inspec 1.20.0 → 1.21.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: a68bde2c8c3272f13f8f2953742130866e0a8384
-  data.tar.gz: ce752f86311f19345c39d1ae1a3884194700164d
+  metadata.gz: 765c8898efac5c64dbba0583086f069eea4b521b
+  data.tar.gz: 28d639d2d72be737cb57366790ac1ee572eedc5c
 SHA512:
-  metadata.gz: 4271a1f24111f22d6044ff3e0892e16ccbd32b9cdcc942afe1d10490225594f8aaff71c1a41b98fdc347d65612fcd254295a1f90c3941a73c54d4c4b029e3c72
-  data.tar.gz: 6c2e5e7c839b3e641a435570e00ee48c839f1ed9bf84220505a2eee1be2dc97719d58b851205cd9b8e52e38383b0debbe86628cfcda95507b490b49de59767d3
+  metadata.gz: a48f8574446241505bb8678bedc9069931841bee798e8d5dbeb133151e195191cacaa67bfb48441d219d498ed14752f98dea4273120138298df5530545e9b3d3
+  data.tar.gz: c3f91d119061a9695653ee94f50f8c2588b9c6eb08a262578f2caef1b75ac9bef41d290aaa2af51fe9d0e154be0e093aabae23173e1c583fadaa1714d69f7f35

data/CHANGELOG.md

@@ -1,5 +1,42 @@
 # Change Log
 
+## [v1.21.0](https://github.com/chef/inspec/tree/v1.21.0) (2017-04-24)
+[Full Changelog](https://github.com/chef/inspec/compare/v1.20.0...v1.21.0)
+
+**Implemented enhancements:**
+
+- user resource is not fetching groups for windows [\#1400](https://github.com/chef/inspec/issues/1400)
+- docker resources [\#71](https://github.com/chef/inspec/issues/71)
+
+**Fixed bugs:**
+
+- Web references in inspec shell help are wrong [\#1667](https://github.com/chef/inspec/issues/1667)
+- bugfix: solve warn on uninitialized [\#1694](https://github.com/chef/inspec/pull/1694) ([arlimus](https://github.com/arlimus))
+
+**Closed issues:**
+
+- Adding windows domain users to users resource [\#1688](https://github.com/chef/inspec/issues/1688)
+- stdout matcher has depreciation warnings [\#1685](https://github.com/chef/inspec/issues/1685)
+- profile upload with dependencies fails uploading to compliance server  [\#1670](https://github.com/chef/inspec/issues/1670)
+- Retrying Inspec Tests [\#1665](https://github.com/chef/inspec/issues/1665)
+- Add a way to retry a test if failing [\#1404](https://github.com/chef/inspec/issues/1404)
+- --sudo does not appear to elevate privileges when evaluating local systems. [\#1279](https://github.com/chef/inspec/issues/1279)
+
+**Merged pull requests:**
+
+- \[www\] Update www Gemfile.lock [\#1691](https://github.com/chef/inspec/pull/1691) ([adamleff](https://github.com/adamleff))
+- showing how to shellout in docs [\#1689](https://github.com/chef/inspec/pull/1689) ([rshade](https://github.com/rshade))
+- \[www\] Fix docs pages for x509\_certificate and key\_rsa [\#1683](https://github.com/chef/inspec/pull/1683) ([adamleff](https://github.com/adamleff))
+- fix spelling mistake in powershell resource documentation [\#1682](https://github.com/chef/inspec/pull/1682) ([Happycoil](https://github.com/Happycoil))
+- fetch user groups while building user object [\#1681](https://github.com/chef/inspec/pull/1681) ([Happycoil](https://github.com/Happycoil))
+- update sslshake to v1.2 [\#1680](https://github.com/chef/inspec/pull/1680) ([arlimus](https://github.com/arlimus))
+- Fix type-o in control code [\#1676](https://github.com/chef/inspec/pull/1676) ([hannah-radish](https://github.com/hannah-radish))
+- fix web reference url [\#1669](https://github.com/chef/inspec/pull/1669) ([chris-rock](https://github.com/chris-rock))
+- fix sshd config help [\#1668](https://github.com/chef/inspec/pull/1668) ([chris-rock](https://github.com/chris-rock))
+- ER-508 Extended http resource to support no ssl verification [\#1663](https://github.com/chef/inspec/pull/1663) ([ElizabethU](https://github.com/ElizabethU))
+- Move Habitat sleep time to config file [\#1662](https://github.com/chef/inspec/pull/1662) ([adamleff](https://github.com/adamleff))
+- Docker resource [\#1566](https://github.com/chef/inspec/pull/1566) ([chris-rock](https://github.com/chris-rock))
+
 ## [v1.20.0](https://github.com/chef/inspec/tree/v1.20.0) (2017-04-13)
 [Full Changelog](https://github.com/chef/inspec/compare/v1.19.2...v1.20.0)
 
@@ -15,6 +52,7 @@
 
 **Merged pull requests:**
 
+- Release 1.20.0 [\#1657](https://github.com/chef/inspec/pull/1657) ([adamleff](https://github.com/adamleff))
 - Habitat packages should run as root [\#1656](https://github.com/chef/inspec/pull/1656) ([adamleff](https://github.com/adamleff))
 - harmonize compliance profiles view with supermarket views [\#1654](https://github.com/chef/inspec/pull/1654) ([chris-rock](https://github.com/chris-rock))
 - \[www\] Update community page [\#1651](https://github.com/chef/inspec/pull/1651) ([adamleff](https://github.com/adamleff))
@@ -466,6 +504,7 @@
 - do not load controls from test directory [\#1327](https://github.com/chef/inspec/pull/1327) ([chris-rock](https://github.com/chris-rock))
 - Replaced Colors for output [\#1320](https://github.com/chef/inspec/pull/1320) ([hannah-radish](https://github.com/hannah-radish))
 - Hannah vj/fix tests formatting [\#1319](https://github.com/chef/inspec/pull/1319) ([hannah-radish](https://github.com/hannah-radish))
+- revert style changes temporarily [\#1317](https://github.com/chef/inspec/pull/1317) ([vjeffrey](https://github.com/vjeffrey))
 - Updated color palettes, label colors and icons [\#1313](https://github.com/chef/inspec/pull/1313) ([hannah-radish](https://github.com/hannah-radish))
 - Remove extra `'` in registry key examples [\#1308](https://github.com/chef/inspec/pull/1308) ([jerryaldrichiii](https://github.com/jerryaldrichiii))
 - also push docker latest tag with each release [\#1307](https://github.com/chef/inspec/pull/1307) ([chris-rock](https://github.com/chris-rock))
@@ -486,7 +525,6 @@
 
