inspec 2.2.78 → 2.2.101

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 842e90c7b84b1e95a0ca1989f26048ab81a67a5e4f602461c7f6eb6a9ac8a0df
-  data.tar.gz: 0c9220d4fdd48bece5981ff0a7599e070742208de5520f449d79068031c9b839
+  metadata.gz: 97359c70280644ef6740b0411da01c65f28f68b2c605f80f7a929ce40ed1f420
+  data.tar.gz: 6ef3c2bbc9ab39b14ca2b9e0c7702d8d08619022ce12369fa58bc7ef28537e4e
 SHA512:
-  metadata.gz: d52ea98ca54e58a0191968e445c7e5f32c7cac9fd58be5f7e00acba5fed6ec5bb4f9cb9bcdc8bc1fe988b925f8c9c64a80283a4309b20135d1d2d395362c8ff0
-  data.tar.gz: ad42da9cb733b08b50f5082742fda88147ca7f6c8a3739fac19ad74d4fe5acc88f5ce92ff4e7be28e013637dbae009fccb32811ef9baed9727a66cb4b8d5236f
+  metadata.gz: 67a8ae8d08412975b9d3eb1d1921b720e5b86017f66a644d9b563d15b5aa558d35898ea65c68a8a2b2cacb15de5863aedbb44a9fc25dc5168b93879ab1e43eca
+  data.tar.gz: 1be01c10d2ec56e0f064f13ea8cd303e656ff7ede25f91d93845daa8118bc889a4a3f0e8683d2ca87416a1175906bcb3ed4a4d414e52f7d8bb51e39185a8cea6

data/CHANGELOG.md

@@ -1,31 +1,62 @@
 # Change Log
 <!-- usage documentation: http://expeditor-docs.es.chef.io/configuration/changelog/ -->
-<!-- latest_release 2.2.78 -->
-## [v2.2.78](https://github.com/inspec/inspec/tree/v2.2.78) (2018-08-30)
+<!-- latest_release 2.2.101 -->
+## [v2.2.101](https://github.com/inspec/inspec/tree/v2.2.101) (2018-09-14)
 
 #### Merged Pull Requests
-- Update demo site nom packages [#3343](https://github.com/inspec/inspec/pull/3343) ([miah](https://github.com/miah))
+- Fix profile vendoring on Windows [#3378](https://github.com/inspec/inspec/pull/3378) ([jerryaldrichiii](https://github.com/jerryaldrichiii))
 <!-- latest_release -->
 
-<!-- release_rollup since=2.2.70 -->
-### Changes since 2.2.70 release
+<!-- release_rollup since=2.2.78 -->
+### Changes since 2.2.78 release
 
 #### New Features
-- Add HTTP basic auth for URL based inspec deps [#3341](https://github.com/inspec/inspec/pull/3341) ([frezbo](https://github.com/frezbo)) <!-- 2.2.77 -->
-- Support erb rendering [#3338](https://github.com/inspec/inspec/pull/3338) ([frezbo](https://github.com/frezbo)) <!-- 2.2.76 -->
+- Add string impact options for controls [#3359](https://github.com/inspec/inspec/pull/3359) ([jquick](https://github.com/jquick)) <!-- 2.2.96 -->
 
