inspec 4.12.0 → 4.16.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 72aac2ba7eb1565ecbbd18436e96c770151f5be68b3bcc8897db7a0baee22621
-  data.tar.gz: 2466be933623846f985f9b66e3a572d617f516274ad2dc7b81d048b2ebe2d104
+  metadata.gz: 877fb588106fac603caf212f8224901fbad9d694097718b85382c40140989477
+  data.tar.gz: afc82cd0c4e59ddf7466c68f8a67a79288548f44fddb5b49b27726f8dbe2f05e
 SHA512:
-  metadata.gz: 269ccd7e103663bec2dd23058dc0481775b840f22a93a3cd81e8f8e0e5c774def3cd6ecaae12604f2c13fe6bcfd33864040acfa9a2ff3bf49e50c1111f5d7be9
-  data.tar.gz: 9f6b41d84be75a69cb1c405302f7c076f6192f16f506d8d4b958bf76e707057961a6ba692dadb528b39997140c1682ee9d2d328efd8d06f2249f104497c79b62
+  metadata.gz: 197367b25a88684493e27d1db0b070c2790d9373476f98b09fb11a5d213d50e4c971d26c9be8c4969833cbb87f09fa28c88be448303646bd26ca85374182af44
+  data.tar.gz: ac3787f1a29e222221edbeefa46c620fc59d2a6e712e2c1de8d3594de448473acd0700ba7880c1d2e82bd7b02804f161ad42421423940f36b8ffa8b43b0b90d1

data/etc/plugin_filters.json

@@ -25,10 +25,6 @@
       "plugin_name": "inspec-release",
       "rationale": "This gem is currently only a placeholder, waiting to be built."
     },
-    {
-      "plugin_name": "inspec-vault",
-      "rationale": "This gem is currently only a placeholder, waiting to be built."
-    },
     {
       "plugin_name": "train-vault",
       "rationale": "This gem is currently only a placeholder, waiting to be built."

data/lib/fetchers/git.rb

@@ -52,6 +52,7 @@ module Fetchers
       # processing, but then again, if you passed a relative path
       # to an on-disk repo, you probably expect it to exist.
       return url_or_file_path unless File.exist?(url_or_file_path)
+
       # It's important to expand this path, because it may be specified
       # locally in the metadata files, and when we clone, we will be
       # in a temp dir.
@@ -97,6 +98,7 @@ module Fetchers
 
     def cache_key
       return resolved_ref unless @relative_path
+
       OpenSSL::Digest::SHA256.hexdigest(resolved_ref + @relative_path)
     end
 

data/lib/inspec/base_cli.rb

@@ -133,6 +133,8 @@ module Inspec
       option :reporter, type: :array,
         banner: "one two:/output/file/path",
         desc: "Enable one or more output reporters: cli, documentation, html, progress, json, json-min, json-rspec, junit, yaml"
+      option :input, type: :array, banner: "name1=value1 name2=value2",
+        desc: "Specify one or more inputs directly on the command line, as --input NAME=VALUE"
       option :input_file, type: :array,
         desc: "Load one or more input files, a YAML file with values for the profile to use"
       option :attrs, type: :array,

data/lib/inspec/cli.rb

@@ -124,8 +124,8 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     else
       %w{location profile controls timestamp valid}.each do |item|
         prepared_string = format("%-12s %s",
-                                 "#{item.to_s.capitalize} :",
-                                 result[:summary][item.to_sym])
+          "#{item.to_s.capitalize} :",
+          result[:summary][item.to_sym])
         ui.plain_line(prepared_string)
       end
       puts

data/lib/inspec/config.rb

@@ -7,9 +7,12 @@ require "forwardable"
 require "thor"
 require "base64"
 require "inspec/base_cli"
+require "inspec/plugin/v2/filter"
 
 module Inspec
   class Config
+    include Inspec::Plugin::V2::FilterPredicates
+
     # These are options that apply to any transport
     GENERIC_CREDENTIALS = %w{
       backend
@@ -23,6 +26,11 @@ module Inspec
       shell_command
     }.freeze
 
+    KNOWN_VERSIONS = [
+      "1.1",
+      "1.2",
+    ].freeze
+
     extend Forwardable
 
