inspec 0.12.0 → 0.14.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 5e3b076ffed41d9148eb98065a025a6acb6a9f70
-  data.tar.gz: eb36dc73cf37bc30a46949943ba7db582ed82417
+  metadata.gz: 0e8809fbed2418c889f95bdd22b409fe730ccb92
+  data.tar.gz: a21f007a1136db0e5869d8789152a59ef648f462
 SHA512:
-  metadata.gz: 09d87d6da242d31586af6d3e39e913223a141d6dbc39474c921636d3169a57bcf1b5029defc1d2f6a8f01c246fe3494846edfe9d00a27381f3aa13f8f335435a
-  data.tar.gz: d2806a4c8e637a1ec46cf3ed9ea5a40fc8dd32a6e3bb0de63f405d33f4de9a09d3f25faf36932d949b73c7d9ff1d11949e59963f6ab6116402890632facb0227
+  metadata.gz: 9a28f59896f7ae9ce9668ec6c6ba03ff78b1437e1d1a10def6bdb9967fc1257f4b8f22395e5174ca4b2271dcf7f27165f302d0dd4f535c04f7351faa7919139a
+  data.tar.gz: c4e01382ab5344ce014379172526f770341cb3fab75cb8da24be156f13efba8316fc2a0b055d96e6148e1a1b700e10a04386e387c9da98c726f7ab5e3e234c31

data/CHANGELOG.md

@@ -1,7 +1,43 @@
 # Change Log
 
-## [0.12.0](https://github.com/chef/inspec/tree/0.12.0) (2016-02-15)
-[Full Changelog](https://github.com/chef/inspec/compare/v0.11.0...0.12.0)
+## [0.14.0](https://github.com/chef/inspec/tree/0.14.0) (2016-02-22)
+[Full Changelog](https://github.com/chef/inspec/compare/v0.13.0...0.14.0)
+
+**Fixed bugs:**
+
+- force encoding to utf-8 [\#476](https://github.com/chef/inspec/pull/476) ([arlimus](https://github.com/arlimus))
+- bugfix: make sure version is always a string [\#475](https://github.com/chef/inspec/pull/475) ([arlimus](https://github.com/arlimus))
+- bugfix: handle edge-cases in upstart service [\#474](https://github.com/chef/inspec/pull/474) ([arlimus](https://github.com/arlimus))
+- replace targets with fetcher+reader system [\#473](https://github.com/chef/inspec/pull/473) ([arlimus](https://github.com/arlimus))
+
+## [v0.13.0](https://github.com/chef/inspec/tree/v0.13.0) (2016-02-19)
+[Full Changelog](https://github.com/chef/inspec/compare/v0.12.0...v0.13.0)
+
+**Implemented enhancements:**
+
+- add shadow resource for /etc/shadow [\#471](https://github.com/chef/inspec/pull/471) ([arlimus](https://github.com/arlimus))
+- improve url handling [\#470](https://github.com/chef/inspec/pull/470) ([chris-rock](https://github.com/chris-rock))
+- add filters to passwd resource + deprecate old accessors [\#467](https://github.com/chef/inspec/pull/467) ([arlimus](https://github.com/arlimus))
+- cmp for single-entry arrays; add cmp docs [\#466](https://github.com/chef/inspec/pull/466) ([arlimus](https://github.com/arlimus))
+
+**Fixed bugs:**
+
+- Windows 2008 Still not detected correctly [\#453](https://github.com/chef/inspec/issues/453)
+- Service-related docs, bugs, integration tests [\#463](https://github.com/chef/inspec/pull/463) ([srenatus](https://github.com/srenatus))
+- fix url target resolution with zip and tar [\#462](https://github.com/chef/inspec/pull/462) ([arlimus](https://github.com/arlimus))
+- ensure permissions of inspec-compliance config.json on store [\#461](https://github.com/chef/inspec/pull/461) ([srenatus](https://github.com/srenatus))
+
+**Closed issues:**
+
+- No way to reload the add resources from test code [\#459](https://github.com/chef/inspec/issues/459)
+- add documentation for new server runlevel support [\#456](https://github.com/chef/inspec/issues/456)
+
+**Merged pull requests:**
+
+- 0.13.0 [\#472](https://github.com/chef/inspec/pull/472) ([chris-rock](https://github.com/chris-rock))
+
+## [v0.12.0](https://github.com/chef/inspec/tree/v0.12.0) (2016-02-15)
+[Full Changelog](https://github.com/chef/inspec/compare/v0.11.0...v0.12.0)
 
