inspec 4.18.51 → 4.18.85

data/lib/inspec/rule.rb

@@ -1,389 +0,0 @@
-# copyright: 2015, Dominik Richter
-
-require "method_source"
-require "date"
-require "inspec/describe_base"
-require "inspec/expect"
-require "inspec/impact"
-require "inspec/resource"
-require "inspec/resources/os"
-require "inspec/input_registry"
-
-module Inspec
-  class Rule
-    include ::RSpec::Matchers
-
-    #
-    # Include any resources from the given resource DSL.  The passed
-    # resource_dsl will also be included in any Inspec::Expect objects
-    # we make.
-    #
-    # @params resource_dsl [Module]
-    # @returns [TrueClass]
-    #
-    def self.with_resource_dsl(resource_dsl)
-      include resource_dsl
-      @resource_dsl = resource_dsl
-      true
-    end
-
-    def self.resource_dsl # rubocop:disable Style/TrivialAccessors
-      @resource_dsl
-    end
-
-    attr_reader :__waiver_data
-    def initialize(id, profile_id, opts, &block)
-      @impact = nil
-      @title = nil
-      @descriptions = {}
-      @refs = []
-      @tags = {}
-
-      # not changeable by the user:
-      @__code = nil
-      @__block = block
-      @__source_location = __get_block_source_location(&block)
-      @__rule_id = id
-      @__profile_id = profile_id
-      @__checks = []
-      @__skip_rule = {} # { result: true, message: "Why", type: [:only_if, :waiver] }
-      @__merge_count = 0
-      @__merge_changes = []
-      @__skip_only_if_eval = opts[:skip_only_if_eval]
-
-      # evaluate the given definition
-      return unless block_given?
-
-      begin
-        instance_eval(&block)
-
-        # By applying waivers *after* the instance eval, we assure that
-        # waivers have higher precedence than only_if.
-        __apply_waivers
-
-      rescue SystemStackError, StandardError => e
-        # We've encountered an exception while trying to eval the code inside the
-        # control block. We need to prevent the exception from bubbling up, and
-        # fail the control. Controls are failed by having a failed resource within
-        # them; but since our control block is unsafe (and opaque) to us, let's
-        # make a dummy and fail that.
-        location = block.source_location.compact.join(":")
-        describe "Control Source Code Error" do
-          # Rubocop thinks we are raising an exception - we're actually calling RSpec's fail()
-          its(location) { fail e.message } # rubocop: disable Style/SignalException
-        end
-      end
-    end
-
-    def to_s
-      Inspec::Rule.rule_id(self)
-    end
-
-    def id(*_)
-      # never overwrite the ID
-      @id
-    end
-
-    def impact(v = nil)
-      if v.is_a?(String)
-        @impact = Inspec::Impact.impact_from_string(v)
-      elsif !v.nil?
-        @impact = v
-      end
-
-      @impact
-    end
-
-    def title(v = nil)
-      @title = v unless v.nil?
-      @title
-    end
-
-    def desc(v = nil, data = nil)
-      return @descriptions[:default] if v.nil?
-
-      if data.nil?
-        @descriptions[:default] = unindent(v)
-      else
-        @descriptions[v.to_sym] = unindent(data)
-      end
-    end
-
-    def descriptions(description_hash = nil)
-      return @descriptions if description_hash.nil?
-
-      @descriptions.merge!(description_hash)
-    end
-
-    def ref(ref = nil, opts = {})
-      return @refs if ref.nil? && opts.empty?
-
-      if opts.empty? && ref.is_a?(Hash)
-        opts = ref
-      else
-        opts[:ref] = ref
-      end
-      @refs.push(opts)
-    end
-
-    def tag(*args)
-      args.each do |arg|
-        if arg.is_a?(Hash)
-          @tags.merge!(arg)
-        else
-          @tags[arg] ||= nil
-        end
-      end
-      @tags
-    end
-
-    def source_file
-      @__file
-    end
-
-    # Skip all checks if only_if is false
-    #
-    # @param [Type] &block returns true if tests are added, false otherwise
-    # @return [nil]
-    def only_if(message = nil)
-      return unless block_given?
