inspec 1.0.0.beta3 → 1.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 75fea2e790e0dcea3951df73e3ad7976a5e8e659
-  data.tar.gz: b7bd822fd9b85f6da803b2078481089cb9801b83
+  metadata.gz: 6c1825c5508e4853cf4bc1446a5b2bd679d9d1be
+  data.tar.gz: 6ffbe626a987b38ea03561d8bd18681803d89aaf
 SHA512:
-  metadata.gz: 705b7694c8d6dbecea6646f6f71c691774ae5946106e9381f47fdfb276848e7e0b1ca1c80e7c3db5ee3dbf6b8958ed0a1fa94b6f75d5abea19ac555bfc44f095
-  data.tar.gz: fd38cbdb8d6f3d9063283a9c9f774e7d0f412e5bc1d697dc9cbeeed29dd911b239470b18d273d691fe7ddf53c3699359895cdb8a0b354f6a6f38205ae890d738
+  metadata.gz: 4bb3e9f9c6295dcb29e500b134e5b264ac239f8270cb695dd6c28aeefa7fc9b65604e93b9c144f2754536988a8c1220dc31df12add23729fcaea9eabecbd6b11
+  data.tar.gz: 5916f874af8a593d5b08e7456bacf42b5ed7c6dadf73b243c4e0d6d675af470f7aa2928abb603da4a32d97c76ded9e1354e6ab05eac61ffd85d4d0030e7fe60f

data/CHANGELOG.md

@@ -1,7 +1,39 @@
 # Change Log
 
-## [1.0.0.beta3](https://github.com/chef/inspec/tree/1.0.0.beta3) (2016-09-25)
-[Full Changelog](https://github.com/chef/inspec/compare/v1.0.0.beta2...1.0.0.beta3)
+## [1.0.0](https://github.com/chef/inspec/tree/1.0.0) (2016-09-26)
+[Full Changelog](https://github.com/chef/inspec/compare/v1.0.0.beta3...1.0.0)
+
+**Implemented enhancements:**
+
+- InSpec OS package [\#646](https://github.com/chef/inspec/issues/646)
+- replace wmi win32\_useraccount with adsi users [\#1149](https://github.com/chef/inspec/pull/1149) ([chris-rock](https://github.com/chris-rock))
+
+**Fixed bugs:**
+
+- README.md has broken link to non-existent file [\#1136](https://github.com/chef/inspec/issues/1136)
+
+**Merged pull requests:**
+
+- update omnibus images [\#1164](https://github.com/chef/inspec/pull/1164) ([chris-rock](https://github.com/chris-rock))
+- website / tutorial interaction [\#1163](https://github.com/chef/inspec/pull/1163) ([chris-rock](https://github.com/chris-rock))
+- fix buttons on community page [\#1162](https://github.com/chef/inspec/pull/1162) ([arlimus](https://github.com/arlimus))
+- fix alignment of community buttons [\#1161](https://github.com/chef/inspec/pull/1161) ([arlimus](https://github.com/arlimus))
+- Fix require\_controls DSL method [\#1160](https://github.com/chef/inspec/pull/1160) ([stevendanna](https://github.com/stevendanna))
+- Document the require\_resource function [\#1158](https://github.com/chef/inspec/pull/1158) ([stevendanna](https://github.com/stevendanna))
+- fix css in docs search [\#1157](https://github.com/chef/inspec/pull/1157) ([arlimus](https://github.com/arlimus))
+- update www readme for releasing the site [\#1156](https://github.com/chef/inspec/pull/1156) ([arlimus](https://github.com/arlimus))
+- Fix minor typo in sys\_info documentation [\#1155](https://github.com/chef/inspec/pull/1155) ([stevendanna](https://github.com/stevendanna))
+- fix outdated link in readme [\#1154](https://github.com/chef/inspec/pull/1154) ([arlimus](https://github.com/arlimus))
+- fix minor website bugs [\#1153](https://github.com/chef/inspec/pull/1153) ([arlimus](https://github.com/arlimus))
+- clean www before releasing [\#1152](https://github.com/chef/inspec/pull/1152) ([arlimus](https://github.com/arlimus))
+- add docs to the website [\#1151](https://github.com/chef/inspec/pull/1151) ([arlimus](https://github.com/arlimus))
+- return empty array for known privileges [\#1150](https://github.com/chef/inspec/pull/1150) ([chris-rock](https://github.com/chris-rock))
+- Extend example for parse\_config.rb [\#1148](https://github.com/chef/inspec/pull/1148) ([nvtkaszpir](https://github.com/nvtkaszpir))
+- Bump lockfile version to 1.0 [\#1141](https://github.com/chef/inspec/pull/1141) ([stevendanna](https://github.com/stevendanna))
+- Improve error messages from compliance fetcher [\#1126](https://github.com/chef/inspec/pull/1126) ([stevendanna](https://github.com/stevendanna))
+
+## [v1.0.0.beta3](https://github.com/chef/inspec/tree/v1.0.0.beta3) (2016-09-25)
+[Full Changelog](https://github.com/chef/inspec/compare/v1.0.0.beta2...v1.0.0.beta3)
 
 **Implemented enhancements:**
 

data/README.md

@@ -18,7 +18,7 @@ describe inetd_conf do
 end
 ```
 
-InSpec makes it easy to run your tests wherever you need. More options listed here: https://github.com/chef/inspec/blob/master/docs/cli.rst
+InSpec makes it easy to run your tests wherever you need. More options are found in our [CLI docs](http://inspec.io/docs/reference/cli/).
