inspec 0.20.1 → 0.21.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 9b3d26c30944b98d35c1e06487c1711b8a6bba52
-  data.tar.gz: c14acfafa355f63e575c1f7537c8dd8abebb2053
+  metadata.gz: 609dd579538c5f1f9a4f86acf691fee0270ad878
+  data.tar.gz: c4d6ae9ca27a55efca499a37ee70d71c50e2ff42
 SHA512:
-  metadata.gz: 63fc4286cc81c5894332deeff52d9294b533e7f7febfead32eb2ae2351bbfd320deb8db9167974fd153e656e1ce28de4c8fe91084476efd5dc8ba195c3ed8246
-  data.tar.gz: 44f92719f4699885b9c63d34bb6487d6dd4f6e54443e0e2af65b3c22f6697c4c526336e884922d5bbb393c47e0da47e25e0c9b1b39e1aa2347525387024544c1
+  metadata.gz: 29a47097ef98d5ddafc0c145bfff580ac74762538e3de8ef9d5730e210f0a76a478d084acf344f3668b946bee98c03102f8248d4d0632bcc12b5d94cf574b3e9
+  data.tar.gz: 65fb88edad1729f9968024c37e9466824d467f290c14f233ca87e70e1792d96cac3a37d9cd36ec2177ac0a64e7f0038225d38911183525e74c4ad23374f68472

data/CHANGELOG.md

@@ -1,7 +1,46 @@
 # Change Log
 
-## [0.20.1](https://github.com/chef/inspec/tree/0.20.1) (2016-04-30)
-[Full Changelog](https://github.com/chef/inspec/compare/v0.20.0...0.20.1)
+## [0.21.0](https://github.com/chef/inspec/tree/0.21.0) (2016-05-10)
+[Full Changelog](https://github.com/chef/inspec/compare/v0.20.1...0.21.0)
+
+**Implemented enhancements:**
+
+- Support nested describe.one blocks [\#711](https://github.com/chef/inspec/issues/711)
+- inspec exec format json backtrace [\#614](https://github.com/chef/inspec/issues/614)
+- Improve error output for compliance plugin [\#544](https://github.com/chef/inspec/issues/544)
+- Cryptic error output if authentication with Chef Compliance fails [\#489](https://github.com/chef/inspec/issues/489)
+- How to access the impact of a test failure? [\#377](https://github.com/chef/inspec/issues/377)
+- Optimize InSpec detect [\#300](https://github.com/chef/inspec/issues/300)
+- document output and/or expected results [\#210](https://github.com/chef/inspec/issues/210)
+- Remove redundant space when missing expectation [\#724](https://github.com/chef/inspec/pull/724) ([alexpop](https://github.com/alexpop))
+- Provide service params [\#721](https://github.com/chef/inspec/pull/721) ([alexpop](https://github.com/alexpop))
+- api: make processes return integers for pid/vsz/rss [\#717](https://github.com/chef/inspec/pull/717) ([arlimus](https://github.com/arlimus))
+- Expose systemd service properties via .info [\#715](https://github.com/chef/inspec/pull/715) ([alexpop](https://github.com/alexpop))
+- Use only strings in resource examples, docs and tests [\#708](https://github.com/chef/inspec/pull/708) ([alexpop](https://github.com/alexpop))
+- use filtertable with passwd resource [\#699](https://github.com/chef/inspec/pull/699) ([arlimus](https://github.com/arlimus))
+- show error if user is not logged in to compliance server [\#696](https://github.com/chef/inspec/pull/696) ([chris-rock](https://github.com/chris-rock))
+- JSON formatter redesign [\#671](https://github.com/chef/inspec/pull/671) ([arlimus](https://github.com/arlimus))
+
+**Fixed bugs:**
+
+- bugfix: handle train errors in inspec execution [\#705](https://github.com/chef/inspec/pull/705) ([arlimus](https://github.com/arlimus))
+
+**Closed issues:**
+
+- How do I inherit a profile from another profile? [\#691](https://github.com/chef/inspec/issues/691)
+- How do I download a profile from a compliance server? [\#690](https://github.com/chef/inspec/issues/690)
+- inspec compliance login fails [\#689](https://github.com/chef/inspec/issues/689)
+
+**Merged pull requests:**
+
+- inspec detect learns human-readable output [\#720](https://github.com/chef/inspec/pull/720) ([chris-rock](https://github.com/chris-rock))
+- Add documentation on how to use ruby  [\#718](https://github.com/chef/inspec/pull/718) ([alexpop](https://github.com/alexpop))
+- export \#tests\(\) from OrTest object [\#714](https://github.com/chef/inspec/pull/714) ([arlimus](https://github.com/arlimus))
+- use strings instead of symbols [\#707](https://github.com/chef/inspec/pull/707) ([vjeffrey](https://github.com/vjeffrey))
+- hpux support for basic port properties [\#706](https://github.com/chef/inspec/pull/706) ([Anirudh-Gupta](https://github.com/Anirudh-Gupta))
+
+## [v0.20.1](https://github.com/chef/inspec/tree/v0.20.1) (2016-04-30)
+[Full Changelog](https://github.com/chef/inspec/compare/v0.20.0...v0.20.1)
 