-      return if @__skip_only_if_eval == true
-
-      @__skip_rule[:result] ||= !yield
-      @__skip_rule[:type] = :only_if
-      @__skip_rule[:message] = message
-    end
-
-    # Describe will add one or more tests to this control. There is 2 ways
-    # of calling it:
-    #
-    #   describe resource do ... end
-    #
-    # or
-    #
-    #   describe.one do ... end
-    #
-    # @param [any] Resource to be describe, string, or nil
-    # @param [Proc] An optional block containing tests for the described resource
-    # @return [nil|DescribeBase] if called without arguments, returns DescribeBase
-    def describe(*values, &block)
-      if values.empty? && !block_given?
-        dsl = self.class.ancestors[1]
-        Class.new(DescribeBase) do
-          include dsl
-        end.new(method(:__add_check))
-      else
-        __add_check("describe", values, with_dsl(block))
-      end
-    end
-
-    def expect(value, &block)
-      target = Inspec::Expect.new(value, &with_dsl(block))
-      __add_check("expect", [value], target)
-      target
-    end
-
-    def self.rule_id(rule)
-      rule.instance_variable_get(:@__rule_id)
-    end
-
-    def self.set_rule_id(rule, value)
-      rule.instance_variable_set(:@__rule_id, value)
-    end
-
-    def self.profile_id(rule)
-      rule.instance_variable_get(:@__profile_id)
-    end
-
-    def self.checks(rule)
-      rule.instance_variable_get(:@__checks)
-    end
-
-    def self.skip_status(rule)
-      rule.instance_variable_get(:@__skip_rule)
-    end
-
-    def self.set_skip_rule(rule, value, message = nil, type = :only_if)
-      rule.instance_variable_set(:@__skip_rule,
-                                 {
-                                   result: value,
-                                   message: message,
-                                   type: type,
-                                 })
-    end
-
-    def self.merge_count(rule)
-      rule.instance_variable_get(:@__merge_count)
-    end
-
-    def self.merge_changes(rule)
-      rule.instance_variable_get(:@__merge_changes)
-    end
-
-    # If a rule is marked to be skipped, this
-    # creates a dummay array of "checks" with a skip outcome
-    def self.prepare_checks(rule)
-      skip_check = skip_status(rule)
-      return checks(rule) unless skip_check[:result].eql?(true)
-
-      if skip_check[:message]
-        msg = "Skipped control due to #{skip_check[:type]} condition: #{skip_check[:message]}"
-      else
-        msg = "Skipped control due to #{skip_check[:type]} condition."
-      end
-
-      resource = rule.noop
-      resource.skip_resource(msg)
-      [["describe", [resource], nil]]
-    end
-
-    def self.merge(dst, src) # rubocop:disable Metrics/AbcSize
-      if src.id != dst.id
-        # TODO: register an error, this case should not happen
-        return
-      end
-
-      sp = rule_id(src)
-      dp = rule_id(dst)
-      if sp != dp
-        # TODO: register an error, this case should not happen
-        return
-      end
-
-      # merge all fields
-      dst.impact(src.impact)                 unless src.impact.nil?
-      dst.title(src.title)                   unless src.title.nil?
-      dst.descriptions(src.descriptions)     unless src.descriptions.nil?
-      dst.tag(src.tag)                       unless src.tag.nil?
-      dst.ref(src.ref)                       unless src.ref.nil?
-
-      # merge indirect fields
-      # checks defined in the source will completely eliminate
-      # all checks that were defined in the destination
-      sc = checks(src)
-      dst.instance_variable_set(:@__checks, sc) unless sc.empty?
