "version": "{{ with split .Name ":"}}{{index . 1}}{{end}}", "enabled": {{json .Enabled}} }\'').stdout
+      c_plugins = []
+      plugins.each_line { |entry|
+        c_plugins.push(JSON.parse(entry))
+      }
+      c_plugins
+    rescue JSON::ParserError => _e
+      warn 'Could not parse `docker plugin ls` output'
+      []
+    end
   end
 end

data/lib/resources/docker_plugin.rb

@@ -0,0 +1,63 @@
+# encoding: utf-8
+
+module Inspec::Resources
+  class DockerPlugin < Inspec.resource(1)
+    name 'docker_plugin'
+    supports platform: 'unix'
+    desc 'Retrieves info about docker plugins'
+    example "
+      describe docker_plugin('rexray/ebs') do
+        it { should exist }
+        its('id') { should_not eq '0ac30b93ad40' }
+        its('version') { should eq '0.11.1' }
+        it { should be_enabled }
+      end
+
+      describe docker_plugin('alpine:latest') do
+        it { should exist }
+      end
+
+      describe docker_plugin(id: '4a415e366388') do
+        it { should exist }
+      end
+    "
+
+    def initialize(opts = {})
+      # do sanitizion of input values
+      o = opts.dup
+      o = { name: opts } if opts.is_a?(String)
+      @opts = o
+    end
+
+    def exist?
+      object_info.entries.size == 1
+    end
+
+    def enabled?
+      object_info.enabled[0]
+    end
+
+    def id
+      object_info.ids[0] if object_info.entries.size == 1
+    end
+
+    def version
+      object_info.versions[0] if object_info.entries.size == 1
+    end
+
+    def to_s
+      plugin = @opts[:name] || @opts[:id]
+      "Docker plugin #{plugin}"
+    end
+
+    private
+
+    def object_info
+      return @info if defined?(@info)
+      opts = @opts
+      @info = inspec.docker.plugins.where {
+        (name == opts[:name]) || (!id.nil? && !opts[:id].nil? && (id == opts[:id]))
+      }
+    end
+  end
+end

data/lib/resources/iis_app_pool.rb

@@ -0,0 +1,116 @@
+# encoding: utf-8
+# frozen_string_literal: true
+# check for web applications in IIS
+# Note: this is only supported in windows 2012 and later
+
+class IisAppPool < Inspec.resource(1)
+  name 'iis_app_pool'
+  desc 'Tests IIS application pool configuration on windows.'
+  example "
+    describe iis_app_pool('DefaultAppPool') do
+      it { should exist }
+      its('enable32bit') { should cmp 'True' }
+      its('runtime_version') { should eq 'v4.0' }
+      its('pipeline_mode') { should eq 'Integrated' }
+    end
+  "
+
+  def initialize(pool_name)
+    @pool_name = pool_name
+    @pool_path = "IIS:\\AppPools\\#{@pool_name}"
+    @cache = nil
+
+    # verify that this resource is only supported on Windows
+    return skip_resource 'The `iis_app_pool` resource is not supported on your OS.' unless inspec.os.windows?
+  end
+
+  def pool_name
+    iis_app_pool[:pool_name]
+  end
+
+  def runtime_version
+    iis_app_pool[:version]
+  end
+
+  def enable32bit
+    iis_app_pool[:e32b]
+  end
+
+  def pipeline_mode
+    iis_app_pool[:mode]
+  end
+
+  def max_processes
+    iis_app_pool[:processes]
+  end
+
+  def timeout
+    iis_app_pool[:timeout]
+  end
+
+  def timeout_days
+    iis_app_pool[:timeout_days]
+  end
+
+  def timeout_hours
+    iis_app_pool[:timeout_hours]
+  end
+
+  def timeout_minutes
+    iis_app_pool[:timeout_minutes]
+  end
+
+  def timeout_seconds
+    iis_app_pool[:timeout_seconds]
+  end
+
+  def user_identity_type
+    iis_app_pool[:user_identity_type]
+  end
+
+  def username
+    iis_app_pool[:username]
+  end
+
+  def exists?
+    !iis_app_pool[:pool_name].empty?
+  end
+
+  def to_s
+    "iis_app_pool '#{@pool_name}'"
+  end
+
+  private
+
+  # I cannot think of a way to shorten this method
+  # rubocop:disable Metrics/AbcSize
+  def iis_app_pool
+    return @cache unless @cache.nil?
+
+    command = "Import-Module WebAdministration; Get-Item '#{@pool_path}' | Select-Object * | ConvertTo-Json"
+    cmd = inspec.command(command)
+
+    begin
+      pool = JSON.parse(cmd.stdout)
+    rescue JSON::ParserError => _e
+      raise Inspec::Exceptions::ResourceFailed, 'Unable to parse app pool JSON'
+    end
+
+    # map our values to a hash table
+    @cache = {
+      pool_name: pool['name'],
+      version: pool['managedRuntimeVersion'],
+      e32b: pool['enable32BitAppOnWin64'],
+      mode: pool['managedPipelineMode'],
+      processes: pool['processModel']['maxProcesses'],
+      timeout: "#{pool['processModel']['idleTimeout']['Hours']}:#{pool['processModel']['idleTimeout']['Minutes']}:#{pool['processModel']['idleTimeout']['Seconds']}",
+      timeout_days: pool['processModel']['idleTimeout']['Days'],
+      timeout_hours: pool['processModel']['idleTimeout']['Hours'],
+      timeout_minutes: pool['processModel']['idleTimeout']['Minutes'],
+      timeout_seconds: pool['processModel']['idleTimeout']['Seconds'],
+      user_identity_type: pool['processModel']['identityType'],
+      username: pool['processModel']['userName'],
+    }
+  end
+  # rubocop:enable Metrics/AbcSize
+end