inspec 2.1.54 → 2.1.59

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 70091b75b95f9e09f83249bc3ed5de294da9989c
-  data.tar.gz: c481fe8cdd37aae2eecc2ce18481924d0f9dcead
+  metadata.gz: d57f969266c045b09307eba2c128be6fbb77e3f7
+  data.tar.gz: 3feecd806c8a21b6f8ce3e37287e7905d0df86d9
 SHA512:
-  metadata.gz: 43840caed0f0399d671b5514940f7c9dc2c73cdac09820609e9bd132cc0b7c30d4985690c8674638473aea52b5644a658eafb2feac4a399e3182078d4edd4693
-  data.tar.gz: 3d1e4c52daf5a58b8ea2b1f0705e7fb375a1579d4b279cc774058e015c6dfe9efea650ba2400e6ee8ec0aa78427975e13abac78ace6c8885fc35567572a462d9
+  metadata.gz: cfd2b0a9cabfe3838b27d03c5dca5bd67bcca64c10e8bf48b628318a0fbe6cf118c98309f71ac0fce2fba65b10f06b28e821eeeb47b438b7f2559a00c6d29679
+  data.tar.gz: 5d61ddf3ddb8126c490c1536c28c99b1a6b93615b78c6a7a17023b86133a2818b6e673cd5ff21400441c9c07a4c925b61fec730ac88318d2f4bee571fdf5c678

data/CHANGELOG.md

@@ -1,36 +1,50 @@
 # Change Log
 <!-- usage documentation: http://expeditor-docs.es.chef.io/configuration/changelog/ -->
-<!-- latest_release 2.1.54 -->
-## [v2.1.54](https://github.com/chef/inspec/tree/v2.1.54) (2018-04-19)
+<!-- latest_release 2.1.59 -->
+## [v2.1.59](https://github.com/chef/inspec/tree/v2.1.59) (2018-04-26)
 
 #### Bug Fixes
-- Add missing `git` to Dockerfile. [#2969](https://github.com/chef/inspec/pull/2969) ([miah](https://github.com/miah))
+- Catch exceptions in control blocks and fail the control [#2987](https://github.com/chef/inspec/pull/2987) ([clintoncwolfe](https://github.com/clintoncwolfe))
 <!-- latest_release -->
 
-<!-- release_rollup since=2.1.43 -->
-### Changes since 2.1.43 release
+<!-- release_rollup since=2.1.54 -->
+### Changes since 2.1.54 release
+
+#### Bug Fixes
+- Catch exceptions in control blocks and fail the control [#2987](https://github.com/chef/inspec/pull/2987) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 2.1.59 -->
 
 #### Merged Pull Requests
-- Add A2 support to the inspec-compliance toolset [#2963](https://github.com/chef/inspec/pull/2963) ([jquick](https://github.com/jquick)) <!-- 2.1.52 -->
+- os_env resource returns only user&#39;s environment variable on Windows [#2945](https://github.com/chef/inspec/pull/2945) ([omar-irizarry](https://github.com/omar-irizarry)) <!-- 2.1.58 -->
+- Fix case where res is nil in etc_group [#2984](https://github.com/chef/inspec/pull/2984) ([chris-rock](https://github.com/chris-rock)) <!-- 2.1.57 -->
+- Makes JSON resource enumerable, despite method_missing magic [#2910](https://github.com/chef/inspec/pull/2910) ([TheLonelyGhost](https://github.com/TheLonelyGhost)) <!-- 2.1.56 -->
 
-#### New Features
-- Inline and attached policies for aws_iam_user and aws_iam_users [#2947](https://github.com/chef/inspec/pull/2947) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 2.1.48 -->
+#### Enhancements
+- Update shadow#to_s to return @path instead of hardcoded `/etc/shadow` [#2978](https://github.com/chef/inspec/pull/2978) ([miah](https://github.com/miah)) <!-- 2.1.55 -->
+<!-- release_rollup -->
 
-#### Bug Fixes
-- Add missing `git` to Dockerfile. [#2969](https://github.com/chef/inspec/pull/2969) ([miah](https://github.com/miah)) <!-- 2.1.54 -->
-- updating kitchen-puppet example for the `puppet_apply` provisioner [#2972](https://github.com/chef/inspec/pull/2972) ([moutons](https://github.com/moutons)) <!-- 2.1.49 -->
-- Policy statement search: don&#39;t stacktrace on missing field [#2962](https://github.com/chef/inspec/pull/2962) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 2.1.47 -->
-- Fixed numerous naming errors in aws_iam_vpcs integration tests [#2961](https://github.com/chef/inspec/pull/2961) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 2.1.46 -->
-- aws_iam_policy statement search fix for degenerate policies [#2958](https://github.com/chef/inspec/pull/2958) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 2.1.45 -->
+<!-- latest_stable_release -->
+## [v2.1.54](https://github.com/chef/inspec/tree/v2.1.54) (2018-04-19)
+
+#### New Features
+- Inline and attached policies for aws_iam_user and aws_iam_users [#2947](https://github.com/chef/inspec/pull/2947) ([clintoncwolfe](https://github.com/clintoncwolfe))
 
 #### Enhancements
-- Make names for AWS Config service objects optional [#2928](https://github.com/chef/inspec/pull/2928) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 2.1.53 -->
-- Upgrade Terraform version pins for integration testing [#2968](https://github.com/chef/inspec/pull/2968) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 2.1.51 -->
-- Amazon linux service mgmt detection [#2970](https://github.com/chef/inspec/pull/2970) ([meringu](https://github.com/meringu)) <!-- 2.1.50 -->
-- updating output for aws_iam_role to match other AWS resources [#2960](https://github.com/chef/inspec/pull/2960) ([tmonk42](https://github.com/tmonk42)) <!-- 2.1.44 -->
-<!-- release_rollup -->
+- updating output for aws_iam_role to match other AWS resources [#2960](https://github.com/chef/inspec/pull/2960) ([tmonk42](https://github.com/tmonk42))
+- Amazon linux service mgmt detection [#2970](https://github.com/chef/inspec/pull/2970) ([meringu](https://github.com/meringu))
+- Upgrade Terraform version pins for integration testing [#2968](https://github.com/chef/inspec/pull/2968) ([clintoncwolfe](https://github.com/clintoncwolfe))
+- Make names for AWS Config service objects optional [#2928](https://github.com/chef/inspec/pull/2928) ([clintoncwolfe](https://github.com/clintoncwolfe))
 
+#### Bug Fixes
+- aws_iam_policy statement search fix for degenerate policies [#2958](https://github.com/chef/inspec/pull/2958) ([clintoncwolfe](https://github.com/clintoncwolfe))
+- Fixed numerous naming errors in aws_iam_vpcs integration tests [#2961](https://github.com/chef/inspec/pull/2961) ([clintoncwolfe](https://github.com/clintoncwolfe))
+- Policy statement search: don&#39;t stacktrace on missing field [#2962](https://github.com/chef/inspec/pull/2962) ([clintoncwolfe](https://github.com/clintoncwolfe))
+- updating kitchen-puppet example for the `puppet_apply` provisioner [#2972](https://github.com/chef/inspec/pull/2972) ([moutons](https://github.com/moutons))
+- Add missing `git` to Dockerfile. [#2969](https://github.com/chef/inspec/pull/2969) ([miah](https://github.com/miah))
+
+#### Merged Pull Requests
+- Add A2 support to the inspec-compliance toolset [#2963](https://github.com/chef/inspec/pull/2963) ([jquick](https://github.com/jquick))
 <!-- latest_stable_release -->
+
 ## [v2.1.43](https://github.com/chef/inspec/tree/v2.1.43) (2018-04-12)
 
 #### New Features
@@ -51,7 +65,6 @@
 - Update filesystem.md.erb [#2909](https://github.com/chef/inspec/pull/2909) ([tlmikulski](https://github.com/tlmikulski))
 - Fixes configuration for Azure integrationt tests [#2941](https://github.com/chef/inspec/pull/2941) ([dmccown](https://github.com/dmccown))
 - powershell resource: Add support line for Unix [#2952](https://github.com/chef/inspec/pull/2952) ([jerryaldrichiii](https://github.com/jerryaldrichiii))
-<!-- latest_stable_release -->
 