 **Implemented enhancements:**
 
@@ -17,6 +53,7 @@
 
 **Merged pull requests:**
 
+- 0.12.0 [\#457](https://github.com/chef/inspec/pull/457) ([arlimus](https://github.com/arlimus))
 - rework target to resolver connection [\#447](https://github.com/chef/inspec/pull/447) ([arlimus](https://github.com/arlimus))
 - separate directory resolver from target resolver [\#446](https://github.com/chef/inspec/pull/446) ([arlimus](https://github.com/arlimus))
 

data/bin/inspec

@@ -20,12 +20,12 @@ class Inspec::InspecCLI < Inspec::BaseCLI # rubocop:disable Metrics/ClassLength
     desc: 'Attach a profile ID to all test results'
   option :output, aliases: :o, type: :string,
     desc: 'Save the created profile to a path'
-  def json(path)
+  def json(target)
     diagnose
     o = opts.dup
     o[:ignore_supports] = true
 
-    profile = Inspec::Profile.from_path(path, o)
+    profile = Inspec::Profile.for_target(target, o)
     dst = o[:output].to_s
     if dst.empty?
       puts JSON.pretty_generate(profile.info)
@@ -49,7 +49,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI # rubocop:disable Metrics/ClassLength
     o[:ignore_supports] = true # we check for integrity only
 
     # run check
-    profile = Inspec::Profile.from_path(path, o)
+    profile = Inspec::Profile.for_target(path, o)
     result = profile.check
 
     if opts['format'] == 'json'
@@ -88,7 +88,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI # rubocop:disable Metrics/ClassLength
     o[:logger] = Logger.new(STDOUT)
     o[:logger].level = get_log_level(o.log_level)
 
-    profile = Inspec::Profile.from_path(path, o)
+    profile = Inspec::Profile.for_target(path, o)
     result = profile.check
 
     if result && !opts[:ignore_errors] == false
@@ -105,9 +105,9 @@ class Inspec::InspecCLI < Inspec::BaseCLI # rubocop:disable Metrics/ClassLength
     desc: 'Attach a profile ID to all test results'
   target_options
   option :format, type: :string
-  def exec(*tests)
+  def exec(*targets)
     diagnose
-    run_tests(opts, tests)
+    run_tests(targets, opts)
   end
 
   desc 'detect', 'detect the target OS'
@@ -115,11 +115,13 @@ class Inspec::InspecCLI < Inspec::BaseCLI # rubocop:disable Metrics/ClassLength
   def detect
     diagnose
 
-    runner = Inspec::Runner.new(opts)
     rel = File.join(File.dirname(__FILE__), *%w{.. lib utils detect.rb})
     detect_util = File.expand_path(rel)
-    runner.add_tests([detect_util])
-    runner.run
+    # exits on execution:
+    runner = Inspec::Runner.new(opts)
+    profile = Inspec::Profile.for_target(detect_util, opts)
+    runner.add_profile(profile)
+    exit runner.run
   rescue RuntimeError => e
     puts e.message
   end