 #### Bug Fixes
-- fix skip message not being passed for merge [#3329](https://github.com/inspec/inspec/pull/3329) ([frezbo](https://github.com/frezbo)) <!-- 2.2.73 -->
+- Fix the compliance target error checks [#3392](https://github.com/inspec/inspec/pull/3392) ([jquick](https://github.com/jquick)) <!-- 2.2.94 -->
+- Prevent logs from showing up when running inspec json [#3391](https://github.com/inspec/inspec/pull/3391) ([jquick](https://github.com/jquick)) <!-- 2.2.93 -->
+- Fixing AWS integration tests. [#3374](https://github.com/inspec/inspec/pull/3374) ([MartinLogan](https://github.com/MartinLogan)) <!-- 2.2.87 -->
+- enforce utf encoding for cli output [#3376](https://github.com/inspec/inspec/pull/3376) ([chris-rock](https://github.com/chris-rock)) <!-- 2.2.86 -->
+- Fix vendoring functional test cleanup [#3377](https://github.com/inspec/inspec/pull/3377) ([jquick](https://github.com/jquick)) <!-- 2.2.85 -->
+- use multipart gem for upload to support upload on windows [#3369](https://github.com/inspec/inspec/pull/3369) ([chris-rock](https://github.com/chris-rock)) <!-- 2.2.84 -->
+- ensure we use the mock backend when we upload profiles [#3370](https://github.com/inspec/inspec/pull/3370) ([chris-rock](https://github.com/chris-rock)) <!-- 2.2.83 -->
+
+#### Enhancements
+- do not show success message since its confusing [#3366](https://github.com/inspec/inspec/pull/3366) ([chris-rock](https://github.com/chris-rock)) <!-- 2.2.82 -->
+- Harmonize vendoring (ensure archives are extracted and local paths do not vendor on exec) [#3286](https://github.com/inspec/inspec/pull/3286) ([jerryaldrichiii](https://github.com/jerryaldrichiii)) <!-- 2.2.81 -->
+- handle errors from automate report and display them to the user [#3360](https://github.com/inspec/inspec/pull/3360) ([chris-rock](https://github.com/chris-rock)) <!-- 2.2.80 -->
 
 #### Merged Pull Requests
-- Update demo site nom packages [#3343](https://github.com/inspec/inspec/pull/3343) ([miah](https://github.com/miah)) <!-- 2.2.78 -->
-- Fix the brew command to install inspec [#3335](https://github.com/inspec/inspec/pull/3335) ([tas50](https://github.com/tas50)) <!-- 2.2.75 -->
-- Convert legacy supports to their platform counterparts [#3333](https://github.com/inspec/inspec/pull/3333) ([jquick](https://github.com/jquick)) <!-- 2.2.74 -->
-- bump inspec/train version [#3331](https://github.com/inspec/inspec/pull/3331) ([tomqwu](https://github.com/tomqwu)) <!-- 2.2.72 -->
-- Cached profiles with Compliance Fetcher [#3221](https://github.com/inspec/inspec/pull/3221) ([itmustbejj](https://github.com/itmustbejj)) <!-- 2.2.71 -->
+- Fix profile vendoring on Windows [#3378](https://github.com/inspec/inspec/pull/3378) ([jerryaldrichiii](https://github.com/jerryaldrichiii)) <!-- 2.2.101 -->
+- Add platforms schema command [#3346](https://github.com/inspec/inspec/pull/3346) ([jquick](https://github.com/jquick)) <!-- 2.2.97 -->
+- Bump omnibus ruby to 2.5.1 [#3390](https://github.com/inspec/inspec/pull/3390) ([jquick](https://github.com/jquick)) <!-- 2.2.95 -->
+- Add windows functional tests [#3385](https://github.com/inspec/inspec/pull/3385) ([jquick](https://github.com/jquick)) <!-- 2.2.92 -->
+- Populate code for inspec json inheritance [#3386](https://github.com/inspec/inspec/pull/3386) ([jquick](https://github.com/jquick)) <!-- 2.2.91 -->
+- Revert uuid change from A2 report [#3387](https://github.com/inspec/inspec/pull/3387) ([jquick](https://github.com/jquick)) <!-- 2.2.90 -->
+- Implement InSpec global attributes [#3318](https://github.com/inspec/inspec/pull/3318) ([jquick](https://github.com/jquick)) <!-- 2.2.89 -->
+- Update rubyzip to resolve a directory traversal security vulnerability. [#3388](https://github.com/inspec/inspec/pull/3388) ([miah](https://github.com/miah)) <!-- 2.2.88 -->
+- Allow target-id passthrough [#3320](https://github.com/inspec/inspec/pull/3320) ([jquick](https://github.com/jquick)) <!-- 2.2.79 -->
 <!-- release_rollup -->
 