     # Many parts of InSpec expect to treat the Config as a Hash
@@ -48,6 +56,7 @@ module Inspec
     def initialize(cli_opts = {}, cfg_io = nil, command_name = nil)
       @command_name = command_name || (ARGV.empty? ? nil : ARGV[0].to_sym)
       @defaults = Defaults.for_command(@command_name)
+      @plugin_cfg = {}
 
       @cli_opts = cli_opts.dup
       cfg_io = resolve_cfg_io(@cli_opts, cfg_io)
@@ -119,6 +128,13 @@ module Inspec
       end
     end
 
+    #-----------------------------------------------------------------------#
+    #                      Fetching Plugin Data
+    #-----------------------------------------------------------------------#
+    def fetch_plugin_config(plugin_name)
+      Thor::CoreExt::HashWithIndifferentAccess.new(@plugin_cfg[plugin_name] || {})
+    end
+
     private
 
     def _utc_merge_transport_options(credentials, transport_name)
@@ -285,16 +301,24 @@ module Inspec
       # Assume legacy format, which is unconstrained
       return unless version
 
-      unless version == "1.1"
-        raise Inspec::ConfigError::Invalid, "Unsupported config file version '#{version}' - currently supported versions: 1.1"
+      unless KNOWN_VERSIONS.include?(version)
+        raise Inspec::ConfigError::Invalid, "Unsupported config file version '#{version}' - currently supported versions: #{KNOWN_VERSIONS.join(",")}"
       end
 
+      # Use Gem::Version for comparision operators
+      cfg_version = Gem::Version.new(version)
+      version_1_2 = Gem::Version.new("1.2")
+
+      # TODO: proper schema version loading and validation
       valid_fields = %w{version cli_options credentials compliance reporter}.sort
+      valid_fields << "plugins" if cfg_version >= version_1_2
       @cfg_file_contents.keys.each do |seen_field|
         unless valid_fields.include?(seen_field)
           raise Inspec::ConfigError::Invalid, "Unrecognized top-level configuration field #{seen_field}.  Recognized fields: #{valid_fields.join(", ")}"
         end
       end
+
+      validate_plugins! if cfg_version >= version_1_2
     end
 
     def validate_reporters!(reporters)
@@ -334,6 +358,29 @@ module Inspec
       raise ArgumentError, "The option --reporter can only have a single report outputting to stdout." if stdout_reporters > 1
     end
 
+    def validate_plugins!
+      return unless @cfg_file_contents.key? "plugins"
+
+      data = @cfg_file_contents["plugins"]
+      unless data.is_a?(Hash)
+        raise Inspec::ConfigError::Invalid, "The 'plugin' field in your config file must be a hash (key-value list), not an array."
+      end
+
+      data.each do |plugin_name, plugin_settings|
+        # Enforce that every key is a valid inspec or train plugin name
+        unless valid_plugin_name?(plugin_name)
+          raise Inspec::ConfigError::Invalid, "Plugin settings should ne named after the the InSpec or Train plugin. Valid names must begin with inspec- or train-, not '#{plugin_name}' "
+        end
+
+        # Enforce that every entry is hash-valued
+        unless plugin_settings.is_a?(Hash)
+          raise Inspec::ConfigError::Invalid, "The plugin settings for '#{plugin_name}' in your config file should be a Hash (key-value list)."
+        end
+      end
+
+      @plugin_cfg = data
+    end
+
     #-----------------------------------------------------------------------#
     #                         Merging Options
     #-----------------------------------------------------------------------#

data/lib/inspec/input_registry.rb

@@ -64,6 +64,9 @@ module Inspec
     #-------------------------------------------------------------#
 
     def find_or_register_input(input_name, profile_name, options = {})
+      input_name = input_name.to_s
+      profile_name = profile_name.to_s
+
       if profile_alias?(profile_name) && !profile_aliases[profile_name].nil?
         alias_name = profile_name
         profile_name = profile_aliases[profile_name]
@@ -132,10 +135,37 @@ module Inspec
       bind_inputs_from_metadata(profile_name, sources[:profile_metadata])
       bind_inputs_from_input_files(profile_name, sources[:cli_input_files])
       bind_inputs_from_runner_api(profile_name, sources[:runner_api])
+      bind_inputs_from_cli_args(profile_name, sources[:cli_input_arg])
     end
 
