inspec 4.6.9 → 4.7.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2f5b73cc4ec9d1e11867bb9e7d0cc7eeb1007ef4b10f56485d817bd56811d662
-  data.tar.gz: 12b23768ff808f509c88b7ce0558a73e04a328d8d9a6e37da6b6ac74208e891e
+  metadata.gz: 92f16a5a5997ab82b670f6aad951d3cfdce80bbe74e6454c7495fca62621267c
+  data.tar.gz: 2e8a866d55ad0ac9710725e4f19667b2a53df7c6b7ddaf814a5a117a2e5314f2
 SHA512:
-  metadata.gz: 39a2cdcd01416f61101a2436ce3a01bc754cd3212010d348a094b14b1ac8a7b07e9dbc4b2da1795c5b75ea628e760c4cf5ddb84a446531531bdad78f3d24f183
-  data.tar.gz: 25b1c69962503c6567ec46f8122edddc614bdfa16b475b6a64ad4c488e7e115830aeb59a215826cfb6b9ac1b67b9b9a6c6c1de395c7d0dce3689bc4ae88121b9
+  metadata.gz: 3394cc65c1f7b4901ebd99172e082b6e241c44a8cadb2b23eafd87411ab091073d2bcedb811f796272c4828422dca67adae1162814912bbebd408e93377472b9
+  data.tar.gz: 1fb91443861897468c24a5a83d4135387c869f8fb8e8f16c7c8307a5971452101fce2a0e5fa21357c68a32a9c614c7c19448e3c1a55d83662676878d8ca47755

data/Gemfile

@@ -19,7 +19,7 @@ group :omnibus do
 end
 
 group :test do
-  gem "chefstyle", "~> 0.6"
+  gem "chefstyle", "0.13.0"
   gem "coveralls", require: false
   gem "minitest", "~> 5.5"
   gem "rake", ">= 10"

data/README.md

@@ -31,15 +31,18 @@ Chef InSpec makes it easy to run your tests wherever you need. More options are
 # run test locally
 inspec exec test.rb
 
-# run test on remote host on SSH
+# run test on remote host via SSH
 inspec exec test.rb -t ssh://user@hostname -i /path/to/key
 
 # run test on remote host using SSH agent private key authentication. Requires Chef InSpec 1.7.1
 inspec exec test.rb -t ssh://user@hostname
 
-# run test on remote windows host on WinRM
+# run test on remote windows host via WinRM
 inspec exec test.rb -t winrm://Administrator@windowshost --password 'your-password'
 
