inspec 3.0.25 → 3.0.46

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 700c2c2e139df82d21cd61a364c6c5bb6196fbdde2cfc9744158393016517829
-  data.tar.gz: 692f3fe6d15c7b53ba72c6021f94be6f68221c9ca968b0afe57f01a9309c259d
+  metadata.gz: 5ff447f7ae9aa9544f0e511e2d5d07f2e52015e031f33fdde47e578b3f1a7ed8
+  data.tar.gz: 94a76db1779ffcf1e6b74101e064891578e30e74f18c3d6dc87d9a0dfb1e593f
 SHA512:
-  metadata.gz: 2821d882bee10794b31c1df6953faec5ae3a7ef67b011f64744cce1aa896c65160895258c349ae56115b77c3245ba2d44d8780e760f023683b91aad3acc8f187
-  data.tar.gz: 9d53539b5fe2f7083bca609663fd6e883de379146d9c97e82edd808be123b55db28de54ace378641998dcf36185bebddb15f12fdf46cf9e6c92ce07febeb49d3
+  metadata.gz: 052a13a474764ee9857ade3a9caef06204a568d48a254f85f753d8ccfa6051b6214268e007acdf051fc8fc0699bb18680b92acd870cab2889e1e24037ceabafb
+  data.tar.gz: 3ce8e4121cd642573a713d365e9bdb1624c0ab145b81c42ce608e2a57705a0fa80356731d94d88367d23ce84b7af0b5b18ca399471de50f0db9c074fb715409f

data/CHANGELOG.md

@@ -1,31 +1,53 @@
 # Change Log
 <!-- usage documentation: http://expeditor-docs.es.chef.io/configuration/changelog/ -->
-<!-- latest_release 3.0.25 -->
-## [v3.0.25](https://github.com/inspec/inspec/tree/v3.0.25) (2018-11-01)
+<!-- latest_release 3.0.46 -->
+## [v3.0.46](https://github.com/inspec/inspec/tree/v3.0.46) (2018-11-08)
 
-#### Merged Pull Requests
-- bump expeditor version [#3569](https://github.com/inspec/inspec/pull/3569) ([jquick](https://github.com/jquick))
+#### New Features
+- Add Git SSH and HTTP basic auth support to `inspec exec` [#3562](https://github.com/inspec/inspec/pull/3562) ([jerryaldrichiii](https://github.com/jerryaldrichiii))
 <!-- latest_release -->
 
-<!-- release_rollup since=3.0.12 -->
-### Changes since 3.0.12 release
+<!-- release_rollup since=3.0.25 -->
+### Changes since 3.0.25 release
+
+#### New Features
+- Add Git SSH and HTTP basic auth support to `inspec exec` [#3562](https://github.com/inspec/inspec/pull/3562) ([jerryaldrichiii](https://github.com/jerryaldrichiii)) <!-- 3.0.46 -->
 
 #### Bug Fixes
-- Change usage of `Dir.home` to `Inspec.config_dir` [#3567](https://github.com/inspec/inspec/pull/3567) ([jerryaldrichiii](https://github.com/jerryaldrichiii)) <!-- 3.0.19 -->
+- port: Correctly detect FreeBSD [#3579](https://github.com/inspec/inspec/pull/3579) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 3.0.43 -->
+- Update iis_site bindingInformation construction and add tests [#3492](https://github.com/inspec/inspec/pull/3492) ([mrshanahan](https://github.com/mrshanahan)) <!-- 3.0.40 -->
+- Silence RSpec &#39;should&#39; Warning [#3560](https://github.com/inspec/inspec/pull/3560) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 3.0.29 -->
 
