inspec/lib/resources/etc_group.rb

# encoding: utf-8
# copyright: 2015, Vulcano Security GmbH
# author: Christoph Hartmann
# author: Dominik Richter
# license: All rights reserved

# The file format consists of
# - group name
# - password - group's encrypted password
# - gid - group's decimal ID
# - member list - group members, comma seperated list
#
# Usage:
# describe etc_group do
#   its('gids') { should_not contain_duplicates }
#   its('groups') { should include 'my_user' }
#   its('users') { should include 'my_user' }
# end
#
# describe etc_group.where(name: 'my_group') do
#   its('users') { should include 'my_user' }
# end

require 'utils/convert'
require 'utils/parser'

module Inspec::Resources
  class EtcGroup < Inspec.resource(1)
    include Converter
    include CommentParser

    name 'etc_group'
    desc 'Use the etc_group InSpec audit resource to test groups that are defined on Linux and UNIX platforms. The /etc/group file stores details about each group---group name, password, group identifier, along with a comma-separate list of users that belong to the group.'
    example "
      describe etc_group do
        its('gids') { should_not contain_duplicates }
        its('groups') { should include 'my_user' }
        its('users') { should include 'my_user' }
      end
    "

    attr_accessor :gid, :entries
    def initialize(path = nil)
      @path = path || '/etc/group'
      @entries = parse_group(@path)

      # skip resource if it is not supported on current OS
      return skip_resource 'The `etc_group` resource is not supported on your OS.' \
      unless inspec.os.unix?
    end

    def groups(filter = nil)
      entries = filter || @entries
      entries.map { |x| x['name'] } if !entries.nil?
    end

    def gids(filter = nil)
      entries = filter || @entries
      entries.map { |x| x['gid'] } if !entries.nil?
    end

    def users(filter = nil)
      entries = filter || @entries
      return nil if entries.nil?
      # filter the user entry
      res = entries.map { |x|
        x['members'].split(',') if !x.nil? && !x['members'].nil?
      }.flatten
      # filter nil elements
      res.reject { |x| x.nil? || x.empty? }
    end

    def where(conditions = {})
      return if conditions.empty?
      fields = {
        name: 'name',
        group_name: 'name',
        password: 'password',
        gid: 'gid',
        group_id: 'gid',
        users: 'members',
        members: 'members',
      }
      res = entries

      conditions.each do |k, v|
        idx = fields[k.to_sym]
        next if idx.nil?
        res = res.select { |x| x[idx] == v.to_s }
      end

      EtcGroupView.new(self, res)
    end

    def to_s
      '/etc/group'
    end

    private

    def parse_group(path)
      @content = inspec.file(path).content
      if @content.nil?
        skip_resource "Can't access group file in #{path}"
        return []
      end
      # iterate over each line and filter comments
      @content.split("\n").each_with_object([]) do |line, lines|
        grp_info = parse_group_line(line)
        lines.push(grp_info) if !grp_info.nil? && grp_info.size > 0
      end
    end

    def parse_group_line(line)
      opts = {
        comment_char: '#',
        standalone_comments: false,
      }
      line, _idx_nl = parse_comment_line(line, opts)
      x = line.split(':')
      # abort if we have an empty or comment line
      return nil if x.size == 0
      # map data
      {
        'name' => x.at(0), # Name of the group.
        'password' => x.at(1), # Group's encrypted password.
        'gid' => convert_to_i(x.at(2)), # The group's decimal ID.
        'members' => x.at(3), # Group members.
      }
    end
  end

  # object that hold a specifc view on etc group
  class EtcGroupView
    def initialize(parent, filter)
      @parent = parent
      @filter = filter
    end

    # returns the group object
    def entries
      @filter
    end

    # only returns group name
    def groups
      @parent.groups(@filter)
    end

    # only return gids
    def gids
      @parent.gids(@filter)
    end

    # only returns users
    def users
      @parent.users(@filter)
    end
  end
end
add etc_group implementation 2015-07-15 13:16:10 +00:00			`# encoding: utf-8`
			`# copyright: 2015, Vulcano Security GmbH`
add author header 2015-10-06 16:55:44 +00:00			`# author: Christoph Hartmann`
			`# author: Dominik Richter`
add etc_group implementation 2015-07-15 13:16:10 +00:00			`# license: All rights reserved`

			`# The file format consists of`
			`# - group name`
filter comments in /etc/group 2015-10-06 11:56:29 +00:00			`# - password - group's encrypted password`
			`# - gid - group's decimal ID`
			`# - member list - group members, comma seperated list`
improvement: use separate object to hold filter state, optimize users output 2015-09-05 20:26:21 +00:00			`#`
			`# Usage:`
			`# describe etc_group do`
			`# its('gids') { should_not contain_duplicates }`
			`# its('groups') { should include 'my_user' }`
			`# its('users') { should include 'my_user' }`
			`# end`
			`#`
			`# describe etc_group.where(name: 'my_group') do`
			`# its('users') { should include 'my_user' }`
			`# end`
add etc_group implementation 2015-07-15 13:16:10 +00:00
improvement: return gids in etc_group as integer 2015-10-06 12:00:19 +00:00			`require 'utils/convert'`
filter comments in /etc/group 2015-10-06 11:56:29 +00:00			`require 'utils/parser'`

Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`module Inspec::Resources`
			`class EtcGroup < Inspec.resource(1)`
			`include Converter`
			`include CommentParser`