 ## [v2.1.30](https://github.com/chef/inspec/tree/v2.1.30) (2018-04-05)
 

data/docs/dev/control-eval.md

@@ -0,0 +1,62 @@
+# What happens when a profile file is loaded
+
+## Consult with Harry Tuttle
+
+[He's not from Central Services or anything.](https://youtu.be/VRfoIyx8KfU?t=2m41s)
+
+## Tips
+
+* In the early days of InSpec / ServerSpec, controls were called "rules".  Throughout various places in the code, the word "rule" is used to mean "control".  Make the mental subsitution.
+* InSpec supports reading profiles from tarballs, local files, git repos, etc.  So, don't count on local file reading; instead it uses a special source reader to obtain the contents of the files.
+
+## The basics of the stack
+
+    #5  Inspec::Profile.collect_tests(include_list#Array) at lib/inspec/profile.rb:167
+    #4  Hash.each at lib/inspec/profile.rb:167
+    #3  block in Inspec::Profile.block in collect_tests(include_list#Array) at lib/inspec/profile.rb:170
+    #2  Inspec::ProfileContext.load_control_file(*args#Array) at lib/inspec/profile_context.rb:141
+    #1  Inspec::ProfileContext.control_eval_context at lib/inspec/profile_context.rb:58
+    #0  #<Class:Inspec::ControlEvalContext>.create(profile_context#Inspec::ProfileContext, resources_dsl#Module) at lib/inspec/control_eval_context.rb:41
+
+## A profile context is created
+
+Like many things in InSpec core, a profile context is an anonymous class. (verify)
+
+Additionally, a control_eval_context is created.  It is an instance of an anonymous class; it has a class<->relationship with its profile context.  See `lib/inspec/control_eval_context.rb`.
+
+## Each file's contents are instance eval'd against the control_eval_context
+
+### DSL methods are executed at this time
+
+So, if you have a control file with `title` in it, that will call the title method that was defined at `lib/inspec/control_eval_context.rb:60`.  Importantly, this also includes the `control` DSL keyword, and also the `describe` keyword (used for bare describes).
+
+### Each control and their block are wrapped in an anonymous class
+
+The anonymous class generator is located at `lib/inspec/control_eval_context.rb:24`.  At this point, the terminology switches from `control` to `rule`.  Each context class inherits from Inspec::Rule, which provides the constructor.
+
+The control context class also gets extended with the resource DSL, so anything in the source code for the control can use the resource DSL.  This includes all resource names, but importantly, the `describe` DSL keyword.
+
+Finally, Inspec::Rule provides the control DSL - impact, title, desc, ref, and tags.
+
+### The block is instance_eval'd against the control context class
+
+See `lib/inspec/rule.rb:50`.  We're now in two levels of instance eval'ing - the file is gradually being eval'd against the profile context anonymous class, and the current control's block is being instance eval'd against a control context anonymous class.
+
+At this stage, control-level metadata (impact, title, refs, tags, desc) are evaluated and set as instance vars on the control.
+
+Any "loose" ruby in the control is also executed at this point.
+
+And, the describe and describe.one blocks are executed.
+
+### TODO: describe blocks are *not* instance-evaled
+
+### The control is registered with the profile
+
+Using the method register_control (dynamically defined on the control eval context), we check for various skip conditions.  If none of them apply, the control is then registered with the profile context using register_rule.
+
+ProfileContext.register_rule's main job is to determine the full ID of the control (within the context of the profile) and either add it to the controls list, or (if another control with the same ID exists), merge it.  (This is where overriding happens).
+
+Note: can skip a control with:
+Inspec::Rule.set_skip_rule(control, msg)
+
+## What else?

data/docs/resources/os_env.md.erb

@@ -35,6 +35,19 @@ The following examples show how to use this InSpec audit resource.
       its('split') { should_not include('.') }
     end
 
+### Test the Path environment variable by specifying the target Environment (Windows)
+
+On windows a User's environment variable may obscure the local machine (system) environment variable.  The correct environment variable may be tested as follows:
+
+    describe os_env('PATH', 'target') do
+      its('split') { should_not include('') }
+      its('split') { should_not include('.') }
+    end
+
+where
+
+* `'target'` may be either `system` or `user` 
+
 ### Test Habitat environment variables
 
 Habitat uses the `os_env` resource to test environment variables. The environment variables are first defined in a whitespace array, after which each environment variable is tested:

data/lib/inspec/rule.rb

@@ -47,7 +47,21 @@ module Inspec
       @__skip_only_if_eval = opts[:skip_only_if_eval]
 