 
 ```bash
 # run test locally

data/docs/inspec_and_friends.md

@@ -4,6 +4,9 @@ title: InSpec and friends
 
 # InSpec and friends
 
+This page looks at projects that are similar to InSpec to explain how they
+relate to each other.
+
 ## RSpec
 
 RSpec is an awesome framework that is widely used to test Ruby code. It
@@ -37,7 +40,7 @@ control "sshd-11" do
 end
 ```
 
-## Serverspec
+## Serverspec
 
 Serverspec can be credited as the first extension of RSpec that enabled
 users to run RSpec tests on servers to verify deployed artifacts. It was

data/docs/profiles.md

@@ -242,6 +242,20 @@ For example, to require that controls `cis-fs-2.1` and `cis-fs-2.2` be loaded fr
 
     end
 
+
+## require_resource
+
+By default, all of the resources from a listed dependency are available
+for use in your profile. If two of your dependencies provide a resource with
+the same name, you can use the `require_resource` DSL function to
+disambiguate the two:
+
+    require_resource(profile: 'my_dep', resource: 'my_res',
+                     as: 'my_res2')
+
+This will allow you to reference the resource `my_res` from the
+profile `my_dep` using the name `my_res2`.
+
 # Profile Attributes
 
 Attributes may be used in profiles to define secrets, such as user names and passwords, that should not otherwise be stored in plain-text in a cookbook. First specify a variable in the control for each secret, then add the secret to a Yaml file located on the local machine, and then run `inspec exec` and specify the path to that Yaml file using the `--attrs` attribute.

data/lib/bundles/inspec-compliance/target.rb

@@ -4,6 +4,7 @@
 
 require 'uri'
 require 'inspec/fetcher'
+require 'inspec/errors'
 
 # InSpec Target Helper for Chef Compliance
 # reuses UrlHelper, but it knows the target server and the access token already
@@ -24,11 +25,23 @@ module Compliance
 
       # check if we have a compliance token
       config = Compliance::Configuration.new
-      return nil if config['token'].nil?
+      if config['token'].nil?
+        fail Inspec::FetcherFailure, <<EOF
+
+Cannot fetch #{uri} because your compliance token has not been
+configured.
