inspec 1.30.0 → 1.31.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 745f9c48fb9d28298944aef579f3d8d24255acf5
-  data.tar.gz: 0e69074ae2ba59b6fd09c6f09ddb784a97fd4fee
+  metadata.gz: 0f63e2bc3c79b42602da904d3a7d1c270eb82281
+  data.tar.gz: 0f288778eab441b7325fb7f4401c15a24cca1abb
 SHA512:
-  metadata.gz: '043509ac03b2be5d7025476cbe33ffff43cf8cc6b5176b4f2519317ef8c3190302b3edc2d870a218c10192699b927b4e6027806fdd3ff677bdcbbf51d605d051'
-  data.tar.gz: '009d85fe8d9e0f0e778286b229e1ef4ad70ee18e023bfd638143cf2a68db068272fc862bc17161151842e3e0fd7b16cb516c0b9079a73f13ad327baf1e171aa9'
+  metadata.gz: 036eaca5d11a52c0218416510139b133547811ceecfc8ac19659cbec50951a61d8eb7bfda9a3280b3e3944c7bfd0b295d8691124ed6984372968330d8af8db0f
+  data.tar.gz: fc6b35830b818319d4a13ec75015b16e9dca38f048d52ed2f1c1d034b7a87a16d08a1deea09010cbc153f82de8ba24dc4ce4c2d1b777676f26affc69d79da7c0

data/CHANGELOG.md

@@ -1,5 +1,20 @@
 # Change Log
 
+## [v1.31.0](https://github.com/chef/inspec/tree/v1.31.0) (2017-07-06)
+[Full Changelog](https://github.com/chef/inspec/compare/v1.30.0...v1.31.0)
+
+**Implemented enhancements:**
+
+- Add support for ncat in host resource for CoreOS [\#1993](https://github.com/chef/inspec/pull/1993) ([adamleff](https://github.com/adamleff))
+- New postgres\_hba\_conf resource [\#1964](https://github.com/chef/inspec/pull/1964) ([aaronlippold](https://github.com/aaronlippold))
+- New postgres\_ident\_conf resource [\#1963](https://github.com/chef/inspec/pull/1963) ([aaronlippold](https://github.com/aaronlippold))
+
+**Fixed bugs:**
+
+- Fix formatter when two profiles have the same name [\#1991](https://github.com/chef/inspec/pull/1991) ([adamleff](https://github.com/adamleff))
+- Fix host resolution on Darwin, use dig wherever possible [\#1986](https://github.com/chef/inspec/pull/1986) ([adamleff](https://github.com/adamleff))
+- updated postgres\_session resource properly escape queries [\#1939](https://github.com/chef/inspec/pull/1939) ([aaronlippold](https://github.com/aaronlippold))
+
 ## [v1.30.0](https://github.com/chef/inspec/tree/v1.30.0) (2017-06-29)
 [Full Changelog](https://github.com/chef/inspec/compare/v1.29.0...v1.30.0)
 

data/README.md

@@ -284,7 +284,7 @@ Gentoo Linux | | x86_64
 Arch Linux | | x86_64
 HP-UX | 11.31 | ia64
 
-*For Windows 2008 and 2008 R2 an updated Powershell (Windows Management Framework 5.0) is required.*
+*For Windows, PowerShell 3.0 or above is required.*
 
 In addition, runtime support is provided for:
 

data/docs/resources/host.md.erb

@@ -14,6 +14,8 @@ A `host` resource block declares a host name, and then (depending on what is to
 
    describe host('example.com', port: 80, protocol: 'tcp') do
      it { should be_reachable }
+     it { should be_resolvable }
+     its('ipaddress') { should include '12.34.56.78' }
    end
 
 where
@@ -22,7 +24,6 @@ where
 * `'example.com'` is the host name
 * `port:` is the port number
 * `protocol: 'name'` is the Internet protocol: TCP (`protocol: 'tcp'`), UDP (`protocol: 'udp'` or  ICMP (`protocol: 'icmp'`))
-* `be_reachable` is a valid matcher for this resource
 
 
 ## Matchers
@@ -83,3 +84,11 @@ The following examples show how to use this InSpec audit resource.
       it { should be_resolvable }
       its('ipaddress') { should include '192.168.1.1' }
     end
+
+### Review the connection setup and socket contents when checking reachability
+
+    describe host('example.com', port: 12345, protocol: 'tcp') do
+      it { should be_reachable }
+      its('connection') { should_not match /connection refused/ }
+      its('socket') { should match /STATUS_OK/ }
+    end

data/docs/resources/kernel_module.md.erb

@@ -4,20 +4,33 @@ title: About the kernel_module Resource
 
 # kernel_module
 
-Use the `kernel_module` InSpec audit resource to test kernel modules on Linux platforms. These parameters are located under `/lib/modules`. Any submodule may be tested using this resource.
+Use the `kernel_module` InSpec audit resource to test kernel modules on Linux
+platforms. These parameters are located under `/lib/modules`. Any submodule may
+be tested using this resource.
+
+The `kernel_module` resource can also verify if a kernel module is `blacklisted`
+or if a module is disabled via a fake install using the `bin_true` or `bin_false`
+method.
 
