inspec 3.2.6 → 3.3.14

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 41bedb4528fa302afca59c5834684789d195e7addb8247cf03bad101be3c26db
-  data.tar.gz: e0d91369ea72888be97ad4eaeab9515f4a38a87609de938495b1c2d317ad67f0
+  metadata.gz: 57b4ef6616ae9f2ee1a0d715fd3849d91f759242afe31da2e044fd243424c88d
+  data.tar.gz: c2a5e2e09134bd5919cdcf057110ad96de7e35bdf8316d440e0d8809d11ea603
 SHA512:
-  metadata.gz: 2beb30ea2652ed85d070783c9f846b47d8624809419286b0cb78ead32902b92af0578e6ea281c50637697b38e20fd165445be9baa5946e04b1aab2503d5fcb6e
-  data.tar.gz: f741b613b7472f4a2be1fd7d155398af3ad9aa54ac4f191ac812e89cf5ab2710fd976b4750a8bcd79dad094facdd50f5c2296f5c4845003975875f1f251ce1ca
+  metadata.gz: b51dad58342d2a68ccec838623278fedc4573576f43618f90a36ba9443415ebb922220b656d0b1a2185f6e699e3d0532bd45ef7cb15ff6996225ed9d7c71d286
+  data.tar.gz: d59f22a869aeabf92638eef956e8b9068a71f636b951b3ddeee8ad1c691d31b264dbafd5384449f0fe7ef6d59742e9814e3b134090a5fb62ec791de449d3742d

data/Gemfile

@@ -6,7 +6,6 @@ gem 'ffi', '>= 1.9.14'
 gem 'aws-sdk', '~> 2'
 
 group :test do
-  gem 'bundler', '~> 1.5'
   gem 'minitest', '~> 5.5'
   gem 'rake', '>= 10'
   gem 'rubocop', '= 0.49.1'
@@ -23,7 +22,7 @@ end
 
 group :integration do
   gem 'berkshelf', '~> 5.2'
-  gem 'test-kitchen', '~> 1.6'
+  gem 'test-kitchen', '>= 1.24'
   gem 'kitchen-vagrant'
   # we need winrm v2 support >= 0.15.1
   gem 'kitchen-inspec', '>= 0.15.1'

data/etc/deprecations.json

@@ -0,0 +1,6 @@
+{
+  "file_version": "1.0.0",
+  "unknown_group_action": "ignore",
+  "groups": {
+  }
+}

data/inspec.gemspec

@@ -24,7 +24,7 @@ Gem::Specification.new do |spec|
 
   spec.required_ruby_version = '>= 2.3'
 
-  spec.add_dependency 'train', '~> 1.5', '>= 1.6.3'
+  spec.add_dependency 'train', '~> 1.5', '>= 1.7.0'
   spec.add_dependency 'thor', '~> 0.20'
   spec.add_dependency 'json', '>= 1.8', '< 3.0'
   spec.add_dependency 'method_source', '~> 0.8'

data/lib/inspec.rb

@@ -8,6 +8,7 @@ $LOAD_PATH.unshift(libdir) unless $LOAD_PATH.include?(libdir)
 
 require 'inspec/version'
 require 'inspec/exceptions'
+require 'utils/deprecation'
 require 'inspec/profile'
 require 'inspec/rule'
 require 'matchers/matchers'

data/lib/inspec/cli.rb

@@ -175,14 +175,21 @@ class Inspec::InspecCLI < Inspec::BaseCLI
   end
 
   desc 'exec LOCATIONS', 'run all test files at the specified LOCATIONS.'
+  # TODO: find a way for Thor not to butcher the formatting of this
   long_desc <<~EOT
     Loads the given profile(s) and fetches their dependencies if needed. Then
     connects to the target and executes any controls contained in the profiles.
-    One or more reporters are used to generate output. If all tests passed
-    (no fails, no skips) exit code 0 is returned. If some tests skipped but
-    none failed, exit code 101 is returned. If at least one test failed, exit
-    code 100 is returned. If inspec failed for any other reason, exit code 1
-    is returned.
+    One or more reporters are used to generate output.
+
+    ```
+    Exit codes:
+        0  Normal exit, all tests passed
+        1  Usage or general error
+        2  Error in plugin system
+        3  Fatal deprecation encountered
+      100  Normal exit, at least one test failed
+      101  Normal exit, at least one test skipped but none failed
+    ```
 