     private
 
+    def bind_inputs_from_cli_args(profile_name, input_list)
+      # TODO: move this into a core plugin
+
+      return if input_list.nil?
+      return if input_list.empty?
+
+      # These arrive as an array of "name=value" strings
+      # If the user used a comma, we'll see unfortunately see it as "name=value," pairs
+      input_list.each do |pair|
+        unless pair.include?("=")
+          if pair.end_with?(".yaml")
+            raise ArgumentError, "ERROR: --input is used for individual input values, as --input name=value. Use --input-file to load a YAML file."
+          else
+            raise ArgumentError, "ERROR: An '=' is required when using --input. Usage: --input input_name1=input_value1 input2=value2"
+          end
+        end
+        input_name, input_value = pair.split("=")
+        evt = Inspec::Input::Event.new(
+          value: input_value.chomp(","), # Trim trailing comma if any
+          provider: :cli,
+          priority: 50
+        )
+        find_or_register_input(input_name, profile_name, event: evt)
+      end
+    end
+
     def bind_inputs_from_runner_api(profile_name, input_hash)
       # TODO: move this into a core plugin
 

data/lib/inspec/metadata.rb

@@ -88,6 +88,10 @@ module Inspec
         errors.push("Version needs to be in SemVer format")
       end
 
+      unless supports_runtime?
+        warnings.push("The current inspec version #{Inspec::VERSION} cannot satisfy profile inspec_version constraint #{params[:inspec_version]}")
+      end
+
       %w{title summary maintainer copyright license}.each do |field|
         next unless params[field.to_sym].nil?
 

data/lib/inspec/plugin/v1/plugin_types/resource.rb

@@ -81,17 +81,13 @@ module Inspec
           @resource_skipped = false
           @resource_failed = false
           @supports = Inspec::Resource.supports[name]
+          @resource_exception_message = nil
 
           # attach the backend to this instance
           @__backend_runner__ = backend
           @__resource_name__ = name
 
-          # check resource supports
-          supported = true
-          supported = check_supports unless @supports.nil?
-          test_backend = defined?(Train::Transports::Mock::Connection) && backend.backend.class == Train::Transports::Mock::Connection
-          # do not return if we are supported, or for tests
-          return unless supported || test_backend
+          check_supports unless @supports.nil? # this has side effects
 
           # call the resource initializer
           begin
@@ -100,12 +96,10 @@ module Inspec
             skip_resource(e.message)
           rescue Inspec::Exceptions::ResourceFailed => e
             fail_resource(e.message)
+          rescue NotImplementedError => e
+            fail_resource(e.message) unless @resource_failed
           rescue NoMethodError => e
-            # The new platform resources have methods generated on the fly
-            # for inspec check to work we need to skip these train errors
-            raise unless test_backend && e.receiver.class == Train::Transports::Mock::Connection
-
-            skip_resource(e.message)
+            skip_resource(e.message) unless @resource_failed
           end
         end
 

data/lib/inspec/plugin/v2/filter.rb

@@ -2,6 +2,8 @@ require "singleton"
 require "json"
 require "inspec/globals"
 
+module Inspec::Plugin; end
+
 module Inspec::Plugin::V2
   Exclusion = Struct.new(:plugin_name, :rationale)
 
@@ -60,4 +62,35 @@ module Inspec::Plugin::V2
       end
     end
   end
+
+  # To be a valid plugin name, the plugin must beign with either
+  # inspec- or train-, AND ALSO not be on the exclusion list.
+  # We maintain this exclusion list to avoid confusing users.
+  # For example, we want to have a real gem named inspec-test-fixture,
+  # but we don't want the users to see that.
+  module FilterPredicates
+    def train_plugin_name?(name)
+      valid_plugin_name?(name, :train)
+    end
+
+    def inspec_plugin_name?(name)
+      valid_plugin_name?(name, :inspec)
+    end
+
+    def valid_plugin_name?(name, kind = :either)
+      # Must have a permitted prefix.
+      return false unless case kind
+      when :inspec
+        name.to_s.start_with?("inspec-")
+      when :train
+        name.to_s.start_with?("train-")
+      when :either
+        name.to_s.match(/^(inspec|train)-/)
+      else false
+      end # rubocop: disable Layout/EndAlignment
+
+      # And must not be on the exclusion list.
+      ! Inspec::Plugin::V2::PluginFilter.exclude?(name)
+    end
+  end
 end

data/lib/inspec/plugin/v2/installer.rb

@@ -60,14 +60,15 @@ module Inspec::Plugin::V2
       # TODO: - check plugins.json for validity before trying anything that needs to modify it.
       validate_installation_opts(plugin_name, opts)
 
