inspec 4.1.4.preview → 4.2.0.preview

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 7dd53f745c6f68b24d0b987f09258c973a6d4579
-  data.tar.gz: f9b791e75517949b5007d0d6904c7d70752103b6
+  metadata.gz: 8114c17ed673de114cd1b869cffc981834e57abb
+  data.tar.gz: 5f4bdb0617548cee5b60ca0adf3a0f2c2d508285
 SHA512:
-  metadata.gz: bcfdc38552520f03dcb738e3273d8cbee50ea35bb33d6f5f0e4bde0fae9b2b3b1dd36369b88a754fea078ddf23073400a81a914bb54468b0d573f5f471bec1e5
-  data.tar.gz: 1ee7fdfc45f33bcbf182da86da273e2634825da4b6a218750ddbf77dfc150eb5f70484df22e524dead114dc8d4656784e00f402cdb49ebb8b2ce0c646bea6d58
+  metadata.gz: 9db1040f08a657def6c3a719eb8ce6c8eb0106024cda21395dc452f21eebfd8892b5e6779c501061cc12e3e19ade491bc3d272717fbb01cb8797b62fe4afc19b
+  data.tar.gz: 9b8863d0b896f9bc51c6b095ea373abd674ebb7e5464f16a7d0d2d0f2a055cc85ef97de8c53872a1110bcbdb43dad84e446adf1560b34b5fbe40789f78007acd

data/Gemfile

@@ -8,6 +8,8 @@ gem 'ffi', '>= 1.9.14'
 group :omnibus do
   gem 'rb-readline'
   gem 'appbundler'
+  gem 'ed25519' # ed25519 ssh key support done here as its a native gem we can't put in the gemspec
+  gem 'bcrypt_pbkdf' # ed25519 ssh key support done here as its a native gem we can't put in the gemspec
 end
 
 group :test do

data/etc/deprecations.json

@@ -3,12 +3,12 @@
   "unknown_group_action": "ignore",
   "groups": {
     "attrs_value_replaces_default": {
-      "action": "ignore",
+      "action": "warn",
       "prefix": "The 'default' option for attributes is being replaced by 'value' - please use it instead."
     },
     "aws_resources_in_resource_pack": {
       "comment": "See #3822",
-      "action": "ignore",
+      "action": "warn",
       "prefix": "AWS resources shipped with core InSpec are being to moved to a resource pack for faster iteration. Please update your profiles to depend on git@github.com:inspec/inspec-aws.git ."
     },
     "cli_option_json_config": {
@@ -17,11 +17,11 @@
       "comment": "See #3661"
     },
     "file_resource_be_mounted_matchers": {
-      "action": "warn",
+      "action": "fail_control",
       "suffix": "This will not be supported in InSpec 4.0."
     },
     "host_resource_proto_usage": {
-      "action": "warn",
+      "action": "fail_control",
       "suffix": "This will not be supported in InSpec 4.0."
     },
     "inspec_ui_methods": {
@@ -30,67 +30,67 @@
       "comment": "See #3715"
     },
     "mssql_session_pass_option": {
-      "action": "warn",
+      "action": "exit",
       "suffix": "This will not be supported in InSpec 4.0."
     },
     "oracledb_session_pass_option": {
-      "action": "warn",
-      "suffix": "This will not be supported in InSpec 4.0."
+      "action": "exit",
+      "suffix": "This is not supported in InSpec 4.0."
     },
     "property_filesystem_size": {
-      "action": "ignore",
+      "action": "warn",
       "comment": "See #3778"
     },
     "property_processes_list": {
-      "action": "warn",
-      "suffix": "This property will be removed in InSpec 4.0."
+      "action": "fail_control",
+      "suffix": "This property was removed in InSpec 4.0."
     },
     "properties_aws_iam_user": {
-      "action": "warn",
-      "suffix": "This property will be removed in InSpec 4.0."
+      "action": "fail_control",
+      "suffix": "This property was removed in InSpec 4.0."
     },
     "properties_shadow": {
-      "action": "warn",
-      "suffix": "This property will be removed in InSpec 4.0."
+      "action": "fail_control",
+      "suffix": "This property was removed in InSpec 4.0."
     },
     "rename_attributes_to_inputs": {
-      "action": "ignore",
+      "action": "warn",
       "prefix": "InSpec Attributes are being renamed to InSpec Inputs to avoid confusion with Chef Attributes.",
       "comment": "See #3802"
     },
     "resource_apache": {
-      "action": "warn",
-      "suffix": "This resource will be removed in InSpec 4.0."
+      "action": "exit",
+      "suffix": "This resource was removed in InSpec 4.0."
     },
     "resource_azure_generic_resource": {
       "action": "warn",
       "prefix": "The azure_generic_resource is deprecated. Please use a specific resource. See: 'https://github.com/inspec/inspec/issues/3131'"
     },
     "resource_iis_website": {
-      "action": "warn",
-      "suffix": "This resource will be removed in InSpec 4.0.",
+      "action": "exit",
+      "suffix": "This resource was removed in InSpec 4.0.",
       "comment": "Needed for ServerSpec compatibility"
     },
     "resource_linux_kernel_parameter": {
-      "action": "warn",
-      "suffix": "This resource will be removed in InSpec 4.0.",
+      "action": "exit",
+      "suffix": "This resource was removed in InSpec 4.0.",
       "comment": "Needed for ServerSpec compatibility"
     },
     "resource_ppa": {
-      "action": "warn",
-      "suffix": "This resource will be removed in InSpec 4.0.",
+      "action": "exit",
+      "suffix": "This resource was removed in InSpec 4.0.",
       "comment": "Needed for ServerSpec compatibility"
     },
     "resource_script": {
-      "action": "warn",
+      "action": "exit",
       "suffix": "This resource will be removed in InSpec 4.0"
     },
     "resource_user_serverspec_compat": {
-      "action": "warn"
+      "action": "fail_control"
     },
     "resource_windows_registry_key": {
-      "action": "warn",
-      "suffix": "This resource will be removed in InSpec 4.0.",
+      "action": "exit",
+      "suffix": "This resource was removed in InSpec 4.0.",
       "comment": "Needed for ServerSpec compatibility"
     },
     "serverspec_compatibility": {
@@ -101,11 +101,11 @@
       "action": "warn"
     },
     "mount_parser_serverspec_compat": {
-      "action": "warn"
+      "action": "fail_control"
     },
     "wmi_non_hash_usage": {
-      "action": "warn",
-      "suffix": "This property will be removed in InSpec 4.0."
+      "action": "fail_control",
+      "suffix": "This property was removed in InSpec 4.0."
     }
   }
 }