     Below are some examples of using `exec` with different test LOCATIONS:
 

data/lib/inspec/metadata.rb

@@ -91,9 +91,9 @@ module Inspec
         warnings.push("Missing profile #{field} in #{ref}")
       end
 
-      # if version is set, ensure it is in SPDX format
-      if !params[:license].nil? && !Spdx.valid_license?(params[:license])
-        warnings.push("License '#{params[:license]}' needs to be in SPDX format. See https://spdx.org/licenses/.")
+      # if license is set, ensure it is in SPDX format or marked as proprietary
+      if !params[:license].nil? && !valid_license?(params[:license])
+        warnings.push("License '#{params[:license]}' needs to be in SPDX format or marked as 'Proprietary'. See https://spdx.org/licenses/.")
       end
 
       [errors, warnings]
@@ -112,6 +112,10 @@ module Inspec
       false
     end
 
+    def valid_license?(value)
+      value =~ /^Proprietary[,;]?\b/ || Spdx.valid_license?(value)
+    end
+
     def method_missing(sth, *args)
       @logger.warn "#{ref} doesn't support: #{sth} #{args}"
       @missing_methods.push(sth)

data/lib/inspec/plugin/v2/installer.rb

@@ -8,6 +8,7 @@ require 'fileutils'
 require 'rubygems/package'
 require 'rubygems/name_tuple'
 require 'rubygems/uninstaller'
+require 'rubygems/remote_fetcher'
 
 require 'inspec/plugin/v2/filter'
 

data/lib/inspec/ui.rb

@@ -32,6 +32,7 @@ module Inspec
     EXIT_NORMAL = 0
     EXIT_USAGE_ERROR = 1
     EXIT_PLUGIN_ERROR = 2
+    EXIT_FATAL_DEPRECATION = 3
     EXIT_FAILED_TESTS = 100
     EXIT_SKIPPED_TESTS = 101
 

data/lib/inspec/version.rb

@@ -4,5 +4,5 @@
 # author: Christoph Hartmann
 
 module Inspec
-  VERSION = '3.2.6'
+  VERSION = '3.3.14'
 end

data/lib/resource_support/aws.rb

@@ -12,6 +12,8 @@ require 'resource_support/aws/aws_backend_base'
 # Load all AWS resources
 # TODO: loop over and load entire directory
 # for f in ls lib/resources/aws/*; do t=$(echo $f | cut -c 5- | cut -f1 -d. ); echo "require '${t}'"; done
+require 'resources/aws/aws_billing_report'
+require 'resources/aws/aws_billing_reports'
 require 'resources/aws/aws_cloudtrail_trail'
 require 'resources/aws/aws_cloudtrail_trails'
 require 'resources/aws/aws_cloudwatch_alarm'