 ## Syntax
 
-A `kernel_module` resource block declares a module name, and then tests if that module is a loadable kernel module:
+A `kernel_module` resource block declares a module name, and then tests if that
+module is a loadable kernel module, if it is enabled, disabled or if it is
+blacklisted:
 
     describe kernel_module('module_name') do
       it { should be_loaded }
+      it { should_not be_disabled }
+      it { should_not be_blacklisted }
+    end
     end
 
 where
 
 * `'module_name'` must specify a kernel module, such as `'bridge'`
 * `{ should be_loaded }` tests if the module is a loadable kernel module
+* `{ should be_blacklisted }` tests if the module is blacklisted or if the module is disabled via a fake install using /bin/false or /bin/true
+* `{ should be_disabled }` tests if the module is disabled via a fake install using /bin/false or /bin/true
 
 ## Matchers
 
@@ -59,9 +72,50 @@ The `version` matcher tests if the named module version is on the system:
 
 The following examples show how to use this InSpec audit resource.
 
-### Test if a module is loaded
+    ### Test a modules 'version'
 
     describe kernel_module('bridge') do
       it { should be_loaded }
       its(:version) { should cmp >= '2.2.2' }
     end
+
+    ### Test if a module is loaded, not disabled and not blacklisted
+
+    describe kernel_module('video') do
+      it { should be_loaded }
+      it { should_not be_disabled }
+      it { should_not be_blacklisted }
+    end
+
+    ### Check if a module is blacklisted
+
+    describe kernel_module('floppy') do
+      it { should be_blacklisted }
+    end
+
+    ### Ensure a module is *not* blacklisted and it is loaded
+
+    describe kernel_module('video') do
+      it { should_not be_blacklisted }
+      it { should be_loaded }
+    end
+
+    ### Ensure a module is disabled via 'bin_false'
+
+    describe kernel_module('sstfb') do
+      it { should_not be_loaded }
+      it { should be_disabled }
+    end
+
+    ### Ensure a module is 'blacklisted'/'disabled' via 'bin_true'
+
+    describe kernel_module('nvidiafb') do
+      it { should_not be_loaded }
+      it { should be_blacklisted }
+    end
+
+    ### Ensure a module is not loaded
+
+    describe kernel_module('dhcp') do
+      it { should_not be_loaded }
+    end

data/docs/resources/postgres_hba_conf.md.erb

@@ -0,0 +1,104 @@
+---
+title: About the postgres_hba_conf Resource
+---
+
+# postgres_hba_conf
+
+Use the `postgres_hba_conf` InSpec audit resource to test the client authentication data defined in the pg_hba.conf file.
+## Syntax
+
+An `postgres_hba_conf` InSpec audit resource block declares client authentication data that should be tested:
+
+    describe postgres_hba_conf.where { type == 'local' } do
+     its('auth_method') { should eq ['peer'] }
+    end
+
+where
+
+* `'attribute'` is a attribute in the  pg hba configuration file
+* `'filter_value'` is the value that is to be filtered for
+* `'value'` is the value that is to be matched expected
+
+## Matchers
+
+This InSpec audit resource matches any service that is listed in the HBA configuration file:
+
+    its('auth_method') { should_not cmp 'peer' }
+
+or:
+
+    its('auth_method') { should cmp 'peer' }
+
+For example:
+
+    describe postgres_hba_conf.where { type == 'type' } do
+      its('auth_method') { should cmp 'value' }
+      its('user') { should cmp 'value' }
+    end
+
+### be
+
+<%= partial "/shared/matcher_be" %>
+
+### cmp
+
+<%= partial "/shared/matcher_cmp" %>
+
+### eq
+
+<%= partial "/shared/matcher_eq" %>
+
+### include
+
+<%= partial "/shared/matcher_include" %>
+
+### match
+
+<%= partial "/shared/matcher_match" %>
+
+
+## Supported Properties
+
+    'address', 'auth_method', 'auth_params', 'conf_dir' , 'conf_file' , 'database', 'params' ,'type', 'user'
+
+## Property Examples and Return Types
+
+### address([String])
+
+`address` returns a an array of strings that matches the where condition of the filter table
+
+    describe postgres_hba_conf.where { type == 'local' } do
+      its('address') { should cmp 'value' }
+    end
+    
+### auth_method([String])
+
+`auth_method` returns a an array of strings that matches the where condition of the filter table
+
+    describe postgres_hba_conf.where { type == 'local' } do
+      its('auth_method') { should cmp 'value' }
+    end
+
+### database([String])
+
+`database` returns a an array of strings that matches the where condition of the filter table
+
+    describe postgres_hba_conf.where { type == 'local' } do
+      its('database') { should cmp 'value' }
+    end
+
+### type([String])
+
+`type` returns a an array of strings that matches the where condition of the filter table
+
+    describe postgres_hba_conf.where { database == 'acme_test_db' } do
+      its('type') { should cmp 'value' }
+    end
+
+### user([String])
+
+`user` returns a an array of strings that matches the where condition of the filter table
+
+    describe postgres_hba_conf.where { database == 'acme_test_db' } do
+      its('user') { should cmp 'value' }
+    end