 <!-- latest_stable_release -->
+## [v2.2.78](https://github.com/inspec/inspec/tree/v2.2.78) (2018-08-30)
+
+#### New Features
+- Support erb rendering [#3338](https://github.com/inspec/inspec/pull/3338) ([frezbo](https://github.com/frezbo))
+- Add HTTP basic auth for URL based inspec deps [#3341](https://github.com/inspec/inspec/pull/3341) ([frezbo](https://github.com/frezbo))
+
+#### Bug Fixes
+- fix skip message not being passed for merge [#3329](https://github.com/inspec/inspec/pull/3329) ([frezbo](https://github.com/frezbo))
+
+#### Merged Pull Requests
+- Cached profiles with Compliance Fetcher [#3221](https://github.com/inspec/inspec/pull/3221) ([itmustbejj](https://github.com/itmustbejj))
+- bump inspec/train version [#3331](https://github.com/inspec/inspec/pull/3331) ([tomqwu](https://github.com/tomqwu))
+- Convert legacy supports to their platform counterparts [#3333](https://github.com/inspec/inspec/pull/3333) ([jquick](https://github.com/jquick))
+- Fix the brew command to install inspec [#3335](https://github.com/inspec/inspec/pull/3335) ([tas50](https://github.com/tas50))
+- Update demo site nom packages [#3343](https://github.com/inspec/inspec/pull/3343) ([miah](https://github.com/miah))
+<!-- latest_stable_release -->
+
 ## [v2.2.70](https://github.com/inspec/inspec/tree/v2.2.70) (2018-08-24)
 
 #### Enhancements
@@ -38,7 +69,6 @@
 - Add cloudlinux under redhat family [#2935](https://github.com/inspec/inspec/pull/2935) ([tarcinil](https://github.com/tarcinil))
 - Suppress logs for json-automate reporter [#3324](https://github.com/inspec/inspec/pull/3324) ([jquick](https://github.com/jquick))
 - Rebuild InSpec omni bundles [#3327](https://github.com/inspec/inspec/pull/3327) ([jquick](https://github.com/jquick))
-<!-- latest_stable_release -->
 
 ## [v2.2.64](https://github.com/inspec/inspec/tree/v2.2.64) (2018-08-17)
 

data/Rakefile

@@ -75,6 +75,25 @@ namespace :test do
     t.ruby_opts = ['--dev'] if defined?(JRUBY_VERSION)
   end
 
+  # Functional tests on Windows are a WIP. Currently only some
+  # functional test files are supported.
+  # TODO: Ensure all functional tests are ran on Windows
+  Rake::TestTask.new(:'functional:windows') do |t|
+    t.libs << 'test'
+    t.test_files = [
+      'test/functional/inspec_exec_test.rb',
+      'test/functional/inspec_exec_json_test.rb',
+      'test/functional/inspec_detect_test.rb',
+      'test/functional/inspec_vendor_test.rb',
+      'test/functional/inspec_compliance_test.rb',
+      'test/functional/inspec_check_test.rb',
+      'test/functional/filter_table_test.rb',
+    ]
+    t.warning = true
+    t.verbose = true
+    t.ruby_opts = ['--dev'] if defined?(JRUBY_VERSION)
+  end
+
   task :resources do
     tests = Dir['test/resource/*_test.rb']
     return if tests.empty?

data/docs/profiles.md

@@ -51,6 +51,7 @@ Each profile must have an `inspec.yml` file that defines the following informati
 * Use `inspec_version` to place SemVer constraints on the version of InSpec that the profile can run under.
 * Use `supports` to specify a list of supported platform targets.
 * Use `depends` to define a list of profiles on which this profile depends.
+* Use `attributes` to define a list of attributes you can use in your controls.
 