data/lib/resources/aws/aws_billing_report.rb

@@ -0,0 +1,99 @@
+class AwsBillingReport < Inspec.resource(1)
+  name 'aws_billing_report'
+  supports platform: 'aws'
+  desc 'Verifies settings for AWS Cost and Billing Reports.'
+  example "
+    describe aws_billing_report('inspec1') do
+      its('report_name') { should cmp 'inspec1' }
+      its('time_unit') { should cmp 'hourly' }
+    end
+
+    describe aws_billing_report(report: 'inspec1') do
+      it { should exist }
+    end"
+
+  include AwsSingularResourceMixin
+
+  attr_reader :report_name, :time_unit, :format, :compression, :s3_bucket,
+              :s3_prefix, :s3_region
+
+  def to_s
+    "AWS Billing Report #{report_name}"
+  end
+
+  def hourly?
+    exists? ? time_unit.eql?('hourly') : nil
+  end
+
+  def daily?
+    exists? ? time_unit.eql?('daily') : nil
+  end
+
+  def zip?
+    exists? ? compression.eql?('zip') : nil
+  end
+
+  def gzip?
+    exists? ? compression.eql?('gzip') : nil
+  end
+
+  private
+
+  def validate_params(raw_params)
+    validated_params = check_resource_param_names(
+      raw_params: raw_params,
+      allowed_params: [:report_name],
+      allowed_scalar_name: :report_name,
+      allowed_scalar_type: String,
+    )
+
+    if validated_params.empty?
+      raise ArgumentError, "You must provide the parameter 'report_name' to aws_billing_report."
+    end
+
+    validated_params
+  end
+
+  def fetch_from_api
+    report = find_report(report_name)
+    @exists = !report.nil?
+    if exists?
+      @time_unit = report.time_unit.downcase
+      @format = report.format.downcase
+      @compression = report.compression.downcase
+      @s3_bucket = report.s3_bucket
+      @s3_prefix = report.s3_prefix
+      @s3_region = report.s3_region
+    end
+  end
+
+  def find_report(report_name)
+    pagination_opts = {}
+    found_report_def = nil
+    while found_report_def.nil?
+      api_result = backend.describe_report_definitions(pagination_opts)
+      next_token = api_result.next_token
+      found_report_def = api_result.report_definitions.find { |report_def| report_def.report_name == report_name }
+      pagination_opts = { next_token: next_token }
+
+      next if found_report_def.nil? && next_token        # Loop again: didn't find it, but there are more results
+      break if found_report_def.nil? && next_token.nil?  # Give up: didn't find it, no more results
+    end
+    found_report_def
+  end
+
+  def backend
+    @backend ||= BackendFactory.create(inspec_runner)
+  end
+
+  class Backend
+    class AwsClientApi < AwsBackendBase
+      AwsBillingReport::BackendFactory.set_default_backend(self)
+      self.aws_client_class = Aws::CostandUsageReportService::Client
+
+      def describe_report_definitions(query = {})
+        aws_service_client.describe_report_definitions(query)
+      end
+    end
+  end
+end

data/lib/resources/aws/aws_billing_reports.rb

@@ -0,0 +1,69 @@
+require 'utils/filter'
+
+class AwsBillingReports < Inspec.resource(1)
+  name 'aws_billing_reports'
+  supports platform: 'aws'
+  desc 'Verifies settings for AWS Cost and Billing Reports.'
+  example "
+      describe aws_billing_reports do
+        its('report_names') { should include 'inspec1' }
+        its('s3_buckets') { should include 'inspec1-s3-bucket' }
+      end
+
+     describe aws_billing_reports.where { report_name =~ /inspec.*/ } do
+       its ('report_names') { should include ['inspec1'] }
+       its ('time_units') { should include ['DAILY'] }
+       its ('s3_buckets') { should include ['inspec1-s3-bucket'] }
+     end"
+
+  include AwsPluralResourceMixin
+
+  filtertable = FilterTable.create
+  filtertable.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
+             .register_column(:report_names, field: :report_name)
+             .register_column(:time_units, field: :time_unit, style: :simple)
+             .register_column(:formats, field: :format, style: :simple)
+             .register_column(:compressions, field: :compression, style: :simple)
+             .register_column(:s3_buckets, field: :s3_bucket, style: :simple)
+             .register_column(:s3_prefixes, field: :s3_prefix, style: :simple)
+             .register_column(:s3_regions, field: :s3_region, style: :simple)
+  filtertable.install_filter_methods_on_resource(self, :table)
+
+  def validate_params(resource_params)
+    unless resource_params.empty?
+      raise ArgumentError, 'aws_billing_reports does not accept resource parameters.'
+    end
+    resource_params
+  end
+
+  def to_s
+    'AWS Billing Reports'
+  end
+
+  def fetch_from_api
+    @table = []
+    pagination_opts = {}
+    backend = BackendFactory.create(inspec_runner)
+    loop do
+      api_result = backend.describe_report_definitions(pagination_opts)
+      api_result.report_definitions.each do |raw_report|
+        report = raw_report.to_h
+        %i(time_unit compression).each { |field| report[field].downcase! }
+        @table << report
+      end
+      pagination_opts = { next_token: api_result.next_token }
+      break unless api_result.next_token
+    end
+  end
+
+  class Backend
+    class AwsClientApi < AwsBackendBase
+      AwsBillingReports::BackendFactory.set_default_backend(self)
+      self.aws_client_class = Aws::CostandUsageReportService::Client
+
+      def describe_report_definitions(options = {})
+        aws_service_client.describe_report_definitions(options)
+      end
+    end
+  end
+end

