inspec 2.2.70 → 2.2.78

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6dc6fb470460ab2b0b96771d62cb0daf7c236d69ddb6dd79f213656a55d54e5f
-  data.tar.gz: 239448502597b1907e8d35761ca18317ed75462cf0063105a6a770e4949b861d
+  metadata.gz: 842e90c7b84b1e95a0ca1989f26048ab81a67a5e4f602461c7f6eb6a9ac8a0df
+  data.tar.gz: 0c9220d4fdd48bece5981ff0a7599e070742208de5520f449d79068031c9b839
 SHA512:
-  metadata.gz: d173ad69e9b20522dff8a485c50d3e11c429115eea183ce558871f4a826d5c2bbde620798dceb6840ddf017e18eb7f59e5fc1f53ddc020c6c84f3c145abb3e8b
-  data.tar.gz: cfc9224a29d43af3dbbc4e5da21c9a64af68cf27a7e1d2cef471506662046080f627055f8217cd34dc368f3ebeca6c49b0a0da569c30e428b40d0c7f32207502
+  metadata.gz: d52ea98ca54e58a0191968e445c7e5f32c7cac9fd58be5f7e00acba5fed6ec5bb4f9cb9bcdc8bc1fe988b925f8c9c64a80283a4309b20135d1d2d395362c8ff0
+  data.tar.gz: ad42da9cb733b08b50f5082742fda88147ca7f6c8a3739fac19ad74d4fe5acc88f5ce92ff4e7be28e013637dbae009fccb32811ef9baed9727a66cb4b8d5236f

data/CHANGELOG.md

@@ -1,35 +1,51 @@
 # Change Log
 <!-- usage documentation: http://expeditor-docs.es.chef.io/configuration/changelog/ -->
-<!-- latest_release 2.2.70 -->
-## [v2.2.70](https://github.com/inspec/inspec/tree/v2.2.70) (2018-08-23)
+<!-- latest_release 2.2.78 -->
+## [v2.2.78](https://github.com/inspec/inspec/tree/v2.2.78) (2018-08-30)
 
 #### Merged Pull Requests
-- Rebuild InSpec omni bundles [#3327](https://github.com/inspec/inspec/pull/3327) ([jquick](https://github.com/jquick))
+- Update demo site nom packages [#3343](https://github.com/inspec/inspec/pull/3343) ([miah](https://github.com/miah))
 <!-- latest_release -->
 
-<!-- release_rollup since=2.2.64 -->
-### Changes since 2.2.64 release
+<!-- release_rollup since=2.2.70 -->
+### Changes since 2.2.70 release
 
-#### Enhancements
-- Infer `--sudo` when `--sudo-password` is used [#3313](https://github.com/inspec/inspec/pull/3313) ([jerryaldrichiii](https://github.com/jerryaldrichiii)) <!-- 2.2.68 -->
+#### New Features
+- Add HTTP basic auth for URL based inspec deps [#3341](https://github.com/inspec/inspec/pull/3341) ([frezbo](https://github.com/frezbo)) <!-- 2.2.77 -->
+- Support erb rendering [#3338](https://github.com/inspec/inspec/pull/3338) ([frezbo](https://github.com/frezbo)) <!-- 2.2.76 -->
 
 #### Bug Fixes
-- Fix skip hash being passed instead of boolean value [#3323](https://github.com/inspec/inspec/pull/3323) ([frezbo](https://github.com/frezbo)) <!-- 2.2.67 -->
+- fix skip message not being passed for merge [#3329](https://github.com/inspec/inspec/pull/3329) ([frezbo](https://github.com/frezbo)) <!-- 2.2.73 -->
 