data/docs/resources/postgres_ident_conf.md.erb

@@ -0,0 +1,87 @@
+---
+title: About the postgres_ident_conf Resource
+---
+
+# postgres_ident_conf
+
+Use the `postgres_ident_conf` InSpec audit resource to test the client authentication data defined in the pg_hba.conf file.
+## Syntax
+
+An `postgres_ident_conf` InSpec audit resource block declares client authentication data that should be tested:
+
+    describe postgres_ident_conf.where { pg_username == 'filter_value' } do
+      its('attribute') { should eq ['value'] }
+    end
+
+where
+
+* `'attribute'` is a attribute in the  pg ident configuration file
+* `'filter_value'` is the value that is to be filtered for
+* `'value'` is the value that is to be matched expected
+
+## Matchers
+
+This InSpec audit resource matches any service that is listed in the pg ident  configuration file:
+
+    its('pg_username') { should_not eq ['peer'] }
+
+or:
+
+    its('map_name') { should eq ['value'] }
+
+For example:
+
+    describe postgres_ident_conf.where { pg_username == 'name' } do
+      its('system_username') { should eq ['value'] }
+      its('map_name') { should eq ['value'] }
+    end
+
+### be
+
+<%= partial "/shared/matcher_be" %>
+
+### cmp
+
+<%= partial "/shared/matcher_cmp" %>
+
+### eq
+
+<%= partial "/shared/matcher_eq" %>
+
+### include
+
+<%= partial "/shared/matcher_include" %>
+
+### match
+
+<%= partial "/shared/matcher_match" %>
+
+
+## Supported Properties
+
+    'conf_file', 'map_name', 'params', 'pg_username', 'system_username'
+
+## Property Examples and Return Types
+
+### map_name([String])
+
+`address` returns a an array of strings that matches the where condition of the filter table
+
+    describe pg_hba_conf.where { pg_username == 'name' } do
+      its('map_name') { should eq ['value'] }
+    end
+### pg_username([String])
+
+`pg_username` returns a an array of strings that matches the where condition of the filter table
+
+    describe pg_hba_conf.where { pg_username == 'name' } do
+      its('pg_username') { should eq ['value'] }
+    end
+
+### system_username([String])
+
+`system_username` returns a an array of strings that matches the where condition of the filter table
+
+    describe pg_hba_conf.where { pg_username == 'name' } do
+      its('system_username') { should eq ['value'] }
+    end

data/lib/inspec/resource.rb

@@ -122,6 +122,8 @@ require 'resources/package'
 require 'resources/packages'
 require 'resources/parse_config'
 require 'resources/passwd'
+require 'resources/postgres_hba_conf'
+require 'resources/postgres_ident_conf'
 require 'resources/pip'
 require 'resources/port'
 require 'resources/postgres'

data/lib/inspec/rspec_json_formatter.rb

@@ -243,7 +243,16 @@ class InspecRspecJson < InspecRspecMiniJson # rubocop:disable Metrics/ClassLengt
     # this example, leading to Ruby exceptions.
     return false if profile_name.nil? || example_profile_id.nil?
 
-    profile_name == example_profile_id
+    # The correct profile is one where the name of the profile, and the profile
+    # name in the example match. Additionally, the list of controls in the
+    # profile must contain the example in question (which we match by ID).
+    #
+    # While the profile name match is usually good enough, we must also match by
+    # the control ID in the case where an InSpec runner has multiple profiles of
+    # the same name (i.e. when Test Kitchen is running concurrently using a
+    # single test suite that uses the Flat source reader, in which case InSpec
+    # creates a fake profile with a name like "tests from /path/to/tests")
+    profile_name == example_profile_id && profile[:controls].any? { |control| control[:id] == example[:id] }
   end
 
   def move_example_into_control(example, control)

data/lib/inspec/version.rb

@@ -4,5 +4,5 @@
 # author: Christoph Hartmann
 
 module Inspec
-  VERSION = '1.30.0'.freeze
+  VERSION = '1.31.0'.freeze
 end

data/lib/resources/host.rb

@@ -24,6 +24,8 @@
 #   it { should be_resolvable.by('dns') }
 # end
 
+require 'resolv'
+
 module Inspec::Resources
   class Host < Inspec.resource(1)
     name 'host'
@@ -31,6 +33,8 @@ module Inspec::Resources
     example "
       describe host('example.com') do
         it { should be_reachable }
+        it { should be_resolvable }
+        its('ipaddress') { should include '12.34.56.78' }
       end
 
       describe host('example.com', port: '80', protocol: 'tcp') do
@@ -140,7 +144,39 @@ module Inspec::Resources
     end
   end
 