+# run test on remote windows host via WinRM as a domain user
+inspec exec test.rb -t winrm://windowshost --user 'UserName@domain' --password 'your-password'
+
 # run test on docker container
 inspec exec test.rb -t docker://container_id
 ```

data/lib/inspec/config.rb

@@ -295,19 +295,19 @@ module Inspec
     def validate_reporters!(reporters)
       return if reporters.nil?
       # TODO: move this into a reporter plugin type system
-      valid_types = [
-        "automate",
-        "cli",
-        "documentation",
-        "html",
-        "json",
-        "json-automate",
-        "json-min",
-        "json-rspec",
-        "junit",
-        "progress",
-        "yaml",
-      ]
+      valid_types = %w{
+        automate
+        cli
+        documentation
+        html
+        json
+        json-automate
+        json-min
+        json-rspec
+        junit
+        progress
+        yaml
+      }
 
       reporters.each do |reporter_name, reporter_config|
         raise NotImplementedError, "'#{reporter_name}' is not a valid reporter type." unless valid_types.include?(reporter_name)

data/lib/inspec/plugin/v2/installer.rb

@@ -461,9 +461,9 @@ module Inspec::Plugin::V2
 
       # Combine the Sets, so the resolver has one composite place to look
       Gem::Resolver.compose_sets(
-        installed_plugins_gem_set,     # The gems that are in the plugin gem path directory tree
+        installed_plugins_gem_set, # The gems that are in the plugin gem path directory tree
         InstalledVendorSet.new,
-        *extra_request_sets,           # Anything else our caller wanted to include
+        *extra_request_sets # Anything else our caller wanted to include
       )
     end
 

data/lib/inspec/plugin/v2/status.rb

@@ -14,7 +14,7 @@ module Inspec::Plugin::V2
     :loaded,                  # true, false False could mean not attempted or failed
     :load_exception,          # Exception class if it failed to load
     :name,                    # String name
-    :version,                 # three-digit version.  Core / bundled plugins use InSpec version here.
+    :version # three-digit version.  Core / bundled plugins use InSpec version here.
   ) do
     def initialize(*)
       super

data/lib/inspec/profile.rb

@@ -127,7 +127,7 @@ module Inspec
         cli_input_files: options[:runner_conf][:input_file], # From CLI --input-file
         profile_metadata: metadata,
         # TODO: deprecation checks here
-        runner_api: options[:runner_conf][:attributes], # This is the route the audit_cookbook and kitchen-inspec take
+        runner_api: options[:runner_conf][:attributes] # This is the route the audit_cookbook and kitchen-inspec take
       )
 
       @runner_context =

data/lib/inspec/resources.rb

@@ -56,6 +56,7 @@ require "inspec/resources/iis_app_pool"
 require "inspec/resources/iis_site"
 require "inspec/resources/inetd_conf"
 require "inspec/resources/interface"
+require "inspec/resources/ip6tables"
 require "inspec/resources/iptables"
 require "inspec/resources/kernel_module"
 require "inspec/resources/kernel_parameter"

data/lib/inspec/resources/apt.rb

@@ -102,7 +102,7 @@ module Inspec::Resources
           components: parse_repo[4].chomp.split(" "),
           active: active,
         }
-        next unless ["deb", "deb-src"].include? repo[:type]
+        next unless %w{deb deb-src}.include? repo[:type]
 
         lines.push(repo)
       end

data/lib/inspec/resources/ip6tables.rb

@@ -0,0 +1,79 @@
+require "inspec/resources/command"
+
+# Usage:
+# describe ip6tables do
+#   it { should have_rule('-P INPUT ACCEPT') }
+# end
+#
+# The following serverspec sytax is not implemented:
+# describe ip6tables do
+#   it { should have_rule('-P INPUT ACCEPT').with_table('mangle').with_chain('INPUT') }
+# end
+# Please use the new sytax:
+# describe ip6tables(table:'mangle', chain: 'input') do
+#   it { should have_rule('-P INPUT ACCEPT') }
+# end
+#
+# Note: Docker containers normally do not have ip6tables installed
+#
+# @see http://ipset.netfilter.org/ip6tables.man.html
+# @see http://ipset.netfilter.org/ip6tables.man.html
+module Inspec::Resources
+  class Ip6Tables < Inspec.resource(1)
+    name "ip6tables"
+    supports platform: "linux"
+    desc "Use the ip6tables InSpec audit resource to test rules that are defined in ip6tables, which maintains tables of IP packet filtering rules. There may be more than one table. Each table contains one (or more) chains (both built-in and custom). A chain is a list of rules that match packets. When the rule matches, the rule defines what target to assign to the packet."