 **Merged pull requests:**
 
-- revert style changes temporarily [\#1317](https://github.com/chef/inspec/pull/1317) ([vjeffrey](https://github.com/vjeffrey))
 - ensure metadata release entry is a string [\#1305](https://github.com/chef/inspec/pull/1305) ([chris-rock](https://github.com/chris-rock))
 - Fixes resources in the docs [\#1303](https://github.com/chef/inspec/pull/1303) ([burtlo](https://github.com/burtlo))
 - copy vendored dependencies into cache [\#1291](https://github.com/chef/inspec/pull/1291) ([chris-rock](https://github.com/chris-rock))

data/docs/resources/docker.md.erb

@@ -0,0 +1,160 @@
+---
+title: About the docker Resource
+---
+
+# docker
+
+Use the `docker` InSpec audit resource to test configuration data for docker daemon. It is a very comprehensive resource. Please have a look at [docker_container](docker_container) and [docker_image](docker_image), too.
+
+## Syntax
+
+A `docker` resource block declares allows you to write test for many containers:
+
+    describe docker.containers do
+      its('images') { should_not include 'u12:latest' }
+    end
+
+or:
+
+    describe docker.containers.where { name == 'flamboyant_colden' } do
+      it { should be_running }
+    end
+
+where
+
+* `.where()` may specify a specific item and value, to which the matchers are compared
+* `commands`, `ids`, `images`, `labels`, `local_volumes`, `mounts`, `names`, `networks`, `ports`, `sizes`  and `'status'` are valid matchers for `containers`
+
+The `docker` resource block also declares allows you to write test for many images:
+
+    describe docker.images do
+      its('repositories') { should_not include 'inssecure_image' }
+    end
+
+or if you want to query specific images:
+
+    describe docker.images.where { repository == 'ubuntu' && tag == '12.04' } do
+      it { should_not exist }
+    end
+
+where
+
+* `.where()` may specify a specific item and value, to which the matchers are compared
+* `commands`, `ids`, `images`, `labels`, `local_volumes`, `mounts`, `names`, `networks`, `ports`, `sizes`  and `'status'` are valid matchers for `containers`
+
+
+
+## Matchers
+
+This InSpec audit resource has the following matchers:
+
+### containers
+
+`containers` returns information about containers as returned by [docker ps -a](https://docs.docker.com/engine/reference/commandline/ps/). You can determine specific information about
+
+    describe docker.containers do
+      its('ids') { should include 'sha:71b5df59...442b' }
+      its('commands') { should_not include '/bin/sh' }
+      its('images') { should_not include 'u12:latest' }
+      its('ports') { should include '0.0.0.0:1234->1234/tcp' }
+      its('labels') { should include 'License=GPLv2,Vendor=CentOS' }
+    end
+
+
+### images
+
+`images` returns information about docker image as returned by [docker images](https://docs.docker.com/engine/reference/commandline/images/). You can determine specific information about
+
+    describe docker.images do
+      its('ids') { should include 'sha:12b5df59...442b' }
+      its('repositories') { should_not include 'my_image' }
+      its('tags') { should_not include 'unwanted_tag' }
+      its('sizes') { should_not include "1.41 GB" }
+    end
+
+### version
+
+`info` returns the parsed result of [docker version](https://docs.docker.com/engine/reference/commandline/version/)
+
+    describe docker.version do
+      its('Server.Version') { should cmp >= '1.12'}
+      its('Client.Version') { should cmp >= '1.12'}
+    end
+
+
+### info
+
+`info` returns the parsed result of [docker info](https://docs.docker.com/engine/reference/commandline/info/)
+
+    describe docker.info do
+      its('Configuration.Path') { should eq 'value' }
+    end
+
+
+### object('id')
+
+`object` returns low-level information about docker objects. It is calling [docker inspect](https://docs.docker.com/engine/reference/commandline/info/) under the hood.
+
+    describe docker.object(id) do
+      its('Configuration.Path') { should eq 'value' }
+    end
+
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+### Return all running containers
+
+    docker.containers.running?.ids.each do |id|
+      describe docker.object(id) do
+        its('State.Health.Status') { should eq 'healthy' }
+      end
+    end
+
+### Verify a Docker Server and Client version
+
+    describe docker.version do
+      its('Server.Version') { should cmp >= '1.12'}
+      its('Client.Version') { should cmp >= '1.12'}
+    end
+
+### Iterate over all containers to verify host coniguration
+
+    docker.containers.ids.each do |id|
+      # call docker inspect for a specific container id
+      describe docker.object(id) do
+        its(%w(HostConfig Privileged)) { should cmp false }
+        its(%w(HostConfig Privileged)) { should_not cmp true }
+      end
+    end
+
+### Iterate over all images to verify the container was built without ADD instruction
+
+    docker.images.ids.each do |id|
+      describe command("docker history #{id}| grep 'ADD'") do
+        its('stdout') { should eq '' }
+      end
+    end
+
+### Verify that health-checks are enabled for a container
+
+    describe docker.object('71b5df59442b') do
+      its(%w(Config Healthcheck)) { should_not eq nil }
+    end
+
+### Run the DevSec docker baseline  profile
+
+There are two ways to run the `docker-baseline` profile to test Docker via the `docker` resource.
+
+Clone the profile:
+
+    $ git clone https://github.com/dev-sec/cis-docker-benchmark.git
+
+and then run:
+
+    $ inspec exec cis-docker-benchmark
+
+Or execute the profile directly via URL:
+
+    $ inspec exec https://github.com/dev-sec/cis-docker-benchmark