 **Implemented enhancements:**
 
@@ -11,6 +50,10 @@
 
 - fix appveyor caching [\#700](https://github.com/chef/inspec/pull/700) ([arlimus](https://github.com/arlimus))
 
+**Merged pull requests:**
+
+- 0.20.1 [\#702](https://github.com/chef/inspec/pull/702) ([alexpop](https://github.com/alexpop))
+
 ## [v0.20.0](https://github.com/chef/inspec/tree/v0.20.0) (2016-04-29)
 [Full Changelog](https://github.com/chef/inspec/compare/v0.19.3...v0.20.0)
 

data/docs/dsl_inspec.rst

@@ -117,7 +117,7 @@ The following test shows how to audit machines running |mysql| to ensure that pa
        them to an attacker. Prevent this at all costs.
      '
      describe command('env') do
-       its(:stdout) { should_not match(/^MYSQL_PWD=/) }
+       its('stdout') { should_not match(/^MYSQL_PWD=/) }
      end
    end
 
@@ -232,7 +232,7 @@ The following example illustrates various ways to add tags and references to `co
 .. |inspec resource| replace:: InSpec Resource
 .. |chef compliance| replace:: Chef Compliance
 .. |ruby| replace:: Ruby
-.. |ruby| replace:: SSH
+.. |ssh| replace:: SSH
 .. |windows| replace:: Microsoft Windows
 .. |postgresql| replace:: PostgreSQL
 .. |apache| replace:: Apache

data/docs/resources.rst

@@ -364,7 +364,7 @@ The following examples show how to use this InSpec audit resource.
 
    # syntax for auditd >= 2.3
    describe auditd_rules do
-     its(:lines) { should contain_match(%r{-w /etc/ssh/sshd_config/}) }
+     its('lines') { should contain_match(%r{-w /etc/ssh/sshd_config/}) }
    end
 
 The syntax for recent auditd versions allows more precise tests, such as the following:
@@ -386,7 +386,7 @@ The syntax for recent auditd versions allows more precise tests, such as the fol
    end
 
    describe auditd_rules.key('sshd_config') do
-     its(:permissions) { should contain_match(/x/) }
+     its('permissions') { should contain_match(/x/) }
    end
 
 Note that filters can be chained, for example:
@@ -2045,7 +2045,7 @@ The following examples show how to use this InSpec audit resource.
 .. code-block:: ruby
 
    describe kernel_parameter('net.ipv4.conf.all.forwarding') do
-     its(:value) { should eq 1 }
+     its('value') { should eq 1 }
    end
 
 **Test if global forwarding is disabled for an IPv6 address**
@@ -2053,7 +2053,7 @@ The following examples show how to use this InSpec audit resource.
 .. code-block:: ruby
 
    describe kernel_parameter('net.ipv6.conf.all.forwarding') do
-     its(:value) { should eq 0 }
+     its('value') { should eq 0 }
    end
 
 **Test if an IPv6 address accepts redirects**
@@ -2061,7 +2061,7 @@ The following examples show how to use this InSpec audit resource.
 .. code-block:: ruby
 
    describe kernel_parameter('net.ipv6.conf.interface.accept_redirects') do
-     its(:value) { should eq 'true' }
+     its('value') { should eq 'true' }
    end
 
 
@@ -2417,7 +2417,7 @@ The following examples show how to use this InSpec audit resource.
 
    sql = mysql_session('my_user','password')
    describe sql.query('show databases like \'test\';') do
-     its(:stdout) { should_not match(/test/) }
+     its('stdout') { should_not match(/test/) }
    end
 
 
@@ -3148,12 +3148,12 @@ A ``passwd`` |inspec resource| block declares one (or more) users and associated
 .. code-block:: ruby
 
    describe passwd do
-     its(:users) { should_not include 'forbidden_user' }
+     its('users') { should_not include 'forbidden_user' }
    end
 
    describe passwd.uid(0) do
-     its(:users) { should cmp 'root' }
-     its(:count) { should eq 1 }
+     its('users') { should cmp 'root' }
+     its('count') { should eq 1 }
    end
 
 where

data/docs/ruby_usage.rst

@@ -0,0 +1,145 @@
+=====================================================
+Using |ruby| in InSpec
+=====================================================
+
+The |inspec| DSL is a |ruby| based DSL for writing audit controls, which includes audit resources that you can invoke.
+Core and custom resources are written as regular |ruby| classes which inherit from ``Inspec.resource``.
+
+Assuming we have a |json| file like this on the node to be tested:
+
+.. code-block:: json
+
+    {
+      "keys":[
+        {"username":"john", "key":"/opt/keys/johnd.key"},
+        {"username":"jane", "key":"/opt/keys/janed.key"},
+        {"username":"sunny ", "key":"/opt/keys/sunnym.key"}
+      ]
+    }
+
+The following example shows how you can use pure |ruby| code(variables, loops, conditionals, regular expressions, etc) to run a few tests against the above |json| file:
+
+.. code-block:: ruby
+
+    control 'check-interns' do
+      # use the json inspec resource to get the file
+      json_obj = json('/opt/keys/interns.json')
+      describe json_obj do
+        its('keys') { should_not eq nil }
+      end
+      if json_obj['keys']
+        # loop over the keys array
+        json_obj['keys'].each do |intern|
+          username = intern['username'].strip
+          # check for white spaces chars in usernames
+          describe username do
+            it { should_not match(/\s/) }
+          end
+          # check key file owners and permissions
+          describe file(intern['key']) do
+            it { should be_owned_by username }
+            its('mode') { should eq 0600 }
+          end
+        end
+      end
+    end
+
+Execution
+=====================================================
+
+It's important to understand that |ruby| code used in custom resources and controls DSL is executed on the system that runs |inspec|. This allows |inspec| to work without |ruby| and rubygems being required on remote targets(servers or containers).
+
+For example, using ```ls``` or ``system('ls')`` will result in the ``ls`` command being run locally and not on the target(remote) system.
+In order to process the output of ``ls`` executed on the target system, use ``inspec.command('ls')`` or ``inspec.powershell('ls')``
+
+Similarly, use ``inspec.file(PATH)`` to access files or directories from remote systems in your tests or custom resources.
+
+Using rubygems
+=====================================================
+
+|ruby| gems are self-contained programs and libraries ...
+
+
+Interactive Debugging with Pry
+=====================================================
+
+Here's a sample |inspec| control that users |ruby| variables to instantiate an |inspec| resource once and use the content in multipLe tests.
+
+.. code-block:: ruby
+
+    control 'check-perl' do
+      impact 0.3
+      title 'Check perl compiled options and permissions'
+      perl_out = command('perl -V')
+      #require 'pry'; binding.pry;
+      describe perl_out do
+        its('exit_status') { should eq 0 }
+        its('stdout') { should match (/USE_64_BIT_ALL/) }
+        its('stdout') { should match (/useposix=true/) }
+        its('stdout') { should match (/-fstack-protector/) }
+      end
+
+      # extract an array of include directories
+      perl_inc = perl_out.stdout.partition('@INC:').last.strip.split("\n")
+      # ensure include directories are only writable by 'owner'
+      perl_inc.each do |path|
+        describe directory(path.strip) do
+          it { should_not be_writable.by('group') }
+          it { should_not be_writable.by('other') }
+        end
+      end
+    end
+
+An **advanced** but very useful |ruby| tip. In the previous example, I commented out the ``require 'pry'; binding.pry;`` line. If you remove  the ``#`` prefix and run the control, the execution will stop at that line and give you a ``pry`` shell. Use that to troubleshoot, print variables, see methods available, etc. For the above example:
+
+.. code-block:: ruby
+
+    [1] pry> perl_out.exit_status
+    => 0
+    [2] pry> perl_out.stderr
+    => ""
+    [3] pry> ls perl_out
+    Inspec::Plugins::Resource#methods: inspect
+    Inspec::Resources::Cmd#methods: command  exist?  exit_status  result  stderr  stdout  to_s
+    Inspec::Plugins::ResourceCommon#methods: resource_skipped  skip_resource
+    Inspec::Resource::Registry::Command#methods: inspec
+    instance variables: @__backend_runner__  @__resource_name__  @command  @result
+    [4] pry> perl_out.stdout.partition('@INC:').last.strip.split("\n")
+    => ["/Library/Perl/5.18/darwin-thread-multi-2level",
+     "    /Library/Perl/5.18",
+    ...REDACTED...
+    [5] pry> exit    # or abort
+
+You can use ``pry`` inside both the controls DSL and resources.
+Similarly, for dev and test, you can use ``inspec shell`` which is based on ``pry``, for example:
+
+.. code-block:: ruby
+
+    $ inspec shell
+    Welcome to the interactive InSpec Shell
+    To find out how to use it, type: help
+
+    inspec> command('ls /home/gordon/git/inspec/docs').stdout
+    => "ctl_inspec.rst\ndsl_inspec.rst\ndsl_resource.rst\n"
+    inspec> command('ls').stdout.split("\n")
+    => ["ctl_inspec.rst", "dsl_inspec.rst", "dsl_resource.rst"]
+
+    inspec> help command
+    Name: command
+
+    Description:
+    Use the command InSpec audit resource to test an arbitrary command that is run on the system.
+
+    Example:
+    describe command('ls -al /') do
+      it { should exist }
+      its('stdout') { should match /bin/ }
+      its('stderr') { should eq '' }
+      its('exit_status') { should eq 0 }
+    end
+
+.. |inspec| replace:: InSpec
+.. |chef compliance| replace:: Chef Compliance
+.. |ruby| replace:: Ruby
+.. |csv| replace:: CSV
+.. |json| replace:: JSON

