inspec 2.2.78 → 2.2.101

data/lib/inspec/globals.rb

@@ -0,0 +1,5 @@
+module Inspec
+  def self.config_dir
+    ENV['INSPEC_CONFIG_DIR'] ? ENV['INSPEC_CONFIG_DIR'] : File.join(Dir.home, '.inspec')
+  end
+end

data/lib/inspec/impact.rb

@@ -0,0 +1,34 @@
+# encoding: utf-8
+
+# Impact scores based off CVSS 3.0
+module Inspec::Impact
+  IMPACT_SCORES = {
+    'none'     => 0.0,
+    'low'      => 0.01,
+    'medium'   => 0.4,
+    'high'     => 0.7,
+    'critical' => 0.9,
+  }.freeze
+
+  def self.impact_from_string(value)
+    # return if its a number
+    return value if is_number?(value)
+    raise Inspec::ImpactError, "'#{value}' is not a valid impact name. Valid impact names: none, low, medium, high, critical." unless IMPACT_SCORES.key?(value.downcase)
+    IMPACT_SCORES[value]
+  end
+
+  def self.is_number?(value)
+    Float(value)
+    true
+  rescue
+    false
+  end
+
+  def self.string_from_impact(value)
+    value = value.to_f
+    raise Inspec::ImpactError, "'#{value}' is not a valid impact score. Valid impact scores: [0.0 - 1.0]." if value < 0 || value > 1
+    IMPACT_SCORES.reverse_each do |name, impact|
+      return name if value >= impact
+    end
+  end
+end

data/lib/inspec/objects/attribute.rb

@@ -3,7 +3,16 @@
 module Inspec
   class Attribute
     attr_accessor :name
-    attr_writer :value
+
+    VALID_TYPES = %w{
+      String
+      Numeric
+      Regexp
+      Array
+      Hash
+      Boolean
+      Any
+    }.freeze
 
     DEFAULT_ATTRIBUTE = Class.new do
       def initialize(name)
@@ -16,7 +25,6 @@ module Inspec
           "Use --attrs to provide a value for '#{@name}' or specify a default  "\
           "value with `attribute('#{@name}', default: 'somedefault', ...)`.",
         )
-
         self
       end
 
@@ -28,16 +36,22 @@ module Inspec
     def initialize(name, options = {})
       @name = name
       @opts = options
+      validate_value_type(default) if @opts.key?(:type) && @opts.key?(:default)
       @value = nil
     end
 
-    # implicit call is done by inspec to determine the value of an attribute
-    def value
-      @value.nil? ? default : @value
+    def value=(new_value)
+      validate_value_type(new_value) if @opts.key?(:type)
+      @value = new_value
     end
 
-    def default
-      @opts.key?(:default) ? @opts[:default] : DEFAULT_ATTRIBUTE.new(@name)
+    def value
+      if @value.nil?
+        validate_required(@value) if @opts[:required] == true
+        @value = default
+      else
+        @value
+      end
     end
 
