inspec/lib/resources/file.rb

# encoding: utf-8
# copyright: 2015, Vulcano Security GmbH
# author: Dominik Richter
# author: Christoph Hartmann
# license: All rights reserved

require 'shellwords'

module Inspec::Resources
  class FileResource < Inspec.resource(1) # rubocop:disable Metrics/ClassLength
    name 'file'
    desc 'Use the file InSpec audit resource to test all system file types, including files, directories, symbolic links, named pipes, sockets, character devices, block devices, and doors.'
    example "
      describe file('path') do
        it { should exist }
        it { should be_file }
        it { should be_readable }
        it { should be_writable }
        it { should be_owned_by 'root' }
        its('mode') { should cmp '0644' }
      end
    "
    include MountParser

    attr_reader :file, :mount_options
    def initialize(path)
      @file = inspec.backend.file(path)
    end

    %w{
      type exist? file? block_device? character_device? socket? directory?
      symlink? pipe? mode mode? owner owned_by? group grouped_into?
      link_path linked_to? mtime size selinux_label immutable?
      product_version file_version version? md5sum sha256sum
      path basename source source_path uid gid
    }.each do |m|
      define_method m.to_sym do |*args|
        file.method(m.to_sym).call(*args)
      end
    end

    def content
      res = file.content
      return nil if res.nil?
      res.force_encoding('utf-8')
    end

    def contain(*_)
      fail 'Contain is not supported. Please use standard RSpec matchers.'
    end

    def readable?(by_usergroup, by_specific_user)
      return false unless exist?

      file_permission_granted?('r', by_usergroup, by_specific_user)
    end

    def writable?(by_usergroup, by_specific_user)
      return false unless exist?

      file_permission_granted?('w', by_usergroup, by_specific_user)
    end

    def executable?(by_usergroup, by_specific_user)
      return false unless exist?

      file_permission_granted?('x', by_usergroup, by_specific_user)
    end

    def mounted?(expected_options = nil, identical = false)
      mounted = file.mounted

      # return if no additional parameters have been provided
      return file.mounted? if expected_options.nil?

      # deprecation warning, this functionality will be removed in future version
      warn "[DEPRECATION] `be_mounted.with and be_mounted.only_with` are deprecated.  Please use `mount('#{source_path}')` instead."

      # we cannot read mount data on non-Linux systems
      return nil if !inspec.os.linux?

      # parse content if we are on linux
      @mount_options ||= parse_mount_options(mounted.stdout, true)

      if identical
        # check if the options should be identical
        @mount_options == expected_options
      else
        # otherwise compare the selected values
        @mount_options.contains(expected_options)
      end
    end

    def suid
      (mode & 04000) > 0
    end

    def sgid
      (mode & 02000) > 0
    end

    def sticky
      (mode & 01000) > 0
    end

    def to_s
      "File #{source_path}"
    end

    private

    def file_permission_granted?(flag, by_usergroup, by_specific_user)
      unless inspec.os.unix?
        fail 'Checking file permissions is not supported on your os'
      end

      if by_specific_user.nil? || by_specific_user.empty?
        usergroup = usergroup_for(by_usergroup, by_specific_user)
        check_file_permission_by_mask(usergroup, flag)
      else
        check_file_permission_by_user(by_specific_user, flag)
      end
    end

    def check_file_permission_by_mask(usergroup, flag)
      mask = file.unix_mode_mask(usergroup, flag)
      fail 'Invalid usergroup/owner provided' if mask.nil?

      (file.mode & mask) != 0
    end

    def check_file_permission_by_user(user, flag)
      if inspec.os.linux?
        perm_cmd = "su -s /bin/sh -c \"test -#{flag} #{source_path}\" #{user}"
      elsif inspec.os.bsd? || inspec.os.solaris?
        perm_cmd = "sudo -u #{user} test -#{flag} #{source_path}"
      elsif inspec.os.aix?
        perm_cmd = "su #{user} -c test -#{flag} #{source_path}"
      elsif inspec.os.hpux?
        perm_cmd = "su #{user} -c \"test -#{flag} #{source_path}\""
      else
        return skip_resource 'The `file` resource does not support `by_user` on your OS.'
      end