data/docs/resources/docker_container.md.erb

@@ -0,0 +1,89 @@
+---
+title: About the docker_container Resource
+---
+
+# docker_container
+
+Use the `docker_container` InSpec audit resource to test a docker container.
+
+## Syntax
+
+A `docker_container` resource block declares the configuration data to be tested:
+
+    describe docker_container('container') do
+      it { should exist }
+      it { should be_running }
+      its('id') { should_not eq '' }
+      its('image') { should eq 'busybox:latest' }
+      its('repo') { should eq 'busybox' }
+      its('tag') { should eq 'latest' }
+      its('ports') { should eq [] }
+      its('command') { should eq 'nc -ll -p 1234 -e /bin/cat' }
+    end
+
+The container name can also be passed with the `name` argument:
+
+    describe docker_container(name: 'an-echo-server') do
+      it { should exist }
+      it { should be_running }
+    end
+
+Alternatively, you can pass in the container id:
+
+    describe docker_container(id: '71b5df59442b') do
+      it { should exist }
+      it { should be_running }
+    end
+
+
+## Matchers
+
+This InSpec audit resource has the following matchers:
+
+### id
+
+The `id` matcher tests the container id:
+
+    its('id') { should eq 'sha:71b5df59...442b' }
+
+### repo
+
+The `repo` matcher tests the value of the image repository:
+
+    its('repo') { should eq 'busybox' }
+
+### tag
+
+The `tag` matcher tests the value of the image tag:
+
+    its('tag') { should eq 'latest' }
+
+### ports
+
+The `ports` matcher tests the value the docker ports:
+
+    its('ports') { should eq '0.0.0.0:1234->1234/tcp' }
+
+### command
+
+The `command` matcher tests the value of the container run command:
+
+    its('command') { should eq 'nc -ll -p 1234 -e /bin/cat' }
+
+
+## Examples
+
+The following examples show how to use this InSpec resource.
+
+### Verify an running container:
+
+    describe docker_container('an-echo-server') do
+      it { should exist }
+      it { should be_running }
+      its('id') { should_not eq '' }
+      its('image') { should eq 'busybox:latest' }
+      its('repo') { should eq 'busybox' }
+      its('tag') { should eq 'latest' }
+      its('ports') { should eq [] }
+      its('command') { should eq 'nc -ll -p 1234 -e /bin/cat' }
+    end

data/docs/resources/docker_image.md.erb

@@ -0,0 +1,86 @@
+---
+title: About the docker_image Resource
+---
+
+# docker_image
+
+Use the `docker_image` InSpec audit resource to verify a docker image.
+
+## Syntax
+
+A `docker_image` resource block declares the image:
+
+    describe docker_image('alpine:latest') do
+      it { should exist }
+      its('id') { should eq 'sha256:4a415e...a526' }
+      its('repo') { should eq 'alpine' }
+      its('tag') { should eq 'latest' }
+    end
+
+The resource allows you to pass in an image id:
+
+    describe docker_image(id: alpine_id) do
+      ...
+    end
+
+If the tag is missing for an image, `latest` is assumed as default:
+
+    describe docker_image('alpine') do
+      ...
+    end
+
+You can also pass in repository and tag as separate values
+
+    describe docker_image(repo: 'alpine', tag: 'latest') do
+      ...
+    end
+
+
+## Matchers
+
+This InSpec audit resource has the following matchers:
+
+### exist
+
+The `exist` matcher tests if the image is available on the node:
+
+    it { should exist }
+
+### id
+
+The `id` matcher returns the full image id:
+
+    its('id') { should eq 'sha256:4a415e3663882fbc554ee830889c68a33b3585503892cc718a4698e91ef2a526' }
+
+### image
+
+The `image` matcher tests the value of the image. It is a combination of `repository/tag`:
+
+    its('image') { should eq 'alpine:latest' }
+
+### repo
+
+The `repo` matcher tests the value of the repository name:
+
+    its('repo') { should eq 'alpine' }
+
+### tag
+
+The `tag` matcher tests the value of image tag:
+
+    its('tag') { should eq 'latest' }
+
+
+## Examples
+
+The following examples show how to use this InSpec `docker_image` resource.
+
+### Test a docker image
+
+    describe docker_image('alpine:latest') do
+      it { should exist }
+      its('id') { should eq 'sha256:4a415e...a526' }
+      its('image') { should eq 'alpine:latest' }
+      its('repo') { should eq 'alpine' }
+      its('tag') { should eq 'latest' }
+    end