data/inspec.gemspec

@@ -31,7 +31,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency 'train-aws', '~> 0.1'
 
   # Implementation dependencies
-  spec.add_dependency 'license-acceptance', '~> 0.2'
+  spec.add_dependency 'license-acceptance', '>= 0.2.13', '< 2.0'
   spec.add_dependency 'thor', '~> 0.20'
   spec.add_dependency 'json', '>= 1.8', '< 3.0'
   spec.add_dependency 'method_source', '~> 0.8'

data/lib/inspec/cli.rb

@@ -392,7 +392,11 @@ require 'license_acceptance/acceptor'
 begin
   if (commands_exempt_from_license_check & ARGV.map(&:downcase)).empty? &&  # Did they use a non-exempt command?
      !ARGV.empty?                                                           # Did they supply at least one command?
-    LicenseAcceptance::Acceptor.check_and_persist('inspec', Inspec::VERSION)
+    LicenseAcceptance::Acceptor.check_and_persist(
+      'inspec',
+      Inspec::VERSION,
+      logger: Inspec::Log,
+    )
   end
 rescue LicenseAcceptance::LicenseNotAcceptedError
   Inspec::Log.error 'InSpec cannot execute without accepting the license'

data/lib/inspec/control_eval_context.rb

@@ -26,8 +26,23 @@ module Inspec
         with_resource_dsl resources_dsl
 
         # allow attributes to be accessed within control blocks
-        define_method :attribute do |name|
-          Inspec::InputRegistry.find_input(name, profile_id).value
+        # TODO: deprecate name, use input()
+        define_method :attribute do |input_name, options = {}|
+          if options.empty?
+            # Simply an access, no event here
+            Inspec::InputRegistry.find_or_register_input(input_name, profile_id).value
+          else
+            options[:priority] = 20
+            options[:provider] = :inline_control_code
+            evt = Inspec::Input.infer_event(options)
+            Inspec::InputRegistry.find_or_register_input(input_name, profile_name, event: evt).value
+          end
+        end
+
+        # Find the Input object, but don't collapse to a value.
+        # Will return nil on a miss.
+        define_method :input_object do |input_name|
+          Inspec::InputRegistry.find_or_register_input(input_name, profile_id)
         end
 
