inspec 4.10.4 → 4.12.0

data/lib/inspec/resources/iis_app_pool.rb

@@ -5,125 +5,127 @@ require "inspec/resources/powershell"
 # check for web applications in IIS
 # Note: this is only supported in windows 2012 and later
 
-class IisAppPool < Inspec.resource(1)
-  name "iis_app_pool"
-  desc "Tests IIS application pool configuration on windows."
-  supports platform: "windows"
-  example <<~EXAMPLE
-    describe iis_app_pool('DefaultAppPool') do
-      it { should exist }
-      its('enable32bit') { should cmp 'True' }
-      its('runtime_version') { should eq 'v4.0' }
-      its('pipeline_mode') { should eq 'Integrated' }
-    end
-  EXAMPLE
-
-  def initialize(pool_name)
-    @pool_name = pool_name
-    @pool_path = "IIS:\\AppPools\\#{@pool_name}"
-    @cache = nil
-
-    # verify that this resource is only supported on Windows
-    return skip_resource "The `iis_app_pool` resource is not supported on your OS." unless inspec.os.windows?
-  end
-
-  def pool_name
-    iis_app_pool[:pool_name]
-  end
-
-  def runtime_version
-    iis_app_pool[:version]
-  end
+module Inspec::Resources
+  class IisAppPool < Inspec.resource(1)
+    name "iis_app_pool"
+    desc "Tests IIS application pool configuration on windows."
+    supports platform: "windows"
+    example <<~EXAMPLE
+      describe iis_app_pool('DefaultAppPool') do
+        it { should exist }
+        its('enable32bit') { should cmp 'True' }
+        its('runtime_version') { should eq 'v4.0' }
+        its('pipeline_mode') { should eq 'Integrated' }
+      end
+    EXAMPLE
+
+    def initialize(pool_name)
+      @pool_name = pool_name
+      @pool_path = "IIS:\\AppPools\\#{@pool_name}"
+      @cache = nil
+
+      # verify that this resource is only supported on Windows
+      return skip_resource "The `iis_app_pool` resource is not supported on your OS." unless inspec.os.windows?
+    end
 
-  def enable32bit
-    iis_app_pool[:e32b]
-  end
+    def pool_name
+      iis_app_pool[:pool_name]
+    end
 
-  def pipeline_mode
-    iis_app_pool[:mode]
-  end
+    def runtime_version
+      iis_app_pool[:version]
+    end
 
-  def max_processes
-    iis_app_pool[:processes]
-  end
+    def enable32bit
+      iis_app_pool[:e32b]
+    end
 
-  def timeout
-    iis_app_pool[:timeout]
-  end
+    def pipeline_mode
+      iis_app_pool[:mode]
+    end
 
-  def timeout_days
-    iis_app_pool[:timeout_days]
-  end
+    def max_processes
+      iis_app_pool[:processes]
+    end
 
-  def timeout_hours
-    iis_app_pool[:timeout_hours]
-  end
+    def timeout
+      iis_app_pool[:timeout]
+    end
 
-  def timeout_minutes
-    iis_app_pool[:timeout_minutes]
-  end
+    def timeout_days
+      iis_app_pool[:timeout_days]
+    end
 
-  def timeout_seconds
-    iis_app_pool[:timeout_seconds]
-  end
+    def timeout_hours
+      iis_app_pool[:timeout_hours]
+    end
 
-  def user_identity_type
-    iis_app_pool[:user_identity_type]
-  end
+    def timeout_minutes
+      iis_app_pool[:timeout_minutes]
+    end
 
-  def username
-    iis_app_pool[:username]
-  end
+    def timeout_seconds
+      iis_app_pool[:timeout_seconds]
+    end
 
-  def exists?
-    !iis_app_pool[:pool_name].empty?
-  end
+    def user_identity_type
+      iis_app_pool[:user_identity_type]
+    end
 
-  def to_s
-    "IIS App Pool '#{@pool_name}'"
-  end
+    def username
+      iis_app_pool[:username]
+    end
 
-  private
+    def exists?
+      !iis_app_pool[:pool_name].empty?
+    end
 
-  def iis_app_pool
-    return @cache unless @cache.nil?
+    def to_s
+      "IIS App Pool '#{@pool_name}'"
+    end
 