-      skip_check = skip_status(src)
-      sr = skip_check[:result]
-      msg = skip_check[:message]
-      skip_type = skip_check[:type]
-      set_skip_rule(dst, sr, msg, skip_type) unless sr.nil?
-
-      # Save merge history
-      dst.instance_variable_set(:@__merge_count, merge_count(dst) + 1)
-      dst.instance_variable_set(
-        :@__merge_changes,
-        merge_changes(dst) << src.instance_variable_get(:@__source_location)
-      )
-    end
-
-    private
-
-    def __add_check(describe_or_expect, values, block)
-      @__checks.push([describe_or_expect, values, block])
-    end
-
-    # Look for an input with a matching ID, and if found, apply waiver
-    # skipping logic. Basically, if we have a current waiver, and it says
-    # to skip, we'll replace all the checks with a dummy check (same as
-    # only_if mechanism)
-    # Double underscore: not intended to be called as part of the DSL
-    def __apply_waivers
-      input_name = @__rule_id # TODO: control ID slugging
-      registry = Inspec::InputRegistry.instance
-      input = registry.inputs_by_profile.dig(@__profile_id, input_name)
-      return unless input
-
-      # An InSpec Input is a datastructure that tracks a profile parameter
-      # over time. Its value can be set by many sources, and it keeps a
-      # log of each "set" event so that when it is collapsed to a value,
-      # it can determine the correct (highest priority) value.
-      # Store in an instance variable for.. later reading???
-      @__waiver_data = input.value
-      __waiver_data["skipped_due_to_waiver"] = false
-      __waiver_data["message"] = ""
-
-      # Waivers should have a hash value with keys possibly including "run" and
-      # expiration_date. We only care here if it has a "run" key and it
-      # is false-like, since all non-skipped waiver operations are handled
-      # during reporting phase.
-      return unless __waiver_data.key?("run") && !__waiver_data["run"]
-
-      # OK, the intent is to skip. Does it have an expiration date, and
-      # if so, is it in the future?
-      expiry = __waiver_data["expiration_date"]
-      if expiry
-        if expiry.is_a?(Date)
-          # It appears that yaml.rb automagically parses dates for us
-          if expiry < Date.today # If the waiver expired, return - no skip applied
-            __waiver_data["message"] = "Waiver expired on #{expiry}, evaluating control normally"
-            return
-          end
-        else
-          ui = Inspec::UI.new
-          ui.error("Unable to parse waiver expiration date '#{expiry}' for control #{@__rule_id}")
-          ui.exit(:usage_error)
-        end
-      end
-
-      # OK, apply a skip.
-      @__skip_rule[:result] = true
-      @__skip_rule[:type] = :waiver
-      @__skip_rule[:message] = __waiver_data["justification"]
-      __waiver_data["skipped_due_to_waiver"] = true
-    end
-
-    #
-    # Takes a block and returns a block that will run the given block
-    # with access to the resource_dsl of the current class. This is to
-    # ensure that inside the constructed Rspec::ExampleGroup users
-    # have access to DSL methods. Previous this was done in
-    # Inspec::Runner before sending the example groups to rspec. It
-    # was moved here to ensure that code inside `its` blocks hae the
-    # same visibility into resources as code outside its blocks.
-    #
-    # @param [Proc] block
-    # @return [Proc]
-    #
-    def with_dsl(block)
-      return nil if block.nil?
-
-      dsl = self.class.resource_dsl
-
-      return block unless dsl
-
-      proc do |*args|
-        include dsl
-        instance_exec(*args, &block)
-      end
-    end
-
-    # Idio(ma)tic unindent, behaves similar to Ruby2.3 curly heredocs.
-    # Find the shortest indentation of non-empty lines and strip that from every line
-    # See: https://bugs.ruby-lang.org/issues/9098
-    #
-    # It is implemented here to support pre-Ruby2.3 with this feature and
-    # to not force non-programmers to understand heredocs.