+
+Please login using
+
+    inspec compliance login https://your_compliance_server --user admin --insecure --token 'PASTE TOKEN HERE'
+EOF
+      end
 
       # verifies that the target e.g base/ssh exists
       profile = uri.host + uri.path
-      Compliance::API.exist?(config, profile)
+      if !Compliance::API.exist?(config, profile)
+        fail Inpsec::FetcherFailure, "The compliance profile #{profile} was not found on the configured compliance server"
+      end
       new(target_url(profile, config), config)
     rescue URI::Error => _e
       nil

data/lib/inspec/base_cli.rb

@@ -132,6 +132,16 @@ module Inspec
       Logger.const_get(l.upcase)
     end
 
+    def pretty_handle_exception(exception)
+      case exception
+      when Inspec::Error
+        $stderr.puts exception.message
+        exit(1)
+      else
+        raise exception # rubocop:disable Style/SignalException
+      end
+    end
+
     def configure_logger(o)
       #
       # TODO(ssd): This is a big gross, but this configures the

data/lib/inspec/cli.rb

@@ -48,6 +48,8 @@ class Inspec::InspecCLI < Inspec::BaseCLI # rubocop:disable Metrics/ClassLength
       fdst = File.expand_path(dst)
       File.write(fdst, JSON.dump(profile.info))
     end
+  rescue StandardError => e
+    pretty_handle_exception(e)
   end
 
   desc 'check PATH', 'verify all tests at the specified PATH'
@@ -97,6 +99,8 @@ class Inspec::InspecCLI < Inspec::BaseCLI # rubocop:disable Metrics/ClassLength
       end
     end
     exit 1 unless result[:summary][:valid]
+  rescue StandardError => e
+    pretty_handle_exception(e)
   end
 
   desc 'vendor', 'Download all dependencies and generate a lockfile'
@@ -105,6 +109,8 @@ class Inspec::InspecCLI < Inspec::BaseCLI # rubocop:disable Metrics/ClassLength
     profile = Inspec::Profile.for_target('./', opts.merge(cache: Inspec::Cache.new(path)))
     lockfile = profile.generate_lockfile
     File.write('inspec.lock', lockfile.to_yaml)
+  rescue StandardError => e
+    pretty_handle_exception(e)
   end
 
   desc 'archive PATH', 'archive a profile to tar.gz (default) or zip'
@@ -136,6 +142,8 @@ class Inspec::InspecCLI < Inspec::BaseCLI # rubocop:disable Metrics/ClassLength
 
     # generate archive
     exit 1 unless profile.archive(opts)
+  rescue StandardError => e
+    pretty_handle_exception(e)
   end
 
   desc 'exec PATHS', 'run all test files at the specified PATH.'
@@ -147,6 +155,8 @@ class Inspec::InspecCLI < Inspec::BaseCLI # rubocop:disable Metrics/ClassLength
 
     # run tests
     run_tests(targets, o)
+  rescue StandardError => e
+    pretty_handle_exception(e)
   end
 
   desc 'detect', 'detect the target OS'
@@ -165,6 +175,8 @@ class Inspec::InspecCLI < Inspec::BaseCLI # rubocop:disable Metrics/ClassLength
                     mark_text(res[item.to_sym]))
       }
     end
+  rescue StandardError => e
+    pretty_handle_exception(e)
   end
 
   desc 'shell', 'open an interactive debugging shell'
@@ -196,12 +208,16 @@ class Inspec::InspecCLI < Inspec::BaseCLI # rubocop:disable Metrics/ClassLength
     exit 0
   rescue RuntimeError, Train::UserError => e
     $stderr.puts e.message
+  rescue StandardError => e
+    pretty_handle_exception(e)
   end
 
   desc 'env', 'Output shell-appropriate completion configuration'
   def env(shell = nil)
     p = Inspec::EnvPrinter.new(self.class, shell)
     p.print_and_exit!
+  rescue StandardError => e
+    pretty_handle_exception(e)
   end
 
   desc 'version', 'prints the version of this tool'

data/lib/inspec/dependencies/lockfile.rb

@@ -4,8 +4,8 @@ require 'yaml'
 module Inspec
   class Lockfile
     # When we finalize this feature, we should set these to 1
-    MINIMUM_SUPPORTED_VERSION = 0
-    CURRENT_LOCKFILE_VERSION = 0
+    MINIMUM_SUPPORTED_VERSION = 1
+    CURRENT_LOCKFILE_VERSION = 1
 
     def self.from_dependency_set(dep_set)
       lockfile_content = {
@@ -32,14 +32,6 @@ lower than the minimum supported version #{MINIMUM_SUPPORTED_VERSION}.
 Please create a new lockfile for this project by running:
 
     inspec vendor
-EOF
-      elsif version == 0
-        # Remove this case once this feature stablizes
-        $stderr.puts <<EOF
-WARNING: This is a version 0 lockfile. Thank you for trying the
-experimental dependency management feature. Please be aware you may
-need to regenerate this lockfile in future versions as the feature is
-currently in development.