data/docs/ruby_usage.md

@@ -152,3 +152,53 @@ describe command('ls -al /') do
   its('exit_status') { should eq 0 }
 end
 ```
+
+## Shelling out in tests
+
+When writing tests you can not use standard ruby methods to shellout as it tries to execute those commands locally.
+However, the `command` resource has a `.stdout` method that will allow you to manipulate the results.
+Using the above example, you could check the writes on several subdirectories.
+
+### Example 1:
+```ruby
+$ inspec shell
+Welcome to the interactive InSpec Shell
+To find out how to use it, type: help
+
+inspec> output=command('echo test').stdout
+=> "test\n"
+inspec> describe command('echo test') do
+inspec>   its('stdout') { should eq output }
+inspec> end
+
+Profile: inspec-shell
+Version: (not specified)
+
+  Command echo
+     ✔  test stdout should eq "test\n"
+
+Test Summary: 1 successful, 0 failures, 0 skipped
+```
+
+### Example 2:
+```ruby
+$ inspec shell
+Welcome to the interactive InSpec Shell
+To find out how to use it, type: help
+
+inspec> dirs = command('ls -d /home/gordon/git/inspec/docs').stdout.split("\n")
+=> ["/home/gordon/git/inspec/docs"]
+inspec> dirs.each do |dir|
+inspec>   describe directory(dir) do
+inspec>     its('mode') { should cmp '0775' }
+inspec>   end
+inspec> end
+
+Profile: inspec-shell
+Version: (not specified)
+
+  File /home/gordon/git/inspec/docs/
+     ✔  mode should cmp == "0775"
+
+Test Summary: 1 successful, 0 failures, 0 skipped
+```

data/inspec.gemspec

@@ -37,7 +37,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency 'pry', '~> 0'
   spec.add_dependency 'hashie', '~> 3.4'
   spec.add_dependency 'mixlib-log'
-  spec.add_dependency 'sslshake', '~> 1.1'
+  spec.add_dependency 'sslshake', '~> 1.2'
   spec.add_dependency 'parallel', '~> 1.9'
   spec.add_dependency 'faraday', '>=0.9.0'
   spec.add_dependency 'toml', '~> 0.1'

data/lib/bundles/inspec-habitat/profile.rb

@@ -43,6 +43,7 @@ module Habitat
       copy_profile_to_work_dir
       create_plan
       create_run_hook
+      create_settings_file
       create_default_config
 
       # returns the path to the .hart file in the work directory
@@ -152,6 +153,7 @@ module Habitat
       @work_dir ||= Dir.mktmpdir('inspec-habitat-exporter')
       Dir.mkdir(File.join(@work_dir, 'src'))
       Dir.mkdir(File.join(@work_dir, 'habitat'))
+      Dir.mkdir(File.join(@work_dir, 'habitat', 'config'))
       Dir.mkdir(File.join(@work_dir, 'habitat', 'hooks'))
       Habitat::Log.debug("Generated work directory #{@work_dir}")
 
@@ -185,6 +187,12 @@ module Habitat
       File.write(run_hook_file, run_hook_contents)
     end
 
+    def create_settings_file
+      settings_file = File.join(work_dir, 'habitat', 'config', 'settings.sh')
+      Habitat::Log.info("Generating a settings file at #{settings_file}...")
+      File.write(settings_file, "SLEEP_TIME={{cfg.sleep_time}}\n")
+    end
+
     def create_default_config
       default_toml = File.join(work_dir, 'habitat', 'default.toml')
       Habitat::Log.info("Generating Habitat's default.toml configuration...")
@@ -335,7 +343,6 @@ export PATH=${PATH}:$(hab pkg path core/ruby)/bin
 export HOME={{pkg.svc_var_path}}
 
 PROFILE_IDENT="#{habitat_origin}/#{package_name}"
-SLEEP_TIME={{cfg.sleep_time}}
 RESULTS_DIR="{{pkg.svc_var_path}}/inspec_results"
 RESULTS_FILE="${RESULTS_DIR}/#{package_name}.json"
 ERROR_FILE="{{pkg.svc_var_path}}/inspec.err"
@@ -350,11 +357,15 @@ while true; do
 
   if [ "x${RC}" == "x0" ]; then
     echo "InSpec run completed successfully."
-  else
-    echo "InSpec run did NOT complete successfully."
+  elsif [ -s ${ERROR_FILE} ]
+    echo "InSpec run did NOT complete successfully. Error:"
     cat ${ERROR_FILE}
+  else
+    echo "InSpec run completed successfully, but there were control failures."
+    echo "Check the output at ${RESULTS_FILE} for details."
   fi
 
+  source {{pkg.svc_config_path}}/settings.sh
   echo "sleeping for ${SLEEP_TIME} seconds"
   sleep ${SLEEP_TIME}
 done

data/lib/inspec/objects/test.rb

@@ -66,13 +66,14 @@ module Inspec
       res, xtra = describe_chain
       itsy = xtra.nil? ? 'it' : 'its(' + xtra.to_s.inspect + ')'
       naughty = @negated ? '_not' : ''
-      xpect = defined?(@expectation) ? expectation.inspect : ''
-      if @expectation.class == Regexp
-        # without this, xpect values like / \/zones\// will not be parsed properly
-        xpect = "(#{xpect})"
-      elsif xpect != ''
-        xpect = ' ' + xpect
-      end
+      xpect = if !defined?(@expectation)
+                ''
+              elsif @expectation.class == Regexp
+                # without this, xpect values like / \/zones\// will not be parsed properly
+                "(#{@expectation.inspect})"
+              elsif xpect != ''
+                ' ' + expectation.inspect
+              end
       format("%sdescribe %s do\n  %s { should%s %s%s }\nend",
              vars, res, itsy, naughty, matcher, xpect)
     end

data/lib/inspec/resource.rb

@@ -82,6 +82,9 @@ require 'resources/command'
 require 'resources/crontab'
 require 'resources/dh_params'
 require 'resources/directory'
+require 'resources/docker'
+require 'resources/docker_image'
+require 'resources/docker_container'
 require 'resources/etc_group'
 require 'resources/file'
 require 'resources/gem'

data/lib/inspec/shell.rb

@@ -141,7 +141,7 @@ EOF
 
 #{mark 'Web Reference:'}
 
-https://github.com/chef/inspec/blob/master/docs/resources.rst##{resource}
