inspec 2.3.10 → 2.3.23

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d261f57b62c68d93b2eae0ac5638f4a629bb79957706cc69076c104cf48275a2
-  data.tar.gz: 3e56e8f8d99b7ffccd9cd3e2987728c81515170e78d0f00edd088cda80f606ab
+  metadata.gz: bb147670fb50f5098fa9bedd9800c529d2e1d93a56e2b80770089f6713dd99fc
+  data.tar.gz: c7af0a7c8d4518f20c03ff338ac940ae4a2d70834c3b53d8951a3d16abd4a024
 SHA512:
-  metadata.gz: 6ad6c74ff0b50cc206aa2611aa0230aeaafbbb62cdeba18044437f2d482ccf3392d07b6cb8d1b2fadb5b6634a7cb2502808cd11f1de387158b6db981f2fac8ef
-  data.tar.gz: ee8921329a5652a91cce8a7d9720da31be2a2aae5b50af909a7f073ae1296177c8060f0ca3650eaf63b12f873fc59413e92b52c9d5221bc92cbdb3dc200018e9
+  metadata.gz: d47c6b4fc24e3541723e19ad6656629b82429a3b22530bcd8a1c2fe3a4dcfc876797ea41eafa6eb0f36c778a1d79e07ef6e23735b0d9a8b2fff73d16a14c5ae2
+  data.tar.gz: 3e996b5ac2419172aeae1d164531d38c6a2dc1564c2ae203793699fb2bf6fefff5646c6ef00e93011af3b6f1e7b43d86fb83c9655aebf9053d451ac26213d70d

data/CHANGELOG.md

@@ -1,33 +1,54 @@
 # Change Log
 <!-- usage documentation: http://expeditor-docs.es.chef.io/configuration/changelog/ -->
-<!-- latest_release 2.3.10 -->
-## [v2.3.10](https://github.com/inspec/inspec/tree/v2.3.10) (2018-10-04)
+<!-- latest_release 2.3.23 -->
+## [v2.3.23](https://github.com/inspec/inspec/tree/v2.3.23) (2018-10-12)
 
-#### Enhancements
-- Move compliance to v2 plugin  [#3423](https://github.com/inspec/inspec/pull/3423) ([jquick](https://github.com/jquick))
+#### Merged Pull Requests
+- Fix plugin issues on omni builds [#3499](https://github.com/inspec/inspec/pull/3499) ([jquick](https://github.com/jquick))
 <!-- latest_release -->
 
-<!-- release_rollup since=2.3.5 -->
-### Changes since 2.3.5 release
+<!-- release_rollup since=2.3.10 -->
+### Changes since 2.3.10 release
+
+#### Enhancements
+- Plugins: Filter Plugins During Search and Install [#3458](https://github.com/inspec/inspec/pull/3458) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 2.3.20 -->
 
 #### Bug Fixes
-- Fix distinct_exit cli desc to reflect reality [#3463](https://github.com/inspec/inspec/pull/3463) ([teknofire](https://github.com/teknofire)) <!-- 2.3.8 -->
+- Backport compliance namespace and add testing for A2 audit report. [#3493](https://github.com/inspec/inspec/pull/3493) ([jquick](https://github.com/jquick)) <!-- 2.3.21 -->
+- Fix error on empty attributes yaml [#3485](https://github.com/inspec/inspec/pull/3485) ([jquick](https://github.com/jquick)) <!-- 2.3.19 -->
+- small fix - update to AlpinePkg Class  [#3483](https://github.com/inspec/inspec/pull/3483) ([aaronlippold](https://github.com/aaronlippold)) <!-- 2.3.16 -->
 