 `name` is required; all other profile settings are optional. For example:
 
@@ -336,15 +337,68 @@ profile `my_dep` using the name `my_res2`.
 
 # Profile Attributes
 
-Attributes may be used in profiles to define secrets, such as user names and passwords, that should not otherwise be stored in plain-text in a cookbook. First specify a variable in the control for each secret, then add the secret to a YAML file located on the local machine, and then run `inspec exec` and specify the path to that Yaml file using the `--attrs` attribute.
+Attributes are frequently used to parameterize a profile for use in different environments or targets. It can also be used define secrets, such as user names and passwords, that should not otherwise be stored in plain-text in a cookbook. Attributes may be set for the whole profile in the `inspec.yml`.
 
-For example, a control:
+Attributes may contain the following options:
 
+* Use `default` to set a default value for the attribute.
+* Use `type` to restrict an attribute to a specific type (any, string, numeric, array, hash, boolean, regex).
+* Use `required` to mandate the attribute has a default value or a value from a attribute YAML file.
+* Use `description` to set a brief description for the attribute.
+
+
+You can specify attributes in your `inspec.yml` using the `attributes` setting. For example, to add a `user` attribute for your profile:
+```YAML
+attributes:
+  - name: user
+    type: string
+    default: bob
+```
+
+Example of adding a array object of servers:
+```YAML
+attributes:
+  - name: servers
+    type: array
+    default:
+      - server1
+      - server2
+      - server3
+```
+
+To access an attribute you will use the `attribute` keyword. You can use this anywhere in your control code.
+
+For example:
 ```Ruby
-# define these attributes on the top-level of your file and re-use them across all tests!
-val_user = attribute('user', default: 'alice', description: 'An identification for the user')
-val_password = attribute('password', description: 'A value for the password')
+current_user = attribute('user')
+
+control 'system-users' do
+  describe attribute('user') do
+    it { should eq 'bob' }
+  end
+
+  describe current_user do
+    it { should eq attribute('user') }
+  end
+end
+```
+
+For sensitive data it is recomended to use a secrets YAML file located on the local machine to populate the values of attributes. A secrets file will always overwrite a attributes default value. To use the secrets file run `inspec exec` and specify the path to that Yaml file using the `--attrs` attribute.
+
+For example, a inspec.yml:
+```YAML
+attributes:
+  - name: username
+    type: string
+    required: true
+  - name: password
+    type: string
+    required: true
+```
 
+The control:
+
+```Ruby
 control 'system-users' do
   impact 0.8
   desc '
@@ -352,11 +406,11 @@ control 'system-users' do
     specified password.
   '
 
-   val_user do
+  describe attribute('username') do
     it { should eq 'bob' }
   end
 
-  describe val_password do
+  describe attribute('password') do
     it { should eq 'secret' }
   end
 end
@@ -365,7 +419,7 @@ end
 And a YAML file named `profile-attribute.yml`:
 
 ```YAML
-user: bob
+username: bob
 password: secret
 ```
 
@@ -375,6 +429,50 @@ The following command runs the tests and applies the secrets specified in `profi
 $ inspec exec examples/profile-attribute --attrs examples/profile-attribute.yml
 ```
 
+To change your attributes for platform specific cases you can setup multiple `--attrs` files.
+
+For example, a inspec.yml:
+```YAML
+attributes:
+  - name: users
+    type: array
+    required: true
+```
+
+A YAML file named `windows.yml`
+```YAML
+users:
+  - Administrator
+  - Guest
+  - Randy
+```
+
+A YAML file named `linux.yml`
+```YAML
+users:
+  - root
+  - shadow
+  - rmadison
+```
+
+The control file:
+```RUBY
+control 'system-users' do
+  impact 0.8
+  desc 'Confirm the proper users are created on the system'
+
+  describe users do
+    its('usernames') { should eq attribute('users') }
+  end
+end
+```
+
+The following command runs the tests and applies the attributes specified:
+```bash
+$ inspec exec examples/profile-attribute --attrs examples/windows.yml
+$ inspec exec examples/profile-attribute --attrs examples/linux.yml
+```
+
 See the full example in the InSpec open source repository: [Example InSpec Profile with Attributes](https://github.com/chef/inspec/tree/master/examples/profile-attribute)
 