     def title
@@ -71,5 +85,76 @@ module Inspec
     def to_s
       "Attribute #{@name} with #{@value}"
     end
+
+    private
+
+    def validate_required(value)
+      # value will be set already if a secrets file was passed in
+      if (!@opts.key?(:default) && value.nil?) || (@opts[:default].nil? && value.nil?)
+        error = Inspec::Attribute::RequiredError.new
+        error.attribute_name = @name
+        raise error, "Attribute '#{error.attribute_name}' is required and does not have a value."
+      end
+    end
+
+    def validate_type(type)
+      type = type.capitalize
+      abbreviations = {
+        'Num' => 'Numeric',
+        'Regex' => 'Regexp',
+      }
+      type = abbreviations[type] if abbreviations.key?(type)
+      if !VALID_TYPES.include?(type)
+        error = Inspec::Attribute::TypeError.new
+        error.attribute_type = type
+        raise error, "Type '#{error.attribute_type}' is not a valid attribute type."
+      end
+      type
+    end
+
+    def valid_numeric?(value)
+      Float(value)
+      true
+    rescue
+      false
+    end
+
+    def valid_regexp?(value)
+      # check for invalid regex syntex
+      Regexp.new(value)
+      true
+    rescue
+      false
+    end
+
+    # rubocop:disable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
+    def validate_value_type(value)
+      type = validate_type(@opts[:type])
+      return if type == 'Any'
+
+      invalid_type = false
+      if type == 'Regexp'
+        invalid_type = true if !value.is_a?(String) || !valid_regexp?(value)
+      elsif type == 'Numeric'
+        invalid_type = true if !valid_numeric?(value)
+      elsif type == 'Boolean'
+        invalid_type = true if ![true, false].include?(value)
+      elsif value.is_a?(Module.const_get(type)) == false
+        invalid_type = true
+      end
+
+      if invalid_type == true
+        error = Inspec::Attribute::ValidationError.new
+        error.attribute_name = @name
+        error.attribute_value = value
+        error.attribute_type = type
+        raise error, "Attribute '#{error.attribute_name}' with value '#{error.attribute_value}' does not validate to type '#{error.attribute_type}'."
+      end
+    end
+    # rubocop:enable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
+
+    def default
+      @opts.key?(:default) ? @opts[:default] : DEFAULT_ATTRIBUTE.new(@name)
+    end
   end
 end

data/lib/inspec/profile.rb

@@ -5,6 +5,7 @@
 
 require 'forwardable'
 require 'openssl'
+require 'inspec/attribute_registry'
 require 'inspec/polyfill'
 require 'inspec/cached_fetcher'
 require 'inspec/file_provider'
@@ -55,7 +56,7 @@ module Inspec
       file_provider = FileProvider.for_path(path)
       rp = file_provider.relative_provider
 
-      # copy embedded dependecies into global cache
+      # copy embedded dependencies into global cache
       copy_deps_into_cache(rp, opts) unless opts[:vendor_cache].nil?
 
       reader = Inspec::SourceReader.resolve(rp)
@@ -79,7 +80,7 @@ module Inspec
     end
 
     attr_reader :source_reader, :backend, :runner_context, :check_mode
-    attr_accessor :parent_profile
+    attr_accessor :parent_profile, :profile_name
     def_delegator :@source_reader, :tests
     def_delegator :@source_reader, :libraries
     def_delegator :@source_reader, :metadata
@@ -93,11 +94,13 @@ module Inspec
       @controls = options[:controls] || []
       @writable = options[:writable] || false
       @profile_id = options[:id]
+      @profile_name = options[:profile_name]
       @cache = options[:vendor_cache] || Cache.new
       @attr_values = options[:attributes]
       @tests_collected = false
       @libraries_loaded = false
       @check_mode = options[:check_mode] || false
+      @parent_profile = options[:parent_profile]
       Metadata.finalize(@source_reader.metadata, @profile_id, options)
 
       # if a backend has already been created, clone it so each profile has its own unique backend object
@@ -119,6 +122,17 @@ module Inspec
 
       @supports_platform = metadata.supports_platform?(@backend)
       @supports_runtime = metadata.supports_runtime?
+      register_metadata_attributes
+    end
+
+    def register_metadata_attributes
+      if metadata.params.key?(:attributes)
+        metadata.params[:attributes].each do |attribute|
+          attr_dup = attribute.dup
+          name = attr_dup.delete(:name)
+          @runner_context.register_attribute(name, attr_dup)
+        end
+      end
     end
 
     def name
@@ -229,7 +243,7 @@ module Inspec
       info(load_params.dup)
     end
 
-    def info(res = params.dup) # rubocop:disable Metrics/CyclomaticComplexity
+    def info(res = params.dup) # rubocop:disable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
       # add information about the controls
       res[:controls] = res[:controls].map do |id, rule|
         next if id.to_s.empty?
@@ -239,6 +253,16 @@ module Inspec
         data[:impact] = 1.0 if data[:impact] > 1.0
         data[:impact] = 0.0 if data[:impact] < 0.0
         data[:id] = id
+
+        # if the code field is empty try and pull info from dependencies
+        if data[:code].empty? && parent_profile.nil?
+          locked_dependencies.dep_list.each do |_name, dep|
+            profile = dep.profile
+            code = Inspec::MethodSource.code_at(data[:source_location], profile.source_reader)
+            data[:code] = code unless code.nil? || code.empty?
+            break if !data[:code].empty?
+          end
+        end
         data
       end.compact
 