-    # We use `-Compress` here to avoid a bug in PowerShell
-    # It does not affect validity of the output, only the representation
-    # See: https://github.com/inspec/inspec/pull/3842
-    script = <<~EOH
-      Import-Module WebAdministration
-      If (Test-Path '#{@pool_path}') {
-        Get-Item '#{@pool_path}' | Select-Object * | ConvertTo-Json -Compress
-      } Else {
-        Write-Host '{}'
+    private
+
+    def iis_app_pool
+      return @cache unless @cache.nil?
+
+      # We use `-Compress` here to avoid a bug in PowerShell
+      # It does not affect validity of the output, only the representation
+      # See: https://github.com/inspec/inspec/pull/3842
+      script = <<~EOH
+        Import-Module WebAdministration
+        If (Test-Path '#{@pool_path}') {
+          Get-Item '#{@pool_path}' | Select-Object * | ConvertTo-Json -Compress
+        } Else {
+          Write-Host '{}'
+        }
+      EOH
+      cmd = inspec.powershell(script)
+
+      begin
+        pool = JSON.parse(cmd.stdout)
+      rescue JSON::ParserError => _e
+        raise Inspec::Exceptions::ResourceFailed, "Unable to parse app pool JSON"
+      end
+
+      process_model = pool.fetch("processModel", {})
+      idle_timeout = process_model.fetch("idleTimeout", {})
+
+      # map our values to a hash table
+      @cache = {
+        pool_name: pool["name"],
+        version: pool["managedRuntimeVersion"],
+        e32b: pool["enable32BitAppOnWin64"],
+        mode: pool["managedPipelineMode"],
+        processes: process_model["maxProcesses"],
+        timeout: "#{idle_timeout["Hours"]}:#{idle_timeout["Minutes"]}:#{idle_timeout["Seconds"]}",
+        timeout_days: idle_timeout["Days"],
+        timeout_hours: idle_timeout["Hours"],
+        timeout_minutes: idle_timeout["Minutes"],
+        timeout_seconds: idle_timeout["Seconds"],
+        user_identity_type: process_model["identityType"],
+        username: process_model["userName"],
       }
-    EOH
-    cmd = inspec.powershell(script)
-
-    begin
-      pool = JSON.parse(cmd.stdout)
-    rescue JSON::ParserError => _e
-      raise Inspec::Exceptions::ResourceFailed, "Unable to parse app pool JSON"
-    end
-
-    process_model = pool.fetch("processModel", {})
-    idle_timeout = process_model.fetch("idleTimeout", {})
-
-    # map our values to a hash table
-    @cache = {
-      pool_name: pool["name"],
-      version: pool["managedRuntimeVersion"],
-      e32b: pool["enable32BitAppOnWin64"],
-      mode: pool["managedPipelineMode"],
-      processes: process_model["maxProcesses"],
-      timeout: "#{idle_timeout["Hours"]}:#{idle_timeout["Minutes"]}:#{idle_timeout["Seconds"]}",
-      timeout_days: idle_timeout["Days"],
-      timeout_hours: idle_timeout["Hours"],
-      timeout_minutes: idle_timeout["Minutes"],
-      timeout_seconds: idle_timeout["Seconds"],
-      user_identity_type: process_model["identityType"],
-      username: process_model["userName"],
-    }
+    end
   end
 end