 #### Merged Pull Requests
-- Fix `attribute` with empty hash regression [#3454](https://github.com/inspec/inspec/pull/3454) ([jerryaldrichiii](https://github.com/jerryaldrichiii)) <!-- 2.3.7 -->
+- Fix plugin issues on omni builds [#3499](https://github.com/inspec/inspec/pull/3499) ([jquick](https://github.com/jquick)) <!-- 2.3.23 -->
+- Set a static node GUID for travis runs [#3497](https://github.com/inspec/inspec/pull/3497) ([jquick](https://github.com/jquick)) <!-- 2.3.22 -->
+- docs: Add version to multiple descriptions doc [#3477](https://github.com/inspec/inspec/pull/3477) ([jerryaldrichiii](https://github.com/jerryaldrichiii)) <!-- 2.3.18 -->
+- Skip running appveyor on docs and examples [#3474](https://github.com/inspec/inspec/pull/3474) ([btm](https://github.com/btm)) <!-- 2.3.17 -->
+- Remove &#39;demo&#39; from website. [#3475](https://github.com/inspec/inspec/pull/3475) ([miah](https://github.com/miah)) <!-- 2.3.15 -->
+- Enable compression for deb/rpm packages [#3472](https://github.com/inspec/inspec/pull/3472) ([tas50](https://github.com/tas50)) <!-- 2.3.14 -->
+- Fix Packages Resource Docs [#3469](https://github.com/inspec/inspec/pull/3469) ([pwelch](https://github.com/pwelch)) <!-- 2.3.13 -->
+- Exclude docs and examples from the gem [#3471](https://github.com/inspec/inspec/pull/3471) ([tas50](https://github.com/tas50)) <!-- 2.3.12 -->
+- Fix archive with required attributes [#3468](https://github.com/inspec/inspec/pull/3468) ([jquick](https://github.com/jquick)) <!-- 2.3.11 -->
+<!-- release_rollup -->
+
+<!-- latest_stable_release -->
+## [v2.3.10](https://github.com/inspec/inspec/tree/v2.3.10) (2018-10-04)
 
 #### Enhancements
-- Move compliance to v2 plugin  [#3423](https://github.com/inspec/inspec/pull/3423) ([jquick](https://github.com/jquick)) <!-- 2.3.10 -->
-- Support finding larger processes on Busybox [#3446](https://github.com/inspec/inspec/pull/3446) ([RoboticCheese](https://github.com/RoboticCheese)) <!-- 2.3.9 -->
-- Modify `cmp` matcher output to use `.inspect` [#3450](https://github.com/inspec/inspec/pull/3450) ([jerryaldrichiii](https://github.com/jerryaldrichiii)) <!-- 2.3.6 -->
-<!-- release_rollup -->
+- Modify `cmp` matcher output to use `.inspect` [#3450](https://github.com/inspec/inspec/pull/3450) ([jerryaldrichiii](https://github.com/jerryaldrichiii))
+- Support finding larger processes on Busybox [#3446](https://github.com/inspec/inspec/pull/3446) ([RoboticCheese](https://github.com/RoboticCheese))
+- Move compliance to v2 plugin  [#3423](https://github.com/inspec/inspec/pull/3423) ([jquick](https://github.com/jquick))
+
+#### Bug Fixes
+- Fix distinct_exit cli desc to reflect reality [#3463](https://github.com/inspec/inspec/pull/3463) ([teknofire](https://github.com/teknofire))
 
+#### Merged Pull Requests
+- Fix `attribute` with empty hash regression [#3454](https://github.com/inspec/inspec/pull/3454) ([jerryaldrichiii](https://github.com/jerryaldrichiii))
 <!-- latest_stable_release -->
+
 ## [v2.3.5](https://github.com/inspec/inspec/tree/v2.3.5) (2018-10-01)
 
 #### Bug Fixes
 - Update plugin gem install code [#3453](https://github.com/inspec/inspec/pull/3453) ([jquick](https://github.com/jquick))
-<!-- latest_stable_release -->
 
 ## [v2.3.4](https://github.com/inspec/inspec/tree/v2.3.4) (2018-09-28)
 

data/etc/plugin_filters.json

@@ -0,0 +1,25 @@
+{
+  "file_version": "1.0.0",
+  "exclude": [
+    {
+      "plugin_name": "inspec-core",
+      "rationale": "This gem is a stripped-down alternate packaging of InSpec. It is not a plugin."
+    },
+    {
+      "plugin_name": "inspec-multi-server",
+      "rationale": "This gem is a script that attempts to drive a parallel execution of InSpec by wrapping and forking. It is not a plugin."
+    },
+    {
+      "plugin_name": "train-tax-calculator",
+      "rationale": "This gem is a tax calculation tool for the Philippines. It has nothing to do the Chef Train remote execution framework, or the InSpec project."
+    },
+    {
+      "plugin_name": "inspec-plugin-example",
+      "rationale": "This gem is an early self-taught example of a v1 plugin. Please use inspec-resource-lister as an example for PluginV2 development."
+    },
+    {
+      "plugin_name": "train-core",
+      "rationale": "This gem is a stripped-down alternate packaging of Train. It is not a plugin."
+    }
+  ]
+}

data/inspec.gemspec

@@ -10,14 +10,14 @@ Gem::Specification.new do |spec|
   spec.email         = ['dominik.richter@gmail.com']
   spec.summary       = 'Infrastructure and compliance testing.'
   spec.description   = 'InSpec provides a framework for creating end-to-end infrastructure tests. You can use it for integration or even compliance testing. Create fully portable test profiles and use them in your workflow to ensure stability and security. Integrate InSpec in your change lifecycle for local testing, CI/CD, and deployment verification.'
-  spec.homepage      = 'https://github.com/chef/inspec'
+  spec.homepage      = 'https://github.com/inspec/inspec'
   spec.license       = 'Apache-2.0'
 
   spec.files = %w{
-    README.md Rakefile MAINTAINERS.toml MAINTAINERS.md LICENSE inspec.gemspec
+    README.md Rakefile MAINTAINERS.md LICENSE inspec.gemspec
     Gemfile CHANGELOG.md .rubocop.yml
   } + Dir.glob(
-    '{bin,docs,examples,lib}/**/*', File::FNM_DOTMATCH
+    '{bin,lib,etc}/**/*', File::FNM_DOTMATCH
   ).reject { |f| File.directory?(f) }
 
   spec.executables   = %w{inspec}

data/lib/bundles/inspec-compliance/api.rb

@@ -2,3 +2,6 @@
 # TODO: Remove in inspec 4.0
 
 require 'plugins/inspec-compliance/lib/inspec-compliance/api'
+
+# Backport old namespace
+Compliance = InspecPlugins::Compliance unless defined?(Compliance)

data/lib/bundles/inspec-compliance/configuration.rb

@@ -2,3 +2,6 @@
 # TODO: Remove in inspec 4.0
 
 require 'plugins/inspec-compliance/lib/inspec-compliance/configuration'
+
+# Backport old namespace
+Compliance = InspecPlugins::Compliance unless defined?(Compliance)

data/lib/bundles/inspec-compliance/http.rb

@@ -2,3 +2,6 @@
 # TODO: Remove in inspec 4.0
 
 require 'plugins/inspec-compliance/lib/inspec-compliance/http'
+
+# Backport old namespace
+Compliance = InspecPlugins::Compliance unless defined?(Compliance)

data/lib/bundles/inspec-compliance/support.rb

@@ -2,3 +2,6 @@
 # TODO: Remove in inspec 4.0
 
 require 'plugins/inspec-compliance/lib/inspec-compliance/support'
+
+# Backport old namespace
+Compliance = InspecPlugins::Compliance unless defined?(Compliance)

data/lib/bundles/inspec-compliance/target.rb

@@ -2,3 +2,6 @@
 # TODO: Remove in inspec 4.0
 
 require 'plugins/inspec-compliance/lib/inspec-compliance/target'
+
+# Backport old namespace
+Compliance = InspecPlugins::Compliance unless defined?(Compliance)

data/lib/inspec/objects/attribute.rb

@@ -89,6 +89,9 @@ module Inspec
     private
 
     def validate_required(value)
+      # skip if we are not doing an exec call (archive/vendor/check)
+      return unless Inspec::BaseCLI.inspec_cli_command == :exec
+
       # value will be set already if a secrets file was passed in
       if (!@opts.key?(:default) && value.nil?) || (@opts[:default].nil? && value.nil?)
         error = Inspec::Attribute::RequiredError.new

data/lib/inspec/plugin/v2.rb

@@ -11,6 +11,9 @@ module Inspec
         attr_accessor :version
       end
       class InstallError < Inspec::Plugin::V2::GemActionError; end
+      class PluginExcludedError < Inspec::Plugin::V2::InstallError
+        attr_accessor :details
+      end
       class UpdateError < Inspec::Plugin::V2::GemActionError
         attr_accessor :from_version, :to_version
       end

data/lib/inspec/plugin/v2/filter.rb

@@ -0,0 +1,62 @@
+require 'singleton'
+require 'json'
+require 'inspec/globals'
+
+module Inspec::Plugin::V2
+  Exclusion = Struct.new(:plugin_name, :rationale)
+
+  class PluginFilter
+    include Singleton
+    def initialize
+      read_filter_data
+    end
+
+    def self.exclude?(plugin_name)
+      instance.exclude?(plugin_name)
+    end
+
+    def exclude?(plugin_name)
+      # Currently, logic is very simple: is there an exact match?
+      # In the future, we might add regexes on names, or exclude version ranges
+      return false unless @filter_data[:exclude].detect { |e| e.plugin_name == plugin_name }
+
+      # OK, return entire data structure.
+      @filter_data[:exclude].detect { |e| e.plugin_name == plugin_name }
+    end
+
+    private
+
+    def read_filter_data
+      path = File.join(Inspec.src_root, 'etc', 'plugin_filters.json')
+      @filter_data = JSON.parse(File.read(path))
+
+      unless @filter_data['file_version'] == '1.0.0'
+        raise Inspec::Plugin::V2::ConfigError, "Unknown plugin fillter file format at #{path}"
+      end
+
+      validate_plugin_filter_file('1.0.0')
+
+      @filter_data[:exclude] = @filter_data['exclude'].map do |entry|
+        Exclusion.new(entry['plugin_name'], entry['rationale'])
+      end
+      @filter_data.delete('exclude')
+    end
+
+    def validate_plugin_filter_file(_file_version)
+      unless @filter_data.key?('exclude') && @filter_data['exclude'].is_a?(Array)
+        raise Inspec::Plugin::V2::ConfigError, 'Unknown plugin fillter file format: expected "exclude" to be an array'
+      end
+      @filter_data['exclude'].each_with_index do |entry, idx|
+        unless entry.is_a? Hash
+          raise Inspec::Plugin::V2::ConfigError, "Unknown plugin fillter file format: expected entry #{idx} to be a Hash / JS Object"
+        end
+        unless entry.key?('plugin_name')
+          raise Inspec::Plugin::V2::ConfigError, "Unknown plugin fillter file format: expected entry #{idx} to have a \"plugin_name\" field"
+        end
+        unless entry.key?('rationale')
+          raise Inspec::Plugin::V2::ConfigError, "Unknown plugin fillter file format: expected entry #{idx} to have a \"rationale\" field"
+        end
+      end
+    end
+  end
+end

data/lib/inspec/plugin/v2/installer.rb

@@ -9,6 +9,8 @@ require 'rubygems/package'
 require 'rubygems/name_tuple'
 require 'rubygems/uninstaller'
 
+require 'inspec/plugin/v2/filter'
+
 module Inspec::Plugin::V2
   # Handles all actions modifying the user's plugin set:
   # * Modifying the plugins.json file
@@ -127,7 +129,7 @@ module Inspec::Plugin::V2
       else
         regex = Regexp.new('^' + plugin_query + '.*')
         matched_tuples = fetcher.detect(opts[:scope]) do |tuple|
-          tuple.name != 'inspec-core' && tuple.name =~ regex
+          tuple.name =~ regex && !Inspec::Plugin::V2::PluginFilter.exclude?(tuple.name)
         end
       end
 
@@ -193,6 +195,13 @@ module Inspec::Plugin::V2
           raise InstallError, "#{plugin_name} is already installed. Use 'inspec plugin update' to change version."
         end
       end
+
+      reason = Inspec::Plugin::V2::PluginFilter.exclude?(plugin_name)
+      if reason
+        ex = PluginExcludedError.new("Refusing to install #{plugin_name}.  It is on the Plugin Exclusion List.  Rationale: #{reason.rationale}")
+        ex.details = reason
+        raise ex
+      end
     end
     # rubocop: enable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity, Metrics/AbcSize
 
@@ -386,10 +395,21 @@ module Inspec::Plugin::V2
     class InstalledVendorSet < Gem::Resolver::VendorSet
       def initialize
         super
+
         Gem::Specification.find_all do |spec|
           @specs[spec.name] = spec
           @directories[spec] = spec.gem_dir
         end
+
+        if !defined?(::Bundler)
+          directories = Gem::Specification.dirs.find_all do |path|
+            !path.start_with?(Gem.user_dir)
+          end
+          Gem::Specification.each_spec(directories) do |spec|
+            @specs[spec.name] = spec
+            @directories[spec] = spec.gem_dir
+          end
+        end
       end
     end
 