-  class DarwinHostProvider < HostProvider
+  class UnixHostProvider < HostProvider
+    def resolve_with_dig(hostname)
+      addresses = []
+
+      # look for IPv6 addresses
+      cmd = inspec.command("dig +short AAAA #{hostname}")
+      cmd.stdout.lines.each do |line|
+        matched = line.chomp.match(Resolv::IPv6::Regex)
+        addresses << matched.to_s unless matched.nil?
+      end
+
+      # look for IPv4 addresses
+      cmd = inspec.command("dig +short A #{hostname}")
+      cmd.stdout.lines.each do |line|
+        matched = line.chomp.match(Resolv::IPv4::Regex)
+        addresses << matched.to_s unless matched.nil?
+      end
+
+      addresses.empty? ? nil : addresses
+    end
+
+    def resolve_with_getent(hostname)
+      # TODO: we rely on getent hosts for now, but it prefers to return IPv6, only then IPv4
+      cmd = inspec.command("getent hosts #{hostname}")
+      return nil if cmd.exit_status.to_i != 0
+
+      # extract ip adress
+      resolve = /^\s*(?<ip>\S+)\s+(.*)\s*$/.match(cmd.stdout.chomp)
+      [resolve[1]] if resolve
+    end
+  end
+
+  class DarwinHostProvider < UnixHostProvider
     def missing_requirements(protocol)
       missing = []
 
@@ -166,24 +202,16 @@ module Inspec::Resources
     end
 
     def resolve(hostname)
-      # Resolve IPv6 address first, if that fails try IPv4 to match Linux behaivor
-      cmd = inspec.command("host -t AAAA #{hostname}")
-      if cmd.exit_status.to_i != 0
-        cmd = inspec.command("host -t A #{hostname}")
-      end
-      return nil if cmd.exit_status.to_i != 0
-
-      resolve = /^.* has IPv\d address\s+(?<ip>\S+)\s*$/.match(cmd.stdout.chomp)
-      [resolve[1]] if resolve
+      resolve_with_dig(hostname)
     end
   end
 
-  class LinuxHostProvider < HostProvider
+  class LinuxHostProvider < UnixHostProvider
     def missing_requirements(protocol)
       missing = []
 
-      if protocol == 'tcp'
-        missing << 'netcat must be installed' unless inspec.command('nc').exist?
+      if protocol == 'tcp' && (!inspec.command('nc').exist? || !inspec.command('ncat').exist?)
+        missing << 'netcat must be installed'
       end
 
       missing
@@ -191,7 +219,7 @@ module Inspec::Resources
 
     def ping(hostname, port, protocol)
       if protocol == 'tcp'
-        resp = inspec.command("echo | nc -v -w 1 #{hostname} #{port}")
+        resp = inspec.command(tcp_check_command(hostname, port))
       else
         # fall back to ping, but we can only test ICMP packages with ping
         resp = inspec.command("ping -w 1 -c 1 #{hostname}")
@@ -204,14 +232,20 @@ module Inspec::Resources
       }
     end
 
-    def resolve(hostname)
-      # TODO: we rely on getent hosts for now, but it prefers to return IPv6, only then IPv4
-      cmd = inspec.command("getent hosts #{hostname}")
-      return nil if cmd.exit_status.to_i != 0
+    def tcp_check_command(hostname, port)
+      if inspec.command('nc').exist?
+        base_cmd = 'nc'
+      elsif inspec.command('ncat').exist?
+        base_cmd = 'ncat'
+      else
+        return
+      end
 
-      # extract ip adress
-      resolve = /^\s*(?<ip>\S+)\s+(.*)\s*$/.match(cmd.stdout.chomp)
-      [resolve[1]] if resolve
+      "echo | #{base_cmd} -v -w 1 #{hostname} #{port}"
+    end
+
+    def resolve(hostname)
+      inspec.command('dig').exist? ? resolve_with_dig(hostname) : resolve_with_getent(hostname)
     end
   end
 

data/lib/resources/kernel_module.rb

@@ -1,20 +1,44 @@
 # encoding: utf-8
 # author: Christoph Hartmann
 # author: Dominik Richter
+# author: Aaron Lippold
+# author: Adam Leff
 