 EOF
       elsif version > CURRENT_LOCKFILE_VERSION
         fail <<EOF
@@ -78,8 +70,8 @@ EOF
     # different entry points of the API.
     def parse_content_hash(lockfile_content_hash)
       case version
-      when 0
-        parse_content_hash_0(lockfile_content_hash)
+      when 1
+        parse_content_hash_1(lockfile_content_hash)
       else
         # If we've gotten here, there is likely a mistake in the
         # lockfile version validation in the constructor.
@@ -87,7 +79,7 @@ EOF
       end
     end
 
-    def parse_content_hash_0(lockfile_content_hash)
+    def parse_content_hash_1(lockfile_content_hash)
       @deps = if lockfile_content_hash['depends']
                 lockfile_content_hash['depends'].map { |i| symbolize_keys(i) }
               end

data/lib/inspec/dsl.rb

@@ -53,12 +53,15 @@ EOF
   end
 
   def self.filter_included_controls(context, profile, &block)
-    include_ctx = profile.runner_context
+    mock = Inspec::Backend.create({ backend: 'mock' })
+    include_ctx = Inspec::ProfileContext.for_profile(profile, mock, {})
     include_ctx.load(block) if block_given?
     # remove all rules that were not registered
-    context.rules.keys.each do |id|
-      unless include_ctx.rules[id]
-        context.rules[id] = nil
+    context.all_rules.each do |r|
+      id = Inspec::Rule.rule_id(r)
+      fid = Inspec::Rule.profile_id(r) + '/' + id
+      unless include_ctx.rules[id] || include_ctx.rules[fid]
+        context.remove_rule(fid)
       end
     end
   end

data/lib/inspec/errors.rb

@@ -9,4 +9,5 @@ module Inspec
   class CyclicDependencyError < Error; end
   class UnsatisfiedVersionSpecification < Error; end
   class DuplicateDep < Error; end
+  class FetcherFailure < Error; end
 end

data/lib/inspec/profile.rb

@@ -388,6 +388,7 @@ module Inspec
       params[:groups] = groups = {}
       prefix = @source_reader.target.prefix || ''
       tests.each do |rule|
+        next if rule.nil?
         f = load_rule_filepath(prefix, rule)
         load_rule(rule, f, controls, groups)
       end

data/lib/inspec/profile_context.rb

@@ -67,6 +67,13 @@ module Inspec
       @conf['profile'].supports_os?
     end
 
+    def remove_rule(id)
+      @rules[id] = nil if @rules.key?(id)
+      @control_subcontexts.each do |c|
+        c.remove_rule(id)
+      end
+    end
+
     def all_controls
       ret = @rules.values
       ret += @control_subcontexts.map(&:all_rules).flatten

data/lib/inspec/runner.rb

@@ -86,7 +86,7 @@ module Inspec
       end
 
       all_controls.each do |rule|
-        register_rule(rule)
+        register_rule(rule) unless rule.nil?
       end
     end
 

data/lib/inspec/version.rb

@@ -4,5 +4,5 @@
 # author: Christoph Hartmann
 
 module Inspec
-  VERSION = '1.0.0.beta3'.freeze
+  VERSION = '1.0.0'.freeze
 end

data/lib/resources/parse_config.rb

@@ -19,10 +19,27 @@ module Inspec::Resources
     desc 'Use the parse_config InSpec audit resource to test arbitrary configuration files.'