+http://inspec.io/docs/reference/resources/#{resource}
 
 EOF
       else

data/lib/inspec/version.rb

@@ -4,5 +4,5 @@
 # author: Christoph Hartmann
 
 module Inspec
-  VERSION = '1.20.0'.freeze
+  VERSION = '1.21.0'.freeze
 end

data/lib/resources/docker.rb

@@ -0,0 +1,159 @@
+# encoding: utf-8
+#
+# Copyright 2017, Christoph Hartmann
+#
+# author: Christoph Hartmann
+# author: Patrick Muench
+# author: Dominik Richter
+
+require 'utils/filter'
+require 'hashie/mash'
+
+module Inspec::Resources
+  class DockerContainerFilter
+    # use filtertable for containers
+    filter = FilterTable.create
+    filter.add_accessor(:where)
+          .add_accessor(:entries)
+          .add(:commands,       field: 'command')
+          .add(:ids,            field: 'id')
+          .add(:images,         field: 'image')
+          .add(:labels,         field: 'labels')
+          .add(:local_volumes,  field: 'localvolumes')
+          .add(:mounts,         field: 'mounts')
+          .add(:names,          field: 'names')
+          .add(:networks,       field: 'networks')
+          .add(:ports,          field: 'ports')
+          .add(:running_for,    field: 'runningfor')
+          .add(:sizes,          field: 'size')
+          .add(:status,         field: 'status')
+          .add(:exists?) { |x| !x.entries.empty? }
+          .add(:running?) { |x|
+            x.where { status.downcase.start_with?('up') }
+          }
+    filter.connect(self, :containers)
+
+    attr_reader :containers
+    def initialize(containers)
+      @containers = containers
+    end
+  end
+
+  class DockerImageFilter
+    filter = FilterTable.create
+    filter.add_accessor(:where)
+          .add_accessor(:entries)
+          .add(:ids,              field: 'id')
+          .add(:repositories,     field: 'repository')
+          .add(:tags,             field: 'tag')
+          .add(:sizes,            field: 'size')
+          .add(:digests,          field: 'digest')
+          .add(:created,          field: 'createdat')
+          .add(:created_since,    field: 'createdsize')
+          .add(:exists?) { |x| !x.entries.empty? }
+    filter.connect(self, :images)
+
+    attr_reader :images
+    def initialize(images)
+      @images = images
+    end
+  end
+
+  # This resource helps to parse information from the docker host
+  # For compatability with Serverspec we also offer the following resouses:
+  # - docker_container
+  # - docker_image
+  class Docker < Inspec.resource(1)
+    name 'docker'
+
+    desc "
+      A resource to retrieve information about docker
+    "
+
+    example "
+      describe docker.containers do
+        its('images') { should_not include 'u12:latest' }
+      end
+
+      describe docker.images do
+        its('repositories') { should_not include 'inssecure_image' }
+      end
+
+      describe docker.version do
+        its('Server.Version') { should cmp >= '1.12'}
+        its('Client.Version') { should cmp >= '1.12'}
+      end
+
+      describe docker.object(id) do
+        its('Configuration.Path') { should eq 'value' }
+      end
+
+      docker.containers.ids.each do |id|
+        # call docker inspect for a specific container id
+        describe docker.object(id) do
+          its(%w(HostConfig Privileged)) { should cmp false }
+          its(%w(HostConfig Privileged)) { should_not cmp true }
+        end
+      end
+    "
+
+    def containers
+      DockerContainerFilter.new(parse_containers)
+    end
+
+    def images
+      DockerImageFilter.new(parse_images)
+    end
+
+    def version
+      return @version if defined?(@version)
+      data = JSON.parse(inspec.command('docker version --format \'{{ json . }}\'').stdout)
+      @version = Hashie::Mash.new(data)
+    end
+
+    def info
+      return @info if defined?(@info)
+      data = JSON.parse(inspec.command('docker info --format \'{{ json . }}\'').stdout)
+      @info = Hashie::Mash.new(data)
+    end
+
+    # returns information about docker objects
+    def object(id)
+      return @inspect if defined?(@inspect)
+      data = JSON.parse(inspec.command("docker inspect #{id}").stdout)
+      data = data[0] if data.is_a?(Array)
+      @inspect = Hashie::Mash.new(data)
+    end
+
+    def to_s
+      'Docker Host'
+    end
+
+    private
+
+    def parse_containers
+      raw_containers = inspec.command('docker ps -a --no-trunc --format \'{{ json . }}\'').stdout
+      ps = []
+      # since docker is not outputting valid json, we need to parse each row
+      raw_containers.each_line { |entry|
+        j = JSON.parse(entry)
+        # convert all keys to lower_case to work well with ruby and filter table
+        j = j.map { |k, v|
+          [k.downcase, v]
+        }.to_h
+        ps.push(j)
+      }
+      ps
+    end
+
+    def parse_images
+      # docker does not support the `json .` function here, therefore we need to emulate that behavior.
+      raw_images = inspec.command('docker images -a --no-trunc --format \'{ "id": {{json .ID}}, "repository": {{json .Repository}}, "tag": {{json .Tag}}, "size": {{json .Size}}, "digest": {{json .Digest}}, "createdat": {{json .CreatedAt}}, "createdsize": {{json .CreatedSince}} }\'').stdout
+      c_images = []
+      raw_images.each_line { |entry|
+        c_images.push(JSON.parse(entry))
+      }
+      c_images
+    end
+  end
+end

data/lib/resources/docker_container.rb

@@ -0,0 +1,97 @@
+# encoding: utf-8
+#
+# Copyright 2017, Christoph Hartmann
