inspec 2.2.70 → 2.2.78

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 6dc6fb470460ab2b0b96771d62cb0daf7c236d69ddb6dd79f213656a55d54e5f
4
- data.tar.gz: 239448502597b1907e8d35761ca18317ed75462cf0063105a6a770e4949b861d
3
+ metadata.gz: 842e90c7b84b1e95a0ca1989f26048ab81a67a5e4f602461c7f6eb6a9ac8a0df
4
+ data.tar.gz: 0c9220d4fdd48bece5981ff0a7599e070742208de5520f449d79068031c9b839
5
5
  SHA512:
6
- metadata.gz: d173ad69e9b20522dff8a485c50d3e11c429115eea183ce558871f4a826d5c2bbde620798dceb6840ddf017e18eb7f59e5fc1f53ddc020c6c84f3c145abb3e8b
7
- data.tar.gz: cfc9224a29d43af3dbbc4e5da21c9a64af68cf27a7e1d2cef471506662046080f627055f8217cd34dc368f3ebeca6c49b0a0da569c30e428b40d0c7f32207502
6
+ metadata.gz: d52ea98ca54e58a0191968e445c7e5f32c7cac9fd58be5f7e00acba5fed6ec5bb4f9cb9bcdc8bc1fe988b925f8c9c64a80283a4309b20135d1d2d395362c8ff0
7
+ data.tar.gz: ad42da9cb733b08b50f5082742fda88147ca7f6c8a3739fac19ad74d4fe5acc88f5ce92ff4e7be28e013637dbae009fccb32811ef9baed9727a66cb4b8d5236f
@@ -1,35 +1,51 @@
1
1
  # Change Log
2
2
  <!-- usage documentation: http://expeditor-docs.es.chef.io/configuration/changelog/ -->
3
- <!-- latest_release 2.2.70 -->
4
- ## [v2.2.70](https://github.com/inspec/inspec/tree/v2.2.70) (2018-08-23)
3
+ <!-- latest_release 2.2.78 -->
4
+ ## [v2.2.78](https://github.com/inspec/inspec/tree/v2.2.78) (2018-08-30)
5
5
 
6
6
  #### Merged Pull Requests
7
- - Rebuild InSpec omni bundles [#3327](https://github.com/inspec/inspec/pull/3327) ([jquick](https://github.com/jquick))
7
+ - Update demo site nom packages [#3343](https://github.com/inspec/inspec/pull/3343) ([miah](https://github.com/miah))
8
8
  <!-- latest_release -->
9
9
 
10
- <!-- release_rollup since=2.2.64 -->
11
- ### Changes since 2.2.64 release
10
+ <!-- release_rollup since=2.2.70 -->
11
+ ### Changes since 2.2.70 release
12
12
 
13
- #### Enhancements
14
- - Infer `--sudo` when `--sudo-password` is used [#3313](https://github.com/inspec/inspec/pull/3313) ([jerryaldrichiii](https://github.com/jerryaldrichiii)) <!-- 2.2.68 -->
13
+ #### New Features
14
+ - Add HTTP basic auth for URL based inspec deps [#3341](https://github.com/inspec/inspec/pull/3341) ([frezbo](https://github.com/frezbo)) <!-- 2.2.77 -->
15
+ - Support erb rendering [#3338](https://github.com/inspec/inspec/pull/3338) ([frezbo](https://github.com/frezbo)) <!-- 2.2.76 -->
15
16
 
16
17
  #### Bug Fixes
17
- - Fix skip hash being passed instead of boolean value [#3323](https://github.com/inspec/inspec/pull/3323) ([frezbo](https://github.com/frezbo)) <!-- 2.2.67 -->
18
+ - fix skip message not being passed for merge [#3329](https://github.com/inspec/inspec/pull/3329) ([frezbo](https://github.com/frezbo)) <!-- 2.2.73 -->
18
19
 
19
20
  #### Merged Pull Requests
20
- - Rebuild InSpec omni bundles [#3327](https://github.com/inspec/inspec/pull/3327) ([jquick](https://github.com/jquick)) <!-- 2.2.70 -->
21
- - Suppress logs for json-automate reporter [#3324](https://github.com/inspec/inspec/pull/3324) ([jquick](https://github.com/jquick)) <!-- 2.2.66 -->
22
- - Add cloudlinux under redhat family [#2935](https://github.com/inspec/inspec/pull/2935) ([tarcinil](https://github.com/tarcinil)) <!-- 2.2.65 -->
21
+ - Update demo site nom packages [#3343](https://github.com/inspec/inspec/pull/3343) ([miah](https://github.com/miah)) <!-- 2.2.78 -->
22
+ - Fix the brew command to install inspec [#3335](https://github.com/inspec/inspec/pull/3335) ([tas50](https://github.com/tas50)) <!-- 2.2.75 -->
23
+ - Convert legacy supports to their platform counterparts [#3333](https://github.com/inspec/inspec/pull/3333) ([jquick](https://github.com/jquick)) <!-- 2.2.74 -->
24
+ - bump inspec/train version [#3331](https://github.com/inspec/inspec/pull/3331) ([tomqwu](https://github.com/tomqwu)) <!-- 2.2.72 -->
25
+ - Cached profiles with Compliance Fetcher [#3221](https://github.com/inspec/inspec/pull/3221) ([itmustbejj](https://github.com/itmustbejj)) <!-- 2.2.71 -->
23
26
  <!-- release_rollup -->
24
27
 
25
28
  <!-- latest_stable_release -->
29
+ ## [v2.2.70](https://github.com/inspec/inspec/tree/v2.2.70) (2018-08-24)
30
+
31
+ #### Enhancements
32
+ - Infer `--sudo` when `--sudo-password` is used [#3313](https://github.com/inspec/inspec/pull/3313) ([jerryaldrichiii](https://github.com/jerryaldrichiii))
33
+
34
+ #### Bug Fixes
35
+ - Fix skip hash being passed instead of boolean value [#3323](https://github.com/inspec/inspec/pull/3323) ([frezbo](https://github.com/frezbo))
36
+
37
+ #### Merged Pull Requests
38
+ - Add cloudlinux under redhat family [#2935](https://github.com/inspec/inspec/pull/2935) ([tarcinil](https://github.com/tarcinil))
39
+ - Suppress logs for json-automate reporter [#3324](https://github.com/inspec/inspec/pull/3324) ([jquick](https://github.com/jquick))
40
+ - Rebuild InSpec omni bundles [#3327](https://github.com/inspec/inspec/pull/3327) ([jquick](https://github.com/jquick))
41
+ <!-- latest_stable_release -->
42
+
26
43
  ## [v2.2.64](https://github.com/inspec/inspec/tree/v2.2.64) (2018-08-17)
27
44
 
28
45
  #### Merged Pull Requests
29
46
  - Update `only_if` to allow user specified messages. [#3267](https://github.com/inspec/inspec/pull/3267) ([miah](https://github.com/miah))
30
47
  - Allow the jsonAutomate report to be executed from cli [#3285](https://github.com/inspec/inspec/pull/3285) ([jquick](https://github.com/jquick))
31
48
  - Dummy PR to bump expeditor version. [#3298](https://github.com/inspec/inspec/pull/3298) ([jquick](https://github.com/jquick))
32
- <!-- latest_stable_release -->
33
49
 
34
50
  ## [v2.2.61](https://github.com/inspec/inspec/tree/v2.2.61) (2018-08-09)
35
51
 
@@ -71,6 +71,24 @@ depends:
71
71
  inspec_version: "~> 2.1"
72
72
  ```
73
73
 
74
+ The `inspec.yml` also supports embedded ERB in the file. For example:
75
+
76
+ ```YAML
77
+ name: dummy
78
+ title: InSpec Profile
79
+ maintainer: The Authors
80
+ copyright: The Authors
81
+ copyright_email: you@example.com
82
+ license: Apache-2.0
83
+ summary: An InSpec Compliance Profile
84
+ version: 0.1.0
85
+ depends:
86
+ - name: inherit
87
+ url: "https://artifactory.com/artifactory/example-repo-local/inspec/0.4.1.tar.gz"
88
+ username: <%= ENV['USERNAME'] %>
89
+ password: <%= ENV['API_KEY'] %>
90
+ ```
91
+
74
92
  ## Verify Profiles
75
93
 
76
94
  Use the `inspec check` command to verify the implementation of a profile:
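Review bot: the new ERB example interpolates `ENV['USERNAME']` and `ENV['API_KEY']` unquoted, so a value containing YAML-significant characters (`: `, ` #`, a leading `*` or `&`) changes the structure of the rendered document or fails to parse; quote the rendered values, e.g. `password: "<%= ENV['API_KEY'] %>"`, and mention that `"` and `\` inside the value still need escaping. The text should also state that the template is evaluated as Ruby every time the profile's `inspec.yml` is loaded, so `ENV` lookups are the intended use, and `USERNAME` is a variable Windows pre-populates with the login name, so a more specific variable name makes the example safer to copy.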
@@ -181,6 +199,16 @@ depends:
181
199
  url: https://github.com/myusername/myprofile-repo/archive/master.tar.gz
182
200
  ```
183
201
 
202
+ `url` also supports basic authentication.
203
+
204
+ ```YAML
205
+ depends:
206
+ - name: my-profile
207
+ url: https://my.domain/path/to/profile.tgz
208
+ username: user
209
+ password: password
210
+ ```
211
+
184
212
  ### git
185
213
 
186
214
  A `git` setting specifies a profile that is located in a git repository, with optional settings for branch, tag, commit, and version. The source location is translated into a URL upon resolution. This type of dependency supports version constraints via semantic versioning as git tags.
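Review bot: the example writes a literal `password: password` into `inspec.yml`, the file that ships with the profile; since this same release documents ERB in `inspec.yml`, the example should read the credentials from `<%= ENV['...'] %>` rather than embedding them. The paragraph should also say that basic authentication belongs on `https` URLs only: a Basic header is just the base64-encoded plain credentials and is sent with every request to `url`.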
@@ -180,4 +180,4 @@ This InSpec audit resource has the following special matchers. For a full list o
180
180
 
181
181
  Please see the integration tests for in depth examples of how this resource can be used.
182
182
 
183
- [Inspec Integration Tests for Azure Generic Resources](https://github.com/chef/inspec/tree/master/test/azure/verify/controls)
183
+ [Inspec Integration Tests for Azure Generic Resources](https://github.com/chef/inspec/tree/master/test/integration/azure/verify/controls)
@@ -26,7 +26,7 @@ Gem::Specification.new do |spec|
26
26
 
27
27
  spec.required_ruby_version = '>= 2.3'
28
28
 
29
- spec.add_dependency 'train', '~> 1.4', '>= 1.4.15'
29
+ spec.add_dependency 'train', '~> 1.4', '>= 1.4.35'
30
30
  spec.add_dependency 'thor', '~> 0.20'
31
31
  spec.add_dependency 'json', '>= 1.8', '< 3.0'
32
32
  spec.add_dependency 'method_source', '~> 0.8'
@@ -19,7 +19,7 @@ module Compliance
19
19
  # return all compliance profiles available for the user
20
20
  # the user is either specified in the options hash or by default
21
21
  # the username of the account is used that is logged in
22
- def self.profiles(config) # rubocop:disable PerceivedComplexity, Metrics/CyclomaticComplexity, Metrics/AbcSize, Metrics/MethodLength
22
+ def self.profiles(config, profile_filter = nil) # rubocop:disable PerceivedComplexity, Metrics/CyclomaticComplexity, Metrics/AbcSize, Metrics/MethodLength
23
23
  owner = config['owner'] || config['user']
24
24
 
25
25
  # Chef Compliance
@@ -36,9 +36,14 @@ module Compliance
36
36
  end
37
37
 
38
38
  headers = get_headers(config)
39
+ if profile_filter
40
+ _owner, id, ver = profile_split(profile_filter)
41
+ else
42
+ id, ver = nil
43
+ end
39
44
 
40
45
  if is_automate2_server?(config)
41
- body = { owner: owner }.to_json
46
+ body = { owner: owner, name: id }.to_json
42
47
  response = Compliance::HTTP.post_with_headers(url, headers, body, config['insecure'])
43
48
  else
44
49
  response = Compliance::HTTP.get(url, headers, config['insecure'])
@@ -69,6 +74,10 @@ module Compliance
69
74
  e
70
75
  }
71
76
  end
77
+ # filter by name and version if they were specified in profile_filter
78
+ mapped_profiles.select! do |p|
79
+ (!ver || p['version'] == ver) && (!id || p['name'] == id)
80
+ end
72
81
  return msg, mapped_profiles
73
82
  when '401'
74
83
  msg = '401 Unauthorized. Please check your token.'
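Review bot: `mapped_profiles.select!` filters on `p['version']` and `p['name']` only; the owner segment of `profile_filter`, split off as `_owner` earlier in this method, is never applied, so a profile with the same name and version under a different owner passes the filter. If owner is meant to be part of the match, compare it here alongside `id` and `ver`; if not, say so in the comment above the block.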
@@ -101,25 +110,10 @@ module Compliance
101
110
  parsed
102
111
  end
103
112
 
104
- # verifies that a profile
113
+ # verifies that a profile exists
105
114
  def self.exist?(config, profile)
106
- owner, id, ver = profile_split(profile)
107
-
108
- # ensure that we do not manipulate the configuration object
109
- user_config = config.dup
110
- user_config['owner'] = owner
111
- _msg, profiles = Compliance::API.profiles(user_config)
112
-
113
- if !profiles.empty?
114
- profiles.any? do |p|
115
- profile_owner = p['owner_id'] || p['owner']
116
- profile_owner == owner &&
117
- p['name'] == id &&
118
- (ver.nil? || p['version'] == ver)
119
- end
120
- else
121
- false
122
- end
115
+ _msg, profiles = Compliance::API.profiles(config, profile)
116
+ !profiles.empty?
123
117
  end
124
118
 
125
119
  def self.upload(config, owner, profile_name, archive_path)
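Review bot: the removed `exist?` split `profile` into owner/id/ver, set `user_config['owner']` from it and required `profile_owner == owner` against `p['owner_id'] || p['owner']`; the replacement returns `!profiles.empty?` for `profiles(config, profile)`, so the owner encoded in `profile` is no longer checked and `config['owner']` is used unchanged instead of being overridden per lookup. If that is intended, the `# verifies that a profile exists` comment should say the owner comes from `config`; otherwise the owner comparison should move into the filtering in `profiles`.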
@@ -13,50 +13,81 @@ module Compliance
13
13
  class Fetcher < Fetchers::Url
14
14
  name 'compliance'
15
15
  priority 500
16
- def self.resolve(target) # rubocop:disable PerceivedComplexity, Metrics/CyclomaticComplexity, Metrics/AbcSize
17
- uri = if target.is_a?(String) && URI(target).scheme == 'compliance'
18
- URI(target)
19
- elsif target.respond_to?(:key?) && target.key?(:compliance)
20
- URI("compliance://#{target[:compliance]}")
21
- end
16
+ attr_reader :upstream_sha256
17
+
18
+ def initialize(target, opts)
19
+ super(target, opts)
20
+ if target.is_a?(Hash) && target.key?(:url)
21
+ @target = target[:url]
22
+ @upstream_sha256 = target[:sha256]
23
+ elsif target.is_a?(String)
24
+ @target = target
25
+ @upstream_sha256 = ''
26
+ end
27
+ end
22
28
 
23
- return nil if uri.nil?
29
+ def sha256
30
+ upstream_sha256.empty? ? super : upstream_sha256
31
+ end
24
32
 
25
- # we have detailed information available in our lockfile, no need to ask the server
26
- if target.respond_to?(:key?) && target.key?(:url)
27
- profile_fetch_url = target[:url]
28
- config = {}
29
- else
30
- # check if we have a compliance token
31
- config = Compliance::Configuration.new
32
- if config['token'].nil? && config['refresh_token'].nil?
33
- if config['server_type'] == 'automate'
34
- server = 'automate'
35
- msg = 'inspec compliance login https://your_automate_server --user USER --ent ENT --dctoken DCTOKEN or --token USERTOKEN'
36
- elsif config['server_type'] == 'automate2'
37
- server = 'automate2'
38
- msg = 'inspec compliance login https://your_automate2_server --user USER --token APITOKEN'
39
- else
40
- server = 'compliance'
41
- msg = "inspec compliance login https://your_compliance_server --user admin --insecure --token 'PASTE TOKEN HERE' "
42
- end
43
- raise Inspec::FetcherFailure, <<~EOF
33
+ def self.check_compliance_token(config)
34
+ if config['token'].nil? && config['refresh_token'].nil?
35
+ if config['server_type'] == 'automate'
36
+ server = 'automate'
37
+ msg = 'inspec compliance login https://your_automate_server --user USER --ent ENT --dctoken DCTOKEN or --token USERTOKEN'
38
+ elsif config['server_type'] == 'automate2'
39
+ server = 'automate2'
40
+ msg = 'inspec compliance login https://your_automate2_server --user USER --token APITOKEN'
41
+ else
42
+ server = 'compliance'
43
+ msg = "inspec compliance login https://your_compliance_server --user admin --insecure --token 'PASTE TOKEN HERE' "
44
+ end
45
+ raise Inspec::FetcherFailure, <<~EOF
44
46
 
45
- Cannot fetch #{uri} because your #{server} token has not been
46
- configured.
47
+ Cannot fetch #{uri} because your #{server} token has not been
48
+ configured.
47
49
 
48
- Please login using
50
+ Please login using
49
51
 
50
- #{msg}
51
- EOF
52
- end
52
+ #{msg}
53
+ EOF
54
+ end
55
+ end
56
+
57
+ def self.get_target_uri(target)
58
+ if target.is_a?(String) && URI(target).scheme == 'compliance'
59
+ URI(target)
60
+ elsif target.respond_to?(:key?) && target.key?(:compliance)
61
+ URI("compliance://#{target[:compliance]}")
62
+ end
63
+ end
53
64
 
65
+ def self.resolve(target)
66
+ uri = get_target_uri(target)
67
+ return nil if uri.nil?
68
+
69
+ config = Compliance::Configuration.new
70
+ profile = Compliance::API.sanitize_profile_name(uri)
71
+ profile_fetch_url = Compliance::API.target_url(config, profile)
72
+ # we have detailed information available in our lockfile, no need to ask the server
73
+ if target.respond_to?(:key?) && target.key?(:sha256)
74
+ profile_checksum = target[:sha256]
75
+ else
76
+ check_compliance_token(config)
54
77
  # verifies that the target e.g base/ssh exists
55
- profile = Compliance::API.sanitize_profile_name(uri)
56
- if !Compliance::API.exist?(config, profile)
78
+ # Call profiles directly instead of exist? to capture the results
79
+ # so we can access the upstream sha256 from the results.
80
+ _msg, profile_result = Compliance::API.profiles(config, profile)
81
+ if profile_result.empty?
57
82
  raise Inspec::FetcherFailure, "The compliance profile #{profile} was not found on the configured compliance server"
83
+ else
84
+ # Guarantee sorting by verison and grab the latest.
85
+ # If version was specified, it will be the first and only result.
86
+ # Note we are calling the sha256 as a string, not a symbol since
87
+ # it was returned as json from the Compliance API.
88
+ profile_info = profile_result.sort_by { |x| Gem::Version.new(x['version']) }[0]
89
+ profile_checksum = profile_info.key?('sha256') ? profile_info['sha256'] : ''
58
90
  end
59
- profile_fetch_url = Compliance::API.target_url(config, profile)
60
91
  end
61
92
  # We need to pass the token to the fetcher
62
93
  config['token'] = Compliance::API.get_token(config)
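Review bot: `check_compliance_token(config)` interpolates `#{uri}` in its heredoc, but `uri` is a local of `resolve`, not a parameter or local of this method, so the missing-token path raises `NameError` instead of the intended `Inspec::FetcherFailure` message; pass it in (`check_compliance_token(config, uri)`). Second, `profile_result.sort_by { |x| Gem::Version.new(x['version']) }[0]` selects the lowest version, not the latest as the comment claims; use `max_by` or `[-1]`. Third, `sha256` returns `upstream_sha256` and bypasses `super` whenever the server supplied a value, and nothing in this hunk compares the downloaded archive against it, so the lock file records the server's claim rather than a digest of the bytes actually fetched; either verify the download against `upstream_sha256` or document that it is informational. Minor: `initialize` leaves `@upstream_sha256` nil for a Hash target without `:sha256`, after which `sha256` fails on `nil.empty?`; default it with `target[:sha256] || ''`. Typo: `verison`.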
@@ -65,7 +96,7 @@ module Compliance
65
96
  profile_stub = profile || target[:compliance]
66
97
  config['profile'] = Compliance::API.profile_split(profile_stub)
67
98
 
68
- new(profile_fetch_url, config)
99
+ new({ url: profile_fetch_url, sha256: profile_checksum }, config)
69
100
  rescue URI::Error => _e
70
101
  nil
71
102
  end
@@ -21,17 +21,19 @@ module Fetchers
21
21
 
22
22
  def self.resolve(target, opts = {})
23
23
  if target.is_a?(Hash) && target.key?(:url)
24
- resolve_from_string(target[:url], opts)
24
+ resolve_from_string(target[:url], opts, target[:username], target[:password])
25
25
  elsif target.is_a?(String)
26
26
  resolve_from_string(target, opts)
27
27
  end
28
28
  end
29
29
 
30
- def self.resolve_from_string(target, opts)
30
+ def self.resolve_from_string(target, opts, username = nil, password = nil)
31
31
  uri = URI.parse(target)
32
32
  return nil if uri.nil? or uri.scheme.nil?
33
33
  return nil unless %{ http https }.include? uri.scheme
34
34
  target = transform(target)
35
+ opts[:username] = username if username
36
+ opts[:password] = password if password
35
37
  new(target, opts)
36
38
  rescue URI::Error
37
39
  nil
@@ -223,6 +225,8 @@ module Fetchers
223
225
  opts['Authorization'] = "Bearer #{@token}"
224
226
  end
225
227
 
228
+ opts[:http_basic_authentication] = [@config[:username], @config[:password]] if @config[:username]
229
+
226
230
  # Do not send any headers that have nil values.
227
231
  # Net::HTTP does not gracefully handle this situation.
228
232
  check_for_missing_values!(opts)
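Review bot: `opts[:http_basic_authentication]` is set whenever `@config[:username]` is present, independent of scheme; because `resolve_from_string` accepts both `http` and `https`, the credentials can be sent base64-encoded in clear text over `http`. Consider refusing, or at least warning on, basic auth for non-`https` URLs. Also, when the `Authorization: Bearer` header from the lines above is set, both it and the basic-auth option are handed to the request; if both can ever be configured, state which one wins or make them mutually exclusive.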
@@ -204,7 +204,8 @@ module Inspec
204
204
 
205
205
  def self.from_yaml(ref, content, profile_id, logger = nil)
206
206
  res = Metadata.new(ref, logger)
207
- res.params = YAML.load(content)
207
+ require 'erb'
208
+ res.params = YAML.load(ERB.new(content).result)
208
209
  res.content = content
209
210
  finalize(res, profile_id, {}, logger)
210
211
  end
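Review bot: `ERB.new(content).result` evaluates any Ruby embedded in `inspec.yml` with `TOPLEVEL_BINDING` for every profile that is loaded, including dependencies pulled from `url`, `git` or a compliance server, so reading profile metadata now implies executing code from that profile. That matches InSpec already running a profile's controls, but it is a trust-boundary change that deserves a sentence in the changelog and docs, and an existing `inspec.yml` containing a literal `<%` (for example in `summary`) will now be rewritten or fail to render. Keeping the unrendered text in `res.content` is the right choice, since it avoids persisting rendered secrets. Style: move `require 'erb'` to the top of the file.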
@@ -229,7 +229,7 @@ module Inspec
229
229
  info(load_params.dup)
230
230
  end
231
231
 
232
- def info(res = params.dup)
232
+ def info(res = params.dup) # rubocop:disable Metrics/CyclomaticComplexity
233
233
  # add information about the controls
234
234
  res[:controls] = res[:controls].map do |id, rule|
235
235
  next if id.to_s.empty?
@@ -252,6 +252,15 @@ module Inspec
252
252
  res[:attributes] = res[:attributes].map(&:to_hash) unless res[:attributes].nil? || res[:attributes].empty?
253
253
  res[:sha256] = sha256
254
254
  res[:parent_profile] = parent_profile unless parent_profile.nil?
255
+
256
+ # convert legacy os-* supports to their platform counterpart
257
+ if res[:supports] && !res[:supports].empty?
258
+ res[:supports].each do |support|
259
+ support[:"platform-family"] = support.delete(:"os-family") if support.key?(:"os-family")
260
+ support[:"platform-name"] = support.delete(:"os-name") if support.key?(:"os-name")
261
+ end
262
+ end
263
+
255
264
  res
256
265
  end
257
266
 
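Review bot: the conversion uses symbol keys (`:"os-family"`, `:"platform-family"`), while the schema hunk in `Inspec::Schema` declares the same fields with string keys (`'os-family'`), so this block only takes effect if `res[:supports]` entries have been symbolised before `info` runs; a test with a YAML-loaded profile would confirm that. When an entry carries both `os-family` and `platform-family`, `support[:"platform-family"] = support.delete(:"os-family")` silently overwrites the newer key; prefer keeping `platform-family` and warning that the legacy key was ignored.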
@@ -227,9 +227,10 @@ module Inspec
227
227
  # all checks that were defined in the destination
228
228
  sc = checks(src)
229
229
  dst.instance_variable_set(:@__checks, sc) unless sc.empty?
230
- # we need only the value of result not the Hash containing value and message
231
- sr = skip_status(src)[:result]
232
- set_skip_rule(dst, sr) unless sr.nil?
230
+ skip_check = skip_status(src)
231
+ sr = skip_check[:result]
232
+ msg = skip_check[:message]
233
+ set_skip_rule(dst, sr, msg) unless sr.nil?
233
234
 
234
235
  # Save merge history
235
236
  dst.instance_variable_set(:@__merge_count, merge_count(dst) + 1)
@@ -102,7 +102,12 @@ module Inspec
102
102
  'type' => 'object',
103
103
  'additionalProperties' => false,
104
104
  'properties' => {
105
+ 'platform-family' => { 'type' => 'string', 'optional' => true },
106
+ 'platform-name' => { 'type' => 'string', 'optional' => true },
107
+ 'platform' => { 'type' => 'string', 'optional' => true },
108
+ # os-* supports are being deprecated
105
109
  'os-family' => { 'type' => 'string', 'optional' => true },
110
+ 'os-name' => { 'type' => 'string', 'optional' => true },
106
111
  },
107
112
  }.freeze
108
113
 
@@ -4,5 +4,5 @@
4
4
  # author: Christoph Hartmann
5
5
 
6
6
  module Inspec
7
- VERSION = '2.2.70'
7
+ VERSION = '2.2.78'
8
8
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: inspec
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.2.70
4
+ version: 2.2.78
5
5
  platform: ruby
6
6
  authors:
7
7
  - Dominik Richter
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2018-08-23 00:00:00.000000000 Z
11
+ date: 2018-08-30 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: train
@@ -19,7 +19,7 @@ dependencies:
19
19
  version: '1.4'
20
20
  - - ">="
21
21
  - !ruby/object:Gem::Version
22
- version: 1.4.15
22
+ version: 1.4.35
23
23
  type: :runtime
24
24
  prerelease: false
25
25
  version_requirements: !ruby/object:Gem::Requirement
@@ -29,7 +29,7 @@ dependencies:
29
29
  version: '1.4'
30
30
  - - ">="
31
31
  - !ruby/object:Gem::Version
32
- version: 1.4.15
32
+ version: 1.4.35
33
33
  - !ruby/object:Gem::Dependency
34
34
  name: thor
35
35
  requirement: !ruby/object:Gem::Requirement