      cmd = inspec.command(perm_cmd)
      cmd.exit_status == 0 ? true : false
    end

    def usergroup_for(usergroup, specific_user)
      if usergroup == 'others'
        'other'
      elsif (usergroup.nil? || usergroup.empty?) && specific_user.nil?
        'all'
      else
        usergroup
      end
    end
  end
end
update copyright header 2015-07-15 13:15:18 +00:00			`# encoding: utf-8`
			`# copyright: 2015, Vulcano Security GmbH`
add author header 2015-10-06 16:55:44 +00:00			`# author: Dominik Richter`
			`# author: Christoph Hartmann`
update copyright header 2015-07-15 13:15:18 +00:00			`# license: All rights reserved`

add file uid and gid accessors 2016-03-31 00:23:23 +00:00			`require 'shellwords'`

rename vulcanosec -> inspec 2015-10-26 03:04:18 +00:00			`module Inspec::Resources`
rename internal `File` -> `FileResource` 2016-03-09 09:35:35 +00:00			`class FileResource < Inspec.resource(1) # rubocop:disable Metrics/ClassLength`
start migrating file resource Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-08-30 00:14:17 +00:00			`name 'file'`
add inline documentation 2015-11-27 13:02:38 +00:00			`desc 'Use the file InSpec audit resource to test all system file types, including files, directories, symbolic links, named pipes, sockets, character devices, block devices, and doors.'`
			`example "`
			`describe file('path') do`
			`it { should exist }`
			`it { should be_file }`
			`it { should be_readable }`
			`it { should be_writable }`
			`it { should be_owned_by 'root' }`
update file resource example to use cmd matcher for better failure output in octal 2016-04-20 11:06:40 +00:00			`its('mode') { should cmp '0644' }`
add inline documentation 2015-11-27 13:02:38 +00:00			`end`
			`"`
implement `be_mounted.with` for file resources 2015-12-31 00:08:57 +00:00			`include MountParser`
migrate file resource Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-08-29 07:44:16 +00:00
update to new train interface 2016-04-28 16:35:55 +00:00			`attr_reader :file, :mount_options`
start migrating file resource Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-08-30 00:14:17 +00:00			`def initialize(path)`
update to new train interface 2016-04-28 16:35:55 +00:00			`@file = inspec.backend.file(path)`
start migrating file resource Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-08-30 00:14:17 +00:00			`end`
migrate file resource Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-08-29 07:44:16 +00:00
start migrating file resource Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-08-30 00:14:17 +00:00			`%w{`
File.exists? is deprecated in ruby 2.1 See: http://ruby-doc.org/core-2.1.0/File.html#method-c-exists-3F Same for Dir: http://ruby-doc.org/core-2.1.0/Dir.html#method-c-exists-3F Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-09-18 10:35:32 +00:00			`type exist? file? block_device? character_device? socket? directory?`
update to new train interface 2016-04-28 16:35:55 +00:00			`symlink? pipe? mode mode? owner owned_by? group grouped_into?`
force encoding to utf-8 2016-02-22 03:44:49 +00:00			`link_path linked_to? mtime size selinux_label immutable?`
fix rubocop issues 2015-09-05 14:07:54 +00:00			`product_version file_version version? md5sum sha256sum`
support basename parameter and add tests 2016-04-29 17:28:34 +00:00			`path basename source source_path uid gid`
complete all file tests Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-09-03 14:17:52 +00:00			`}.each do \|m\|`
			`define_method m.to_sym do \|*args\|`
File permission checks should return false unless file exists Currently, #readable?, #writeable?, and #executable? will incorrectly return true if the file does not exist. In addition, I took the opportunity to refactor the File resource to make it easier to write unit tests and supplied a full unit test suite for this resource. 2015-12-07 19:41:05 +00:00			`file.method(m.to_sym).call(*args)`
start migrating file resource Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-08-30 00:14:17 +00:00			`end`
migrate file resource Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-08-29 07:44:16 +00:00			`end`

force encoding to utf-8 2016-02-22 03:44:49 +00:00			`def content`
			`res = file.content`
			`return nil if res.nil?`
			`res.force_encoding('utf-8')`
			`end`

wrap up core resource linting Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-09-09 16:52:27 +00:00			`def contain(*_)`
improve fail warning. thanks @arlimus 2015-10-25 20:47:27 +00:00			`fail 'Contain is not supported. Please use standard RSpec matchers.'`
start migrating file resource Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-08-30 00:14:17 +00:00			`end`
migrate file resource Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-08-29 07:44:16 +00:00
File permission checks should return false unless file exists Currently, #readable?, #writeable?, and #executable? will incorrectly return true if the file does not exist. In addition, I took the opportunity to refactor the File resource to make it easier to write unit tests and supplied a full unit test suite for this resource. 2015-12-07 19:41:05 +00:00			`def readable?(by_usergroup, by_specific_user)`
			`return false unless exist?`