     example "
       output = command('some-command').stdout
-
       describe parse_config(output, { data_config_option: value } ) do
         its('setting') { should eq 1 }
       end
+
+      output2 = command('curl http://127.0.0.1/php_status').stdout
+      # php status is in format 'key : value', and we do not allow for multiple values
+      options2 = {
+        assignment_re: /^\s*([^:]*?)\s*:\s*(.*?)\s*$/,
+        multiple_values: false
+      }
+
+      describe parse_config(output2, options2) do
+        its('pool') { should eq 'www'}
+        its('process manager') { should eq process_manager }
+      end
+
+      # getting specific key from the output above, convert it to integer and then compare
+      # make sure 'listen queue' is below 100
+      describe parse_config(output2, options2 ).params['listen queue'].to_i do
+        it { should be < 100 }
+      end
     "
 
     attr_reader :content

data/lib/resources/security_policy.rb

@@ -16,6 +16,57 @@
 require 'hashie'
 
 module Inspec::Resources
+  # known and supported MS privilege rights
+  # @see https://technet.microsoft.com/en-us/library/dd277311.aspx
+  # @see https://msdn.microsoft.com/en-us/library/windows/desktop/bb530716(v=vs.85).aspx
+  MS_PRIVILEGES_RIGHTS = [
+    'SeNetworkLogonRight',
+    'SeBackupPrivilege',
+    'SeChangeNotifyPrivilege',
+    'SeSystemtimePrivilege',
+    'SeCreatePagefilePrivilege',
+    'SeDebugPrivilege',
+    'SeRemoteShutdownPrivilege',
+    'SeAuditPrivilege',
+    'SeIncreaseQuotaPrivilege',
+    'SeIncreaseBasePriorityPrivilege',
+    'SeLoadDriverPrivilege',
+    'SeBatchLogonRight',
+    'SeServiceLogonRight',
+    'SeInteractiveLogonRight',
+    'SeSecurityPrivilege',
+    'SeSystemEnvironmentPrivilege',
+    'SeProfileSingleProcessPrivilege',
+    'SeSystemProfilePrivilege',
+    'SeAssignPrimaryTokenPrivilege',
+    'SeRestorePrivilege',
+    'SeShutdownPrivilege',
+    'SeTakeOwnershipPrivilege',
+    'SeUndockPrivilege',
+    'SeManageVolumePrivilege',
+    'SeRemoteInteractiveLogonRight',
+    'SeImpersonatePrivilege',
+    'SeCreateGlobalPrivilege',
+    'SeIncreaseWorking',
+    'SeTimeZonePrivilege',
+    'SeCreateSymbolicLinkPrivilege',
+    'SeDenyNetworkLogonRight', # Deny access to this computer from the network
+    'SeDenyInteractiveLogonRight', # Deny logon locally
+    'SeDenyBatchLogonRight', # Deny logon as a batch job
+    'SeDenyServiceLogonRight', # Deny logon as a service
+    'SeTcbPrivilege',
+    'SeMachineAccountPrivilege',
+    'SeCreateTokenPrivilege',
+    'SeCreatePermanentPrivilege',
+    'SeEnableDelegationPrivilege',
+    'SeLockMemoryPrivilege',
+    'SeSyncAgentPrivilege',
+    'SeUnsolicitedInputPrivilege',
+    'SeTrustedCredManAccessPrivilege',
+    'SeRelabelPrivilege', # the privilege to change a Windows integrity label (new to Windows Vista)
+    'SeDenyRemoteInteractiveLogonRight', # Deny logon through Terminal Services
+  ].freeze
+
   class SecurityPolicy < Inspec.resource(1)
     name 'security_policy'
     desc 'Use the security_policy InSpec audit resource to test security policies on the Microsoft Windows platform.'
@@ -42,6 +93,9 @@ module Inspec::Resources
       # deep search for hash key
       params.extend Hashie::Extensions::DeepFind
       res = params.deep_find(name.to_s)
+
+      # return an empty array if configuration does not include rights configuration
+      return [] if res.nil? && MS_PRIVILEGES_RIGHTS.include?(name.to_s)
       res
     end
 

data/lib/resources/sys_info.rb

@@ -6,7 +6,7 @@ module Inspec::Resources
 
     desc 'Use the user InSpec system resource to test for operating system properties.'