data/lib/inspec/resources/service.rb

@@ -243,6 +243,13 @@ module Inspec::Resources
       info[:startmode]
     end
 
+    # returns the service's user from info
+    def startname
+      return nil if info.nil?
+
+      info[:startname]
+    end
+
     def to_s
       "Service #{@service_name}"
     end
@@ -575,12 +582,13 @@ module Inspec::Resources
     # Also see: https://msdn.microsoft.com/en-us/library/aa384896(v=vs.85).aspx
     # Use the following powershell to determine the start mode
     # PS: Get-WmiObject -Class Win32_Service | Where-Object {$_.Name -eq $name -or $_.DisplayName -eq $name} | Select-Object -Prop
-    # erty Name, StartMode, State, Status | ConvertTo-Json
+    # erty Name, StartMode, State, Status, StartName | ConvertTo-Json
     # {
     #     "Name":  "Dhcp",
     #     "StartMode":  "Auto",
     #     "State":  "Running",
-    #     "Status":  "OK"
+    #     "Status":  "OK",
+    #     "StartName":  "LocalSystem"
     # }
     #
     # Windows Services have the following status code:
@@ -593,7 +601,7 @@ module Inspec::Resources
     # - 6: Pause Pending
     # - 7: Paused
     def info(service_name)
-      cmd = inspec.command("New-Object -Type PSObject | Add-Member -MemberType NoteProperty -Name Service -Value (Get-Service -Name '#{service_name}'| Select-Object -Property Name, DisplayName, Status) -PassThru | Add-Member -MemberType NoteProperty -Name WMI -Value (Get-WmiObject -Class Win32_Service | Where-Object {$_.Name -eq '#{service_name}' -or $_.DisplayName -eq '#{service_name}'} | Select-Object -Property StartMode) -PassThru | ConvertTo-Json")
+      cmd = inspec.command("New-Object -Type PSObject | Add-Member -MemberType NoteProperty -Name Service -Value (Get-Service -Name '#{service_name}'| Select-Object -Property Name, DisplayName, Status) -PassThru | Add-Member -MemberType NoteProperty -Name WMI -Value (Get-WmiObject -Class Win32_Service | Where-Object {$_.Name -eq '#{service_name}' -or $_.DisplayName -eq '#{service_name}'} | Select-Object -Property StartMode, StartName) -PassThru | ConvertTo-Json")
 
       # cannot rely on exit code for now, successful command returns exit code 1
       # return nil if cmd.exit_status != 0
@@ -614,6 +622,7 @@ module Inspec::Resources
         running: service_running?(service),
         enabled: service_enabled?(service),
         startmode: service["WMI"]["StartMode"],
+        startname: service["WMI"]["StartName"],
         type: "windows",
       }
     end

data/lib/inspec/resources/ssl.rb

@@ -6,92 +6,94 @@ require "uri"
 require "parallel"
 
 # Custom resource based on the InSpec resource DSL
-class SSL < Inspec.resource(1)
-  name "ssl"
-  supports platform: "unix"
-  supports platform: "windows"
+module Inspec::Resources
+  class SSL < Inspec.resource(1)
+    name "ssl"
+    supports platform: "unix"
+    supports platform: "windows"
 
-  desc "
-    SSL test resource
-  "
+    desc "
+      SSL test resource
+    "
 
-  example <<~EXAMPLE
-    describe ssl(port: 443) do
-      it { should be_enabled }
-    end
+    example <<~EXAMPLE
+      describe ssl(port: 443) do
+        it { should be_enabled }
+      end
 
-    # protocols: ssl2, ssl3, tls1.0, tls1.1, tls1.2
-    describe ssl(port: 443).protocols('ssl2') do
-      it { should_not be_enabled }
-    end
+      # protocols: ssl2, ssl3, tls1.0, tls1.1, tls1.2
+      describe ssl(port: 443).protocols('ssl2') do
+        it { should_not be_enabled }
+      end
 
-    # any ciphers, filter by name or regex
-    describe ssl(port: 443).ciphers(/rc4/i) do
-      it { should_not be_enabled }
-    end
-  EXAMPLE
+      # any ciphers, filter by name or regex
+      describe ssl(port: 443).ciphers(/rc4/i) do
+        it { should_not be_enabled }
+      end
+    EXAMPLE
 
-  VERSIONS = [
-    "ssl2",
-    "ssl3",
-    "tls1.0",
-    "tls1.1",
-    "tls1.2",
-  ].freeze
+    VERSIONS = [
+      "ssl2",
+      "ssl3",
+      "tls1.0",
+      "tls1.1",
+      "tls1.2",
+    ].freeze
 
-  attr_reader :host, :port, :timeout, :retries
+    attr_reader :host, :port, :timeout, :retries
 
-  def initialize(opts = {})
-    @host = opts[:host]
-    if @host.nil?
-      # Transports like SSH and WinRM will provide a hostname
-      if inspec.backend.respond_to?("hostname")
-        @host = inspec.backend.hostname
-      elsif inspec.backend.class.to_s == "Train::Transports::Local::Connection"
-        @host = "localhost"
+    def initialize(opts = {})
+      @host = opts[:host]
+      if @host.nil?
+        # Transports like SSH and WinRM will provide a hostname
+        if inspec.backend.respond_to?("hostname")
+          @host = inspec.backend.hostname
+        elsif inspec.backend.class.to_s == "Train::Transports::Local::Connection"
+          @host = "localhost"
+        end
       end
+      @port = opts[:port] || 443
+      @timeout = opts[:timeout]
+      @retries = opts[:retries]
     end
-    @port = opts[:port] || 443
-    @timeout = opts[:timeout]
-    @retries = opts[:retries]
-  end
 
