inspec/lib/resources/file.rb

141 lines
3.8 KiB
Ruby
Raw Normal View History

2015-07-15 13:15:18 +00:00
# encoding: utf-8
# copyright: 2015, Vulcano Security GmbH
2015-10-06 16:55:44 +00:00
# author: Dominik Richter
# author: Christoph Hartmann
2015-07-15 13:15:18 +00:00
# license: All rights reserved
2015-10-26 03:04:18 +00:00
module Inspec::Resources
class File < Inspec.resource(1)
name 'file'
2015-11-27 13:02:38 +00:00
desc 'Use the file InSpec audit resource to test all system file types, including files, directories, symbolic links, named pipes, sockets, character devices, block devices, and doors.'
example "
describe file('path') do
it { should exist }
it { should be_file }
it { should be_readable }
it { should be_writable }
it { should be_owned_by 'root' }
its('mode') { should eq 0644 }
end
"
include MountParser
attr_reader :file, :path, :mount_options
def initialize(path)
@path = path
2015-10-26 03:04:18 +00:00
@file = inspec.backend.file(@path)
end
%w{
type exist? file? block_device? character_device? socket? directory?
2015-09-05 14:07:54 +00:00
symlink? pipe? mode mode? owner owned_by? group grouped_into? link_target
link_path linked_to? content mtime size selinux_label immutable?
2015-09-05 14:07:54 +00:00
product_version file_version version? md5sum sha256sum
}.each do |m|
define_method m.to_sym do |*args|
file.method(m.to_sym).call(*args)
end
end
def contain(*_)
2015-10-25 20:47:27 +00:00
fail 'Contain is not supported. Please use standard RSpec matchers.'
end
def readable?(by_usergroup, by_specific_user)
return false unless exist?
file_permission_granted?('r', by_usergroup, by_specific_user)
end
def writable?(by_usergroup, by_specific_user)
return false unless exist?
file_permission_granted?('w', by_usergroup, by_specific_user)
end
def executable?(by_usergroup, by_specific_user)
return false unless exist?
file_permission_granted?('x', by_usergroup, by_specific_user)
end
def mounted?(expected_options = nil, identical = false)
mounted = file.mounted
# return if no additional parameters have been provided
return file.mounted? if expected_options.nil?
# parse content if we are on linux
@mount_options ||= parse_mount_options(mounted.stdout, true)
if identical
# check if the options should be identical
@mount_options == expected_options
else
# otherwise compare the selected values
@mount_options.contains(expected_options)
end
end
def to_s
"File #{path}"
end
private
def file_permission_granted?(flag, by_usergroup, by_specific_user)
fail 'Checking file permissions is not supported on your os' unless unix?
usergroup = usergroup_for(by_usergroup, by_specific_user)
if by_specific_user.nil?
check_file_permission_by_mask(usergroup, flag)
else
check_file_permission_by_user(by_specific_user, flag)
end
end
def check_file_permission_by_mask(usergroup, flag)
mask = file.unix_mode_mask(usergroup, flag)
fail 'Invalid usergroup/owner provided' if mask.nil?
(file.mode & mask) != 0
end
def check_file_permission_by_user(user, flag)
if linux?
perm_cmd = "su -s /bin/sh -c \"test -#{flag} #{path}\" #{user}"
elsif family == 'freebsd'
perm_cmd = "sudo -u #{user} test -#{flag} #{path}"
else
return skip_resource 'The `file` resource does not support `by_user` on your OS.'
end
cmd = inspec.command(perm_cmd)
cmd.exit_status == 0 ? true : false
end
def usergroup_for(usergroup, specific_user)
if usergroup == 'others'
'other'
elsif (usergroup.nil? || usergroup.empty?) && specific_user.nil?
'all'
else
usergroup
end
end
def unix?
inspec.os.unix?
end
def linux?
inspec.os.linux?
end
def family
inspec.os[:family]
end
end
end