			`file_permission_granted?('r', by_usergroup, by_specific_user)`
start migrating file resource Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-08-30 00:14:17 +00:00			`end`
migrate file resource Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-08-29 07:44:16 +00:00
File permission checks should return false unless file exists Currently, #readable?, #writeable?, and #executable? will incorrectly return true if the file does not exist. In addition, I took the opportunity to refactor the File resource to make it easier to write unit tests and supplied a full unit test suite for this resource. 2015-12-07 19:41:05 +00:00			`def writable?(by_usergroup, by_specific_user)`
			`return false unless exist?`

			`file_permission_granted?('w', by_usergroup, by_specific_user)`
bugfix: indicate that file resource is really working with paths Signed-off-by: Dominik Richter <dominik@vulcanosec.com> 2015-06-21 09:23:30 +00:00			`end`
migrate file resource Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-08-29 07:44:16 +00:00
File permission checks should return false unless file exists Currently, #readable?, #writeable?, and #executable? will incorrectly return true if the file does not exist. In addition, I took the opportunity to refactor the File resource to make it easier to write unit tests and supplied a full unit test suite for this resource. 2015-12-07 19:41:05 +00:00			`def executable?(by_usergroup, by_specific_user)`
			`return false unless exist?`

			`file_permission_granted?('x', by_usergroup, by_specific_user)`
migrate file resource Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-08-29 07:44:16 +00:00			`end`

implement `be_mounted.with` for file resources 2015-12-31 00:08:57 +00:00			`def mounted?(expected_options = nil, identical = false)`
			`mounted = file.mounted`

			`# return if no additional parameters have been provided`
			`return file.mounted? if expected_options.nil?`

add deprecation warning for serverspec users 2016-01-02 23:01:54 +00:00			`# deprecation warning, this functionality will be removed in future version`
use the source_path instead of path for file internal reporting 2016-04-28 23:56:13 +00:00			warn "[DEPRECATION] `be_mounted.with and be_mounted.only_with` are deprecated. Please use `mount('#{source_path}')` instead."
add deprecation warning for serverspec users 2016-01-02 23:01:54 +00:00
restrict mount functionality to linux 2016-01-02 21:57:52 +00:00			`# we cannot read mount data on non-Linux systems`
			`return nil if !inspec.os.linux?`

implement `be_mounted.with` for file resources 2015-12-31 00:08:57 +00:00			`# parse content if we are on linux`
			`@mount_options \|\|= parse_mount_options(mounted.stdout, true)`

			`if identical`
			`# check if the options should be identical`
			`@mount_options == expected_options`
			`else`
			`# otherwise compare the selected values`
			`@mount_options.contains(expected_options)`
			`end`
			`end`

add suid sgid and sticky support for file resource 2016-07-10 18:40:06 +00:00			`def suid`
			`(mode & 04000) > 0`
			`end`

			`def sgid`
			`(mode & 02000) > 0`
			`end`

			`def sticky`
			`(mode & 01000) > 0`
			`end`

start migrating file resource Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-08-30 00:14:17 +00:00			`def to_s`
use the source_path instead of path for file internal reporting 2016-04-28 23:56:13 +00:00			`"File #{source_path}"`
start migrating file resource Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-08-30 00:14:17 +00:00			`end`
improvement: file resource check precondition and add file permission check 2015-10-25 20:35:35 +00:00
			`private`