 module Inspec::Resources
   class KernelModule < Inspec.resource(1)
     name 'kernel_module'
-    desc 'Use the kernel_module InSpec audit resource to test kernel modules on Linux platforms. These parameters are located under /lib/modules. Any submodule may be tested using this resource.'
+    desc 'Use the kernel_module InSpec audit resource to test kernel modules on
+    Linux platforms. These parameters are located under /lib/modules. Any submodule
+    may be tested using this resource.
+
+    The `kernel_module` resource can also verify if a kernel module is `blacklisted`
+    or if a module is disabled via a fake install using the `bin_true` or `bin_false`
+    method.'
+
     example "
-      describe kernel_module('bridge') do
-        it { should be_loaded }
-      end
+
+    describe kernel_module('video') do
+      it { should be_loaded }
+      it { should_not be_disabled }
+      it { should_not be_blacklisted }
+    end
+
+    describe kernel_module('sstfb') do
+      it { should_not be_loaded }
+      it { should be_disabled }
+    end
+
+    describe kernel_module('floppy') do
+      it { should be_blacklisted }
+    end
+
+    describe kernel_module('dhcp') do
+      it { should_not be_loaded }
+    end
     "
 
     def initialize(modulename = nil)
       @module = modulename
-
       # this resource is only supported on Linux
       return skip_resource 'The `kernel_parameter` resource is not supported on your OS.' if !inspec.os.linux?
     end
@@ -36,19 +60,51 @@ module Inspec::Resources
       !found.nil?
     end
 
+    def disabled?
+      !modprobe_output.match(%r{^install\s+#{@module}\s+/(s?)bin/(true|false)}).nil?
+    end
+
+    def blacklisted?
+      !modprobe_output.match(/^blacklist\s+#{@module}/).nil? || disabled_via_bin_true? || disabled_via_bin_false?
+    end
+
     def version
+      cmd = inspec.command("#{modinfo_cmd_for_os} -F version #{@module}")
+      cmd.exit_status.zero? ? cmd.stdout.delete("\n") : nil
+    end
+
+    def to_s
+      "Kernel Module #{@module}"
+    end
+
+    private
+
+    def modprobe_output
+      @modprobe_output ||= inspec.command("#{modprobe_cmd_for_os} --showconfig").stdout
+    end
+
+    def modinfo_cmd_for_os
       if inspec.os.redhat? || inspec.os.name == 'fedora'
-        modinfo_cmd = "/sbin/modinfo -F version #{@module}"
+        '/sbin/modinfo'
       else
-        modinfo_cmd = "modinfo -F version #{@module}"
+        'modinfo'
       end
+    end
 
-      cmd = inspec.command(modinfo_cmd)
-      cmd.exit_status.zero? ? cmd.stdout.delete("\n") : nil
+    def modprobe_cmd_for_os
+      if inspec.os.redhat? || inspec.os.name == 'fedora'
+        '/sbin/modprobe'
+      else
+        'modprobe'
+      end
     end
 
-    def to_s
-      "Kernel Module #{@module}"
+    def disabled_via_bin_true?
+      !modprobe_output.match(%r{^install\s+#{@module}\s+/(s?)bin/true}).nil?
+    end
+
+    def disabled_via_bin_false?
+      !modprobe_output.match(%r{^install\s+#{@module}\s+/(s?)bin/false}).nil?
     end
   end
 end

