inspec 4.18.51 → 4.18.85

data/lib/inspec/resources/iis_site.rb

@@ -1,148 +0,0 @@
-# frozen_string_literal: true
-
-require "inspec/resources/command"
-
-# check for site in IIS
-# Usage:
-# describe iis_site('Default Web Site') do
-#   it{ should exist }
-#   it{ should be_running }
-#   it{ should be_in_app_pool('Default App Pool') }
-#   it{ should have_path('C:\\inetpub\wwwroot\\DefaultWebSite') }
-#   it{ should have_binding('https :443:www.contoso.com sslFlags=0') }
-#   it{ should have_binding('net.pipe *') }
-# end
-#
-# Note: this is only supported in windows 2012 and later
-
-module Inspec::Resources
-  class IisSite < Inspec.resource(1)
-    name "iis_site"
-    supports platform: "windows"
-    desc "Tests IIS site configuration on windows. Supported in server 2012+ only"
-    example <<~EXAMPLE
-      describe iis_site('Default Web Site') do
-        it { should exist }
-        it { should be_running }
-        it { should have_app_pool('DefaultAppPool') }
-        it { should have_binding('https :443:www.contoso.com sslFlags=0') }
-        it { should have_binding('net.pipe *') }
-        it { should have_path('C:\\inetpub\\wwwroot') }
-      end
-    EXAMPLE
-
-    def initialize(site_name)
-      @site_name = site_name
-      @cache = nil
-
-      @site_provider = SiteProvider.new(inspec)
-
-      # verify that this resource is only supported on Windows
-      return skip_resource "The `iis_site` resource is not supported on your OS." if inspec.os[:family] != "windows"
-    end
-
-    def app_pool
-      iis_site.nil? ? nil : iis_site[:app_pool]
-    end
-
-    def bindings
-      iis_site.nil? ? nil : iis_site[:bindings]
-    end
-
-    def state
-      iis_site.nil? ? nil : iis_site[:state]
-    end
-
-    def path
-      iis_site.nil? ? nil : iis_site[:path]
-    end
-
-    def exists?
-      !iis_site.nil? && !iis_site[:name].nil?
-    end
-
-    def running?
-      iis_site.nil? ? false : (iis_site[:state] == "Started")
-    end
-
-    def has_app_pool?(app_pool)
-      iis_site.nil? ? false : iis_site[:app_pool] == app_pool
-    end
-
-    def has_path?(path)
-      iis_site.nil? ? false : iis_site[:path] == path
-    end
-
-    def has_binding?(binding)
-      iis_site.nil? ? false : (iis_site[:bindings].include? binding)
-    end
-
-    def to_s
-      "iis_site '#{@site_name}'"
-    end
-
-    def iis_site
-      return @cache unless @cache.nil?
-
-      @cache = @site_provider.iis_site(@site_name) unless @site_provider.nil?
-    end
-  end
-
-  class SiteProvider
-    attr_reader :inspec
-
-    def initialize(inspec)
-      @inspec = inspec
-    end
-
-    # want to populate everything using one powershell command here and spit it out as json
-    def iis_site(name)
-      command = "Get-Website '#{name}' | Select-Object -Property Name,State,PhysicalPath,bindings,ApplicationPool | ConvertTo-Json"
-      cmd = @inspec.command(command)
-
-      begin
-        site = JSON.parse(cmd.stdout)
-      rescue JSON::ParserError => _e
-        return nil
-      end
-
-      bindings_array = site["bindings"]["Collection"].map do |k|
-        "#{k["protocol"]} #{k["bindingInformation"]}#{k["protocol"] == "https" ? " sslFlags=#{k["sslFlags"]}" : ""}"
-      end
-
-      # map our values to a hash table
-      info = {
-        name: site["name"],
-        state: site["state"],
-        path: site["physicalPath"],
-        bindings: bindings_array,
-        app_pool: site["applicationPool"],
-      }
-
-      info
-    end
-  end
-
-  # for compatability with serverspec
-  # this is deprecated syntax and will be removed in future versions
-  class IisSiteServerSpec < IisSite
-    name "iis_website"
-    desc "Tests IIS site configuration on windows. Deprecated, use `iis_site` instead."
-    example <<~EXAMPLE
-      describe iis_website('Default Website') do
-        it{ should exist }
-        it{ should be_running }
-        it{ should be_in_app_pool('Default App Pool') }
-      end
-    EXAMPLE
-
-    def initialize(site_name)
-      Inspec.deprecate(:resource_iis_website, "The `iis_website` resource is deprecated. Please use `iis_site` instead.")
-      super(site_name)
-    end
-
-    def in_app_pool?(app_pool)
-      has_app_pool?(app_pool)
-    end
-  end
-end