+    example <<~EXAMPLE
+      describe ip6tables do
+        it { should have_rule('-P INPUT ACCEPT') }
+      end
+    EXAMPLE
+
+    def initialize(params = {})
+      @table = params[:table]
+      @chain = params[:chain]
+
+      # we're done if we are on linux
+      return if inspec.os.linux?
+
+      # ensures, all calls are aborted for non-supported os
+      @ip6tables_cache = []
+      skip_resource "The `ip6tables` resource is not supported on your OS yet."
+    end
+
+    def has_rule?(rule = nil, _table = nil, _chain = nil)
+      # checks if the rule is part of the ruleset
+      # for now, we expect an exact match
+      retrieve_rules.any? { |line| line.casecmp(rule) == 0 }
+    end
+
+    def retrieve_rules
+      return @ip6tables_cache if defined?(@ip6tables_cache)
+
+      # construct ip6tables command to read all rules
+      bin = find_ip6tables_or_error
+      table_cmd = "-t #{@table}" if @table
+      ip6tables_cmd = format("%s %s -S %s", bin, table_cmd, @chain).strip
+
+      cmd = inspec.command(ip6tables_cmd)
+      return [] if cmd.exit_status.to_i != 0
+
+      # split rules, returns array or rules
+      @ip6tables_cache = cmd.stdout.split("\n").map(&:strip)
+    end
+
+    def to_s
+      format("Ip6tables %s %s", @table && "table: #{@table}", @chain && "chain: #{@chain}").strip
+    end
+
+    private
+
+    def find_ip6tables_or_error
+      %w{/usr/sbin/ip6tables /sbin/ip6tables ip6tables}.each do |cmd|
+        return cmd if inspec.command(cmd).exist?
+      end
+
+      raise Inspec::Exceptions::ResourceFailed, "Could not find `ip6tables`"
+    end
+  end
+end

data/lib/inspec/resources/service.rb

@@ -127,10 +127,14 @@ module Inspec::Resources
           Systemd.new(inspec, service_ctl)
         end
       elsif %w{debian}.include?(platform)
-        version = os[:release].to_i
+        if os[:release] == "buster/sid"
+          version = 10
+        else
+          version = os[:release].to_i
+        end
         if version > 7
           Systemd.new(inspec, service_ctl)
-        else
+        elsif version > 0
           SysV.new(inspec, service_ctl || "/usr/sbin/service")
         end
       elsif %w{redhat fedora centos oracle cloudlinux}.include?(platform)

data/lib/inspec/version.rb

@@ -1,3 +1,3 @@
 module Inspec
-  VERSION = "4.6.9".freeze
+  VERSION = "4.7.3".freeze
 end

data/lib/matchers/matchers.rb

@@ -147,7 +147,7 @@ RSpec::Matchers.define :be_resolvable do
   end
 end
 
-# matcher for iptables
+# matcher for iptables and ip6tables
 RSpec::Matchers.define :have_rule do |rule|
   match do |tables|
     tables.has_rule?(rule)

data/lib/plugins/inspec-plugin-manager-cli/test/functional/inspec-plugin_test.rb

@@ -233,10 +233,10 @@ class PluginManagerCliSearch < Minitest::Test
     result = run_inspec_process("plugin search --include-test-fixture inspec-")
     assert_equal 0, result.exit_status, "Search should exit 0"
     assert_includes result.stdout, "inspec-test-fixture", "Search result should contain the test gem"
-    [
-      "inspec-core",
-      "inspec-multi-server",
-    ].each do |plugin_name|
+    %w{
+      inspec-core
+      inspec-multi-server
+    }.each do |plugin_name|
       refute_includes result.stdout, plugin_name, "Search result should not contain excluded gems"
     end
   end
@@ -555,11 +555,11 @@ class PluginManagerCliInstall < Minitest::Test
     # are the names of real rubygems.  They are not InSpec/Train plugins, though,
     # and installing them would be a jam-up.
     # This is configured in 'etc/plugin-filter.json'.
-    [
-      "inspec-core",
-      "inspec-multi-server",
-      "train-tax-calculator",
-    ].each do |plugin_name|
+    %w{
+      inspec-core
+      inspec-multi-server
+      train-tax-calculator
+    }.each do |plugin_name|
       install_result = run_inspec_process_with_this_plugin("plugin install #{plugin_name}")
       assert_empty install_result.stderr
       assert_equal 2, install_result.exit_status, "Exit status should be 2"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec
 version: !ruby/object:Gem::Version
-  version: 4.6.9
+  version: 4.7.3
 platform: ruby
 authors:
 - Chef InSpec Team
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-07-01 00:00:00.000000000 Z
+date: 2019-07-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: train
@@ -546,6 +546,7 @@ files:
 - lib/inspec/resources/inetd_conf.rb
 - lib/inspec/resources/ini.rb
 - lib/inspec/resources/interface.rb
+- lib/inspec/resources/ip6tables.rb
 - lib/inspec/resources/iptables.rb
 - lib/inspec/resources/json.rb
 - lib/inspec/resources/kernel_module.rb