     example "
-      describe sysinfo do
+      describe sys_info do
         its('hostname') { should eq 'example.com' }
       end
     "

data/lib/resources/users.rb

@@ -547,21 +547,12 @@ module Inspec::Resources
     end
   end
 
-  # For now, we stick with WMI Win32_UserAccount
+  # This optimization was inspired by
+  # @see https://mcpmag.com/articles/2015/04/15/reporting-on-local-accounts.aspx
+  # Alternative solutions are WMI Win32_UserAccount
   # @see https://msdn.microsoft.com/en-us/library/aa394507(v=vs.85).aspx
   # @see https://msdn.microsoft.com/en-us/library/aa394153(v=vs.85).aspx
-  #
-  # using Get-AdUser would be the best command for domain machines, but it will not be installed
-  # on client machines by default
-  # @see https://technet.microsoft.com/en-us/library/ee617241.aspx
-  # @see https://technet.microsoft.com/en-us/library/hh509016(v=WS.10).aspx
-  # @see http://woshub.com/get-aduser-getting-active-directory-users-data-via-powershell/
-  # @see http://stackoverflow.com/questions/17548523/the-term-get-aduser-is-not-recognized-as-the-name-of-a-cmdlet
-  #
-  # Just for reference, we could also use ADSI (Active Directory Service Interfaces)
-  # @see https://mcpmag.com/articles/2015/04/15/reporting-on-local-accounts.aspx
   class WindowsUser < UserInfo
-    # parse windows account name
     def parse_windows_account(username)
       account = username.split('\\')
       name = account.pop
@@ -570,67 +561,92 @@ module Inspec::Resources
     end
 
     def identity(username)
-      # extract domain/user information
-      account, domain = parse_windows_account(username)
-
-      # TODO: escape content
-      if !domain.nil?
-        filter = "Name = '#{account}' and Domain = '#{domain}'"
-      else
-        filter = "Name = '#{account}' and LocalAccount = true"
-      end
+      # TODO: we look for local users only at this point
+      name, _domain = parse_windows_account(username)
+      return if collect_user_details.nil?
+      res = collect_user_details.select { |user| user[:username] == name }
+      res[0] if res.length > 0
+    end
 
+    def list_users
+      collect_user_details.map { |user| user[:username] }
+    end
+
+    # https://msdn.microsoft.com/en-us/library/aa746340(v=vs.85).aspx
+    def collect_user_details # rubocop:disable Metrics/MethodLength
+      return @users_cache if defined?(@users_cache)
       script = <<-EOH
-        # find user
-        $user = Get-WmiObject Win32_UserAccount -filter "#{filter}"
-        # get related groups
-        $groups = $user.GetRelated('Win32_Group') | Select-Object -Property Caption, Domain, Name, LocalAccount, SID, SIDType, Status
-        # filter user information
-        $user = $user | Select-Object -Property Caption, Description, Domain, Name, LocalAccount, Lockout, PasswordChangeable, PasswordExpires, PasswordRequired, SID, SIDType, Status, Disabled
-        # build response object
-        New-Object -Type PSObject | `
-        Add-Member -MemberType NoteProperty -Name User -Value ($user) -PassThru | `
-        Add-Member -MemberType NoteProperty -Name Groups -Value ($groups) -PassThru | `
-        ConvertTo-Json
+Function  ConvertTo-SID { Param([byte[]]$BinarySID)
+  (New-Object  System.Security.Principal.SecurityIdentifier($BinarySID,0)).Value
+}
+
+Function  Convert-UserFlag { Param  ($UserFlag)
+  $List  = @()
+  Switch  ($UserFlag) {
+    ($UserFlag  -BOR 0x0001)  { $List += 'SCRIPT' }
+    ($UserFlag  -BOR 0x0002)  { $List += 'ACCOUNTDISABLE' }
+    ($UserFlag  -BOR 0x0008)  { $List += 'HOMEDIR_REQUIRED' }
+    ($UserFlag  -BOR 0x0010)  { $List += 'LOCKOUT' }
+    ($UserFlag  -BOR 0x0020)  { $List += 'PASSWD_NOTREQD' }
+    ($UserFlag  -BOR 0x0040)  { $List += 'PASSWD_CANT_CHANGE' }
+    ($UserFlag  -BOR 0x0080)  { $List += 'ENCRYPTED_TEXT_PWD_ALLOWED' }
+    ($UserFlag  -BOR 0x0100)  { $List += 'TEMP_DUPLICATE_ACCOUNT' }