data/lib/resources/cran.rb

@@ -41,7 +41,7 @@ module Inspec::Resources
       #
       # So make sure command output is converted to unicode, as it returns ASCII-8BIT by default
       utf8_stdout = cmd.stdout.chomp.force_encoding(Encoding::UTF_8)
-      params = /^\[\d+\]\s+(?:\p{Initial_Punctuation})(.+)(?:\p{Final_Punctuation})$/.match(utf8_stdout)
+      params = /^\[\d+\]\s+(?:['\p{Initial_Punctuation}])(.+)(?:['\p{Final_Punctuation}])$/.match(utf8_stdout)
       @info[:installed] = !params.nil?
       return @info unless @info[:installed]
 

data/lib/resources/iis_app_pool.rb

@@ -6,14 +6,15 @@
 class IisAppPool < Inspec.resource(1)
   name 'iis_app_pool'
   desc 'Tests IIS application pool configuration on windows.'
-  example "
+  supports platform: 'windows'
+  example <<~EOH
     describe iis_app_pool('DefaultAppPool') do
       it { should exist }
       its('enable32bit') { should cmp 'True' }
       its('runtime_version') { should eq 'v4.0' }
       its('pipeline_mode') { should eq 'Integrated' }
     end
-  "
+  EOH
 
   def initialize(pool_name)
     @pool_name = pool_name
@@ -77,18 +78,23 @@ class IisAppPool < Inspec.resource(1)
   end
 
   def to_s
-    "iis_app_pool '#{@pool_name}'"
+    "IIS App Pool '#{@pool_name}'"
   end
 
   private
 
-  # I cannot think of a way to shorten this method
-  # rubocop:disable Metrics/AbcSize
   def iis_app_pool
     return @cache unless @cache.nil?
 
-    command = "Import-Module WebAdministration; Get-Item '#{@pool_path}' | Select-Object * | ConvertTo-Json"
-    cmd = inspec.command(command)
+    script = <<~EOH
+      Import-Module WebAdministration
+      If (Test-Path '#{@pool_path}') {
+        Get-Item '#{@pool_path}' | Select-Object * | ConvertTo-Json
+      } Else {
+        Write-Host '{}'
+      }
+    EOH
+    cmd = inspec.powershell(script)
 
     begin
       pool = JSON.parse(cmd.stdout)
@@ -96,21 +102,23 @@ class IisAppPool < Inspec.resource(1)
       raise Inspec::Exceptions::ResourceFailed, 'Unable to parse app pool JSON'
     end
 
+    process_model = pool.fetch('processModel', {})
+    idle_timeout = process_model.fetch('idleTimeout', {})
+
     # map our values to a hash table
     @cache = {
       pool_name: pool['name'],
       version: pool['managedRuntimeVersion'],
       e32b: pool['enable32BitAppOnWin64'],
       mode: pool['managedPipelineMode'],
-      processes: pool['processModel']['maxProcesses'],
-      timeout: "#{pool['processModel']['idleTimeout']['Hours']}:#{pool['processModel']['idleTimeout']['Minutes']}:#{pool['processModel']['idleTimeout']['Seconds']}",
-      timeout_days: pool['processModel']['idleTimeout']['Days'],
-      timeout_hours: pool['processModel']['idleTimeout']['Hours'],
-      timeout_minutes: pool['processModel']['idleTimeout']['Minutes'],
-      timeout_seconds: pool['processModel']['idleTimeout']['Seconds'],
-      user_identity_type: pool['processModel']['identityType'],
-      username: pool['processModel']['userName'],
+      processes: process_model['maxProcesses'],
+      timeout: "#{idle_timeout['Hours']}:#{idle_timeout['Minutes']}:#{idle_timeout['Seconds']}",
+      timeout_days: idle_timeout['Days'],
+      timeout_hours: idle_timeout['Hours'],
+      timeout_minutes: idle_timeout['Minutes'],
+      timeout_seconds: idle_timeout['Seconds'],
+      user_identity_type: process_model['identityType'],
+      username: process_model['userName'],
     }
   end
-  # rubocop:enable Metrics/AbcSize
 end