data/lib/resources/postgres_hba_conf.rb

@@ -0,0 +1,101 @@
+# encoding: utf-8
+# author: Rony Xavier,rx294@nyu.edu
+# author: Aaron Lippold, lippold@gmail.com
+
+require 'resources/postgres'
+
+module Inspec::Resources
+  class PostgresHbaConf < Inspec.resource(1)
+    name 'postgres_hba_conf'
+    desc 'Use the `postgres_hba_conf` InSpec audit resource to test the client
+          authentication data defined in the pg_hba.conf file.'
+    example "
+      describe postgres_hba_conf.where { type == 'local' } do
+        its('auth_method') { should eq ['peer'] }
+      end
+    "
+
+    attr_reader :conf_file, :params
+
+    # @todo add checks to ensure that we have data in our file
+    def initialize(hba_conf_path = nil)
+      return skip_resource 'The `postgres_hba_conf` resource is not supported on your OS.' unless inspec.os.linux?
+      @conf_file = hba_conf_path || File.expand_path('pg_hba.conf', inspec.postgres.conf_dir)
+      @content = ''
+      @params = {}
+      read_content
+    end
+
+    filter = FilterTable.create
+    filter.add_accessor(:where)
+          .add_accessor(:entries)
+          .add(:type,     field: 'type')
+          .add(:database, field: 'database')
+          .add(:user,     field: 'user')
+          .add(:address,  field: 'address')
+          .add(:auth_method, field: 'auth_method')
+          .add(:auth_params, field: 'auth_params')
+
+    filter.connect(self, :params)
+
+    def to_s
+      "Postgres Hba Config #{@conf_file}"
+    end
+
+    private
+
+    def clean_conf_file(conf_file = @conf_file)
+      data = inspec.file(conf_file).content.to_s.lines
+      content = []
+      data.each do |line|
+        line.chomp!
+        content << line unless line.match(/^\s*#/) || line.empty?
+      end
+      content
+    end
+
+    def read_content(config_file = @conf_file)
+      file = inspec.file(config_file)
+
+      if !file.file?
+        return skip_resource "Can't find file \"#{@conf_file}\""
+      end
+
+      raw_conf = file.content
+
+      if raw_conf.empty? && !file.empty?
+        return skip_resource("Can't read the contents of \"#{@conf_file}\"")
+      end
+
+      # @todo use SimpleConfig here if we can
+      # ^\s*(\S+)\s+(\S+)\s+(\S+)\s(?:(\d*.\d*.\d*.\d*\/\d*)|(::\/\d+))\s+(\S+)\s*(.*)?\s*$
+
+      @content = clean_conf_file(@conf_file)
+      @params = parse_conf(@content)
+      @params.each do |line|
+        if line['type'] == 'local'
+          line['auth_method'] = line['address']
+          line['address'] = ''
+        end
+      end
+    end
+
+    def parse_conf(content)
+      content.map do |line|
+        parse_line(line)
+      end.compact
+    end
+
+    def parse_line(line)
+      x = line.split(/\s+/)
+      {
+        'type' => x[0],
+        'database' => x[1],
+        'user' => x[2],
+        'address' => x[3],
+        'auth_method' => x[4],
+        'auth_params' =>  ('' if x.length == 4) || x[5..-1].join(' '),
+      }
+    end
+  end
+end

data/lib/resources/postgres_ident_conf.rb

@@ -0,0 +1,79 @@
+# encoding: utf-8
+# author: Rony Xavier,  rx294@nyu.edu
+# author: Aaron Lippold, lippold@gmail.com
+
+require 'resources/postgres'
+
+module Inspec::Resources
+  class PostgresIdentConf < Inspec.resource(1)
+    name 'postgres_ident_conf'
+    desc 'Use the postgres_ident_conf InSpec audit resource to test the client
+          authentication data is controlled by a pg_ident.conf file.'
+    example "
+      describe postgres_ident_conf.where { pg_username == 'acme_user' } do
+        its('map_name') { should eq ['ssl-test'] }
+      end
+    "
+
+    attr_reader :params, :conf_file
+
+    def initialize(ident_conf_path = nil)
+      return skip_resource 'The `postgres_ident_conf` resource is not supported on your OS.' unless inspec.os.linux?
+      @conf_file = ident_conf_path || File.expand_path('pg_ident.conf', inspec.postgres.conf_dir)
+      @content = nil
+      @params = nil
+      read_content
+      return skip_resource '`pg_ident_conf` is not yet supported on your OS' if inspec.os.windows?
+    end
+
+    filter = FilterTable.create
+    filter.add_accessor(:where)
+          .add_accessor(:entries)
+          .add(:map_name,        field: 'map_name')
+          .add(:system_username, field: 'system_username')
+          .add(:pg_username,     field: 'pg_username')
+
+    filter.connect(self, :params)
+
+    def to_s
+      "PostgreSQL Ident Config #{@conf_file}"
+    end
+
+    private
+
+    def filter_comments(data)
+      content = []
+      data.each do |line|
+        line.chomp!
+        content << line unless line.match(/^\s*#/) || line.empty?
+      end
+      content
+    end
+
+    def read_content
+      @content = ''
+      @params = {}
+      @content = filter_comments(read_file(@conf_file))
+      @params = parse_conf(@content)
+    end
+
+    def parse_conf(content)
+      content.map do |line|
+        parse_line(line)
+      end.compact
+    end
+
+    def parse_line(line)
+      x = line.split(/\s+/)
+      {
+        'map_name' => x[0],
+        'system_username' => x[1],
+        'pg_username' => x[2],
+      }
+    end
+
+    def read_file(conf_file = @conf_file)
+      inspec.file(conf_file).content.lines
+    end
+  end
+end

data/lib/resources/postgres_session.rb

@@ -4,6 +4,8 @@
 # author: Christoph Hartmann
 # author: Aaron Lippold
 
+require 'shellwords'
+
 module Inspec::Resources
   class Lines
     attr_reader :output
@@ -35,7 +37,7 @@ module Inspec::Resources
       # db: databse == db_user running the sql query
 
       describe sql.query('SELECT * FROM pg_shadow WHERE passwd IS NULL;') do
-        its('output') { should eq('') }
+        its('output') { should eq '' }
       end
     "
 