 # Profile files

data/examples/inheritance/inspec.yml

@@ -7,7 +7,8 @@ license: Apache-2.0
 summary: Demonstrates the use of InSpec profile inheritance
 version: 1.0.0
 supports:
-  - os-family: unix
+  - platform-family: unix
+  - platform-family: windows
 depends:
   - name: profile
     path: ../profile

data/examples/profile/controls/gordon.rb

@@ -11,7 +11,7 @@ title 'Gordon Config Checks'
 # EOF
 # ```
 control 'gordon-1.0' do
-  impact 0.7
+  impact 'critical'
   title 'Verify the version number of Gordon'
   desc 'An optional description...'
   tag 'gordon'

data/examples/profile/controls/meta.rb

@@ -28,6 +28,8 @@ control 'ssh-1' do
   ref 'DISA-RHEL6-SG - Section 9.2.1', url: 'http://iasecontent.disa.mil/stigs/zip/Jan2016/U_RedHat_6_V1R10_STIG.zip'
   ref 'http://people.redhat.com/swells/scap-security-guide/RHEL/6/output/ssg-centos6-guide-C2S.html'
 
+  only_if { platform.in_family?('unix') }
+
   describe file('/bin/sh') do
     it { should be_owned_by 'root' }
   end

data/examples/profile/inspec.yml

@@ -7,4 +7,5 @@ license: Apache-2.0
 summary: Demonstrates the use of InSpec Compliance Profile
 version: 1.0.0
 supports:
-  - os-family: unix
+  - platform-family: unix
+  - platform-family: windows

data/inspec.gemspec

@@ -26,11 +26,11 @@ Gem::Specification.new do |spec|
 
   spec.required_ruby_version = '>= 2.3'
 
-  spec.add_dependency 'train', '~> 1.4', '>= 1.4.35'
+  spec.add_dependency 'train', '~> 1.4', '>= 1.4.37'
   spec.add_dependency 'thor', '~> 0.20'
   spec.add_dependency 'json', '>= 1.8', '< 3.0'
   spec.add_dependency 'method_source', '~> 0.8'
-  spec.add_dependency 'rubyzip', '~> 1.1'
+  spec.add_dependency 'rubyzip', '~> 1.2', '>= 1.2.2'
   spec.add_dependency 'rspec', '~> 3'
   spec.add_dependency 'rspec-its', '~> 1.2'
   spec.add_dependency 'pry', '~> 0'
@@ -46,4 +46,5 @@ Gem::Specification.new do |spec|
   spec.add_dependency 'parslet', '~> 1.5'
   spec.add_dependency 'semverse'
   spec.add_dependency 'htmlentities'
+  spec.add_dependency 'multipart-post'
 end

data/lib/bundles/inspec-compliance/cli.rb

@@ -69,7 +69,8 @@ module Compliance
           li("#{profile['title']} v#{profile['version']} (#{mark_text(owner + '/' + profile['name'])})")
         }
       else
-        puts msg, 'Could not find any profiles'
+        puts msg if msg != 'success'
+        puts 'Could not find any profiles'
         exit 1
       end
     rescue Compliance::ServerConfigurationMissing
@@ -149,6 +150,12 @@ module Compliance
 
       o = options.dup
       configure_logger(o)
+
+      # only run against the mock backend, otherwise we run against the local system
+      o[:backend] = Inspec::Backend.create(target: 'mock://')
+      o[:check_mode] = true
+      o[:vendor_cache] = Inspec::Cache.new(o[:vendor_cache])
+
       # check the profile, we only allow to upload valid profiles
       profile = Inspec::Profile.for_target(path, o)
 