data/lib/resources/postgres.rb

@@ -69,7 +69,6 @@ module Inspec::Resources
     end
 
     def locate_data_dir_location_by_version(ver = @version)
-      data_dir_loc = nil
       dir_list = [
         "/var/lib/pgsql/#{ver}/data",
         '/var/lib/pgsql/data',
@@ -77,10 +76,7 @@ module Inspec::Resources
         '/var/lib/postgresql/data',
       ]
 
-      dir_list.each do |dir|
-        data_dir_loc = dir if inspec.directory(dir).exist?
-        break
-      end
+      data_dir_loc = dir_list.detect { |i| inspec.directory(i).exist? }
 
       if data_dir_loc.nil?
         warn 'Unable to find the PostgreSQL data_dir in expected location(s), please

data/lib/utils/deprecation.rb

@@ -0,0 +1,6 @@
+# A system to provide a unified deprecation facility for InSpec
+
+require 'utils/deprecation/errors'
+require 'utils/deprecation/config_file'
+require 'utils/deprecation/deprecator'
+require 'utils/deprecation/global_method'

data/lib/utils/deprecation/config_file.rb

@@ -0,0 +1,105 @@
+require 'stringio'
+require 'json'
+require 'inspec/globals'
+
+module Inspec
+  module Deprecation
+    class ConfigFile
+      GroupEntry = Struct.new(:name, :action, :prefix, :suffix, :exit_status)
+
+      # What actions may you specify to be taken when a deprecation is encountered?
+      VALID_ACTIONS = [
+        :exit, # Hard exit `inspec`, no stacktrace, exit code specified or Inspec::UI::EXIT_FATAL_DEPRECATION
+        :fail_control, # Fail the control with a message. If not in a control, do :warn action instead.
+        :ignore, # Do nothing.
+        :warn, # Issue a warning
+      ].freeze
+
+      # Note that 'comment' is ignored, but listed here so you can have it present
+      # and pass validation.
+      VALID_GROUP_FIELDS = %w{action suffix prefix exit_status comment}.freeze
+
+      attr_reader :groups, :unknown_group_action
+
+      def initialize(io = nil)
+        io ||= open_default_config_io
+        begin
+          @raw_data = JSON.parse(io.read)
+        rescue JSON::ParserError => e
+          raise Inspec::Deprecation::MalformedConfigFileError, "Could not parse deprecation config file: #{e.message}"
+        end
+
+        @groups = {}
+        @unknown_group_action = :warn
+        validate!
+      end
+
+      private
+
+      def open_default_config_io
+        default_path = File.join(Inspec.src_root, 'etc', 'deprecations.json')
+        unless File.exist?(default_path)
+          raise Inspec::Deprecation::MalformedConfigError, "Missing deprecation config file: #{default_path}"
+        end
+        File.open(default_path)
+      end
+
+      #====================================================================================================#
+      #                                          Validation
+      #====================================================================================================#
+      def validate!
+        validate_file_version
+        validate_unknown_group_action
+
+        unless @raw_data.key?('groups')
+          raise Inspec::Deprecation::InvalidConfigFileError, 'Missing groups field'
+        end
+        unless @raw_data['groups'].is_a?(Hash)
+          raise Inspec::Deprecation::InvalidConfigFileError, 'Groups field must be a Hash'
+        end
+        @raw_data['groups'].each do |group_name, group_info|
+          validate_group_entry(group_name, group_info)
+        end
+      end
+
+      def validate_file_version
+        unless @raw_data.key?('file_version')
+          raise Inspec::Deprecation::InvalidConfigFileError, 'Missing file_version field'
+        end
+        unless @raw_data['file_version'] == '1.0.0'
+          raise Inspec::Deprecation::InvalidConfigFileError, "Unrecognized file_version '#{@raw_data['file_version']}' - supported versions: 1.0.0"
+        end
+      end
+
+      def validate_unknown_group_action
+        seen_action = (@raw_data['unknown_group_action'] || @unknown_group_action).to_sym
+        unless VALID_ACTIONS.include?(seen_action)
+          raise Inspec::Deprecation::UnrecognizedActionError, "Unrecognized value '#{seen_action}' for field 'unknown_group_action' - supported actions: #{VALID_ACTIONS.map(&:to_s).join(', ')}"
+        end
+        @unknown_group_action = seen_action
+      end
+
+      def validate_group_entry(name, opts)
+        opts.each do |seen_field, _value|
+          unless VALID_GROUP_FIELDS.include?(seen_field)
+            raise Inspec::Deprecation::InvalidConfigFileError, "Unrecognized field for group '#{name}' - saw '#{seen_field}', supported fields: #{VALID_GROUP_FIELDS.map(&:to_s).join(', ')}"
+          end
+        end
+
+        entry = GroupEntry.new(name.to_sym)
+
+        opts['action'] = (opts['action'] || :warn).to_sym
+        unless VALID_ACTIONS.include?(opts['action'])
+          raise Inspec::Deprecation::UnrecognizedActionError, "Unrecognized action for group '#{name}' - saw '#{opts['action']}', supported actions: #{VALID_ACTIONS.map(&:to_s).join(', ')}"
+        end
+        entry.action = opts['action']
+
+        entry.suffix = opts['suffix']
+        entry.prefix = opts['prefix']
+        entry.exit_status = opts['exit_status']
+
+        groups[name.to_sym] = entry
+      end
+    end
+  end
+end