-      # TODO: change all of these to return installed spec/gem/thingy
       # TODO: return installed thingy
       if opts[:path]
         install_from_path(plugin_name, opts)
       elsif opts[:gem_file]
-        install_from_gem_file(plugin_name, opts)
+        gem_version = install_from_gem_file(plugin_name, opts)
+        opts[:version] = gem_version.to_s
       else
-        install_from_remote_gems(plugin_name, opts)
+        gem_version = install_from_remote_gems(plugin_name, opts)
+        opts[:version] = gem_version.to_s
       end
 
       update_plugin_config_file(plugin_name, opts.merge({ action: :install }))
@@ -88,9 +89,9 @@ module Inspec::Plugin::V2
 
       # TODO: Handle installing from a local file
       # TODO: Perform dependency checks to make sure the new solution is valid
-      install_from_remote_gems(plugin_name, opts)
+      gem_version = install_from_remote_gems(plugin_name, opts)
 
-      update_plugin_config_file(plugin_name, opts.merge({ action: :update }))
+      update_plugin_config_file(plugin_name, opts.merge({ action: :update, version: gem_version.to_s }))
     end
 
     # Uninstalls (removes) a plugin. Refers to plugin.json to determine if it
@@ -335,13 +336,15 @@ module Inspec::Plugin::V2
       # not obliged to during packaging.)
       # So, after each install, run a scan for all gem(specs) we manage, and copy in their gemspec file
       # into the exploded gem source area if absent.
-
       loader.list_managed_gems.each do |spec|
         path_inside_source = File.join(spec.gem_dir, "#{spec.name}.gemspec")
         unless File.exist?(path_inside_source)
           File.write(path_inside_source, spec.to_ruby)
         end
       end
+
+      # Locate the GemVersion for the new dependency and return it
+      solution.detect { |g| g.name == new_plugin_dependency.name }.version
     end
 
     #===================================================================#
@@ -365,7 +368,7 @@ module Inspec::Plugin::V2
       # excluding any that are path-or-core-based, excluding the gem to be removed
       plugin_deps_we_still_must_satisfy = registry.plugin_statuses
       plugin_deps_we_still_must_satisfy = plugin_deps_we_still_must_satisfy.select do |status|
-        status.installation_type == :gem && status.name != plugin_name_to_be_removed.to_sym
+        status.installation_type == :user_gem && status.name != plugin_name_to_be_removed.to_sym
       end
       plugin_deps_we_still_must_satisfy = plugin_deps_we_still_must_satisfy.map do |status|
         constraint = status.version || "> 0"

data/lib/inspec/plugin/v2/loader.rb

@@ -1,5 +1,6 @@
 require "inspec/log"
 require "inspec/plugin/v2/config_file"
+require "inspec/plugin/v2/filter"
 
 # Add the current directory of the process to the load path
 $LOAD_PATH.unshift(".") unless $LOAD_PATH.include?(".")
@@ -11,9 +12,16 @@ module Inspec::Plugin::V2
   class Loader
     attr_reader :conf_file, :registry, :options
 
+    # For {inspec|train}_plugin_name?
+    include Inspec::Plugin::V2::FilterPredicates
+    extend Inspec::Plugin::V2::FilterPredicates
+
     def initialize(options = {})
       @options = options
       @registry = Inspec::Plugin::V2::Registry.instance
+
+      # User plugins are those installed by the user via `inspec plugin install`
+      # and are installed under ~/.inspec/gems
       unless options[:omit_user_plugins]
         @conf_file = Inspec::Plugin::V2::ConfigFile.new
         read_conf_file_into_registry
@@ -27,9 +35,8 @@ module Inspec::Plugin::V2
       # and may be safely loaded
       detect_core_plugins unless options[:omit_core_plugins]
 