File permission checks should return false unless file exists Currently, #readable?, #writeable?, and #executable? will incorrectly return true if the file does not exist. In addition, I took the opportunity to refactor the File resource to make it easier to write unit tests and supplied a full unit test suite for this resource. 2015-12-07 19:41:05 +00:00			`def file_permission_granted?(flag, by_usergroup, by_specific_user)`
remove os check exposure in file resource 2016-01-28 22:33:11 +00:00			`unless inspec.os.unix?`
			`fail 'Checking file permissions is not supported on your os'`
			`end`
File permission checks should return false unless file exists Currently, #readable?, #writeable?, and #executable? will incorrectly return true if the file does not exist. In addition, I took the opportunity to refactor the File resource to make it easier to write unit tests and supplied a full unit test suite for this resource. 2015-12-07 19:41:05 +00:00
sanity check and AIX tests 2015-12-21 22:12:29 +00:00			`if by_specific_user.nil? \|\| by_specific_user.empty?`
			`usergroup = usergroup_for(by_usergroup, by_specific_user)`
File permission checks should return false unless file exists Currently, #readable?, #writeable?, and #executable? will incorrectly return true if the file does not exist. In addition, I took the opportunity to refactor the File resource to make it easier to write unit tests and supplied a full unit test suite for this resource. 2015-12-07 19:41:05 +00:00			`check_file_permission_by_mask(usergroup, flag)`
			`else`
			`check_file_permission_by_user(by_specific_user, flag)`
improvement: file resource check precondition and add file permission check 2015-10-25 20:35:35 +00:00			`end`
File permission checks should return false unless file exists Currently, #readable?, #writeable?, and #executable? will incorrectly return true if the file does not exist. In addition, I took the opportunity to refactor the File resource to make it easier to write unit tests and supplied a full unit test suite for this resource. 2015-12-07 19:41:05 +00:00			`end`

			`def check_file_permission_by_mask(usergroup, flag)`
			`mask = file.unix_mode_mask(usergroup, flag)`
			`fail 'Invalid usergroup/owner provided' if mask.nil?`
improvement: file resource check precondition and add file permission check 2015-10-25 20:35:35 +00:00
File permission checks should return false unless file exists Currently, #readable?, #writeable?, and #executable? will incorrectly return true if the file does not exist. In addition, I took the opportunity to refactor the File resource to make it easier to write unit tests and supplied a full unit test suite for this resource. 2015-12-07 19:41:05 +00:00			`(file.mode & mask) != 0`
			`end`

			`def check_file_permission_by_user(user, flag)`
remove os check exposure in file resource 2016-01-28 22:33:11 +00:00			`if inspec.os.linux?`
use the source_path instead of path for file internal reporting 2016-04-28 23:56:13 +00:00			`perm_cmd = "su -s /bin/sh -c \"test -#{flag} #{source_path}\" #{user}"`
remove os check exposure in file resource 2016-01-28 22:33:11 +00:00			`elsif inspec.os.bsd? \|\| inspec.os.solaris?`
use the source_path instead of path for file internal reporting 2016-04-28 23:56:13 +00:00			`perm_cmd = "sudo -u #{user} test -#{flag} #{source_path}"`
remove os check exposure in file resource 2016-01-28 22:33:11 +00:00			`elsif inspec.os.aix?`
use the source_path instead of path for file internal reporting 2016-04-28 23:56:13 +00:00			`perm_cmd = "su #{user} -c test -#{flag} #{source_path}"`
added file permission by user check for hp-ux 2016-04-26 09:23:28 +00:00			`elsif inspec.os.hpux?`
use the source_path instead of path for file internal reporting 2016-04-28 23:56:13 +00:00			`perm_cmd = "su #{user} -c \"test -#{flag} #{source_path}\""`
improvement: file resource check precondition and add file permission check 2015-10-25 20:35:35 +00:00			`else`
			return skip_resource 'The `file` resource does not support `by_user` on your OS.'
			`end`
File permission checks should return false unless file exists Currently, #readable?, #writeable?, and #executable? will incorrectly return true if the file does not exist. In addition, I took the opportunity to refactor the File resource to make it easier to write unit tests and supplied a full unit test suite for this resource. 2015-12-07 19:41:05 +00:00
			`cmd = inspec.command(perm_cmd)`
			`cmd.exit_status == 0 ? true : false`
			`end`

			`def usergroup_for(usergroup, specific_user)`
			`if usergroup == 'others'`
			`'other'`
			`elsif (usergroup.nil? \|\| usergroup.empty?) && specific_user.nil?`
			`'all'`
			`else`
			`usergroup`
			`end`
			`end`
migrate file resource Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-08-29 07:44:16 +00:00			`end`
			`end`