+#
+# author: Christoph Hartmann
+# author: Patrick Muench
+# author: Dominik Richter
+
+module Inspec::Resources
+  class DockerContainer < Inspec.resource(1)
+    name 'docker_container'
+    desc ''
+    example "
+      describe docker_container('an-echo-server') do
+        it { should exist }
+        it { should be_running }
+        its('id') { should_not eq '' }
+        its('image') { should eq 'busybox:latest' }
+        its('repo') { should eq 'busybox' }
+        its('tag') { should eq 'latest' }
+        its('ports') { should eq [] }
+        its('command') { should eq 'nc -ll -p 1234 -e /bin/cat' }
+      end
+
+      describe docker_container(id: 'e2c52a183358') do
+        it { should exist }
+        it { should be_running }
+      end
+    "
+
+    def initialize(opts = {})
+      # if a string is provided, we expect it is the name
+      if opts.is_a?(String)
+        @opts = { name: opts }
+      else
+        @opts = opts
+      end
+    end
+
+    def exist?
+      container_info.exists?
+    end
+
+    # is allways returning the full id
+    def id
+      container_info.ids[0] if container_info.entries.length == 1
+    end
+
+    def running?
+      status.downcase.start_with?('up') if container_info.entries.length == 1
+    end
+
+    def status
+      container_info.status[0] if container_info.entries.length == 1
+    end
+
+    def labels
+      container_info.labels[0] if container_info.entries.length == 1
+    end
+
+    def ports
+      container_info.ports[0] if container_info.entries.length == 1
+    end
+
+    def command
+      if container_info.entries.length == 1
+        cmd = container_info.commands[0]
+        cmd.slice(1, cmd.length - 2)
+      end
+    end
+
+    def image
+      container_info.images[0] if container_info.entries.length == 1
+    end
+
+    def repo
+      image.split(':')[0] unless image.nil?
+    end
+
+    def tag
+      image.split(':')[1] unless image.nil?
+    end
+
+    def to_s
+      name = @opts[:name] || @opts[:id]
+      "Docker Container #{name}"
+    end
+
+    private
+
+    def container_info
+      return @info if defined?(@info)
+      opts = @opts
+      @info = inspec.docker.containers.where { names == opts[:name] || (!id.nil? && !opts[:id].nil? && (id == opts[:id] || id.start_with?(opts[:id]))) }
+    end
+  end
+end

data/lib/resources/docker_image.rb

@@ -0,0 +1,96 @@
+# encoding: utf-8
+#
+# Copyright 2017, Christoph Hartmann
+#
+# author: Christoph Hartmann
+# author: Patrick Muench
+# author: Dominik Richter
+
+module Inspec::Resources
+  class DockerImage < Inspec.resource(1)
+    name 'docker_image'
+    desc ''
+    example "
+      describe docker_image('alpine:latest') do
+        it { should exist }
+        its('id') { should_not eq '' }
+        its('image') { should eq 'alpine:latest' }
+        its('repo') { should eq 'alpine' }
+        its('tag') { should eq 'latest' }
+      end
+
+      describe docker_image('alpine:latest') do
+        it { should exist }
+      end
+
+      describe docker_image(id: '4a415e366388') do
+        it { should exist }
+      end
+    "
+
+    def initialize(opts = {})
+      # do sanitizion of input values
+      o = opts.dup
+      o = { image: opts } if opts.is_a?(String)
+      @opts = sanitize_options(o)
+    end
+
+    def exist?
+      image_info.exists?
+    end
+
+    def id
+      image_info.ids[0] if image_info.entries.size == 1
+    end
+
+    def image
+      "#{repo}:#{tag}" if image_info.entries.size == 1
+    end
+
+    def repo
+      image_info.repositories[0] if image_info.entries.size == 1
+    end
+
+    def tag
+      image_info.tags[0] if image_info.entries.size == 1
+    end
+
+    def to_s
+      img = @opts[:image] || @opts[:id]
+      "Docker Image #{img}"
+    end
+
+    private
+
+    def sanitize_options(opts)
+      if !opts[:image].nil?
+        if !opts[:image].index(':').nil?
+          repo, tag = opts[:image].split(':')
+        else
+          opts[:repo] = opts[:image]
+          opts[:image] = nil
+        end
+        opts[:repo] ||= repo
+        opts[:tag] ||= tag
+      end
+
+      if !opts[:id].nil?
+        if opts[:id].index(':').nil?
+          opts[:id] = 'sha256:' + opts[:id]
+        end
+      end
+
+      opts[:tag] ||= 'latest'
+      opts[:image] ||= "#{opts[:repo]}:#{opts[:tag]}" unless opts[:repo].nil?
+      opts
+    end
+
+    def image_info
+      return @info if defined?(@info)
+      opts = @opts
+      @info = inspec.docker.images.where {
+        (repository == opts[:repo] && tag == opts[:tag]) || (!id.nil? && !opts[:id].nil? && (id == opts[:id] || id.start_with?(opts[:id])))
+      }
+    end
+  end
+end

data/lib/resources/http.rb

@@ -25,13 +25,14 @@ module Inspec::Resources
     "
 
     # rubocop:disable ParameterLists
-    def initialize(url, method: 'GET', params: nil, auth: {}, headers: {}, data: nil)
+    def initialize(url, method: 'GET', params: nil, auth: {}, headers: {}, data: nil, ssl_verify: true)
       @url = url
       @method = method
       @params = params
       @auth = auth
       @headers = headers
       @data = data
+      @ssl_verify = ssl_verify
     end
 
     def status
@@ -53,7 +54,7 @@ module Inspec::Resources
     private
 
     def response
-      conn = Faraday.new url: @url, headers: @headers, params: @params
+      conn = Faraday.new url: @url, headers: @headers, params: @params, ssl: { verify: @ssl_verify }
 