			`name 'etc_group'`
			`desc 'Use the etc_group InSpec audit resource to test groups that are defined on Linux and UNIX platforms. The /etc/group file stores details about each group---group name, password, group identifier, along with a comma-separate list of users that belong to the group.'`
			`example "`
			`describe etc_group do`
			`its('gids') { should_not contain_duplicates }`
			`its('groups') { should include 'my_user' }`
			`its('users') { should include 'my_user' }`
			`end`
			`"`

			`attr_accessor :gid, :entries`
			`def initialize(path = nil)`
			`@path = path \|\| '/etc/group'`
			`@entries = parse_group(@path)`

			`# skip resource if it is not supported on current OS`
			return skip_resource 'The `etc_group` resource is not supported on your OS.' \
			`unless inspec.os.unix?`
add inline documentation 2015-11-27 13:02:38 +00:00			`end`
add etc_group implementation 2015-07-15 13:16:10 +00:00
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`def groups(filter = nil)`
			`entries = filter \|\| @entries`
			`entries.map { \|x\| x['name'] } if !entries.nil?`
feature: etc_group with where-function overhaul Signed-off-by: Dominik Richter <dominik@vulcanosec.com> 2015-08-03 01:42:05 +00:00			`end`
improve etc_group parser, keep parsed data internally instead of raw data 2015-10-07 10:33:33 +00:00
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`def gids(filter = nil)`
			`entries = filter \|\| @entries`
			`entries.map { \|x\| x['gid'] } if !entries.nil?`
			`end`
feature: etc_group with where-function overhaul Signed-off-by: Dominik Richter <dominik@vulcanosec.com> 2015-08-03 01:42:05 +00:00
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`def users(filter = nil)`
			`entries = filter \|\| @entries`
			`return nil if entries.nil?`
			`# filter the user entry`
			`res = entries.map { \|x\|`
			`x['members'].split(',') if !x.nil? && !x['members'].nil?`
			`}.flatten`
			`# filter nil elements`
			`res.reject { \|x\| x.nil? \|\| x.empty? }`
			`end`
add to_s methods to resources, fixes #98 2015-10-12 11:01:58 +00:00
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`def where(conditions = {})`
			`return if conditions.empty?`
			`fields = {`
			`name: 'name',`
			`group_name: 'name',`
			`password: 'password',`
			`gid: 'gid',`
			`group_id: 'gid',`
			`users: 'members',`
			`members: 'members',`
			`}`
			`res = entries`

			`conditions.each do \|k, v\|`
			`idx = fields[k.to_sym]`
			`next if idx.nil?`
			`res = res.select { \|x\| x[idx] == v.to_s }`
			`end`

			`EtcGroupView.new(self, res)`
			`end`
move resource methods to respective library files Signed-off-by: Dominik Richter <dominik@vulcanosec.com> 2015-08-03 00:40:08 +00:00
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`def to_s`
			`'/etc/group'`
bugfix: fail on missing access to /etc/group 2015-10-26 15:11:28 +00:00			`end`
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00
			`private`

			`def parse_group(path)`
			`@content = inspec.file(path).content`
			`if @content.nil?`
			`skip_resource "Can't access group file in #{path}"`
			`return []`
			`end`
			`# iterate over each line and filter comments`
			`@content.split("\n").each_with_object([]) do \|line, lines\|`
			`grp_info = parse_group_line(line)`
			`lines.push(grp_info) if !grp_info.nil? && grp_info.size > 0`
			`end`
migrated inetd config and etc group Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-08-28 19:52:59 +00:00			`end`
filter comments in /etc/group 2015-10-06 11:56:29 +00:00
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`def parse_group_line(line)`
			`opts = {`
			`comment_char: '#',`
			`standalone_comments: false,`
			`}`
			`line, _idx_nl = parse_comment_line(line, opts)`
			`x = line.split(':')`
			`# abort if we have an empty or comment line`
			`return nil if x.size == 0`
			`# map data`
			`{`
			`'name' => x.at(0), # Name of the group.`
			`'password' => x.at(1), # Group's encrypted password.`
			`'gid' => convert_to_i(x.at(2)), # The group's decimal ID.`
			`'members' => x.at(3), # Group members.`
			`}`
			`end`
filter comments in /etc/group 2015-10-06 11:56:29 +00:00			`end`
improvement: use separate object to hold filter state, optimize users output 2015-09-05 20:26:21 +00:00
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`# object that hold a specifc view on etc group`
			`class EtcGroupView`
			`def initialize(parent, filter)`
			`@parent = parent`
			`@filter = filter`
			`end`
improvement: use separate object to hold filter state, optimize users output 2015-09-05 20:26:21 +00:00
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`# returns the group object`
			`def entries`
			`@filter`
			`end`
modify etc_group to return complete group info 2015-10-07 09:28:00 +00:00
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`# only returns group name`
			`def groups`
			`@parent.groups(@filter)`
			`end`
improvement: use separate object to hold filter state, optimize users output 2015-09-05 20:26:21 +00:00
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`# only return gids`
			`def gids`
			`@parent.gids(@filter)`
			`end`
improvement: use separate object to hold filter state, optimize users output 2015-09-05 20:26:21 +00:00
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`# only returns users`
			`def users`
			`@parent.users(@filter)`
			`end`
lint resources Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-09-09 16:37:16 +00:00			`end`
improvement: use separate object to hold filter state, optimize users output 2015-09-05 20:26:21 +00:00			`end`