 #### Enhancements
-- Allow help args after Thor commands [#3553](https://github.com/inspec/inspec/pull/3553) ([jquick](https://github.com/jquick)) <!-- 3.0.17 -->
-- ✓ adds additional checks for vendored profiles [#3362](https://github.com/inspec/inspec/pull/3362) ([chris-rock](https://github.com/chris-rock)) <!-- 3.0.14 -->
+- Allow add_test to accept negation [#3586](https://github.com/inspec/inspec/pull/3586) ([rachelrice](https://github.com/rachelrice)) <!-- 3.0.37 -->
+- Added xml resource support for ints, bools, and string responses [#3583](https://github.com/inspec/inspec/pull/3583) ([greenantdotcom](https://github.com/greenantdotcom)) <!-- 3.0.34 -->
+- Add only_if to Inspec objects [#3577](https://github.com/inspec/inspec/pull/3577) ([james-stocks](https://github.com/james-stocks)) <!-- 3.0.31 -->
+- aws_vpc: accept 17 hexadecimal characters for vpc_id [#3564](https://github.com/inspec/inspec/pull/3564) ([kchistova](https://github.com/kchistova)) <!-- 3.0.28 -->
 
 #### Merged Pull Requests
-- bump expeditor version [#3569](https://github.com/inspec/inspec/pull/3569) ([jquick](https://github.com/jquick)) <!-- 3.0.25 -->
-- Pin to train 1.5.6 [#3568](https://github.com/inspec/inspec/pull/3568) ([jquick](https://github.com/jquick)) <!-- 3.0.18 -->
-- Allow end of options during Thor array parsing [#3547](https://github.com/inspec/inspec/pull/3547) ([jquick](https://github.com/jquick)) <!-- 3.0.16 -->
-- Modernize omnibus config and reduce omnibus package size [#3543](https://github.com/inspec/inspec/pull/3543) ([tas50](https://github.com/tas50)) <!-- 3.0.15 -->
-- Adding inspec init profile for GCP. [#3484](https://github.com/inspec/inspec/pull/3484) ([skpaterson](https://github.com/skpaterson)) <!-- 3.0.13 -->
+- Fixes broken link in documentation [#3588](https://github.com/inspec/inspec/pull/3588) ([dmccown](https://github.com/dmccown)) <!-- 3.0.30 -->
+- Fixes (some) ruby warnings related to functional tests [#3561](https://github.com/inspec/inspec/pull/3561) ([TheLonelyGhost](https://github.com/TheLonelyGhost)) <!-- 3.0.27 -->
+- Fix functional tests issues with vendoring [#3572](https://github.com/inspec/inspec/pull/3572) ([jquick](https://github.com/jquick)) <!-- 3.0.26 -->
 <!-- release_rollup -->
 
 <!-- latest_stable_release -->
+## [v3.0.25](https://github.com/inspec/inspec/tree/v3.0.25) (2018-11-01)
+
+#### Enhancements
+- ✓ adds additional checks for vendored profiles [#3362](https://github.com/inspec/inspec/pull/3362) ([chris-rock](https://github.com/chris-rock))
+- Allow help args after Thor commands [#3553](https://github.com/inspec/inspec/pull/3553) ([jquick](https://github.com/jquick))
+
+#### Bug Fixes
+- Change usage of `Dir.home` to `Inspec.config_dir` [#3567](https://github.com/inspec/inspec/pull/3567) ([jerryaldrichiii](https://github.com/jerryaldrichiii))
+
+#### Merged Pull Requests
+- Adding inspec init profile for GCP. [#3484](https://github.com/inspec/inspec/pull/3484) ([skpaterson](https://github.com/skpaterson))
+- Modernize omnibus config and reduce omnibus package size [#3543](https://github.com/inspec/inspec/pull/3543) ([tas50](https://github.com/tas50))
+- Allow end of options during Thor array parsing [#3547](https://github.com/inspec/inspec/pull/3547) ([jquick](https://github.com/jquick))
+- Pin to train 1.5.6 [#3568](https://github.com/inspec/inspec/pull/3568) ([jquick](https://github.com/jquick))
+- bump expeditor version [#3569](https://github.com/inspec/inspec/pull/3569) ([jquick](https://github.com/jquick))
+<!-- latest_stable_release -->
+
 ## [v3.0.12](https://github.com/inspec/inspec/tree/v3.0.12) (2018-10-24)
 
