inspec 0.33.2 → 0.34.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 2f4f2b2442e3a19f101d6d04c0a13815dc086b66
-  data.tar.gz: 1b02e5addd71a28377e73c7080ab7b88f2af28d4
+  metadata.gz: d0a1f7cf81639eade2bf2ac0203d87420d7b8a31
+  data.tar.gz: a9f5f10e11a0b00cbe9f8ae60434e0e19337f5d3
 SHA512:
-  metadata.gz: e6317eb3c488e0590a5ffa5bae91fca369d3662555423271f5bdbf348ae93b2947a2a1b613403699a5ecf46926f4e1fe873db827b23bebe3f7b9e561d1e4472a
-  data.tar.gz: 9b18e3a35eda7e93cdfcfb0f1566090d7eaaae81e6ceeae02b2af205edc281f9a74cfd8b2b637f3a99a43dda66c3857099e8015745039e91fa17d91e0525bd86
+  metadata.gz: 2a53d8b5b6e0d51912192f08d7b42a5691142976c507373996ac8c05f76dea3ccd96c77476dce6c3f4bfb82e8c0aeb47818dd618385f4a8e88081a42957deb91
+  data.tar.gz: cc3dc4d250b1d2eb10253b69c49f0f0d270bade569ebad3474ebd359fb1e5948b6e7b74ff0a60c4bd3b3ad0594a32839619b9bed120a3336cc496e7343619c9a

data/CHANGELOG.md

@@ -1,7 +1,41 @@
 # Change Log
 
-## [0.33.2](https://github.com/chef/inspec/tree/0.33.2) (2016-09-07)
-[Full Changelog](https://github.com/chef/inspec/compare/v0.33.1...0.33.2)
+## [0.34.0](https://github.com/chef/inspec/tree/0.34.0) (2016-09-12)
+[Full Changelog](https://github.com/chef/inspec/compare/v0.33.2...0.34.0)
+
+**Implemented enhancements:**
+
+- Vendor Github and Supermarket dependencies [\#959](https://github.com/chef/inspec/issues/959)
+- use simple config for security policy resource [\#1044](https://github.com/chef/inspec/pull/1044) ([chris-rock](https://github.com/chris-rock))
+- identify enabled/disabled accounts for windows [\#1039](https://github.com/chef/inspec/pull/1039) ([chris-rock](https://github.com/chris-rock))
+
+**Closed issues:**
+
+- Compliance should allow the ability to upload the unconverted SCAP profiles from the agencies. [\#1055](https://github.com/chef/inspec/issues/1055)
+- Multiple matchers in a describe block display only a single line [\#1025](https://github.com/chef/inspec/issues/1025)
+- Create all content for inspec homepage demo [\#1021](https://github.com/chef/inspec/issues/1021)
+- User resource should use Filtertable [\#948](https://github.com/chef/inspec/issues/948)
+
+**Merged pull requests:**
+
+- rename example to meta-profile [\#1051](https://github.com/chef/inspec/pull/1051) ([chris-rock](https://github.com/chris-rock))
+- fix webpack start script for tutorial [\#1050](https://github.com/chef/inspec/pull/1050) ([vjeffrey](https://github.com/vjeffrey))
+- Add Inspec::Fetcher\#relative\_target for compatibility [\#1046](https://github.com/chef/inspec/pull/1046) ([stevendanna](https://github.com/stevendanna))
+- Typo supermarket -\> compliance [\#1041](https://github.com/chef/inspec/pull/1041) ([stevendanna](https://github.com/stevendanna))
+- Improve duplicate and cycle detection in resolver [\#1038](https://github.com/chef/inspec/pull/1038) ([stevendanna](https://github.com/stevendanna))
+- Add example of corporate profile [\#1037](https://github.com/chef/inspec/pull/1037) ([stevendanna](https://github.com/stevendanna))
+- Ensure simplecov starts before everything else [\#1036](https://github.com/chef/inspec/pull/1036) ([stevendanna](https://github.com/stevendanna))
+- add sys\_info resource to get information about the hostname [\#1035](https://github.com/chef/inspec/pull/1035) ([chris-rock](https://github.com/chris-rock))
+- Add GitFetcher and rework Fetchers+SourceReaders [\#1034](https://github.com/chef/inspec/pull/1034) ([stevendanna](https://github.com/stevendanna))
+- add demo content [\#1033](https://github.com/chef/inspec/pull/1033) ([vjeffrey](https://github.com/vjeffrey))
+- add health graphs [\#1032](https://github.com/chef/inspec/pull/1032) ([arlimus](https://github.com/arlimus))
+- fix table formatting in readme [\#1031](https://github.com/chef/inspec/pull/1031) ([arlimus](https://github.com/arlimus))
+- remove old delivery tests [\#1029](https://github.com/chef/inspec/pull/1029) ([arlimus](https://github.com/arlimus))
+- make demo better [\#1015](https://github.com/chef/inspec/pull/1015) ([vjeffrey](https://github.com/vjeffrey))
+- user resource should support filtertable [\#990](https://github.com/chef/inspec/pull/990) ([ksubrama](https://github.com/ksubrama))
+
+## [v0.33.2](https://github.com/chef/inspec/tree/v0.33.2) (2016-09-07)
+[Full Changelog](https://github.com/chef/inspec/compare/v0.33.1...v0.33.2)
 
 **Implemented enhancements:**
 

data/README.md

@@ -311,6 +311,11 @@ InSpec is inspired by the wonderful [Serverspec](http://serverspec.org) project.