 #### Merged Pull Requests
-- Rebuild InSpec omni bundles [#3327](https://github.com/inspec/inspec/pull/3327) ([jquick](https://github.com/jquick)) <!-- 2.2.70 -->
-- Suppress logs for json-automate reporter [#3324](https://github.com/inspec/inspec/pull/3324) ([jquick](https://github.com/jquick)) <!-- 2.2.66 -->
-- Add cloudlinux under redhat family [#2935](https://github.com/inspec/inspec/pull/2935) ([tarcinil](https://github.com/tarcinil)) <!-- 2.2.65 -->
+- Update demo site nom packages [#3343](https://github.com/inspec/inspec/pull/3343) ([miah](https://github.com/miah)) <!-- 2.2.78 -->
+- Fix the brew command to install inspec [#3335](https://github.com/inspec/inspec/pull/3335) ([tas50](https://github.com/tas50)) <!-- 2.2.75 -->
+- Convert legacy supports to their platform counterparts [#3333](https://github.com/inspec/inspec/pull/3333) ([jquick](https://github.com/jquick)) <!-- 2.2.74 -->
+- bump inspec/train version [#3331](https://github.com/inspec/inspec/pull/3331) ([tomqwu](https://github.com/tomqwu)) <!-- 2.2.72 -->
+- Cached profiles with Compliance Fetcher [#3221](https://github.com/inspec/inspec/pull/3221) ([itmustbejj](https://github.com/itmustbejj)) <!-- 2.2.71 -->
 <!-- release_rollup -->
 
 <!-- latest_stable_release -->
+## [v2.2.70](https://github.com/inspec/inspec/tree/v2.2.70) (2018-08-24)
+
+#### Enhancements
+- Infer `--sudo` when `--sudo-password` is used [#3313](https://github.com/inspec/inspec/pull/3313) ([jerryaldrichiii](https://github.com/jerryaldrichiii))
+
+#### Bug Fixes
+- Fix skip hash being passed instead of boolean value [#3323](https://github.com/inspec/inspec/pull/3323) ([frezbo](https://github.com/frezbo))
+
+#### Merged Pull Requests
+- Add cloudlinux under redhat family [#2935](https://github.com/inspec/inspec/pull/2935) ([tarcinil](https://github.com/tarcinil))
+- Suppress logs for json-automate reporter [#3324](https://github.com/inspec/inspec/pull/3324) ([jquick](https://github.com/jquick))
+- Rebuild InSpec omni bundles [#3327](https://github.com/inspec/inspec/pull/3327) ([jquick](https://github.com/jquick))
+<!-- latest_stable_release -->
+
 ## [v2.2.64](https://github.com/inspec/inspec/tree/v2.2.64) (2018-08-17)
 
 #### Merged Pull Requests
 - Update `only_if` to allow user specified messages. [#3267](https://github.com/inspec/inspec/pull/3267) ([miah](https://github.com/miah))
 - Allow the jsonAutomate report to be executed from cli [#3285](https://github.com/inspec/inspec/pull/3285) ([jquick](https://github.com/jquick))
 - Dummy PR to bump expeditor version. [#3298](https://github.com/inspec/inspec/pull/3298) ([jquick](https://github.com/jquick))
-<!-- latest_stable_release -->
 
 ## [v2.2.61](https://github.com/inspec/inspec/tree/v2.2.61) (2018-08-09)
 

data/docs/profiles.md

@@ -71,6 +71,24 @@ depends:
 inspec_version: "~> 2.1"
 ```
 
+The `inspec.yml` also supports embedded ERB in the file. For example:
+
+```YAML
+name: dummy
+title: InSpec Profile
+maintainer: The Authors
+copyright: The Authors
+copyright_email: you@example.com
+license: Apache-2.0
+summary: An InSpec Compliance Profile
+version: 0.1.0
+depends:
+- name: inherit
+  url: "https://artifactory.com/artifactory/example-repo-local/inspec/0.4.1.tar.gz"
+  username: <%= ENV['USERNAME'] %>
+  password: <%= ENV['API_KEY'] %>
+```
+
 ## Verify Profiles
 
 Use the `inspec check` command to verify the implementation of a profile:
@@ -181,6 +199,16 @@ depends:
   url: https://github.com/myusername/myprofile-repo/archive/master.tar.gz
 ```
 
+`url` also supports basic authentication.
+
+```YAML
+depends:
+- name: my-profile
+  url: https://my.domain/path/to/profile.tgz
+  username: user
+  password: password
+```
+
 ### git
 
 A `git` setting specifies a profile that is located in a git repository, with optional settings for branch, tag, commit, and version. The source location is translated into a URL upon resolution. This type of dependency supports version constraints via semantic versioning as git tags.

data/docs/resources/azure_generic_resource.md.erb

@@ -180,4 +180,4 @@ This InSpec audit resource has the following special matchers. For a full list o
 
 Please see the integration tests for in depth examples of how this resource can be used.
 