data/lib/inspec/plugin/v2/loader.rb

@@ -31,6 +31,10 @@ module Inspec::Plugin::V2
     end
 
     def load_all
+      # This fixes the gem paths on some bundles
+      Gem.path << plugin_gem_path
+      Gem.refresh
+
       # Be careful not to actually iterate directly over the registry here;
       # we want to allow "sidecar loading", in which case a plugin may add an entry to the registry.
       registry.plugin_names.dup.each do |plugin_name|

data/lib/inspec/profile.rb

@@ -126,12 +126,14 @@ module Inspec
     end
 
     def register_metadata_attributes
-      if metadata.params.key?(:attributes)
+      if metadata.params.key?(:attributes) && metadata.params[:attributes].is_a?(Array)
         metadata.params[:attributes].each do |attribute|
           attr_dup = attribute.dup
           name = attr_dup.delete(:name)
           @runner_context.register_attribute(name, attr_dup)
         end
+      elsif metadata.params.key?(:attributes)
+        Inspec::Log.warn 'Attributes must be defined as an Array. Skipping current definition.'
       end
     end
 

data/lib/inspec/version.rb

@@ -4,5 +4,5 @@
 # author: Christoph Hartmann
 
 module Inspec
-  VERSION = '2.3.10'
+  VERSION = '2.3.23'
 end

data/lib/plugins/inspec-plugin-manager-cli/lib/inspec-plugin-manager-cli/cli_command.rb

@@ -1,5 +1,6 @@
 require 'term/ansicolor'
 require 'pathname'
+require 'inspec/plugin/v2'
 require 'inspec/plugin/v2/installer'
 
 module InspecPlugins
@@ -35,16 +36,30 @@ module InspecPlugins
       #                        inspec plugin search
       #==================================================================#
 
-      desc 'search [options] PATTERN', 'Searches rubygems.org for InSpec plugins. Exits 0 on a search hit, exits 2 on a search miss.'
+      desc 'search [options] PATTERN', 'Searches rubygems.org for plugins.'
+      long_desc <<~EOLD
+        Searches rubygems.org for InSpec plugins. Exits 0 on a search hit, 1 on user error,
+        2 on a search miss. PATTERN is a simple string; a wildcard will be added as
+        a suffix, unless -e is used.
+      EOLD
       option :all, desc: 'List all available versions, not just the latest one.', type: :boolean, aliases: [:a]
       option :exact, desc: 'Assume PATTERN is exact; do not add a wildcard to the end', type: :boolean, aliases: [:e]
+      option :'include-test-fixture', type: :boolean, desc: 'Internal use', hide: true
       # Justification for disabling ABC: currently at 33.51/33
       def search(search_term) # rubocop: disable Metrics/AbcSize
         search_results = installer.search(search_term, exact: options[:exact])
+        # The search results have already been filtered by the reject list.  But the
+        # RejectList doesn't filter {inspec, train}-test-fixture because we need those
+        # for testing.  We want to hide those from users, so unless we know we're in
+        # test mode, remove them.
+        unless options[:'include-test-fixture']
+          search_results.delete('inspec-test-fixture')
+          search_results.delete('train-test-fixture')
+        end
 
         # TODO: ui object support
         puts
-        puts(bold { format(' %-30s%-50s%', 'Plugin Name', 'Versions Available') })
+        puts(bold { format(' %-30s%-50s', 'Plugin Name', 'Versions Available') })
         puts '-' * 55
         search_results.keys.sort.each do |plugin_name|
           versions = options[:all] ? search_results[plugin_name] : [search_results[plugin_name].first]
@@ -342,8 +357,15 @@ module InspecPlugins
         exit 2
       end
 
-      def install_attempt_install(plugin_name)
+      # Rationale for RuboCop variance: This is a one-line method with heavy UX-focused error handling.
+      def install_attempt_install(plugin_name) # rubocop: disable Metrics/AbcSize
         installer.install(plugin_name, version: options[:version])
+      rescue Inspec::Plugin::V2::PluginExcludedError => ex
+        puts(red { 'Plugin on Exclusion List' } + " - #{plugin_name} is listed as an incompatible gem - refusing to install.")
+        puts "Rationale: #{ex.details.rationale}"
+        puts 'Exclusion list location: ' + File.join(Inspec.src_root, 'etc', 'plugin_filters.json')
+        puts 'If you disagree with this determination, please accept our apologies for the misunderstanding, and open an issue at https://github.com/inspec/inspec/issues/new'
+        exit 2
       rescue Inspec::Plugin::V2::InstallError
         results = installer.search(plugin_name, exact: true)
         if results.empty?