data/lib/inspec/resources/iis_website.rb

@@ -1,2 +0,0 @@
-# This is just here to make the dynamic loader happy.
-require "inspec/resources/iis_website.rb"

data/lib/inspec/resources/inetd_conf.rb

@@ -1,53 +0,0 @@
-# copyright: 2015, Vulcano Security GmbH
-
-require "inspec/utils/simpleconfig"
-require "inspec/utils/file_reader"
-
-module Inspec::Resources
-  class InetdConf < Inspec.resource(1)
-    name "inetd_conf"
-    supports platform: "unix"
-    desc "Use the inetd_conf InSpec audit resource to test if a service is enabled in the inetd.conf file on Linux and UNIX platforms. inetd---the Internet service daemon---listens on dedicated ports, and then loads the appropriate program based on a request. The inetd.conf file is typically located at /etc/inetd.conf and contains a list of Internet services associated to the ports on which that service will listen. Only enabled services may handle a request; only services that are required by the system should be enabled."
-    example <<~EXAMPLE
-      describe inetd_conf do
-        its('shell') { should eq nil }
-        its('login') { should eq nil }
-        its('exec') { should eq nil }
-      end
-    EXAMPLE
-
-    include FileReader
-
-    def initialize(path = nil)
-      @conf_path = path || "/etc/inetd.conf"
-      @content = read_file_content(@conf_path)
-    end
-
-    # overwrite exec to ensure it works with its
-    # TODO: this needs to be fixed in RSpec
-    def exec
-      read_params["exec"]
-    end
-
-    def method_missing(name)
-      read_params[name.to_s]
-    end
-
-    def read_params
-      return @params if defined?(@params)
-
-      # parse the file
-      conf = SimpleConfig.new(
-        @content,
-        assignment_regex: /^\s*(\S+?)\s+(.*?)\s+(.*?)\s+(.*?)\s+(.*?)\s+(.*?)\s+(.*?)\s*$/,
-        key_values: 6,
-        multiple_values: false
-      )
-      @params = conf.params
-    end
-
-    def to_s
-      "inetd.conf"
-    end
-  end
-end

data/lib/inspec/resources/ini.rb

@@ -1,28 +0,0 @@
-require "inspec/resources/json"
-require "inspec/utils/simpleconfig"
-
-module Inspec::Resources
-  class IniConfig < JsonConfig
-    name "ini"
-    supports platform: "unix"
-    supports platform: "windows"
-    desc "Use the ini InSpec audit resource to test data in a INI file."
-    example <<~EXAMPLE
-      descibe ini do
-        its('auth_protocol') { should eq 'https' }
-      end
-    EXAMPLE
-    # override file load and parse hash with simple config
-    def parse(content)
-      SimpleConfig.new(content).params
-    end
-
-    private
-
-    # used by JsonConfig to build up a full to_s method
-    # based on whether a file path, content, or command was supplied.
-    def resource_base_name
-      "INI"
-    end
-  end
-end