@@ -190,7 +197,9 @@ module Compliance
       end
 
       # if it is a directory, tar it to tmp directory
+      generated = false
       if File.directory?(path)
+        generated = true
         archive_path = Dir::Tmpname.create([profile_name, '.tar.gz']) {}
         puts "Generate temporary profile archive at #{archive_path}"
         profile.archive({ output: archive_path, ignore_errors: false, overwrite: true })
@@ -208,6 +217,9 @@ module Compliance
       end
       success, msg = Compliance::API.upload(config, config['owner'], pname, archive_path)
 
+      # delete temp file if it was temporary generated
+      File.delete(archive_path) if generated && File.exist?(archive_path)
+
       if success
         puts 'Successfully uploaded profile'
       else

data/lib/bundles/inspec-compliance/http.rb

@@ -3,6 +3,7 @@
 # author: Dominik Richter
 
 require 'net/http'
+require 'net/http/post/multipart'
 require 'uri'
 
 module Compliance
@@ -60,7 +61,7 @@ module Compliance
 
       req.body_stream=File.open(file_path, 'rb')
       req.add_field('Content-Length', File.size(file_path))
-      req.add_field('Content-Type', 'application/x-gtar')
+      req.add_field('Content-Type', 'application/x-gzip')
 
       boundary = 'INSPEC-PROFILE-UPLOAD'
       req.add_field('session', boundary)
@@ -77,24 +78,14 @@ module Compliance
       http.use_ssl = (uri.scheme == 'https')
       http.verify_mode = OpenSSL::SSL::VERIFY_NONE if insecure
 
-      req = Net::HTTP::Post.new(uri)
-      headers.each do |key, value|
-        req.add_field(key, value)
+      File.open(file_path) do |tar|
+        req = Net::HTTP::Post::Multipart.new(uri, 'file' => UploadIO.new(tar, 'application/x-gzip', File.basename(file_path)))
+        headers.each do |key, value|
+          req.add_field(key, value)
+        end
+        res = http.request(req)
+        return res
       end
-
-      boundry = 'AaB03x'
-      req.add_field('Content-Type', "multipart/form-data; boundary=#{boundry}")
-
-      post_body = []
-      post_body << "--#{boundry}\r\n"
-      post_body << "Content-Disposition: form-data; name=\"file\"; filename=\"#{File.basename(file_path)}\"\r\n"
-      post_body << "Content-Type: application/x-gtar\r\n\r\n"
-      post_body << File.read(file_path)
-      post_body << "\r\n\r\n--#{boundry}--\r\n"
-      req.body = post_body.join
-
-      res=http.request(req)
-      res
     end
 
     # sends a http requests

data/lib/bundles/inspec-compliance/target.rb

@@ -17,12 +17,12 @@ module Compliance
 
     def initialize(target, opts)
       super(target, opts)
+      @upstream_sha256 = ''
       if target.is_a?(Hash) && target.key?(:url)
         @target = target[:url]
         @upstream_sha256 = target[:sha256]
       elsif target.is_a?(String)
         @target = target
-        @upstream_sha256 = ''
       end
     end
 
@@ -30,7 +30,7 @@ module Compliance
       upstream_sha256.empty? ? super : upstream_sha256
     end
 
-    def self.check_compliance_token(config)
+    def self.check_compliance_token(uri, config)
       if config['token'].nil? && config['refresh_token'].nil?
         if config['server_type'] == 'automate'
           server = 'automate'
@@ -73,7 +73,7 @@ module Compliance
       if target.respond_to?(:key?) && target.key?(:sha256)
         profile_checksum = target[:sha256]
       else
-        check_compliance_token(config)
+        check_compliance_token(uri, config)
         # verifies that the target e.g base/ssh exists
         # Call profiles directly instead of exist? to capture the results
         # so we can access the upstream sha256 from the results.