data/lib/plugins/inspec-plugin-manager-cli/test/functional/inspec-plugin_test.rb

@@ -143,8 +143,14 @@ class PluginManagerCliSearch < MiniTest::Test
   include CorePluginFunctionalHelper
   include PluginManagerHelpers
 
+  # TODO: Thor can't hide options, but we wish it could.
+  # def test_search_include_fixture_hidden_option
+  #   result = run_inspec_process_with_this_plugin('plugin help search')
+  #   refute_includes result.stdout, '--include-test-fixture'
+  # end
+
   def test_search_for_a_real_gem_with_full_name_no_options
-    result = run_inspec_process('plugin search inspec-test-fixture')
+    result = run_inspec_process('plugin search --include-test-fixture inspec-test-fixture')
     assert_equal 0, result.exit_status, 'Search should exit 0 on a hit'
     assert_includes result.stdout, 'inspec-test-fixture', 'Search result should contain the gem name'
     assert_includes result.stdout, '1 plugin(s) found', 'Search result should find 1 plugin'
@@ -153,7 +159,7 @@ class PluginManagerCliSearch < MiniTest::Test
   end
 
   def test_search_for_a_real_gem_with_stub_name_no_options
-    result = run_inspec_process('plugin search inspec-test-')
+    result = run_inspec_process('plugin search --include-test-fixture inspec-test-')
     assert_equal 0, result.exit_status, 'Search should exit 0 on a hit'
     assert_includes result.stdout, 'inspec-test-fixture', 'Search result should contain the gem name'
     assert_includes result.stdout, '1 plugin(s) found', 'Search result should find 1 plugin'
@@ -163,26 +169,26 @@ class PluginManagerCliSearch < MiniTest::Test
   end
 
   def test_search_for_a_real_gem_with_full_name_and_exact_option
-    result = run_inspec_process('plugin search --exact inspec-test-fixture')
+    result = run_inspec_process('plugin search --exact --include-test-fixture inspec-test-fixture')
     assert_equal 0, result.exit_status, 'Search should exit 0 on a hit'
     assert_includes result.stdout, 'inspec-test-fixture', 'Search result should contain the gem name'
     assert_includes result.stdout, '1 plugin(s) found', 'Search result should find 1 plugin'
 
-    result = run_inspec_process('plugin search -e inspec-test-fixture')
+    result = run_inspec_process('plugin search -e --include-test-fixture inspec-test-fixture')
     assert_equal 0, result.exit_status, 'Search should exit 0 on a hit'
   end
 
   def test_search_for_a_real_gem_with_stub_name_and_exact_option
-    result = run_inspec_process('plugin search --exact inspec-test-')
+    result = run_inspec_process('plugin search --exact --include-test-fixture inspec-test-')
     assert_equal 2, result.exit_status, 'Search should exit 2 on a miss'
     assert_includes result.stdout, '0 plugin(s) found', 'Search result should find 0 plugins'
 
-    result = run_inspec_process('plugin search -e inspec-test-')
+    result = run_inspec_process('plugin search -e --include-test-fixture inspec-test-')
     assert_equal 2, result.exit_status, 'Search should exit 2 on a miss'
   end
 
   def test_search_for_a_real_gem_with_full_name_and_all_option
-    result = run_inspec_process('plugin search --all inspec-test-fixture')
+    result = run_inspec_process('plugin search --all --include-test-fixture inspec-test-fixture')
     assert_equal 0, result.exit_status, 'Search should exit 0 on a hit'
     assert_includes result.stdout, 'inspec-test-fixture', 'Search result should contain the gem name'
     assert_includes result.stdout, '1 plugin(s) found', 'Search result should find 1 plugin'
@@ -190,24 +196,24 @@ class PluginManagerCliSearch < MiniTest::Test
     line = result.stdout.split("\n").grep(/inspec-test-fixture/).first
     assert_match(/\s*inspec-test-fixture\s+\((\d+\.\d+\.\d+(,\s)?){2,}\)/,line,'Plugin line should include name and at least two versions')
 
-    result = run_inspec_process('plugin search -a inspec-test-fixture')
+    result = run_inspec_process('plugin search -a --include-test-fixture inspec-test-fixture')
     assert_equal 0, result.exit_status, 'Search should exit 0 on a hit'
   end
 
   def test_search_for_a_gem_with_missing_prefix
-    result = run_inspec_process('plugin search test-fixture')
+    result = run_inspec_process('plugin search --include-test-fixture test-fixture')
     assert_equal 1, result.exit_status, 'Search should exit 1 on user error'
     assert_includes result.stdout, "All inspec plugins must begin with either 'inspec-' or 'train-'"
   end
 
   def test_search_for_a_gem_that_does_not_exist
-    result = run_inspec_process('plugin search inspec-test-fixture-nonesuch')
+    result = run_inspec_process('plugin search --include-test-fixture inspec-test-fixture-nonesuch')
     assert_equal 2, result.exit_status, 'Search should exit 2 on a miss'
     assert_includes result.stdout, '0 plugin(s) found', 'Search result should find 0 plugins'
   end
 
   def test_search_for_a_real_gem_with_full_name_no_options_and_train_name
-    result = run_inspec_process('plugin search train-test-fixture')
+    result = run_inspec_process('plugin search --include-test-fixture train-test-fixture')
     assert_equal 0, result.exit_status, 'Search should exit 0 on a hit'
     assert_includes result.stdout, 'train-test-fixture', 'Search result should contain the gem name'
     assert_includes result.stdout, '1 plugin(s) found', 'Search result should find 1 plugin'
@@ -215,6 +221,28 @@ class PluginManagerCliSearch < MiniTest::Test
     assert_match(/\s*train-test-fixture\s+\((\d+\.\d+\.\d+){1}\)/,line,'Plugin line should include name and exactly one version')
   end
 
+  def test_search_omit_excluded_inspec_plugins
+    result = run_inspec_process('plugin search --include-test-fixture inspec-')
+    assert_equal 0, result.exit_status, 'Search should exit 0'
+    assert_includes result.stdout, 'inspec-test-fixture', 'Search result should contain the test gem'
+    [
+      'inspec-core',
+      'inspec-multi-server',
+    ].each do |plugin_name|
+      refute_includes result.stdout, plugin_name, 'Search result should not contain excluded gems'
+    end
+  end
+  def test_search_for_a_real_gem_with_full_name_no_options_filter_fixtures
+    result = run_inspec_process('plugin search inspec-test-fixture')
+    refute_includes result.stdout, 'inspec-test-fixture', 'Search result should not contain the fixture gem name'
+  end
+
+  def test_search_for_a_real_gem_with_full_name_no_options_filter_fixtures_train
+    result = run_inspec_process('plugin search train-test-fixture')
+    refute_includes result.stdout, 'train-test-fixture', 'Search result should not contain the fixture gem name'
+  end
+
+
 end
 
 #-----------------------------------------------------------------------------------------#
@@ -513,6 +541,32 @@ class PluginManagerCliInstall < MiniTest::Test
     refute_nil itf_line, 'train-test-fixture should now appear in the output of inspec list'
     assert_match(/\s*train-test-fixture\s+0.1.0\s+gem\s+/, itf_line, 'list output should show that it is a gem installation with version')
   end
+
+  def test_refuse_install_when_plugin_on_exclusion_list
+
+    # Here, 'inspec-core', 'inspec-multi-server', and 'train-tax-collector'
+    # are the names of real rubygems.  They are not InSpec/Train plugins, though,
+    # and installing them would be a jam-up.
+    # This is configured in 'etc/plugin-filter.json'.
+    [
+      'inspec-core',
+      'inspec-multi-server',
+      'train-tax-calculator',
+    ].each do |plugin_name|
+      install_result = run_inspec_process_with_this_plugin("plugin install #{plugin_name}")
+      assert_empty install_result.stderr
+      assert_equal 2, install_result.exit_status, 'Exit status should be 2'
+
+      refusal_message = install_result.stdout
+      refute_nil refusal_message, 'Should find a failure message at the end'
+      assert_includes refusal_message, plugin_name
+      assert_includes refusal_message, 'Plugin on Exclusion List'
+      assert_includes refusal_message, 'refusing to install'
+      assert_includes refusal_message, 'Rationale:'
+      assert_includes refusal_message, 'etc/plugin_filters.json'
+      assert_includes refusal_message, 'github.com/inspec/inspec/issues/new'
+    end
+  end
 end