data/lib/inspec/resources/interface.rb

@@ -1,204 +0,0 @@
-require "inspec/resources/command"
-require "inspec/utils/convert"
-require "inspec/utils/simpleconfig"
-
-module Inspec::Resources
-  class NetworkInterface < Inspec.resource(1)
-    name "interface"
-    supports platform: "unix"
-    supports platform: "windows"
-    desc "Use the interface InSpec audit resource to test basic network adapter properties, such as name, status, and link speed (in MB/sec)."
-    example <<~EXAMPLE
-      describe interface('eth0') do
-        it { should exist }
-        it { should be_up }
-        its('speed') { should eq 1000 }
-        its('ipv4_addresses') { should include '127.0.0.1' }
-        its('ipv6_cidrs') { should include '::1/128' }
-      end
-    EXAMPLE
-
-    def initialize(iface)
-      @iface = iface
-    end
-
-    def exists?
-      !!(interface_info && interface_info[:name])
-    end
-
-    def up?
-      !!(interface_info && interface_info[:up])
-    end
-
-    def name
-      interface_info[:name]
-    end
-
-    # returns link speed in Mbits/sec
-    def speed
-      interface_info && interface_info[:speed]
-    end
-
-    def ipv4_address?
-      ipv4_addresses && !ipv4_addresses.empty?
-    end
-
-    def ipv6_address?
-      ipv6_addresses && !ipv6_addresses.empty?
-    end
-
-    def ipv4_addresses
-      ipv4_cidrs.map { |i| i.split("/")[0] }
-    end
-
-    def ipv6_addresses
-      ipv6_cidrs.map { |i| i.split("/")[0] }
-    end
-
-    def ipv4_addresses_netmask
-      ipv4_cidrs.map { |i| i.split("/") }.map do |addr, netlen|
-        binmask = "#{"1" * netlen.to_i}#{"0" * (32 - netlen.to_i)}".to_i(2)
-        netmask = []
-        (1..4).each do |_byte|
-          netmask.unshift(binmask & 255)
-          binmask = binmask >> 8
-        end
-        "#{addr}/#{netmask.join(".")}"
-      end
-    end
-
-    def ipv4_cidrs
-      interface_info && Array(interface_info[:ipv4_addresses])
-    end
-
-    def ipv6_cidrs
-      interface_info && Array(interface_info[:ipv6_addresses])
-    end
-
-    def to_s
-      "Interface #{@iface}"
-    end
-
-    private
-
-    def interface_info
-      @cache ||= begin
-                   provider = LinuxInterface.new(inspec) if inspec.os.linux?
-                   provider = WindowsInterface.new(inspec) if inspec.os.windows?
-                   Hash(provider && provider.interface_info(@iface))
-                 end
-    end
-  end
-
-  class InterfaceInfo
-    include Converter
-    attr_reader :inspec
-    def initialize(inspec)
-      @inspec = inspec
-    end
-  end
-
-  class LinuxInterface < InterfaceInfo
-    def interface_info(iface)
-      # will return "[mtu]\n1500\n[type]\n1"
-      cmd = inspec.command("find /sys/class/net/#{iface}/ -maxdepth 1 -type f -exec sh -c 'echo \"[$(basename {})]\"; cat {} || echo -n' \\;")
-      return nil if cmd.exit_status.to_i != 0
-
-      # parse values, we only recieve values, therefore we threat them as keys
-      params = SimpleConfig.new(cmd.stdout.chomp).params
-
-      # abort if we got an empty result-set
-      return nil if params.empty?
-
-      # parse state
-      state = false
-      if params.key?("operstate")
-        operstate, _value = params["operstate"].first
-        state = operstate == "up"
-      end
-
-      # parse speed
-      speed = nil
-      if params.key?("speed")
-        speed, _value = params["speed"].first
-        speed = convert_to_i(speed)
-      end
-
-      family_addresses = addresses(iface)
-      {
-        name: iface,
-        up: state,
-        speed: speed,
-        ipv4_addresses: family_addresses["inet"],
-        ipv6_addresses: family_addresses["inet6"],
-      }
-    end
-
-    private
-
-    def addresses(iface)
-      addrs_by_family = { "inet6" => [], "inet" => [] }
-      [4, 6].each do |v|
-        cmd = inspec.command("/sbin/ip -br -#{v} address show dev #{iface}")
-        next unless cmd.exit_status.to_i == 0
-
-        family = v == 6 ? "inet6" : "inet"
-
-        cmd.stdout.each_line do |line|
-          _dev, _state, *addrs = line.split(/\s+/)
-          addrs_by_family[family] = addrs
-        end
-      end
-      addrs_by_family
-    end
-  end
-
-  class WindowsInterface < InterfaceInfo
-    def interface_info(iface)
-      # gather all network interfaces
-      cmd = inspec.command("Get-NetAdapter | Select-Object -Property Name, InterfaceDescription, Status, State, " \
-                           "MacAddress, LinkSpeed, ReceiveLinkSpeed, TransmitLinkSpeed, Virtual | ConvertTo-Json")
-
-      addr_cmd = inspec.command("Get-NetIPAddress | Select-Object -Property IPv6Address, IPv4Address, InterfaceAlias," \
-                                " PrefixLength | ConvertTo-Json")
-
-      # filter network interface
-      begin
-        net_adapter = JSON.parse(cmd.stdout)
-        addresses = JSON.parse(addr_cmd.stdout)
-      rescue JSON::ParserError => _e
-        return nil
-      end
-
-      # ensure we have an array of groups
-      net_adapter = [net_adapter] unless net_adapter.is_a?(Array)
-      addresses = [addresses] unless addresses.is_a?(Array)
-
-      # select the requested interface
-      adapters = net_adapter.each_with_object([]) do |adapter, adapter_collection|
-        # map object
-        info = {
-          name: adapter["Name"],
-          up: adapter["State"] == 2,
-          speed: adapter["ReceiveLinkSpeed"] / 1000,
-          ipv4_addresses: addresses_for_proto(addresses, adapter["Name"], "IPv4"),
-          ipv6_addresses: addresses_for_proto(addresses, adapter["Name"], "IPv6"),
-        }
-        adapter_collection.push(info) if info[:name].casecmp(iface) == 0
-      end
-
-      return nil if adapters.empty?
-
-      warn "[Possible Error] detected multiple network interfaces with the name #{iface}" if adapters.size > 1
-      adapters[0]
-    end
-
-    private
-
-    def addresses_for_proto(all_addresses, iface, proto)
-      all_addresses.select { |i| i["InterfaceAlias"] == iface }
-        .map { |i| "#{i["#{proto}Address"]}/#{i["PrefixLength"]}" unless i["#{proto}Address"].nil? }
-        .compact
-    end
-  end
-end

data/lib/inspec/resources/ip6tables.rb

@@ -1,79 +0,0 @@
-require "inspec/resources/command"
-
-# Usage:
-# describe ip6tables do
-#   it { should have_rule('-P INPUT ACCEPT') }
-# end
-#
-# The following serverspec sytax is not implemented:
-# describe ip6tables do
-#   it { should have_rule('-P INPUT ACCEPT').with_table('mangle').with_chain('INPUT') }
-# end
-# Please use the new sytax:
-# describe ip6tables(table:'mangle', chain: 'input') do
-#   it { should have_rule('-P INPUT ACCEPT') }
-# end
-#
-# Note: Docker containers normally do not have ip6tables installed
-#
-# @see http://ipset.netfilter.org/ip6tables.man.html
-# @see http://ipset.netfilter.org/ip6tables.man.html
-module Inspec::Resources
-  class Ip6Tables < Inspec.resource(1)
-    name "ip6tables"
-    supports platform: "linux"
-    desc "Use the ip6tables InSpec audit resource to test rules that are defined in ip6tables, which maintains tables of IP packet filtering rules. There may be more than one table. Each table contains one (or more) chains (both built-in and custom). A chain is a list of rules that match packets. When the rule matches, the rule defines what target to assign to the packet."
-    example <<~EXAMPLE
-      describe ip6tables do
-        it { should have_rule('-P INPUT ACCEPT') }
-      end
-    EXAMPLE
-
-    def initialize(params = {})
-      @table = params[:table]
-      @chain = params[:chain]
-
-      # we're done if we are on linux
-      return if inspec.os.linux?
-
-      # ensures, all calls are aborted for non-supported os
-      @ip6tables_cache = []
-      skip_resource "The `ip6tables` resource is not supported on your OS yet."
-    end
-
-    def has_rule?(rule = nil, _table = nil, _chain = nil)
-      # checks if the rule is part of the ruleset
-      # for now, we expect an exact match
-      retrieve_rules.any? { |line| line.casecmp(rule) == 0 }
-    end
-
-    def retrieve_rules
-      return @ip6tables_cache if defined?(@ip6tables_cache)
-
-      # construct ip6tables command to read all rules
-      bin = find_ip6tables_or_error
-      table_cmd = "-t #{@table}" if @table
-      ip6tables_cmd = format("%s %s -S %s", bin, table_cmd, @chain).strip
-
-      cmd = inspec.command(ip6tables_cmd)
-      return [] if cmd.exit_status.to_i != 0
-
-      # split rules, returns array or rules
-      @ip6tables_cache = cmd.stdout.split("\n").map(&:strip)
-    end
-
-    def to_s
-      format("Ip6tables %s %s", @table && "table: #{@table}", @chain && "chain: #{@chain}").strip
-    end
-
-    private
-
-    def find_ip6tables_or_error
-      %w{/usr/sbin/ip6tables /sbin/ip6tables ip6tables}.each do |cmd|
-        return cmd if inspec.command(cmd).exist?
-      end
-
-      raise Inspec::Exceptions::ResourceFailed, "Could not find `ip6tables`"
-    end
-  end
-end