data/docs/matchers.rst

@@ -0,0 +1,129 @@
+=====================================================
+InSpec Matchers Reference
+=====================================================
+
+
+Inspec uses matchers to help compare resource values to expectations. The following matchers are available:
+
+* `be`
+* `cmp`
+* `eq`
+* `include`
+* `match`
+
+
+be
+=====================================================
+
+This matcher can be followed by many different comparison operators. Always make sure to use numbers, not strings, for these comparisons.
+
+.. code-block:: ruby
+
+  describe file('/proc/cpuinfo') do
+    its('size') { should be >= 10 }
+    its('size') { should be < 1000 }
+  end
+
+cmp
+=====================================================
+
+Unlike ``eq``, cmp is a matcher for less-restrictive comparisons. It will try to fit the actual value to the type you are comparing it to. This is meant to relieve the user from having to write type-casts and resolutions.
+
+.. code-block:: ruby
+
+  describe sshd_config do
+    its('Protocol') { should cmp 2 }
+  end
+
+  describe passwd.uid(0) do
+    its('users') { should cmp 'root' }
+  end
+
+``cmp`` behaves in the following way:
+
+* Compare strings to numbers
+
+  .. code-block:: ruby
+
+    describe sshd_config do
+      its('Protocol') { should eq '2' }
+
+      its('Protocol') { should cmp '2' }
+      its('Protocol') { should cmp 2 }
+    end
+
+* String comparisons are not case-sensitive
+
+  .. code-block:: ruby
+
+    describe auditd_conf do
+      its('log_format') { should cmp 'raw' }
+      its('log_format') { should cmp 'RAW' }
+    end
+
+* Compare arrays with only one entry to a value
+
+  .. code-block:: ruby
+
+    describe passwd.uids(0) do
+      its('users') { should cmp 'root' }
+      its('users') { should cmp ['root'] }
+    end
+
+* Improved printing of octal comparisons
+
+  .. code-block:: ruby
+
+    describe file('/proc/cpuinfo') do
+      its('mode') { should cmp '0345' }
+    end
+
+    expected: 0345
+    got: 0444
+
+eq
+=====================================================
+
+Test for exact equality of two values.
+
+.. code-block:: ruby
+
+  describe sshd_config do
+    its('RSAAuthentication') { should_not eq 'no' }
+    its('Protocol') { should eq '2' }
+  end
+
+It fails if types don't match. Please keep this in mind, when comparing configuration
+entries that are numbers:
+
+.. code-block:: ruby
+
+  its('Port') { should eq '22' } # ok
+
+  its('Port') { should eq 22 }
+  # fails: '2' != 2 (string vs int)
+
+For less restrictive comparisons, please use ``cmp``.
+
+include
+=====================================================
+
+Verifies if a value is included in a list.
+
+.. code-block:: ruby
+
+  describe passwd do
+    its('users') { should include 'my_user' }
+  end
+
+
+match
+=====================================================
+
+Check if a string matches a regular expression.
+
+.. code-block:: ruby
+
+  describe sshd_config do
+    its('Ciphers') { should_not match /cbc/ }
+  end

data/docs/resources.rst

@@ -3102,19 +3102,22 @@ A ``passwd`` |inspec resource| block declares one (or more) users and associated
 .. code-block:: ruby
 
    describe passwd do
-     its('matcher') { should eq 0 }
+     its(:users) { should_not include 'forbidden_user' }
    end
 
-   describe passwd.uid(filter) do
-     its(:username) { should eq 'root' }
+   describe passwd.uid(0) do
+     its(:users) { should cmp 'root' }
      its(:count) { should eq 1 }
    end
 
 where
 
-* ``gids``, ``passwords``, ``uids``, and ``usernames`` are valid matchers for ``passwd``
-* ``filter`` is a filter for a specific uid
-* ``count``, ``uid``, ``username`` are valid matchers for ``passwd.uid(userid)``
+* ``users``, ``uids``, ``gids``, ``passwords``, ``homes``, and ``shells`` are valid accessors for ``passwd``
+* All of these matchers can be given an argument to filter by, for example: ``passwd.users(/name/)``
+* There is an explicit method to filter by (``filter``) which can take multiple arguments at once
+* ``count`` retrieves the number of entries
+* ``lines`` provides raw passwd lines
+* ``params`` returns an array of maps for all entries
 
 
 Matchers for ``passwd``
@@ -3127,7 +3130,8 @@ The ``gids`` matcher tests if the group indentifiers in the test match group ide
 
 .. code-block:: ruby
 
-   its('gids') { should eq 1234 }
+   its('gids') { should include 1234 }
+   its('gids') { should cmp 0 }
 
 passwords
 +++++++++++++++++++++++++++++++++++++++++++++++++++++
@@ -3141,7 +3145,8 @@ For example:
 
 .. code-block:: ruby
 
-   its('passwords') { should eq 'x' }
+   its('passwords') { should eq ['x'] }
+   its('passwords') { should cmp '*' }
 
 uids
 +++++++++++++++++++++++++++++++++++++++++++++++++++++
@@ -3151,42 +3156,25 @@ The ``uids`` matcher tests if the user indentifiers in the test match user ident
 
    its('uids') { should eq ['1234', '1235'] }
 
-usernames
+users
 +++++++++++++++++++++++++++++++++++++++++++++++++++++
-The ``usernames`` matcher tests if the usernames in the test match usernames in ``/etc/passwd``:
+The ``users`` matcher tests if the usernames in the test match usernames in ``/etc/passwd``:
 
 .. code-block:: ruby
 
-   its('usernames') { should eq ['root', 'www-data'] }
-
+   its('users') { should_not include 'www-data' }
 
-Matchers for ``passwd.uid(userid)``
------------------------------------------------------
-This InSpec audit resource has the following matchers.
 
 count
 +++++++++++++++++++++++++++++++++++++++++++++++++++++
-The ``count`` matcher tests the number of times the named user appears in ``/etc/passwd``:
-
-.. code-block:: ruby
-
-   its('count') { should eq 1 }
-
-uid
-+++++++++++++++++++++++++++++++++++++++++++++++++++++
-The ``uid`` matcher tests if the user identifier in the test matches a user identifier in ``/etc/passwd``:
+The ``count`` matcher tests the number of entries in ``/etc/passwd``. It becomes especially useful in conjunction combination with filters:
 
 .. code-block:: ruby
 
-   its('uid') { should eq 1234 }
-
-username
-+++++++++++++++++++++++++++++++++++++++++++++++++++++
-The ``username`` matcher tests if the user name in the test matches a user name in ``/etc/passwd``:
-
-.. code-block:: ruby
+   describe passwd.users('highlander') do
+     its('count') { should eq 1 }
+   end
 
-   its('username') { should eq 'root' }
 
 Examples
 -----------------------------------------------------
@@ -3197,7 +3185,7 @@ The following examples show how to use this InSpec audit resource.
 .. code-block:: ruby
 
    describe passwd do
-     its('usernames') { should eq ['root', 'www-data'] }
+     its('users') { should eq ['root', 'www-data'] }
      its('uids') { should eq [0, 33] }
    end
 
@@ -3205,13 +3193,13 @@ The following examples show how to use this InSpec audit resource.
 
 .. code-block:: ruby
 
-   describe passwd.uid(0) do
-     its('username') { should eq 'root' }
+   describe passwd.uids(0) do
+     its('users') { should cmp 'root' }
      its('count') { should eq 1 }
    end
 
-   describe passwd.uid(33) do
-     its('username') { should eq 'www-data' }
+   describe passwd.filter(user: 'www-data') do
+     its('uids') { should cmp 33 }
      its('count') { should eq 1 }
    end
 
@@ -3875,6 +3863,45 @@ The following examples show how to use this InSpec audit resource.
    end
 
 
+**Test the runlevels for Sys-V services**
+
+On targets using Sys-V services, the existing runlevels can also be checked:
+
+.. code-block:: ruby
+
+   describe service('sshd').runlevels do
+     its('keys') { should include(2) }
+   end
+
+   describe service('sshd').runlevels(2,4) do
+     it { should be_enabled }
+   end
+
+**Override the service manager**
+
+Under some circumstances, it may be required to override the logic in place to select the right service manager. For example, if you want to check a service managed by Upstart, you can explicitly do so:
+
+.. code-block:: ruby
+
+  describe upstart_service('service') do
+    it { should_not be_enabled }
+    it { should be_installed }
+    it { should be_running }
+  end
+
+This is also possible with `systemd_service`, `runit_service`, `sysv_service`, `bsd_service`, and `launchd_service`.
+You can also provide the control command, for when it is not to be found at the default location.
+For example, if your `sv` command for services managed by Runit is not in PATH:
+
+.. code-block:: ruby
+
+  describe runit_service('service', '/opt/chef/embedded/sbin/sv') do
+    it { should be_enabled }
+    it { should be_installed }
+    it { should be_running }
+  end
+
+
 ssh_config
 =====================================================
 Use the ``ssh_config`` |inspec resource| to test |openssh| |ssh| client configuration data located at ``/etc/ssh/ssh_config`` on |linux| and |unix| platforms.

data/inspec.gemspec

@@ -24,7 +24,7 @@ Gem::Specification.new do |spec|
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
   spec.require_paths = ['lib']
 
-  spec.add_dependency 'r-train', '~> 0.9', '>= 0.9.6'
+  spec.add_dependency 'r-train', '~> 0.10'
   spec.add_dependency 'thor', '~> 0.19'
   spec.add_dependency 'json', '~> 1.8'
   spec.add_dependency 'rainbow', '~> 2'

data/lib/bundles/inspec-compliance/cli.rb

@@ -47,7 +47,7 @@ module Compliance
 
       # execute profile from inspec exec implementation
       diagnose
-      run_tests(opts, tests)
+      run_tests(tests, opts)
     end
 
     desc 'upload PATH', 'uploads a local profile to Chef Compliance'

data/lib/bundles/inspec-compliance/configuration.rb

@@ -40,6 +40,7 @@ module Compliance
     # stores a hash to json
     def store
       File.open(@config_file, 'w') do |f|
+        f.chmod(0600)
         f.write(@config.to_json)
       end
     end