-[Inspec Integration Tests for Azure Generic Resources](https://github.com/chef/inspec/tree/master/test/azure/verify/controls)
+[Inspec Integration Tests for Azure Generic Resources](https://github.com/chef/inspec/tree/master/test/integration/azure/verify/controls)

data/inspec.gemspec

@@ -26,7 +26,7 @@ Gem::Specification.new do |spec|
 
   spec.required_ruby_version = '>= 2.3'
 
-  spec.add_dependency 'train', '~> 1.4', '>= 1.4.15'
+  spec.add_dependency 'train', '~> 1.4', '>= 1.4.35'
   spec.add_dependency 'thor', '~> 0.20'
   spec.add_dependency 'json', '>= 1.8', '< 3.0'
   spec.add_dependency 'method_source', '~> 0.8'

data/lib/bundles/inspec-compliance/api.rb

@@ -19,7 +19,7 @@ module Compliance
     # return all compliance profiles available for the user
     # the user is either specified in the options hash or by default
     # the username of the account is used that is logged in
-    def self.profiles(config) # rubocop:disable PerceivedComplexity, Metrics/CyclomaticComplexity, Metrics/AbcSize, Metrics/MethodLength
+    def self.profiles(config, profile_filter = nil) # rubocop:disable PerceivedComplexity, Metrics/CyclomaticComplexity, Metrics/AbcSize, Metrics/MethodLength
       owner = config['owner'] || config['user']
 
       # Chef Compliance
@@ -36,9 +36,14 @@ module Compliance
       end
 
       headers = get_headers(config)
+      if profile_filter
+        _owner, id, ver = profile_split(profile_filter)
+      else
+        id, ver = nil
+      end
 
       if is_automate2_server?(config)
-        body = { owner: owner }.to_json
+        body = { owner: owner, name: id }.to_json
         response = Compliance::HTTP.post_with_headers(url, headers, body, config['insecure'])
       else
         response = Compliance::HTTP.get(url, headers, config['insecure'])
@@ -69,6 +74,10 @@ module Compliance
             e
           }
         end
+        # filter by name and version if they were specified in profile_filter
+        mapped_profiles.select! do |p|
+          (!ver || p['version'] == ver) && (!id || p['name'] == id)
+        end
         return msg, mapped_profiles
       when '401'
         msg = '401 Unauthorized. Please check your token.'
@@ -101,25 +110,10 @@ module Compliance
       parsed
     end
 
-    # verifies that a profile
+    # verifies that a profile exists
     def self.exist?(config, profile)
-      owner, id, ver = profile_split(profile)
-
-      # ensure that we do not manipulate the configuration object
-      user_config = config.dup
-      user_config['owner'] = owner
-      _msg, profiles = Compliance::API.profiles(user_config)
-
-      if !profiles.empty?
-        profiles.any? do |p|
-          profile_owner = p['owner_id'] || p['owner']
-          profile_owner == owner &&
-            p['name'] == id &&
-            (ver.nil? || p['version'] == ver)
-        end
-      else
-        false
-      end
+      _msg, profiles = Compliance::API.profiles(config, profile)
+      !profiles.empty?
     end
 
     def self.upload(config, owner, profile_name, archive_path)

data/lib/bundles/inspec-compliance/target.rb

@@ -13,50 +13,81 @@ module Compliance
   class Fetcher < Fetchers::Url
     name 'compliance'
     priority 500
-    def self.resolve(target) # rubocop:disable PerceivedComplexity, Metrics/CyclomaticComplexity, Metrics/AbcSize
-      uri = if target.is_a?(String) && URI(target).scheme == 'compliance'
-              URI(target)
-            elsif target.respond_to?(:key?) && target.key?(:compliance)
-              URI("compliance://#{target[:compliance]}")
-            end
+    attr_reader :upstream_sha256
+
+    def initialize(target, opts)
+      super(target, opts)
+      if target.is_a?(Hash) && target.key?(:url)
+        @target = target[:url]
+        @upstream_sha256 = target[:sha256]
+      elsif target.is_a?(String)
+        @target = target
+        @upstream_sha256 = ''
+      end
+    end
 
-      return nil if uri.nil?
+    def sha256
+      upstream_sha256.empty? ? super : upstream_sha256
+    end
 