-    #
-    # Please note: tabs are not supported! (they will be removed but they are not
-    # treated the same as in Ruby2.3 heredocs)
-    #
-    # @param [String] text string which needs to be unindented
-    # @return [String] input with indentation removed; '' if input is nil
-    def unindent(text)
-      return "" if text.nil?
-
-      len = text.split("\n").reject { |l| l.strip.empty? }.map { |x| x.index(/[^\s]/) }.compact.min
-      text.gsub(/^[[:blank:]]{#{len}}/, "").strip
-    end
-
-    # get the source location of the block
-    def __get_block_source_location(&block)
-      return {} unless block_given?
-
-      r, l = block.source_location
-      { ref: r, line: l }
-    rescue MethodSource::SourceNotFoundError
-      {}
-    end
-  end
-end

data/lib/inspec/runner.rb

@@ -1,333 +0,0 @@
-# copyright: 2015, Dominik Richter
-
-require "forwardable"
-require "uri"
-require "inspec/backend"
-require "inspec/profile_context"
-require "inspec/profile"
-require "inspec/metadata"
-require "inspec/config"
-require "inspec/dependencies/cache"
-require "inspec/dist"
-require "inspec/reporters"
-require "inspec/runner_rspec"
-# spec requirements
-
-module Inspec
-  #
-  # Inspec::Runner coordinates the running of tests and is the main
-  # entry point to the application.
-  #
-  # Users are expected to insantiate a runner, add targets to be run,
-  # and then call the run method:
-  #
-  # ```
-  # r = Inspec::Runner.new()
-  # r.add_target("/path/to/some/profile")
-  # r.add_target("http://url/to/some/profile")
-  # r.run
-  # ```
-  #
-  class Runner
-    extend Forwardable
-
-    attr_reader :backend, :rules
-    attr_accessor :target_profiles
-
-    attr_accessor :test_collector
-
-    def attributes
-      Inspec.deprecate(:rename_attributes_to_inputs, "Don't call runner.attributes, call runner.inputs")
-      inputs
-    end
-
-    def initialize(conf = {})
-      @rules = []
-      # If we were handed a Hash config (by audit cookbook or kitchen-inspec),
-      # upgrade it to a proper config. This handles a lot of config finalization,
-      # like reporter parsing.
-      @conf = conf.is_a?(Hash) ? Inspec::Config.new(conf) : conf
-      @conf[:logger] ||= Logger.new(nil)
-      @target_profiles = []
-      @controls = @conf[:controls] || []
-      @depends = @conf[:depends] || []
-      @create_lockfile = @conf[:create_lockfile]
-      @cache = Inspec::Cache.new(@conf[:vendor_cache])
-
-      @test_collector = @conf.delete(:test_collector) || begin
-        RunnerRspec.new(@conf)
-      end
-
-      if @conf[:waiver_file]
-        waivers = @conf.delete(:waiver_file)
-        @conf[:input_file] ||= []
-        @conf[:input_file].concat waivers
-      end
-
-      # About reading inputs:
-      #   @conf gets passed around a lot, eventually to
-      # Inspec::InputRegistry.register_external_inputs.
-      #
-      #   @conf may contain the key :attributes or :inputs, which is to be a Hash
-      # of values passed in from the Runner API.
-      # This is how kitchen-inspec and the audit_cookbook pass in inputs.
-      #
-      #   @conf may contain the key :attrs or :input_file, which is to be an Array
-      # of file paths, each a YAML file. This how --input-file works.
-
-      configure_transport
-    end
-
-    def tests
-      @test_collector.tests
-    end
-
-    def configure_transport
-      @backend = Inspec::Backend.create(@conf)
-      @test_collector.backend = @backend
-    end
-
-    def reset
-      @test_collector.reset
-      @target_profiles.each do |profile|
-        profile.runner_context.rules = {}
-      end
-      @rules = []
-    end
-
-    def load
-      all_controls = []
-
-      @target_profiles.each do |profile|
-        @test_collector.add_profile(profile)
-        next unless profile.supports_platform?