         # Support for Control DSL plugins.
@@ -168,14 +183,25 @@ module Inspec
         end
 
         # method for inputs; import input handling
-        define_method :attribute do |name, options = nil|
-          if options.nil?
-            Inspec::InputRegistry.find_input(name, profile_id).value
+        # TODO: deprecate name, use input()
+        define_method :attribute do |input_name, options = {}|
+          if options.empty?
+            # Simply an access, no event here
+            Inspec::InputRegistry.find_or_register_input(input_name, profile_id).value
           else
-            profile_context_owner.register_input(name, options)
+            options[:priority] = 20
+            options[:provider] = :inline_control_code
+            evt = Inspec::Input.infer_event(options)
+            Inspec::InputRegistry.find_or_register_input(input_name, profile_name, event: evt).value
           end
         end
 
+        # Find the Input object, but don't collapse to a value.
+        # Will return nil on a miss.
+        define_method :input_object do |input_name|
+          Inspec::InputRegistry.find_or_register_input(input_name, profile_id)
+        end
+
         define_method :skip_control do |id|
           profile_context_owner.unregister_rule(id)
         end

data/lib/inspec/dependencies/requirement.rb

@@ -118,6 +118,7 @@ module Inspec
       return @profile unless @profile.nil?
       opts = @opts.dup
       opts[:backend] = @backend
+      opts[:runner_conf] = Inspec::Config.cached
       if !@dependencies.nil? && !@dependencies.empty?
         opts[:dependencies] = Inspec::DependencySet.from_array(@dependencies, @cwd, @cache, @backend)
       end

data/lib/inspec/dependencies/resolver.rb

@@ -23,6 +23,7 @@ module Inspec
   # implementation of the fetcher being used.
   #
   class Resolver
+    # Here deps is an Array of Hashes
     def self.resolve(dependencies, cache, working_dir, backend)
       reqs = dependencies.map do |dep|
         req = Inspec::Requirement.from_metadata(dep, cache, cwd: working_dir, backend: backend)
@@ -47,6 +48,7 @@ module Inspec
       end
     end
 
+    # Here deps is an Array of Inspec::Requirement
     def resolve(deps, top_level = true, seen_items = {}, path_string = '') # rubocop:disable Metrics/AbcSize
       graph = {}
       if top_level

data/lib/inspec/dsl.rb

@@ -79,7 +79,7 @@ module Inspec::DSL
 
   def self.filter_included_controls(context, profile, &block)
     mock = Inspec::Backend.create(Inspec::Config.mock)
-    include_ctx = Inspec::ProfileContext.for_profile(profile, mock, {})
+    include_ctx = Inspec::ProfileContext.for_profile(profile, mock)
     include_ctx.load(block) if block_given?
     # remove all rules that were not registered
     context.all_rules.each do |r|

data/lib/inspec/impact.rb

@@ -4,7 +4,7 @@
 module Inspec::Impact
   IMPACT_SCORES = {
     'none'     => 0.0,
-    'low'      => 0.01,
+    'low'      => 0.1,
     'medium'   => 0.4,
     'high'     => 0.7,
     'critical' => 0.9,

data/lib/inspec/input_registry.rb

@@ -1,83 +1,224 @@
 require 'forwardable'
 require 'singleton'
 require 'inspec/objects/input'
+require 'inspec/secrets'
+require 'inspec/exceptions'
 
 module Inspec
+  # The InputRegistry's responsibilities include:
+  #   - maintaining a list of Input objects that are bound to profiles
+  #   - assisting in the lookup and creation of Inputs
   class InputRegistry
     include Singleton
     extend Forwardable
 
-    attr_reader :list
-    def_delegator :list, :each
-    def_delegator :list, :[]
-    def_delegator :list, :key?, :profile_exist?
-    def_delegator :list, :select
+    attr_reader :inputs_by_profile, :profile_aliases
+    def_delegator :inputs_by_profile, :each
+    def_delegator :inputs_by_profile, :[]
+    def_delegator :inputs_by_profile, :key?, :profile_known?
+    def_delegator :inputs_by_profile, :select
+    def_delegator :profile_aliases, :key?, :profile_alias?
 