@@ -46,21 +48,25 @@ module Inspec::Resources
     end
 
     def query(query, db = [])
-      dbs = db.map { |x| "-d #{x}" }.join(' ')
-      # TODO: simple escape, must be handled by a library
-      # that does this securely
-      escaped_query = query.gsub(/\\/, '\\\\').gsub(/"/, '\\"').gsub(/\$/, '\\$')
-      # run the query
-      cmd = inspec.command("PGPASSWORD='#{@pass}' psql -U #{@user} #{dbs} -h #{@host} -A -t -c \"#{escaped_query}\"")
+      psql_cmd = create_psql_cmd(query, db)
+      cmd = inspec.command(psql_cmd)
       out = cmd.stdout + "\n" + cmd.stderr
-      if cmd.exit_status != 0 or
-         out =~ /could not connect to .*/ or
-         out.downcase =~ /^error/
-        # skip this test if the server can't run the query
+      if cmd.exit_status != 0 || out =~ /could not connect to .*/ || out.downcase =~ /^error:.*/
         skip_resource "Can't read run query #{query.inspect} on postgres_session: #{out}"
       else
         Lines.new(cmd.stdout.strip, "PostgreSQL query: #{query}")
       end
     end
+
+    private
+
+    def escaped_query(query)
+      Shellwords.escape(query)
+    end
+
+    def create_psql_cmd(query, db = [])
+      dbs = db.map { |x| "-d #{x}" }.join(' ')
+      "PGPASSWORD='#{@pass}' psql -U #{@user} #{dbs} -h #{@host} -A -t -c #{escaped_query(query)}"
+    end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec
 version: !ruby/object:Gem::Version
-  version: 1.30.0
+  version: 1.31.0
 platform: ruby
 authors:
 - Dominik Richter
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-06-29 00:00:00.000000000 Z
+date: 2017-07-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: train
@@ -319,7 +319,6 @@ files:
 - docs/migration.md
 - docs/plugin_kitchen_inspec.md
 - docs/profiles.md
-- docs/resources.md
 - docs/resources/apache_conf.md.erb
 - docs/resources/apt.md.erb
 - docs/resources/audit_policy.md.erb
@@ -375,6 +374,8 @@ files:
 - docs/resources/pip.md.erb
 - docs/resources/port.md.erb
 - docs/resources/postgres_conf.md.erb
+- docs/resources/postgres_hba_conf.md.erb
+- docs/resources/postgres_ident_conf.md.erb
 - docs/resources/postgres_session.md.erb
 - docs/resources/powershell.md.erb
 - docs/resources/processes.md.erb
@@ -413,7 +414,6 @@ files:
 - examples/README.md
 - examples/inheritance/README.md
 - examples/inheritance/controls/example.rb
-- examples/inheritance/inspec.lock
 - examples/inheritance/inspec.yml
 - examples/kitchen-ansible/.kitchen.yml
 - examples/kitchen-ansible/Gemfile
@@ -439,11 +439,7 @@ files:
 - examples/kitchen-puppet/test/integration/default/web_spec.rb
 - examples/meta-profile/README.md
 - examples/meta-profile/controls/example.rb
-- examples/meta-profile/inspec.lock
 - examples/meta-profile/inspec.yml
-- examples/meta-profile/vendor/0e6d170415e120af5f1dda113f96f7e0d156e49f82706ac41d13da00599f9b25.tar.gz
-- examples/meta-profile/vendor/403580959915ea24bc176b9ebdc555aeda5e2c957604b48d5f32b43554423582.tar.gz
-- examples/meta-profile/vendor/d08d3cc35debff04e708147cdd07739876c5d1c8357afb5e58adfaad92dd650f.tar.gz
 - examples/profile-attribute.yml
 - examples/profile-attribute/README.md
 - examples/profile-attribute/controls/example.rb
@@ -612,6 +608,8 @@ files:
 - lib/resources/port.rb
 - lib/resources/postgres.rb
 - lib/resources/postgres_conf.rb
+- lib/resources/postgres_hba_conf.rb
+- lib/resources/postgres_ident_conf.rb
 - lib/resources/postgres_session.rb
 - lib/resources/powershell.rb
 - lib/resources/processes.rb