       # set basic authentication
       conn.basic_auth @auth[:user], @auth[:pass] unless @auth.empty?

data/lib/resources/powershell.rb

@@ -10,7 +10,7 @@ module Inspec::Resources
     desc 'Use the powershell InSpec audit resource to test a Windows PowerShell script on the Microsoft Windows platform.'
     example "
       script = <<-EOH
-        # you powershell script
+        # your powershell script
       EOH
 
       describe powershell(script) do

data/lib/resources/ssh_conf.rb

@@ -9,10 +9,12 @@ require 'utils/simpleconfig'
 module Inspec::Resources
   class SshConf < Inspec.resource(1)
     name 'ssh_config'
-    desc 'Use the sshd_config InSpec audit resource to test configuration data for the Open SSH daemon located at /etc/ssh/sshd_config on Linux and UNIX platforms. sshd---the Open SSH daemon---listens on dedicated ports, starts a daemon for each incoming connection, and then handles encryption, authentication, key exchanges, command execution, and data exchanges.'
+    desc 'Use the `ssh_config` InSpec audit resource to test OpenSSH client configuration data located at `/etc/ssh/ssh_config` on Linux and Unix platforms.'
     example "
-      describe sshd_config do
-        its('Protocol') { should eq '2' }
+      describe ssh_config do
+        its('cipher') { should contain '3des' }
+        its('port') { should eq '22' }
+        its('hostname') { should include('example.com') }
       end
     "
 
@@ -83,9 +85,19 @@ module Inspec::Resources
 
   class SshdConf < SshConf
     name 'sshd_config'
+    desc 'Use the sshd_config InSpec audit resource to test configuration data for the Open SSH daemon located at /etc/ssh/sshd_config on Linux and UNIX platforms. sshd---the Open SSH daemon---listens on dedicated ports, starts a daemon for each incoming connection, and then handles encryption, authentication, key exchanges, command execution, and data exchanges.'
+    example "
+      describe sshd_config do
+        its('Protocol') { should eq '2' }
+      end
+    "
 
     def initialize(path = nil)
       super(path || '/etc/ssh/sshd_config')
     end
+
+    def to_s
+      'SSHD Configuration'
+    end
   end
 end

data/lib/resources/users.rb

@@ -576,42 +576,42 @@ module Inspec::Resources
     def collect_user_details # rubocop:disable Metrics/MethodLength
       return @users_cache if defined?(@users_cache)
       script = <<-EOH
-Function  ConvertTo-SID { Param([byte[]]$BinarySID)
-  (New-Object  System.Security.Principal.SecurityIdentifier($BinarySID,0)).Value
+Function ConvertTo-SID { Param([byte[]]$BinarySID)
+  (New-Object System.Security.Principal.SecurityIdentifier($BinarySID,0)).Value
 }
 
-Function  Convert-UserFlag { Param  ($UserFlag)
-  $List  = @()
-  Switch  ($UserFlag) {
-    ($UserFlag  -BOR 0x0001)  { $List += 'SCRIPT' }
-    ($UserFlag  -BOR 0x0002)  { $List += 'ACCOUNTDISABLE' }
-    ($UserFlag  -BOR 0x0008)  { $List += 'HOMEDIR_REQUIRED' }
-    ($UserFlag  -BOR 0x0010)  { $List += 'LOCKOUT' }
-    ($UserFlag  -BOR 0x0020)  { $List += 'PASSWD_NOTREQD' }
-    ($UserFlag  -BOR 0x0040)  { $List += 'PASSWD_CANT_CHANGE' }
-    ($UserFlag  -BOR 0x0080)  { $List += 'ENCRYPTED_TEXT_PWD_ALLOWED' }
-    ($UserFlag  -BOR 0x0100)  { $List += 'TEMP_DUPLICATE_ACCOUNT' }
-    ($UserFlag  -BOR 0x0200)  { $List += 'NORMAL_ACCOUNT' }
-    ($UserFlag  -BOR 0x0800)  { $List += 'INTERDOMAIN_TRUST_ACCOUNT' }
-    ($UserFlag  -BOR 0x1000)  { $List += 'WORKSTATION_TRUST_ACCOUNT' }
-    ($UserFlag  -BOR 0x2000)  { $List += 'SERVER_TRUST_ACCOUNT' }
-    ($UserFlag  -BOR 0x10000)  { $List += 'DONT_EXPIRE_PASSWORD' }
-    ($UserFlag  -BOR 0x20000)  { $List += 'MNS_LOGON_ACCOUNT' }
-    ($UserFlag  -BOR 0x40000)  { $List += 'SMARTCARD_REQUIRED' }
-    ($UserFlag  -BOR 0x80000)  { $List += 'TRUSTED_FOR_DELEGATION' }
-    ($UserFlag  -BOR 0x100000)  { $List += 'NOT_DELEGATED' }
-    ($UserFlag  -BOR 0x200000)  { $List += 'USE_DES_KEY_ONLY' }
-    ($UserFlag  -BOR 0x400000)  { $List += 'DONT_REQ_PREAUTH' }
-    ($UserFlag  -BOR 0x800000)  { $List += 'PASSWORD_EXPIRED' }
-    ($UserFlag  -BOR 0x1000000)  { $List += 'TRUSTED_TO_AUTH_FOR_DELEGATION' }
-    ($UserFlag  -BOR 0x04000000)  { $List += 'PARTIAL_SECRETS_ACCOUNT' }
+Function Convert-UserFlag { Param  ($UserFlag)
+  $List = @()
+  Switch ($UserFlag) {
+    ($UserFlag -BOR 0x0001) { $List += 'SCRIPT' }
+    ($UserFlag -BOR 0x0002) { $List += 'ACCOUNTDISABLE' }
+    ($UserFlag -BOR 0x0008) { $List += 'HOMEDIR_REQUIRED' }
+    ($UserFlag -BOR 0x0010) { $List += 'LOCKOUT' }
+    ($UserFlag -BOR 0x0020) { $List += 'PASSWD_NOTREQD' }
+    ($UserFlag -BOR 0x0040) { $List += 'PASSWD_CANT_CHANGE' }
+    ($UserFlag -BOR 0x0080) { $List += 'ENCRYPTED_TEXT_PWD_ALLOWED' }
+    ($UserFlag -BOR 0x0100) { $List += 'TEMP_DUPLICATE_ACCOUNT' }
+    ($UserFlag -BOR 0x0200) { $List += 'NORMAL_ACCOUNT' }
+    ($UserFlag -BOR 0x0800) { $List += 'INTERDOMAIN_TRUST_ACCOUNT' }
+    ($UserFlag -BOR 0x1000) { $List += 'WORKSTATION_TRUST_ACCOUNT' }
+    ($UserFlag -BOR 0x2000) { $List += 'SERVER_TRUST_ACCOUNT' }
+    ($UserFlag -BOR 0x10000) { $List += 'DONT_EXPIRE_PASSWORD' }
+    ($UserFlag -BOR 0x20000) { $List += 'MNS_LOGON_ACCOUNT' }
+    ($UserFlag -BOR 0x40000) { $List += 'SMARTCARD_REQUIRED' }
+    ($UserFlag -BOR 0x80000) { $List += 'TRUSTED_FOR_DELEGATION' }
+    ($UserFlag -BOR 0x100000) { $List += 'NOT_DELEGATED' }
+    ($UserFlag -BOR 0x200000) { $List += 'USE_DES_KEY_ONLY' }