+    ($UserFlag  -BOR 0x0200)  { $List += 'NORMAL_ACCOUNT' }
+    ($UserFlag  -BOR 0x0800)  { $List += 'INTERDOMAIN_TRUST_ACCOUNT' }
+    ($UserFlag  -BOR 0x1000)  { $List += 'WORKSTATION_TRUST_ACCOUNT' }
+    ($UserFlag  -BOR 0x2000)  { $List += 'SERVER_TRUST_ACCOUNT' }
+    ($UserFlag  -BOR 0x10000)  { $List += 'DONT_EXPIRE_PASSWORD' }
+    ($UserFlag  -BOR 0x20000)  { $List += 'MNS_LOGON_ACCOUNT' }
+    ($UserFlag  -BOR 0x40000)  { $List += 'SMARTCARD_REQUIRED' }
+    ($UserFlag  -BOR 0x80000)  { $List += 'TRUSTED_FOR_DELEGATION' }
+    ($UserFlag  -BOR 0x100000)  { $List += 'NOT_DELEGATED' }
+    ($UserFlag  -BOR 0x200000)  { $List += 'USE_DES_KEY_ONLY' }
+    ($UserFlag  -BOR 0x400000)  { $List += 'DONT_REQ_PREAUTH' }
+    ($UserFlag  -BOR 0x800000)  { $List += 'PASSWORD_EXPIRED' }
+    ($UserFlag  -BOR 0x1000000)  { $List += 'TRUSTED_TO_AUTH_FOR_DELEGATION' }
+    ($UserFlag  -BOR 0x04000000)  { $List += 'PARTIAL_SECRETS_ACCOUNT' }
+  }
+  $List
+}
+
+$Computername =  $Env:Computername
+$adsi  = [ADSI]"WinNT://$Computername"
+$adsi.Children | where {$_.SchemaClassName -eq  'user'} |  ForEach {
+  New-Object PSObject -property @{
+    uid = ConvertTo-SID -BinarySID $_.ObjectSID[0]
+    username = $_.Name[0]
+    description = $_.Description[0]
+    disabled = $_.AccountDisabled[0]
+    userflags = Convert-UserFlag  -UserFlag $_.UserFlags[0]
+    passwordage = [math]::Round($_.PasswordAge[0]/86400)
+    minpasswordlength = $_.MinPasswordLength[0]
+    mindays = [math]::Round($_.MinPasswordAge[0]/86400)
+    maxdays = [math]::Round($_.MaxPasswordAge[0]/86400)
+    warndays = $null
+    badpasswordattempts = $_.BadPasswordAttempts[0]
+    maxbadpasswords = $_.MaxBadPasswordsAllowed[0]
+    gid = $null
+    group = $null
+    groups = $null
+    home = $_.HomeDirectory[0]
+    shell = $null
+    domain = $Computername
+  }
+} | ConvertTo-Json
       EOH
-
       cmd = inspec.powershell(script)
-
       # cannot rely on exit code for now, successful command returns exit code 1
       # return nil if cmd.exit_status != 0, try to parse json
       begin
-        params = JSON.parse(cmd.stdout)
+        users = JSON.parse(cmd.stdout)
       rescue JSON::ParserError => _e
         return nil
       end
 
-      user_hash = params['User'] || {}
-      group_hashes = params['Groups'] || []
-      # if groups is no array, generate one
-      group_hashes = [group_hashes] unless group_hashes.is_a?(Array)
-      group_names = group_hashes.map { |grp| grp['Caption'] }
-      {
-        uid: user_hash['SID'],
-        username: user_hash['Caption'],
-        gid: nil,
-        group: nil,
-        groups: group_names,
-        disabled: user_hash['Disabled'],
-      }
-    end
-
-    # not implemented yet
-    def meta_info(_username)
-      {
-        home: nil,
-        shell: nil,
-      }
-    end
-
-    def list_users
-      script = 'Get-WmiObject Win32_UserAccount | Select-Object -ExpandProperty Caption'
-      cmd = inspec.powershell(script)
-      cmd.stdout.chomp.lines
+      # ensure we have an array of groups
+      users = [users] if !users.is_a?(Array)
+      # convert keys to symbols
+      @users_cache = users.map { |user| user.each_with_object({}) { |(k, v), h| h[k.to_sym] = v } }
     end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec
 version: !ruby/object:Gem::Version
-  version: 1.0.0.beta3
+  version: 1.0.0
 platform: ruby
 authors:
 - Dominik Richter
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-09-25 00:00:00.000000000 Z
+date: 2016-09-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: train
@@ -525,9 +525,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">"
+  - - ">="
     - !ruby/object:Gem::Version
-      version: 1.3.1
+      version: '0'
 requirements: []
 rubyforge_project: 
 rubygems_version: 2.4.6
@@ -535,3 +535,4 @@ signing_key:
 specification_version: 4
 summary: Infrastructure and compliance testing.
 test_files: []
+has_rdoc: