inspec 1.41.0 → 1.42.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 111ac2cdb0069f50d575dfd47e2644489c3b8296
-  data.tar.gz: b989512dea168e62bc8092c1e3df498a706badd3
+  metadata.gz: 6253ad47423d8b2a7bfc56409b61d31c0065aa6e
+  data.tar.gz: 7e3e02b74a6a6af95e62c09b62e949bf95eea242
 SHA512:
-  metadata.gz: 1cca620d9852d2a6369bbc0bec4663514abcd80e102a7d7b75a3f62f61c1438df5810bc25d81453fda09cd1b72f59ab648bea045b72c95b42da7211b5dda3c4a
-  data.tar.gz: efa759491e6cadb78ee7f97a2e626663a18548f7f3d60db9fc04d431ad19c5fe11f9427a0a124a05abca26242c12fefd54951b395dc30683253d72dbdc8ef88c
+  metadata.gz: 85007c9bc4574c090be7315dc133d21a364afd72af9115ea470fe026aeed18443d50271523ce2ea64d5c729315a0f0dd4433b807b23f4285ce3b8a1537174274
+  data.tar.gz: 8a1cc9ab25dd32116be49e3a05c67234040cb47d7db36629ff2fe38bfdb85684b3a9a9846900ea997054c8ac2ce140f4e27e0f4b5998980714382446e6d0a6de

data/CHANGELOG.md

@@ -1,41 +1,58 @@
 # Change Log
 <!-- usage documentation: http://expeditor-docs.es.chef.io/configuration/changelog/ -->
-<!-- latest_release 1.40.13 -->
-## [v1.40.13](https://github.com/chef/inspec/tree/v1.40.13) (2017-10-07)
+<!-- latest_release 1.42.3 -->
+## [v1.42.3](https://github.com/chef/inspec/tree/v1.42.3) (2017-10-18)
 
 #### Enhancements
-- Enhance cmp matcher to work with symbols, fix file documentation [#2224](https://github.com/chef/inspec/pull/2224) ([adamleff](https://github.com/adamleff))
+- windows_hotfix resource: Replace WMI query with PowerShell cmdlet &quot;get-hotfix&quot; [#2252](https://github.com/chef/inspec/pull/2252) ([mattray](https://github.com/mattray))
 <!-- latest_release -->
 
-<!-- release_rollup since=1.40.0 -->
-### Changes since 1.40.0 release
+<!-- release_rollup since=1.41.0 -->
+### Changes since 1.41.0 release
+
+#### Merged Pull Requests
+- Squashed some unit test warnings [#2242](https://github.com/chef/inspec/pull/2242) ([username-is-already-taken2](https://github.com/username-is-already-taken2)) <!-- 1.41.9 -->
+- Fix documentation of `split` matcher [#2240](https://github.com/chef/inspec/pull/2240) ([eramoto](https://github.com/eramoto)) <!-- 1.41.4 -->
+- Update the profile tempate [#2238](https://github.com/chef/inspec/pull/2238) ([nathenharvey](https://github.com/nathenharvey)) <!-- 1.41.3 -->
 
 #### Bug Fixes
-- ssl resource: properly raise error when unable to determine if port is enabled [#2205](https://github.com/chef/inspec/pull/2205) ([jquick](https://github.com/jquick)) <!-- 1.40.12 -->
-- Fix loading profile files when executing multiple profiles [#2223](https://github.com/chef/inspec/pull/2223) ([adamleff](https://github.com/adamleff)) <!-- 1.40.11 -->
-- Support symbol keys in ObjectTraverser [#2221](https://github.com/chef/inspec/pull/2221) ([adamleff](https://github.com/adamleff)) <!-- 1.40.8 -->
-- Add nil check for sshd config file [#2217](https://github.com/chef/inspec/pull/2217) ([jquick](https://github.com/jquick)) <!-- 1.40.7 -->
+- Fix `only_if` behavior when used outside controls [#2216](https://github.com/chef/inspec/pull/2216) ([jerryaldrichiii](https://github.com/jerryaldrichiii)) <!-- 1.41.8 -->
+- Fix port ressource ss line parsing [#2243](https://github.com/chef/inspec/pull/2243) ([narkaTee](https://github.com/narkaTee)) <!-- 1.41.7 -->
+- Support PAX-formatted tar files, standardize file lists [#2225](https://github.com/chef/inspec/pull/2225) ([adamleff](https://github.com/adamleff)) <!-- 1.41.2 -->
+- Fix typo in error message in postgres resource [#2248](https://github.com/chef/inspec/pull/2248) ([rndmh3ro](https://github.com/rndmh3ro)) <!-- 1.42.2 -->
+- Resolve the weird encoding issue within inspec shell [#2234](https://github.com/chef/inspec/pull/2234) ([username-is-already-taken2](https://github.com/username-is-already-taken2)) <!-- 1.41.10 -->
 
 #### Enhancements
-- Enhance cmp matcher to work with symbols, fix file documentation [#2224](https://github.com/chef/inspec/pull/2224) ([adamleff](https://github.com/adamleff)) <!-- 1.40.13 -->
-- processes resource: support busybox ps [#2222](https://github.com/chef/inspec/pull/2222) ([adamleff](https://github.com/adamleff)) <!-- 1.40.10 -->
-- Update shell resource help to return what is defined [#2219](https://github.com/chef/inspec/pull/2219) ([jquick](https://github.com/jquick)) <!-- 1.40.9 -->
-- Add output for port/protocol for host resource. [#2202](https://github.com/chef/inspec/pull/2202) ([jquick](https://github.com/jquick)) <!-- 1.40.3 -->
-
-#### Merged Pull Requests
-- Add Segment tag to enable Google Analytics [#2220](https://github.com/chef/inspec/pull/2220) ([hamburglar](https://github.com/hamburglar)) <!-- 1.40.6 -->
-- http resource: properly execute tests on remote target [#2209](https://github.com/chef/inspec/pull/2209) ([adamleff](https://github.com/adamleff)) <!-- 1.40.5 -->
-- Adding examples of using expect syntax [#2213](https://github.com/chef/inspec/pull/2213) ([adamleff](https://github.com/adamleff)) <!-- 1.40.4 -->
-- Add bsd platform family to etc_hosts resource [#2192](https://github.com/chef/inspec/pull/2192) ([ctbarrett](https://github.com/ctbarrett)) <!-- 1.40.2 -->
-- Clean-up kitchen-inspec reference doc [#2208](https://github.com/chef/inspec/pull/2208) ([nathenharvey](https://github.com/nathenharvey)) <!-- 1.40.1 -->
+- windows_hotfix resource: Replace WMI query with PowerShell cmdlet &quot;get-hotfix&quot; [#2252](https://github.com/chef/inspec/pull/2252) ([mattray](https://github.com/mattray)) <!-- 1.42.3 -->
+- Extend Windows ACL matchers [#1744](https://github.com/chef/inspec/pull/1744) ([TheLonelyGhost](https://github.com/TheLonelyGhost)) <!-- 1.42.1 -->
+- Add inspec habitat profile setup command [#2239](https://github.com/chef/inspec/pull/2239) ([adamleff](https://github.com/adamleff)) <!-- 1.42.0 -->
+- Add missed &#39;html&#39; to &#39;format&#39; option explanation and arrange formatters in alphabetical order [#2244](https://github.com/chef/inspec/pull/2244) ([strangeman](https://github.com/strangeman)) <!-- 1.41.6 -->
+- Uses netstat to detect open ports on AIX [#2210](https://github.com/chef/inspec/pull/2210) ([cattywampus](https://github.com/cattywampus)) <!-- 1.41.1 -->
+- etc_fstab resource: properly namespace the resource, add nfs_file_systems documentation [#2190](https://github.com/chef/inspec/pull/2190) ([jburns12](https://github.com/jburns12)) <!-- 1.41.5 -->
 <!-- release_rollup -->
 
 <!-- latest_stable_release -->
+## [v1.41.0](https://github.com/chef/inspec/tree/v1.41.0) (2017-10-09)
+
+#### Enhancements
+- Add bsd platform family to etc_hosts resource [#2192](https://github.com/chef/inspec/pull/2192) ([ctbarrett](https://github.com/ctbarrett))
+- http resource: properly execute tests on remote target [#2209](https://github.com/chef/inspec/pull/2209) ([adamleff](https://github.com/adamleff))
+- Add output for port/protocol for host resource. [#2202](https://github.com/chef/inspec/pull/2202) ([jquick](https://github.com/jquick))
+- Update shell resource help to return what is defined [#2219](https://github.com/chef/inspec/pull/2219) ([jquick](https://github.com/jquick))
+- processes resource: support busybox ps [#2222](https://github.com/chef/inspec/pull/2222) ([adamleff](https://github.com/adamleff))
+- Enhance cmp matcher to work with symbols, fix file documentation [#2224](https://github.com/chef/inspec/pull/2224) ([adamleff](https://github.com/adamleff))
+
+#### Bug Fixes
+- Add nil check for sshd config file [#2217](https://github.com/chef/inspec/pull/2217) ([jquick](https://github.com/jquick))
+- Support symbol keys in ObjectTraverser [#2221](https://github.com/chef/inspec/pull/2221) ([adamleff](https://github.com/adamleff))
+- Fix loading profile files when executing multiple profiles [#2223](https://github.com/chef/inspec/pull/2223) ([adamleff](https://github.com/adamleff))
+- ssl resource: properly raise error when unable to determine if port is enabled [#2205](https://github.com/chef/inspec/pull/2205) ([jquick](https://github.com/jquick))
+<!-- latest_stable_release -->
+
 ## [v1.40.0](https://github.com/chef/inspec/tree/v1.40.0) (2017-09-28)
 
 #### New Resources
 - firewalld resource: inspect the status and configuration of firewalld [#2074](https://github.com/chef/inspec/pull/2074) ([dromazmj](https://github.com/dromazmj))
-<!-- latest_stable_release -->
 
 ## [v1.39.0](https://github.com/chef/inspec/tree/v1.39.0) (2017-09-25)
 

data/docs/resources/etc_fstab.md.erb

@@ -100,7 +100,7 @@ The following examples show how to use this InSpec resource.
 
 ### Check all partitions that have type of 'nfs'.
 
-    nfs_systems = etc_fstab.nfs_file_systems
+    nfs_systems = etc_fstab.nfs_file_systems.entries
     nfs_systems.each do |partition|
       describe partition do
         its('mount_options') { should include 'nosuid' }

data/docs/resources/os_env.md.erb

@@ -70,14 +70,8 @@ The `content` matcher return the value of the environment variable:
 
 ### split
 
-The `split` splits the content with the `:` deliminator:
+The `split` matcher splits the value of the environment variable with the `:` deliminator (use the `;` deliminator if Windows):
 
-    its('split') { should include (':') }
+    its('split') { should include ('/usr/bin') }
 
-or:
-
-    its('split') { should_not include ('.') }
-
-Use `-1` to test for cases where there is a trailing colon (`:`), such as `dir1::dir2:`:
-
-    its('split') { should include ('-1') }
+Note: the `split` matcher returns an array including `""` for cases where there is a trailing colon (`:`), such as `dir1::dir2:`

data/lib/bundles/inspec-habitat/cli.rb

@@ -7,14 +7,19 @@ module Habitat
   class HabitatProfileCLI < Thor
     namespace 'habitat profile'
 
-    desc 'create PATH', 'Create a Habitat artifact for the profile found at PATH'
+    desc 'create PATH', 'Create a one-time Habitat artifact for the profile found at PATH'
     option :output_dir, type: :string, required: false,
       desc: 'Directory in which to save the generated Habitat artifact. Default: current directory'
     def create(path)
       Habitat::Profile.create(path, options)
     end
 
-    desc 'upload PATH', 'Create a Habitat artifact for the profile found at PATH, and upload it to a Habitat Depot'
+    desc 'setup PATH', 'Configure the profile at PATH for Habitat, including a plan and hooks'
+    def setup(path)
+      Habitat::Profile.setup(path)
+    end
+
+    desc 'upload PATH', 'Create a one-time Habitat artifact for the profile found at PATH, and upload it to a Habitat Depot'
     def upload(path)
       Habitat::Profile.upload(path, options)
     end

data/lib/bundles/inspec-habitat/profile.rb

@@ -17,6 +17,10 @@ module Habitat
       creator.delete_work_dir
     end
 
+    def self.setup(path)
+      new(path).setup
+    end
+
     def self.upload(path, options = {})
       uploader = new(path, options)
       uploader.upload
@@ -41,10 +45,11 @@ module Habitat
       verify_profile
       vendor_profile_dependencies
       copy_profile_to_work_dir
-      create_plan
-      create_run_hook
-      create_settings_file
-      create_default_config
+      create_habitat_directories(work_dir)
+      create_plan(work_dir)
+      create_run_hook(work_dir)
+      create_settings_file(work_dir)
+      create_default_config(work_dir)
 
       # returns the path to the .hart file in the work directory
       build_hart
@@ -80,6 +85,18 @@ module Habitat
       FileUtils.rm_rf(work_dir) if Dir.exist?(work_dir)
     end
 
+    def setup
+      Habitat::Log.info("Setting up profile at #{path} for Habitat...")
+      create_profile_object
+      verify_profile
+      vendor_profile_dependencies
+      create_habitat_directories(path)
+      create_plan(path)
+      create_run_hook(path)
+      create_settings_file(path)
+      create_default_config(path)
+    end
+
     private
 
     def create_profile_object
@@ -151,20 +168,26 @@ module Habitat
       return @work_dir if @work_dir
 
       @work_dir ||= Dir.mktmpdir('inspec-habitat-exporter')
-      Dir.mkdir(File.join(@work_dir, 'src'))
-      Dir.mkdir(File.join(@work_dir, 'habitat'))
-      Dir.mkdir(File.join(@work_dir, 'habitat', 'config'))
-      Dir.mkdir(File.join(@work_dir, 'habitat', 'hooks'))
       Habitat::Log.debug("Generated work directory #{@work_dir}")
 
       @work_dir
     end
 
+    def create_habitat_directories(parent_directory)
+      [
+        File.join(parent_directory, 'habitat'),
+        File.join(parent_directory, 'habitat', 'config'),
+        File.join(parent_directory, 'habitat', 'hooks'),
+      ].each do |dir|
+        Dir.mkdir(dir) unless Dir.exist?(dir)
+      end
+    end
+
     def copy_profile_to_work_dir
       Habitat::Log.info('Copying profile contents to the work directory...')
       profile.files.each do |f|
         src = File.join(profile.root_path, f)
-        dst = File.join(work_dir, 'src', f)
+        dst = File.join(work_dir, f)
         if File.directory?(f)
           Habitat::Log.debug("Creating directory #{dst}")
           FileUtils.mkdir_p(dst)
@@ -175,26 +198,26 @@ module Habitat
       end
     end
 
-    def create_plan
-      plan_file = File.join(work_dir, 'habitat', 'plan.sh')
+    def create_plan(directory)
+      plan_file = File.join(directory, 'habitat', 'plan.sh')
       Habitat::Log.info("Generating Habitat plan at #{plan_file}...")
       File.write(plan_file, plan_contents)
     end
 
-    def create_run_hook
-      run_hook_file = File.join(work_dir, 'habitat', 'hooks', 'run')
+    def create_run_hook(directory)
+      run_hook_file = File.join(directory, 'habitat', 'hooks', 'run')
       Habitat::Log.info("Generating a Habitat run hook at #{run_hook_file}...")
       File.write(run_hook_file, run_hook_contents)
     end
 
-    def create_settings_file
-      settings_file = File.join(work_dir, 'habitat', 'config', 'settings.sh')
+    def create_settings_file(directory)
+      settings_file = File.join(directory, 'habitat', 'config', 'settings.sh')
       Habitat::Log.info("Generating a settings file at #{settings_file}...")
       File.write(settings_file, "SLEEP_TIME={{cfg.sleep_time}}\n")
     end
 
-    def create_default_config
-      default_toml = File.join(work_dir, 'habitat', 'default.toml')
+    def create_default_config(directory)
+      default_toml = File.join(directory, 'habitat', 'default.toml')
       Habitat::Log.info("Generating Habitat's default.toml configuration...")
       File.write(default_toml, 'sleep_time = 300')
     end
@@ -308,7 +331,7 @@ EOL
       plan += <<-EOL
 
 do_build() {
-  cp -vr $PLAN_CONTEXT/../src/* $HAB_CACHE_SRC_PATH/$pkg_dirname
+  cp -vr $PLAN_CONTEXT/../* $HAB_CACHE_SRC_PATH/$pkg_dirname
 }
 
 do_install() {
@@ -321,6 +344,7 @@ do_install() {
     profile_contents=(${profile_contents[@]/$item/})
   done
 
+  mkdir ${pkg_prefix}/dist
   cp -r ${profile_contents[@]} ${pkg_prefix}/dist/
 }
       EOL

data/lib/bundles/inspec-init/templates/profile/README.md

@@ -1,3 +1,3 @@
 # Example InSpec Profile
 
-This example shows the implementation of an InSpec [profile](../../docs/profiles.rst).
+This example shows the implementation of an InSpec profile.

data/lib/bundles/inspec-init/templates/profile/controls/example.rb

@@ -1,5 +1,5 @@
 # encoding: utf-8
-# copyright: 2015, The Authors
+# copyright: 2017, The Authors
 
 title 'sample section'
 

data/lib/inspec/cli.rb

@@ -186,7 +186,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI # rubocop:disable Metrics/ClassLength
   option :command, aliases: :c,
     desc: 'A single command string to run instead of launching the shell'
   option :format, type: :string, default: nil, hide: true,
-    desc: 'Which formatter to use: cli, progress, documentation, json, json-min, junit'
+    desc: 'Which formatter to use: cli, documentation, html, json, json-min, junit, progress'
   def shell_func
     diagnose
     o = opts.dup

data/lib/inspec/control_eval_context.rb

@@ -35,7 +35,7 @@ module Inspec
     # @param profile_context [Inspec::ProfileContext]
     # @param outer_dsl [OuterDSLClass]
     # @return [ProfileContextClass]
-    def self.create(profile_context, resources_dsl) # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
+    def self.create(profile_context, resources_dsl) # rubocop:disable Metrics/AbcSize, Metrics/MethodLength, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
       rule_class = rule_context(resources_dsl)
       profile_context_owner = profile_context
       profile_id = profile_context.profile_id
@@ -45,12 +45,14 @@ module Inspec
         include Inspec::DSL::RequireOverride
         include resources_dsl
 
+        attr_accessor :skip_file
+
         def initialize(backend, conf, dependencies, require_loader)
           @backend = backend
           @conf = conf
           @dependencies = dependencies
           @require_loader = require_loader
-          @skip_profile = false
+          @skip_file = false
         end
 
         define_method :title do |arg|
@@ -113,7 +115,7 @@ module Inspec
         end
 
         define_method :register_control do |control, &block|
-          if @skip_profile || !profile_context_owner.profile_supports_os?
+          if @skip_file || !profile_context_owner.profile_supports_os?
             ::Inspec::Rule.set_skip_rule(control, true)
           end
 
@@ -129,9 +131,17 @@ module Inspec
           profile_context_owner.unregister_rule(id)
         end
 
-        def only_if
-          return unless block_given?
-          @skip_profile ||= !yield
+        define_method :only_if do |&block|
+          return unless block
+          return if @skip_file == true || block.yield == true
+
+          # Apply `set_skip_rule` for other rules in the same file
+          profile_context_owner.rules.values.each do |r|
+            sources_match = r.source_file == block.source_location[0]
+            Inspec::Rule.set_skip_rule(r, true) if sources_match
+          end
+
+          @skip_file = true
         end
 
         alias_method :rule, :control

data/lib/inspec/file_provider.rb

@@ -137,7 +137,16 @@ module Inspec
       @contents = {}
       @files = []
       walk_tar(@path) do |tar|
-        @files = tar.map(&:full_name).find_all { |x| !x.empty? }
+        @files = tar.find_all(&:file?)
+
+        # delete all entries with no name
+        @files = @files.find_all { |x| !x.full_name.empty? }
+
+        # delete all entries that have a PaxHeader
+        @files = @files.delete_if { |x| x.full_name.include?('PaxHeader/') }
+
+        # replace all items of the array simply with the relative filename of the file
+        @files.map! { |x| Pathname.new(x.full_name).relative_path_from(Pathname.new('.')).to_s }
       end
     end
 
@@ -157,7 +166,7 @@ module Inspec
       # NB `TarReader` includes `Enumerable` beginning with Ruby 2.x
       walk_tar(@path) do |tar|
         tar.each do |entry|
-          next unless entry.file? && file == entry.full_name
+          next unless entry.file? && [file, "./#{file}"].include?(entry.full_name)
           res = entry.read
           break
         end
@@ -182,8 +191,19 @@ module Inspec
       if @prefix.nil?
         raise "Could not determine path prefix for #{parent}"
       end
-      @files = parent.files.find_all { |x| x.start_with?(prefix) && x != prefix }
+
+      # select all files that begin with the prefix, and strip off the prefix from the file.
+      #
+      # strip off any leading top-level relative path (./) which is common in
+      # PAX-formatted tar files. Do not do any translation of the path if the
+      # path is an absolute path.
+      @files = parent.files
+                     .find_all { |x| x.start_with?(prefix) && x != prefix }
                      .map { |x| x[prefix.length..-1] }
+                     .map do |x|
+                       path = Pathname.new(x)
+                       path.absolute? ? path.to_s : path.relative_path_from(Pathname.new('.')).to_s
+                     end
     end
 
     def abs_path(file)

data/lib/inspec/profile_context.rb

@@ -127,6 +127,8 @@ module Inspec
     end
 
     def load_control_file(*args)
+      # Set `skip_file` to `false` between file loads to prevent skips from spanning multiple control files
+      control_eval_context.skip_file = false
       load_with_context(control_eval_context, *args)
     end
     alias load load_control_file

data/lib/inspec/rule.rb

@@ -94,6 +94,10 @@ module Inspec
       @tags
     end
 
+    def source_file
+      @__file
+    end
+
     # Skip all checks if only_if is false
     #
     # @param [Type] &block returns true if tests are added, false otherwise

data/lib/inspec/shell.rb

@@ -42,7 +42,7 @@ module Inspec
 
       # configure pry shell prompt
       Pry.config.prompt_name = 'inspec'
-      Pry.prompt = [proc { "#{readline_ignore("\e[0;32m")}#{Pry.config.prompt_name}> #{readline_ignore("\e[0m")}" }]
+      Pry.prompt = [proc { "#{readline_ignore("\e[1m\e[32m")}#{Pry.config.prompt_name}> #{readline_ignore("\e[0m")}" }]
 
       # Add a help menu as the default intro
       Pry.hooks.add_hook(:before_session, 'inspec_intro') do
@@ -79,7 +79,7 @@ module Inspec
     end
 
     def mark(x)
-      "#{readline_ignore("\033[1m")}#{x}#{readline_ignore("\033[0m")}"
+      "\e[1m\e[39m#{x}\e[0m"
     end
 
     def print_example(example)
@@ -106,8 +106,8 @@ module Inspec
       puts <<EOF
 You are currently running on:
 
-    OS platform:  #{mark ctx.os[:name] || 'unknown'}
-    OS family:  #{mark ctx.os[:family] || 'unknown'}
+    OS platform: #{mark ctx.os[:name] || 'unknown'}
+    OS family: #{mark ctx.os[:family] || 'unknown'}
     OS release: #{mark ctx.os[:release] || 'unknown'}
 EOF
     end

data/lib/inspec/version.rb

@@ -4,5 +4,5 @@
 # author: Christoph Hartmann
 
 module Inspec
-  VERSION = '1.41.0'.freeze
+  VERSION = '1.42.3'.freeze
 end

data/lib/resources/etc_fstab.rb

@@ -4,104 +4,99 @@
 
 require 'utils/parser'
 
-class EtcFstab < Inspec.resource(1)
-  name 'etc_fstab'
-  desc 'Use the etc_fstab InSpec audit resource to check the configuration of the etc/fstab file.'
-  example "
-    removable_media = etc_fstab.removable_media_file_systems
-    removable_media.each do |media|
-      describe media do
-        its ('mount_options') { should include 'nosuid' }
+module Inspec::Resources
+  class EtcFstab < Inspec.resource(1)
+    name 'etc_fstab'
+    desc 'Use the etc_fstab InSpec audit resource to check the configuration of the etc/fstab file.'
+    example "
+      nfs_systems = etc_fstab.nfs_file_systems.entries
+      nfs_systems.each do |file_system|
+        describe file_system do
+          its ('mount_options') { should include 'nosuid' }
+          its ('mount_options') { should include 'noexec' }
+          its ('mount_options') { should include 'sec=krb5:krb5i:krb5p }
+        end
       end
-    end
 
-    nfs_systems = etc_fstab.nfs_file_systems
-    nfs_systems.each do |file_system|
-      describe file_system do
-        its ('mount_options') { should include 'nosuid' }
-        its ('mount_options') { should include 'noexec' }
-        its ('mount_options') { should include '\'sec=krb5:krb5i:krb5p\'' }
+      describe etc_fstab do
+        its ('home_mount_options') { should include 'nosuid' }
       end
-    end
-
-    describe etc_fstab do
-      its ('home_mount_options') { should include 'nosuid' }
-    end
-  "
-
-  attr_reader :params
+    "
 
-  include CommentParser
+    attr_reader :params
 
-  def initialize(fstab_path = nil)
-    return skip_resource 'The `etc_fstab` resource is not supported on your OS.' unless inspec.os.linux?
-    @conf_path      = fstab_path || '/etc/fstab'
-    @files_contents = {}
-    @content        = nil
-    @params         = nil
-    read_content
-  end
+    include CommentParser
 
-  filter = FilterTable.create
-  filter.add_accessor(:where)
-        .add_accessor(:entries)
-        .add(:device_name,           field: 'device_name')
-        .add(:mount_point,           field: 'mount_point')
-        .add(:file_system_type,      field: 'file_system_type')
-        .add(:mount_options,         field: 'mount_options')
-        .add(:dump_options,          field: 'dump_options')
-        .add(:file_system_options,   field: 'file_system_options')
-        .add(:configured?) { |x| x.entries.any? }
-
-  filter.connect(self, :params)
-
-  def nfs_file_systems
-    where { file_system_type.match(/nfs/) }
-  end
+    def initialize(fstab_path = nil)
+      return skip_resource 'The `etc_fstab` resource is not supported on your OS.' unless inspec.os.linux?
+      @conf_path      = fstab_path || '/etc/fstab'
+      @files_contents = {}
+      @content        = nil
+      @params         = nil
+      read_content
+    end
 
-  def home_mount_options
-    return nil unless where { mount_point == '/home' }.configured?
-    where { mount_point == '/home' }.entries[0].mount_options
-  end
+    filter = FilterTable.create
+    filter.add_accessor(:where)
+          .add_accessor(:entries)
+          .add(:device_name,           field: 'device_name')
+          .add(:mount_point,           field: 'mount_point')
+          .add(:file_system_type,      field: 'file_system_type')
+          .add(:mount_options,         field: 'mount_options')
+          .add(:dump_options,          field: 'dump_options')
+          .add(:file_system_options,   field: 'file_system_options')
+          .add(:configured?) { |x| x.entries.any? }
+
+    filter.connect(self, :params)
+
+    def nfs_file_systems
+      where { file_system_type.match(/nfs/) }
+    end
 
-  private
+    def home_mount_options
+      return nil unless where { mount_point == '/home' }.configured?
+      where { mount_point == '/home' }.entries[0].mount_options
+    end
 
-  def read_content
-    @content = ''
-    @params  = {}
-    @content = read_file(@conf_path)
-    @params  = parse_conf(@content)
-  end
+    private
 
-  def parse_conf(content)
-    content.map do |line|
-      data, = parse_comment_line(line, comment_char: '#', standalone_comments: false)
-      parse_line(data) unless data == ''
-    end.compact
-  end
+    def read_content
+      @content = ''
+      @params  = {}
+      @content = read_file(@conf_path)
+      @params  = parse_conf(@content)
+    end
 
-  def parse_line(line)
-    attributes = line.split
-    {
-      'device_name'         => attributes[0],
-      'mount_point'         => attributes[1],
-      'file_system_type'    => attributes[2],
-      'mount_options'       => attributes[3].split(','),
-      'dump_options'        => attributes[4].to_i,
-      'file_system_options' => attributes[5].to_i,
-    }
-  end
+    def parse_conf(content)
+      content.map do |line|
+        data, = parse_comment_line(line, comment_char: '#', standalone_comments: false)
+        parse_line(data) unless data == ''
+      end.compact
+    end
 
-  def read_file(conf_path = @conf_path)
-    file = inspec.file(conf_path)
-    if !file.file?
-      return skip_resource "Can't find \"#{@conf_path}\""
+    def parse_line(line)
+      attributes = line.split
+      {
+        'device_name'         => attributes[0],
+        'mount_point'         => attributes[1],
+        'file_system_type'    => attributes[2],
+        'mount_options'       => attributes[3].split(','),
+        'dump_options'        => attributes[4].to_i,
+        'file_system_options' => attributes[5].to_i,
+      }
     end
 
-    raw_conf = file.content
-    if raw_conf.empty? && !file.empty?
-      return skip_resource("File is empty or unable to read file at path:\"#{@conf_path}\"")
+    def read_file(conf_path = @conf_path)
+      file = inspec.file(conf_path)
+      if !file.file?
+        return skip_resource "Can't find \"#{@conf_path}\""
+      end
+
+      raw_conf = file.content
+      if raw_conf.empty? && !file.empty?
+        return skip_resource("File is empty or unable to read file at path:\"#{@conf_path}\"")
+      end
+      raw_conf.lines
     end
-    raw_conf.lines
   end
 end

data/lib/resources/file.rb

@@ -84,6 +84,13 @@ module Inspec::Resources
       file_permission_granted?('execute', by_usergroup, by_specific_user)
     end
 
+    def allowed?(permission, opts = {})
+      return false unless exist?
+      return skip_resource '`allowed?` is not supported on your OS yet.' if @perms_provider.nil?
+
+      file_permission_granted?(permission, opts[:by], opts[:by_user])
+    end
+
     def mounted?(expected_options = nil, identical = false)
       mounted = file.mounted
 