+    ($UserFlag -BOR 0x400000) { $List += 'DONT_REQ_PREAUTH' }
+    ($UserFlag -BOR 0x800000) { $List += 'PASSWORD_EXPIRED' }
+    ($UserFlag -BOR 0x1000000) { $List += 'TRUSTED_TO_AUTH_FOR_DELEGATION' }
+    ($UserFlag -BOR 0x04000000) { $List += 'PARTIAL_SECRETS_ACCOUNT' }
   }
   $List
 }
 
-$Computername =  $Env:Computername
-$adsi  = [ADSI]"WinNT://$Computername"
-$adsi.Children | where {$_.SchemaClassName -eq  'user'} |  ForEach {
+$Computername = $Env:Computername
+$adsi = [ADSI]"WinNT://$Computername"
+$adsi.Children | where {$_.SchemaClassName -eq 'user'} | ForEach {
   New-Object PSObject -property @{
     uid = ConvertTo-SID -BinarySID $_.ObjectSID[0]
     username = $_.Name[0]
@@ -627,7 +627,7 @@ $adsi.Children | where {$_.SchemaClassName -eq  'user'} |  ForEach {
     maxbadpasswords = $_.MaxBadPasswordsAllowed[0]
     gid = $null
     group = $null
-    groups = $null
+    groups = @($_.Groups() | Foreach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
     home = $_.HomeDirectory[0]
     shell = $null
     domain = $Computername

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec
 version: !ruby/object:Gem::Version
-  version: 1.20.0
+  version: 1.21.0
 platform: ruby
 authors:
 - Dominik Richter
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-04-13 00:00:00.000000000 Z
+date: 2017-04-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: train
@@ -182,14 +182,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.1'
+        version: '1.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.1'
+        version: '1.2'
 - !ruby/object:Gem::Dependency
   name: parallel
   requirement: !ruby/object:Gem::Requirement
@@ -291,7 +291,6 @@ files:
 - docs/migration.md
 - docs/plugin_kitchen_inspec.html.md
 - docs/profiles.md
-- docs/resources.md
 - docs/resources/apache_conf.md.erb
 - docs/resources/apt.md.erb
 - docs/resources/audit_policy.md.erb
@@ -306,6 +305,9 @@ files:
 - docs/resources/csv.md.erb
 - docs/resources/dh_params.md
 - docs/resources/directory.md.erb
+- docs/resources/docker.md.erb
+- docs/resources/docker_container.md.erb
+- docs/resources/docker_image.md.erb
 - docs/resources/etc_group.md.erb
 - docs/resources/etc_passwd.md.erb
 - docs/resources/etc_shadow.md.erb
@@ -323,7 +325,7 @@ files:
 - docs/resources/json.md.erb
 - docs/resources/kernel_module.md.erb
 - docs/resources/kernel_parameter.md.erb
-- docs/resources/key_rsa.md
+- docs/resources/key_rsa.md.erb
 - docs/resources/launchd_service.md.erb
 - docs/resources/limits_conf.md.erb
 - docs/resources/login_def.md.erb
@@ -362,7 +364,7 @@ files:
 - docs/resources/windows_feature.md.erb
 - docs/resources/windows_task.md.erb
 - docs/resources/wmi.md.erb
-- docs/resources/x509_certificate.md
+- docs/resources/x509_certificate.md.erb
 - docs/resources/xinetd_conf.md.erb
 - docs/resources/yaml.md.erb
 - docs/resources/yum.md.erb
@@ -378,7 +380,6 @@ files:
 - examples/README.md
 - examples/inheritance/README.md
 - examples/inheritance/controls/example.rb
-- examples/inheritance/inspec.lock
 - examples/inheritance/inspec.yml
 - examples/kitchen-ansible/.kitchen.yml
 - examples/kitchen-ansible/Gemfile
@@ -404,11 +405,7 @@ files:
 - examples/kitchen-puppet/test/integration/default/web_spec.rb
 - examples/meta-profile/README.md
 - examples/meta-profile/controls/example.rb
-- examples/meta-profile/inspec.lock
 - examples/meta-profile/inspec.yml
-- examples/meta-profile/vendor/11b6287b232c2a689ae87b3ba54897eb9067a749da074b6f3040b6442082dd6a.tar.gz
-- examples/meta-profile/vendor/379757a6ba73c9bc17b37353c1ff5b4eb7dd978a3bd38b29d2dda64f90f16c36.tar.gz
-- examples/meta-profile/vendor/dbb5602f09f58d86f8743dfb44327207e9a23a49ef34f65614f1c1d8cc145f6b.tar.gz
 - examples/profile-attribute.yml
 - examples/profile-attribute/README.md
 - examples/profile-attribute/controls/example.rb
@@ -531,6 +528,9 @@ files:
 - lib/resources/csv.rb
 - lib/resources/dh_params.rb
 - lib/resources/directory.rb
+- lib/resources/docker.rb
+- lib/resources/docker_container.rb
+- lib/resources/docker_image.rb
 - lib/resources/etc_group.rb
 - lib/resources/file.rb
 - lib/resources/gem.rb
@@ -625,7 +625,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.5.2
+rubygems_version: 2.6.11
 signing_key: 
 specification_version: 4
 summary: Infrastructure and compliance testing.

data/examples/inheritance/inspec.lock

@@ -1,11 +0,0 @@
----
-lockfile_version: 1
-depends:
-- name: profile
-  resolved_source:
-    path: "/Users/aleff/projects/inspec/examples/profile"
-  version_constraints: ">= 0"
-- name: profile-attribute
-  resolved_source:
-    path: "/Users/aleff/projects/inspec/examples/profile-attribute"
-  version_constraints: ">= 0"

data/examples/meta-profile/inspec.lock

@@ -1,18 +0,0 @@
----
-lockfile_version: 1
-depends:
-- name: dev-sec/ssh-baseline
-  resolved_source:
-    url: https://github.com/dev-sec/ssh-baseline/archive/master.tar.gz
-    sha256: 379757a6ba73c9bc17b37353c1ff5b4eb7dd978a3bd38b29d2dda64f90f16c36
-  version_constraints: ">= 0"
-- name: ssl-benchmark
-  resolved_source:
-    url: https://github.com/dev-sec/ssl-benchmark/archive/master.tar.gz
-    sha256: 11b6287b232c2a689ae87b3ba54897eb9067a749da074b6f3040b6442082dd6a
-  version_constraints: ">= 0"
-- name: windows-patch-benchmark
-  resolved_source:
-    url: https://github.com/chris-rock/windows-patch-benchmark/archive/master.tar.gz
-    sha256: dbb5602f09f58d86f8743dfb44327207e9a23a49ef34f65614f1c1d8cc145f6b
-  version_constraints: ">= 0"