       # evaluate the given definition
-      instance_eval(&block) if block_given?
+      return unless block_given?
+      begin
+        instance_eval(&block)
+      rescue StandardError => e
+        # We've encountered an exception while trying to eval the code inside the
+        # control block. We need to prevent the exception from bubbling up, and
+        # fail the control. Controls are failed by having a failed resource within
+        # them; but since our control block is unsafe (and opaque) to us, let's
+        # make a dummy and fail that.
+        location = block.source_location.compact.join(':')
+        describe 'Control Source Code Error' do
+          # Rubocop thinks we are raising an exception - we're actually calling RSpec's fail()
+          its(location) { fail e.message } # rubocop: disable Style/SignalException
+        end
+      end
     end
 
     def to_s

data/lib/inspec/version.rb

@@ -4,5 +4,5 @@
 # author: Christoph Hartmann
 
 module Inspec
-  VERSION = '2.1.54'
+  VERSION = '2.1.59'
 end

data/lib/resources/etc_group.rb

@@ -78,10 +78,12 @@ module Inspec::Resources
       }
       res = entries
 
-      conditions.each do |k, v|
-        idx = fields[k.to_sym]
-        next if idx.nil?
-        res = res.select { |x| x[idx].to_s == v.to_s }
+      unless res.nil?
+        conditions.each do |k, v|
+          idx = fields[k.to_sym]
+          next if idx.nil?
+          res = res.select { |x| x[idx].to_s == v.to_s }
+        end
       end
 
       EtcGroupView.new(self, res)

data/lib/resources/json.rb

@@ -1,6 +1,7 @@
 # encoding: utf-8
 
 require 'utils/object_traversal'
+require 'utils/enumerable_delegation'
 require 'utils/file_reader'
 
 module Inspec::Resources
@@ -37,6 +38,9 @@ module Inspec::Resources
       # load the raw content from the source, and then parse it
       @raw_content = load_raw_content(opts)
       @params = parse(@raw_content)
+
+      # If the JSON content is enumerable, make this object enumerable too
+      extend EnumerableDelegation if @params.respond_to?(:each)
     end
 
     # Shorthand to retrieve a parameter name via `#its`.

data/lib/resources/os_env.rb

@@ -22,8 +22,15 @@ module Inspec::Resources
       end
     "
 
-    def initialize(env = nil)
+    def initialize(env = nil, target = nil)
       @osenv = env
+      @target = unless target.nil?
+                  if target.casecmp('system') == 0
+                    'Machine'
+                  else
+                    'User'
+                  end
+                end
     end
 
     def split
@@ -37,7 +44,7 @@ module Inspec::Resources
 
     def content
       return @content if defined?(@content)
-      @content = value_for(@osenv) unless @osenv.nil?
+      @content = value_for(@osenv, @target) unless @osenv.nil?
     end
 
     def to_s
@@ -50,9 +57,13 @@ module Inspec::Resources
 
     private
 
-    def value_for(env)
+    def value_for(env, target = nil)
       command = if inspec.os.windows?
-                  "${Env:#{env}}"
+                  if target.nil?
+                    "${Env:#{env}}"
+                  else
+                    "[System.Environment]::GetEnvironmentVariable('#{env}', [System.EnvironmentVariableTarget]::#{target})"
+                  end
                 else
                   'env'
                 end

data/lib/resources/shadow.rb

@@ -120,7 +120,7 @@ module Inspec::Resources
 
     def to_s
       f = @filters.empty? ? '' : ' with'+@filters
-      "/etc/shadow#{f}"
+      "#{@path}#{f}"
     end
 
     private

data/lib/utils/enumerable_delegation.rb

@@ -0,0 +1,9 @@
+# encoding: utf-8
+
+module EnumerableDelegation
+  include Enumerable
+
+  def each(&block)
+    @params.each(&block)
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec
 version: !ruby/object:Gem::Version
-  version: 2.1.54
+  version: 2.1.59
 platform: ruby
 authors:
 - Dominik Richter
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-04-19 00:00:00.000000000 Z
+date: 2018-04-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: train
@@ -290,6 +290,7 @@ files:
 - bin/inspec
 - docs/.gitignore
 - docs/README.md
+- docs/dev/control-eval.md
 - docs/dsl_inspec.md
 - docs/dsl_resource.md
 - docs/glossary.md
@@ -766,6 +767,7 @@ files:
 - lib/utils/command_wrapper.rb
 - lib/utils/convert.rb
 - lib/utils/database_helpers.rb
+- lib/utils/enumerable_delegation.rb
 - lib/utils/erlang_parser.rb
 - lib/utils/file_reader.rb
 - lib/utils/filter.rb