 1. Create new Pull Request
 
 
+The InSpec community and maintainers are very active and helpful. This project benefits greatly from this activity.
+
+[![InSpec health](https://graphs.waffle.io/chef/inspec/throughput.svg)](https://waffle.io/chef/inspec/metrics/throughput)
+
+
 ## Testing InSpec
 
 We perform `unit`, `resource` and `integration` tests.
@@ -380,21 +385,15 @@ transport:
 ```
 
 
-### Chef Delivery Tests
-
-It may be informative to look at what [tests Chef Delivery](https://github.com/chef/inspec/blob/master/.delivery/build-cookbook/recipes/unit.rb) is running for CI.
-
 ## License
 
-| **Author:**          | Dominik Richter (<drichter@chef.io>)
-
-| **Author:**          | Christoph Hartmann (<chartmann@chef.io>)
-
-| **Copyright:**       | Copyright (c) 2015 Chef Software Inc.
-
-| **Copyright:**       | Copyright (c) 2015 Vulcano Security GmbH.
-
-| **License:**         | Apache License, Version 2.0
+|  |  |
+| ------ | --- |
+| **Author:** | Dominik Richter (<drichter@chef.io>) |
+| **Author:** | Christoph Hartmann (<chartmann@chef.io>) |
+| **Copyright:** | Copyright (c) 2015 Chef Software Inc. |
+| **Copyright:** | Copyright (c) 2015 Vulcano Security GmbH. |
+| **License:** | Apache License, Version 2.0 |
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

data/examples/meta-profile/README.md

@@ -0,0 +1,11 @@
+# meta-profile
+
+The inspec.yml file in this profile shows how one can use dependencies
+from non-local sources such as Git or an HTTP url. This feature can
+be used to build up a environment-wide profile that is based on more
+specific profiles managed by others.
+
+# WARNING
+
+This profile likely does not work yet. It exists as a target for
+ongoing development work.

data/examples/meta-profile/controls/example.rb

@@ -0,0 +1,8 @@
+# encoding: utf-8
+# copyright: 2015, The Authors
+# license: All rights reserved
+include_controls 'ssh-hardening'
+include_controls 'os-hardening'
+include_controls 'ssl-benchmark'
+include_controls 'linux'
+include_controls 'windows-patch-benchmark'

data/examples/meta-profile/inspec.yml

@@ -0,0 +1,19 @@
+name: meta-profile
+title: Meta Compliance Profile
+maintainer: InSpec Authors
+copyright: InSpec Authors
+copyright_email: support@chef.io
+license: Apache 2
+summary: InSpec Profile that is only consuming dependencies
+version: 0.2.0
+depends:
+  - name: ssh-hardening
+    supermarket: hardening/ssh-hardening
+  - name: os-hardening
+    url: https://github.com/dev-sec/tests-os-hardening/archive/master.zip
+  - name: ssl-benchmark
+    git: https://github.com/dev-sec/ssl-benchmark.git
+  - name: windows-patch-benchmark
+    git: https://github.com/chris-rock/windows-patch-benchmark.git
+  - name: linux
+    compliance: base/linux

data/lib/bundles/inspec-compliance/target.rb

@@ -4,7 +4,6 @@
 
 require 'uri'
 require 'inspec/fetcher'
-require 'fetchers/url'
 
 # InSpec Target Helper for Chef Compliance
 # reuses UrlHelper, but it knows the target server and the access token already
@@ -14,11 +13,14 @@ module Compliance
     name 'compliance'
     priority 500
 
-    def self.resolve(target, _opts = {})
-      return nil unless target.is_a?(String)
-      # check for local scheme compliance://
-      uri = URI(target)
-      return nil unless URI(uri).scheme == 'compliance'
+    def self.resolve(target)
+      uri = if target.is_a?(String) && URI(target).scheme == 'compliance'
+              URI(target)
+            elsif target.respond_to?(:key?) && target.key?(:compliance)
+              URI("compliance://#{target[:compliance]}")
+            end
+
+      return nil if uri.nil?
 
       # check if we have a compliance token
       config = Compliance::Configuration.new
@@ -27,18 +29,33 @@ module Compliance
       # verifies that the target e.g base/ssh exists
       profile = uri.host + uri.path
       Compliance::API.exist?(config, profile)
-      super(target_url(config, profile), config)
+      new(target_url(profile, config), config)
     rescue URI::Error => _e
       nil
     end
 
-    def self.target_url(config, profile)
+    def self.target_url(profile, config)
       owner, id = profile.split('/')
       "#{config['server']}/owners/#{owner}/compliance/#{id}/tar"
     end
 
+    #
+    # We want to save compliance: in the lockfile rather than url: to
+    # make sure we go back through the ComplianceAPI handling.
+    #
+    def resolved_source
+      { compliance: supermarket_profile_name }
+    end
+
     def to_s
       'Chef Compliance Profile Loader'
     end
+
+    private
+
+    def supermarket_profile_name
+      m = %r{^#{@config['server']}/owners/(?<owner>[^/]+)/compliance/(?<id>[^/]+)/tar$}.match(@target)
+      "#{m[:owner]}/#{m[:id]}"
+    end
   end
 end

data/lib/bundles/inspec-supermarket/api.rb

@@ -9,18 +9,14 @@ module Supermarket
   class API
     SUPERMARKET_URL = 'https://supermarket.chef.io'.freeze
 
-    def self.supermarket_url
-      SUPERMARKET_URL
-    end
-
     # displays a list of profiles
-    def self.profiles
-      url = "#{SUPERMARKET_URL}/api/v1/tools-search"
+    def self.profiles(supermarket_url = SUPERMARKET_URL)
+      url = "#{supermarket_url}/api/v1/tools-search"
       _success, data = get(url, { q: 'compliance_profile' })
       if !data.nil?
         profiles = JSON.parse(data)
         profiles['items'].map { |x|
-          m = %r{^#{Supermarket::API.supermarket_url}/api/v1/tools/(?<slug>[\w-]+)(/)?$}.match(x['tool'])
+          m = %r{^#{supermarket_url}/api/v1/tools/(?<slug>[\w-]+)(/)?$}.match(x['tool'])
           x['slug'] = m[:slug]
           x
         }
@@ -37,10 +33,10 @@ module Supermarket
     end
 
     # displays profile infos
-    def self.info(profile)
+    def self.info(profile, supermarket_url = SUPERMARKET_URL)
       _tool_owner, tool_name = profile_name("supermarket://#{profile}")
       return if tool_name.nil? || tool_name.empty?
-      url = "#{SUPERMARKET_URL}/api/v1/tools/#{tool_name}"
+      url = "#{supermarket_url}/api/v1/tools/#{tool_name}"
       _success, data = get(url, {})
       JSON.parse(data) if !data.nil?
     rescue JSON::ParserError
@@ -48,24 +44,24 @@ module Supermarket
     end
 
     # compares a profile with the supermarket tool info
-    def self.same?(profile, supermarket_tool)
+    def self.same?(profile, supermarket_tool, supermarket_url = SUPERMARKET_URL)
       tool_owner, tool_name = profile_name(profile)
-      tool = "#{SUPERMARKET_URL}/api/v1/tools/#{tool_name}"
+      tool = "#{supermarket_url}/api/v1/tools/#{tool_name}"
       supermarket_tool['tool_owner'] == tool_owner && supermarket_tool['tool'] == tool
     end
 
-    def self.find(profile)
-      profiles = Supermarket::API.profiles
+    def self.find(profile, supermarket_url)
+      profiles = Supermarket::API.profiles(supermarket_url=SUPERMARKET_URL)
       if !profiles.empty?
-        index = profiles.index { |t| same?(profile, t) }
+        index = profiles.index { |t| same?(profile, t, supermarket_url) }
         # return profile or nil
         profiles[index] if !index.nil? && index >= 0
       end
     end
 
     # verifies that a profile exists
-    def self.exist?(profile)
-      !find(profile).nil?
+    def self.exist?(profile, supermarket_url = SUPERMARKET_URL)
+      !find(profile, supermarket_url).nil?
     end
 
     def self.get(url, params)

data/lib/bundles/inspec-supermarket/target.rb

@@ -8,16 +8,21 @@ require 'fetchers/url'
 
 # InSpec Target Helper for Supermarket
 module Supermarket
-  class Fetcher < Fetchers::Url
+  class Fetcher < Inspec.fetcher(1)
     name 'supermarket'
     priority 500
 
     def self.resolve(target, opts = {})
-      return nil unless target.is_a?(String)
-      return nil unless URI(target).scheme == 'supermarket'
-      return nil unless Supermarket::API.exist?(target)
-      tool_info = Supermarket::API.find(target)
-      super(tool_info['tool_source_url'], opts)
+      supermarket_uri, supermarket_server = if target.is_a?(String) && URI(target).scheme == 'supermarket'
+                                              [target, Supermarket::API::SUPERMARKET_URL]
+                                            elsif target.respond_to?(:key?) && target.key?(:supermarket)
+                                              supermarket_server = target[:supermarket_url] || Supermarket::API::SUPERMARKET_URL
+                                              ["supermarket://#{target[:supermarket]}", supermarket_server]
+                                            end
+      return nil unless supermarket_uri
+      return nil unless Supermarket::API.exist?(supermarket_uri, supermarket_server)
+      tool_info = Supermarket::API.find(supermarket_uri, supermarket_server)
+      resolve_next(tool_info['tool_source_url'], opts)
     rescue URI::Error
       nil
     end

data/lib/fetchers/git.rb

@@ -0,0 +1,162 @@
+# encoding: utf-8
+require 'tmpdir'
+require 'fileutils'
+require 'mixlib/shellout'
+require 'inspec/log'
+
+module Fetchers
+  #
+  # The git fetcher uses the git binary to fetch remote git sources.
+  # Git-based sources should be specified with the `git:` key in the
+  # source hash. Additionally, we accept `:branch`, `:ref`, and `:tag`
+  # keys to allow users to pin to a particular revision.
+  #
+  # Parts of this class are derived from:
+  #
+  #  https://github.com/chef/omnibus/blob/master/lib/omnibus/fetchers/git_fetcher.rb
+  #
+  # which is Copyright 2012-2014 Chef Software, Inc. and offered under
+  # the same Apache 2 software license as inspec.
+  #
+  # Many thanks to the omnibus authors!
+  #
+  # Note that we haven't replicated all of omnibus' features here.  If
+  # you got to this file during debugging, you may want to look at the
+  # omnibus source for hints.
+  #
+  class Git < Inspec.fetcher(1)
+    name 'git'
+    priority 200
+
+    def self.resolve(target, opts = {})
+      if target.respond_to?(:has_key?) &&target.key?(:git)
+        new(target[:git], opts.merge(target))
+      end
+    end
+
+    def initialize(remote_url, opts = {})
+      @branch = opts[:branch]
+      @tag = opts[:tag]
+      @ref = opts[:ref]
+      @remote_url = remote_url
+      @repo_directory = nil
+    end
+
+    def fetch(dir)
+      @repo_directory = dir
+      if cloned?
+        checkout
+      else
+        Dir.mktmpdir do |tmpdir|
+          checkout(tmpdir)
+          Inspec::Log.debug("Checkout of #{resolved_ref} successful. Moving checkout to #{dir}")
+          FileUtils.cp_r(tmpdir, @repo_directory)
+        end
+      end
+      @repo_directory
+    end
+
+    def archive_path
+      @repo_directory
+    end
+
+    def resolved_source
+      { git: @remote_url, ref: resolved_ref }
+    end
+
+    private
+
+    def resolved_ref
+      @resolved_ref ||= if @ref
+                          @ref
+                        elsif @branch
+                          resolve_ref(@branch)
+                        elsif @tag
+                          resolve_ref(@tag)
+                        else
+                          resolve_ref('master')
+                        end
+    end
+
+    def resolve_ref(ref_name)
+      cmd = shellout("git ls-remote \"#{@remote_url}\" \"#{ref_name}*\"")
+      ref = parse_ls_remote(cmd.stdout, ref_name)
+      if !ref
+        fail "Unable to resolve #{ref_name} to a specific git commit for #{@remote_url}"
+      end
+      ref
+    end
+
+    #
+    # The following comment is a minor modification of the comment in
+    # the omnibus source for a similar function:
+    #
+    # Dereference annotated tags.
+    #
+    # The +remote_list+ parameter is assumed to look like this:
+    #
+    #   a2ed66c01f42514bcab77fd628149eccb4ecee28        refs/tags/rel-0.11.0
+    #   f915286abdbc1907878376cce9222ac0b08b12b8        refs/tags/rel-0.11.0^{}
+    #
+    # The SHA with ^{} is the commit pointed to by an annotated
+    # tag. If ref isn't an annotated tag, there will not be a line
+    # with trailing ^{}.
+    #
+    # @param [String] output
+    #   output from `git ls-remote origin` command
+    # @param [String] ref_name
+    #   the target git ref_name
+    #
+    # @return [String]
+    #
+    def parse_ls_remote(output, ref_name)
+      pairs = output.lines.map { |l| l.chomp.split("\t") }
+      tagged_commit = pairs.find { |m| m[1].end_with?("#{ref_name}^{}") }
+      if tagged_commit
+        tagged_commit.first
+      else
+        found = pairs.find { |m| m[1].end_with?(ref_name.to_s) }
+        if found
+          found.first
+        end
+      end
+    end
+
+    def cloned?
+      File.directory?(File.join(@repo_directory, '.git'))
+    end
+
+    def clone(dir = @repo_directory)
+      git_cmd("clone #{@remote_url} ./", dir) unless cloned?
+      @repo_directory
+    end
+
+    def checkout(dir = @repo_directory)
+      clone(dir)
+      git_cmd("checkout #{resolved_ref}", dir)
+      @repo_directory
+    end
+
+    def git_cmd(cmd, dir = @repo_directory)
+      cmd = shellout("git #{cmd}", cwd: dir)
+      cmd.error!
+      cmd.status
+    rescue Errno::ENOENT
+      raise 'To use git sources, you must have git installed.'
+    end
+
+    def shellout(cmd, opts = {})
+      Inspec::Log.debug("Running external command: #{cmd} (#{opts})")
+      cmd = Mixlib::ShellOut.new(cmd, opts)
+      cmd.run_command
+      Inspec::Log.debug("External command: completed with exit status: #{cmd.exitstatus}")
+      Inspec::Log.debug('External command: STDOUT BEGIN')
+      Inspec::Log.debug(cmd.stdout)
+      Inspec::Log.debug('External command: STDOUT END')
+      Inspec::Log.debug('External command: STDERR BEGIN')
+      Inspec::Log.debug(cmd.stderr)
+      Inspec::Log.debug('External command: STDERR END')
+      cmd
+    end
+  end
+end

data/lib/fetchers/local.rb

@@ -7,11 +7,29 @@ module Fetchers
     name 'local'
     priority 0
 
-    attr_reader :files
-
     def self.resolve(target)
-      return nil unless target.is_a?(String)
+      local_path = if target.is_a?(String)
+                     resolve_from_string(target)
+                   elsif target.is_a?(Hash)
+                     resolve_from_hash(target)
+                   end
+
+      if local_path
+        new(local_path)
+      end
+    end
+
+    def self.resolve_from_hash(target)
+      if target.key?(:path)
+        local_path = target[:path]
+        if target.key?(:cwd)
+          local_path = File.expand_path(local_path, target[:cwd])
+        end
+        local_path
+      end
+    end
 
+    def self.resolve_from_string(target)
       # Support "urls" in the form of file://
       if target.start_with?('file://')
         target = target.gsub(%r{^file://}, '')
@@ -20,26 +38,25 @@ module Fetchers
         target = target.tr('\\', '/')
       end
 
-      if !File.exist?(target)
-        nil
-      else
-        new(target)
+      if File.exist?(target)
+        target
       end
     end
 
     def initialize(target)
       @target = target
-      if File.file?(target)
-        @files = [target]
-      else
-        @files = Dir[File.join(target, '**', '*')]
-      end
     end
 
-    def read(file)
-      return nil unless files.include?(file)
-      return nil unless File.file?(file)
-      File.read(file)
+    def fetch(_path)
+      archive_path
+    end
+
+    def archive_path
+      @target
+    end
+
+    def resolved_source
+      { path: @target }
     end
   end
 end

data/lib/fetchers/mock.rb

@@ -16,12 +16,16 @@ module Fetchers
       @data = data
     end
 
-    def files
-      @data.keys
+    def fetch(_path)
+      archive_path
     end
 
-    def read(file)
-      @data[file]
+    def archive_path
+      { mock: @data }
+    end
+
+    def resolved_source
+      { mock_fetcher: true }
     end
   end
 end