 #### New Resources
@@ -36,7 +58,6 @@
 
 #### Merged Pull Requests
 - Add inspec/train vault to plugin exclusion [#3532](https://github.com/inspec/inspec/pull/3532) ([jquick](https://github.com/jquick))
-<!-- latest_stable_release -->
 
 ## [v3.0.9](https://github.com/inspec/inspec/tree/v3.0.9) (2018-10-18)
 

data/Rakefile

@@ -81,19 +81,18 @@ namespace :test do
     t.ruby_opts = ['--dev'] if defined?(JRUBY_VERSION)
   end
 
-  # Functional tests on Windows are a WIP. Currently only some
-  # functional test files are supported.
-  # TODO: Ensure all functional tests are ran on Windows
-  Rake::TestTask.new(:'functional:windows') do |t|
+  # Functional tests on Windows take a bit to run. This
+  # optionally takes a env to breake the tests up into 3 workers.
+  Rake::TestTask.new(:'functional:windows') do |t, args|
+    files = Dir.glob('test/functional/*_test.rb').sort
+    if ENV['WORKER_NUMBER']
+      count = (files.count / 3).abs+1
+      start = (ENV['WORKER_NUMBER'].to_i - 1) * count
+      files = files[start..start+count-1]
+    end
+
     t.libs << 'test'
-    t.test_files = [
-      'test/functional/inspec_exec_test.rb',
-      'test/functional/inspec_exec_json_test.rb',
-      'test/functional/inspec_detect_test.rb',
-      'test/functional/inspec_vendor_test.rb',
-      'test/functional/inspec_check_test.rb',
-      'test/functional/filter_table_test.rb',
-    ]
+    t.test_files = files
     t.warning = true
     t.verbose = true
     t.ruby_opts = ['--dev'] if defined?(JRUBY_VERSION)

data/lib/fetchers/git.rb

@@ -29,7 +29,11 @@ module Fetchers
     priority 200
 
     def self.resolve(target, opts = {})
-      new(target[:git], opts.merge(target)) if target.respond_to?(:has_key?) && target.key?(:git)
+      if target.is_a?(String)
+        new(target, opts) if target.start_with?('git@') || target.end_with?('.git')
+      elsif target.respond_to?(:has_key?) && target.key?(:git)
+        new(target[:git], opts.merge(target))
+      end
     end
 
     def initialize(remote_url, opts = {})

data/lib/fetchers/url.rb

@@ -95,6 +95,7 @@ module Fetchers
 
     def initialize(url, opts)
       @target = url
+      @target_uri = parse_uri(@target)
       @insecure = opts['insecure']
       @token = opts['token']
       @config = opts
@@ -120,6 +121,11 @@ module Fetchers
 
     private
 
+    def parse_uri(target)
+      return URI.parse(target) if target.is_a?(String)
+      URI.parse(target[:url])
+    end
+
     def sha256
       file = @archive_path || temp_archive_path
       OpenSSL::Digest::SHA256.digest(File.read(file)).unpack('H*')[0]
@@ -155,9 +161,8 @@ module Fetchers
         version: @config['profile'][2],
       }.to_json
 
-      uri = URI.parse(@target)
       opts = http_opts
-      opts[:use_ssl] = uri.scheme == 'https'
+      opts[:use_ssl] = @target_uri.scheme == 'https'
 
       if @insecure
         opts[:verify_mode] = OpenSSL::SSL::VERIFY_NONE
@@ -165,12 +170,12 @@ module Fetchers
         opts[:verify_mode] = OpenSSL::SSL::VERIFY_PEER
       end
 
-      req = Net::HTTP::Post.new(uri)
+      req = Net::HTTP::Post.new(@target_uri)
       opts.each do |key, value|
         req.add_field(key, value)
       end
       req.body = json
-      res = Net::HTTP.start(uri.host, uri.port, opts) { |http|
+      res = Net::HTTP.start(@target_uri.host, @target_uri.port, opts) { |http|
         http.request(req)
       }
 
@@ -188,7 +193,7 @@ module Fetchers
     def download_archive_to_temp
       return @temp_archive_path if !@temp_archive_path.nil?
       Inspec::Log.debug("Fetching URL: #{@target}")
-      remote = open(@target, http_opts)
+      remote = open_via_uri(@target)
       @archive_type = file_type_from_remote(remote) # side effect :(
       archive = Tempfile.new(['inspec-dl-', @archive_type])
       archive.binmode
@@ -199,6 +204,17 @@ module Fetchers
       @temp_archive_path = archive.path
     end
 
+    def open_via_uri(target)
+      opts = http_opts
+
+      if opts[:http_basic_authentication]
+        # OpenURI does not support userinfo so we need to remove it
+        open(target.sub("#{@target_uri.userinfo}@", ''), opts)
+      else
+        open(target, opts)
+      end
+    end
+
     def download_archive(path)
       temp_archive_path
       final_path = "#{path}#{@archive_type}"
@@ -225,7 +241,9 @@ module Fetchers
         opts['Authorization'] = "Bearer #{@token}"
       end
 
-      opts[:http_basic_authentication] = [@config[:username], @config[:password]] if @config[:username]
+      username = @config[:username] || @target_uri.user
+      password = @config[:password] || @target_uri.password
+      opts[:http_basic_authentication] = [username, password] if username
 
       # Do not send any headers that have nil values.
       # Net::HTTP does not gracefully handle this situation.

data/lib/inspec/cli.rb

@@ -168,9 +168,70 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     pretty_handle_exception(e)
   end
 
-  desc 'exec PATHS', 'run all test files at the specified PATH.'
+  desc 'exec LOCATIONS', 'run all test files at the specified LOCATIONS.'
   long_desc <<~EOT
-    Loads the given profile(s) and fetches their dependencies if needed.  Then connects to the target and executes any controls contained in the profiles.  One or more reporters are used to generate output.  If all tests passed (no fails, no skips) exit code 0 is returned.  If some tests skipped but none failed, exit code 101 is returned. If at least one test failed, exit code 100 is returned.  If inspec failed for any other reason, exit code 1 is returned.
+    Loads the given profile(s) and fetches their dependencies if needed. Then
+    connects to the target and executes any controls contained in the profiles.
+    One or more reporters are used to generate output. If all tests passed
+    (no fails, no skips) exit code 0 is returned. If some tests skipped but
+    none failed, exit code 101 is returned. If at least one test failed, exit
+    code 100 is returned. If inspec failed for any other reason, exit code 1
+    is returned.
+
+    Below are some examples of using `exec` with different test LOCATIONS:
+
+    Automate:
+      ```
+      inspec compliance login
+      inspec exec compliance://username/linux-baseline
+      ```
+
+    Supermarket:
+      ```
+      inspec exec supermarket://username/linux-baseline
+      ```
+
+    Local profile (executes all tests in `controls/`):
+      ```
+      inspec exec /path/to/profile
+      ```
+
+    Local single test (doesn't allow attributes or custom resources)
+      ```
+      inspec exec /path/to/a_test.rb
+      ```
+
+    Git via SSH
+      ```
+      inspec exec git@github.com:dev-sec/linux-baseline.git
+      ```
+
+    Git via HTTPS (.git suffix is required):
+      ```
+      inspec exec https://github.com/dev-sec/linux-baseline.git
+      ```
+
+    Private Git via HTTPS (.git suffix is required):
+      ```
+      inspec exec https://API_TOKEN@github.com/dev-sec/linux-baseline.git
+      ```
+
+    Private Git via HTTPS and cached credentials (.git suffix is required):
+      ```
+      git config credential.helper cache
+      git ls-remote https://github.com/dev-sec/linux-baseline.git
+      inspec exec https://github.com/dev-sec/linux-baseline.git
+      ```
+
+    Web hosted fileshare (also supports .zip):
+      ```
+      inspec exec https://webserver/linux-baseline.tar.gz
+      ```
+
+    Web hosted fileshare with basic authentication (supports .zip):
+      ```
+      inspec exec https://username:password@webserver/linux-baseline.tar.gz
+      ```
   EOT
   exec_options
   def exec(*targets)

data/lib/inspec/objects/control.rb

@@ -2,7 +2,7 @@
 
 module Inspec
   class Control
-    attr_accessor :id, :title, :descriptions, :impact, :tests, :tags, :refs
+    attr_accessor :id, :title, :descriptions, :impact, :tests, :tags, :refs, :only_if
     def initialize
       @tests = []
       @tags = []
@@ -43,6 +43,7 @@ module Inspec
       res.push "  impact #{impact}" unless impact.nil?
       tags.each { |t| res.push(indent(t.to_ruby, 2)) }
       refs.each { |t| res.push("  ref   #{print_ref(t)}") }
+      res.push "  only_if { #{only_if} }" if only_if
       tests.each { |t| res.push(indent(t.to_ruby, 2)) }
       res.push 'end'
       res.join("\n")

data/lib/inspec/objects/describe.rb

@@ -57,8 +57,8 @@ module Inspec
       @variables = []
     end
 
-    def add_test(its, matcher, expectation)
-      test = Inspec::Describe::Test.new(its, matcher, expectation, false)
+    def add_test(its, matcher, expectation, opts = {})
+      test = Inspec::Describe::Test.new(its, matcher, expectation, opts[:negated])
       tests.push(test)
       test
     end

data/lib/inspec/objects/test.rb

@@ -2,7 +2,7 @@
 
 module Inspec
   class Test
-    attr_accessor :qualifier, :matcher, :expectation, :skip, :negated, :variables
+    attr_accessor :qualifier, :matcher, :expectation, :skip, :negated, :variables, :only_if
     include RubyHelper
 
     def initialize
@@ -61,6 +61,7 @@ module Inspec
     end
 
     def rb_describe
+      only_if_clause = "only_if { #{only_if} }\n" if only_if
       vars = variables.map(&:to_ruby).join("\n")
       vars += "\n" unless vars.empty?
       res, xtra = describe_chain
@@ -74,8 +75,8 @@ module Inspec
               elsif xpect != ''
                 ' ' + expectation.inspect
               end
-      format("%sdescribe %s do\n  %s { should%s %s%s }\nend",
-             vars, res, itsy, naughty, matcher, xpect)
+      format("%s%sdescribe %s do\n  %s { should%s %s%s }\nend",
+             only_if_clause, vars, res, itsy, naughty, matcher, xpect)
     end
 
     def rb_skip

data/lib/inspec/rspec_extensions.rb

@@ -1,6 +1,14 @@
 require 'inspec/attribute_registry'
+require 'rspec/core'
 require 'rspec/core/example_group'
 
+# Setup RSpec to allow use of `should` syntax without warnings
+RSpec.configure do |config|
+  config.expect_with(:rspec) do |rspec_expectations_config|
+    rspec_expectations_config.syntax = :should
+  end
+end
+
 # This file allows you to add ExampleGroups to be used in rspec tests
 #
 class RSpec::Core::ExampleGroup

data/lib/inspec/rule.rb

@@ -37,6 +37,7 @@ module Inspec
       @tags = {}
 
       # not changeable by the user:
+      @__code = nil
       @__block = block
       @__source_location = __get_block_source_location(&block)
       @__rule_id = id

data/lib/inspec/runner.rb

@@ -238,9 +238,11 @@ module Inspec
 
       # Load local profile dependencies. This is used in inspec shell
       # to provide access to local profiles that add resources.
-      @depends
-        .map { |x| Inspec::Profile.for_path(x, { profile_context: ctx }) }
-        .each(&:load_libraries)
+      @depends.each do |dep|
+        # support for windows paths
+        dep = dep.tr('\\', '/')
+        Inspec::Profile.for_path(dep, { profile_context: ctx }).load_libraries
+      end
 
       ctx.load(command)
     end

data/lib/inspec/version.rb

@@ -4,5 +4,5 @@
 # author: Christoph Hartmann
 
 module Inspec
-  VERSION = '3.0.25'
+  VERSION = '3.0.46'
 end

data/lib/plugins/inspec-init/test/functional/inspec_init_test.rb

@@ -32,7 +32,6 @@ class InitCli < MiniTest::Test
 
   def test_generating_inspec_profile_with_bad_platform
     Dir.mktmpdir do |dir|
-      profile = File.join(dir, 'test-profile')
       out = run_inspec_process("init profile --platform nonesuch test-profile", prefix: "cd #{dir} &&")
       assert_equal 1, out.exit_status
       assert_includes out.stdout, 'Unable to generate profile'

data/lib/resources/aws/aws_vpc.rb

@@ -30,8 +30,8 @@ class AwsVpc < Inspec.resource(1)
       allowed_scalar_type: String,
     )
 
-    if validated_params.key?(:vpc_id) && validated_params[:vpc_id] !~ /^vpc\-[0-9a-f]{8}/
-      raise ArgumentError, 'aws_vpc VPC ID must be in the format "vpc-" followed by 8 hexadecimal characters.'
+    if validated_params.key?(:vpc_id) && validated_params[:vpc_id] !~ /^vpc\-([0-9a-f]{8})|(^vpc\-[0-9a-f]{17})$/
+      raise ArgumentError, 'aws_vpc VPC ID must be in the format "vpc-" followed by 8 or 17 hexadecimal characters.'
     end
 
     validated_params

data/lib/resources/iis_site.rb

@@ -94,7 +94,7 @@ module Inspec::Resources
 
     # want to populate everything using one powershell command here and spit it out as json
     def iis_site(name)
-      command = "Get-Website '#{name}' | select-object -Property Name,State,PhysicalPath,bindings,ApplicationPool | ConvertTo-Json"
+      command = "Get-Website '#{name}' | Select-Object -Property Name,State,PhysicalPath,bindings,ApplicationPool | ConvertTo-Json"
       cmd = @inspec.command(command)
 
       begin
@@ -103,11 +103,8 @@ module Inspec::Resources
         return nil
       end
 
-      bindings_array = site['bindings']['Collection'].map { |k, _str|
-        k['protocol'] <<
-          ' ' <<
-          k['bindingInformation'] <<
-          (k['protocol'] == 'https' ? ' sslFlags=' << flags : '')
+      bindings_array = site['bindings']['Collection'].map { |k|
+        "#{k['protocol']} #{k['bindingInformation']}#{k['protocol'] == 'https' ? " sslFlags=#{k['sslFlags']}" : ''}"
       }
 
       # map our values to a hash table

data/lib/resources/port.rb

@@ -63,10 +63,12 @@ module Inspec::Resources
         AixPorts.new(inspec)
       elsif os.darwin?
         # Darwin: https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/lsof.8.html
+        # Careful: make sure darwin comes before BSD, below
         LsofPorts.new(inspec)
       elsif os.windows?
         WindowsPorts.new(inspec)
-      elsif ['freebsd'].include?(os[:family])
+      elsif os.bsd?
+        # Relies on sockstat, usually present on FreeBSD and NetBSD (but not MacOS X)
         FreeBsdPorts.new(inspec)
       elsif os.solaris?
         SolarisPorts.new(inspec)

data/lib/resources/xml.rb

@@ -27,6 +27,8 @@ module Inspec::Resources
           output.push(element.to_s)
         elsif element.is_a?(REXML::Element)
           output.push(element.text)
+        elsif element.is_a?(Integer) || element.is_a?(TrueClass) || element.is_a?(FalseClass) || element.is_a?(String)
+          output.push(element)
         else
           raise Inspec::Exceptions::ResourceFailed, "Unknown XML object received (#{element.class}): #{element}"
         end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec
 version: !ruby/object:Gem::Version
-  version: 3.0.25
+  version: 3.0.46
 platform: ruby
 authors:
 - Dominik Richter
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-11-01 00:00:00.000000000 Z
+date: 2018-11-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: train