inspec 4.16.0 → 4.17.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 877fb588106fac603caf212f8224901fbad9d694097718b85382c40140989477
-  data.tar.gz: afc82cd0c4e59ddf7466c68f8a67a79288548f44fddb5b49b27726f8dbe2f05e
+  metadata.gz: a2c29f41f20501e3eb5820dd06a6ff60cec6f4c5af386f820c819f8e58651a81
+  data.tar.gz: b7eb018efcf58fcc215e5188f29c3207be4cc3046da1683bef3f58de3fb42c1d
 SHA512:
-  metadata.gz: 197367b25a88684493e27d1db0b070c2790d9373476f98b09fb11a5d213d50e4c971d26c9be8c4969833cbb87f09fa28c88be448303646bd26ca85374182af44
-  data.tar.gz: ac3787f1a29e222221edbeefa46c620fc59d2a6e712e2c1de8d3594de448473acd0700ba7880c1d2e82bd7b02804f161ad42421423940f36b8ffa8b43b0b90d1
+  metadata.gz: 0b7b9738ff7701f7a4d1a61797c2353c06fc437102b5202f7e83857c4ba40189c2ab0d2b17ec34649bb18fa4a6b851040b6f0be6f3c719cfc62f01bfe67af111
+  data.tar.gz: c291eae358770b3af3ebca51acaf38105c609867084ed94262b1079f3a903ce6365d6e3e60c446ef51b1e74d8b23351ba9056dea18b3f421e78223b82ea55718

data/lib/inspec.rb

@@ -28,4 +28,3 @@ require "inspec/base_cli"
 require "inspec/fetcher"
 require "inspec/source_reader"
 require "inspec/resource"
-require "inspec/resources"

data/lib/inspec/backend.rb

@@ -4,6 +4,7 @@ require "train"
 require "inspec/config"
 require "inspec/version"
 require "inspec/resource"
+require "inspec/dsl" # for method_missing_resource
 
 module Inspec
   module Backend
@@ -77,6 +78,12 @@ module Inspec
           connection
         end
 
+        def method_missing(id, *args, &blk)
+          Inspec::DSL.method_missing_resource(self, id, *args)
+        rescue LoadError
+          super
+        end
+
         Inspec::Resource.registry.each do |id, r|
           define_method id.to_sym do |*args|
             r.new(self, id.to_s, *args)

data/lib/inspec/base_cli.rb

@@ -137,6 +137,8 @@ module Inspec
         desc: "Specify one or more inputs directly on the command line, as --input NAME=VALUE"
       option :input_file, type: :array,
         desc: "Load one or more input files, a YAML file with values for the profile to use"
+      option :waiver_file, type: :array,
+        desc: "Load one or more waiver files."
       option :attrs, type: :array,
         desc: "Legacy name for --input-file - deprecated."
       option :create_lockfile, type: :boolean,

data/lib/inspec/cli.rb

@@ -64,7 +64,6 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     desc: "A list of controls to include. Ignore all other tests."
   profile_options
   def json(target)
-    require "inspec/resources"
     require "json"
 
     o = config
@@ -103,8 +102,6 @@ class Inspec::InspecCLI < Inspec::BaseCLI
   option :format, type: :string
   profile_options
   def check(path) # rubocop:disable Metrics/AbcSize,Metrics/MethodLength
-    require "inspec/resources"
-
     o = config
     diagnose(o)
     o["log_location"] ||= STDERR if o["format"] == "json"
@@ -157,8 +154,6 @@ class Inspec::InspecCLI < Inspec::BaseCLI
   option :overwrite, type: :boolean, default: false,
     desc: "Overwrite existing vendored dependencies and lockfile."
   def vendor(path = nil)
-    require "inspec/resources"
-
     o = config
     configure_logger(o)
     o[:logger] = Logger.new($stdout)
@@ -180,8 +175,6 @@ class Inspec::InspecCLI < Inspec::BaseCLI
   option :ignore_errors, type: :boolean, default: false,
     desc: "Ignore profile warnings."
   def archive(path)
-    require "inspec/resources"
-
     o = config
     diagnose(o)
 
@@ -208,9 +201,9 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     pretty_handle_exception(e)
   end
 
-  desc "exec LOCATIONS", "run all test files at the specified LOCATIONS."
-  # TODO: find a way for Thor not to butcher the formatting of this
-  long_desc <<~EOT
+  desc "exec LOCATIONS", <<~EOT
+    Run all test files at the specified LOCATIONS.
+
     Loads the given profile(s) and fetches their dependencies if needed. Then
     connects to the target and executes any controls contained in the profiles.
     One or more reporters are used to generate output.

data/lib/inspec/config.rb

@@ -203,8 +203,7 @@ module Inspec
 
     def _utc_find_credset_name(_credentials, transport_name)
       return nil unless final_options[:target]
-
-      match = final_options[:target].match(%r{^#{transport_name}://(?<credset_name>[\w\d\-]+)$})
+      match = final_options[:target].match(%r{^#{transport_name}://(?<credset_name>[\w\-]+)$})
       match ? match[:credset_name] : nil
     end
 
@@ -221,8 +220,8 @@ module Inspec
 
       path = determine_cfg_path(cli_opts)
 
-      cfg_io = File.open(path) if path
-      cfg_io || StringIO.new('{ "version": "1.1" }')
+      ver = KNOWN_VERSIONS.max
+      path ? File.open(path) : StringIO.new({ "version" => ver }.to_json)
     end
 
     def check_for_piped_config(cli_opts)

data/lib/inspec/control_eval_context.rb

@@ -66,9 +66,11 @@ module Inspec
             # We still haven't called it, so do so now.
             send(method_name, *arguments, &block)
           else
-            # If we couldn't find a plugin to match, maybe something up above has it,
-            # or maybe it is just a unknown method error.
-            super
+            begin
+              Inspec::DSL.method_missing_resource(inspec, method_name, *arguments)
+            rescue LoadError
+              super
+            end
           end
         end
 

data/lib/inspec/dsl.rb

@@ -3,6 +3,8 @@ require "inspec/log"
 require "inspec/plugin/v2"
 
 module Inspec::DSL
+  attr_accessor :backend
+
   def require_controls(id, &block)
     opts = { profile_id: id, include_all: false, backend: @backend, conf: @conf, dependencies: @dependencies }
     ::Inspec::DSL.load_spec_files_for_profile(self, opts, &block)
@@ -25,6 +27,23 @@ module Inspec::DSL
     add_resource(target_name, res)
   end
 
+  ##
+  # Try to load and instantiate a missing resource or raise LoadError
+  # if unable. Requiring the resource registers it and generates a
+  # method for it so you should only hit this once per missing
+  # resource.
+
+  def self.method_missing_resource(backend, id, *arguments)
+    begin
+      require "inspec/resources/#{id}"
+    rescue LoadError
+      require "resources/aws/#{id}"
+    end
+
+    klass = Inspec::Resource.registry[id.to_s]
+    klass.new(backend, id, *arguments)
+  end
+
   # Support for Outer Profile DSL plugins
   # This is called when an unknown method is encountered
   # "bare" in a control file - outside of a control or describe block.
@@ -44,7 +63,11 @@ module Inspec::DSL
       # We still haven't called it, so do so now.
       send(method_name, *arguments, &block)
     else
-      super
+      begin
+        Inspec::DSL.method_missing_resource(backend, method_name, *arguments)
+      rescue LoadError
+        super
+      end
     end
   end
 

data/lib/inspec/errors.rb

@@ -14,31 +14,5 @@ module Inspec
   class ConfigError::MalformedJson < ConfigError; end
   class ConfigError::Invalid < ConfigError; end
 
-  class Input
-    class Error < Inspec::Error; end
-    class ValidationError < Error
-      attr_accessor :input_name
-      attr_accessor :input_value
-      attr_accessor :input_type
-    end
-    class TypeError < Error
-      attr_accessor :input_type
-    end
-    class RequiredError < Error
-      attr_accessor :input_name
-    end
-  end
-
-  class InputRegistry
-    class Error < Inspec::Error; end
-    class ProfileLookupError < Error
-      attr_accessor :profile_name
-    end
-    class InputLookupError < Error
-      attr_accessor :profile_name
-      attr_accessor :input_name
-    end
-  end
-
   class UserInteractionRequired < Error; end
 end

data/lib/inspec/file_provider.rb

@@ -51,7 +51,7 @@ module Inspec
     def relative_provider
       RelativeFileProvider.new(self)
     end
-  end
+  end # class FileProvider
 
   class MockProvider < FileProvider
     attr_reader :files
@@ -89,7 +89,7 @@ module Inspec
 
       File.binread(file)
     end
-  end
+  end # class DirProvider
 
   class ZipProvider < FileProvider
     attr_reader :files
@@ -146,7 +146,7 @@ module Inspec
       end
       res
     end
-  end
+  end # class ZipProvider
 
   class TarProvider < FileProvider
     attr_reader :files
@@ -154,42 +154,48 @@ module Inspec
     def initialize(path)
       @path = path
       @contents = {}
-      @files = []
-      walk_tar(@path) do |tar|
-        @files = tar.find_all(&:file?)
 
-        # delete all entries with no name
-        @files = @files.find_all { |x| !x.full_name.empty? && x.full_name.squeeze("/") !~ %r{\.{2}(?:/|\z)} }
+      here = Pathname.new(".")
 
-        # delete all entries that have a PaxHeader
-        @files = @files.delete_if { |x| x.full_name.include?("PaxHeader/") }
+      walk_tar(@path) do |entries|
+        entries.each do |entry|
+          name = entry.full_name
 
-        # replace all items of the array simply with the relative filename of the file
-        @files.map! { |x| Pathname.new(x.full_name).relative_path_from(Pathname.new(".")).to_s }
+          # rubocop:disable Layout/MultilineOperationIndentation
+          # rubocop:disable Style/ParenthesesAroundCondition
+          next unless (entry.file? &&              # duh
+                       !name.empty? &&             # for empty filenames?
+                       name !~ %r{\.\.(?:/|\z)} && # .. (to avoid attacks?)
+                       !name.include?("PaxHeader/"))
+
+          path = Pathname.new(name).relative_path_from(here).to_s
+
+          @contents[path] = begin # not ||= in a tarball, last one wins
+                              res = entry.read
+                              try = res.dup
+                              try.force_encoding Encoding::UTF_8
+                              res = try if try.valid_encoding?
+                              res
+                            end
+        end
+
+        @files = @contents.keys
       end
     end
 
     def extract(destination_path = ".")
       FileUtils.mkdir_p(destination_path)
 
-      walk_tar(@path) do |files|
-        files.each do |file|
-          next unless @files.include?(file.full_name)
-
-          final_path = File.join(destination_path, file.full_name)
-
-          # This removes the top level directory (and any other files) to ensure
-          # extracted files do not conflict.
-          FileUtils.remove_entry(final_path) if File.exist?(final_path)
+      @contents.each do |path, body|
+        full_path = File.join(destination_path, path)
 
-          FileUtils.mkdir_p(File.dirname(final_path))
-          File.open(final_path, "wb") { |f| f.write(file.read) }
-        end
+        FileUtils.mkdir_p(File.dirname(full_path))
+        File.open(full_path, "wb") { |f| f.write(body) }
       end
     end
 
     def read(file)
-      @contents[file] ||= read_from_tar(file)
+      @contents[file]
     end
 
     private
@@ -200,23 +206,7 @@ module Inspec
     ensure
       tar_file.close
     end
-
-    def read_from_tar(file)
-      return nil unless @files.include?(file)
-
-      res = nil
-      # NB `TarReader` includes `Enumerable` beginning with Ruby 2.x
-      walk_tar(@path) do |tar|
-        tar.each do |entry|
-          next unless entry.file? && [file, "./#{file}"].include?(entry.full_name)
-
-          res = entry.read
-          break
-        end
-      end
-      res
-    end
-  end
+  end # class TarProvider
 
   class RelativeFileProvider
     BLACKLIST_FILES = [
@@ -318,5 +308,5 @@ module Inspec
       b = File.dirname(new_pre + "b")
       get_prefix([a, b])
     end
-  end
+  end # class RelativeFileProvider
 end

data/lib/inspec/formatters/base.rb

@@ -158,6 +158,7 @@ module Inspec::Formatters
         start_time: example.execution_result.started_at.to_datetime.rfc3339.to_s,
         resource_title: example.metadata[:described_class] || example.metadata[:example_group][:description],
         expectation_message: format_expectation_message(example),
+        waiver_data: example.metadata[:waiver_data],
       }
 
       unless (pid = example.metadata[:profile_id]).nil?

data/lib/inspec/impact.rb

@@ -1,3 +1,5 @@
+require "inspec/errors"
+
 # Impact scores based off CVSS 3.0
 module Inspec::Impact
   IMPACT_SCORES = {

data/lib/inspec/input.rb

@@ -0,0 +1,410 @@
+require "inspec/utils/deprecation"
+
+# For backwards compatibility during the rename (see #3802),
+# maintain the Inspec::Attribute namespace for people checking for
+# Inspec::Attribute::DEFAULT_ATTRIBUTE
+module Inspec
+  class Attribute
+    # This only exists to create the Inspec::Attribute::DEFAULT_ATTRIBUTE symbol with a class
+    class DEFAULT_ATTRIBUTE; end # rubocop: disable Naming/ClassAndModuleCamelCase
+  end
+end
+
+module Inspec
+  class Input
+
+    class Error < Inspec::Error; end
+    class ValidationError < Error
+      attr_accessor :input_name
+      attr_accessor :input_value
+      attr_accessor :input_type
+    end
+    class TypeError < Error
+      attr_accessor :input_type
+    end
+    class RequiredError < Error
+      attr_accessor :input_name
+    end
+
+    #===========================================================================#
+    #                        Class Input::Event
+    #===========================================================================#
+
+    # TODO: break this out to its own file under inspec/input?
+    # Information about how the input obtained its value.
+    # Each time it changes, an Input::Event is added to the #events array.
+    class Event
+      EVENT_PROPERTIES = [
+        :action,   # :create, :set, :fetch
+        :provider, # Name of the plugin
+        :priority, # Priority of this plugin for resolving conflicts.  1-100, higher numbers win.
+        :value,    # New value, if provided.
+        :file,     # File containing the input-changing action, if known
+        :line,     # Line in file containing the input-changing action, if known
+        :hit,      # if action is :fetch, true if the remote source had the input
+      ].freeze
+
+      # Value has a special handler
+      EVENT_PROPERTIES.reject { |p| p == :value }.each do |prop|
+        attr_accessor prop
+      end
+
+      attr_reader :value
+
+      def initialize(properties = {})
+        @value_has_been_set = false
+
+        properties.each do |prop_name, prop_value|
+          if EVENT_PROPERTIES.include? prop_name
+            # OK, save the property
+            send((prop_name.to_s + "=").to_sym, prop_value)
+          else
+            raise "Unrecognized property to Input::Event: #{prop_name}"
+          end
+        end
+      end
+
+      def value=(the_val)
+        # Even if set to nil or false, it has indeed been set; note that fact.
+        @value_has_been_set = true
+        @value = the_val
+      end
+
+      def value_has_been_set?
+        @value_has_been_set
+      end
+
+      def diagnostic_string
+        to_h.reject { |_, val| val.nil? }.to_a.map { |pair| "#{pair[0]}: '#{pair[1]}'" }.join(", ")
+      end
+
+      def to_h
+        EVENT_PROPERTIES.each_with_object({}) do |prop, hash|
+          hash[prop] = send(prop)
+        end
+      end
+
+      def self.probe_stack
+        frames = caller_locations(2, 40)
+        frames.reject! { |f| f.path && f.path.include?("/lib/inspec/") }
+        frames.first
+      end
+    end # class Event
+
+    #===========================================================================#
+    #                    Class NO_VALUE_SET
+    #===========================================================================#
+    # This special class is used to represent the value when an input has
+    # not been assigned a value. This allows a user to explicitly assign nil
+    # to an input.
+    class NO_VALUE_SET # rubocop: disable Naming/ClassAndModuleCamelCase
+      def initialize(name)
+        @name = name
+
+        # output warn message if we are in a exec call
+        if Inspec::BaseCLI.inspec_cli_command == :exec
+          Inspec::Log.warn(
+            "Input '#{@name}' does not have a value. "\
+            "Use --input-file to provide a value for '#{@name}' or specify a  "\
+            "value with `attribute('#{@name}', value: 'somevalue', ...)`."
+          )
+        end
+      end
+
+      def method_missing(*_)
+        self
+      end
+
+      def respond_to_missing?(_, _)
+        true
+      end
+
+      def to_s
+        "Input '#{@name}' does not have a value. Skipping test."
+      end
+
+      def is_a?(klass)
+        if klass == Inspec::Attribute::DEFAULT_ATTRIBUTE
+          Inspec.deprecate(:rename_attributes_to_inputs, "Don't check for `is_a?(Inspec::Attribute::DEFAULT_ATTRIBUTE)`, check for `Inspec::Input::NO_VALUE_SET")
+          true # lie for backward compatibility
+        else
+          super(klass)
+        end