@@ -249,7 +273,12 @@ module Inspec
       end
 
       # add information about the required attributes
-      res[:attributes] = res[:attributes].map(&:to_hash) unless res[:attributes].nil? || res[:attributes].empty?
+      if res[:attributes].nil? || res[:attributes].empty?
+        # convert to array for backwords compatability
+        res[:attributes] = []
+      else
+        res[:attributes] = res[:attributes].values.map(&:to_hash)
+      end
       res[:sha256] = sha256
       res[:parent_profile] = parent_profile unless parent_profile.nil?
 

data/lib/inspec/profile_context.rb

@@ -18,7 +18,7 @@ module Inspec
                                    'check_mode' => profile.check_mode })
     end
 
-    attr_reader :attributes, :profile_id, :resource_registry, :backend
+    attr_reader :attributes, :backend, :profile_name, :profile_id, :resource_registry
     attr_accessor :rules
     def initialize(profile_id, backend, conf)
       if backend.nil?
@@ -28,12 +28,14 @@ module Inspec
       @profile_id = profile_id
       @backend = backend
       @conf = conf.dup
+      @profile_name = @conf['profile'].profile_name || @profile_id if @conf['profile']
       @skip_only_if_eval = @conf['check_mode']
       @rules = {}
       @control_subcontexts = []
       @lib_subcontexts = []
       @require_loader = ::Inspec::RequireLoader.new
-      @attributes = []
+      Inspec::AttributeRegistry.register_profile_alias(@profile_id, @profile_name) if @profile_id != @profile_name
+      @attributes = Inspec::AttributeRegistry.list_attributes_for_profile(@profile_id)
       # A local resource registry that only contains resources defined
       # in the transitive dependency tree of the loaded profile.
       @resource_registry = Inspec::Resource.new_registry
@@ -187,11 +189,9 @@ module Inspec
 
     def register_attribute(name, options = {})
       # we need to return an attribute object, to allow dermination of default values
-      attr = Attribute.new(name, options)
-      # read value from given gived values
-      attr.value = @conf['attributes'][attr.name] unless @conf['attributes'].nil?
-      @attributes.push(attr)
-      attr.value
+      attribute = Inspec::AttributeRegistry.register_attribute(name, @profile_id, options)
+      attribute.value = @conf['attributes'][name] unless @conf['attributes'].nil? || @conf['attributes'][name].nil?
+      attribute.value
     end
 
     def set_header(field, val)

data/lib/inspec/profile_vendor.rb

@@ -8,7 +8,7 @@ module Inspec
     attr_reader :profile_path
 
     def initialize(path)
-      @profile_path = Pathname.new(path)
+      @profile_path = Pathname.new(File.expand_path(path))
     end
 
     def vendor!
@@ -56,11 +56,31 @@ module Inspec
     def vendor_dependencies
       delete_vendored_data
       File.write(lockfile, profile.generate_lockfile.to_yaml)
+      extract_archives
     end
 
     def delete_vendored_data
       FileUtils.rm_rf(cache_path) if cache_path.exist?
       File.delete(lockfile) if lockfile.exist?
     end
+
+    def extract_archives
+      Dir.glob(File.join(cache_path, '*')).each do |filepath|
+        # Get SHA without extension
+        # We use split since '.' is not valid in a SHA checksum
+        destination_dir_name = File.basename(filepath).split('.')[0]
+        destination_path = File.join(cache_path, destination_dir_name)
+
+        provider = FileProvider.for_path(filepath)
+
+        next unless provider.is_a?(ZipProvider) || provider.is_a?(TarProvider)
+
+        Inspec::Log.debug("Extracting '#{filepath}' to '#{destination_path}'")
+        provider.extract(destination_path)
+
+        Inspec::Log.debug("Deleting archive '#{filepath}'")
+        File.delete(filepath)
+      end
+    end
   end
 end

data/lib/inspec/reporters/automate.rb

@@ -53,8 +53,13 @@ module Inspec::Reporters
           http.verify_mode = OpenSSL::SSL::VERIFY_NONE
         end
 
