inspec 2.2.70 → 2.2.78

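--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6dc6fb470460ab2b0b96771d62cb0daf7c236d69ddb6dd79f213656a55d54e5f
-  data.tar.gz: 239448502597b1907e8d35761ca18317ed75462cf0063105a6a770e4949b861d
+  metadata.gz: 842e90c7b84b1e95a0ca1989f26048ab81a67a5e4f602461c7f6eb6a9ac8a0df
+  data.tar.gz: 0c9220d4fdd48bece5981ff0a7599e070742208de5520f449d79068031c9b839
 SHA512:
-  metadata.gz: d173ad69e9b20522dff8a485c50d3e11c429115eea183ce558871f4a826d5c2bbde620798dceb6840ddf017e18eb7f59e5fc1f53ddc020c6c84f3c145abb3e8b
-  data.tar.gz: cfc9224a29d43af3dbbc4e5da21c9a64af68cf27a7e1d2cef471506662046080f627055f8217cd34dc368f3ebeca6c49b0a0da569c30e428b40d0c7f32207502
+  metadata.gz: d52ea98ca54e58a0191968e445c7e5f32c7cac9fd58be5f7e00acba5fed6ec5bb4f9cb9bcdc8bc1fe988b925f8c9c64a80283a4309b20135d1d2d395362c8ff0
+  data.tar.gz: ad42da9cb733b08b50f5082742fda88147ca7f6c8a3739fac19ad74d4fe5acc88f5ce92ff4e7be28e013637dbae009fccb32811ef9baed9727a66cb4b8d5236f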
@@ -1,35 +1,51 @@
1
1
  # Change Log
2
2
  <!-- usage documentation: http://expeditor-docs.es.chef.io/configuration/changelog/ -->
3
- <!-- latest_release 2.2.70 -->
4
- ## [v2.2.70](https://github.com/inspec/inspec/tree/v2.2.70) (2018-08-23)
3
+ <!-- latest_release 2.2.78 -->
4
+ ## [v2.2.78](https://github.com/inspec/inspec/tree/v2.2.78) (2018-08-30)
5
5
 
6
6
  #### Merged Pull Requests
7
- - Rebuild InSpec omni bundles [#3327](https://github.com/inspec/inspec/pull/3327) ([jquick](https://github.com/jquick))
7
+ - Update demo site nom packages [#3343](https://github.com/inspec/inspec/pull/3343) ([miah](https://github.com/miah))
8
8
  <!-- latest_release -->
9
9
 
10
- <!-- release_rollup since=2.2.64 -->
11
- ### Changes since 2.2.64 release
10
+ <!-- release_rollup since=2.2.70 -->
11
+ ### Changes since 2.2.70 release
12
12
 
13
- #### Enhancements
14
- - Infer `--sudo` when `--sudo-password` is used [#3313](https://github.com/inspec/inspec/pull/3313) ([jerryaldrichiii](https://github.com/jerryaldrichiii)) <!-- 2.2.68 -->
13
+ #### New Features
14
+ - Add HTTP basic auth for URL based inspec deps [#3341](https://github.com/inspec/inspec/pull/3341) ([frezbo](https://github.com/frezbo)) <!-- 2.2.77 -->
15
+ - Support erb rendering [#3338](https://github.com/inspec/inspec/pull/3338) ([frezbo](https://github.com/frezbo)) <!-- 2.2.76 -->
15
16
 
16
17
  #### Bug Fixes
17
- - Fix skip hash being passed instead of boolean value [#3323](https://github.com/inspec/inspec/pull/3323) ([frezbo](https://github.com/frezbo)) <!-- 2.2.67 -->
18
+ - fix skip message not being passed for merge [#3329](https://github.com/inspec/inspec/pull/3329) ([frezbo](https://github.com/frezbo)) <!-- 2.2.73 -->
18
19
 
19
20
  #### Merged Pull Requests
20
- - Rebuild InSpec omni bundles [#3327](https://github.com/inspec/inspec/pull/3327) ([jquick](https://github.com/jquick)) <!-- 2.2.70 -->
21
- - Suppress logs for json-automate reporter [#3324](https://github.com/inspec/inspec/pull/3324) ([jquick](https://github.com/jquick)) <!-- 2.2.66 -->
22
- - Add cloudlinux under redhat family [#2935](https://github.com/inspec/inspec/pull/2935) ([tarcinil](https://github.com/tarcinil)) <!-- 2.2.65 -->
21
+ - Update demo site nom packages [#3343](https://github.com/inspec/inspec/pull/3343) ([miah](https://github.com/miah)) <!-- 2.2.78 -->
22
+ - Fix the brew command to install inspec [#3335](https://github.com/inspec/inspec/pull/3335) ([tas50](https://github.com/tas50)) <!-- 2.2.75 -->
23
+ - Convert legacy supports to their platform counterparts [#3333](https://github.com/inspec/inspec/pull/3333) ([jquick](https://github.com/jquick)) <!-- 2.2.74 -->
24
+ - bump inspec/train version [#3331](https://github.com/inspec/inspec/pull/3331) ([tomqwu](https://github.com/tomqwu)) <!-- 2.2.72 -->
25
+ - Cached profiles with Compliance Fetcher [#3221](https://github.com/inspec/inspec/pull/3221) ([itmustbejj](https://github.com/itmustbejj)) <!-- 2.2.71 -->
23
26
  <!-- release_rollup -->
24
27
 
25
28
  <!-- latest_stable_release -->
29
+ ## [v2.2.70](https://github.com/inspec/inspec/tree/v2.2.70) (2018-08-24)
30
+
31
+ #### Enhancements
32
+ - Infer `--sudo` when `--sudo-password` is used [#3313](https://github.com/inspec/inspec/pull/3313) ([jerryaldrichiii](https://github.com/jerryaldrichiii))
33
+
34
+ #### Bug Fixes
35
+ - Fix skip hash being passed instead of boolean value [#3323](https://github.com/inspec/inspec/pull/3323) ([frezbo](https://github.com/frezbo))
36
+
37
+ #### Merged Pull Requests
38
+ - Add cloudlinux under redhat family [#2935](https://github.com/inspec/inspec/pull/2935) ([tarcinil](https://github.com/tarcinil))
39
+ - Suppress logs for json-automate reporter [#3324](https://github.com/inspec/inspec/pull/3324) ([jquick](https://github.com/jquick))
40
+ - Rebuild InSpec omni bundles [#3327](https://github.com/inspec/inspec/pull/3327) ([jquick](https://github.com/jquick))
41
+ <!-- latest_stable_release -->
42
+
26
43
  ## [v2.2.64](https://github.com/inspec/inspec/tree/v2.2.64) (2018-08-17)
27
44
 
28
45
  #### Merged Pull Requests
29
46
  - Update `only_if` to allow user specified messages. [#3267](https://github.com/inspec/inspec/pull/3267) ([miah](https://github.com/miah))
30
47
  - Allow the jsonAutomate report to be executed from cli [#3285](https://github.com/inspec/inspec/pull/3285) ([jquick](https://github.com/jquick))
31
48
  - Dummy PR to bump expeditor version. [#3298](https://github.com/inspec/inspec/pull/3298) ([jquick](https://github.com/jquick))
32
- <!-- latest_stable_release -->
33
49
 
34
50
  ## [v2.2.61](https://github.com/inspec/inspec/tree/v2.2.61) (2018-08-09)
35
51
 
@@ -71,6 +71,24 @@ depends:
71
71
  inspec_version: "~> 2.1"
72
72
  ```
73
73
 
74
+ The `inspec.yml` also supports embedded ERB in the file. For example:
75
+
76
+ ```YAML
77
+ name: dummy
78
+ title: InSpec Profile
79
+ maintainer: The Authors
80
+ copyright: The Authors
81
+ copyright_email: you@example.com
82
+ license: Apache-2.0
83
+ summary: An InSpec Compliance Profile
84
+ version: 0.1.0
85
+ depends:
86
+ - name: inherit
87
+ url: "https://artifactory.com/artifactory/example-repo-local/inspec/0.4.1.tar.gz"
88
+ username: <%= ENV['USERNAME'] %>
89
+ password: <%= ENV['API_KEY'] %>
90
+ ```
91
+
74
92
  ## Verify Profiles
75
93
 
76
94
  Use the `inspec check` command to verify the implementation of a profile:
@@ -181,6 +199,16 @@ depends:
181
199
  url: https://github.com/myusername/myprofile-repo/archive/master.tar.gz
182
200
  ```
183
201
 
202
+ `url` also supports basic authentication.
203
+
204
+ ```YAML
205
+ depends:
206
+ - name: my-profile
207
+ url: https://my.domain/path/to/profile.tgz
208
+ username: user
209
+ password: password
210
+ ```
211
+
184
212
  ### git
185
213
 
186
214
  A `git` setting specifies a profile that is located in a git repository, with optional settings for branch, tag, commit, and version. The source location is translated into a URL upon resolution. This type of dependency supports version constraints via semantic versioning as git tags.
@@ -180,4 +180,4 @@ This InSpec audit resource has the following special matchers. For a full list o
180
180
 
181
181
  Please see the integration tests for in depth examples of how this resource can be used.
182
182
 
183
- [Inspec Integration Tests for Azure Generic Resources](https://github.com/chef/inspec/tree/master/test/azure/verify/controls)
183
+ [Inspec Integration Tests for Azure Generic Resources](https://github.com/chef/inspec/tree/master/test/integration/azure/verify/controls)
@@ -26,7 +26,7 @@ Gem::Specification.new do |spec|
26
26
 
27
27
  spec.required_ruby_version = '>= 2.3'
28
28
 
29
- spec.add_dependency 'train', '~> 1.4', '>= 1.4.15'
29
+ spec.add_dependency 'train', '~> 1.4', '>= 1.4.35'
30
30
  spec.add_dependency 'thor', '~> 0.20'
31
31
  spec.add_dependency 'json', '>= 1.8', '< 3.0'
32
32
  spec.add_dependency 'method_source', '~> 0.8'
@@ -19,7 +19,7 @@ module Compliance
19
19
  # return all compliance profiles available for the user
20
20
  # the user is either specified in the options hash or by default
21
21
  # the username of the account is used that is logged in
22
- def self.profiles(config) # rubocop:disable PerceivedComplexity, Metrics/CyclomaticComplexity, Metrics/AbcSize, Metrics/MethodLength
22
+ def self.profiles(config, profile_filter = nil) # rubocop:disable PerceivedComplexity, Metrics/CyclomaticComplexity, Metrics/AbcSize, Metrics/MethodLength
23
23
  owner = config['owner'] || config['user']
24
24
 
25
25
  # Chef Compliance
@@ -36,9 +36,14 @@ module Compliance
36
36
  end
37
37
 
38
38
  headers = get_headers(config)
39
+ if profile_filter
40
+ _owner, id, ver = profile_split(profile_filter)
41
+ else
42
+ id, ver = nil
43
+ end
39
44
 
40
45
  if is_automate2_server?(config)
41
- body = { owner: owner }.to_json
46
+ body = { owner: owner, name: id }.to_json
42
47
  response = Compliance::HTTP.post_with_headers(url, headers, body, config['insecure'])
43
48
  else
44
49
  response = Compliance::HTTP.get(url, headers, config['insecure'])
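Review bot: The owner component of profile_filter is discarded at `_owner, id, ver = profile_split(profile_filter)`, and the `select!` added in the next hunk compares only `name` and `version`, so with the rewritten `exist?` (third hunk of this file) a reference such as `other-owner/ssh` is resolved against `config['owner'] || config['user']` instead of the owner named in the profile, whereas the removed code set `user_config['owner'] = owner` and compared `p['owner_id'] || p['owner']`. Because the request URL is built from `owner` above this hunk, a dependency that lives under a different owner can now be reported as present or absent for the wrong namespace; this is a resolution-correctness issue for profile pinning, not just cosmetic. Keep the owner in the filter: compute `owner_filter, id, ver = profile_split(profile_filter)` before the URL is built, fold it into `owner`, and extend the predicate with `(!owner_filter || (p['owner_id'] || p['owner']) == owner_filter)`. For automate2 the body now sends `name: null` when no filter is given; worth confirming the server treats a null name as "all profiles" rather than as a literal match.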
@@ -69,6 +74,10 @@ module Compliance
69
74
  e
70
75
  }
71
76
  end
77
+ # filter by name and version if they were specified in profile_filter
78
+ mapped_profiles.select! do |p|
79
+ (!ver || p['version'] == ver) && (!id || p['name'] == id)
80
+ end
72
81
  return msg, mapped_profiles
73
82
  when '401'
74
83
  msg = '401 Unauthorized. Please check your token.'
@@ -101,25 +110,10 @@ module Compliance
101
110
  parsed
102
111
  end
103
112
 
104
- # verifies that a profile
113
+ # verifies that a profile exists
105
114
  def self.exist?(config, profile)
106
- owner, id, ver = profile_split(profile)
107
-
108
- # ensure that we do not manipulate the configuration object
109
- user_config = config.dup
110
- user_config['owner'] = owner
111
- _msg, profiles = Compliance::API.profiles(user_config)
112
-
113
- if !profiles.empty?
114
- profiles.any? do |p|
115
- profile_owner = p['owner_id'] || p['owner']
116
- profile_owner == owner &&
117
- p['name'] == id &&
118
- (ver.nil? || p['version'] == ver)
119
- end
120
- else
121
- false
122
- end
115
+ _msg, profiles = Compliance::API.profiles(config, profile)
116
+ !profiles.empty?
123
117
  end
124
118
 
125
119
  def self.upload(config, owner, profile_name, archive_path)
@@ -13,50 +13,81 @@ module Compliance
13
13
  class Fetcher < Fetchers::Url
14
14
  name 'compliance'
15
15
  priority 500
16
- def self.resolve(target) # rubocop:disable PerceivedComplexity, Metrics/CyclomaticComplexity, Metrics/AbcSize
17
- uri = if target.is_a?(String) && URI(target).scheme == 'compliance'
18
- URI(target)
19
- elsif target.respond_to?(:key?) && target.key?(:compliance)
20
- URI("compliance://#{target[:compliance]}")
21
- end
16
+ attr_reader :upstream_sha256
17
+
18
+ def initialize(target, opts)
19
+ super(target, opts)
20
+ if target.is_a?(Hash) && target.key?(:url)
21
+ @target = target[:url]
22
+ @upstream_sha256 = target[:sha256]
23
+ elsif target.is_a?(String)
24
+ @target = target
25
+ @upstream_sha256 = ''
26
+ end
27
+ end
22
28
 
23
- return nil if uri.nil?
29
+ def sha256
30
+ upstream_sha256.empty? ? super : upstream_sha256
31
+ end
24
32
 
25
- # we have detailed information available in our lockfile, no need to ask the server
26
- if target.respond_to?(:key?) && target.key?(:url)
27
- profile_fetch_url = target[:url]
28
- config = {}
29
- else
30
- # check if we have a compliance token
31
- config = Compliance::Configuration.new
32
- if config['token'].nil? && config['refresh_token'].nil?
33
- if config['server_type'] == 'automate'
34
- server = 'automate'
35
- msg = 'inspec compliance login https://your_automate_server --user USER --ent ENT --dctoken DCTOKEN or --token USERTOKEN'
36
- elsif config['server_type'] == 'automate2'
37
- server = 'automate2'
38
- msg = 'inspec compliance login https://your_automate2_server --user USER --token APITOKEN'
39
- else
40
- server = 'compliance'
41
- msg = "inspec compliance login https://your_compliance_server --user admin --insecure --token 'PASTE TOKEN HERE' "
42
- end
43
- raise Inspec::FetcherFailure, <<~EOF
33
+ def self.check_compliance_token(config)
34
+ if config['token'].nil? && config['refresh_token'].nil?
35
+ if config['server_type'] == 'automate'
36
+ server = 'automate'
37
+ msg = 'inspec compliance login https://your_automate_server --user USER --ent ENT --dctoken DCTOKEN or --token USERTOKEN'
38
+ elsif config['server_type'] == 'automate2'
39
+ server = 'automate2'
40
+ msg = 'inspec compliance login https://your_automate2_server --user USER --token APITOKEN'
41
+ else
42
+ server = 'compliance'
43
+ msg = "inspec compliance login https://your_compliance_server --user admin --insecure --token 'PASTE TOKEN HERE' "
44
+ end
45
+ raise Inspec::FetcherFailure, <<~EOF
44
46
 
45
- Cannot fetch #{uri} because your #{server} token has not been
46
- configured.
47
+ Cannot fetch #{uri} because your #{server} token has not been
48
+ configured.
47
49
 
48
- Please login using
50
+ Please login using
49
51
 
50
- #{msg}
51
- EOF
52
- end
52
+ #{msg}
53
+ EOF
54
+ end
55
+ end
56
+
57
+ def self.get_target_uri(target)
58
+ if target.is_a?(String) && URI(target).scheme == 'compliance'
59
+ URI(target)
60
+ elsif target.respond_to?(:key?) && target.key?(:compliance)
61
+ URI("compliance://#{target[:compliance]}")
62
+ end
63
+ end
53
64
 
65
+ def self.resolve(target)
66
+ uri = get_target_uri(target)
67
+ return nil if uri.nil?
68
+
69
+ config = Compliance::Configuration.new
70
+ profile = Compliance::API.sanitize_profile_name(uri)
71
+ profile_fetch_url = Compliance::API.target_url(config, profile)
72
+ # we have detailed information available in our lockfile, no need to ask the server
73
+ if target.respond_to?(:key?) && target.key?(:sha256)
74
+ profile_checksum = target[:sha256]
75
+ else
76
+ check_compliance_token(config)
54
77
  # verifies that the target e.g base/ssh exists
55
- profile = Compliance::API.sanitize_profile_name(uri)
56
- if !Compliance::API.exist?(config, profile)
78
+ # Call profiles directly instead of exist? to capture the results
79
+ # so we can access the upstream sha256 from the results.
80
+ _msg, profile_result = Compliance::API.profiles(config, profile)
81
+ if profile_result.empty?
57
82
  raise Inspec::FetcherFailure, "The compliance profile #{profile} was not found on the configured compliance server"
83
+ else
84
+ # Guarantee sorting by verison and grab the latest.
85
+ # If version was specified, it will be the first and only result.
86
+ # Note we are calling the sha256 as a string, not a symbol since
87
+ # it was returned as json from the Compliance API.
88
+ profile_info = profile_result.sort_by { |x| Gem::Version.new(x['version']) }[0]
89
+ profile_checksum = profile_info.key?('sha256') ? profile_info['sha256'] : ''
58
90
  end
59
- profile_fetch_url = Compliance::API.target_url(config, profile)
60
91
  end
61
92
  # We need to pass the token to the fetcher
62
93
  config['token'] = Compliance::API.get_token(config)
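Review bot: `check_compliance_token(config)` interpolates `#{uri}` in its heredoc, but `uri` is a local of `resolve` and is not passed in, so the missing-token path raises NameError instead of Inspec::FetcherFailure (unless a class-level `uri` method exists outside the hunk); change it to `def self.check_compliance_token(config, uri)` and the call to `check_compliance_token(config, uri)`. The comment above `profile_result.sort_by { |x| Gem::Version.new(x['version']) }[0]` says it grabs the latest, but an ascending sort_by indexed at 0 yields the oldest version, and therefore the oldest profile's sha256 is recorded; `max_by { |x| Gem::Version.new(x['version']) }` gives the intended result. In `initialize`, `@upstream_sha256 = target[:sha256]` is nil when a Hash target carries no :sha256, and `sha256` then calls `.empty?` on nil; `@upstream_sha256 = target[:sha256] || ''` avoids that. Note also that when a digest is supplied, `sha256` returns it instead of hashing the fetched archive via super, so the pinned value is reported rather than verified; if the lockfile digest is meant to pin content, compare super against upstream_sha256 after the download and raise Inspec::FetcherFailure on mismatch.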
@@ -65,7 +96,7 @@ module Compliance
65
96
  profile_stub = profile || target[:compliance]
66
97
  config['profile'] = Compliance::API.profile_split(profile_stub)
67
98
 
68
- new(profile_fetch_url, config)
99
+ new({ url: profile_fetch_url, sha256: profile_checksum }, config)
69
100
  rescue URI::Error => _e
70
101
  nil
71
102
  end
@@ -21,17 +21,19 @@ module Fetchers
21
21
 
22
22
  def self.resolve(target, opts = {})
23
23
  if target.is_a?(Hash) && target.key?(:url)
24
- resolve_from_string(target[:url], opts)
24
+ resolve_from_string(target[:url], opts, target[:username], target[:password])
25
25
  elsif target.is_a?(String)
26
26
  resolve_from_string(target, opts)
27
27
  end
28
28
  end
29
29
 
30
- def self.resolve_from_string(target, opts)
30
+ def self.resolve_from_string(target, opts, username = nil, password = nil)
31
31
  uri = URI.parse(target)
32
32
  return nil if uri.nil? or uri.scheme.nil?
33
33
  return nil unless %{ http https }.include? uri.scheme
34
34
  target = transform(target)
35
+ opts[:username] = username if username
36
+ opts[:password] = password if password
35
37
  new(target, opts)
36
38
  rescue URI::Error
37
39
  nil
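Review bot: `opts[:username] = username if username` and the following password line write into the opts Hash that the caller handed to `resolve`, so an explicitly passed option Hash is silently extended with credentials (the `opts = {}` default is fresh per call, an explicit Hash is not). Build a copy instead: `opts = opts.merge(username: username) if username` and `opts = opts.merge(password: password) if password`. The method's closing `end` is below the hunk.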
@@ -223,6 +225,8 @@ module Fetchers
223
225
  opts['Authorization'] = "Bearer #{@token}"
224
226
  end
225
227
 
228
+ opts[:http_basic_authentication] = [@config[:username], @config[:password]] if @config[:username]
229
+
226
230
  # Do not send any headers that have nil values.
227
231
  # Net::HTTP does not gracefully handle this situation.
228
232
  check_for_missing_values!(opts)
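Review bot: The guard on `opts[:http_basic_authentication] = [@config[:username], @config[:password]] if @config[:username]` checks only the username, so a missing password produces `[user, nil]`, and the nil sits inside an Array where `check_for_missing_values!` (which, per its comment, looks at nil header values) presumably will not see it; tighten it to `if @config[:username] && @config[:password]`. Since `resolve_from_string` accepts both `http` and `https`, these credentials are also sent in cleartext for a plain-http dependency URL; at minimum log a warning when basic auth is attached to a non-https URI, or refuse it. The enclosing method starts above the hunk, so whether a Bearer token and basic auth can both end up on the same request is not visible here and is worth a comment on the precedence.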
@@ -204,7 +204,8 @@ module Inspec
204
204
 
205
205
  def self.from_yaml(ref, content, profile_id, logger = nil)
206
206
  res = Metadata.new(ref, logger)
207
- res.params = YAML.load(content)
207
+ require 'erb'
208
+ res.params = YAML.load(ERB.new(content).result)
208
209
  res.content = content
209
210
  finalize(res, profile_id, {}, logger)
210
211
  end
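Review bot: `ERB.new(content).result` evaluates the template with TOPLEVEL_BINDING, so every inspec.yml that reaches `from_yaml` — including the metadata of a dependency fetched from a URL, git or a compliance server — is now executed as Ruby before YAML parsing, in every code path that reads metadata and not only when controls run; that widening of what counts as executable input deserves a comment on the method, e.g. `# inspec.yml is rendered with ERB (arbitrary Ruby, ENV access) before YAML parsing; profile metadata is therefore code, not data`. A template error surfaces as a Ruby exception rather than a YAML error, and `res.content = content` keeps the unrendered text, which looks intentional (rendered secrets are not persisted) but should be stated in the same comment. The `require 'erb'` inside the method is better hoisted to the top of the file alongside the other requires.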
@@ -229,7 +229,7 @@ module Inspec
229
229
  info(load_params.dup)
230
230
  end
231
231
 
232
- def info(res = params.dup)
232
+ def info(res = params.dup) # rubocop:disable Metrics/CyclomaticComplexity
233
233
  # add information about the controls
234
234
  res[:controls] = res[:controls].map do |id, rule|
235
235
  next if id.to_s.empty?
@@ -252,6 +252,15 @@ module Inspec
252
252
  res[:attributes] = res[:attributes].map(&:to_hash) unless res[:attributes].nil? || res[:attributes].empty?
253
253
  res[:sha256] = sha256
254
254
  res[:parent_profile] = parent_profile unless parent_profile.nil?
255
+
256
+ # convert legacy os-* supports to their platform counterpart
257
+ if res[:supports] && !res[:supports].empty?
258
+ res[:supports].each do |support|
259
+ support[:"platform-family"] = support.delete(:"os-family") if support.key?(:"os-family")
260
+ support[:"platform-name"] = support.delete(:"os-name") if support.key?(:"os-name")
261
+ end
262
+ end
263
+
255
264
  res
256
265
  end
257
266
 
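Review bot: The supports loop mutates each `support` Hash in place, and `res` defaults to `params.dup`, which is a shallow copy, so `support.delete(:"os-family")` also removes the key from the metadata's own `params[:supports]`; after the first `info` call the os-* keys are gone from the object, and callers that re-serialize or compare `params` see the converted form. Rebuild the entries instead of editing them, as below; this relies on each entry being a Hash, which the schema hunk in this diff does declare. `info` starts above the hunk.
```ruby
# convert legacy os-* supports to their platform counterpart
if res[:supports] && !res[:supports].empty?
  res[:supports] = res[:supports].map do |support|
    converted = support.dup
    converted[:"platform-family"] = converted.delete(:"os-family") if converted.key?(:"os-family")
    converted[:"platform-name"] = converted.delete(:"os-name") if converted.key?(:"os-name")
    converted
  end
end
# … unchanged: return res …
```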
@@ -227,9 +227,10 @@ module Inspec
227
227
  # all checks that were defined in the destination
228
228
  sc = checks(src)
229
229
  dst.instance_variable_set(:@__checks, sc) unless sc.empty?
230
- # we need only the value of result not the Hash containing value and message
231
- sr = skip_status(src)[:result]
232
- set_skip_rule(dst, sr) unless sr.nil?
230
+ skip_check = skip_status(src)
231
+ sr = skip_check[:result]
232
+ msg = skip_check[:message]
233
+ set_skip_rule(dst, sr, msg) unless sr.nil?
233
234
 
234
235
  # Save merge history
235
236
  dst.instance_variable_set(:@__merge_count, merge_count(dst) + 1)
@@ -102,7 +102,12 @@ module Inspec
102
102
  'type' => 'object',
103
103
  'additionalProperties' => false,
104
104
  'properties' => {
105
+ 'platform-family' => { 'type' => 'string', 'optional' => true },
106
+ 'platform-name' => { 'type' => 'string', 'optional' => true },
107
+ 'platform' => { 'type' => 'string', 'optional' => true },
108
+ # os-* supports are being deprecated
105
109
  'os-family' => { 'type' => 'string', 'optional' => true },
110
+ 'os-name' => { 'type' => 'string', 'optional' => true },
106
111
  },
107
112
  }.freeze
108
113
 
@@ -4,5 +4,5 @@
4
4
  # author: Christoph Hartmann
5
5
 
6
6
  module Inspec
7
- VERSION = '2.2.70'
7
+ VERSION = '2.2.78'
8
8
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: inspec
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.2.70
4
+ version: 2.2.78
5
5
  platform: ruby
6
6
  authors:
7
7
  - Dominik Richter
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2018-08-23 00:00:00.000000000 Z
11
+ date: 2018-08-30 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: train
@@ -19,7 +19,7 @@ dependencies:
19
19
  version: '1.4'
20
20
  - - ">="
21
21
  - !ruby/object:Gem::Version
22
- version: 1.4.15
22
+ version: 1.4.35
23
23
  type: :runtime
24
24
  prerelease: false
25
25
  version_requirements: !ruby/object:Gem::Requirement
@@ -29,7 +29,7 @@ dependencies:
29
29
  version: '1.4'
30
30
  - - ">="
31
31
  - !ruby/object:Gem::Version
32
- version: 1.4.15
32
+ version: 1.4.35
33
33
  - !ruby/object:Gem::Dependency
34
34
  name: thor
35
35
  requirement: !ruby/object:Gem::Requirement