@@ -206,18 +213,82 @@ module Inspec::Resources
     end
 
     def check_file_permission_by_user(access_type, user, path)
-      access_rule = case access_type
-                    when 'read'
-                      '@(\'FullControl\', \'Modify\', \'ReadAndExecute\', \'Read\', \'ListDirectory\')'
-                    when 'write'
-                      '@(\'FullControl\', \'Modify\', \'Write\')'
-                    when 'execute'
-                      '@(\'FullControl\', \'Modify\', \'ReadAndExecute\', \'ExecuteFile\')'
-                    else
-                      raise 'Invalid access_type provided'
-                    end
+      access_rule = translate_perm_names(access_type)
+      access_rule = convert_to_powershell_array(access_rule)
+
       cmd = inspec.command("@(@((Get-Acl '#{path}').access | Where-Object {$_.AccessControlType -eq 'Allow' -and $_.IdentityReference -eq '#{user}' }) | Where-Object {($_.FileSystemRights.ToString().Split(',') | % {$_.trim()} | ? {#{access_rule} -contains $_}) -ne $null}) | measure | % { $_.Count }")
       cmd.stdout.chomp == '0' ? false : true
     end
+
+    private
+
+    def convert_to_powershell_array(arr)
+      if arr.empty?
+        '@()'
+      else
+        %{@('#{arr.join("', '")}')}
+      end
+    end
+
+    # Translates a developer-friendly string into a list of acceptable
+    # FileSystemRights that match it, because Windows has a fun heirarchy
+    # of permissions that are able to be noted in multiple ways.
+    #
+    # See also: https://www.codeproject.com/Reference/871338/AccessControl-FileSystemRights-Permissions-Table
+    def translate_perm_names(access_type)
+      names = translate_common_perms(access_type)
+      names ||= translate_granular_perms(access_type)
+      names ||= translate_uncommon_perms(access_type)
+      raise 'Invalid access_type provided' unless names
+    end
+
+    def translate_common_perms(access_type)
+      case access_type
+      when 'full-control'
+        %w{FullControl}
+      when 'modify'
+        translate_perm_names('full-control') + %w{Modify}
+      when 'read'
+        translate_perm_names('modify') + %w{ReadAndExecute Read}
+      when 'write'
+        translate_perm_names('modify') + %w{Write}
+      when 'execute'
+        translate_perm_names('modify') + %w{ReadAndExecute ExecuteFile Traverse}
+      when 'delete'
+        translate_perm_names('modify') + %w{Delete}
+      end
+    end
+
+    def translate_uncommon_perms(access_type)
+      case access_type
+      when 'delete-subdirectories-and-files'
+        translate_perm_names('full-control') + %w{DeleteSubdirectoriesAndFiles}
+      when 'change-permissions'
+        translate_perm_names('full-control') + %w{ChangePermissions}
+      when 'take-ownership'
+        translate_perm_names('full-control') + %w{TakeOwnership}
+      end
+    end
+
+    def translate_granular_perms(access_type)
+      case access_type
+      when 'write-data', 'create-files'
+        translate_perm_names('write') + %w{WriteData CreateFiles}
+      when 'append-data', 'create-directories'
+        translate_perm_names('write') + %w{CreateDirectories AppendData}
+      when 'write-extended-attributes'
+        translate_perm_names('write') + %w{WriteExtendedAttributes}
+      when 'write-attributes'
+        translate_perm_names('write') + %w{WriteAttributes}
+      when 'read-data', 'list-directory'
+        translate_perm_names('read') + %w{ReadData ListDirectory}
+      when 'read-attributes'
+        translate_perm_names('read') + %w{ReadAttributes}
+      when 'read-extended-attributes'
+        translate_perm_names('read') + %w{ReadExtendedAttributes}
+      when 'read-permissions'
+        translate_perm_names('read') + %w{ReadPermissions}
+      end
+    end
   end
 end

data/lib/resources/port.rb

@@ -59,9 +59,11 @@ module Inspec::Resources
       os = inspec.os
       if os.linux?
         LinuxPorts.new(inspec)
-      elsif %w{darwin aix}.include?(os[:family])
+      elsif os.aix?
         # AIX: see http://www.ibm.com/developerworks/aix/library/au-lsof.html#resources
         #      and https://www-01.ibm.com/marketing/iwm/iwm/web/reg/pick.do?source=aixbp
+        AixPorts.new(inspec)
+      elsif os.darwin?
         # Darwin: https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/lsof.8.html
         LsofPorts.new(inspec)
       elsif os.windows?
@@ -263,6 +265,121 @@ module Inspec::Resources
     end
   end
 
+  class AixPorts < PortsInfo
+    def info
+      ports_via_netstat || ports_via_lsof
+    end
+
+    def ports_via_lsof
+      return nil unless inspec.command('lsof').exist?
+      LsofPorts.new(inspec).info
+    end
+
+    def ports_via_netstat
+      return nil unless inspec.command('netstat').exist?
+
+      cmd = inspec.command('netstat -Aan | grep LISTEN')
+      return nil unless cmd.exit_status.to_i.zero?
+
+      ports = []
+      # parse all lines
+      cmd.stdout.each_line do |line|
+        port_info = parse_netstat_line(line)
+
+        # only push protocols we are interested in
+        next unless %w{tcp tcp6 udp udp6}.include?(port_info['protocol'])
+        ports.push(port_info)
+      end
+
+      ports
+    end
+
+    def parse_netstat_line(line)
+      # parse each line
+      # 1 - Socket, 2 - Proto, 3 - Receive-Q, 4 - Send-Q, 5 - Local address, 6 - Foreign Address, 7 - State
+      parsed = /^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)?\s+(\S+)/.match(line)
+      return {} if parsed.nil?
+
+      # parse ip4 and ip6 addresses
+      protocol = parsed[2].downcase
+
+      # detect protocol if not provided
+      protocol += '6' if parsed[5].count(':') > 1 && %w{tcp udp}.include?(protocol)
+      protocol.chop! if %w{tcp4 upd4}.include?(protocol)
+
+      # extract host and port information
+      host, port = parse_net_address(parsed[5], protocol)
+      return {} if host.nil?
+
+      # extract PID
+      cmd = inspec.command("rmsock #{parsed[1]} tcpcb")
+      parsed_pid = /^The socket (\S+) is being held by proccess (\d+) \((\S+)\)/.match(cmd.stdout)
+      return {} if parsed_pid.nil?
+      process = parsed_pid[3]
+      pid = parsed_pid[2]
+      pid = pid.to_i if pid =~ /^\d+$/
+
+      {
+        'port'     => port,
+        'address'  => host,
+        'protocol' => protocol,
+        'process'  => process,
+        'pid'      => pid,
+      }
+    end
+
+    def parse_net_address(net_addr, protocol)
+      # local/foreign addresses on AIX use a '.' to separate the addresss
+      # from the port
+      address, _sep, port = net_addr.rpartition('.')
+      if protocol.eql?('tcp6') || protocol.eql?('udp6')
+        ip6addr = address
+        # AIX uses the wildcard character for ipv6 addresses listening on
+        # all interfaces.
+        ip6addr = '::' if ip6addr =~ /^\*$/
+
+        # v6 addresses need to end in a double-colon when using
+        # shorthand notation. netstat ends with a single colon.
+        # IPAddr will fail to properly parse an address unless it
+        # uses a double-colon for short-hand notation.
+        ip6addr += ':' if ip6addr =~ /\w:$/
+
+        begin
+          ip_parser = IPAddr.new(ip6addr)
+        rescue IPAddr::InvalidAddressError
+          # This IP is not parsable. There appears to be a bug in netstat
+          # output that truncates link-local IP addresses:
+          # example: udp6 0 0 fe80::42:acff:fe11::123 :::* 0 54550 3335/ntpd
+          # actual link address: inet6 fe80::42:acff:fe11:5/64 scope link
+          #
+          # in this example, the "5" is truncated making the netstat output
+          # an invalid IP address.
+          return [nil, nil]
+        end
+
+        # Check to see if this is a IPv4 address in a tcp6/udp6 line.
+        # If so, don't put brackets around the IP or URI won't know how
+        # to properly handle it.
+        # example: f000000000000000 tcp6       0      0 127.0.0.1.8005          *.*                    LISTEN
+        if ip_parser.ipv4?
+          ip_addr = URI("addr://#{ip6addr}:#{port}")
+          host = ip_addr.host
+        else
+          ip_addr = URI("addr://[#{ip6addr}]:#{port}")
+          host = ip_addr.host[1..ip_addr.host.size-2]
+        end
+      else
+        ip4addr = address
+        # In AIX the wildcard character is used to match all interfaces
+        ip4addr = '0.0.0.0' if ip4addr =~ /^\*$/
+        ip_addr = URI("addr://#{ip4addr}:#{port}")
+        host = ip_addr.host
+      end
+
+      [host, port.to_i]
+    end
+  end
+
   # extract port information from netstat
   class LinuxPorts < PortsInfo # rubocop:disable Metrics/ClassLength
     ALLOWED_PROTOCOLS = %w{tcp tcp6 udp udp6}.freeze
@@ -430,13 +547,33 @@ module Inspec::Resources
       # the netstat-provided data
       host = '0.0.0.0' if host == '*'
 