+      end
+
+      def kind_of?(klass)
+        if klass == Inspec::Attribute::DEFAULT_ATTRIBUTE
+          Inspec.deprecate(:rename_attributes_to_inputs, "Don't check for `kind_of?(Inspec::Attribute::DEFAULT_ATTRIBUTE)`, check for `Inspec::Input::NO_VALUE_SET")
+          true # lie for backward compatibility
+        else
+          super(klass)
+        end
+      end
+    end # class NO_VALUE_SET
+
+    #===========================================================================#
+    #                       Class Inspec::Input
+    #===========================================================================#
+
+    # Validation types for input values
+    VALID_TYPES = %w{
+      String
+      Numeric
+      Regexp
+      Array
+      Hash
+      Boolean
+      Any
+    }.freeze
+
+    # TODO: this is not used anywhere?
+    # If you call `input` in a control file, the input will receive this priority.
+    # You can override that with a :priority option.
+    DEFAULT_PRIORITY_FOR_DSL_ATTRIBUTES = 20
+
+    # If you somehow manage to initialize an Input outside of the DSL,
+    # AND you don't provide an Input::Event, this is the priority you get.
+    DEFAULT_PRIORITY_FOR_UNKNOWN_CALLER = 10
+
+    # If you directly call value=, this is the priority assigned.
+    # This is the highest priority within InSpec core; though plugins
+    # are free to go higher.
+    DEFAULT_PRIORITY_FOR_VALUE_SET = 60
+
+    attr_reader :description, :events, :identifier, :name, :required, :title, :type
+
+    def initialize(name, options = {})
+      @name = name
+      @opts = options
+      if @opts.key?(:default)
+        Inspec.deprecate(:attrs_value_replaces_default, "input name: '#{name}'")
+        if @opts.key?(:value)
+          Inspec::Log.warn "Input #{@name} created using both :default and :value options - ignoring :default"
+          @opts.delete(:default)
+        end
+      end
+
+      # Array of Input::Event objects.  These compete with one another to determine
+      # the value of the input when value() is called, as well as providing a
+      # debugging record of when and how the value changed.
+      @events = []
+      events.push make_creation_event(options)
+
+      update(options)
+    end
+
+    # TODO: is this here just for testing?
+    def set_events
+      events.select { |e| e.action == :set }
+    end
+
+    def diagnostic_string
+      "Input #{name}, with history:\n" +
+        events.map(&:diagnostic_string).map { |line| "  #{line}" }.join("\n")
+    end
+
+    #--------------------------------------------------------------------------#
+    #                           Managing Value
+    #--------------------------------------------------------------------------#
+
+    def update(options)
+      _update_set_metadata(options)
+      normalize_type_restriction!
+
+      # Values are set by passing events in; but we can also infer an event.
+      if options.key?(:value) || options.key?(:default)
+        if options.key?(:event)
+          if options.key?(:value) || options.key?(:default)
+            Inspec::Log.warn "Do not provide both an Event and a value as an option to attribute('#{name}') - using value from event"
+          end
+        else
+          self.class.infer_event(options) # Sets options[:event]
+        end
+      end
+      events << options[:event] if options.key? :event
+
+      enforce_type_restriction!
+    end
+
+    # We can determine a value:
+    # 1. By event.value (preferred)
+    # 2. By options[:value]
+    # 3. By options[:default] (deprecated)
+    def self.infer_event(options)
+      # Don't rely on this working; you really should be passing a proper Input::Event
+      # with the context information you have.
+      location = Input::Event.probe_stack
+      event = Input::Event.new(
+        action: :set,
+        provider: options[:provider] || :unknown,
+        priority: options[:priority] || Inspec::Input::DEFAULT_PRIORITY_FOR_UNKNOWN_CALLER,
+        file: location.path,
+        line: location.lineno
+      )
+
+      if options.key?(:default)
+        Inspec.deprecate(:attrs_value_replaces_default, "attribute name: '#{name}'")
+        if options.key?(:value)
+          Inspec::Log.warn "Input #{@name} created using both :default and :value options - ignoring :default"
+          options.delete(:default)
+        else
+          options[:value] = options.delete(:default)
+        end
+      end
+      event.value = options[:value] if options.key?(:value)
+      options[:event] = event
+    end
+
+    private
+
+    def _update_set_metadata(options)
+      # Basic metadata
+      @title = options[:title] if options.key?(:title)