-
-        write_lockfile(profile) if @create_lockfile
-        profile.locked_dependencies
-        profile_context = profile.load_libraries
-
-        profile_context.dependencies.list.values.each do |requirement|
-          unless requirement.profile.supports_platform?
-            Inspec::Log.warn "Skipping profile: '#{requirement.profile.name}'" \
-             " on unsupported platform: '#{@backend.platform.name}/#{@backend.platform.release}'."
-            next
-          end
-          @test_collector.add_profile(requirement.profile)
-        end
-
-        tests = profile.collect_tests
-        all_controls += tests unless tests.nil?
-      end
-
-      all_controls.each do |rule|
-        register_rule(rule) unless rule.nil?
-      end
-    end
-
-    def run(with = nil)
-      Inspec::Log.debug "Starting run with targets: #{@target_profiles.map(&:to_s)}"
-      load
-      run_tests(with)
-    end
-
-    def render_output(run_data)
-      return if @conf["reporter"].nil?
-
-      @conf["reporter"].each do |reporter|
-        result = Inspec::Reporters.render(reporter, run_data)
-        raise Inspec::ReporterError, "Error generating reporter '#{reporter[0]}'" if result == false
-      end
-    end
-
-    def report
-      Inspec::Reporters.report(@conf["reporter"].first, @run_data)
-    end
-
-    def write_lockfile(profile)
-      return false unless profile.writable?
-
-      if profile.lockfile_exists?
-        Inspec::Log.debug "Using existing lockfile #{profile.lockfile_path}"
-      else
-        Inspec::Log.debug "Creating lockfile: #{profile.lockfile_path}"
-        lockfile = profile.generate_lockfile
-        File.write(profile.lockfile_path, lockfile.to_yaml)
-      end
-    end
-
-    def run_tests(with = nil)
-      @run_data = @test_collector.run(with)
-      # dont output anything if we want a report
-      render_output(@run_data) unless @conf["report"]
-      @test_collector.exit_code
-    end
-
-    #
-    # add_target allows the user to add a target whose tests will be
-    # run when the user calls the run method.
-    #
-    # A target is a path or URL that points to a profile. Using this
-    # target we generate a Profile and a ProfileContext. The content
-    # (libraries, tests, and inputs) from the Profile are loaded
-    # into the ProfileContext.
-    #
-    # If the profile depends on other profiles, those profiles will be
-    # loaded on-demand when include_content or required_content are
-    # called using similar code in Inspec::DSL.
-    #
-    # Once the we've loaded all of the tests files in the profile, we
-    # query the profile for the full list of rules. Those rules are
-    # registered with the @test_collector which is ultimately
-    # responsible for actually running the tests.
-    #
-    # TODO: Deduplicate/clarify the loading code that exists in here,
-    # the ProfileContext, the Profile, and Inspec::DSL
-    #
-    # @params target [String] A path or URL to a profile or raw test.
-    # @params _opts [Hash] Unused, but still here to avoid breaking kitchen-inspec
-    #
-    # @eturns [Inspec::ProfileContext]
-    #
-    def add_target(target, _opts = [])
-      profile = Inspec::Profile.for_target(target,
-                                           vendor_cache: @cache,
-                                           backend: @backend,
-                                           controls: @controls,
-                                           runner_conf: @conf)
-      raise "Could not resolve #{target} to valid input." if profile.nil?
-
-      @target_profiles << profile if supports_profile?(profile)
-    end
-
-    def supports_profile?(profile)
-      unless profile.supports_runtime?
