inspec 3.9.3 → 4.1.4.preview

data/lib/plugins/inspec-init/templates/profiles/aws/controls/example.rb

@@ -3,12 +3,13 @@
 
 title 'Sample Section'
 
-aws_vpc_id = attribute('aws_vpc_id')
+aws_vpc_id = attribute('aws_vpc_id', default: '', description: 'Optional AWS VPC identifier.')
 
-# you add controls here
-control 'aws-vpc-check' do                                                  # A unique ID for this control.
+# You add controls here
+control 'aws-single-vpc-exists-check' do                                    # A unique ID for this control.
+  only_if { aws_vpc_id != ''}                                               # Only run this control if the `aws_vpc_id` attribute is provided.
   impact 1.0                                                                # The criticality, if this control fails.
-  title 'Check to see if custom VPC exists.'                                # A human-readable title
+  title 'Check to see if custom VPC exists.'                                # A human-readable title.
   describe aws_vpc(aws_vpc_id) do                                           # The test itself.
     it { should exist }
   end
@@ -24,3 +25,16 @@ control 'aws-vpcs-check' do
     end
   end
 end
+
+control 'aws-vpcs-multi-region-status-check' do                             # A unique ID for this control.
+  impact 1.0                                                                # The criticality, if this control fails.
+  title 'Check AWS VPCs in all regions have status "available"'             # A human-readable title.
+  aws_regions.region_names.each do |region|                                 # Loop over all available AWS regions
+    aws_vpcs(aws_region: region).vpc_ids.each do |vpc|                      # Find all VPCs in a single AWS region
+      describe aws_vpc(aws_region: region, vpc_id: vpc) do                  # The test itself.
+        it { should exist }                                                 # Confirms AWS VPC exists
+        it { should be_available }                                          # Confirms AWS VPC has status "available"
+      end
+    end
+  end
+end

data/lib/plugins/inspec-init/templates/profiles/aws/inspec.yml

@@ -6,11 +6,17 @@ copyright_email: you@example.com
 license: Apache-2.0
 summary: An InSpec Compliance Profile For AWS
 version: 0.1.0
-inspec_version: '>= 2.3.5'
+inspec_version: '~> 4'
 attributes:
 - name: aws_vpc_id
-  required: true
-  description: 'The Custom AWS VPC Id'
+  required: false
+  # Below is deliberately left as a default empty string to allow the profile to run when this is not provided.
+  # Please see the README for more details.
+  default: ''
+  description: 'Optional Custom AWS VPC Id'
   type: string
+depends:
+  - name: inspec-aws
+    url: https://github.com/inspec/inspec-aws/archive/master.tar.gz
 supports:
-- platform: aws
+  - platform: aws

data/lib/resource_support/aws.rb

@@ -1,7 +1,23 @@
 # Main AWS loader file.  The intent is for this to be
 # loaded only if AWS resources are needed.
 
-require 'aws-sdk' # TODO: split once ADK v3 is in use
+require 'aws-sdk-core'
+
+require 'aws-sdk-cloudtrail'
+require 'aws-sdk-cloudwatch'
+require 'aws-sdk-cloudwatchlogs'
+require 'aws-sdk-costandusagereportservice'
+require 'aws-sdk-configservice'
+require 'aws-sdk-ec2'
+require 'aws-sdk-ecs'
+require 'aws-sdk-eks'
+require 'aws-sdk-elasticloadbalancing'
+require 'aws-sdk-iam'
+require 'aws-sdk-kms'
+require 'aws-sdk-rds'
+require 'aws-sdk-s3'
+require 'aws-sdk-sqs'
+require 'aws-sdk-sns'
 
 require 'resource_support/aws/aws_backend_factory_mixin'
 require 'resource_support/aws/aws_resource_mixin'

data/lib/resources/apache.rb

@@ -26,7 +26,7 @@ module Inspec::Resources
 
     attr_reader :service, :conf_dir, :conf_path, :user
     def initialize
-      warn '[DEPRECATED] The `apache` resource is deprecated and will be removed in InSpec 4.0'
+      Inspec.deprecate(:resource_apache, 'The apache resource is deprecated')
 
       if inspec.os.debian?
         @service = 'apache2'

data/lib/resources/apt.rb

@@ -127,8 +127,6 @@ module Inspec::Resources
     end
   end
 
-  # for compatability with serverspec
-  # this is deprecated syntax and will be removed in future versions
   class PpaRepository < AptRepository
     name 'ppa'
 
@@ -143,7 +141,7 @@ module Inspec::Resources
     end
 
     def deprecated
-      warn '[DEPRECATION] `ppa(reponame)` is deprecated.  Please use `apt(reponame)` instead.'
+      Inspec.deprecate(:resource_ppa, 'The `ppa` resource is deprecated. Please use `apt`')
     end
   end
 end

data/lib/resources/aws/aws_iam_user.rb

@@ -22,7 +22,7 @@ class AwsIamUser < Inspec.resource(1)
   alias has_console_password? has_console_password
 
   def name
-    warn "[DEPRECATION] - Property ':name' is deprecated on the aws_iam_user resource.  Use ':username' instead."
+    Inspec.deprecate(:properties_aws_iam_user, 'The aws_iam_user `name` property is deprecated. Please use `username` instead')
     username
   end
 
@@ -51,13 +51,13 @@ class AwsIamUser < Inspec.resource(1)
     )
     # If someone passed :name, rename it to :username
     if validated_params.key?(:name)
-      warn "[DEPRECATION] - Resource parameter ':name' is deprecated on the aws_iam_user resource.  Use ':username' instead."
+      Inspec.deprecate(:properties_aws_iam_user, 'The aws_iam_users `name` property is deprecated. Please use `username` instead')
       validated_params[:username] = validated_params.delete(:name)
     end
 
     # If someone passed :user, rename it to :aws_user_struct
     if validated_params.key?(:user)
-      warn "[DEPRECATION] - Resource parameter ':user' is deprecated on the aws_iam_user resource.  Use ':aws_user_struct' instead."
+      Inspec.deprecate(:properties_aws_iam_user, 'The aws_iam_users `user` property is deprecated. Please use `aws_user_struct` instead')
       validated_params[:aws_user_struct] = validated_params.delete(:user)
     end
 

data/lib/resources/azure/azure_generic_resource.rb

@@ -16,7 +16,7 @@ module Inspec::Resources
     attr_accessor :filter, :total, :counts, :name, :type, :location, :probes
 
     def initialize(opts = {})
-      warn "[DEPRECATED] use a specific azure resources instead of 'azure_generic_resource'. See https://github.com/inspec/inspec/issues/3131"
+      Inspec.deprecate(:resource_azure_generic_resource)
 
       # Call the parent class constructor
       super(opts)

data/lib/resources/file.rb

@@ -98,7 +98,7 @@ module Inspec::Resources
       return file.mounted? if expected_options.nil?
 
       # deprecation warning, this functionality will be removed in future version
-      warn "[DEPRECATION] `be_mounted.with and be_mounted.only_with` are deprecated.  Please use `mount('#{source_path}')` instead."
+      Inspec.deprecate(:file_resource_be_mounted_matchers, 'The file resource `be_mounted.with` and `be_mounted.only_with` matchers are deprecated. Please use the `mount` resource instead')
 
       # we cannot read mount data on non-Linux systems
       return nil if !inspec.os.linux?
@@ -133,6 +133,35 @@ module Inspec::Resources
 
     alias sticky? sticky
 
+    def more_permissive_than?(max_mode = nil)
+      raise Inspec::Exceptions::ResourceFailed, 'The file' + file.path + 'doesn\'t seem to exist' unless exist?
+      raise ArgumentError, 'You must proivde a value for the `maximum allowable permission` for the file.' if max_mode.nil?
+      raise ArgumentError, 'You must proivde the `maximum permission target` as a `String`, you provided: ' + max_mode.class.to_s unless max_mode.is_a?(String)
+      raise ArgumentError, 'The value of the `maximum permission target` should be a valid file mode in 4-ditgit octal format: for example, `0644` or `0777`' unless /(0)?([0-7])([0-7])([0-7])/.match?(max_mode)
+
+      # Using the files mode and a few bit-wise calculations we can ensure a
+      # file is no more permisive than desired.
+      #
+      # 1. Calculate the inverse of the desired mode (e.g., 0644) by XOR it with
+      # 0777 (all 1s). We are interested in the bits that are currently 0 since
+      # it indicates that the actual mode is more permissive than the desired mode.
+      # Conversely, we dont care about the bits that are currently 1 because they
+      # cannot be any more permissive and we can safely ignore them.
+      #
+      # 2. Calculate the above result of ANDing the actual mode and the inverse
+      # mode. This will determine if any of the bits that would indicate a more
+      # permissive mode are set in the actual mode.
+      #
+      # 3. If the result is 0000, the files mode is equal
+      # to or less permissive than the desired mode (PASS). Otherwise, the files
+      # mode is more permissive than the desired mode (FAIL).
+
+      max_mode = max_mode.rjust(4, '0')
+      binary_desired_mode = format('%04b', max_mode).to_i(2)
+      desired_mode_inverse = (binary_desired_mode ^ 0b111111111)
+      (desired_mode_inverse & file.mode).zero? ? false : true
+    end
+
     def to_s
       "File #{source_path}"
     end
@@ -212,6 +241,10 @@ module Inspec::Resources
       raise '`check_file_permission_by_mask` is not supported on Windows'
     end
 
+    def more_permissive_than?(*)
+      raise Inspec::Exceptions::ResourceSkipped, 'The `more_permissive_than?` matcher is not supported on your OS yet.'
+    end
+
     def check_file_permission_by_user(access_type, user, path)
       access_rule = translate_perm_names(access_type)
       access_rule = convert_to_powershell_array(access_rule)

data/lib/resources/filesystem.rb

@@ -52,7 +52,7 @@ module Inspec::Resources
     end
 
     def size
-      Inspec.deprecate(:filesystem_property_size, 'The `size` property did not reliably use the correct units.  Please use `size_kb` instead.')
+      Inspec.deprecate(:property_filesystem_size, 'The `size` property did not reliably use the correct units. Please use `size_kb` instead.')
       if inspec.os.windows?
         # On windows, we had a bug prior to #3767 in which the
         # 'size' value was be scaled to GB in powershell.

data/lib/resources/host.rb

@@ -49,7 +49,7 @@ module Inspec::Resources
       @port = params[:port]
 
       if params[:proto]
-        warn '[DEPRECATION] The `proto` parameter is deprecated. Use `protocol` instead.'
+        Inspec.deprecate(:host_resource_proto_usage, 'The `host` resource `proto` resource parameter is deprecated. Please use `protocol`.')
         @protocol = params[:proto]
       else
         @protocol = params.fetch(:protocol, 'icmp')
@@ -75,7 +75,7 @@ module Inspec::Resources
     end
 
     def proto
-      warn '[DEPRECATION] The `proto` method is deprecated. Use `protocol` instead.'
+      Inspec.deprecate(:host_resource_proto_usage, 'The host resource `proto` method is deprecated. Please use `protocol`.')
       protocol
     end
 

data/lib/resources/iis_site.rb

@@ -134,8 +134,8 @@ module Inspec::Resources
     EXAMPLE
 
     def initialize(site_name)
+      Inspec.deprecate(:resource_iis_website, 'The `iis_website` resource is deprecated. Please use `iis_site` instead.')
       super(site_name)
-      warn '[DEPRECATION] `iis_website(site_name)` is deprecated.  Please use `iis_site(site_name)` instead.'
     end
 
     def in_app_pool?(app_pool)

data/lib/resources/interface.rb

@@ -13,6 +13,8 @@ module Inspec::Resources
         it { should exist }
         it { should be_up }
         its('speed') { should eq 1000 }
+        its('ipv4_addresses') { should include '127.0.0.1' }
+        its('ipv6_cidrs') { should include '::1/128' }
       end
     EXAMPLE
     def initialize(iface)
@@ -41,6 +43,42 @@ module Inspec::Resources
       interface_info.nil? ? nil : interface_info[:speed]
     end
 
+    def ipv4_address?
+      !ipv4_addresses.nil? && !ipv4_addresses.empty?
+    end
+
+    def ipv6_address?
+      !ipv6_addresses.nil? && !ipv6_addresses.empty?
+    end
+
+    def ipv4_addresses
+      ipv4_cidrs.map { |i| i.split('/')[0] }
+    end
+
+    def ipv6_addresses
+      ipv6_cidrs.map { |i| i.split('/')[0] }
+    end
+
+    def ipv4_addresses_netmask
+      ipv4_cidrs.map { |i| i.split('/') }.map do |addr, netlen|
+        binmask = "#{'1' * netlen.to_i}#{'0' * (32 - netlen.to_i)}".to_i(2)
+        netmask = []
+        (1..4).each do |_byte|
+          netmask.unshift(binmask & 255)
+          binmask = binmask >> 8
+        end
+        "#{addr}/#{netmask.join('.')}"
+      end
+    end
+
+    def ipv4_cidrs
+      interface_info.nil? ? [] : interface_info[:ipv4_addresses]
+    end
+
+    def ipv6_cidrs
+      interface_info.nil? ? [] : interface_info[:ipv6_addresses]
+    end
+
     def to_s
       "Interface #{@iface}"
     end
@@ -87,28 +125,54 @@ module Inspec::Resources
         speed = convert_to_i(speed)
       end
 
+      family_addresses = addresses(iface)
       {
         name: iface,
         up: state,
         speed: speed,
+        ipv4_addresses: family_addresses['inet'],
+        ipv6_addresses: family_addresses['inet6'],
       }
     end
+
+    private
+
+    def addresses(iface)
+      addrs_by_family = { 'inet6' => [], 'inet' => [] }
+      [4, 6].each do |v|
+        cmd = inspec.command("/sbin/ip -br -#{v} address show dev #{iface}")
+        next unless cmd.exit_status.to_i == 0
+        family = v == 6 ? 'inet6' : 'inet'
+
+        cmd.stdout.each_line do |line|
+          _dev, _state, *addrs = line.split(/\s+/)
+          addrs_by_family[family] = addrs
+        end
+      end
+      addrs_by_family
+    end
   end
 
   class WindowsInterface < InterfaceInfo
     def interface_info(iface)
       # gather all network interfaces
-      cmd = inspec.command('Get-NetAdapter | Select-Object -Property Name, InterfaceDescription, Status, State, MacAddress, LinkSpeed, ReceiveLinkSpeed, TransmitLinkSpeed, Virtual | ConvertTo-Json')
+      cmd = inspec.command('Get-NetAdapter | Select-Object -Property Name, InterfaceDescription, Status, State, ' \
+                           'MacAddress, LinkSpeed, ReceiveLinkSpeed, TransmitLinkSpeed, Virtual | ConvertTo-Json')
+
+      addr_cmd = inspec.command('Get-NetIPAddress | Select-Object -Property IPv6Address, IPv4Address, InterfaceAlias,' \
+                                ' PrefixLength | ConvertTo-Json')
 
       # filter network interface
       begin
         net_adapter = JSON.parse(cmd.stdout)
+        addresses = JSON.parse(addr_cmd.stdout)
       rescue JSON::ParserError => _e
         return nil
       end
 
       # ensure we have an array of groups
       net_adapter = [net_adapter] if !net_adapter.is_a?(Array)
+      addresses = [addresses] if !addresses.is_a?(Array)
 
       # select the requested interface
       adapters = net_adapter.each_with_object([]) do |adapter, adapter_collection|
@@ -117,6 +181,8 @@ module Inspec::Resources
           name: adapter['Name'],
           up: adapter['State'] == 2,
           speed: adapter['ReceiveLinkSpeed'] / 1000,
+          ipv4_addresses: addresses_for_proto(addresses, adapter['Name'], 'IPv4'),
+          ipv6_addresses: addresses_for_proto(addresses, adapter['Name'], 'IPv6'),
         }
         adapter_collection.push(info) if info[:name].casecmp(iface) == 0
       end
@@ -125,5 +191,13 @@ module Inspec::Resources
       warn "[Possible Error] detected multiple network interfaces with the name #{iface}" if adapters.size > 1
       adapters[0]
     end
+
+    private
+
+    def addresses_for_proto(all_addresses, iface, proto)
+      all_addresses.select { |i| i['InterfaceAlias'] == iface }
+                   .map { |i| "#{i["#{proto}Address"]}/#{i['PrefixLength']}" unless i["#{proto}Address"].nil? }
+                   .compact
+    end
   end
 end

data/lib/resources/kernel_parameter.rb

@@ -33,24 +33,19 @@ module Inspec::Resources
     end
   end
 
-  # for compatability with serverspec
-  # this is deprecated syntax and will be removed in future versions
   class LinuxKernelParameter < KernelParameter
     name 'linux_kernel_parameter'
 
     def initialize(parameter)
+      Inspec.deprecate(:resource_linux_kernel_parameter, 'The `linux_kernel_parameter` resource is deprecated. Please use `kernel_parameter`')
       super(parameter)
     end
 
     def value
-      deprecated
+      Inspec.deprecate(:resource_linux_kernel_parameter, 'The `linux_kernel_parameter` resource is deprecated. Please use `kernel_parameter`')
       super()
     end
 
-    def deprecated
-      warn '[DEPRECATION] `linux_kernel_parameter(parameter)` is deprecated.  Please use `kernel_parameter(parameter)` instead.'
-    end
-
     def to_s
       "Kernel Parameter #{@parameter}"
     end

data/lib/resources/mssql_session.rb

@@ -34,7 +34,7 @@ module Inspec::Resources
       @user = opts[:user]
       @password = opts[:password] || opts[:pass]
       if opts[:pass]
-        warn '[DEPRECATED] use `password` option to supply password instead of `pass`'
+        Inspec.deprecate(:mssql_session_pass_option, 'The mssql_session `pass` option is deprecated. Please use `password`.')
       end
       @local_mode = opts[:local_mode]
       unless local_mode?

data/lib/resources/oracledb_session.rb

@@ -28,7 +28,7 @@ module Inspec::Resources
       @user = opts[:user]
       @password = opts[:password] || opts[:pass]
       if opts[:pass]
-        warn '[DEPRECATED] use `password` option to supply password instead of `pass`'
+        Inspec.deprecate(:oracledb_session_pass_option, 'The oracledb_session `pass` option is deprecated. Please use `password`.')
       end
 
       @host = opts[:host] || 'localhost'

data/lib/resources/powershell.rb

@@ -56,12 +56,8 @@ module Inspec::Resources
     name 'script'
 
     def initialize(script)
-      deprecated
+      Inspec.deprecate(:resource_script, 'The `script` resource is deprecated. Please use `powershell` instead.')
       super(script)
     end
-
-    def deprecated
-      warn '[DEPRECATION] `script(script)` is deprecated.  Please use `powershell(script)` instead.'
-    end
   end
 end

data/lib/resources/processes.rb

@@ -56,7 +56,7 @@ module Inspec::Resources
     end
 
     def list
-      warn '[DEPRECATION] `processes.list` is deprecated. Please use `processes.entries` instead. It will be removed in version 4.0.'
+      Inspec.deprecate(:property_processes_list, 'The processes `list` property is deprecated. Please use `entries` instead.')
       @list
     end
 

data/lib/resources/registry_key.rb

@@ -280,18 +280,12 @@ module Inspec::Resources
     end
   end
 
-  # for compatability with serverspec
-  # this is deprecated syntax and will be removed in future versions
   class WindowsRegistryKey < RegistryKey
     name 'windows_registry_key'
 
     def initialize(name)
-      deprecated
+      Inspec.deprecate(:resource_windows_registry_key, 'The `windows_registry_key` resource is deprecated. Please use `registry_key` instead.')
       super(name)
     end
-
-    def deprecated
-      warn '[DEPRECATION] `windows_registry_key(reg_key)` is deprecated.  Please use `registry_key(\'path\to\key\')` instead.'
-    end
   end
 end