-        http.request(req)
-        return true
+        res = http.request(req)
+        if res.is_a?(Net::HTTPSuccess)
+          return true
+        else
+          Inspec::Log.error "send_report: POST to #{uri.path} returned: #{res.body}"
+          return false
+        end
       rescue => e
         Inspec::Log.error "send_report: POST to #{uri.path} returned: #{e.message}"
         return false

data/lib/inspec/reporters/cli.rb

@@ -63,9 +63,17 @@ module Inspec::Reporters
     private
 
     def print_profile_header(profile)
-      output("Profile: #{format_profile_name(profile)}")
-      output("Version: #{profile[:version] || '(not specified)'}")
-      output("Target:  #{run_data[:platform][:target]}") unless run_data[:platform][:target].nil?
+      header = {
+        'Profile' => format_profile_name(profile),
+        'Version' => profile[:version] || '(not specified)',
+      }
+      header['Target'] = run_data[:platform][:target] unless run_data[:platform][:target].nil?
+      header['Target ID'] = @config['target_id'] unless @config['target_id'].nil?
+
+      pad = header.keys.max_by(&:length).length + 1
+      header.each do |title, value|
+        output(format("%-#{pad}s %s", title + ':', value))
+      end
       output('')
     end
 
@@ -141,7 +149,7 @@ module Inspec::Reporters
 
       message_to_format = ''
       message_to_format += "#{INDICATORS[indicator]}  " unless indicator.nil?
-      message_to_format += message.to_s.lstrip
+      message_to_format += message.to_s.lstrip.force_encoding(Encoding::UTF_8)
 
       format_with_color(color, indent_lines(message_to_format, indentation))
     end

data/lib/inspec/reporters/json.rb

@@ -22,10 +22,12 @@ module Inspec::Reporters
     private
 
     def platform
-      {
+      platform = {
         name: run_data[:platform][:name],
         release: run_data[:platform][:release],
       }
+      platform[:target_id] = @config['target_id'] if @config['target_id']
+      platform
     end
 
     def profile_results(control)

data/lib/inspec/rspec_extensions.rb

@@ -0,0 +1,12 @@
+require 'inspec/attribute_registry'
+require 'rspec/core/example_group'
+
+# This file allows you to add ExampleGroups to be used in rspec tests
+#
+class RSpec::Core::ExampleGroup
+  # This DSL method allows us to access the values of attributes within InSpec tests
+  def attribute(name)
+    Inspec::AttributeRegistry.find_attribute(name, self.class.metadata[:profile_id]).value
+  end
+  define_example_method :attribute
+end

data/lib/inspec/rule.rb

@@ -75,7 +75,12 @@ module Inspec
     end
 
     def impact(v = nil)
-      @impact = v unless v.nil?
+      if v.is_a?(String)
+        @impact = Inspec::Impact.impact_from_string(v)
+      elsif !v.nil?
+        @impact = v
+      end
+
       @impact
     end
 

data/lib/inspec/runner.rb

@@ -52,7 +52,7 @@ module Inspec
       end
 
       # list of profile attributes
-      @attributes = []
+      @attributes = {}
 
       load_attributes(@conf)
       configure_transport
@@ -88,7 +88,7 @@ module Inspec
           @test_collector.add_profile(requirement.profile)
         end
 
-        @attributes |= profile.runner_context.attributes
+        @attributes = profile.runner_context.attributes if @attributes.empty?
         all_controls += profile.collect_tests
       end