+      @description = options[:description] if options.key?(:description)
+      @required = options[:required] if options.key?(:required)
+      @identifier = options[:identifier] if options.key?(:identifier) # TODO: determine if this is ever used
+      @type = options[:type] if options.key?(:type)
+    end
+
+    def make_creation_event(options)
+      loc = options[:location] || Event.probe_stack
+      Input::Event.new(
+        action: :create,
+        provider: options[:provider],
+        file: loc.path,
+        line: loc.lineno
+      )
+    end
+
+    # Determine the current winning value, but don't validate it
+    def current_value
+      # Examine the events to determine highest-priority value. Tie-break
+      # by using the last one set.
+      events_that_set_a_value = events.select(&:value_has_been_set?)
+      winning_priority = events_that_set_a_value.map(&:priority).max
+      winning_events = events_that_set_a_value.select { |e| e.priority == winning_priority }
+      winning_event = winning_events.last # Last for tie-break
+
+      if winning_event.nil?
+        # No value has been set - return special no value object
+        NO_VALUE_SET.new(name)
+      else
+        winning_event.value # May still be nil
+      end
+    end
+
+    public
+
+    def value=(new_value, priority = DEFAULT_PRIORITY_FOR_VALUE_SET)
+      # Inject a new Event with the new value.
+      location = Event.probe_stack
+      events << Event.new(
+        action: :set,
+        provider: :value_setter,
+        priority: priority,
+        value: new_value,
+        file: location.path,
+        line: location.lineno
+      )
+      enforce_type_restriction!
+    end
+
+    def value
+      enforce_required_validation!
+      current_value
+    end
+
+    def has_value?
+      !current_value.is_a? NO_VALUE_SET
+    end
+
+    #--------------------------------------------------------------------------#
+    #                           Value Type Coercion
+    #--------------------------------------------------------------------------#
+
+    def to_s
+      "Input #{name} with #{current_value}"
+    end
+
+    #--------------------------------------------------------------------------#
+    #                               Validation
+    #--------------------------------------------------------------------------#
+
+    private
+
+    def enforce_required_validation!
+      return unless required
+      # skip if we are not doing an exec call (archive/vendor/check)
+      return unless Inspec::BaseCLI.inspec_cli_command == :exec
+
+      proposed_value = current_value
+      if proposed_value.nil? || proposed_value.is_a?(NO_VALUE_SET)
+        error = Inspec::Input::RequiredError.new
+        error.input_name = name
+        raise error, "Input '#{error.input_name}' is required and does not have a value."
+      end
+    end
+
+    def enforce_type_restriction! # rubocop:disable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
+      return unless type
+      return unless has_value?
+
+      type_req = type
+      return if type_req == "Any"
+
+      proposed_value = current_value
+
+      invalid_type = false
+      if type_req == "Regexp"
+        invalid_type = true unless valid_regexp?(proposed_value)
+      elsif type_req == "Numeric"
+        invalid_type = true unless valid_numeric?(proposed_value)
+      elsif type_req == "Boolean"
+        invalid_type = true unless [true, false].include?(proposed_value)
+      elsif proposed_value.is_a?(Module.const_get(type_req)) == false
+        # TODO: why is this case here?
+        invalid_type = true
+      end
+
+      if invalid_type == true
+        error = Inspec::Input::ValidationError.new
+        error.input_name = @name
+        error.input_value = proposed_value
+        error.input_type = type_req
+        raise error, "Input '#{error.input_name}' with value '#{error.input_value}' does not validate to type '#{error.input_type}'."
+      end
+    end
+
+    def normalize_type_restriction!
+      return unless type
+
+      type_req = type.capitalize
+      abbreviations = {
+        "Num" => "Numeric",
+        "Regex" => "Regexp",
+      }
+      type_req = abbreviations[type_req] if abbreviations.key?(type_req)
+      unless VALID_TYPES.include?(type_req)
+        error = Inspec::Input::TypeError.new
+        error.input_type = type_req
+        raise error, "Type '#{error.input_type}' is not a valid input type."
+      end
+      @type = type_req
+    end
+
+    def valid_numeric?(value)
+      Float(value)
+      true
+    rescue
+      false
+    end
+
+    def valid_regexp?(value)
+      # check for invalid regex syntax
+      Regexp.new(value)
+      true
+    rescue
+      false
+    end
+  end
+end