inspec 2.2.27 → 2.2.34

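--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 8d1fd91c23f600805625f0091a060ed582d7037cf057f5d302f9d8251807ae64
- data.tar.gz: 168ceacd5af2cc37cfd5728c11f22045efe2146ebd4ef7e0838e799b7591ad31
+ metadata.gz: 29857224509b0eeb7fb9942ce70b5520b54d44b15cb996db137d24f09cb18b73
+ data.tar.gz: 95f7da542bd317544cd1ab5e225f7366cfc9d1430970b8fb976c1d71e79f0dec
  SHA512:
- metadata.gz: '018755cf06f189d55edf114bcddc147e1ebfb4cf14c46b0363d20408cf90a4e6682df07c706aff1290f6848b50072fd7204ae493463ae97d8f89db84c745c86b'
- data.tar.gz: ff105b814bbeb16760bed805bb6ea6a31af22e686bbc005ba25176e2d953a10052496bd5d0cb174258ec50f02a0b18f62540db6ed344733fde116a96c0690a65
+ metadata.gz: e1d5acf1b120e9dbeac94bbaaaa483ebeb8e08202b41c383ed7743e34f626e6d8915b67d6d8e59bd5648b9d497670ca032b3aaf10b9c8908a4bd0e68feb318bf
+ data.tar.gz: a838959692ee73761ec76d9a39659d875b592fd747c74e67b98e73357ae84a522c9013c0c790d1f9bccef552c9bb6a94cec69754f49dba456fc7b692c2f79e6e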
@@ -1,32 +1,50 @@
1
1
  # Change Log
2
2
  <!-- usage documentation: http://expeditor-docs.es.chef.io/configuration/changelog/ -->
3
- <!-- latest_release 2.2.27 -->
4
- ## [v2.2.27](https://github.com/inspec/inspec/tree/v2.2.27) (2018-06-29)
3
+ <!-- latest_release 2.2.34 -->
4
+ ## [v2.2.34](https://github.com/inspec/inspec/tree/v2.2.34) (2018-07-05)
5
5
 
6
- #### New Features
7
- - Document exit codes for &#39;inspec exec&#39; and add --no-distinct-exit option [#3178](https://github.com/inspec/inspec/pull/3178) ([clintoncwolfe](https://github.com/clintoncwolfe))
6
+ #### Bug Fixes
7
+ - fix for apache_conf to handle quoted Includes [#3193](https://github.com/inspec/inspec/pull/3193) ([voroniys](https://github.com/voroniys))
8
8
  <!-- latest_release -->
9
9
 
10
- <!-- release_rollup since=2.2.20 -->
11
- ### Changes since 2.2.20 release
10
+ <!-- release_rollup since=2.2.27 -->
11
+ ### Changes since 2.2.27 release
12
12
 
13
13
  #### New Features
14
- - Document exit codes for &#39;inspec exec&#39; and add --no-distinct-exit option [#3178](https://github.com/inspec/inspec/pull/3178) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 2.2.27 -->
15
- - Set parent_profile field on child profiles (json report) [#3164](https://github.com/inspec/inspec/pull/3164) ([jquick](https://github.com/jquick)) <!-- 2.2.25 -->
14
+ - cli: Add `--insecure` option for `exec` and `shell` [#3195](https://github.com/inspec/inspec/pull/3195) ([jerryaldrichiii](https://github.com/jerryaldrichiii)) <!-- 2.2.31 -->
16
15
 
17
- #### Enhancements
18
- - Update core resources with filtertable API changes [#3117](https://github.com/inspec/inspec/pull/3117) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 2.2.26 -->
19
- - apache_conf resource: Strip quotes from values [#3142](https://github.com/inspec/inspec/pull/3142) ([jerryaldrichiii](https://github.com/jerryaldrichiii)) <!-- 2.2.24 -->
16
+ #### Bug Fixes
17
+ - fix for apache_conf to handle quoted Includes [#3193](https://github.com/inspec/inspec/pull/3193) ([voroniys](https://github.com/voroniys)) <!-- 2.2.34 -->
18
+ - Fix some issues with the vendor functional tests [#3196](https://github.com/inspec/inspec/pull/3196) ([jerryaldrichiii](https://github.com/jerryaldrichiii)) <!-- 2.2.30 -->
20
19
 
21
20
  #### Merged Pull Requests
22
- - Add functional tests for nested attributes [#3157](https://github.com/inspec/inspec/pull/3157) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 2.2.23 -->
21
+ - Prevent Slashes in profile names [#3175](https://github.com/inspec/inspec/pull/3175) ([miah](https://github.com/miah)) <!-- 2.2.32 -->
22
+ - Fix vendor functional test to not validate a repo hash that can change. [#3198](https://github.com/inspec/inspec/pull/3198) ([miah](https://github.com/miah)) <!-- 2.2.29 -->
23
23
 
24
- #### Bug Fixes
25
- - Detect inspec-core mode and do not attempt to load cloud resources [#3163](https://github.com/inspec/inspec/pull/3163) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 2.2.22 -->
26
- - Add support for shallow link paths [#3168](https://github.com/inspec/inspec/pull/3168) ([ColinHebert](https://github.com/ColinHebert)) <!-- 2.2.21 -->
24
+ #### Enhancements
25
+ - Accept regexes for --controls option to inspec exec [#3179](https://github.com/inspec/inspec/pull/3179) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 2.2.33 -->
26
+ - Update the node platform issues to warn severity [#3186](https://github.com/inspec/inspec/pull/3186) ([jquick](https://github.com/jquick)) <!-- 2.2.28 -->
27
27
  <!-- release_rollup -->
28
28
 
29
29
  <!-- latest_stable_release -->
30
+ ## [v2.2.27](https://github.com/inspec/inspec/tree/v2.2.27) (2018-06-29)
31
+
32
+ #### New Features
33
+ - Set parent_profile field on child profiles (json report) [#3164](https://github.com/inspec/inspec/pull/3164) ([jquick](https://github.com/jquick))
34
+ - Document exit codes for &#39;inspec exec&#39; and add --no-distinct-exit option [#3178](https://github.com/inspec/inspec/pull/3178) ([clintoncwolfe](https://github.com/clintoncwolfe))
35
+
36
+ #### Enhancements
37
+ - apache_conf resource: Strip quotes from values [#3142](https://github.com/inspec/inspec/pull/3142) ([jerryaldrichiii](https://github.com/jerryaldrichiii))
38
+ - Update core resources with filtertable API changes [#3117](https://github.com/inspec/inspec/pull/3117) ([clintoncwolfe](https://github.com/clintoncwolfe))
39
+
40
+ #### Bug Fixes
41
+ - Add support for shallow link paths [#3168](https://github.com/inspec/inspec/pull/3168) ([ColinHebert](https://github.com/ColinHebert))
42
+ - Detect inspec-core mode and do not attempt to load cloud resources [#3163](https://github.com/inspec/inspec/pull/3163) ([clintoncwolfe](https://github.com/clintoncwolfe))
43
+
44
+ #### Merged Pull Requests
45
+ - Add functional tests for nested attributes [#3157](https://github.com/inspec/inspec/pull/3157) ([clintoncwolfe](https://github.com/clintoncwolfe))
46
+ <!-- latest_stable_release -->
47
+
30
48
  ## [v2.2.20](https://github.com/inspec/inspec/tree/v2.2.20) (2018-06-21)
31
49
 
32
50
  #### Enhancements
@@ -36,7 +54,6 @@
36
54
 
37
55
  #### Merged Pull Requests
38
56
  - Accept symbols and downcased criteria in aws_iam_policy have_statement matcher [#3129](https://github.com/inspec/inspec/pull/3129) ([clintoncwolfe](https://github.com/clintoncwolfe))
39
- <!-- latest_stable_release -->
40
57
 
41
58
  ## [v2.2.16](https://github.com/inspec/inspec/tree/v2.2.16) (2018-06-15)
42
59
 
@@ -5,148 +5,253 @@ platform: linux
5
5
 
6
6
  # shadow
7
7
 
8
- Use the `shadow` InSpec audit resource to test the contents of `/etc/shadow`, which contains password details that are only readable by the `root` user. The format for `/etc/shadow` includes:
8
+ Use the `shadow` InSpec audit resource to test the contents of `/etc/shadow`, which contains password details that are readable only by the `root` user. `shadow` is a [plural resource](https://www.inspec.io/docs/reference/glossary/#plural_resource). Like all plural resources, it functions by performing searches across multiple entries in the shadow file.
9
+
10
+ The format for `/etc/shadow` includes:
9
11
 
10
12
  * A username
11
13
  * The hashed password for that user
12
- * The last time a password was changed
14
+ * The last date a password was changed, as the number of days since Jan 1 1970
13
15
  * The minimum number of days a password must exist, before it may be changed
14
16
  * The maximum number of days after which a password must be changed
15
17
  * The number of days a user is warned about an expiring password
16
18
  * The number of days a user must be inactive before the user account is disabled
17
- * The number of days a user account has been disabled
19
+ * The date on which a user account was disabled, as the number of days since Jan 1 1970
18
20
 
19
21
  These entries are defined as a colon-delimited row in the file, one row per user:
20
22
 
21
23
  dannos:Gb7crrO5CDF.:10063:0:99999:7:::
22
24
 
25
+ The `shadow` resource understands this format, allows you to search on the fields, and exposes the selected users' properties.
26
+
23
27
  <br>
24
28
 
25
- ## Syntax
29
+ ## Resource Parameters
26
30
 
27
- A `shadow` resource block declares user properties to be tested:
31
+ The `shadow` resource takes one optional parameter: the path to the shadow file. If omitted, `/etc/shadow` is assumed.
28
32
 
33
+ # Expect a file to exist at the default location and have 32 users
29
34
  describe shadow do
30
- its('users') { should_not include 'forbidden_user' }
35
+ its('count') { should eq 32 }
31
36
  end
32
37
 
33
- Properties can be used as a single query:
34
-
35
- describe shadow.user('root') do
36
- its('count') { should eq 1 }
38
+ # Use a custom location
39
+ describe shadow('/etc/my-custom-place/shadow') do
40
+ its('count') { should eq 32 }
37
41
  end
38
42
 
39
- Use the `.where` method to find properties that match a value:
43
+ ## Examples
40
44
 
41
- describe shadow.where { min_days == '0' } do
42
- its ('users') { should include 'nfs' }
43
- end
45
+ A `shadow` resource block uses `where` to filter entries from the shadow file. If `where` is omitted, all entries are selected.
44
46
 
45
- describe shadow.where { password =~ /[x|!|*]/ } do
46
- its('count') { should eq 0 }
47
+ # Select all users. Among them, there should not be a user with the name 'forbidden_user'.
48
+ describe shadow do
49
+ its('users') { should_not include 'forbidden_user' }
47
50
  end
48
51
 
49
- The following properties are available:
50
-
51
- * `users`
52
- * `passwords`
53
- * `last_changes`
54
- * `min_days`
55
- * `max_days`
56
- * `warn_days`
57
- * `inactive_days`
58
- * `expiry_dates`
59
- * `reserved`
60
-
61
- <br>
62
-
63
- ## Examples
64
-
65
- The following examples show how to use this InSpec audit resource.
52
+ # Ensure there is only one user named 'root' (Select all with name 'root', then count them).
53
+ describe shadow.where(user: 'root') do
54
+ its('count') { should eq 1 }
55
+ end
66
56
 
67
- ### Test for a forbidden user
57
+ Use `where` to match any of the supported [filter criteria](#filter_criteria). `where` has a method form for simple equality and a block form for more complex queries.
68
58
 
69
- describe shadow do
70
- its('users') { should_not include 'forbidden_user' }
59
+ # Method form, simple
60
+ # Select just the root user (direct equality)
61
+ describe shadow.where(user: 'root') do
62
+ its ('count') { should eq 1 }
71
63
  end
72
64
 
73
- ### Test that a user appears one time
65
+ # Method form, with a regex
66
+ # Select all users whose names begin with smb
67
+ describe shadow.where(user: /^smb/) do
68
+ its ('count') { should eq 2 }
69
+ end
74
70
 
75
- describe shadow.users('bin') do
76
- its('passwords') { should cmp 'x' }
77
- its('count') { should eq 1 }
71
+ # Block form
72
+ # Select users whose passwords have expired
73
+ describe shadow.where { expiry_date > 0 } do
74
+ # This test directly asserts that there should be 0 such users
75
+ its('count') { should eq 0 }
76
+ # But if the count test fails, this test outputs the users that are causing the failure.
77
+ its('users') { should be_empty }
78
78
  end
79
79
 
80
80
  <br>
81
81
 
82
82
  ## Properties
83
83
 
84
+ As a [plural resource](https://www.inspec.io/docs/reference/glossary/#plural_resource), all of `shadow`'s properties return lists (that is, Ruby Arrays). `include` and `be_empty` are two useful matchers when working with lists. You can also perform manipulation of the lists, such as calling `uniq`, `sort`, `count`, `first`, `last`, `min`, and `max`.
85
+
84
86
  ### users
85
87
 
86
- The `users` property tests if the username exists `/etc/shadow`:
88
+ A list of strings, representing the usernames matched by the filter.
87
89
 
88
- its('users') { should include 'root' }
90
+ describe shadow
91
+ its('users') { should include 'root' }
92
+ end
89
93
 
90
94
  ### passwords
91
95
 
92
- The `passwords` property returns the encrypted password string from the shadow file. The returned string may not be an encrypted password, but rather a `*` or similar which indicates that direct logins are not allowed.
93
-
94
- For example:
96
+ A list of strings, representing the encrypted password strings for entries matched by the `where` filter. Each string may not be an encrypted password, but rather a `*` or similar which indicates that direct logins are not allowed. Different operating systems use different flags here (such as `*LK*` to indicate the account is locked).
95
97
 
96
- its('passwords') { should cmp '*' }
98
+ # Use uniq to remove duplicates, then determine
99
+ # if the only password left on the list is '*'
100
+ describe shadow.where(user: /adm$/) do
101
+ its('passwords.uniq.first') { should cmp '*' }
102
+ its('passwords.uniq.count') { should eq 1 }
103
+ end
97
104
 
98
105
  ### last\_changes
99
106
 
100
- The `last_changes` property tests the last time a password was changed:
107
+ A list of integers, indicating the number of days since Jan 1 1970 since the password for each matching entry was changed.
101
108
 
102
- its('last_changes') { should be_empty }
109
+ # Ensure all entries have changed their password in the last 90 days. (Probably want a filter on that)
110
+ describe shadow do
111
+ its('last_changes.min') { should be < Date.today - 90 - Date.new(1970,1,1) }
112
+ end
103
113
 
104
114
  ### min\_days
105
115
 
106
- The `min_days` property tests the minimum number of days a password must exist, before it may be changed:
116
+ A list of integers reflecting the minimum number of days a password must exist, before it may be changed, for the users that matched the filter.
107
117
 
108
- its('min_days') { should eq 0 }
118
+ # min_days seems crazy today; make sure it is zero for everyone
119
+ describe shadow do
120
+ its('min_days.uniq') { should eq [0] }
121
+ end
109
122
 
110
123
  ### max\_days
111
124
 
112
- The `max_days` property tests the maximum number of days after which a password must be changed:
125
+ A list of integers reflecting the maximum number of days after which the password must be changed for each user matching the filter.
113
126
 
114
- its('max_days') { should eq 90 }
127
+ # Make sure there is no policy allowing longer than 90 days
128
+ describe shadow do
129
+ its('max_days.max') { should be < 90 }
130
+ end
115
131
 
116
132
  ### warn\_days
117
133
 
118
- The `warn_days` property tests the number of days a user is warned about an expiring password:
134
+ A list of integers reflecting the number of days a user is warned about an expiring password for each user matching the filter.
119
135
 
120
- its('warn_days') { should eq 7 }
136
+ # Ensure everyone gets the same 7-day policy
137
+ describe shadow do
138
+ its('warn_days.uniq.count') { should eq 1 }
139
+ its('warn_days.uniq.first') { should eq 7 }
140
+ end
121
141
 
122
142
  ### inactive\_days
123
143
 
124
- The `inactive_days` property tests the number of days a user must be inactive before the user account is disabled:
144
+ A list of integers reflecting the number of days a user must be inactive before the user account is disabled for each user matching the filter.
125
145
 
126
- its('inactive_days') { should be_empty }
146
+ # Ensure everyone except admins has an stale policy of no more than 14 days
147
+ describe shadow.where { user !~ /adm$/ } do
148
+ its('inactive_days.max') { should be <= 14 }
149
+ end
127
150
 
128
151
  ### expiry\_dates
129
152
 
130
- The `expiry_dates` property tests the number of days a user account has been disabled:
153
+ A list of integers reflecting the number of days since Jan 1 1970 that a user account has been disabled, for each user matching the filter. Value is `nil` if the account has not expired.
131
154
 
132
- its('expiry_dates') { should be_empty }
155
+ # No one should have an expired account.
156
+ describe shadow do
157
+ its('expiry_dates.compact') { should be_empty }
158
+ end
133
159
 
134
160
  ### count
135
161
 
136
- The `count` property tests the number of times the named property appears:
162
+ The `count` property tests the number of records that the filter matched.
137
163
 
164
+ # Should probably only have one root user
138
165
  describe shadow.user('root') do
139
166
  its('count') { should eq 1 }
140
167
  end
141
168
 
142
- This property is best used in conjunction with filters. For example:
169
+ <br>
143
170
 
144
- describe shadow.where { password =~ /[x|!|*]/ } do
145
- its('count') { should eq 0 }
171
+ ## Filter Criteria
172
+
173
+ You may use any of these filter criteria with the `where` function. They are named after the columns in the shadow file. Each has a related list [property](#properties).
174
+
175
+ ### user
176
+
177
+ The string username of a user. Always present. Not required to be unique.
178
+
179
+ # Expect all users whose name ends in adm to have a disabled password via the '*' flag
180
+ describe shadow.where(user: /adm$/) do
181
+ its('password.uniq') { should eq ['*'] }
146
182
  end
147
183
 
148
- <br>
184
+ ### password
185
+
186
+ The encrypted password strings, or an account status string. Each string may not be an encrypted password, but rather a `*` or similar which indicates that direct logins are not allowed. Different operating systems use other flags here (such as `*LK*` to indicate the account is locked).
187
+
188
+ # Find 'locked' accounts and ensure 'nobody' is on the list
189
+ describe shadow.where(password: '*LK*') do
190
+ its('users') { should include 'nobody' }
191
+ end
192
+
193
+ ### last_change
194
+
195
+ An integer reflecting the number of days since Jan 1 1970 since the user's password was changed.
196
+
197
+ # Find users who have not changed their password within 90 days
198
+ describe shadow.where { last_change > Date.today - 90 - Date.new(1970,1,1) } do
199
+ its('users') { should be_empty }
200
+ end
201
+
202
+ ### min_days
203
+
204
+ An integer reflecting the minimum number of days a user is required to wait before
205
+ changing their password again.
206
+
207
+ # Find users who have a nonzero wait time
208
+ describe shadow.where { min_days > 0 } do
209
+ its('users') { should be_empty }
210
+ end
211
+
212
+ ### max_days
213
+
214
+ An integer reflecting the maximum number of days a user may go without changing their password.
215
+
216
+ # All users should have a 30-day policy
217
+ describe shadow.where { max_days != 30 } do
218
+ its('users') { should be_empty }
219
+ end
220
+
221
+ ### warn_days
222
+
223
+ An integer reflecting the number of days before a password expiration that a user recieves an alert.
224
+
225
+ # All users should have a 7-day warning policy
226
+ describe shadow.where { warn_days != 7 } do
227
+ its('users') { should be_empty }
228
+ end
229
+
230
+ ### inactive_days
231
+
232
+ An integer reflecting the number of days that must pass before a user who has not logged in will be disabled.
233
+
234
+ # Ensure everyone has a stale policy of no more than 14 days.
235
+ describe shadow.where { inactive_days.nil? || inactive_days > 14 } do
236
+ its('users') { should be_empty }
237
+ end
238
+
239
+ ### expiry_date
240
+
241
+ An integer reflecting the number of days since Jan 1, 1970 on which the user was disabled. The `expiry_date` criterion is `nil` for enabled users.
242
+
243
+ # Ensure no one is disabled due to a old password
244
+ describe shadow.where { !expiry_date.nil? } do
245
+ its('users') { should be_empty }
246
+ end
247
+
248
+ # Ensure no one is disabled for more than 14 days
249
+ describe shadow.where { !expiry_date.nil? && expiry_date - Date.new(1970,1,1) > 14} do
250
+ its('users') { should be_empty }
251
+ end
149
252
 
150
253
  ## Matchers
151
254
 
152
- For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
255
+ This resource has no resource-specific matchers.
256
+
257
+ For a full list of available matchers, please visit our [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/).
@@ -1,5 +1,4 @@
1
1
  # encoding: utf-8
2
- # author: Christoph Hartmann
3
2
 
4
3
  require 'pathname'
5
4
 
@@ -42,8 +41,13 @@ module Init
42
41
  base_dir = File.join(dir, 'templates', type)
43
42
  # prepare glob for all subdirectories and files
44
43
  template = File.join(base_dir, '**', '{*,.*}')
45
- # generate target path
46
- target = Pathname.new(Dir.pwd).join(attributes[:name])
44
+ # Use the name attribute to define the path to the profile.
45
+ profile_path = attributes[:name]
46
+ # Use slashes (\, /) to split up the name into an Array then use the last entry
47
+ # to reset the name of the profile.
48
+ attributes[:name] = attributes[:name].split(%r{\\|\/}).last
49
+ # Generate the full target path on disk
50
+ target = Pathname.new(Dir.pwd).join(profile_path)
47
51
  puts "Create new #{type} at #{mark_text(target)}"
48
52
 
49
53
  # check that the directory does not exist
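Review bot: In the second hunk, `attributes[:name].split(%r{\\|\/}).last` returns `nil` when the name is empty or consists only of separators (for example `/`), so later uses of `attributes[:name]` would presumably see `nil` while `target` is still built from the raw string. The raw `profile_path` also goes straight to `Pathname#join`, which discards `Dir.pwd` for an absolute argument and keeps any `..` segments. The comment `# Generate the full target path on disk` should therefore say that the target may lie outside the working directory, or the code should reject such input. A guard right after the split, such as `raise ArgumentError, 'profile name must not be empty' if attributes[:name].to_s.empty?`, would cover the first case. The enclosing method starts and ends outside the hunk.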
@@ -13,7 +13,7 @@ module Inspec
13
13
  true
14
14
  end
15
15
 
16
- def self.target_options
16
+ def self.target_options # rubocop:disable MethodLength
17
17
  option :target, aliases: :t, type: :string,
18
18
  desc: 'Simple targeting option using URIs, e.g. ssh://user:pass@host:port'
19
19
  option :backend, aliases: :b, type: :string,
@@ -54,6 +54,14 @@ module Inspec
54
54
  desc: 'Read configuration from JSON file (`-` reads from stdin).'
55
55
  option :proxy_command, type: :string,
56
56
  desc: 'Specifies the command to use to connect to the server'
57
+ option :bastion_host, type: :string,
58
+ desc: 'Specifies the bastion host if applicable'
59
+ option :bastion_user, type: :string,
60
+ desc: 'Specifies the bastion user if applicable'
61
+ option :bastion_port, type: :string,
62
+ desc: 'Specifies the bastion port if applicable'
63
+ option :insecure, type: :boolean, default: false,
64
+ desc: 'Disable SSL verification on select targets'
57
65
  end
58
66
 
59
67
  def self.profile_options
@@ -65,7 +73,7 @@ module Inspec
65
73
  target_options
66
74
  profile_options
67
75
  option :controls, type: :array,
68
- desc: 'A list of controls to run. Ignore all other tests.'
76
+ desc: 'A list of control names to run, or a list of /regexes/ to match against control names. Ignore all other tests.'
69
77
  option :format, type: :string,
70
78
  desc: '[DEPRECATED] Please use --reporter - this will be removed in InSpec 3.0'
71
79
  option :reporter, type: :array,
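Review bot: The description added for `--insecure` in `target_options`, 'Disable SSL verification on select targets', does not say which targets honour the flag or that certificate validation is what gets skipped, so a user cannot tell when a connection is no longer authenticated. I would spell that out, e.g. `desc: 'Disable SSL/TLS certificate verification for targets that support it'`, and list the affected transports in the CLI docs. In the same hunk `bastion_port` is declared `type: :string`; `type: :numeric` would let the option parser reject a non-numeric port, assuming the consumer accepts an integer. The body of `target_options` starts outside this hunk.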
@@ -189,7 +189,7 @@ module Inspec::Formatters
189
189
  begin
190
190
  @backend.platform[field]
191
191
  rescue Train::Error => e
192
- Inspec::Log.error(e.message)
192
+ Inspec::Log.warn(e.message)
193
193
  nil
194
194
  end
195
195
  end
@@ -1,7 +1,5 @@
1
1
  # encoding: utf-8
2
2
  # Copyright 2015 Dominik Richter
3
- # author: Dominik Richter
4
- # author: Christoph Hartmann
5
3
 
6
4
  require 'logger'
7
5
  require 'rubygems/version'
@@ -78,10 +76,9 @@ module Inspec
78
76
  errors.push("Missing profile #{field} in #{ref}")
79
77
  end
80
78
 
81
- if params[:name] =~ %r{[\/\\]}
82
- warnings.push("Your profile name (#{params[:name]}) contains a slash " \
83
- 'which will not be permitted in InSpec 2.0. Please change your profile ' \
84
- 'name in the `inspec.yml` file.')
79
+ if %r{[\/\\]} =~ params[:name]
80
+ errors.push("The profile name (#{params[:name]}) contains a slash" \
81
+ ' which is not permitted. Please remove all slashes from `inspec.yml`.')
85
82
  end
86
83
 
87
84
  # if version is set, ensure it is correct
@@ -190,7 +187,7 @@ module Inspec
190
187
  # unit tests that look for warning sequences
191
188
  return if original_target.to_s.empty?
192
189
  metadata.params[:title] = "tests from #{original_target}"
193
- metadata.params[:name] = metadata.params[:title].gsub(%r{[\\\/]}, '.')
190
+ metadata.params[:name] = metadata.params[:title].gsub(%r{[\/\\]}, '.')
194
191
  end
195
192
 
196
193
  def self.finalize(metadata, profile_id, options, logger = nil)
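Review bot: The new error text in the slash check tells the user to remove all slashes from `inspec.yml`, but the condition tests only `params[:name]`, and other fields of that file may legitimately contain slashes. Naming the field keeps the message actionable, for example ending it with `Please remove all slashes from the profile name in inspec.yml.` The check also rejects only `/` and `\`. If the name is later used as a path component (not visible here), a name such as `..` would still pass, which may deserve a follow-up. The enclosing validation method starts and ends outside the hunk.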
@@ -177,9 +177,29 @@ module Inspec
177
177
 
178
178
  def filter_controls(controls_array, include_list)
179
179
  return controls_array if include_list.nil? || include_list.empty?
180
+
181
+ # Check for anything that might be a regex in the list, and make it official
182
+ include_list.each_with_index do |inclusion, index|
183
+ next if inclusion.is_a?(Regexp)
184
+ # Insist the user wrap the regex in slashes to demarcate it as a regex
185
+ next unless inclusion.start_with?('/') && inclusion.end_with?('/')
186
+ inclusion = inclusion[1..-2] # Trim slashes
187
+ begin
188
+ re = Regexp.new(inclusion)
189
+ include_list[index] = re
190
+ rescue RegexpError => e
191
+ warn "Ignoring unparseable regex '/#{inclusion}/' in --control CLI option: #{e.message}"
192
+ include_list[index] = nil
193
+ end
194
+ end
195
+ include_list.compact!
196
+
180
197
  controls_array.select do |c|
181
198
  id = ::Inspec::Rule.rule_id(c)
182
- include_list.include?(id)
199
+ include_list.any? do |inclusion|
200
+ # Try to see if the inclusion is a regex, and if it matches
201
+ inclusion == id || (inclusion.is_a?(Regexp) && inclusion =~ id)
202
+ end
183
203
  end
184
204
  end
185
205
 
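Review bot: `filter_controls` rewrites the caller's `include_list` in place (`include_list[index] = re`, then `include_list.compact!`), so the array that came from the CLI options is altered as a side effect, and a frozen array would raise. Two smaller points in the same loop: a bare `/` or `//` passes the `start_with?`/`end_with?` test and becomes an empty pattern that matches every control id, and the warning names `--control` while the option is `--controls`. Building a normalised copy addresses all three; the `select` block then iterates over that copy.

```ruby
def filter_controls(controls_array, include_list)
  return controls_array if include_list.nil? || include_list.empty?

  # Normalise into a new list so the caller's array is left untouched
  matchers = include_list.map do |inclusion|
    next inclusion if inclusion.is_a?(Regexp)
    # Require at least one character between the demarcating slashes
    next inclusion unless inclusion.length > 2 && inclusion.start_with?('/') && inclusion.end_with?('/')
    begin
      Regexp.new(inclusion[1..-2])
    rescue RegexpError => e
      warn "Ignoring unparseable regex '#{inclusion}' in --controls CLI option: #{e.message}"
      nil
    end
  end.compact

  # … unchanged: controls_array.select block, iterating over matchers instead of include_list …
```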
@@ -4,5 +4,5 @@
4
4
  # author: Christoph Hartmann
5
5
 
6
6
  module Inspec
7
- VERSION = '2.2.27'
7
+ VERSION = '2.2.34'
8
8
  end
@@ -82,7 +82,7 @@ module Inspec::Resources
82
82
  # The regex is terminated by an expression that matches zero or more spaces.
83
83
  params = SimpleConfig.new(
84
84
  raw_conf,
85
- assignment_regex: /^\s*(\S+)\s+((?=.*\s+$).*?|.*)\s*$/,
85
+ assignment_regex: /^\s*(\S+)\s+['"]*((?=.*\s+$).*?|.*?)['"]*\s*$/,
86
86
  multiple_values: true,
87
87
  ).params
88
88
 
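Review bot: The `['"]*` groups added to `assignment_regex` strip any run of single or double quotes from both ends of every directive value, balanced or not. A value such as `"a" "b"` is therefore captured as `a" "b`, and a value with only an opening quote is accepted silently. This applies to all directives parsed through this expression, not only `Include`. The comment above the pattern (partly outside the hunk) should say so, for example `# Leading and trailing quote characters are stripped from the value, even when unbalanced`. A unit test with a multi-argument quoted directive would pin the behaviour. The surrounding method starts and ends outside the hunk.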
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: inspec
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.2.27
4
+ version: 2.2.34
5
5
  platform: ruby
6
6
  authors:
7
7
  - Dominik Richter
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2018-06-29 00:00:00.000000000 Z
11
+ date: 2018-07-05 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: train