-  filter = FilterTable.create
-  filter.register_custom_matcher(:enabled?) do |x|
-    raise "Cannot determine host for SSL test. Please specify it or use a different target." if x.resource.host.nil?
+    filter = FilterTable.create
+    filter.register_custom_matcher(:enabled?) do |x|
+      raise "Cannot determine host for SSL test. Please specify it or use a different target." if x.resource.host.nil?
 
-    x.handshake.values.any? { |i| i["success"] }
-  end
-  filter.register_column(:ciphers, field: "cipher")
-    .register_column(:protocols, field: "protocol")
-    .register_custom_property(:handshake) do |x|
-      groups = x.entries.group_by(&:protocol)
-      res = Parallel.map(groups, in_threads: 8) do |proto, e|
-        [proto, SSLShake.hello(x.resource.host, port: x.resource.port,
-          protocol: proto, ciphers: e.map(&:cipher),
-          timeout: x.resource.timeout, retries: x.resource.retries, servername: x.resource.host)]
-      end
-      Hash[res]
+      x.handshake.values.any? { |i| i["success"] }
     end
-    .install_filter_methods_on_resource(self, :scan_config)
+    filter.register_column(:ciphers, field: "cipher")
+      .register_column(:protocols, field: "protocol")
+      .register_custom_property(:handshake) do |x|
+        groups = x.entries.group_by(&:protocol)
+        res = Parallel.map(groups, in_threads: 8) do |proto, e|
+          [proto, SSLShake.hello(x.resource.host, port: x.resource.port,
+            protocol: proto, ciphers: e.map(&:cipher),
+            timeout: x.resource.timeout, retries: x.resource.retries, servername: x.resource.host)]
+        end
+        Hash[res]
+      end
+      .install_filter_methods_on_resource(self, :scan_config)
 
-  def to_s
-    "SSL/TLS on #{@host}:#{@port}"
-  end
+    def to_s
+      "SSL/TLS on #{@host}:#{@port}"
+    end
 
-  private
+    private
 
-  def scan_config
-    [
-      { "protocol" => "ssl2", "ciphers" => SSLShake::SSLv2::CIPHERS.keys },
-      { "protocol" => "ssl3", "ciphers" => SSLShake::TLS::SSL3_CIPHERS.keys },
-      { "protocol" => "tls1.0", "ciphers" => SSLShake::TLS::TLS10_CIPHERS.keys },
-      { "protocol" => "tls1.1", "ciphers" => SSLShake::TLS::TLS10_CIPHERS.keys },
-      { "protocol" => "tls1.2", "ciphers" => SSLShake::TLS::TLS_CIPHERS.keys },
-    ].map do |line|
-      line["ciphers"].map do |cipher|
-        { "protocol" => line["protocol"], "cipher" => cipher }
-      end
-    end.flatten
+    def scan_config
+      [
+        { "protocol" => "ssl2", "ciphers" => SSLShake::SSLv2::CIPHERS.keys },
+        { "protocol" => "ssl3", "ciphers" => SSLShake::TLS::SSL3_CIPHERS.keys },
+        { "protocol" => "tls1.0", "ciphers" => SSLShake::TLS::TLS10_CIPHERS.keys },
+        { "protocol" => "tls1.1", "ciphers" => SSLShake::TLS::TLS10_CIPHERS.keys },
+        { "protocol" => "tls1.2", "ciphers" => SSLShake::TLS::TLS_CIPHERS.keys },
+      ].map do |line|
+        line["ciphers"].map do |cipher|
+          { "protocol" => line["protocol"], "cipher" => cipher }
+        end
+      end.flatten
+    end
   end
 end

data/lib/inspec/runner.rb

@@ -33,6 +33,7 @@ module Inspec
     extend Forwardable
 
     attr_reader :backend, :rules
+    attr_accessor :target_profiles
 
     def attributes
       Inspec.deprecate(:rename_attributes_to_inputs, "Don't call runner.attributes, call runner.inputs")