-      # we have detailed information available in our lockfile, no need to ask the server
-      if target.respond_to?(:key?) && target.key?(:url)
-        profile_fetch_url = target[:url]
-        config = {}
-      else
-        # check if we have a compliance token
-        config = Compliance::Configuration.new
-        if config['token'].nil? && config['refresh_token'].nil?
-          if config['server_type'] == 'automate'
-            server = 'automate'
-            msg = 'inspec compliance login https://your_automate_server --user USER --ent ENT --dctoken DCTOKEN or --token USERTOKEN'
-          elsif config['server_type'] == 'automate2'
-            server = 'automate2'
-            msg = 'inspec compliance login https://your_automate2_server --user USER --token APITOKEN'
-          else
-            server = 'compliance'
-            msg = "inspec compliance login https://your_compliance_server --user admin --insecure --token 'PASTE TOKEN HERE' "
-          end
-          raise Inspec::FetcherFailure, <<~EOF
+    def self.check_compliance_token(config)
+      if config['token'].nil? && config['refresh_token'].nil?
+        if config['server_type'] == 'automate'
+          server = 'automate'
+          msg = 'inspec compliance login https://your_automate_server --user USER --ent ENT --dctoken DCTOKEN or --token USERTOKEN'
+        elsif config['server_type'] == 'automate2'
+          server = 'automate2'
+          msg = 'inspec compliance login https://your_automate2_server --user USER --token APITOKEN'
+        else
+          server = 'compliance'
+          msg = "inspec compliance login https://your_compliance_server --user admin --insecure --token 'PASTE TOKEN HERE' "
+        end
+        raise Inspec::FetcherFailure, <<~EOF
 
-            Cannot fetch #{uri} because your #{server} token has not been
-            configured.
+          Cannot fetch #{uri} because your #{server} token has not been
+          configured.
 
-            Please login using
+          Please login using
 
-                #{msg}
-          EOF
-        end
+              #{msg}
+        EOF
+      end
+    end
+
+    def self.get_target_uri(target)
+      if target.is_a?(String) && URI(target).scheme == 'compliance'
+        URI(target)
+      elsif target.respond_to?(:key?) && target.key?(:compliance)
+        URI("compliance://#{target[:compliance]}")
+      end
+    end
 
+    def self.resolve(target)
+      uri = get_target_uri(target)
+      return nil if uri.nil?
+
+      config = Compliance::Configuration.new
+      profile = Compliance::API.sanitize_profile_name(uri)
+      profile_fetch_url = Compliance::API.target_url(config, profile)
+      # we have detailed information available in our lockfile, no need to ask the server
+      if target.respond_to?(:key?) && target.key?(:sha256)
+        profile_checksum = target[:sha256]
+      else
+        check_compliance_token(config)
         # verifies that the target e.g base/ssh exists
-        profile = Compliance::API.sanitize_profile_name(uri)
-        if !Compliance::API.exist?(config, profile)
+        # Call profiles directly instead of exist? to capture the results
+        # so we can access the upstream sha256 from the results.
+        _msg, profile_result = Compliance::API.profiles(config, profile)
+        if profile_result.empty?
           raise Inspec::FetcherFailure, "The compliance profile #{profile} was not found on the configured compliance server"
+        else
+          # Guarantee sorting by verison and grab the latest.
+          # If version was specified, it will be the first and only result.
+          # Note we are calling the sha256 as a string, not a symbol since
+          # it was returned as json from the Compliance API.
+          profile_info = profile_result.sort_by { |x| Gem::Version.new(x['version']) }[0]
+          profile_checksum = profile_info.key?('sha256') ? profile_info['sha256'] : ''
         end
-        profile_fetch_url = Compliance::API.target_url(config, profile)
       end
       # We need to pass the token to the fetcher
       config['token'] = Compliance::API.get_token(config)
@@ -65,7 +96,7 @@ module Compliance
       profile_stub = profile || target[:compliance]
       config['profile'] = Compliance::API.profile_split(profile_stub)
 
-      new(profile_fetch_url, config)
+      new({ url: profile_fetch_url, sha256: profile_checksum }, config)
     rescue URI::Error => _e
       nil
     end

data/lib/fetchers/url.rb

@@ -21,17 +21,19 @@ module Fetchers
 
     def self.resolve(target, opts = {})
       if target.is_a?(Hash) && target.key?(:url)
-        resolve_from_string(target[:url], opts)
+        resolve_from_string(target[:url], opts, target[:username], target[:password])
       elsif target.is_a?(String)
         resolve_from_string(target, opts)
       end
     end
 