-        raise "This profile requires #{Inspec::Dist::PRODUCT_NAME} version "\
-             "#{profile.metadata.inspec_requirement}. You are running "\
-             "#{Inspec::Dist::PRODUCT_NAME} v#{Inspec::VERSION}.\n"
-      end
-
-      true
-    end
-
-    # In some places we read the rules off of the runner, in other
-    # places we read it off of the profile context. To keep the API's
-    # the same, we provide an #all_rules method here as well.
-    def all_rules
-      @rules
-    end
-
-    def register_rules(ctx)
-      new_tests = false
-      ctx.rules.each do |rule_id, rule|
-        next if block_given? && !(yield rule_id, rule)
-
-        new_tests = true
-        register_rule(rule)
-      end
-      new_tests
-    end
-
-    def eval_with_virtual_profile(command)
-      require "inspec/fetcher/mock"
-      add_target({ "inspec.yml" => "name: inspec-shell" })
-      our_profile = @target_profiles.first
-      ctx = our_profile.runner_context
-
-      # Load local profile dependencies. This is used in inspec shell
-      # to provide access to local profiles that add resources.
-      @depends.each do |dep|
-        # support for windows paths
-        dep = dep.tr('\\', "/")
-        Inspec::Profile.for_path(dep, { profile_context: ctx }).load_libraries
-      end
-
-      ctx.load(command)
-    end
-
-    private
-
-    def block_source_info(block)
-      return {} if block.nil? || !block.respond_to?(:source_location)
-
-      opts = {}
-      file_path, line = block.source_location
-      opts["file_path"] = file_path
-      opts["line_number"] = line
-      opts
-    end
-
-    def get_check_example(method_name, arg, block)
-      opts = block_source_info(block)
-
-      return nil if arg.empty?
-
-      resource = arg[0]
-      # check to see if we are using a filtertable object
-      resource = resource.resource if resource.is_a? FilterTable::Table
-      if resource.respond_to?(:resource_skipped?) && resource.resource_skipped?
-        return rspec_skipped_block(arg, opts, resource.resource_exception_message)
-      end
-
-      if resource.respond_to?(:resource_failed?) && resource.resource_failed?
-        return rspec_failed_block(arg, opts, resource.resource_exception_message)
-      end
-
-      # If neither skipped nor failed then add the resource
-      add_resource(method_name, arg, opts, block)
-    end
-
-    def register_rule(rule)
-      Inspec::Log.debug "Registering rule #{rule}"
-      @rules << rule
-      checks = ::Inspec::Rule.prepare_checks(rule)
-      examples = checks.flat_map do |m, a, b|
-        get_check_example(m, a, b)
-      end.compact
-
-      examples.each { |e| @test_collector.add_test(e, rule) }
-    end
-
-    def rspec_skipped_block(arg, opts, message)
-      @test_collector.example_group(*arg, opts) do
-        # Send custom `it` block to RSpec
-        it message
-      end
-    end
-
-    def rspec_failed_block(arg, opts, message)
-      @test_collector.example_group(*arg, opts) do
-        # Send custom `it` block to RSpec
-        it "" do
-          # Raising here to fail the test and get proper formatting
-          raise Inspec::Exceptions::ResourceFailed, message
-        end
-      end
-    end
-
-    def add_resource(method_name, arg, opts, block)
-      case method_name
-      when "describe"
-        opts = { backend: @test_collector.backend }.merge opts
-
-        @test_collector.example_group(*arg, opts, &block)
-      when "expect"
-        block.example_group
-      when "describe.one"
-        tests = arg.map do |x|
-          @test_collector.example_group(x[1][0], block_source_info(x[2]), &x[2])
-        end
-        return nil if tests.empty?
-
-        successful_tests = tests.find_all(&:run)
-
-        # Return all tests if none succeeds; we will just report full failure
-        return tests if successful_tests.empty?
-
-        successful_tests
-      else
-        raise "A rule was registered with #{method_name.inspect}," \
-              "which isn't understood and cannot be processed."
-      end
-    end
-  end
-end