-      # parse the process name from the processes information
-      process_match = parsed[6].match(/users:\(\(\"(\S+)\"/)
-      process = process_match.nil? ? nil : process_match[1]
-
-      # parse the PID from the processes information
-      pid_match = parsed[6].match(/pid=(\d+)/)
-      pid = pid_match.nil? ? nil : pid_match[1].to_i
+      # in case process list parsing is not successfull
+      process = nil
+      pid = nil
+
+      # parse process and pid from the process list
+      #
+      # remove the "users:((" and  "))" parts
+      # input: users:((\"nginx\",pid=583,fd=8),(\"nginx\",pid=582,fd=8),(\"nginx\",pid=580,fd=8),(\"nginx\",pid=579,fd=8))
+      # res: \"nginx\",pid=583,fd=8),(\"nginx\",pid=582,fd=8),(\"nginx\",pid=580,fd=8),(\"nginx\",pid=579,fd=8
+      process_list_match = parsed[6].match(/users:\(\((.+)\)\)/)
+      if process_list_match
+        # list entires are seperated by "," the braces can also be removed
+        # input: \"nginx\",pid=583,fd=8),(\"nginx\",pid=582,fd=8),(\"nginx\",pid=580,fd=8),(\"nginx\",pid=579,fd=8
+        # res: ["\"nginx\",pid=583,fd=8", "\"nginx\",pid=582,fd=8", "\"nginx\",pid=580,fd=8", "\"nginx\",pid=579,fd=8"]
+        process_list = process_list_match[1].split('),(')
+        # To stay backwards compatible with netstat we need to select
+        # the last element in the resulting array.
+        # res: "\"nginx\",pid=579,fd=8"
+
+        # parse the process name from the process list
+        process_match = process_list.last.match(/^\"(\S+)\"/)
+        process = process_match.nil? ? nil : process_match[1]
+
+        # parse the PID from the process list
+        pid_match = process_list.last.match(/pid=(\d+)/)
+        pid = pid_match.nil? ? nil : pid_match[1].to_i
+      end
 
       {
         'port'     => port,

data/lib/resources/postgres.rb

@@ -86,7 +86,7 @@ module Inspec::Resources
       if data_dir_loc.nil?
         warn 'Unable to find the PostgreSQL data_dir in expected location(s), please
         execute "psql -t -A -p <port> -h <host> -c "show hba_file";" as the PostgreSQL
-        DBA to find the non-starndard data_dir location.'
+        DBA to find the non-standard data_dir location.'
       end
       data_dir_loc
     end

data/lib/resources/windows_hotfix.rb

@@ -18,7 +18,7 @@ module Inspec::Resources
       @content = nil
       os = inspec.os
       return skip_resource 'The `windows_hotfix` resource is not a feature of your OS.' unless os.windows?
-      query = "Get-WmiObject -class \"win32_quickfixengineering\" -filter \"HotFixID = '" + @id + "'\""
+      query = "get-hotfix -id #{@id}"
       cmd = inspec.powershell(query)
       @content = cmd.stdout
     end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec
 version: !ruby/object:Gem::Version
-  version: 1.41.0
+  version: 1.42.3
 platform: ruby
 authors:
 - Dominik Richter
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-10-09 00:00:00.000000000 Z
+date: 2017-10-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: train