-      # Train plugins aren't InSpec plugins (they don't use our API)
-      # but InSpec CLI manages them.  So, we have to wrap them a bit.
-      accommodate_train_plugins
+      # Identify plugins that inspec is co-installed with
+      detect_system_plugins unless options[:omit_sys_plugins]
     end
 
     def load_all
@@ -46,7 +53,7 @@ module Inspec::Plugin::V2
         begin
           # We could use require, but under testing, we need to repeatedly reload the same
           # plugin.  However, gems only work with require (rubygems dooes not overload `load`)
-          if plugin_details.installation_type == :gem
+          if plugin_details.installation_type == :user_gem
             activate_managed_gems_for_plugin(plugin_name)
             require plugin_details.entry_point
           else
@@ -130,10 +137,11 @@ module Inspec::Plugin::V2
     end
 
     # Lists all plugin gems found in the plugin_gem_path.
-    # This is simply all gems that begin with train- or inspec-.
+    # This is simply all gems that begin with train- or inspec-
+    # and are not on the exclusion list.
     # @return [Array[Gem::Specification]] Specs of all gems found.
     def self.list_installed_plugin_gems
-      list_managed_gems.select { |spec| spec.name.match(/^(inspec|train)-/) }
+      list_managed_gems.select { |spec| valid_plugin_name?(spec.name) }
     end
 
     def list_installed_plugin_gems
@@ -234,34 +242,70 @@ module Inspec::Plugin::V2
       end
     end
 
-    def accommodate_train_plugins
-      registry.plugin_names.map(&:to_s).grep(/^train-/).each do |train_plugin_name|
-        status = registry[train_plugin_name.to_sym]
-        status.api_generation = :'train-1'
-
-        if status.installation_type == :gem
-          # Activate the gem. This allows train to 'require' the gem later.
-          activate_managed_gems_for_plugin(train_plugin_name)
-        end
-      end
-    end
-
     def read_conf_file_into_registry
       conf_file.each do |plugin_entry|
         status = Inspec::Plugin::V2::Status.new
         status.name = plugin_entry[:name]
         status.loaded = false
-        status.installation_type = (plugin_entry[:installation_type] || :gem)
+        status.installation_type = (plugin_entry[:installation_type] || :user_gem)
         case status.installation_type
-        when :gem
+        when :user_gem
           status.entry_point = status.name.to_s
           status.version = plugin_entry[:version]
         when :path
           status.entry_point = plugin_entry[:installation_path]
         end
 
+        # Train plugins are not true InSpec plugins; we need to decorate them a
+        # bit more to integrate them.
+        fixup_train_plugin_status(status) if train_plugin_name?(plugin_entry[:name])
+
         registry[status.name] = status
       end
     end
+
+    def fixup_train_plugin_status(status)
+      status.api_generation = :'train-1'
+      if status.installation_type == :user_gem
+        # Activate the gem. This allows train to 'require' the gem later.
+        activate_managed_gems_for_plugin(status.entry_point)
+      end
+    end
+
+    def detect_system_plugins
+      # Find the gemspec for inspec
+      inspec_gemspec = Gem::Specification.find_by_name("inspec", "=#{Inspec::VERSION}")
+
+      # Make a RequestSet that represents the dependencies of inspec
+      inspec_deps_request_set = Gem::RequestSet.new(*inspec_gemspec.dependencies)
+      inspec_deps_request_set.remote = false
+
+      # Resolve the request against the installed gem universe
+      gem_resolver = Gem::Resolver::CurrentSet.new
+      runtime_solution = inspec_deps_request_set.resolve(gem_resolver)
+
+      inspec_gemspec.dependencies.each do |inspec_dep|
+        next unless inspec_plugin_name?(inspec_dep.name) || train_plugin_name?(inspec_dep.name)
+
+        plugin_spec = runtime_solution.detect { |s| s.name == inspec_dep.name }.spec
+
+        status = Inspec::Plugin::V2::Status.new
+        status.name = inspec_dep.name
+        status.entry_point = inspec_dep.name # gem-based, just 'require' the name
+        status.version = plugin_spec.version.to_s
+        status.loaded = false
+        status.installation_type = :system_gem
+
+        if train_plugin_name?(status[:name])
+          # Train plugins are not true InSpec plugins; we need to decorate them a
+          # bit more to integrate them.
+          fixup_train_plugin_status(status)
+        else
+          status.api_generation = 2
+        end
+
+        registry[status.name.to_sym] = status
+      end
+    end
   end
 end