data/inspec.gemspec

@@ -33,6 +33,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency 'rspec', '~> 3'
   spec.add_dependency 'rspec-its', '~> 1.2'
   spec.add_dependency 'pry', '~> 0'
+  spec.add_dependency 'hashie', '~> 3.4'
 
   spec.add_development_dependency 'mocha', '~> 1.1'
 end

data/lib/bundles/inspec-compliance/cli.rb

@@ -58,6 +58,8 @@ module Compliance
     desc 'profiles', 'list all available profiles in Chef Compliance'
     def profiles
       config = Compliance::Configuration.new
+      return if !loggedin(config)
+
       profiles = Compliance::API.profiles(config)
       if !profiles.empty?
         # iterate over profiles
@@ -73,6 +75,9 @@ module Compliance
     desc 'exec PROFILE', 'executes a Chef Compliance profile'
     exec_options
     def exec(*tests)
+      config = Compliance::Configuration.new
+      return if !loggedin(config)
+
       # iterate over tests and add compliance scheme
       tests = tests.map { |t| 'compliance://' + t }
 
@@ -84,7 +89,10 @@ module Compliance
     desc 'upload PATH', 'uploads a local profile to Chef Compliance'
     option :overwrite, type: :boolean, default: false,
       desc: 'Overwrite existing profile on Chef Compliance.'
-    def upload(path) # rubocop:disable Metrics/MethodLength, Metrics/AbcSize, PerceivedComplexity
+    def upload(path) # rubocop:disable Metrics/MethodLength, Metrics/AbcSize, PerceivedComplexity, Metrics/CyclomaticComplexity
+      config = Compliance::Configuration.new
+      return if !loggedin(config)
+
       unless File.exist?(path)
         puts "Directory #{path} does not exist."
         exit 1
@@ -110,7 +118,6 @@ module Compliance
       end
 
       # determine user information
-      config = Compliance::Configuration.new
       if config['token'].nil? || config['user'].nil?
         error.call('Please login via `inspec compliance login`')
       end
@@ -261,6 +268,12 @@ module Compliance
 
       [success, msg]
     end
+
+    def loggedin(config)
+      serverknown = !config['server'].nil?
+      puts 'You need to login first with `inspec compliance login`' if !serverknown
+      serverknown
+    end
   end
 
   # register the subcommand to Inspec CLI registry

data/lib/inspec/cli.rb

@@ -15,8 +15,6 @@ class Inspec::InspecCLI < Inspec::BaseCLI # rubocop:disable Metrics/ClassLength
     desc: 'Show diagnostics (versions, configurations)'
 
   desc 'json PATH', 'read all tests in PATH and generate a JSON summary'
-  option :id, type: :string,
-    desc: 'Attach a profile ID to all test results'
   option :output, aliases: :o, type: :string,
     desc: 'Save the created profile to a path'
   option :controls, type: :array,
@@ -115,9 +113,19 @@ class Inspec::InspecCLI < Inspec::BaseCLI # rubocop:disable Metrics/ClassLength
 
   desc 'detect', 'detect the target OS'
   target_options
+  option :format, type: :string
   def detect
-    options_json[:command] = 'os.params'
-    shell_func
+    o = opts.dup
+    o[:command] = 'os.params'
+    res = run_command(o)
+    if opts['format'] == 'json'
+      puts res.to_json
+    else
+      headline('Operating System Details')
+      %w{name family release arch}.each { |item|
+        puts "#{mark_text(item.to_s.capitalize + ':')} #{res[item.to_sym]}"
+      }
+    end
   end
 
   desc 'shell', 'open an interactive debugging shell'
@@ -129,25 +137,30 @@ class Inspec::InspecCLI < Inspec::BaseCLI # rubocop:disable Metrics/ClassLength
     o = opts.dup
     o[:logger] = Logger.new(STDOUT)
     o[:logger].level = get_log_level(o.log_level)
-
     if o[:command].nil?
       runner = Inspec::Runner.new(o)
       return Inspec::Shell.new(runner).start
     else
-      opts[:test_collector] = 'mock'
-      runner = Inspec::Runner.new(opts)
-      res = runner.create_context.load(o[:command])
+      res = run_command(o)
       jres = res.respond_to?(:to_json) ? res.to_json : JSON.dump(res)
       puts jres
     end
-  rescue RuntimeError => e
-    puts e.message
+  rescue RuntimeError, Train::UserError => e
+    $stderr.puts e.message
   end
 
   desc 'version', 'prints the version of this tool'
   def version
     puts Inspec::VERSION
   end
+
+  private
+
+  def run_command(opts)
+    opts[:test_collector] = 'mock'
+    runner = Inspec::Runner.new(opts)
+    runner.create_context.load(opts[:command])
+  end
 end
 
 # Load all plugins on startup

data/lib/inspec/dsl.rb

@@ -31,37 +31,6 @@ module Inspec::DSL
     end
   end
 
-  # Register a given rule with RSpec and
-  # let it run. This happens after everything
-  # else is merged in.
-  def self.execute_rule(r, profile_id)
-    checks = ::Inspec::Rule.prepare_checks(r)
-    fid = InspecBaseRule.full_id(r, profile_id)
-    checks.each do |m, a, b|
-      # check if the resource is skippable and skipped
-      cres = rule_from_check(m, a, b)
-      set_rspec_ids(cres, fid) if m == 'describe'
-    end
-  end
-
-  # merge two rules completely; all defined
-  # fields from src will be overwritten in dst
-  def self.merge_rules(dst, src)
-    InspecBaseRule.merge dst, src
-  end
-
-  # Attach an ID attribute to the
-  # metadata of all examples
-  # TODO: remove this once IDs are in rspec-core
-  def self.set_rspec_ids(obj, id)
-    obj.examples.each {|ex|
-      ex.metadata[:id] = id
-    }
-    obj.children.each {|c|
-      set_rspec_ids(c, id)
-    }
-  end
-
   def self.load_spec_files_for_profile(bind_context, opts, &block)
     # get all spec files
     target = get_reference_profile(opts[:profile_id], opts[:conf])
@@ -121,24 +90,3 @@ module Inspec::DSL
     ctx
   end
 end
-
-module Inspec::GlobalDSL
-  def __register_rule(r)
-    # make sure the profile id is attached to the rule
-    ::Inspec::DSL.execute_rule(r, __profile_id)
-  end
-
-  def __unregister_rule(_id)
-  end
-end
-
-module Inspec::DSLHelper
-  def self.bind_dsl(scope)
-    (class << scope; self; end).class_exec do
-      include Inspec::DSL
-      include Inspec::GlobalDSL
-    end
-  end
-end
-
-::Inspec::DSLHelper.bind_dsl(self)