data/lib/utils/deprecation/deprecator.rb

@@ -0,0 +1,117 @@
+require 'utils/deprecation/config_file'
+require 'inspec/log'
+
+module Inspec
+  module Deprecation
+    class Deprecator
+      attr_reader :config, :groups
+
+      def initialize(opts = {})
+        @config = Inspec::Deprecation::ConfigFile.new(opts[:config_io])
+        @groups = @config.groups
+      end
+
+      def handle_deprecation(group_name, message, opts = {})
+        group = groups[group_name.to_sym] || create_group_entry_for_unknown_group(group_name)
+        annotate_stack_information(opts)
+        assembled_message = assemble_message(message, group, opts)
+
+        action = group[:action] || :warn
+        action_method = ('handle_' + action.to_s + '_action').to_sym
+        send(action_method, assembled_message, group)
+      end
+
+      private
+
+      def create_group_entry_for_unknown_group(group_name)
+        group = ConfigFile::GroupEntry.new
+        group.name = group_name
+        group.action = config.unknown_group_action
+        group.suffix = "Additionally, the deprecation message is in an unknown group '#{group_name}'."
+        group
+      end
+
+      def annotate_stack_information(opts)
+        stack = caller_locations(1, 25)
+
+        # Attempt to give a meaningful stack location of the place
+        # where the deprecated functionality was used.  This is likely
+        # user (profile) code.
+        used_at = nil
+
+        # If we are in a profile, call stack will first include RSpec its,
+        # then a single call from the profile that originated within a load_with_context.
+        # rspec-core surrounds these.
+
+        # First, purge the deprecation system frames
+        stack.reject! { |frame| frame.path && frame.path =~ %r{lib/utils/deprecation} }
+        # Next, purge all RSpec entries (at least rspec-core, rspec-support, rspec-its).
+        stack.reject! { |frame| frame.path && frame.path =~ %r{rspec-.+/lib/rspec}  }
+        # Now look for the frame that includes load_with_context.
+        used_at ||= stack.detect { |frame| frame.label.include? 'load_with_context' }
+
+        opts[:used_at_stack_frame] = used_at if used_at
+      end
+
+      def assemble_message(message, group, opts)
+        prefix = group.prefix || ''
+        suffix = group.suffix || ''
+        prefix += ' ' unless prefix.empty?
+        suffix = ' ' + suffix unless suffix.empty?
+
+        suffix += (' (used at ' + opts[:used_at_stack_frame].path+ ':' + opts[:used_at_stack_frame].lineno.to_s + ')') if opts.key?(:used_at_stack_frame)
+
+        'DEPRECATION: ' + prefix + message + suffix
+      end
+
+      def called_from_control?
+        # Heuristics for determining if the deprecation is coming from within a control
+        stack = caller_locations(10, 45)
+
+        # Within a control block, that is actually an RSpec:ExampleGroup
+        stack.each do |frame|
+          return true if frame.path.end_with?('rspec/core/example_group.rb')
+        end
+
+        false
+      end
+
+      def handle_ignore_action(message, _group)
+        handle_log_action(message, :debug)
+      end
+
+      def handle_log_action(message, level)
+        case level
+        when :debug
+          Inspec::Log.debug message
+        when :warn
+          Inspec::Log.warn message
+        when :error
+          Inspec::Log.error message
+        end
+      end
+
+      def handle_warn_action(message, _group)
+        handle_log_action(message, :warn)
+      end
+
+      def handle_error_action(message, _group)
+        handle_log_action(message, :error)
+      end
+
+      def handle_fail_control_action(message, group)
+        if called_from_control?
+          raise Inspec::Exceptions::ResourceFailed, message
+        else
+          handle_warn_action(message, group)
+        end
+      end
+
+      def handle_exit_action(message, group)
+        handle_error_action(message, group)
+        status = group[:exit_status] || :fatal_deprecation
+        Inspec::UI.new.exit(status)
+      end
+    end
+  end
+end