-    def self.resolve_from_string(target, opts)
+    def self.resolve_from_string(target, opts, username = nil, password = nil)
       uri = URI.parse(target)
       return nil if uri.nil? or uri.scheme.nil?
       return nil unless %{ http https }.include? uri.scheme
       target = transform(target)
+      opts[:username] = username if username
+      opts[:password] = password if password
       new(target, opts)
     rescue URI::Error
       nil
@@ -223,6 +225,8 @@ module Fetchers
         opts['Authorization'] = "Bearer #{@token}"
       end
 
+      opts[:http_basic_authentication] = [@config[:username], @config[:password]] if @config[:username]
+
       # Do not send any headers that have nil values.
       # Net::HTTP does not gracefully handle this situation.
       check_for_missing_values!(opts)

data/lib/inspec/metadata.rb

@@ -204,7 +204,8 @@ module Inspec
 
     def self.from_yaml(ref, content, profile_id, logger = nil)
       res = Metadata.new(ref, logger)
-      res.params = YAML.load(content)
+      require 'erb'
+      res.params = YAML.load(ERB.new(content).result)
       res.content = content
       finalize(res, profile_id, {}, logger)
     end

data/lib/inspec/profile.rb

@@ -229,7 +229,7 @@ module Inspec
       info(load_params.dup)
     end
 
-    def info(res = params.dup)
+    def info(res = params.dup) # rubocop:disable Metrics/CyclomaticComplexity
       # add information about the controls
       res[:controls] = res[:controls].map do |id, rule|
         next if id.to_s.empty?
@@ -252,6 +252,15 @@ module Inspec
       res[:attributes] = res[:attributes].map(&:to_hash) unless res[:attributes].nil? || res[:attributes].empty?
       res[:sha256] = sha256
       res[:parent_profile] = parent_profile unless parent_profile.nil?
+
+      # convert legacy os-* supports to their platform counterpart
+      if res[:supports] && !res[:supports].empty?
+        res[:supports].each do |support|
+          support[:"platform-family"] = support.delete(:"os-family") if support.key?(:"os-family")
+          support[:"platform-name"] = support.delete(:"os-name") if support.key?(:"os-name")
+        end
+      end
+
       res
     end
 

data/lib/inspec/rule.rb

@@ -227,9 +227,10 @@ module Inspec
       # all checks that were defined in the destination
       sc = checks(src)
       dst.instance_variable_set(:@__checks, sc) unless sc.empty?
-      # we need only the value of result not the Hash containing value and message
-      sr = skip_status(src)[:result]
-      set_skip_rule(dst, sr) unless sr.nil?
+      skip_check = skip_status(src)
+      sr = skip_check[:result]
+      msg = skip_check[:message]
+      set_skip_rule(dst, sr, msg) unless sr.nil?
 
       # Save merge history
       dst.instance_variable_set(:@__merge_count, merge_count(dst) + 1)

data/lib/inspec/schema.rb

@@ -102,7 +102,12 @@ module Inspec
       'type' => 'object',
       'additionalProperties' => false,
       'properties' => {
+        'platform-family' => { 'type' => 'string', 'optional' => true },
+        'platform-name' => { 'type' => 'string', 'optional' => true },
+        'platform' => { 'type' => 'string', 'optional' => true },
+        # os-* supports are being deprecated
         'os-family' => { 'type' => 'string', 'optional' => true },
+        'os-name' => { 'type' => 'string', 'optional' => true },
       },
     }.freeze
 

data/lib/inspec/version.rb

@@ -4,5 +4,5 @@
 # author: Christoph Hartmann
 
 module Inspec
-  VERSION = '2.2.70'
+  VERSION = '2.2.78'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec
 version: !ruby/object:Gem::Version
-  version: 2.2.70
+  version: 2.2.78
 platform: ruby
 authors:
 - Dominik Richter
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-08-23 00:00:00.000000000 Z
+date: 2018-08-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: train
@@ -19,7 +19,7 @@ dependencies:
         version: '1.4'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.4.15
+        version: 1.4.35
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -29,7 +29,7 @@ dependencies:
         version: '1.4'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.4.15
+        version: 1.4.35
 - !ruby/object:Gem::Dependency
   name: thor
   requirement: !ruby/object:Gem::Requirement