data/docs/resources.md

@@ -1,91 +0,0 @@
----
-title: InSpec Resources Reference
----
-
-# InSpec Resources Reference
-
-The following InSpec audit resources are available:
-
-* [apache\_conf](resources/apache_conf.html)
-* [apt](resources/apt.html)
-* [audit\_policy](resources/audit_policy.html)
-* [auditd\_conf](resources/auditd_conf.html)
-* [auditd\_rules](resources/auditd_rules.html)
-* [bash](resources/bash.html)
-* [bond](resources/bond.html)
-* [bridge](resources/bridge.html)
-* [bsd\_service](resources/bsd_service.html)
-* [command](resources/command.html)
-* [crontab](resources/crontab.html)
-* [csv](resources/csv.html)
-* [directory](resources/directory.html)
-* [docker](resources/docker.html)
-* [docker\_container](resources/docker_container.html)
-* [docker\_image](resources/docker_image.html)
-* [etc\_group](resources/etc_group.html)
-* [etc\_passwd](resources/etc_passwd.html)
-* [etc\_shadow](resources/etc_shadow.html)
-* [file](resources/file.html)
-* [gem](resources/gem.html)
-* [group](resources/group.html)
-* [grub\_conf](resources/grub_conf.html)
-* [host](resources/host.html)
-* [http](resources/http.html)
-* [iis\_app](resources/iis_app.html)
-* [iis\_site](resources/iis_site.html)
-* [inetd\_conf](resources/inetd_conf.html)
-* [ini](resources/ini.html)
-* [interface](resources/interface.html)
-* [iptables](resources/iptables.html)
-* [json](resources/json.html)
-* [kernel\_module](resources/kernel_module.html)
-* [kernel\_parameter](resources/kernel_parameter.html)
-* [key\_rsa](resources/key_rsa.html)
-* [launchd\_service](resources/launchd_service.html)
-* [limits\_conf](resources/limits_conf.html)
-* [login\_def](resources/login_def.html)
-* [mount](resources/mount.html)
-* [mssql\_session](resources/mssql_session.html)
-* [mysql\_conf](resources/mysql_conf.html)
-* [mysql\_session](resources/mysql_session.html)
-* [npm](resources/npm.html)
-* [ntp\_conf](resources/ntp_conf.html)
-* [oneget](resources/oneget.html)
-* [oracledb\_session](resources/oracledb_session.html)
-* [os](resources/os.html)
-* [os\_env](resources/os_env.html)
-* [package](resources/package.html)
-* [parse\_config](resources/parse_config.html)
-* [parse\_config_file](resources/parse_config_file.html)
-* [pip](resources/pip.html)
-* [port](resources/port.html)
-* [postgres\_conf](resources/postgres_conf.html)
-* [postgres\_session](resources/postgres_session.html)
-* [powershell](resources/powershell.html)
-* [processes](resources/processes.html)
-* [rabbitmq\_config](resources/rabbitmq_config.html)
-* [registry\_key](resources/registry_key.html)
-* [runit\_service](resources/runit_service.html)
-* [security\_policy](resources/security_policy.html)
-* [service](resources/service.html)
-* [ssh\_config](resources/ssh_config.html)
-* [sshd\_config](resources/sshd_config.html)
-* [ssl](resources/ssl.html)
-* [sys\_info](resources/sys_info.html)
-* [systemd\_service](resources/systemd_service.html)
-* [sysv\_service](resources/sysv_service.html)
-* [upstart\_service](resources/upstart_service.html)
-* [user](resources/user.html)
-* [users](resources/users.html)
-* [vbscript](resources/vbscript.html)
-* [virtualization](resources/virtualization.html)
-* [windows\_feature](resources/windows_feature.html)
-* [windows\_task](resources/windows_task.html)
-* [wmi](resources/wmi.html)
-* [x509\_certificate](resources/x509_certificate.html)
-* [xinetd\_conf](resources/xinetd_conf.html)
-* [yaml](resources/yaml.html)
-* [yum](resources/yum.html)
-* [zfs\_dataset](resources/zfs_dataset.html)
-* [zfs\_pool](resources/zfs_pool.html)
-

data/examples/inheritance/inspec.lock

@@ -1,11 +0,0 @@
----
-lockfile_version: 1
-depends:
-- name: profile
-  resolved_source:
-    path: "/Users/aleff/projects/inspec/examples/profile"
-  version_constraints: ">= 0"
-- name: profile-attribute
-  resolved_source:
-    path: "/Users/aleff/projects/inspec/examples/profile-attribute"
-  version_constraints: ">= 0"

data/examples/meta-profile/inspec.lock

@@ -1,18 +0,0 @@
----
-lockfile_version: 1
-depends:
-- name: dev-sec/ssh-baseline
-  resolved_source:
-    url: https://github.com/dev-sec/ssh-baseline/archive/master.tar.gz
-    sha256: 403580959915ea24bc176b9ebdc555aeda5e2c957604b48d5f32b43554423582
-  version_constraints: ">= 0"
-- name: ssl-baseline
-  resolved_source:
-    url: https://github.com/dev-sec/ssl-baseline/archive/master.tar.gz
-    sha256: 0e6d170415e120af5f1dda113f96f7e0d156e49f82706ac41d13da00599f9b25
-  version_constraints: ">= 0"
-- name: windows-patch-benchmark
-  resolved_source:
-    url: https://github.com/chris-rock/windows-patch-benchmark/archive/master.tar.gz
-    sha256: d08d3cc35debff04e708147cdd07739876c5d1c8357afb5e58adfaad92dd650f
-  version_constraints: ">= 0"