data/lib/utils/deprecation/errors.rb

@@ -0,0 +1,14 @@
+require 'inspec/errors'
+
+module Inspec
+  module Deprecation
+    class Error < Inspec::Error; end
+
+    class NoSuchGroupError < Error; end
+
+    class InvalidConfigFileError < Error; end
+    class MalformedConfigFileError < InvalidConfigFileError; end
+    class UnrecognizedActionError < InvalidConfigFileError; end
+    class UnrecognizedOutputStreamError < InvalidConfigFileError; end
+  end
+end

data/lib/utils/deprecation/global_method.rb

@@ -0,0 +1,9 @@
+require 'utils/deprecation/deprecator'
+
+module Inspec
+  def self.deprecate(group, msg, opts = {})
+    config_io = opts.delete(:config_io)
+    deprecator = Inspec::Deprecation::Deprecator.new(config_io: config_io)
+    deprecator.handle_deprecation(group, msg, opts)
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec
 version: !ruby/object:Gem::Version
-  version: 3.2.6
+  version: 3.3.14
 platform: ruby
 authors:
 - Dominik Richter
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-12-20 00:00:00.000000000 Z
+date: 2019-01-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: train
@@ -19,7 +19,7 @@ dependencies:
         version: '1.5'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.6.3
+        version: 1.7.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -29,7 +29,7 @@ dependencies:
         version: '1.5'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.6.3
+        version: 1.7.0
 - !ruby/object:Gem::Dependency
   name: thor
   requirement: !ruby/object:Gem::Requirement
@@ -365,6 +365,7 @@ files:
 - LICENSE
 - README.md
 - bin/inspec
+- etc/deprecations.json
 - etc/plugin_filters.json
 - inspec.gemspec
 - lib/bundles/README.md
@@ -550,6 +551,8 @@ files:
 - lib/resources/audit_policy.rb
 - lib/resources/auditd.rb
 - lib/resources/auditd_conf.rb
+- lib/resources/aws/aws_billing_report.rb
+- lib/resources/aws/aws_billing_reports.rb
 - lib/resources/aws/aws_cloudtrail_trail.rb
 - lib/resources/aws/aws_cloudtrail_trails.rb
 - lib/resources/aws/aws_cloudwatch_alarm.rb
@@ -699,6 +702,11 @@ files:
 - lib/utils/command_wrapper.rb
 - lib/utils/convert.rb
 - lib/utils/database_helpers.rb
+- lib/utils/deprecation.rb
+- lib/utils/deprecation/config_file.rb
+- lib/utils/deprecation/deprecator.rb
+- lib/utils/deprecation/errors.rb
+- lib/utils/deprecation/global_method.rb
 - lib/utils/enumerable_delegation.rb
 - lib/utils/erlang_parser.rb
 - lib/utils/file_reader.rb