-    # These self methods are convenience methods so you dont always
-    # have to specify instance when calling the registry
-    def self.find_input(name, profile)
-      instance.find_input(name, profile)
-    end
+    def initialize
+      # Keyed on String profile_name => Hash of String input_name => Input object
+      @inputs_by_profile = {}
 
-    def self.register_input(name, profile, options = {})
-      instance.register_input(name, profile, options)
+      # this is a list of optional profile name overrides set in the inspec.yml
+      @profile_aliases = {}
     end
 
-    def self.register_profile_alias(name, alias_name)
-      instance.register_profile_alias(name, alias_name)
+    #-------------------------------------------------------------#
+    #                 Support for Profiles
+    #-------------------------------------------------------------#
+
+    def register_profile_alias(name, alias_name)
+      @profile_aliases[name] = alias_name
     end
 
-    def self.list_inputs_for_profile(profile)
-      instance.list_inputs_for_profile(profile)
+    def list_inputs_for_profile(profile)
+      inputs_by_profile[profile] = {} unless profile_known?(profile)
+      inputs_by_profile[profile]
     end
 
-    def initialize
-      # this is a collection of profiles which have a value of input objects
-      @list = {}
+    #-------------------------------------------------------------#
+    #              Support for Individual Inputs
+    #-------------------------------------------------------------#
 
-      # this is a list of optional profile name overrides set in the inspec.yml
-      @profile_aliases = {}
+    def find_or_register_input(input_name, profile_name, options = {})
+      if profile_alias?(profile_name)
+        alias_name = profile_name
+        profile_name = profile_aliases[profile_name]
+        handle_late_arriving_alias(alias_name, profile_name) if profile_known?(alias_name)
+      end
+
+      inputs_by_profile[profile_name] ||= {}
+      if inputs_by_profile[profile_name].key?(input_name)
+        inputs_by_profile[profile_name][input_name].update(options)
+      else
+        inputs_by_profile[profile_name][input_name] = Inspec::Input.new(input_name, options)
+      end
+
+      inputs_by_profile[profile_name][input_name]
     end
 
-    def find_input(name, profile)
-      profile = @profile_aliases[profile] if !profile_exist?(profile) && @profile_aliases[profile]
-      unless profile_exist?(profile)
-        error = Inspec::InputRegistry::ProfileLookupError.new
-        error.profile_name = profile
-        raise error, "Profile '#{error.profile_name}' does not have any inputs"
+    # It is possible for a wrapper profile to create an input in metadata,
+    # referring to the child profile by an alias that has not yet been registered.
+    # The registry will then store the inputs under the alias, as if the alias
+    # were a true profile.
+    # If that happens and the child profile also mentions the input, we will
+    # need to move some things - all inputs should be stored under the true
+    # profile name, and no inputs should be stored under the alias.
+    def handle_late_arriving_alias(alias_name, profile_name)
+      inputs_by_profile[profile_name] ||= {}
+      inputs_by_profile[alias_name].each do |input_name, input_from_alias|
+        # Move the inpuut, or if it exists, merge events
+        existing = inputs_by_profile[profile_name][input_name]
+        if existing
+          existing.events.concat(input_from_alias.events)
+        else
+          inputs_by_profile[profile_name][input_name] = input_from_alias
+        end
       end
+      # Finally, delete the (now copied-out) entry for the alias
+      inputs_by_profile.delete(alias_name)
+    end
+    #-------------------------------------------------------------#
+    #               Support for Binding Inputs
+    #-------------------------------------------------------------#
+
+    # This method is called by the Profile as soon as it has
+    # enough context to allow binding inputs to it.
+    def bind_profile_inputs(profile_name, sources = {})
+      inputs_by_profile[profile_name] ||= {}
+
+      # In a more perfect world, we could let the core plugins choose
+      # self-determine what to do; but as-is, the APIs that call this
+      # are a bit over-constrained.
+      bind_inputs_from_metadata(profile_name, sources[:profile_metadata])
+      bind_inputs_from_input_files(profile_name, sources[:cli_input_files])
+      bind_inputs_from_runner_api(profile_name, sources[:runner_api])
+    end
+
+    private
 
-      unless list[profile].key?(name)
-        error = Inspec::InputRegistry::InputLookupError.new
-        error.input_name = name
-        error.profile_name = profile
-        raise error, "Profile '#{error.profile_name}' does not have an input with name '#{error.input_name}'"
+    def bind_inputs_from_runner_api(profile_name, input_hash)
+      # TODO: move this into a core plugin
+
+      return if input_hash.nil?
+      return if input_hash.empty?
+
+      # These arrive as a bare hash - values are raw values, not options
+      input_hash.each do |input_name, input_value|
+        loc = Inspec::Input::Event.probe_stack # TODO: likely modify this to look for a kitchen.yml, if that is realistic
+        evt = Inspec::Input::Event.new(
+          value: input_value,
+          provider: :runner_api, # TODO: suss out if audit cookbook or kitchen-inspec or something unknown
+          priority: 40,
+          file: loc.path,
+          line: loc.lineno,
+        )
+        find_or_register_input(input_name, profile_name, event: evt)
       end
-      list[profile][name]
     end
 
-    def register_input(name, profile, options = {})
-      # check for a profile override name
-      if profile_exist?(profile) && list[profile][name] && options.empty?
-        list[profile][name]
-      else
-        list[profile] = {} unless profile_exist?(profile)
-        list[profile][name] = Inspec::Input.new(name, options)
+    def bind_inputs_from_input_files(profile_name, file_list)
+      # TODO: move this into a core plugin
+
+      return if file_list.nil?
+      return if file_list.empty?
+
+      file_list.each do |path|
+        validate_inputs_file_readability!(path)
+
+        # TODO: drop this SecretsBackend stuff, will be handled by plugin system
+        data = Inspec::SecretsBackend.resolve(path)
+        if data.nil?
+          raise Inspec::Exceptions::SecretsBackendNotFound,
+                "Cannot find parser for inputs file '#{path}'. " \
+                'Check to make sure file has the appropriate extension.'
+        end
+
+        next if data.inputs.nil?
+        data.inputs.each do |input_name, input_value|
+          evt = Inspec::Input::Event.new(
+            value: input_value,
+            provider: :cli_files,
+            priority: 40,
+            file: path,
+            # TODO: any way we could get a line number?
+          )
+          find_or_register_input(input_name, profile_name, event: evt)
+        end
       end
     end
 
-    def register_profile_alias(name, alias_name)
-      @profile_aliases[name] = alias_name
+    def validate_inputs_file_readability!(path)
+      unless File.exist?(path)
+        raise Inspec::Exceptions::InputsFileDoesNotExist,
+              "Cannot find input file '#{path}'. " \
+              'Check to make sure file exists.'
+      end
+
+      unless File.readable?(path)
+        raise Inspec::Exceptions::InputsFileNotReadable,
+              "Cannot read input file '#{path}'. " \
+              'Check to make sure file is readable.'
+      end
+
+      true
     end
 
-    def list_inputs_for_profile(profile)
-      list[profile] = {} unless profile_exist?(profile)
-      list[profile]
+    def bind_inputs_from_metadata(profile_name, profile_metadata_obj)
+      # TODO: move this into a core plugin
+      # TODO: add deprecation stuff
+      return if profile_metadata_obj.nil? # Metadata files are technically optional
+
+      if profile_metadata_obj.params.key?(:attributes) && profile_metadata_obj.params[:attributes].is_a?(Array)
+        profile_metadata_obj.params[:attributes].each do |input_orig|
+          input_options = input_orig.dup
+          input_name = input_options.delete(:name)
+          input_options.merge!({ priority: 30, provider: :profile_metadata, file: File.join(profile_name, 'inspec.yml') })
+          evt = Inspec::Input.infer_event(input_options)
+
+          # Profile metadata may set inputs in other profiles by naming them.
+          if input_options[:profile]
+            profile_name = input_options[:profile] || profile_name
+            # Override priority to force this to win.  Allow user to set their own priority.
+            evt.priority = input_orig[:priority] || 35
+          end
+          find_or_register_input(input_name,
+                                 profile_name,
+                                 type: input_options[:type],
+                                 required: input_options[:required],
+                                 event: evt)
+        end
+      elsif profile_metadata_obj.params.key?(:attributes)
+        Inspec::Log.warn 'Inputs must be defined as an Array. Skipping current definition.'
+      end
     end
 
+    #-------------------------------------------------------------#
+    #               Other Support
+    #-------------------------------------------------------------#
+    public
+
+    # Used in testing
     def __reset
-      @list = {}
+      @inputs_by_profile = {}
       @profile_aliases = {}
     end
+
+    # These class methods are convenience methods so you don't always
+    # have to call #instance when calling the registry
+    [
+      :find_or_register_input,
+      :register_profile_alias,
+      :list_inputs_for_profile,
+      :bind_profile_inputs,
+    ].each do |meth|
+      define_singleton_method(meth) do |*args|
+        instance.send(meth, *args)
+      end
+    end
   end
 end